3_R aplas08-camera-ready - An Operational Semantics for...


An Operational Semantics for JavaScript

Sergio Maffeis (1), John C. Mitchell (2), Ankur Taly (2)
(1) Department of Computing, Imperial College London
(2) Department of Computer Science, Stanford University

Abstract. We define a small-step operational semantics for the ECMAScript standard language corresponding to JavaScript, as a basis for analyzing security properties of web applications and mashups. The semantics is based on the language standard and a number of experiments with different implementations and browsers. Some basic properties of the semantics are proved, including a soundness theorem and a characterization of the reachable portion of the heap.

1 Introduction

JavaScript [8,14,10] is widely used in Web programming and it is implemented in every major browser. As a programming language, JavaScript supports functional programming with anonymous functions, which are widely used to handle browser events such as mouse clicks. JavaScript also has objects that may be constructed as the result of function calls, without classes. The properties of an object, which may represent methods or fields, can be inherited from a prototype, or redefined or even removed after the object has been created. For these and other reasons, formalizing JavaScript and proving correctness or security properties of JavaScript mechanisms poses substantial challenges. Although there have been scientific studies of limited subsets of the language [7,21,24], there appears to be no previous formal investigation of the full core language, on the scale defined by the informal ECMA specifications [14]. In order to later analyze the correctness of language-based isolation mechanisms for JavaScript, such as those that have arisen recently in connection with online advertising and social networking [1,2,6,20], we develop a small-step operational semantics for JavaScript that covers the language addressed in the ECMA-262 Standard, 3rd Edition [14].

This standard is intended to define the common core language implemented in all browsers and is roughly a subset of JavaScript 1.5. We provide a basis for further analysis by proving some properties of the semantics, such as a progress theorem and properties of heap reachability. As part of our effort to make conformance to the informal standard evident, we define our semantics in a way that is faithful to the common explanations of JavaScript and the intuitions of JavaScript programmers. For example, JavaScript scope is normally discussed in relation to an object-based representation. We therefore define execution of a program with respect to a heap that contains a linked structure of objects instead of a separate stack. Thus entering a JavaScript scope creates an object on the heap, serving as an activation record for that scope but also subject to additional operations on JavaScript objects. Another unusual aspect of our semantics, reflecting the unusual nature of JavaScript, is that declarations within the body of a function are handled by...
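The two ideas the excerpt describes, property lookup through a prototype link and scope handled as activation objects on the heap rather than on a stack, as a small executable model. This is an added illustration, not code from the paper; the heap layout, the `proto`/`scope` link names and the helper functions are my own simplification of the design the text sketches.

```javascript
// Constructed model (not the paper's formal semantics): every object, including
// the activation record created when a scope is entered, lives on one heap and
// carries an optional prototype link (proto) and enclosing-scope link (scope).
const heap = [];

// Allocate an object on the heap and return its address (array index).
function alloc(props = {}, proto = null, scope = null) {
  heap.push({ props: { ...props }, proto, scope });
  return heap.length - 1;
}

// Property lookup follows the prototype chain; absent is reported as undefined
// (the model does not distinguish a missing property from one set to undefined).
function getProp(addr, name) {
  for (let a = addr; a !== null; a = heap[a].proto) {
    if (Object.prototype.hasOwnProperty.call(heap[a].props, name)) return heap[a].props[name];
  }
  return undefined;
}

// Redefinition creates or overwrites an own property; removal deletes only the
// own property, so an inherited value becomes visible again afterwards.
function setProp(addr, name, value) { heap[addr].props[name] = value; }
function delProp(addr, name) { delete heap[addr].props[name]; }

// Entering a scope allocates an activation object whose scope link points at
// the enclosing scope object; local variables are its properties.
function enterScope(outerAddr, locals) { return alloc(locals, null, outerAddr); }

// Variable lookup walks the scope chain, using ordinary property lookup (and
// therefore prototype lookup) at each scope object.
function lookupVar(scopeAddr, name) {
  for (let s = scopeAddr; s !== null; s = heap[s].scope) {
    const v = getProp(s, name);
    if (v !== undefined) return v;
  }
  return undefined;
}

function demo() {
  const proto = alloc({ greet: "hi from proto" });
  const obj = alloc({}, proto);
  const inherited = getProp(obj, "greet");       // found via prototype
  setProp(obj, "greet", "own");
  const redefined = getProp(obj, "greet");       // own property shadows it
  delProp(obj, "greet");
  const afterDelete = getProp(obj, "greet");     // inherited value reappears
  const global = alloc({ x: 1 });
  const inner = enterScope(global, { y: 2 });    // activation record on the heap
  return { inherited, redefined, afterDelete, x: lookupVar(inner, "x"), y: lookupVar(inner, "y") };
}
console.log(demo());
```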
This note was uploaded on 03/08/2011 for the course CS 242 at Stanford.