Generating error-revealing inputs with new static analysis warnings

Abstract

JavaScript is the most used programming language for the last few years. Many JavaScript libraries are widely used in practice. However, existing research is not yet ready for analyzing JavaScript libraries. Pattern-based static analyzers use pattern matching to identify known buggy patterns. Yet, it can hardly identify bugs that require semantics-based analysis. Applying existing semantics-based static analyzers on JavaScript libraries faces several challenges: functions not reachable during analysis, creating objects of dynamic types, identifying new warnings for untested execution paths, and insufficient debugging aids. To address these limitations, this thesis proposes TSA, a test-based approach that combines static and dynamic analysis. It leverages existing test cases to call and reach the library functions during static analysis. The approach extends existing test cases to identify new warnings for untested execution paths. It also reveals real errors that serve as debugging aids. This thesis applied TSA to analyze 32 popular client-side JavaScript libraries from GitHub. TSA identified 22–27% of new warnings for untested execution paths. It also verified the warnings of 47% of the subjects. A total of 3723 extended test cases revealed 33 unique TypeError. Among the 33 TypeError, existing tools can detect at most 24% of them. Developers confirmed six of the detected TypeError as real bugs. The proposed approach acts as a milestone that drives the JavaScript community to expand their scope of research by analyzing a large variety of JavaScript libraries in their work.