Copyright 2009-2015 Aarhus University
TAJS is a dataflow analysis for JavaScript that infers type information and call graphs. The current version of the analysis contains a model of ECMAScript 3rd edition, including the standard library, and a partial model of the HTML DOM and browser API.
For research publications and other information about this tool see http://www.brics.dk/TAJS.
The simplest way to build TAJS is to run ant
, which will build two jar files: dist/tajs.jar
(which contains only TAJS itself) and dist/tajs-all.jar
(which also includes the relevant extra libraries).
The jar files are also available for download at http://www.brics.dk/TAJS/dist/.
You can now run the analysis as, for example:
java -jar dist/tajs-all.jar test/google/richards.js
or
java -jar dist/tajs-all.jar test/chromeexperiments/3ddemo.html
By default, TAJS outputs some information about its progress and eventually a list of type warnings and other messages.
Some of the available options (run TAJS without arguments to see the full list):
-
-callgraph
- output call graph as text and in a fileout/callgraph.dot
(process with Graphviz dot) -
-collect-variable-info
- output type and line information about all variables -
-debug
- output extensive internal information during the analysis -
-flowgraph
- output the initial and final flow graphs (TAJS's intermediate representation) as text and toout/flowgraphs/
(in Graphviz dot format, with a file for each function and for the complete program) -
-low-severity
- enable many more type warnings -
-quiet
- only print results, not information about analysis progress -
-states
- output intermediate abstract states during the analysis -
-uneval
- enable the Unevalizer for on-the-fly translation ofeval
calls, as described in 'Remedying the Eval that Men Do', ISSTA 2012 -
-determinacy
- enable the techniques described in 'Determinacy in Static Analysis of jQuery', OOPSLA 2014
Note that the analysis produces lots of addition information that is not output by default. If you want full access to the abstract states and call graphs, as a starting point see the source code for dk.brics.tajs.Main
.
The javadoc for TAJS is available at http://www.brics.dk/TAJS/doc/.
TAJS recognizes a few special built-in functions (defined as properties of the global object) to support debugging and testing of the tool, including:
-
TAJS_dumpValue(exp)
- report the abstract value of expressionexp
after analysis has completed -
TAJS_dumpObject(obj)
- report the properties of the abstract objectobj
after analysis has completed -
TAJS_dumpState()
- report the abstract state at this program point after analysis has completed -
TAJS_assert(value)
- tests thatvalue
istrue
, failure will result in an AssertionError. -
TAJS_assert(value, predicate, expectedResult)
- a generalized version of the single-argument TAJS_assert, supports disjunctions of the predicate methods in Value.java. E.g. to check that a value is either a single concrete string or some unsigned integer:TAJS_assert(myValue, 'isMaybeSingleStr || isMaybeNumUInt', true)
The directory test
contains a collection of tests that can be executed by running dk.brics.tajs.test.RunFast
with JUnit from Eclipse/IntelliJ or with ant test
from the command-line.
(A more thorough but slower test is located in dk.brics.tajs.test.RunAll
.)
This diagram shows the main package dependencies:
Modifications of the source code should avoid introducing upwards dependencies in this diagram.
The following people have contributed to the source code:
- Anders Møller
- Simon Holm Jensen
- Peter Thiemann
- Magnus Madsen
- Matthias Diehn Ingesman
- Peter Jonsson
- Esben Andreasen
This software includes components from:
- Google Closure Compiler (http://code.google.com/p/closure-compiler/)
- Jericho HTML Parser (http://jericho.htmlparser.net/)
- Log4j (http://logging.apache.org/log4)