JavaScript has become ubiquitous: not only is it the lingua franca of the Web platform, but it is also increasingly being used for developing server-side applications and for writing platform-independent mobile applications. Consequently, it is now the focus of many strands of research work in static and dynamic program analysis, automated testing, security analysis and refactoring, to name just a few. At the same time, there is a strong interest from industry in providing better development tools for JavaScript programmers, such as debuggers and smart IDEs.
All these projects need to overcome similar challenges: How to delineate the program in a dynamic setting like a web page, how to deal with the extensive native APIs and framework libraries most JavaScript code relies on, how to handle non-determinism of concurrency and asynchronous events, and what to do about the language’s extraordinarily dynamic features like eval or reflection over object structure.
JSTools will bring together participants from academia and industry working on analysis of JavaScript and its dialects to share ideas and problems, with a focus on presentations of shareable infrastructure created by the participants. We also aim to involve developers working on JavaScript dialects such as TypeScript to share their perspective.

Call for Papers

JavaScript has become ubiquitous: not only is it the lingua franca of the Web platform, but it is also increasingly being used for developing server-side applications and for writing platform-independent mobile applications. Consequently, it is now the focus of many strands of research work in static and dynamic program analysis, automated testing, security analysis and refactor- ing, to name just a few. At the same time, there is a strong interest from industry in providing better development tools for JavaScript programmers, such as debuggers and smart IDEs.
All these projects need to overcome similar challenges:
  • What constitutes a JavaScript program itself is an increasingly slippery concept. Even simple web pages tend to be composed of multiple script tags in a Web page, some of which refer to external source files and some of which contain inline code. Further code is commonly added with handlers attached to various Web page elements. Depending on the particular structure of these tags, the semantics of the induced program can differ. And further, code is often loaded dynamically into a page, for instance by dynamically creating new script tags in the current page.
  • Web pages increasingly use concurrency. While JavaScript itself is single-threaded, execution in modern browsers sometimes is not entirely, and, even when it is, asynchronous styles such as AJAX can introduce non-determinism into when pieces of code execute. Even the initial parsing of the Web page is often not atomic from the point of view of the code.
  • JavaScript is an extraordinarily dynamic language including a wide array of features for reflective programming and runtime code generation. This makes it challenging to design an internal representation as is commonly used for analysis and optimization purposes, since the semantics of even a simple statement can depend on the runtime state of the program in subtle and complex ways.
  • Almost all JavaScript programs rely on extensive native API libraries such as the browser’s DOM implementation for web applications, or APIs for accessing mobile phone hardware for mobile applications. Modeling the semantics of these libraries is a formidable task, but essential for analyzing real-world programs. Additionally, many programs use framework libraries such as jQuery or Sencha; while these are themselves written in JavaScript, they tend to use sophisticated coding patterns that are often extremely difficult to analyze.
  • JavaScript has given rise to variants such as ActionScript (the language behind Flash) and TypeScript (a strongly typed dialect of JavaScript), while JavaScript itself also keeps evolving. Supporting these dialects and new features is often desirable, but adds considerable additional complexity.
Various research and project groups have addressed these challenges, and there is a growing body of infrastructure that can be used and extended to tackle JavaScript. In this workshop, we hope to bring the builders and interested consumers of such tooling together. We plan to have a focus on tooling that, at least to some extent, addresses these challenges in a practical way. We want a combined focus on the research challenges the tools address and a tutorial-like to using these tools as well.

Preliminary Program

08:45 Opening Remarks
09:00 Jens Nicolay
JIPDA: Reusable and Precise Static Analysis of Real-world JavaScript Programs
09:30 Arlen Cox
Automatically Verifying JS Libraries without Client Code
10:30 Erick Lavoie
investigating the performance of upcoming web technologies
11:00 Shiyi Wei
Blended Taint Analysis for JavaScript
11:30 Vineet Rajani
Information Flow Control for WebKit's Bytecode
13:30 Ming Jin
Tizen and Web
14:00 Simon Jensen
Tooling at Samsung
14:30 Shu-yu Guo
Memory Tooling in Firefox (Work in Progress)
15:30 Frank Piessens
A Security Architecture for Server-side JavaScript
16:00 Rezwana Karim
web browser security
16:30 Gareth Smith
Proving Security Properties about Secure ECMAScript (SES) Programs
17:00 Closing Remarks

Submissions

We welcome any submissions of work in this field: you may submit a paper, an abstract for a talk, or a talk abstract together with a supporting position paper. To submit, please e-mail submissions by 25 April to the organizers. Papers will be published on this site if desired by the authors. We propose to follow this style; if desired, slides from talks will be put online on the workshop Web site, but talks can also be kept unpublished if that is preferred so as not to preclude future publications in workshops and conferences. The organizing committee will referee submissions for relevance, as we are looking for ongoing work more than finished research projects. Additional expert opinions may be requested from the expected participants.

Travel/Venue

Regarding travel and venue please follow the pages for the main conferences.

Organization