Accelerating JavaScript Static Analysis via Dynamic Shortcuts (Extended Version)

JavaScript has become one of the most widely used programming languages for web development, server-side programming, and even micro-controllers for IoT. However, its extremely functional and dynamic features degrade the performance and precision of static analysis. Moreover, the variety of built-in functions and host environments requires excessive manual modeling of their behaviors. To alleviate these problems, researchers have proposed various ways to leverage dynamic analysis during JavaScript static analysis. However, they do not fully utilize the high performance of dynamic analysis and often sacrifice the soundness of static analysis. In this paper, we present dynamic shortcuts, a new technique to flexibly switch between abstract and concrete execution during JavaScript static analysis in a sound way. It can significantly improve the analysis performance and precision by using highly-optimized commercial JavaScript engines and lessen the modeling efforts for opaque code. We actualize the technique via $\text{SAFE}\textsf{DS}$, an extended combination of $\text{SAFE}$ and Jalangi, a static analyzer and a dynamic analyzer, respectively. We evaluated $\text{SAFE}\textsf{DS}$ using 269 official tests of Lodash 4 library. Our experiment shows that $\text{SAFE}_\textsf{DS}$ is 7.81x faster than the baseline static analyzer, and it improves the precision to reduce failed assertions by 12.31% on average for 22 opaque functions.