This is not possible to achieve through static analysis based on the
source code level constructs. In other words, you cannot build a tool
that looks at source code, analyzes the tokens appearing in it, and
infers whether a property on an object has been accessed.
To detect this kind of pattern, you should probably look at methods
using symbolic execution. Very simplistically, symbolic execution looks
at the program's input (typically from the user and/or the external
world) and assumes that the input can be any valid value according to
some constraints (in typed languages for example, you start by assuming
that an integer input can take any valid value in the range acceptable
by the type of the variable it is stored in). Then you start evaluating
the program and as you make progress, you learn about the possible
subranges of a value. Through following different branches in a program
like this, you will find a set of constraints which can cause a program
to take a specific path, and sometimes solving the system of constraints
obtained like this gives you input values that can cause a program to
take a specific path (an unsafe operation, for example.)
I'm not really sure how much this technique can be used on JS. Based on
some quick searches, I found a number of resources which you may find
interesting:
* http://webblaze.cs.berkeley.edu/2010/kudzu/kudzu.pdf
* https://code.google.com/p/js-symbolic-executor/ (which I'm exporting
to github to make sure it won't get lost right now:
https://github.com/ehsan/js-symbolic-executor/)
* https://github.com/SRA-SiliconValley/jalangi (the readme says it has
an undocumented symbolic execution engine, not sure how useful it is
since the project is now replaced with jalangi2.)
That all being said, analyses based on symbolic execution even in typed
languages have a lot of practical limitations and using it even for the
simplest cases such as your example below in JS may very well turn into
a research project that would result in nothing in practice. In my
opinion, it's impractical to detect any useful properties in an add-on
JS code statically based on the source code.
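An added example, not from the post or any project it links, showing the interval-narrowing idea described above on a constructed toy language with a single integer input; the program, the statement format and all names are assumptions, not real add-on code:

```python
# Added toy symbolic executor (not from the post or any project it cites). One integer
# input x; each path keeps the interval x can still take, narrowing it at every 'if'.
INT_MIN, INT_MAX = -2**31, 2**31 - 1   # assumed 32-bit signed input range
NEGATE = {">": "<=", "<": ">=", ">=": "<", "<=": ">"}
CONSTRUCTED_PROGRAM = [   # constructed; ("if", (op, var, const), then, else) | ("call", name)
    ("if", (">", "x", 10), [
        ("if", ("<", "x", 20), [("call", "unsafe")], []),
        ("call", "log"),
    ], [("call", "log")]),
    ("if", ("==", "x", 42), [("call", "unsafe")], []),
]

def narrow(lo, hi, op, c):              # intersect [lo, hi] with {v | v op c}; None if empty
    if op == ">": lo = max(lo, c + 1)
    elif op == "<": hi = min(hi, c - 1)
    elif op == ">=": lo = max(lo, c)
    elif op == "<=": hi = min(hi, c)
    elif op == "==": lo, hi = max(lo, c), min(hi, c)
    return (lo, hi) if lo <= hi else None

def explore(block, state, target, found):   # record every path state reaching `target`
    for i, stmt in enumerate(block):
        if stmt[0] == "call":
            if stmt[1] == target: found.append(dict(state))
            continue
        _, (op, var, c), then_b, else_b = stmt
        rest, (lo, hi) = block[i + 1:], state[var]
        taken = narrow(lo, hi, op, c)
        if taken:                       # true branch feasible: fork and keep going
            explore(then_b + rest, {**state, var: taken}, target, found)
        if op == "==":                  # 'x != c' splits the interval into two pieces
            untaken = [narrow(lo, hi, "<", c), narrow(lo, hi, ">", c)]
        else:
            untaken = [narrow(lo, hi, NEGATE[op], c)]
        for iv in filter(None, untaken):
            explore(else_b + rest, {**state, var: iv}, target, found)
        return                          # both forks already consumed `rest`

def find_inputs(program, target="unsafe"):  # "solving": take each interval's low end
    found = []
    explore(program, {"x": (INT_MIN, INT_MAX)}, target, found)
    return sorted(st["x"][0] for st in found)

def run_concrete(block, env, trace):    # plain interpreter to confirm a solved input
    for stmt in block:
        if stmt[0] == "call":
            trace.append(stmt[1]); continue
        _, (op, var, c), then_b, else_b = stmt   # narrow on a point interval = concrete test
        run_concrete(then_b if narrow(env[var], env[var], op, c) else else_b, env, trace)
    return trace
```

`find_inputs(CONSTRUCTED_PROGRAM)` yields one input per path that reaches `unsafe`, and `run_concrete` replays such an input to confirm the path is real rather than an artefact of the interval approximation.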