Commit 8e650a2

SAFE 2.0
1 parent bbe3bf9 commit 8e650a2

22,301 files changed

+277241
-4029135
lines changed

.gitignore

Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
*.DS_Store
2+
*.aux
3+
*.log
4+
*.swp
5+
*.swo
6+
*.out
7+
*.toc
8+
*.o
9+
*~
10+
*.d
11+
*.a
12+
*.y
13+
*.pyc
14+
*.js.html
15+
*.html.html
16+
src/main/java/kr/ac/kaist/safe/parser/
17+
tests/detail
18+
project/project/
19+
project/target/
20+
target/
21+
lib/xtc.jar
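
Review bot: ignoring `lib/xtc.jar` (last entry) together with `src/main/java/kr/ac/kaist/safe/parser/` means the build depends on a jar and on generated parser sources that are not tracked in the repository, and the README added in this commit does not say where the jar comes from. Suggest documenting the source and expected version of `lib/xtc.jar` and checking it against a pinned checksum wherever the build obtains it. The unanchored patterns `*.log`, `*.out`, `*.d`, `*.a` and `*.y` also match at every depth, so consider scoping them to the build directories so that source or test files with those extensions are not silently left out of commits.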

LICENSE

Lines changed: 5 additions & 7 deletions
@@ -1,6 +1,8 @@
1-
Unless otherwise noted below, SAFE is released under this BSD license:
1+
Unless otherwise noted below, the Scalable Analysis Framework for
2+
ECMAScript (SAFE) Version 2.0 is released under this BSD license:
23
--------------------------------------------------------
3-
Copyright (c) 2012-2014, KAIST and S-Core. All rights reserved.
4+
Copyright (c) 2016, KAIST.
5+
All rights reserved.
46

57
Redistribution and use in source and binary forms, with
68
or without modification, are permitted provided that
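
Review bot: dropping `2012-2014` and `S-Core` from the copyright line needs confirmation, because the README added in this same commit still credits colleagues in S-Core and Samsung Electronics for SAFE 1.0 source code. If any SAFE 1.0 code is carried into 2.0, keep the earlier years and holder in the notice, or record in the commit message that the rights now rest with KAIST alone.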
@@ -13,7 +15,7 @@ following disclaimer.
1315
above copyright notice, this list of conditions and the
1416
following disclaimer in the documentation and/or other
1517
materials provided with the distribution.
16-
* Neither the name of KAIST, S-Core, nor
18+
* Neither the name of KAIST nor
1719
the names of its contributors may be used to endorse or
1820
promote products derived from this software without
1921
specific prior written permission.
@@ -34,7 +36,3 @@ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
3436
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
3537
POSSIBILITY OF SUCH DAMAGE.
3638
--------------------------------------------------------
37-
38-
The licenses of the third party software are available at:
39-
40-
lib/THIRDPARTYLICENSEREADME.txt
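
Review bot: the pointer to `lib/THIRDPARTYLICENSEREADME.txt` at the end of the file is removed with no replacement, while the `.gitignore` in this commit still expects a `lib/xtc.jar` dependency. Suggest keeping a third-party notice, here or in the README, that lists each dependency the build bundles or fetches together with its license.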

META-INF/MANIFEST.MF

Lines changed: 0 additions & 27 deletions
This file was deleted.

README.md

Lines changed: 0 additions & 96 deletions
This file was deleted.

README.rst

Lines changed: 127 additions & 0 deletions
@@ -0,0 +1,127 @@
1+
Scalable Analysis Framework for ECMAScript (SAFE) Version 2.0
2+
===========
3+
4+
Introduction
5+
============
6+
Copyright (c) 2016, KAIST
7+
8+
SAFE 2.0 is a scalable and pluggable analysis framework for JavaScript web applications developed by the Programming Language Research Group at KAIST:
9+
10+
http://plrg.kaist.ac.kr
11+
12+
Older versions are still available at the SAFE1.0 branch.
13+
14+
SAFE has been used by:
15+
16+
* `JSAI`_ @ UCSB
17+
* `ROSAEC`_ @ Seoul National University
18+
* `K Framework`_ @ University of Illinois at Urbana-Champaign
19+
* `Ken Cheung`_ @ HKUST
20+
* `Web-based Vulnerability Detection`_ @ Oracle Labs
21+
* `Tizen`_ @ Linux Foundation
22+
23+
.. _JSAI: http://www.cs.ucsb.edu/~benh/research/downloads.html
24+
.. _ROSAEC: http://rosaec.snu.ac.kr
25+
.. _K Framework: http://www.kframework.org/index.php/Main_Page
26+
.. _Ken Cheung: http://www.cse.ust.hk/~hunkim
27+
.. _Web-based Vulnerability Detection: https://labs.oracle.com/pls/apex/f?p=labs:49:::::P49_PROJECT_ID:133
28+
.. _Tizen: https://www.tizen.org
29+
30+
Requirements
31+
============
32+
33+
We assume you are using an operating system with a Unix-style shell (for example, Mac OS X, Linux, or Cygwin on Windows).
34+
Assuming **SAFE_HOME** points to the SAFE directory, you will need to have access to the following:
35+
36+
* J2SDK 1.8. See http://java.sun.com/javase/downloads/index.jsp
37+
* Scala 2.12. See http://scala-lang.org/download
38+
* sbt version 0.13 or later. See http://www.scala-sbt.org
39+
* Bash version 2.5 or later, installed at /bin/bash. See http://www.gnu.org/software/bash/
40+
41+
In your shell startup script, add $SAFE_HOME/bin to your path. The shell scripts in this directory are Bash scripts. To run them, you must have Bash accessible in /bin/bash.
42+
43+
Installation
44+
============
45+
46+
Type **sbt compile** and then **sbt test** to make sure that your installation successfully finishes the tests.
47+
48+
Once you have built the framework, you can call it from any directory, on any JavaScript file, simply by typing one of available commands at a command line. You can see the available commands by typing: ::
49+
50+
bin/safe
51+
52+
or with more explanation: ::
53+
54+
bin/safe help
55+
56+
Some of the available commands are as follows:
57+
58+
* **parse**: parses a JavaScript file.
59+
* **astRewrite**: rewrites a JavaScript AST via Hoister, Disambiguator, and WithRewriter.
60+
* **compile**: translates a JavaScript file to a SAFE intermediate representation.
61+
* **cfgBuild**: builds a control flow graph for a JavaScript file.
62+
* **analyze**: analyzes static properties of JavaScript expressions in a given file.
63+
64+
Changes from SAFE 1.0
65+
============
66+
67+
* SAFE 2.0 has been tested using `Test262`_, the official ECMAScript (ECMA-262) conformance suite.
68+
* SAFE 2.0 now uses **sbt** instead of **ant** to build SAFE.
69+
* Most Java source files are replaced by Scala code and the only Java source code remained is the generated parser code.
70+
* Several components from SAFE 1.0 may not be integrated into SAFE 2.0. Such components include interpreter, concolic testing, clone detector, clone refactoring, TypeScript support, Web API misuse detector, and several abstract domains like the string automata domain.
71+
72+
.. _Test262: https://github.com/tc39/test262
73+
74+
SAFE 2.0 Roadmap
75+
============
76+
77+
* SAFE 2.0 will make monthly updates.
78+
* The next update will include a SAFE document, browser benchmarks, and more Test262 tests.
79+
* We plan to support some missing features from SAFE 1.0 incrementally such as a bug detector, DOM modeling, and jQuery analysis.
80+
* SAFE 2.0 is aimed to be a playground for advanced research in JavaScript web applications. Thus, we intentionally designed it to be light-weight.
81+
* Future versions of SAFE 2.0 will address various analysis techniques, dynamic features of web applications, event handling, modeling framework, compositional analysis, and selective sensitivity among others.
82+
83+
Publications
84+
============
85+
86+
Details of the SAFE framework are available in our papers:
87+
88+
* `Battles with False Positives in Static Analysis of JavaScript Web Applications in the Wild`_ (ICSE SEIP 2016)
89+
* `Static Analysis of JavaScript Web Applications in the Wild via Practical DOM Modeling`_ (ASE 2015)
90+
* `Practically Tunable Static Analysis Framework for Large-Scale JavaScript Applications`_ (ASE 2015)
91+
* `Development Nature Matters\: An Empirical Study of Code Clones in JavaScript Applications`_ (EMSE 2015)
92+
* `Scalable and Precise Static Analysis of JavaScript Applications via Loop-Sensitivity`_ (ECOOP 2015)
93+
* `SAFE_WAPI\: Web API Misuse Detector for Web Applications`_ (FSE 2014)
94+
* `All about the ''with'' Statement in JavaScript\: Removing ''with'' Statements in JavaScript Applications`_ (DLS 2013)
95+
* `Formal Specification of a JavaScript Module System`_ (OOPSLA 2012)
96+
* `SAFE\: Formal Specification and Implementation of a Scalable Analysis Framework for ECMAScript`_ (FOOL 2012)
97+
98+
.. _Battles with False Positives in Static Analysis of JavaScript Web Applications in the Wild: http://plrg.kaist.ac.kr/lib/exe/fetch.php?media=research:publications:icse-seip16.pdf
99+
.. _Static Analysis of JavaScript Web Applications in the Wild via Practical DOM Modeling: http://plrg.kaist.ac.kr/lib/exe/fetch.php?media=research:publications:ase15dom.pdf
100+
.. _Practically Tunable Static Analysis Framework for Large-Scale JavaScript Applications: http://plrg.kaist.ac.kr/lib/exe/fetch.php?media=research:publications:ase15sparse.pdf
101+
.. _Development Nature Matters\: An Empirical Study of Code Clones in JavaScript Applications: http://plrg.kaist.ac.kr/lib/exe/fetch.php?media=research:publications:emse15.pdf
102+
.. _Scalable and Precise Static Analysis of JavaScript Applications via Loop-Sensitivity: http://plrg.kaist.ac.kr/lib/exe/fetch.php?media=research:publications:ecoop15.pdf
103+
.. _SAFE_WAPI\: Web API Misuse Detector for Web Applications: http://plrg.kaist.ac.kr/lib/exe/fetch.php?media=research:publications:fse14final.pdf
104+
.. _All about the ''with'' Statement in JavaScript\: Removing ''with'' Statements in JavaScript Applications: http://plrg.kaist.ac.kr/lib/exe/fetch.php?media=research:publications:dls13.pdf
105+
.. _Formal Specification of a JavaScript Module System: http://plrg.kaist.ac.kr/lib/exe/fetch.php?media=research:publications:oopsla12.pdf
106+
.. _SAFE\: Formal Specification and Implementation of a Scalable Analysis Framework for ECMAScript: http://plrg.kaist.ac.kr/lib/exe/fetch.php?media=research:publications:fool2012.pdf
107+
108+
Authors
109+
============
110+
111+
The main developers of SAFE 2.0 are as follows:
112+
113+
* `Jihyeok Park`_
114+
* `Yeonhee Ryou`_
115+
* `Sukyoung Ryu`_
116+
117+
.. _Jihyeok Park: https://github.com/jhnaldo
118+
.. _Yeonhee Ryou: https://github.com/yeonni
119+
.. _Sukyoung Ryu: https://github.com/sukyoung
120+
121+
and the following people have contributed to the source code:
122+
123+
* `Minsoo Kim`_ (Built-in function modeling)
124+
* `PLRG @ KAIST`_ and colleagues in S-Core and Samsung Electronics (SAFE 1.0)
125+
126+
.. _Minsoo Kim: https://github.com/mskim5383
127+
.. _PLRG @ KAIST: http://plrg.kaist.ac.kr
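
Review bot: the Requirements list (added lines 36 to 39) links the Java, Scala, sbt and Bash downloads over plain `http://`; readers install their toolchain from these links, so use `https://` wherever the site serves it. Separately, the `=` underlines beneath the document title, `Changes from SAFE 1.0` and `SAFE 2.0 Roadmap` are shorter than their titles, which docutils reports as "Title underline too short", and the title shares its adornment style with the section headings, so it renders at the same level as them. Lengthen those underlines and give the title a distinct adornment.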
