Remedying the Eval that Men Do

Simon Holm Jensen, Peter A. Jonsson, Anders Møller

Research output: Contribution to book/anthology/report/proceeding; Article in proceedings; Research; peer-review


A range of static analysis tools and techniques have been developed
in recent years with the aim of helping JavaScript
web application programmers produce code that is more robust,
safe, and efficient. However, as shown in a previous
large-scale study, many web applications use the JavaScript
eval function to dynamically construct code from text strings
in ways that obstruct existing static analyses. As a consequence,
the analyses either fail to reason about the web
applications or produce unsound or useless results.
We present an approach to soundly and automatically
transform many common uses of eval into other language
constructs to enable sound static analysis of web applications.
By eliminating calls to eval, we expand the applicability
of static analysis for JavaScript web applications in
The transformation we propose works by incorporating a
refactoring technique into a dataflow analyzer. We report
on our experimental results with a small collection of programming
patterns extracted from popular web sites. Although
there are inevitably cases where the transformation
must give up, our technique succeeds in eliminating many
nontrivial occurrences of eval.
Original language: English
Title of host publication: 2012 International Symposium on Software Testing and Analysis (ISSTA) : Proceedings
Editors: Mats Heimdahl, Zhendong Su
Number of pages: 11
Publisher: Association for Computing Machinery
Publication date: 2012
ISBN (Print): 978-1-4503-1454-1
Publication status: Published - 2012
Event: International Symposium on Software Testing and Analysis - Minneapolis, United States
Duration: 15 Jul 2012 - 20 Jul 2012


Conference: International Symposium on Software Testing and Analysis
Country/Territory: United States


  • JavaScript
  • Refactoring
  • Static analysis

