Jalangi 2

Class: MyAnalysis

MyAnalysis

new MyAnalysis()

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 101

This file is a template for writing a custom Jalangi 2 analysis. Simply copy this file and rewrite the callbacks that you need to implement in your analysis. Other callbacks should be removed from the file.

In the following methods (also called as callbacks) one can choose to not return anything. If all of the callbacks return nothing, we get a passive analysis where the concrete execution happens unmodified and callbacks can be used to observe the execution. One can choose to return suitable objects with specified properties in some callbacks to modify the behavior of the concrete execution. For example, one could set the skip property of the object returned from MyAnalysis#putFieldPre to true to skip the actual putField operation. Similarly, one could set the result field of the object returned from a MyAnalysis#write callback to modify the value that is actually written to a variable. The result field of the object returned from a MyAnalysis#conditional callback can be suitably set to change the control-flow of the program execution. In MyAnalysis#functionExit and MyAnalysis#scriptExit, one can set the isBacktrack property of the returned object to true to reexecute the body of the function from the beginning. This in conjunction with the ability to change the control-flow of a program enables us to explore the different paths of a function in symbolic execution.

Note that if process.exit() is called, then an execution terminates abnormally and a callback to MyAnalysis#endExecution will be skipped.

An analysis can access the source map, which maps instruction identifiers to source locations, using the global object stored in J$.smap. Jalangi 2 assigns a unique id, called sid, to each JavaScript script loaded at runtime. J$.smap maps each sid to an object, say iids, containing source map information for the script whose id is sid. iids has the following properties: "originalCodeFileName" (stores the path of the original script file), "instrumentedCodeFileName" (stores the path of the instrumented script file), "url" (is optional and stores the URL of the script if it is set during instrumentation using the --url option), "evalSid" (stores the sid of the script in which the eval is called in case the current script comes from an eval function call), "evalIid" (iid of the eval function call in case the current script comes from an eval function call), "nBranches" (the number of conditional statements in the script), and "code" (a string denoting the original script code if the code is instrumented with the --inlineSource option). iids also maps each iid (which stands for instruction id, an unique id assigned to each callback function inserted by Jalangi2) to an array containing [beginLineNumber, beginColumnNumber, endLineNumber, endColumnNumber]. The mapping from iids to arrays is only available if the code is instrumented with the --inlineIID option.

In each callback described below, iid denotes the unique static instruction id of the callback in the script. Two callback functions inserted in two different scripts may have the same iid. In a callback function, one can access the current script id using J$.sid. One can call J$.getGlobalIID(iid) to get a string, called giid, that statically identifies the callback throughout the program. J$.getGlobalIID(iid) returns the string J$.sid+":"+iid. J$.iidToLocation(giid) returns a string containing the original script file path, begin and end line numbers and column numbers of the code snippet for which the callback with giid was inserted.

A number of sample analyses can be found at ../src/js/sample_analyses/. Refer to ../README.md for instructions on running an analysis.

Methods

_return(iid, val){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 385
This callback is called before a value is returned from a function using the return keyword.
Name Type Description
iid number Static unique instruction identifier of this callback
val * Value to be returned
Returns:
Type Description
Object | undefined - If an object is returned, the value to be returned is replaced with the value stored in the result property of the object.

_throw(iid, val){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 397
This callback is called before a value is thrown using the throw keyword.
Name Type Description
iid number Static unique instruction identifier of this callback
val * Value to be thrown
Returns:
Type Description
Object | undefined - If an object is returned, the value to be thrown is replaced with the value stored in the result property of the object.

_with(iid, val){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 409
This callback is called when a with statement is executed
Name Type Description
iid number Static unique instruction identifier of this callback
val * Value used as an argument to with
Returns:
Type Description
Object | undefined - If an object is returned, the value to be used in with is replaced with the value stored in the result property of the object.

binary(iid, op, left, right, result, isOpAssign, isSwitchCaseComparison, isComputed){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 513
This callback is called after a binary operation. Binary operations include +, -, *, /, %, &, |, ^, <<, >>, >>>, <, >, <=, >=, ==, !=, ===, !==, instanceof, delete, in.
Name Type Description
iid number Static unique instruction identifier of this callback
op string Operation to be performed
left * Left operand
right * Right operand
result * The result of the binary operation
isOpAssign boolean True if the binary operation is part of an expression of the form x op= e
isSwitchCaseComparison boolean True if the binary operation is part of comparing the discriminant with a consequent in a switch statement.
isComputed boolean True if the operation is of the form delete x[p], and false otherwise (even if the operation if of the form delete x.p)
Returns:
Type Description
Object | undefined - If an object is returned, the result of the binary operation is replaced with the value stored in the result property of the object.

binaryPre(iid, op, left, right, isOpAssign, isSwitchCaseComparison, isComputed){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 491
This callback is called before a binary operation. Binary operations include +, -, *, /, %, &, |, ^, <<, >>, >>>, <, >, <=, >=, ==, !=, ===, !==, instanceof, delete, in. No callback for delete x because this operation cannot be performed reflectively.
Name Type Description
iid number Static unique instruction identifier of this callback
op string Operation to be performed
left * Left operand
right * Right operand
isOpAssign boolean True if the binary operation is part of an expression of the form x op= e
isSwitchCaseComparison boolean True if the binary operation is part of comparing the discriminant with a consequent in a switch statement.
isComputed boolean True if the operation is of the form delete x[p], and false otherwise (even if the operation if of the form delete x.p)
Returns:
Type Description
Object | undefined - If an object is returned and the skip property is true, then the binary operation is skipped. Original op, left, and right are replaced with that from the returned object if an object is returned.

conditional(iid, result){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 555
This callback is called after a condition check before branching. Branching can happen in various statements including if-then-else, switch-case, while, for, ||, &&, ?:.
Name Type Description
iid number Static unique instruction identifier of this callback
result * The value of the conditional expression
Returns:
Type Description
Object | undefined - If an object is returned, the result of the conditional expression is replaced with the value stored in the result property of the object.

declare(iid, name, val, isArgument, argumentIndex, isCatchParam){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 266
This callback is triggered at the beginning of a scope for every local variable declared in the scope, for every formal parameter, for every function defined using a function statement, for arguments variable, and for the formal parameter passed in a catch statement.
Name Type Description
iid number Static unique instruction identifier of this callback
name string Name of the variable that is declared
val * Initial value of the variable that is declared. Variables can be local variables, function parameters, catch parameters, arguments, or functions defined using function statements. Variables declared with var have undefined as initial values and cannot be changed by returning a different value from this callback. On the beginning of an execution of a function, a declare callback is called on the arguments variable.
isArgument boolean True if the variable is arguments or a formal parameter.
argumentIndex number Index of the argument in the function call. Indices start from 0. If the variable is not a formal parameter, then argumentIndex is -1.
isCatchParam boolean True if the variable is a parameter of a catch statement.
Returns:
Type Description
Object | undefined - If the function returns an object, then the original initial value is replaced with the value stored in the result property of the object. This does not apply to local variables declared with var.

endExecution(){undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 601
This callback is called when an execution terminates in node.js. In a browser environment, the callback is called if ChainedAnalyses.js or ChainedAnalysesNoCheck.js is used and Alt-Shift-T is pressed.
Returns:
Type Description
undefined - Any return value is ignored

endExpression(iid){undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 592
This callback is called when an expression is evaluated and its value is discarded. For example, this callback is called when an expression statement completes its execution.
Name Type Description
iid number Static unique instruction identifier of this callback
Returns:
Type Description
undefined - Any return value is ignored

forinObject(iid, val){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 241
This callback is called when a for-in loop is used to iterate the properties of an object.
Name Type Description
iid number Static unique instruction identifier of this callback
val * Objects whose properties are iterated in a for-in loop.
Returns:
Type Description
Object | undefined - If the function returns an object, then the original object whose properties are being iterated is replaced with the value stored in the result property of the returned object.
Example
for (x in y) { }

// the above call roughly gets instrumented as follows:

var aret = analysis.forinObject(iid, y);
if (aret) {
    y = aret.result;
}
for (x in y) {}

functionEnter(iid, f, dis, args){undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 422
This callback is called before the execution of a function body starts.
Name Type Description
iid number Static unique instruction identifier of this callback
f function The function object whose body is about to get executed
dis * The value of the this variable in the function body
args Array List of the arguments with which the function is called
Returns:
Type Description
undefined - Any return value is ignored

functionExit(iid, returnVal, wrappedExceptionVal){Object}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 440
This callback is called when the execution of a function body completes
Name Type Description
iid number Static unique instruction identifier of this callback
returnVal * The value returned by the function
wrappedExceptionVal Object | undefined If this parameter is an object, the function execution has thrown an uncaught exception and the exception is being stored in the exception property of the parameter
Returns:
Type Description
Object If an object is returned, then the actual returnVal and wrappedExceptionVal.exception are replaced with that from the returned object. If an object is returned and the property isBacktrack is set, then the control-flow returns to the beginning of the function body instead of returning to the caller. The property isBacktrack can be set to true to repeatedly execute the function body as in MultiSE symbolic execution.

getField(iid, base, offset, val, isComputed, isOpAssign, isMethodCall){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 305
This callback is called after a property of an object is accessed.
Name Type Description
iid number Static unique instruction identifier of this callback
base * Base object
offset string | * Property
val * Value of base[offset]
isComputed boolean True if property is accessed using square brackets. For example, isComputed is true if the get field operation is o[p], and false if the get field operation is o.p
isOpAssign boolean True if the operation is of the form o.p op= e
isMethodCall boolean True if the get field operation is part of a method call (e.g. o.p())
Returns:
Type Description
Object | undefined - If an object is returned, the value of the get field operation is replaced with the value stored in the result property of the object.

getFieldPre(iid, base, offset, isComputed, isOpAssign, isMethodCall){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 286
This callback is called before a property of an object is accessed.
Name Type Description
iid number Static unique instruction identifier of this callback
base * Base object
offset string | * Property
isComputed boolean True if property is accessed using square brackets. For example, isComputed is true if the get field operation is o[p], and false if the get field operation is o.p
isOpAssign boolean True if the operation is of the form o.p op= e
isMethodCall boolean True if the get field operation is part of a method call (e.g. o.p())
Returns:
Type Description
Object | undefined - If an object is returned and the skip property of the object is true, then the get field operation is skipped. Original base and offset are replaced with that from the returned object if an object is returned.

instrumentCode(iid, newCode, newAst){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 581
This callback is called after a string passed as an argument to eval or Function is instrumented.
Name Type Description
iid number Static unique instruction identifier of this callback
newCode * Instrumented code
newAst Object The AST of the instrumented code
Returns:
Type Description
Object | undefined - If an object is returned, the instrumented code is replaced with the value stored in the result property of the object.

instrumentCodePre(iid, code){Object}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 568
This callback is called before a string passed as an argument to eval or Function is instrumented.
Name Type Description
iid number Static unique instruction identifier of this callback
code * Code that is going to get instrumented
Returns:
Type Description
Object - If an object is returned and the skip property is true, then the instrumentation of code is skipped. Original code is replaced with that from the returned object if an object is returned.

invokeFun(iid, f, base, args, result, isConstructor, isMethod, functionIid){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 188
This callback is called after a function, method, or constructor invocation.
Name Type Description
iid number Static unique instruction identifier of this callback
f function The function object that was invoked
base * The receiver object for the function f
args Array The array of arguments passed to f
result * The value returned by the invocation
isConstructor boolean True if f is invoked as a constructor
isMethod boolean True if f is invoked as a method
functionIid number The iid (i.e. the unique instruction identifier) passed to the callback MyAnalysis#functionEnter when the function f is executed. functionIid can be treated as the static identifier of the function f. Note that a given function code block can create several function objects, but each such object has a common functionIid, which is the iid that is passed to MyAnalysis#functionEnter when the function executes.
Returns:
Type Description
Object | undefined - If an object is returned, the return value of the invoked function is replaced with the value stored in the result property of the object. This enables one to change the value that is returned by the actual function invocation.
Example
x = y.f(a, b, c)

// the above call roughly gets instrumented as follows:

var skip = false;
var aret = analysis.invokeFunPre(113, f, y, [a, b, c], false, true);
if (aret) {
    f = aret.f;
    y = aret.y;
    args = aret.args;
    skip = aret.skip
}
if (!skip) {
    result =f.apply(y, args);
}
aret = analysis.invokeFun(117, f, y, args, result, false, true);
if (aret) {
    x = aret.result
} else {
    x = result;
}

invokeFunPre(iid, f, base, args, isConstructor, isMethod, functionIid){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 141
This callback is called before a function, method, or constructor invocation. Note that a method invocation also triggers a MyAnalysis#getFieldPre and a MyAnalysis#getField callbacks.
Name Type Description
iid number Static unique instruction identifier of this callback
f function The function object that going to be invoked
base object The receiver object for the function f
args Array The array of arguments passed to f
isConstructor boolean True if f is invoked as a constructor
isMethod boolean True if f is invoked as a method
functionIid number The iid (i.e. the unique instruction identifier) passed to the callback MyAnalysis#functionEnter when the function f is executed. The functionIid can be treated as the static identifier of the function f. Note that a given function code block can create several function objects, but each such object has a common functionIid, which is the iid that is passed to MyAnalysis#functionEnter when the function executes.
Returns:
Type Description
Object | undefined - If an object is returned and the skip property of the object is true, then the invocation operation is skipped. Original f, base, and args are replaced with that from the returned object if an object is returned.
Example
y.f(a, b, c)

// the above call roughly gets instrumented as follows:

var skip = false;
var aret = analysis.invokeFunPre(113, f, y, [a, b, c], false, true);
if (aret) {
    f = aret.f;
    y = aret.y;
    args = aret.args;
    skip = aret.skip
}
if (!skip) {
    f.apply(y, args);
}

literal(iid, val, hasGetterSetter){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 216
This callback is called after the creation of a literal. A literal can be a function literal, an object literal, an array literal, a number, a string, a boolean, a regular expression, null, NaN, Infinity, or undefined.
Name Type Description
iid number Static unique instruction identifier of this callback
val * The literal value
hasGetterSetter boolean True if the literal is an object and the object defines getters and setters
Returns:
Type Description
Object | undefined - If the function returns an object, then the original literal value is replaced with the value stored in the result property of the object.
Example
x = "Hello"

// the above call roughly gets instrumented as follows:

var result = "Hello";
var aret = analysis.literal(201, result, false);
if (aret) {
    result = aret.result;
}
x = result;

onReady(cb)

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 632
onReady is useful if your analysis is running on node.js (i.e., via the direct.js or jalangi.js commands) and needs to complete some asynchronous initialization before the instrumented program starts. In such a case, once the initialization is complete, invoke the cb function to start execution of the instrumented program. Note that this callback is not useful in the browser, as Jalangi has no control over when the instrumented program runs there.
Name Type Description
cb

putField(iid, base, offset, val, isComputed, isOpAssign){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 342
This callback is called after a property of an object is written.
Name Type Description
iid number Static unique instruction identifier of this callback
base * Base object
offset * Property
val * Value to be stored in base[offset]
isComputed boolean True if property is accessed using square brackets. For example, isComputed is true if the get field operation is o[p], and false if the get field operation is o.p
isOpAssign boolean True if the operation is of the form o.p op= e
Returns:
Type Description
Object | undefined - If an object is returned, the result of the put field operation is replaced with the value stored in the result property of the object.

putFieldPre(iid, base, offset, val, isComputed, isOpAssign){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 324
This callback is called before a property of an object is written.
Name Type Description
iid number Static unique instruction identifier of this callback
base * Base object
offset * Property
val * Value to be stored in base[offset]
isComputed boolean True if property is accessed using square brackets. For example, isComputed is true if the get field operation is o[p], and false if the get field operation is o.p
isOpAssign boolean True if the operation is of the form o.p op= e
Returns:
Type Description
Object | undefined - If an object is returned and the skip property is true, then the put field operation is skipped. Original base, offset, and val are replaced with that from the returned object if an object is returned.

read(iid, name, val, isGlobal, isScriptLocal){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 357
This callback is called after a variable is read.
Name Type Description
iid number Static unique instruction identifier of this callback
name string Name of the variable being read
val * Value read from the variable
isGlobal boolean True if the variable is not declared using var (e.g. console)
isScriptLocal boolean True if the variable is declared in the global scope using var
Returns:
Type Description
Object | undefined - If an object is returned, the result of the read operation is replaced with the value stored in the result property of the object.

runInstrumentedFunctionBody(iid, f, functionIid){boolean}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 618
This callback is called only when instrumented with J$.Config.ENABLE_SAMPLING = true This callback is called before the body of a function, method, or constructor is executed if returns true, instrumented function body is executed, else uninstrumented function body is executed
Name Type Description
iid number Static unique instruction identifier of this callback
f function The function whose body is being executed
functionIid number The iid (i.e. the unique instruction identifier) passed to the callback MyAnalysis#functionEnter when the function f is executed. The functionIid can be treated as the static identifier of the function f. Note that a given function code block can create several function objects, but each such object has a common functionIid, which is the iid that is passed to MyAnalysis#functionEnter when the function executes.
Returns:
Type Description
boolean - If true is returned the instrumented function body is executed, otherwise the uninstrumented function body is executed.

scriptEnter(iid, instrumentedFileName, originalFileName)

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 451
This callback is called before the execution of a JavaScript file
Name Type Description
iid number Static unique instruction identifier of this callback
instrumentedFileName string Name of the instrumented script file
originalFileName string Name of the original script file

scriptExit(iid, wrappedExceptionVal){Object}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 468
This callback is called when the execution of a JavaScript file completes
Name Type Description
iid number Static unique instruction identifier of this callback
wrappedExceptionVal Object | undefined If this parameter is an object, the script execution has thrown an uncaught exception and the exception is being stored in the exception property of the parameter
Returns:
Type Description
Object - If an object is returned, then the actual wrappedExceptionVal.exception is replaced with that from the returned object. If an object is returned and the property isBacktrack is set, then the control-flow returns to the beginning of the script body. The property isBacktrack can be set to true to repeatedly execute the script body as in MultiSE symbolic execution.

unary(iid, op, left, result){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 542
This callback is called after a unary operation. Unary operations include +, -, ~, !, typeof, void.
Name Type Description
iid number Static unique instruction identifier of this callback
op string Operation to be performed
left * Left operand
result * The result of the unary operation
Returns:
Type Description
Object | undefined - If an object is returned, the result of the unary operation is replaced with the value stored in the result property of the object.

unaryPre(iid, op, left){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 527
This callback is called before a unary operation. Unary operations include +, -, ~, !, typeof, void.
Name Type Description
iid number Static unique instruction identifier of this callback
op string Operation to be performed
left * Left operand
Returns:
Type Description
Object | undefined If an object is returned and the skip property is true, then the unary operation is skipped. Original op and left are replaced with that from the returned object if an object is returned.

write(iid, name, val, lhs, isGlobal, isScriptLocal){Object|undefined}

/Users/ksen/Dropbox/jalangi2/src/js/runtime/analysisCallbackTemplate.js, line 373
This callback is called before a variable is written.
Name Type Description
iid number Static unique instruction identifier of this callback
name string Name of the variable being read
val * Value to be written to the variable
lhs * Value stored in the variable before the write operation
isGlobal boolean True if the variable is not declared using var (e.g. console)
isScriptLocal boolean True if the variable is declared in the global scope using var
Returns:
Type Description
Object | undefined - If an object is returned, the result of the write operation is replaced with the value stored in the result property of the object.