Copyright 2009-2016 Aarhus University
For research publications and other information about this tool see http://www.brics.dk/TAJS.
How to build and run the tool
The simplest way to build TAJS is to run ant, which will build two jar files: dist/tajs.jar (which contains only TAJS itself) and dist/tajs-all.jar (which also includes the relevant extra libraries).
The jar files are also available for download at http://www.brics.dk/TAJS/dist/.
You can now run the analysis as, for example:
java -jar dist/tajs-all.jar test/google/richards.js
java -jar dist/tajs-all.jar test/chromeexperiments/3ddemo.html
By default, TAJS outputs some information about its progress and eventually a list of type warnings and other messages.
Some of the available options (run TAJS without arguments to see the full list):
-callgraph - output call graph as text and in a file out/callgraph.dot (process with Graphviz dot)
-collect-variable-info - output type and line information about all variables
-debug - output extensive internal information during the analysis
-flowgraph - output the initial and final flow graphs (TAJS's intermediate representation) as text and to out/flowgraphs/ (in Graphviz dot format, with a file for each function and for the complete program)
-low-severity - enable many more type warnings
-quiet - only print results, not information about analysis progress
-states - output intermediate abstract states during the analysis
-uneval - enable the Unevalizer for on-the-fly translation of eval calls, as described in 'Remedying the Eval that Men Do', ISSTA 2012
-determinacy - enable the techniques described in 'Determinacy in Static Analysis of jQuery', OOPSLA 2014
Note that the analysis produces lots of additional information that is not output by default. If you want full access to the abstract states and call graphs, as a starting point see the source code for
The javadoc for TAJS is available at http://www.brics.dk/TAJS/doc/.
Special built-in functions
TAJS recognizes a few special built-in functions (defined as properties of the global object) to support debugging and testing of the tool, including:
TAJS_dumpValue(exp) - report the abstract value of expression exp after analysis has completed
TAJS_dumpObject(obj) - report the properties of the abstract object obj after analysis has completed
TAJS_dumpState() - report the abstract state at this program point after analysis has completed
TAJS_assert(value) - tests that value is true; failure will result in an AssertionError.
TAJS_assert(value, predicate) - a generalized version of the single-argument TAJS_assert that supports disjunctions of the predicate methods in Value.java. For example, to check that a value is either a single concrete string or some unsigned integer:
TAJS_assert(myValue, 'isMaybeSingleStr || isMaybeNumUInt')
Running regression tests
test contains a collection of tests that can be executed by running dk.brics.tajs.test.RunFast with JUnit from Eclipse/IntelliJ or with ant test from the command-line.
(A more thorough but slower test is located in
The analysis models of the HTML DOM, the browser API, and the ECMAScript native library are not complete. For a list of other known sources of unsoundness, see https://github.com/cs-au-dk/TAJS/issues?q=is%3Aopen+is%3Aissue+label%3Asoundiness.
This diagram shows the main package dependencies:
Modifications of the source code should avoid introducing upwards dependencies in this diagram.
The following people have contributed to the source code:
- Anders Møller
- Esben Andreasen
- Simon Holm Jensen
- Peter Thiemann
- Magnus Madsen
- Matthias Diehn Ingesman
- Peter Jonsson
This software includes components from: