JISET: JavaScript IR-based semantics extraction toolchain

ABSTRACTJavaScript was initially designed for client-side programming in web browsers, but its engine is now embedded in various kinds of host software. Despite the popularity, since the JavaScript semantics is complex especially due to its dynamic nature, understanding and reasoning about JavaScript programs are challenging tasks. Thus, researchers have proposed several attempts to define the formal semantics of JavaScript based on ECMAScript, the official JavaScript specification. However, the existing approaches are manual, labor-intensive, and error-prone and all of their formal semantics target ECMAScript 5.1 (ES5.1, 2011) or its former versions. Therefore, they are not suitable for understanding modern JavaScript language features introduced since ECMAScript 6 (ES6, 2015). Moreover, ECMAScript has been annually updated since ES6, which already made five releases after ES5.1. To alleviate the problem, we propose JISET, a JavaScript IR-based Semantics Extraction Toolchain. It is the first tool that automatically synthesizes parsers and AST-IR translators directly from a given language specification, ECMAScript. For syntax, we develop a parser generation technique with lookahead parsing for BNFES, a variant of the extended BNF used in ECMAScript. For semantics, JISET synthesizes AST-IR translators using forward compatible rule-based compilation. Compile rules describe how to convert each step of abstract algorithms written in a structured natural language into IRES, an Intermediate Representation that we designed for ECMAScript. For the four most recent ECMAScript versions, JISET automatically synthesized parsers for all versions, and compiled 95.03% of the algorithm steps on average. After we complete the missing parts manually, the extracted core semantics of the latest ECMAScript (ES10, 2019) passed all 18,064 applicable tests. Using this first formal semantics of modern JavaScript, we found nine specification errors in ES10, which were all confirmed by the Ecma Technical Committee 39. Furthermore, we showed that JISET is forward compatible by applying it to nine feature proposals ready for inclusion in the next ECMAScript, which let us find three errors in the BigInt proposal.