Context-Sensitive Pointer Analysis for ArkTS

TL;DR

This paper introduces APAK, a context-sensitive pointer analysis framework for ArkTS, improving call graph precision and reducing false positives, thereby enabling advanced static analysis in OpenHarmony applications.

Contribution

The paper presents the first context-sensitive pointer analysis framework for ArkTS, with a novel heap object model and extensible plugin architecture tailored for OpenHarmony.

Findings

Superior performance over CHA/RTA in valid edge coverage

Reduces false positive rates from 20% to 2%

Merged into the official ArkAnalyzer framework

Abstract

Current call graph generation methods for ArkTS, a new programming language for OpenHarmony, exhibit precision limitations when supporting advanced static analysis tasks such as data flow analysis and vulnerability pattern detection, while the workflow of traditional JavaScript(JS)/TypeScript(TS) analysis tools fails to interpret ArkUI component tree semantics. The core technical bottleneck originates from the closure mechanisms inherent in TypeScript's dynamic language features and the interaction patterns involving OpenHarmony's framework APIs. Existing static analysis tools for ArkTS struggle to achieve effective tracking and precise deduction of object reference relationships, leading to topological fractures in call graph reachability and diminished analysis coverage. This technical limitation fundamentally constrains the implementation of advanced program analysis techniques. Therefore, in this paper, we propose a tool named ArkAnalyzer Pointer Analysis Kit (APAK), the first context-sensitive pointer analysis framework specifically designed for ArkTS. APAK addresses these challenges through a unique ArkTS heap object model and a highly extensible plugin architecture, ensuring future adaptability to the evolving OpenHarmony ecosystem. In the evaluation, we construct a dataset from 1,663 real-world applications in the OpenHarmony ecosystem to evaluate APAK, demonstrating APAK's superior performance over CHA/RTA approaches in critical metrics including valid edge coverage (e.g., a 7.1% reduction compared to CHA and a 34.2% increase over RTA). The improvement in edge coverage systematically reduces false positive rates from 20% to 2%, enabling future exploration of establishing more complex program analysis tools based on our framework. Our proposed APAK has been merged into the official static analysis framework ArkAnalyzer for OpenHarmony.