DOI: 10.1145/2950290.2950292
Research article

Static DOM event dependency analysis for testing web applications

Published: 01 November 2016

Abstract

The number and complexity of JavaScript-based web applications are rapidly increasing, but methods and tools for automatically testing them are lagging behind, primarily due to the difficulty in analyzing the subtle interactions between the applications and the event-driven execution environment. Although static analysis techniques have been routinely used on software written in traditional programming languages, such as Java and C++, adapting them to handle JavaScript code and the HTML DOM is difficult. In this work, we propose the first constraint-based declarative program analysis procedure for computing dependencies over program variables as well as event-handler functions of the various DOM elements, which is crucial for analyzing the behavior of a client-side web application. We implemented the method in a software tool named JSDEP and evaluated it in ARTEMIS, a platform for automated web application testing. Our experiments on a large set of web applications show the new method can significantly reduce the number of redundant test sequences and significantly increase test coverage with minimal overhead.

Published In

FSE 2016: Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering
November 2016
1156 pages
ISBN:9781450342186
DOI:10.1145/2950290
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Automated testing
  2. Event dependency
  3. JavaScript
  4. Partial order reduction
  5. Static analysis

Qualifiers

  • Research-article

Conference

FSE'16
Acceptance Rates

Overall Acceptance Rate 17 of 128 submissions, 13%
