Software Analysis for the Web: Achievements and Prospects

The web has had a significant impact on our lives. A technology that was initially created for sharing documents across the network has evolved into a strong medium for developing and distributing software applications. In this paper, we first provide a concise overview of the evolution of the web itself. We then focus on some of the main industrial and research achievements of the past two decades in software analysis and testing techniques geared toward web apps. We discuss static, dynamic, and hybrid analysis approaches, software testing and test adequacy techniques, as well as techniques that help developers write, analyze, and maintain their code. Finally, we present some of the current and future challenges and research opportunities ahead in this field.
