Automatic invariant detection in dynamic web applications

The complexity of modern web applications increases as client-side JavaScript and dynamic DOM programming are used to offer a more interactive web experience. In this paper, we focus on improving the dependability of such applications by automatically inferring invariants from the client-side and using those invariants for testing. By combining JavaScript code instrumentation and tracing we infer runtime program invariants. Furthermore, we dynamically analyze DOM-trees and use learning algorithms to detect template-based invariants per user interface state, across various states, as well as across multiple execution runs. Our open source implementation of the technique is agnostic to server-side technology and capable of automatically using the detected invariants for testing web applications. We demonstrate through a series of case studies that (1) code-level and structural invariants exist in web applications with a large client-side state, (2) they can be automatically detected, (3) they can serve as regression test oracles
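
The code-level part of the pipeline in the abstract (instrument, trace, infer, then reuse the invariants as a regression oracle), sketched as an added example; it is not the paper's implementation. The invariant templates (type and numeric range), the `cartTotal` functions and all other names are assumptions made here.

```javascript
// Added illustration: templates (type, numeric range) are assumptions, not the paper's.
// Wrap fn so each call appends entry/exit records to `trace`.
function instrument(name, fn, trace) {
  return function (...args) {
    const vars = Object.fromEntries(args.map((a, i) => ["arg" + i, a]));
    trace.push({ point: name + ":ENTER", vars });
    const ret = fn.apply(this, args);
    trace.push({ point: name + ":EXIT", vars: { ret } });
    return ret;
  };
}

// Keep, per variable at each program point, what held on every observation.
function inferInvariants(trace) {
  const inv = {};
  for (const { point, vars } of trace) {
    for (const [name, val] of Object.entries(vars)) {
      const key = point + "/" + name, cur = inv[key];
      if (!cur) { inv[key] = { type: typeof val, min: val, max: val }; continue; }
      if (cur.type !== typeof val) cur.type = null; // type invariant falsified
      if (cur.type === "number") { cur.min = Math.min(cur.min, val); cur.max = Math.max(cur.max, val); }
    }
  }
  return inv;
}

// Use the invariants as a regression oracle over a trace from a later run.
function checkInvariants(inv, trace) {
  const violations = [];
  for (const { point, vars } of trace) {
    for (const [name, val] of Object.entries(vars)) {
      const key = point + "/" + name, i = inv[key];
      if (!i || !i.type) continue; // nothing was learned for this variable
      if (typeof val !== i.type) violations.push(`${key}: type ${typeof val}, expected ${i.type}`);
      // Negated form so NaN, which fails every comparison, is reported too.
      else if (i.type === "number" && !(val >= i.min && val <= i.max)) violations.push(`${key}: ${val} outside [${i.min}, ${i.max}]`);
    }
  }
  return violations;
}

// Learn invariants from one version's runs, then check a later version against them.
function regressionCheck(oldFn, newFn, learnInputs, testInputs) {
  const learned = [], run = [];
  learnInputs.forEach(a => instrument("cartTotal", oldFn, learned)(...a));
  testInputs.forEach(a => instrument("cartTotal", newFn, run)(...a));
  return checkInvariants(inferInvariants(learned), run);
}
const cartTotalV1 = (qty, price) => qty * price;      // constructed sample function
const cartTotalV2 = (qty, price) => qty * price - 50; // constructed regression
```

Invariants inferred this way are only as good as the learning runs: a narrow set of inputs yields ranges that flag legitimate behaviour, so violations need triage before being treated as faults.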
