Web Applications Reliability



JavaScript is today the de facto programming language of the modern web, and has enabled Rich Internet Applications (RIAs). RIAs are fast replacing traditional desktop and mobile applications. Yet writing RIAs using JavaScript is challenging due to the dynamic nature of the language, and the interaction of JavaScript code with the webpage’s Document Object Model (DOM). In a prior empirical study, we found that many of the Alexa top 100 websites exhibit errors in their JavaScript code, which manifest as runtime exceptions [ISSRE’11].

In this project, we first empirically studied the nature of errors in JavaScript applications, and found that around two-thirds of these errors are due to DOM-JavaScript interactions (see below). We call these DOM-related bugs. More interestingly, about 80% of the highest-impact JavaScript faults, such as security vulnerabilities, are DOM-related bugs. Finally, DOM-related bugs take longer to fix than non-DOM-related ones, even though they get triaged more quickly, which shows their importance. These results are published in our ESEM’13 paper. We have also conducted a large-scale study of questions asked by web developers on StackOverflow, a popular Q&A website, and have found again that DOM-JavaScript interactions are the most problematic for developers [MSR’14].

Figure: DOM-JavaScript errors breakdown

We have since worked on mitigating DOM-related faults in web applications, and built automated tools for fault localization (AutoFlox) [ICST’12] and fault repair (Vejovis) [ICSE’14] for DOM-related bugs. The main idea in AutoFlox is to monitor the dynamic execution of the web application, and use backward slices to find the line of JavaScript code that interacts with the DOM and is likely responsible for the failure (e.g., throws an exception). Vejovis picks up where AutoFlox leaves off and uses the slice to find a possible fix for the DOM-related error. The main idea in Vejovis is to use the structure of the DOM and find a satisfying assignment for the DOM element that allows the program to pass the test case without throwing an exception. Vejovis also incorporates various heuristics based on how programmers fix JavaScript bugs to find the minimum code changes required to fix the bug. We find that AutoFlox can successfully localize over 90% of DOM-related JavaScript bugs in web applications, and that Vejovis can suggest successful fixes for 20 of 22 bugs in real web applications. Both AutoFlox and Vejovis are publicly available to interested researchers here.
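The following is an added sketch of the localize-then-repair idea described above; it is not code from AutoFlox or Vejovis. It assumes a constructed three-id page and a hypothetical `updateTotal` handler, substitutes "most recent DOM access that returned null" for a real backward slice, and substitutes edit-distance ranking of existing ids for Vejovis's DOM-structure-based search.

```javascript
// Added illustration, not AutoFlox/Vejovis code. PAGE_IDS is a constructed DOM.
const PAGE_IDS = ["nav-menu", "cart-total", "cart-items"];

// Wrap a minimal document so every getElementById call is recorded in `trace`.
function makeTracedDocument(ids, trace) {
  const elements = new Map(ids.map((id) => [id, { id, textContent: "" }]));
  const getElementById = (id) => {
    const el = elements.get(id) || null; // a real DOM also returns null here
    trace.push({ id, found: el !== null });
    return el;
  };
  return { getElementById };
}

// Levenshtein distance, used to rank existing ids against the failing one.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// Run the app; on an exception, walk the trace backwards to the most recent
// null-returning DOM access and propose the closest id that exists on the page.
function localizeAndSuggest(app, ids = PAGE_IDS) {
  const trace = [];
  try {
    app(makeTracedDocument(ids, trace));
    return { failed: false };
  } catch (err) {
    const culprit = [...trace].reverse().find((t) => !t.found) || null;
    const byDistance = (x, y) => editDistance(culprit.id, x) - editDistance(culprit.id, y);
    const suggestion = culprit && [...ids].sort(byDistance)[0];
    return { failed: true, error: err.message, culprit: culprit && culprit.id, suggestion };
  }
}

// Constructed buggy handler: the misspelled id makes the lookup return null,
// and the failure only surfaces later, at the property write.
function updateTotal(document) {
  document.getElementById("cart-items").textContent = "2 items";
  const total = document.getElementById("cart_total"); // bug: id is "cart-total"
  total.textContent = "$40"; // TypeError is thrown here, not at the lookup
}
```

The exception is raised at the property write, but the report points at the `getElementById("cart_total")` lookup, which is the DOM interaction a developer actually has to change.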

We have also developed program understanding techniques for DOM-JavaScript interactions (Clematis) [ICSE’14] and automated code completion for DOM-JavaScript interactions (DOMPletion) [ASE’14]. Finally, we have worked on automated testing of web applications (Mutandis) [ICST’13] and test oracle generation (Pythia) [ASE’13].


Industry: Ben Zorn (MSR), Moh Haghighat (Intel)

Colleagues: Ali Mesbah

Students: Frolin Ocariza, Saba Alimadadi

Alumni: Shabnam Mirshokraie, Sheldon Sequira, Kartik Bajaj

Funding: NSERC, MITACS, Intel and Microsoft Research.
