JS EFT: Automated JavaScript Unit Test Generation
Shabnam Mirshokraie Ali Mesbah Karthik Pattabiraman
University of British Columbia
Vancouver, BC, Canada
{shabnamm, amesbah, karthikp}@ece.ubc.ca
Abstract—The event-driven and highly dynamic nature of
JavaScript, as well as its runtime interaction with the Document
Object Model (DOM) make it challenging to test JavaScript-based
applications. Current web test automation techniques target
the generation of event sequences, but they ignore testing the
JavaScript code at the unit level. Further they either ignore the
oracle problem completely or simplify it through generic soft
oracles such as HTML validation and runtime exceptions. We
present a framework to automatically generate test cases for Java-
Script applications at two complementary levels, namely events
and individual JavaScript functions. Our approach employs a
combination of function coverage maximization and function
state abstraction algorithms to efficiently generate test cases.
In addition, these test cases are strengthened by automatically
generated mutation-based oracles. We empirically evaluate the
implementation of our approach, called JS EFT, to assess its
efficacy. The results, on 13 JavaScript-based applications, show
that the generated test cases achieve a coverage of 68% and that
JS EFT can detect injected JavaScript and DOM faults with a high
accuracy (100% precision, 70% recall). We also find that JS EFT
outperforms an existing JavaScript test automation framework
both in terms of coverage and detected faults.
Keywords—Test generation; oracles; JavaScript; DOM
I. I NTRODUCTION
JavaScript plays a prominent role in modern web ap-
plications. To test their JavaScript applications, developers
often write test cases using web testing frameworks such as
S ELENIUM (GUI tests) and QU NIT (JavaScript unit tests).
Although such frameworks help to automate test execution, the
test cases still need to be written manually, which is tedious
and time-consuming.
Further, the event-driven and highly dynamic nature of
JavaScript, as well as its runtime interaction with the Docu-
ment Object Model (DOM) make JavaScript applications error-
prone [1] and difficult to test.
Researchers have recently developed automated test gen-
eration techniques for JavaScript-based applications [2], [3],
[4], [5], [6]. However, current web test generation techniques
suffer from two main shortcomings, namely, they:
1) Target the generation of event sequences, which operate
at the event-level or DOM-level to cover the state space
of the application. These techniques fail to capture faults
that do not propagate to an observable DOM state. As
such, they potentially miss this portion of code-level Java-
Script faults. In order to capture such faults, effective test
generation techniques need to target the code at the Java-
Script unit-level, in addition to the event-level.
2) Either ignore the oracle problem altogether or simplify
it through generic soft oracles, such as W3C HTML
validation [2], [5], or JavaScript runtime exceptions [2]. A
generated test case without assertions is not useful since
coverage alone is not the goal of software testing. For
such generated test cases, the tester still needs to manually
write many assertions, which is time and effort intensive.
On the other hand, soft oracles target generic fault types
and are limited in their fault finding capabilities. However,
to be practically useful, unit testing requires strong oracles
to determine whether the application under test executes
correctly.
To address these two shortcomings, we propose an automated
test case generation technique for JavaScript applications.
Our approach, called JS EFT (JavaScript Event and Func-
tion Testing) operates through a three step process. First, it
dynamically explores the event-space of the application using
a function coverage maximization method, to infer a test
model. Then, it generates test cases at two complementary
levels, namely, DOM event and JavaScript functions. Our
technique employs a novel function state abstraction algorithm
to minimize the number of function-level states needed for
test generation. Finally, it automatically generates test oracles,
through a mutation-based algorithm.
A preliminary version of this work appeared in a short
New Ideas paper [7]. In this current paper, we present the
complete technique with conceptually significant improve-
ments, including detailed new algorithms (Algorithms 1–2), a
fully-functional tool implementation, and a thorough empirical
analysis on 13 JavaScript applications, providing evidence of
the efficacy of the approach.
This work makes the following main contributions:
• An automatic technique to generate test cases for Java-
Script functions and events.
• A combination of function converge maximization and
function state abstraction algorithms to efficiently gener-
ate unit test cases;
• A mutation-based algorithm to effectively generate test
oracles, capable of detecting regression JavaScript and
DOM-level faults;
• The implementation of our technique in a tool called
JS EFT, which is publicly available [8];
• An empirical evaluation to assess the efficacy of JS EFT
using 13 JavaScript applications.
The results of our evaluation show that on average (1)
the generated test suite by JS EFT achieves a 68% JavaScript
code coverage, (2) compared to A RTEMIS, a feedback-directed
JavaScript testing framework [2], JS EFT achieves 53% better
coverage, and (3) the test oracles generated by JS EFT are able
to detect injected faults with 100% precision and 70% recall.
II. R ELATED W ORK
Web application testing. Marchetto and Tonella [3] propose a
search-based algorithm for generating event-based sequences
to test Ajax applications. Mesbah et al. [9] apply dynamic 1 var currentDim=20;
2 function cellClicked() {
analysis to construct a model of the application’s state space, 3 var divTag = '<div id='divElem' />';
from which event-based test cases are automatically generated. 4 if($(this).attr('id') == 'cell0'){
In subsequent work [5], they propose generic and application- 5 $('#cell0').after(divTag);
specific invariants as a form of automated soft oracles for 6 $('div #divElem').click(setup);
7 }
testing A JAX applications. Our earlier work, JS ART [10], auto- 8 else if($(this).attr('id') == 'cell1'){
matically infers program invariants from JavaScript execution 9 $('#cell1').after(divTag);
traces and uses them as regression assertions in the code. Sen 10 $('div #divElem').click(function(){setDim(20)});
11 }
et al. [11] recently proposed a record and replay framework 12 }
called Jalangi. It incorporates selective record-replay as well
as shadow values and shadow execution to enable writing of 14 function setup() {
15 setDim(10);
heavy-weight dynamic analyses. The framework is able to 16 $('#startCell').click(start);
track generic faults such as null and undefined values 17 }
as well as type inconsistencies in JavaScript. Jensen et al. [12]
propose a technique to test the correctness of communication 19 function setDim(dimension) {
20 var dim=($('#endCell').width() + $('#endCell').height←
patterns between client and server in A JAX applications by ()))/dimension;
incorporating server interface descriptions. They construct 21 currentDim += dim;
server interface descriptions through an inference technique 22 $('#endCell').css('height', dim+'px');
23 return dim;
that can learn communication patterns from sample data. 24 }
Saxena et al. [6] combine random test generation with the use
of symbolic execution for systematically exploring a JavaScript 26 function start() {
27 if(currentDim > 40)
application’s event space as well as its value space, for security 28 $(this).css('height', currentDim+'px');
testing. Our work is different in two main aspects from these: 29 else $(this).remove();
(1) they all target the generation of event sequences at the 30 }
DOM level, while we also generate unit tests at the JavaScript 32 $document.ready(function() {
code level, which enables us to cover more and find more 33 ...
faults, and (2) they do not address the problem of test oracle 34 $('#cell0').click(cellClicked);
generation and only check against soft oracles (e.g., invalid 35 $('#cell1').click(cellClicked);
36 });
HTML). In contrast, we generate strong oracles that capture
application behaviours, and can detect a much wider range of Fig. 1. JavaScript code of the running example.
faults.
with the DOM.
Perhaps the most closely related work to ours is A RTEMIS
[2], which supports automated testing of JavaScript applica- III. C HALLENGES AND M OTIVATION
tions. A RTEMIS considers the event-driven execution model
of a JavaScript application for feedback-directed testing. In In this section, we illustrate some of the challenges asso-
this paper, we quantitatively compare our approach with that ciated with test generation for JavaScript applications.
of A RTEMIS (Section V). Figure 1 presents a snippet of a JavaScript game application
Oracle generation. There has been limited work on oracle that we use as a running example throughout the paper. This
generation for testing. Fraser et al. [13] propose µTEST, simple example uses the popular jQuery library [18] and
which employs a mutant-based oracle generation technique. contains four main JavaScript functions:
It automatically generates unit tests for Java object-oriented 1) cellClicked is bound to the event-handlers of DOM
classes by using a genetic algorithm to target mutations elements with IDs cell0 and cell1 (Lines 34–35).
with high impact on the application’s behaviour. They further These two DOM elements become available when the
identify [14] relevant pre-conditions on the test inputs and DOM is fully loaded (Line 32). Depending on the element
post-conditions on the outputs to ease human comprehension. clicked, cellClicked inserts a div element with ID
Differential test case generation approaches [15], [16] are sim- divElem (Line 3) after the clicked element and makes
ilar to mutation-based techniques in that they aim to generate it clickable by attaching either setup or setDim as its
test cases that show the difference between two versions of a event-handler function (Lines 5–6, 9–10).
program. However, mutation-based techniques such as ours, do 2) setup calls setDim (Line 15) to change the value of
not require two different versions of the application. Rather, the the global variable currentDim. It further makes an
generated differences are in the form of controllable mutations element with ID startCell clickable by setting its
that can be used to generate test cases capable of detecting event- handler to start (Line 16).
regression faults in future versions of the program. Staats et 3) setDim receives an input variable. It performs some
al. [17] address the problem of selecting oracle data, which computations to set the height value of the css
is formed as a subset of internal state variables as well as property of a DOM element with ID endCell and the
outputs for which the expected values are determined. They value of currentDim (Lines 20–22). It also returns the
apply mutation testing to produce oracles and rank the inferred computed dimension.
oracles in terms of their fault finding capability. This work is 4) start is called at runtime when the element with ID
different from ours in that they merely focus on supporting startCell is clicked (Line 16), which either updates
the creation of test oracles by the programmer, rather than the width dimension of the element on which it was
fully automating the process of test case generation. Further, called, or removes the element (Lines 27-29).
(1) they do not target JavaScript; (2) in addition to the code-
level mutation analysis, we propose DOM-related mutations There are four main challenges in testing JavaScript appli-
to capture error-prone [1] dynamic interactions of JavaScript cations.
 The first challenge is that a fault may not immediately prop- 1
agate into a DOM-level observable failure. For example, if the Instrument Crawl
Collect Maximize
‘+’ sign in Line 21 is mistakenly replaced by ‘-’, the affected Trace Coverage

result does not immediately propagate to the observable DOM

state after the function exits. While this mistakenly changes the SFG

value of a global variable, currentDim, which is later used

in start (Line 27), it neither affects the returned value of the 2
Extract
setDim function nor the css value of element endCell. Event
Event-based Function-level
Tests Unit Tests
Therefore, a GUI-level event-based testing approach may not Seq.

help to detect the fault in this case. Web Run Collect Extract Abstract Func.
App Instrument
tests Trace Function State States
The second challenge is related to fault localization; even
if the fault propagates to a future DOM state and a DOM-level Extract
DOM State
test case detects it, finding the actual location of the fault is
challenging for the tester as the DOM-level test case is agnostic 3
of the JavaScript code. However, a unit test case that targets
DOM Func.
individual functions, e.g., setDim in this running example, Oracles
Diff
Oracles
Diff

helps a tester to spot the fault, and thus easily resolve it.
The third challenge pertains to the event-driven dynamic
nature of JavaScript, and its extensive interaction with the
DOM resulting in many state permutations and execution
paths. In the initial state of the example, clicking on cell0
or cell1 takes the browser to two different states as a result
of the if-else statement in Lines 4 and 8 of the function
cellClicked. Even in this simple example, expanding
either of the resulting states has different consequences due to
different functions that can be potentially triggered. Executing
either setup or setDim in Lines 6 and 10 results in different
execution paths, DOM states, and code coverage. It is this
dynamic interaction of the JavaScript code with the DOM (and
indirectly CSS) at runtime that makes it challenging to generate
test cases for JavaScript applications.
The fourth important challenge in unit testing JavaScript
functions that have DOM interactions, such as setDim, is
that the DOM tree in the state expected by the function, has
to be present during unit test execution. Otherwise the test will
fail due to a null or undefined exception. This situation
arises often in modern web applications that have many DOM
interactions.
IV. A PPROACH
Our main goal in this work is to generate client-side test
cases coupled with effective test oracles, capable of detecting
regression JavaScript and DOM-level faults. Further, we aim
to achieve this goal as efficiently as possible. Hence, we make
two design decisions. First, we assume that there is a finite
amount of time available to generate test cases. Consequently
we guide the test generation to maximize coverage under a
given time constraint. The second decision is to minimize the
number of test cases and oracles generated to only include
those that are essential in detecting potential faults. Conse-
quently, to examine the correctness of the test suite generated,
the tester would only need to examine a small set of assertions,
which minimizes their effort.
Mutate Extract
DOM State
Instrument
Run Collect Extract
tests Trace Function State
Fig. 2. Overview of our test generation approach.
An overview of the technique is depicted in Figure 2. At
a high level, our approach is composed of three main steps:
1) In the first step (Section IV-A), we dynamically explore
various states of a given web application, in such a way
as to maximize the number of functions that are covered
throughout the program execution. The output of this
initial step is a state-flow graph (SFG) [5], capturing the
explored dynamic DOM states and event-based transitions
between them.
2) In the second step (Section IV-B), we use the inferred
SFG to generate event-based test cases. We run the gen-
erated tests against an instrumented version of the applica-
tion. From the execution trace obtained, we extract DOM
element states as well as JavaScript function states at the
entry and exit points, from which we generate function-
level unit tests. To reduce the number of generated test
cases to only those that are constructive, we devise a state
abstraction algorithm that minimizes the number of states
by selecting representative function states.
3) To create effective test oracles for the two test case
levels, we automatically generate mutated versions of the
application (Section IV-C). Assuming that the original
version of the application is fault-free, the test oracles
are then generated at the DOM and JavaScript code levels
by comparing the states traced from the original and the
mutated versions.
A. Maximizing Function Coverage

Our approach generates test cases and oracles at two
complementary levels:
DOM-level event-based tests consist of DOM-level event se-
quences and assertions to check the application’s be-
haviour from an end-user’s perspective.
Function-level unit tests consist of unit tests with assertions
that verify the functionality of JavaScript code at the
function level.
In this step, our goal is to maximize the number of
functions that can be covered, while exercising the program’s
event space. To that end, our approach combines static and
dynamic analysis to decide which state and event(s) should be
selected for expansion to maximize the probability of cover-
ing uncovered JavaScript functions. While exploring the web
application under test, our function coverage maximization
algorithm selects a next state for exploration, which has the
maximum value of the sum of the following two metrics:
1. Potential Uncovered Functions. This pertains to the total
number of unexecuted functions that can potentially be visited
through the execution of DOM events in a given DOM state
si . When a given function fi is set as the event-handler of
a DOM element d ∈ si , it makes the element a potential
clickable element in si . This can be achieved through various
patterns in web applications depending on which DOM event
model level is adopted. To calculate this metric, our algorithm
identifies all JavaScript functions that are directly or indirectly
attached to DOM elements as event handlers, in si through
code instrumentation and execution trace monitoring.
2. Potential Clickable Elements. The second metric, used to
select a state for expansion, pertains to the number of DOM
elements that can potentially become clickable elements. If
the event-handlers bound to those clickables are triggered,
new (uncovered) functions will be executed. To obtain this
number, we statically analyze the previously obtained potential
uncovered functions within a given state in search of such
elements.
While exploring the application, the next state for ex-
pansion is selected by adding the two metrics and choosing
the state with the highest sum. The procedure repeats the
aforementioned steps until the designated time limit, or state
space size is reached.
In the running example of Figure 1, in the initial state,
clicking on elements with IDs cell0 and cell1 results in
two different states due to an if-else statement in Lines 4
and 8 of cellClicked. Let’s call the state in which a DIV
element is located after the element with ID cell0 as s0 , and
the state in which a DIV element is placed after the element
with ID cell1 as s1 . If state s0 , with the clickable cell0, is
chosen for expansion, function setup is called. As shown in
Line 15, setup calls setDim, and thus, by expanding s0 both
of the aforementioned functions get called by a single click.
Moreover, a potential clickable element is also created in Line
16, with start as the event-handler. Therefore, expanding s1
results only in the execution of setDim, while expanding s0
results in the execution of functions setup, setDim, and a
potential execution of start in future states. At the end of
this step, we obtain a state-flow graph of the application that
can be used in the next test generation step.
B. Generating Test Cases
In the second step, our technique first extracts sequences
of events from the inferred state-flow graph. These sequences
of events are used in our test case generation process. We
generate test cases at two complementary levels, as described
below.
DOM-level event-based testing. To verify the behaviour
of the application at the user interface level, each event
path, taken from the initial state (Index) to a leaf node
in the state-flow graph, is used to generate DOM event-
based test cases. Each extracted path is converted into a
JU NIT S ELENIUM-based test case, which executes the se-
quence of events, starting from the initial DOM state. Go-
ing back to our running example, one possible event se-
quence to generate is: $(‘#cell0’).click→$(‘div
#divElem’).click→$(‘#startCell’).click.
To collect the required trace data, we capture all DOM
elements and their attributes after each event in the test path is
fired. This trace is later used in our DOM oracle comparison,
as explained in Section IV-C.
JavaScript function-level unit testing. To generate unit tests
that target JavaScript functions directly (as opposed to event-
triggered function executions), we log the state of each func-
tion at their entry and exit point, during execution. To that end,
we instrument the code to trace various entities. At the entry
point of a given JavaScript function we collect (1) function
parameters including passed variables, objects, functions, and
DOM elements, (2) global variables used in the function,
and (3) the current DOM structure just before the function
is executed. At the exit point of the JavaScript function and
before every return statement, we log the state of the (1)
return value of the function, (2) global variables that have been
accessed in that function, and (3) DOM elements accessed
(read/written) in the function. At each of the above points, our
instrumentation records the name, runtime type, and actual
values. The dynamic type is stored because JavaScript is a
dynamically typed language, meaning that the variable types
cannot be determined statically. Note that complex JavaScript
objects can contain circular or multiple references (e.g., in
JSON format). To handle such cases, we perform a de-
serialization process in which we replace such references by
an object in the form of $ref : P ath, where P ath denotes
a JSON P ath string1 that indicates the target path of the
reference.
In addition to function entry and exit points, we
log information required for calling the function from
the generated test cases. JavaScript functions that are
accessible in the public scope are mainly defined
in (1) the global scope directly (e.g., function
f(){...}), (2) variable assignments in the global scope
(e.g., var f = function(){...}), (3) constructor
functions (e.g, function constructor() {this.
member= function(){...}}), and (4) prototypes (e.g.,
Constructor.prototype.f= function() {...}).
Functions in the first and second case are easy to call from test
cases. For the third case, the constructor function is called via
the new operator to create an object type, which can be used
to access the object’s properties (e.g., container=new
Constructor(); container.member();). This
allows us to access the inner function, which is a member
of the constructor function in the above example. For
the prototype case, the function can be invoked through
container.f() from a test case.
Going back to our running example in Figure 1, at the entry
point of setDim, we log the value and type of both the input
parameter dimension and global variable currentDim,
which is accessed in the function. Similarly, at the exit point,
we log the values and types of the returned variable dim and
currentDim.
In addition to the values logged above, we need to capture
the DOM state for functions that interact with the DOM. This
is to address the fourth challenge outlined in Section III. To
mitigate this problem, we capture the state of the DOM just
before the function starts its execution, and include that as a
test fixture [19] in the generated unit test case.
In the running example, at the entry point of setDim, we
log the innerHTML of the current DOM as the function con-
tains several calls to the DOM, e.g., retrieving the element with
ID endCell in Line 22. We further include in our execution
trace the way DOM elements and their attributes are modified
by the JavaScript function at runtime. The information that we
1 http://goessner.net/articles/JsonPath/
 Algorithm 1: Function State Abstraction
input : The set of function states sti ∈ STf for a given function f
output: The obtained abstracted states set AbsStates
begin
1 for sti ∈ STf do
2 L = 1; StSetL ← ∅
3 if B RN C OV L NS[sti ] = B RN C OV L NS[StSet]L
l=1 then
4 StSetL+1 ← sti
5 L++
6 else
7 StSetl ← sti ∪ StSetl
8 K = L + 1; StSetK ← ∅
9 if DOMP ROPS[sti ] = DOMP ROPS [StSet]K k=L+1 ||
RetType[sti ] = R ET T YPE[StSet]K
k=L+1 then
10 StSetK+1 ← sti
11 K++
12 else
13 StSetk ← stk ∪ StSetk
14 while StSetK+L = ∅ do
15 SelectedSt ← S ELECT M AX S T(sti |sti ∩ StSetK+L
j=1 )
AbsStates.ADD(SelectedSt)
16
17 StSetK+L ← StSetK+L − SelectedSt
18 return AbsStates
log for accessed DOM elements includes the ID attribute, the
XPath position of the element on the DOM tree, and all the
modified attributes. Collecting this information is essential for
oracle generation in the next step. We use a set to keep the
information about DOM modifications, so that we can record
the latest changes to a DOM element without any duplication
within the function. For instance, we record ID as well as both
width and height properties of the endCell element.
Once our instrumentation is carried out, we run the gener-
ated event sequences obtained from the state-flow graph. This
way, we produce an execution trace that contains:
• Information required for preparing the environment for
each function to be executed in a test case, including its
input parameters, used global variables, and the DOM tree
in a state that is expected by the function;
• Necessary entities that need to be assessed after the func-
tion is executed, including the function’s output as well
as the touched DOM elements and their attributes (The
actual assessment process is explained in Section IV-C).
Function State Abstraction. As mentioned in Section III, the
highly dynamic nature of JavaScript applications can result in
a huge number of function states. Capturing all these different
states can potentially hinder the technique’s scalability for
large applications. In addition, generating too many test cases
can negatively affect test suite comprehension. We apply a
function state abstraction method to minimize the number of
function-level states needed for test generation.
Our abstraction method is based on classification of func-
tion (entry/exit) states according to their impact on the func-
tion’s behaviour, in terms of covered branches within the
function, the function’s return value type, and characteristics
of the accessed DOM elements.
Branch coverage: Taking different branches in a given func-
tion can change its behaviour. Thus, function entry states
that result in a different covered branch should be taken
into account while generating test cases. Going back to
our example in Figure 1, executing either of the branches
in lines 27 and 29 clearly takes the application into a
different DOM state. In this example, we need to include the
states of the start function that result in different covered
branches, e.g., two different function states where the value
of the global variable currentDim at the entry point falls
into different boundaries.
Return value type: A variable’s type can change in Java-
Script at runtime. This can result in changes in the expected
outcome of the function. Going back to our example, if dim
is mistakenly assigned a string value before adding it to
currentDim (Line 21) in function setDim, the returned
value of the function becomes the string concatenation of
the two values rather than the expected numerical addition.
Accessed DOM properties: DOM elements and their prop-
erties accessed in a function can be seen as entry
states. Changes in such DOM entry states can affect
the behaviour of the function. For example, in line 29
this keyword refers to the clicked DOM element of
which function start is an event-handler. Assuming that
currentDim ≤ 40, depending on which DOM element
is clicked, by removing the element in line 29 the resulting
state of the function start differs. Therefore, we take into
consideration the DOM elements accessed by the function
as well as the type of accessed DOM properties.
Algorithm 1 shows our function state abstraction algorithm.
The algorithm first collects covered branches of individual
functions per entry state (B RN C OV L NS[sti ] in Line 3). Each
function’s states exhibiting same covered branches are cate-
gorized under the same set of states (Lines 4 and 7). StSetl
corresponds to the set of function states, which are classified
according to their covered branches, where l = 1, ..., L and
L is the number of current classified sets in covered branch
category. Similarly, function states with the same accessed
DOM characteristics as well as return value type, are put into
the same set of states (Lines 10 and 13). StSetk corresponds
to the set of function states, which are classified according to
their DOM/return value type, where k = 1, ..., K and K is
the number of current classified sets in that category. After
classifying each function’s states into several sets, we cover
each set by selecting one of its common states. The state
selection step is a set cover problem [20], i.e., given a universe
U and a family S of subsets of U , a cover is a subfamily C ⊆ S
of sets whose union is U . Sets to be covered in our algorithm
are StSetK+L , where sti ∈ StSetK+L . We use a common
greedy algorithm for obtaining the minimum number of states
that can cover all the possible sets (Lines 15-17). Finally, the
abstracted list of states is returned in Line 18.
C. Generating Test Oracles
In the third step, our approach automatically generates test
oracles for the two levels of test cases generated in the previous
step, as depicted in the third step of Figure 2. Instead of
randomly generating assertions, our oracle generation uses a
mutation-based process.
Mutation testing is typically used to evaluate the quality of
a test suite [21], or to generate test cases that kill mutants [13].
In our approach, we adopt mutation testing to (1) reduce the
number of assertions automatically generated, (2) target critical
and error-prone portions of the application. Hence, the tester
would only need to examine a small set of effective assertions
to verify the correctness of the generated oracles. Algorithm 2
shows our algorithm for generating test oracles. At a high level,
the technique iteratively executes the following steps:
 Algorithm 2: Oracle Generation naive approach would be to compare the DOM tree in its
input : A Web application (App), list of event sequences obtained from SFG entirety, after the event execution. Not only is this approach
(EvSeq), maximum number of mutations (n) inefficient, it results in brittle test-cases, i.e., the smallest
output: Assertions for function-level (F cAsserts) and DOM event-level tests update on the user interface can break the test case. We
(DomAsserts)
propose an alternative approach that utilizes DOM mutation
1 App ← I NSTRUMENT(App)
begin
testing to detect and selectively compare only those DOM
2 while GenM uts < n do elements and attributes that are affected by an injected fault at
3 foreach EvSeq ∈ SF G do the DOM-level of the application. Our DOM mutations target
4 OnEvDomSt ← T race.G ET O N E V D OM S T (Ev ∈ only the elements that have been accessed (read/written) during
EvSeq)
5 Af terEvDomSt ← T race.G ETA FTER E V D OM S T (Ev ∈ execution, and thus have a larger impact on the application’s
EvSeq) behaviour. To select proper DOM elements for mutation, we
6 AccdDomP rops ← G ETACCD D OM N DS (OnEvDomSt) instrument JavaScript functions that interact with the DOM,
7 EquivalentDomM ut ← true
8 while EquivalentDomM ut do i.e., code that either accesses or modifies DOM elements.
9 M utDom ←
M UTATE D OM(AccdDomP rops, OnEvDomSt) We execute the instrumented application by running the
10 ChangedSt ← EvSeq.E XEC E VENT(M utDom) generated S ELENIUM test cases and record each accessed
11 Dif fChangedSt,Af terEvDomSt ←
D IFF(ChangedSt, Af terEvDomSt)
DOM element, its attributes, the triggered event on the
12 if Dif fChangedSt,Af terEvDomSt = ∅ then DOM state, and the DOM state after the event is triggered
13 EquivalentDomM ut ← f alse (G ET O N E V D OM S T in line 4, G ETA FTER E V D OM S T in line
14 DomAsserti = 5, and G ETACCD D OM N DS in line 6 to retrieve the original
Dif fChangedSt,Af terEvDomSt
15 DomAsserts
 Ev,Af terEvDomSt =
DOM state, DOM state after event Ev is triggered, and the
DomAsserti accessed DOM properties as event Ev is triggered, respec-
16 AbsF cSts ← T race.G ETA BS F C S TS ()
tively, in Algorithm 2). To perform the actual mutation, as
17 EquivalentCodeM ut ← true the application is re-executed using the same sequence of
18 while EquivalentCodeM ut do events, we mutate the recorded DOM elements, one at a time,
19 M utApp ← M UTATE J S C ODE(App) before the corresponding event is fired. M UTATE D OM in line
20 M utF cSts ← EvSeq.E XEC E VENT(M utApp)
21 foreach F cEntry ∈ AbsF cSts.G ET F C E NTRIES do 9 mutates the DOM elements, and EvSeq.E XEC E VENT in
22 F cExit ← AbsF cSts.G ET F C E XIT (F cEntry) line 10 executes the event sequence on the mutated DOM.
23 M utF cExit ← The mutation operators include (1) deleting a DOM element,
M utF cSts.G ET M UT F C E XIT (F cEntry)
24 Dif fF cExit,M utF cExit ←
and (2) changing the attribute, accessed during the original
D IFF(F cExit, M utF cExit) execution. As we mutate the DOM, we collect the current state
25 if Dif fF cExit,M utF cExit = ∅ then of DOM elements and attributes.
26 EquivalentCodeM ut ← f alse
27
 cAsserti =
F Figure 3 shows part of a DOM-level test case
Dif fF cExit,M utF cExit
28 F cAssertsF cEntry = F cAsserti generated for the running example. Going back to
our running example, as a result of clicking on
$(‘div #divElem’) in our previously obtained
29 return {F cAsserts, DOM Asserts} event sequence ($(‘#cell0’).click→$(‘div
#divElem’).click→$(‘#startCell’)), the
height and width properties of DOM element with
ID endCell, and the DOM element with ID startCell
1) A mutant is created by injecting a single fault into the are accessed. One possible DOM mutation is altering the
original version of the web application (Line 9 and 19 in width value of the endCell element before click on
Algorithm 2 for DOM mutation and code-level mutation, $(‘div #divElem’) happens. We log the consequences
respectively), of this modification after the click event on $(‘div
2) Related entry/exit program states at the DOM and Java- #divElem’) as well as the remaining events. This mutation
Script function levels of the mutant and the original affects the height property of DOM element with ID
version are captured. OnEvDomSt in Line 4 is the endCell in the resulting DOM state from clicking on
original DOM state on which the event Ev is triggered, $(‘div #divElem’). Line 6 in Figure 3 shows the
Af terEvDomSt in line 5 is the observed DOM state corresponding assertion. Furthermore, Assuming that the
after the event is triggered, M utDom in line 9 is the DOM mutation makes currentDim≤ 40 in line 27, after
mutated DOM, and ChangedSt in line 10 is the corre- click on element #startCell happens, the element is
sponding affected state for DOM mutations. F cExit in removed and no longer exists in the resulting DOM state. The
Line 22 is the exit state of the function in the original ap- generated assertion is shown in line 10 of Figure 3.
plication and M utF cExit in line 23 is the corresponding
exit state for that function after the application is mutated Hence, we obtain two sets of execution traces that contain
for function-level mutations. information about the state of DOM elements for each fired
3) Relevant observed state differences at each level are event in the original and mutated application. By compar-
detected and abstracted into test oracles (D IFF in Line 11 ing these two traces (D IFF in line 11 in Algorithm 2), we
and 24 for DOM and function-level oracles, respectively), identify all changed DOM elements and generate assertions
4) The generated assertions (Lines 15 and 28) are injected for these elements. Note that any changes detected by the
into the corresponding test cases. D IFF operator (line 12 in Algorithm 2) is an indication
that the corresponding DOM mutation is not equivalent (line
DOM-level event-based test oracles. After an event is trig- 13); if no change is detected, another DOM mutation is
gered in the generated S ELENIUM test case, the resulting DOM generated. We automatically place the generated assertion
state needs to be compared against the expected structure. One immediately after the corresponding line of code that executed
 1 @Test
2 public void testCase1(){
3 WebElement divElem=driver.findElements(By.id("divElem"←
));
4 divElem.click();
5 int endCellHeight=driver.findElements(By.id("endCell")←
).getSize().height;
6 assertEquals(endCellHeight, 30);
7 WebElement startCell=driver.findElements(By.id("←
startCell"));
8 startCell.click();
9 boolean exists=driver.findElements(By.id("startCell"))←
.size!=0;
10 assertTrue(exists);
11 int startCellHeight=driver.findElements(By.id("←
startCell")).getSize().height;
12 assertEquals(startCellHeight, 50);
13 }
Fig. 3. Generated S ELENIUM test case.
the event, in the generated event-based (S ELENIUM) test case.
DomAssertsEv,Af terEvDomSt in line 15 contains all DOM
assertions for the state Af terEvDOM St and the triggered
event Ev.
Function-level test oracles. To seed code level faults, we
use our recently developed JavaScript mutation testing tool,
M UTANDIS [22]. Mutations generated by M UTANDIS are
selected through a function rank metric, which ranks functions
in terms of their relative importance from the application’s
behaviour point of view. The mutation operators are chosen
from a list of common operators, such as changing the value of
a variable or modifying a conditional statement. Once a mutant
is produced (M UTATE J S C ODE in line 19), it is automatically
instrumented. We collect a new execution trace from the
mutated program by executing the same sequence of events
that was used on the original version of the application. This
way, the state of each JavaScript function is extracted at its
entry and exit points. AbsF cSts.G ET F C E NTRIES in line 21
retrieves the function’s entries from the abstracted function’s
states. G ET F C E XIT in line 22, and G ET M UT F C E XIT in line 23
retrieve the corresponding function’s exit state in the original
and mutated application. This process is similar to the function
state extraction algorithm explained in Section IV-B.
After the execution traces are collected for all the generated
mutants, we generate function-level test oracles by comparing
the execution trace of the original application with the traces
we obtained from the modified versions (D IFF in line 24 in
Algorithm 2). If the D IFF operator detects no changes (line 25
of the algorithm), an equivalent mutant is detected, and thus
another mutant will be generated.
Our function-level oracle generation targets postcondition
assertions. Such postcondition assertions can be used to exam-
ine the expected behaviour of a given function after it is exe-
cuted in a unit test case. Our technique generates postcondition
assertions for all functions that exhibit a different exit-point
state but the same entry-point state, in the mutated execution
traces. F cAsserti in line 27 contains all such post condition
assertions. Due to the dynamic and asynchronous behaviour of
JavaScript applications, a function with the same entry state
can exhibit different outputs when called multiple times. In
this case, we need to combine assertions to make sure that the
generated test cases do not mistakenly fail. F cAssertsF cEntry
in line 28 contains the union of function assertions gener-
ated for the same entry but different outputs during multiple
executions. Let’s consider a function f with an entry state
entry in the original version of the application (A), with two
different exit states exit1 and exit2 . If in the mutated version
1 test("Testing setDim",4,function(){
2 var fixture = $("#qunit-fixture");
3 fixture.append("<button id=\"cell0\"> <div id=\"←
divElem\"/> </button> <div id=\"endCell\" style←
=\"height:200px;width:100px;\"/>");
4 var currentDim=20;
5 var result= setDim(10);
6 equal(result, 30);
7 equal(currentDim, 50);
8 ok($(#endCell).length > 0));
9 equal($(#endCell).css('height'), 30); });
Fig. 4. Generated QU NIT test case.
of the application (Am ), f exhibits an exit state exitm that
is different from both exit1 and exit2 , then we combine the
resulting assertions as follows: assert1(exit1 ,expRes1 )a-
ssert2(exit2 ,expRes2 ), where the expected values expRes1
and expRes2 are obtained from the execution trace of A.
Each assertion for a function contains (1) the function’s
returned value, (2) the used global variables in that function,
and/or (3) the accessed DOM element in that function. Each
assertion is coupled with the expected value obtained from the
execution trace of the original version.
The generated assertions that target variables, compare
the value as well as the runtime type against the expected
ones. An oracle that targets a DOM element, first checks
the existence of that DOM element. If the element exists, it
checks the attributes of the element by comparing them against
the observed values in the original execution trace. Assuming
that width and height are 100 and 200 accordingly in
Figure 1, and ‘+’ sign is mutated to ‘-’ in line 20 of the
running example in Figure 1, the mutation affects the global
variable currentDim, height property of element with ID
endCell, and the returned value of the function setDim.
Figure 4 shows a QU NIT test case for setDim function
according to this mutation with the generated assertions.
D. Tool Implementation
We have implemented our JavaScript test and oracle gen-
eration approach in an automated tool called JS EFT. The tool
is written in Java and is publicly available for download [8].
Our implementation requires no browser modifications, and is
hence portable. For JavaScript code interception, we use a web
proxy, which enables us to automatically instrument JavaScript
code before it reaches the browser. The crawler for JS EFT ex-
tends and builds on top of the event-based crawler, C RAWLJAX
[9], with random input generation enabled for form inputs.
As mentioned before, to mutate JavaScript code, we use our
recently developed mutation testing tool, M UTANDIS [22]. The
upper-bound for the number of mutations can be specified by
the user. However, the default is 50 for code-level and 20 for
DOM-level mutations. We observed that these default numbers
provide a balanced trade-off between oracle generation time,
and the fault finding capability of the tool. DOM-level test
cases are generated in a JU NIT format that uses S ELENIUM
(WebDriver) APIs to fire events on the application’s DOM
inside the browser. JavaScript function-level tests are generated
in the QU NIT unit testing framework [19], capable of testing
any generic JavaScript code.
V. E MPIRICAL E VALUATION
To quantitatively assess the efficacy of our test generation
approach, we have conducted an empirical study, in which we
address the following research questions:
 TABLE I. C HARACTERISTICS OF THE EXPERIMENTAL OBJECTS . TABLE II. R ESULTS SHOWING THE EFFECTS OF OUR FUNCTION
COVERAGE MAXIMIZATION , FUNCTION STATE ABSTRACTION , AND
ID Name LOC URL
MUTATION - BASED ORACLE GENERATION ALGORITHMS .
1 SameGame 206 crawljax.com/same-game/
2 Tunnel 334 arcade.christianmontoya.com/tunnel/ St. Coverage State Abstraction Oracles

#Func.States with abstraction

3 GhostBusters 282 10k.aneventapart.com/2/Uploads/657/

#Func.States w/o abstraction

4 Peg 509 www.cccontheweb.org/peggame.htm

#Assertions with mutation

Func.State Reduction (%)

#Assertions w/o mutation

Random exploration (%)
Fun. cov. maximize (%)
5 BunnyHunt 580 themaninblue.com/experiment/BunnyHunt/
6 AjaxTabs 592 github.com/amazingSurge/jquery-tabs/
7 NarrowDesign 1,005 http://www.narrowdesign.com
8 JointLondon 1,211 http://www.jointlondon.com
9 FractalViewer 1,245 onecm.com/projects/canopy/
10 SimpleCart 1,900 github.com/wojodesign/simplecart-js/

App ID
11 WymEditor 3,035 http://www.wymeditor.org
12 TuduList 1,963 http://tudu.ess.ch/tudu
13 TinyMCE 26,908 http://www.tinymce.com
1 99 80 447 33 93 5101 136
RQ1 How effective is JS EFT in generating test cases with 2 78 78 828 21 97 23212 81
3 90 66 422 14 96 3520 45
high coverage? 4 75 75 43 19 56 1232 109
RQ2 How capable is JS EFT of generating test oracles that 5 49 45 534 23 95 150 79
detect regression faults? 6 78 75 797 30 96 1648 125
RQ3 How does JS EFT compare to existing automated Java- 7 63 58 1653 54 97 198202 342
8 56 50 32 18 43 78 51
Script testing frameworks? 9 82 82 1509 49 97 65403 253
10 71 69 71 23 67 6584 96
JS EFT and all our experimental data in this paper are 11 56 54 1383 131 90 2530 318
available for download [8]. 12 41 38 1530 62 96 3521 184
13 51 47 1401 152 89 2481 335
AVG 68.4 62.8 - - 85.5 - -
A. Objects
used for oracle generation have been selectively generated (as
Our study includes thirteen JavaScript-based applications
discussed in Section IV-C), mutations used for the purpose of
in total. Table I presents each application’s ID, name, lines of
evaluation are randomly generated from the entire application.
custom JavaScript code (LOC, excluding JavaScript libraries)
Note that if the mutation used for the purpose of evaluation and
and resource. The first five are web-based games. AjaxTabs
the mutation used for generating oracles happen to be the same,
is a J Q UERY plugin for creating tabs. NarrowDesign and
we remove the mutant from the evaluation set. Next we run the
JointLondon are websites. FractalViewer is a fractal tree zoom
whole generated test suite (including both function-level and
application. SimpleCart is a shopping cart library, WymEditor
event-based test cases) on the faulty version of the application.
is a web-based HTML editor, TuduList is a web-based task
The fault is considered detected if an assertion generated by
management application, and TinyMCE is a JavaScript based
JS EFT fails and our manual examination confirms that the
WYSIWYG editor control. The applications range from 206
failed assertion is detecting the seeded fault. We measure the
to 27K lines of JavaScript code.
precision and recall as follows:
The experimental objects are open-source and cover dif-
ferent application types. All the applications are interactive in Precision is the rate of injected faults found by the tool that
nature and extensively use JavaScript on the client-side. are actual faults: TPTP
+FP
Recall is the rate of actual injected faults that the tool finds:
TP
B. Setup TP+FN

To address our research questions, we provide the URL
of each experimental object to JS EFT. Test cases are then
automatically generated by JS EFT. We give JS EFT 10 minutes
in total for each application. 5 minutes of the total time is
designated for the dynamic exploration step.
Test Case Generation (RQ1). To measure client-side code
coverage, we use JSC OVER [23], an open-source tool for mea-
suring JavaScript code coverage. We report the average results
over five runs to account for the non-determinism behaviour
that stems from crawling the application. In addition, we assess
each step in our approach separately as follows: (1) compare
the statement coverage achieved by our function coverage
maximization with a method that chooses the next state/event
for the expansion uniformly at random, (2) assess the efficacy
of our function state abstraction method (Algorithm 1), and
(3) evaluate the effectiveness of applying mutation techniques
(Algorithm 2) to reduce the number of assertions generated.
Test Oracles (RQ2). To evaluate the fault finding capability
of JS EFT (RQ2), we simulate web application faults by auto-
matically seeding each application with 50 random faults. We
automatically pick a random program point and seed a fault
at that point according to our fault category. While mutations
where TP (true positives), FP (false positives), and FN (false
negatives) respectively represent the number of faults that are
correctly detected, falsely reported, and missed.
Comparison (RQ3). To assess how JS EFT performs with re-
spect to existing JavaScript test automation tools, we compare
its coverage and fault finding capability to that of A RTEMIS
[2]. Similar to JS EFT, we give A RTEMIS 10 minutes in total
for each application; we observed no improvements in the
results obtained from running A RTEMIS for longer periods of
time. We run A RTEMIS from the command line by setting
the iteration option to 100 and enabling the coverage priority
strategy, as described in [2]. Similarly, JSCover is used to
measure the coverage of A RTEMIS (over 5 runs). We use
the output provided by A RTEMIS to determine if the seeded
mutations are detected by the tool, by following the same
procedure as described above for JS EFT.
C. Results
Test Case Generation (RQ1). Figure 5 depicts the statement
coverage achieved by JS EFT for each application. The results
show that the test cases generated by JS EFT achieve a coverage
of 68.4% on average, ranging from 41% (ID 12) up to 99% (ID
 TABLE III. FAULT DETECTION .
JS EFT A RTEMIS

By func-level tests (%)

100

JSeft

# Injected Faults
Artemis

Precision (%)

Precision (%)
Recall (%)

Recall (%)
80

App ID

#FN

#TP
#FP
1 50 0 0 50 100 100 30 100 20
60

2 50 9 0 41 100 82 73 100 12
Coverage (%)

3 50 4 0 46 100 92 17 100 8
4 50 15 0 35 100 70 28 100 22
5 50 26 0 24 100 48 25 100 0
6 50 9 0 41 100 82 15 100 16
40

7 50 17 0 33 100 66 24 100 0
8 50 23 0 27 100 54 26 100 0
9 50 6 0 44 100 88 41 100 24
10 50 16 0 34 100 68 65 100 8
20

11 50 21 0 29 100 58 27 100 6
12 50 26 0 24 100 48 17 100 22
13 50 23 0 27 100 54 26 100 28
AVG - 15 0 35 100 70 32 100 12.8
0

on the fault finding capabilities of JS EFT. The table shows the

1 2 3 4 5 6 7 8
Experimental Objects
Fig. 5. Statement coverage achieved.
1). We investigated why JS EFT has low coverage for some of
the applications. For instance, we observed that in JointLondon
(ID 7), the application contains JavaScript functions that are
browser/device specific, i.e., they are exclusively executed in
Internet Explorer, or iDevices. As a result, we are unable to
cover them using JS EFT. We also noticed that some applica-
tions required more time to achieve higher statement coverage
(e.g., in NarrowDesign ID 8), or they have a large DOM state
space (e.g., BunnyHunt ID 5) and hence JS EFT is only able
to cover a portion of these applications in the limited time it
had available.
Table II columns under “St. Coverage” present JavaScript
statement coverage achieved by our function coverage maxi-
mization algorithm versus a random strategy. The results show
a 9% improvement on average, for our algorithm, across all
the applications. We observed that our technique achieves
the highest improvement when there are many dynamically
generated clickable DOM elements in the application, for
example, GhostBusters (ID 3).
The columns under “State Abstract” in Table II present
the number of function states before and after applying our
function state abstraction algorithm. The results show that
the abstraction strategy reduces function states by 85.5% on
average. NarrowDesign (ID 7) and FractalViewer (ID 9) benefit
the most by a 97% state reduction rate. Note that despite
this huge reduction, our state abstraction does not adversely
influence the coverage as we include at least one function
state from each of the covered branch sets as described in
Section IV-B.
The last two columns of Table II, under “Oracles”, present
the number of assertions obtained by capturing the whole ap-
plication’s state, without any mutations, and with our mutation-
based oracle generation algorithm respectively. The results
show that the number of assertions is decreased by 86.5% on
average due to our algorithm. We observe the most significant
reduction of assertions for JointLondon (ID 7) from more than
198000 to 342.
Fault finding capability (RQ2). Table III presents the results
9 10 11 12 13
total number of injected faults, the number of false negatives,
false positives, true positives, and the precision and recall of
JS EFT.
JS EFT achieves 100% precision, meaning that all the de-
tected faults reported by JS EFT are real faults. In other words,
there are no false-positives. This is because the assertions
generated by JS EFT are all stable i.e., they do not change
from one run to another. However, the recall of JS EFT is
70% on average, and ranges from 48 to 100%. This is due
to false negatives, i.e., missed faults by JS EFT, which occur
when the injected fault falls is either in the uncovered region
of the application, or is not properly captured by the generated
oracles.
The table also shows that on average 32% percent of the
injected faults (ranges from 15–73%) are detected by function-
level test cases, but not by our DOM event-based test cases.
This shows that a considerable number of faults do not propa-
gate to observable DOM states, and thus cannot be captured by
DOM-level event-based tests. For example in the SimpleCart
application (ID 10), if we mutate the mathematical operation
that is responsible for computing the total amount of purchased
items, the resulting error is not captured by event-based tests
as the fault involves internal computations only. However, the
fault is detected by a function-level test that directly checks the
returned value of the function. This points to the importance
of incorporating function-level tests in addition to event-based
tests for JavaScript web applications. We also observed that
even when an event-based test case detects a JavaScript fault,
localizing the error to the corresponding JavaScript code can
be quite challenging. However, function-level tests pinpoint
the corresponding function when an assertion fails, making it
easier to localize the fault.
Comparison (RQ3). Figure 5 shows the code coverage
achieved by both JS EFT and A RTEMIS on the experimental
objects running for the same amount of time, i.e., 10 minutes.
The test cases generated by JS EFT achieve 68.4% coverage
on average (ranging from 41–99%), while those generated by
A RTEMIS achieve only 44.8% coverage on average (ranging
from 0–92%). Overall, the test cases generated by JS EFT
achieve 53% more coverage than A RTEMIS, which points to
the effectiveness of JS EFT in generating high coverage test
cases. Further, as can be seen in the bar plot of Figure 5,
for all the applications, the test cases generated by JS EFT
achieve higher coverage than those generated by A RTEMIS.
This increase was more than 226% in the case of Bunnyhunt
(ID 5). For two of the applications, NarrowDesign (ID 7) and
JointLondon (id 8), A RTEMIS was not able to complete the
testing task within the allocated time of ten minutes. Thus
we let A RTEMIS run for an additional 10 minutes for these
applications (i.e., 20 minutes in total). Even then, neither
application completes under A RTEMIS.
Table III shows the precision and recall achieved by JS EFT
and A RTEMIS. With respect to fault finding capability, unlike
A RTEMIS that detects only generic faults such as runtime
exceptions and W3C HTML validation errors, JS EFT is able to
accurately distinguish faults at the code-level and DOM-level
through the test oracles it generates. Both tools achieve 100%
precision, however, JS EFT achieves five-fold higher recall
(70% on average) compared with A RTEMIS (12.8% recall on
average).
D. Threats to Validity
An external threat to the validity of our results is the
limited number of web applications that we use to evaluate
our approach. We mitigated this threat by using JavaScript
applications that cover various application types. Another
threat is that we validate the failed assertions through manual
inspection, which can be error-prone. To mitigate this threat,
we carefully inspected the code in which the assertion failed
to make sure that the injected fault was indeed responsible
for the assertion failure. Regarding the reproducibility of our
results, JS EFT and all the applications used in this study are
publicly available, thus making the study replicable.
VI. C ONCLUSIONS
In this paper, we presented a technique to automatically
generate test cases for JavaScript applications at two comple-
mentary levels: (1) individual JavaScript functions, (2) event
sequences. Our technique is based on algorithms to maximize
function coverage and minimize function states needed for
efficient test generation. We also proposed a method for
effectively generating test oracles along with the test cases,
for detecting faults in JavaScript code as well as on the DOM
tree. We implemented our approach in an open-source tool
called JS EFT. We empirically evaluated JS EFT on 13 web
applications. The results show that the generated tests by
JS EFT achieve high coverage (68.4% on average), and that
the injected faults can be detected with a high accuracy rate
(recall 70%, precision 100%).
ACKNOWLEDGMENT
This work was supported in part by a Strategic Project
Grant (SPG) from the Natural Science and Engineering Re-
search Council of Canada (NSERC), and a research gift
from Intel Corporation. We thank the anonymous reviewers
of ICST’15 for their insightful comments.
R EFERENCES
[1] F. Ocariza, K. Bajaj, K. Pattabiraman, and A. Mesbah, “An empirical
study of client-side JavaScript bugs,” in Proc. ACM/IEEE Interna-
tional Symposium on Empirical Software Engineering and Measurement
(ESEM’13). IEEE Computer Society, 2013, pp. 55–64.
[2] S. Artzi, J. Dolby, S. Jensen, A. Møller, and F. Tip, “A framework
for automated testing of JavaScript web applications,” in Proc. 33rd
International Conference on Software Engineering (ICSE’11), 2011, pp.
571–580.
[3] A. Marchetto and P. Tonella, “Using search-based algorithms for
Ajax event sequence generation during testing,” Empirical Software
Engineering, vol. 16, no. 1, pp. 103–140, 2011.
[4] A. Marchetto, P. Tonella, and F. Ricca, “State-based testing of Ajax web
applications,” in Proc. 1st Int. Conference on Sw. Testing Verification
and Validation (ICST’08). IEEE Computer Society, 2008, pp. 121–130.
[5] A. Mesbah, A. van Deursen, and D. Roest, “Invariant-based automatic
testing of modern web applications,” IEEE Transactions on Software
Engineering (TSE), vol. 38, no. 1, pp. 35–53, 2012.
[6] P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song,
“A symbolic execution framework for JavaScript,” in Proc. Symp. on
Security and Privacy (SP’10). IEEE Computer Society, 2010, pp.
513–528.
[7] S. Mirshokraie, A. Mesbah, and K. Pattabiraman, “Pythia: Generating
test cases with oracles for JavaScript applications,” in Proc. Inter-
national Conference on Automated Software Engineering (ASE), New
Ideas Track. IEEE Computer Society, 2013, pp. 610–615.
[8] “JSeft,” http://salt.ece.ubc.ca/software/jseft/.
[9] A. Mesbah, A. van Deursen, and S. Lenselink, “Crawling Ajax-based
web applications through dynamic analysis of user interface state
changes,” ACM Transactions on the Web (TWEB), vol. 6, no. 1, pp.
3:1–3:30, 2012.
[10] S. Mirshokraie and A. Mesbah, “JSART: JavaScript assertion-based re-
gression testing,” in Proc. International Conference on Web Engineering
(ICWE’12). Springer, 2012, pp. 238–252.
[11] K. Sen, S. Kalasapur, T., and S. Gibbs, “Jalangi: A selective record-
replay and dynamic analysis framework for JavaScript,” in Proc.
European Software Engineering Conference and ACM SIGSOFT In-
ternational Symposium on Foundations of Software Engineering (ES-
EC/FSE’013). ACM, 2013.
[12] C. Jensen, A. Møller, and Z. Su, “Server interface descriptions for
automated testing of JavaScript web applications,” in Proc. European
Software Engineering Conference and ACM SIGSOFT International
Symposium on Foundations of Software Engineering (ESEC/FSE’013).
ACM, 2013.
[13] G. Fraser and A. Zeller, “Mutation-driven generation of unit tests and
oracles,” IEEE Transactions on Software Engineering (TSE), vol. 38,
no. 2, pp. 278–292, 2012.
[14] G. Fraser and A. Zeller, “Generating parameterized unit tests,” in Proc.
International Symposium on Software Testing and Analysis (ISSTA’11),
2011, pp. 364–374.
[15] K. Taneja and T. Xie, “DiffGen: Automated regression unit-test gen-
eration,” in Proc. International Conference on Automated Software
Engineering (ASE’08). IEEE Computer Society, 2008, pp. 407–410.
[16] S. Elbaum, H. N. Chin, M. B. Dwyer, and M. Jorde, “Carving and
replaying differential unit test cases from system test cases,” IEEE
Transactions on Software Engineering (TSE), vol. 35, no. 1, pp. 29–
45, 2009.
[17] M. Staats, G. Gay, and M. Heimdahl, “Automated oracle creation
support, or: How I learned to stop worrying about fault propagation and
love mutation testing,” in Proc. International Conference on Software
Engineering (ICSE’11), 2011, pp. 870–880.
[18] “jQuery API,” http://api.jquery.com.
[19] “Qunit,” http://qunitjs.com.
[20] T. H. Cormen, C. Stein, R. L. Rivest, and C. E. Leiserson, Introduction
to Algorithms, 2nd ed. McGraw-Hill Higher Education, 2001.
[21] R. DeMillo, R. Lipton, and F. Sayward, “Hints on test data selection:
Help for the practicing programmer,” Computer, vol. 11, no. 4, pp.
34–41, 1978.
[22] S. Mirshokraie, A. Mesbah, and K. Pattabiraman, “Efficient JavaScript
mutation testing,” in Proc. 6th International Conference on Software
Testing Verification and Validation (ICST’13). IEEE Computer Society,
2013, pp. 74–83.
[23] “JSCover,” http://tntim96.github.io/JSCover/.