Type-aware concolic testing of JavaScript programs.

Conventional concolic testing has been used to provide high coverage of paths in statically typed languages. While it has also been applied in the context of JavaScript (JS) programs, we observe that applying concolic testing to dynamically-typed JS programs involves tackling unique problems to ensure scalability. In particular, a naive type-agnostic extension of concolic testing to JS programs causes generation of large number of inputs. Consequently, many executions operate on undefined values and repeatedly explore same paths resulting in redundant tests, thus diminishing the scalability of testing drastically. In this paper, we address this problem by proposing a simple yet effective approach that incorporates type-awareness intelligently in conventional concolic testing to reduce the number of generated inputs for JS programs. We extend our approach inter-procedurally by generating preconditions for each function that provide a summary of the relation between the variable types and paths. Employing the function preconditions when testing reduces the number of inputs generated even further. We implement our ideas and validate it on a number of open-source JS programs (and libraries). For a significant percentage (on average 50%) of the functions, we observe that type-aware concolic testing generates a minuscule percentage (less than 5%) of the inputs as compared to conventional concolic testing approach implemented on top of Jalangi. On average, this approach achieves over 97% of line coverage and over 94% of branch coverage for all the functions across all benchmarks. Moreover, the use of function preconditions reduces the number of inputs generated by 50%. We also demonstrate the use of function preconditions in automatically avoiding real crashes due to incorrectly typed objects.