Article

Automated repair of HTML generation errors in PHP applications using string constraint solving

Authors:

Todd Millstein,

Laurie HendrenAuthors Info & Claims

ICSE '12: Proceedings of the 34th International Conference on Software Engineering

Pages 277 - 287

Published: 02 June 2012 Publication History

Abstract

PHP web applications routinely generate invalid HTML. Modern browsers silently correct HTML errors, but sometimes malformed pages render inconsistently, cause browser crashes, or expose security vulnerabilities. Fixing errors in generated pages is usually straightforward, but repairing the generating PHP program can be much harder. We observe that malformed HTML is often produced by incorrect "constant prints", i.e., statements that print string literals, and present two tools for automatically repairing such HTML generation errors. PHPQuickFix repairs simple bugs by statically analyzing individual prints. PHPRepair handles more general repairs using a dynamic approach. Based on a test suite, the property that all tests should produce their expected output is encoded as a string constraint over variables representing constant prints. Solving this constraint describes how constant prints must be modified to make all tests pass. Both tools were implemented as an Eclipse plugin and evaluated on PHP programs containing hundreds of HTML generation errors, most of which our tools were able to repair automatically.

References

[1]

W³Techs, "Usage Statistics and Market Share of PHP for Websites," http://w3techs.com.

[2]

S. Artzi, A. Kiezun, J. Dolby, F. Tip, D. Dig, A. M. Paradkar, and M. D. Ernst, "Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking," IEEE TSE, vol. 36, no. 4, pp. 474-494, 2010.

Digital Library

[3]

W. Weimer, T. Nguyen, C. L. Goues, and S. Forrest, "Automatically Finding Patches Using Genetic Programming," in ICSE, 2009, pp. 364-374.

Digital Library

[4]

H. V. Nguyen, H. A. Nguyen, T. T. Nguyen, and T. N. Nguyen, "Auto-Locating and Fix-Propagating for HTML Validation Errors to PHP Server-Side Code," in ASE, 2011, pp. 13-22.

Digital Library

[5]

E. Torlak, "A constraint solver for software engineering: Finding models and cores of large relational specifications," Ph.D. dissertation, MIT, 2009.

Digital Library

[6]

V. Ganesh, A. Kiezun, S. Artzi, P. J. Guo, P. Hooimeijer, and M. D. Ernst, "HAMPI: A String Solver for Testing, Analysis and Vulnerability Detection," in CAV, 2011, pp. 1-19.

Digital Library

[7]

P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song, "A Symbolic Execution Framework for JavaScript," in IEEE Symp. on Security and Privacy, 2010, pp. 513-528.

Digital Library

[8]

Y. Minamide, "Static Approximation of Dynamically Generated Web Pages," in WWW, 2005, pp. 432-441.

Digital Library

[9]

A. Møller and M. Schwarz, "HTML Validation of Context-Free Languages," in FOSSACS, 2011, pp. 426-440.

Digital Library

[10]

Y. Minamide and A. Tozawa, "XML Validation for Context-Free Grammars," in APLAS, 2006, pp. 357-373.

Digital Library

[11]

G. Wassermann, C. Gould, Z. Su, and P. Devanbu, "Static Checking of Dynamically Generated Queries in Database Applications," ACM TOSEM, vol. 16, September 2007.

Digital Library

[12]

G. Wassermann and Z. Su, "Static Detection of Cross-Site Scripting Vulnerabilities," in ICSE, 2008, pp. 171-180.

Digital Library

[13]

F. Yu, M. Alkhalaf, and T. Bultan, "Patching Vulnerabilities with Sanitization Synthesis," in ICSE, 2011, pp. 251-260.

Digital Library

[14]

A. Solar-Lezama, L. Tancau, R. Bodík, S. Seshia, and V. Saraswat, "Combinatorial Sketching for Finite Programs," in ASPLOS, 2006, pp. 404-415.

Digital Library

[15]

A. Solar-Lezama, C. G. Jones, and R. Bodík, "Sketching Concurrent Data Structures," in PLDI, 2008, pp. 136-148.

Digital Library

[16]

S. Gulwani, "Automating String Processing in Spreadsheets Using Input-Output Examples," in POPL, 2011, pp. 317-330.

Digital Library

[17]

S. Chandra, E. Torlak, S. Barman, and R. Bodík, "Angelic Debugging," in ICSE, 2011, pp. 121-130.

Digital Library

[18]

F. Tip, R. M. Fuhrer, A. Kiezun, M. D. Ernst, I. Balaban, and B. D. Sutter, "Refactoring Using Type Constraints," ACM TOPLAS, vol. 33, no. 3, 2011.

Digital Library

[19]

A. Donovan, A. Kie?zun, M. S. Tschantz, and M. D. Ernst, "Converting Java Programs to Use Generic Libraries," in OOPSLA, 2004, pp. 15-34.

Digital Library

[20]

F. Steimann and A. Thies, "From Public to Private to Absent: Refactoring Java Programs under Constrained Accessibility," in ECOOP, 2009, pp. 419-443.

Digital Library

Cited By

Amadini R(2021)A Survey on String Constraint SolvingACM Computing Surveys10.1145/348419855:1(1-38)Online publication date: 23-Nov-2021
https://dl.acm.org/doi/10.1145/3484198
Qiu ZShao SZhao QJin GSpinellis DGousios GChechik MDi Penta M(2021)Understanding and detecting server-side request races in web applicationsProceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3468264.3468594(842-854)Online publication date: 20-Aug-2021
https://dl.acm.org/doi/10.1145/3468264.3468594
Mesbah ARice AJohnston EGlorioso NAftandilian EDumas MPfahl DApel SRusso A(2019)DeepDelta: learning to repair compilation errorsProceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3338906.3340455(925-936)Online publication date: 12-Aug-2019
https://dl.acm.org/doi/10.1145/3338906.3340455
Show More Cited By

Recommendations

PHP Ajax Cookbook
Web Development in PHP, MySQL, JavaScript, HTML & CSS: Step-by-Step Web Project
Automated Discovery of JavaScript Code Injection Attacks in PHP Web Applications

This paper discussed some of the performance issues in the existing defensive solutions of Java Script injection attacks (e.g. Cross-Site Scripting (XSS) attacks). Moreover, a high level of comparison for such existing solutions has been done based on ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ICSE '12: Proceedings of the 34th International Conference on Software Engineering

June 2012

1657 pages

ISBN:9781467310673

General Chair:
Martin Glinz,
Program Chairs:
Gail Murphy,
Mauro Pezzè

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

IEEE Press

Publication History

Published: 02 June 2012

Check for updates

Qualifiers

Article

Conference

ICSE '12

Sponsor:

SIGSOFT

ICSE '12: 34th International Conference on Software Engineering

June 2 - 9, 2012

Zurich, Switzerland

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

55
Total Citations
View Citations
390
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 18 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Amadini R(2021)A Survey on String Constraint SolvingACM Computing Surveys10.1145/348419855:1(1-38)Online publication date: 23-Nov-2021
https://dl.acm.org/doi/10.1145/3484198
Qiu ZShao SZhao QJin GSpinellis DGousios GChechik MDi Penta M(2021)Understanding and detecting server-side request races in web applicationsProceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3468264.3468594(842-854)Online publication date: 20-Aug-2021
https://dl.acm.org/doi/10.1145/3468264.3468594
Mesbah ARice AJohnston EGlorioso NAftandilian EDumas MPfahl DApel SRusso A(2019)DeepDelta: learning to repair compilation errorsProceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3338906.3340455(925-936)Online publication date: 12-Aug-2019
https://dl.acm.org/doi/10.1145/3338906.3340455
Le Goues CPradel MRoychoudhury A(2019)Automated program repairCommunications of the ACM10.1145/331816262:12(56-65)Online publication date: 21-Nov-2019
https://dl.acm.org/doi/10.1145/3318162
Li GLiu HChen XGunawi HLu SMcKinley KFisher K(2019)DFix: automatically fixing timing bugs in distributed systemsProceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation10.1145/3314221.3314620(994-1009)Online publication date: 8-Jun-2019
https://dl.acm.org/doi/10.1145/3314221.3314620
Gazzola LMicucci DMariani L(2019)Automatic Software RepairIEEE Transactions on Software Engineering10.1109/TSE.2017.275501345:1(34-67)Online publication date: 1-Jan-2019
https://dl.acm.org/doi/10.1109/TSE.2017.2755013
Nguyen HPhan HKästner CNguyen T(2019)Exploring output-based coverage for testing PHP web applicationsAutomated Software Engineering10.1007/s10515-018-0246-526:1(59-85)Online publication date: 1-Mar-2019
https://dl.acm.org/doi/10.1007/s10515-018-0246-5
Wang WWu JGong XLi TYew P(2018)Improving Dynamically-Generated Code Performance on Dynamic Binary TranslatorsACM SIGPLAN Notices10.1145/3296975.318641353:3(17-30)Online publication date: 25-Mar-2018
https://dl.acm.org/doi/10.1145/3296975.3186413
Mayer MKuncak VChugh R(2018)Bidirectional evaluation with direct manipulationProceedings of the ACM on Programming Languages10.1145/32764972:OOPSLA(1-28)Online publication date: 24-Oct-2018
https://dl.acm.org/doi/10.1145/3276497
Wang KSullivan AKhurshid SHuchard MKästner CFraser G(2018)Automated model repair for AlloyProceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering10.1145/3238147.3238162(577-588)Online publication date: 3-Sep-2018
https://dl.acm.org/doi/10.1145/3238147.3238162
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents