Software & Systems Modeling, Volume 18, Issue 2, pp 913–936

Testing concurrent user behavior of synchronous web applications with Petri nets

  • Jeff Offutt
  • Sunitha Thummala
Theme Section Paper


Web applications are now used in every aspect of our lives to manage work, provide products and services, read email, and provide entertainment. The software technologies used to build web applications provide features that help designers provide flexible functionality, but that are challenging to model and test. In particular, the network-based request-response model of programming means that web applications are inherently “stateless” and implicitly concurrent. They are stateless because a new network connection is made for each request (for example, when a user clicks a submit button). Thus, the server does not, by default, recognize multiple requests from the same user. Web applications are also concurrent because multiple users can use the same web application at the same time, creating contention for the same resources. Unfortunately, most web application testing does not adequately evaluate these aspects of web applications, leaving many software faults in deployed web applications. Part of this problem is because most traditional software modeling tools (such as UML) do not have built-in support for the stateless and concurrent aspects of web applications. This research project uses a novel model that is based on Petri nets to describe certain aspects of the behavior of web applications. This paper makes several contributions. We present a novel technique to design tests from this model that explicitly tests concurrency in web applications. We present novel coverage criteria that are defined on the Petri net model. We present results from an empirical study of 18 web applications with 343 components and 30,186 lines of code, followed by a case study on a large industrial web application. The tests found significantly more faults than traditional requirements-based tests, with fewer tests.


Web applications, Model-based testing, Test criteria, Petri nets



We would like to thank Dr. Nida Gökçe for her valuable feedback, as well as the experiment participants. We also thank the anonymous company that generously allowed us to develop tests for their application. This work was partly funded by The Knowledge Foundation (KKS) through the Project 20130085: Testing of Critical System Characteristics (TOCSYC).



Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  1. Software Engineering, George Mason University, Fairfax, USA
