
Abstracting Failure Inducing Inputs

Rahul Gopinath
September 20, 2020

Abstracting Failure Inducing Inputs

ISSTA 2020

Rahul Gopinath

September 20, 2020



Transcript

  1. Abstracting Failure Inducing Inputs
    Rahul Gopinath
    Alexander Kampmann
    Nikolas Havrikov
    Ezekiel Soremekun
    Andreas Zeller
    CISPA Helmholtz Center for Information Security


  2. Abstracting Failure Inducing Inputs
    Rahul Gopinath
    Alexander Kampmann
    Nikolas Havrikov
    Ezekiel Soremekun
    Andreas Zeller
    CISPA Helmholtz Center for Information Security


  3. 3
    (1 + 2 + 334) ✓
    Program


  4. 4
    (1 + 2 + 334)
    Program
    (( 442 / 3 )) - 1 ✘


  5. 5
    (1 + 2 + 334)
    Program
    (( 442 / 3 )) - 1

    2 -( 19 - 34 ) + 9 - 7


  6. 6
    (1 + 2 + 334)
    Program
    (( 442 / 3 )) - 1
    2 -( 19 - 34 ) + 9 - 7
    (1) + ((3 + 1 / 334)) + 2


  7. 7
    (1 + 2 + 334)
    (( 442 / 3 )) - 1
    2 -( 19 - 34 ) + 9 - 7
    (1) + ((3 + 1 / 334)) + 2
    if '((' in input and '))' in input:
        raise Exception()
    Program


  8. 8
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) +
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) * -
    +5 + 7.513)))) - (+1 / ++((-84)))))))) * ++5 /
    +-(--2 - -++-9.0)))) / 5 * --++090 + * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * 8.2 - 27 - -9
    / +((+9 * --2 + --+-+-((-1 * +(8 - 5 - 6)) * (-(a-
    +(((+(4))))) - ++4) / +(-+---((5.6 - --(3 * -1.8 *
    +(6 * +-(((-(-6) * ---+6)) / +--(+-+-7 * (-0 * (+
    (((((2)) + 8 - 3 - ++9.0 + ---(--+7 / (1 / ++
    +6.37) + (1) / 482) / +++-+0)))) * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * ++5 / +-(--2
    - -++-9.0)))) / 5 * --++090 ++5 / +-(--2 - -+
    +-9.0)))) / 5 * --++090
    Program ✘


  9. Why did my program fail?


  10. Delta Debugging
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) +
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) * -
    +5 + 7.513)))) - (+1 / ++((-84)))))))) * ++5 /
    +-(--2 - -++-9.0)))) / 5 * --++090 + * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * 8.2 - 27 - -9
    / +((+9 * --2 + --+-+-((-1 * +(8 - 5 - 6)) * (-(a-
    +(((+(4))))) - ++4) / +(-+---((5.6 - --(3 * -1.8 *
    +(6 * +-(((-(-6) * ---+6)) / +--(+-+-7 * (-0 * (+
    (((((2)) + 8 - 3 - ++9.0 + ---(--+7 / (1 / ++
    +6.37) + (1) / 482) / +++-+0)))) * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * ++5 / +-(--2
    - -++-9.0)))) / 5 * --++090 ++5 / +-(--2 - -+
    +-9.0)))) / 5 * --++090
    Program


  11. Delta Debugging
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) +
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) * -
    +5 + 7.513)))) - (+1 / ++((-84)))))))) * ++5 /
    +-(--2 - -++-9.0)))) / 5 * --++090 + * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * 8.2 - 27 - -9
    / +((+9 * --2 + --+-+-((-1 * +(8 - 5 - 6)) * (-(a-
    +(((+(4))))) - ++4) / +(-+---((5.6 - --(3 * -1.8 *
    +(6 * +-(((-(-6) * ---+6)) / +--(+-+-7 * (-0 * (+
    (((((2)) + 8 - 3 - ++9.0 + ---(--+7 / (1 / ++
    +6.37) + (1) / 482) / +++-+0)))) * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * ++5 / +-(--2
    - -++-9.0)))) / 5 * --++090 ++5 / +-(--2 - -+
    +-9.0)))) / 5 * --++090
    Program ?


  12. Delta Debugging
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) +
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) * -
    +5 + 7.513)))) - (+1 / ++((-84)))))))) * ++5 /
    +-(--2 - -++-9.0)))) / 5 * --++090 + * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * 8.2 - 27 - -9
    / +((+9 * --2 + --+-+-((-1 * +(8 - 5 - 6)) * (-(a-
    +(((+(4))))) - ++4) / +(-+---((5.6 - --(3 * -1.8 *
    +(6 * +-(((-(-6) * ---+6)) / +--(+-+-7 * (-0 * (+
    (((((2)) + 8 - 3 - ++9.0 + ---(--+7 / (1 / ++
    +6.37) + (1) / 482) / +++-+0)))) * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * ++5 / +-(--2
    - -++-9.0)))) / 5 * --++090 ++5 / +-(--2 - -+
    +-9.0)))) / 5 * --++090
    Program ?


  13. Delta Debugging
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) +
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) * -
    +5 + 7.513)))) - (+1 / ++((-84)))))))) * ++5 /
    +-(--2 - -++-9.0)))) / 5 * --++090 + * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * 8.2 - 27 - -9
    / +((+9 * --2 + --+-+-((-1 * +(8 - 5 - 6)) * (-(a-
    +(((+(4))))) - ++4) / +(-+---((5.6 - --(3 * -1.8 *
    +(6 * +-(((-(-6) * ---+6)) / +--(+-+-7 * (-0 * (+
    (((((2)) + 8 - 3 - ++9.0 + ---(--+7 / (1 / ++
    +6.37) + (1) / 482) / +++-+0)))) * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * ++5 / +-(--2
    - -++-9.0)))) / 5 * --++090 ++5 / +-(--2 - -+
    +-9.0)))) / 5 * --++090
    Program ?


  14. Delta Debugging
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) +
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) * -
    +5 + 7.513)))) - (+1 / ++((-84)))))))) * ++5 /
    +-(--2 - -++-9.0)))) / 5 * --++090 + * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * 8.2 - 27 - -9
    / +((+9 * --2 + --+-+-((-1 * +(8 - 5 - 6)) * (-(a-
    +(((+(4))))) - ++4) / +(-+---((5.6 - --(3 * -1.8 *
    +(6 * +-(((-(-6) * ---+6)) / +--(+-+-7 * (-0 * (+
    (((((2)) + 8 - 3 - ++9.0 + ---(--+7 / (1 / ++
    +6.37) + (1) / 482) / +++-+0)))) * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * ++5 / +-(--2
    - -++-9.0)))) / 5 * --++090 ++5 / +-(--2 - -+
    +-9.0)))) / 5 * --++090
    Program ?


  15. Delta Debugging
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) +
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) * -
    +5 + 7.513)))) - (+1 / ++((-84)))))))) * ++5 /
    +-(--2 - -++-9.0)))) / 5 * --++090 + * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * 8.2 - 27 - -9
    / +((+9 * --2 + --+-+-((-1 * +(8 - 5 - 6)) * (-(a-
    +(((+(4))))) - ++4) / +(-+---((5.6 - --(3 * -1.8 *
    +(6 * +-(((-(-6) * ---+6)) / +--(+-+-7 * (-0 * (+
    (((((2)) + 8 - 3 - ++9.0 + ---(--+7 / (1 / ++
    +6.37) + (1) / 482) / +++-+0)))) * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * ++5 / +-(--2
    - -++-9.0)))) / 5 * --++090 ++5 / +-(--2 - -+
    +-9.0)))) / 5 * --++090
    Program
    (
    (
    )
    )
    4


  16. Delta Debugging
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) +
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) * -
    +5 + 7.513)))) - (+1 / ++((-84)))))))) * ++5 /
    +-(--2 - -++-9.0)))) / 5 * --++090 + * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * 8.2 - 27 - -9
    / +((+9 * --2 + --+-+-((-1 * +(8 - 5 - 6)) * (-(a-
    +(((+(4))))) - ++4) / +(-+---((5.6 - --(3 * -1.8 *
    +(6 * +-(((-(-6) * ---+6)) / +--(+-+-7 * (-0 * (+
    (((((2)) + 8 - 3 - ++9.0 + ---(--+7 / (1 / ++
    +6.37) + (1) / 482) / +++-+0)))) * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * ++5 / +-(--2
    - -++-9.0)))) / 5 * --++090 ++5 / +-(--2 - -+
    +-9.0)))) / 5 * --++090
    Program ✘
    (( ))
    4
    Reproduced the failure


  17. Context Free Grammar
    Structured Inputs
    See also: "Learning Input Tokens for Effective Fuzzing" ISSTA '20
    https://www.slideshare.net/BjrnMathis/lfuzzer-learning-input-tokens-for-effective-fuzzing-237085021


  18. 8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) +
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) * -
    +5 + 7.513)))) - (+1 / ++((-84)))))))) * ++5 /
    +-(--2 - -++-9.0)))) / 5 * --++090 + * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * 8.2 - 27 - -9
    / +((+9 * --2 + --+-+-((-1 * +(8 - 5 - 6)) * (-(a-
    +(((+(4))))) - ++4) / +(-+---((5.6 - --(3 * -1.8 *
    +(6 * +-(((-(-6) * ---+6)) / +--(+-+-7 * (-0 * (+
    (((((2)) + 8 - 3 - ++9.0 + ---(--+7 / (1 / ++
    +6.37) + (1) / 482) / +++-+0)))) * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * ++5 / +-(--2
    - -++-9.0)))) / 5 * --++090 ++5 / +-(--2 - -+
    +-9.0)))) / 5 * --++090
    Interpreter ✘
    Reproduced the failure
    Structured Inputs
    SYNTAX CHECK


  19. 8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) +
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) * -
    +5 + 7.513)))) - (+1 / ++((-84)))))))) * ++5 /
    +-(--2 - -++-9.0)))) / 5 * --++090 + * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * 8.2 - 27 - -9
    / +((+9 * --2 + --+-+-((-1 * +(8 - 5 - 6)) * (-(a-
    +(((+(4))))) - ++4) / +(-+---((5.6 - --(3 * -1.8 *
    +(6 * +-(((-(-6) * ---+6)) / +--(+-+-7 * (-0 * (+
    (((((2)) + 8 - 3 - ++9.0 + ---(--+7 / (1 / ++
    +6.37) + (1) / 482) / +++-+0)))) * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * ++5 / +-(--2
    - -++-9.0)))) / 5 * --++090 ++5 / +-(--2 - -+
    +-9.0)))) / 5 * --++090
    Interpreter
    Structured Inputs
    SYNTAX ERROR
    #


  20. 8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) +
    8.2 - 27 - -9 / +((+9 * --2 + --+-+-((-1 * +(8 -
    5 - 6)) * (-(a-+(((+(4))))) - ++4) / +(-+---((5.6
    - --(3 * -1.8 * +(6 * +-(((-(-6) * ---+6)) / +--(+-
    +-7 * (-0 * (+(((((2)) + 8 - 3 - ++9.0 + ---(--+7
    / (1 / +++6.37) + (1) / 482) / +++-+0)))) * -
    +5 + 7.513)))) - (+1 / ++((-84)))))))) * ++5 /
    +-(--2 - -++-9.0)))) / 5 * --++090 + * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * 8.2 - 27 - -9
    / +((+9 * --2 + --+-+-((-1 * +(8 - 5 - 6)) * (-(a-
    +(((+(4))))) - ++4) / +(-+---((5.6 - --(3 * -1.8 *
    +(6 * +-(((-(-6) * ---+6)) / +--(+-+-7 * (-0 * (+
    (((((2)) + 8 - 3 - ++9.0 + ---(--+7 / (1 / ++
    +6.37) + (1) / 482) / +++-+0)))) * -+5 +
    7.513)))) - (+1 / ++((-84)))))))) * ++5 / +-(--2
    - -++-9.0)))) / 5 * --++090 ++5 / +-(--2 - -+
    +-9.0)))) / 5 * --++090
    Interpreter
    Structured Inputs
    SYNTAX ERROR
    #


  21. SYNTAX ERROR


  22. Solution: Work on the Parse Tree


  23. 23
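    <start> := <expr>
    <expr> := <term> ' + ' <expr>
    | <term> ' - ' <expr>
    | <term>
    <term> := <factor> ' * ' <term>
    | <factor> ' / ' <term>
    | <factor>
    <factor> := '+' <factor>
    | '-' <factor>
    | '(' <expr> ')'
    | <integer> '.' <integer>
    | <integer>
    <integer> := <digit> <integer>
    | <digit>
    <digit> := [0-9]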
    1 + (( 2 * 3 / 4 ))


  24. 24
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]
    1 + (( 2 * 3 / 4 ))


  25. 25
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]
    1 + (( 2 * 3 / 4 ))


  26. 26
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]
    (( 2 * 3 / 4 ))


  27. 27
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]
    (( 3 / 4 ))


  28. 28
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]
    (( 4 ))


  29. 29
    (
    1 + (( 2 * 3 / 4 ))
    ( 4 ))


  30. 30
    (
    1 + (( 2 * 3 / 4 )) (4))
    What caused this failure?
    Does the failure occur in other inputs?


  31. 31
    (
    1 + (( 2 * 3 / 4 )) (4))
    4444
    ?
    ()()
    ?
    ((-4))
    ?
    ((29))
    ?
    ((v))
    ?
    +++1
    ?


  32. 32
    var A = class extends (class {}){};
    Issue 2937 from Closure


  33. 33
    { while ((l_0)){ if ((l_0)) { break;;var l_0; continue }0 } }
    Issue 2842 from Closure


  34. 34
    var {baz:{} = baz => {}} = baz => {};
    Issue 385 from Rhino


  35. 35
    const [y,y] = [];
    Issue 386 from Rhino


  36. 36
    Abstraction with DDSet


  37. 37
    ( ( 4 ) )
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]


  38. 38
    ( ( 4 ) )
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]
    ✓ Did not reproduce the failure
    1 * (2 - 3)


  39. 39
    ( ( 4 ) )
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]


  40. 40
    ( ( 4 ) )
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]
    c


  41. 41
    ( ( 4 ) )
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]
    c
    ✓ Did not reproduce the failure
    1 + 3 + 4


  42. 42
    ( ( 4 ) )
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]
    c
    c


  43. 43
    3 * 4
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]
    c
    c
    ✓ Did not reproduce the failure


  44. 44
    ( ( 4 ) )
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]
    c
    c
    c
    c
    c
    c
    c


  45. 45
    ( ( 1 - 2 ) )
    :=
    := ' + '
    | ' - '
    |
    := ' * '
    | ' / '
    |
    := '+'
    | '-'
    | '(' ')'
    | '.'
    |
    :=
    |
    := [0-9]
    c
    c
    c
    c
    c
    c
    c
    ✘ reproduced the failure
    ( ( 1 - 2 ) )


  46. 46
    ( ( 1 - 2 ) )
    c
    c
    c
    c
    c
    c
    c

    ( ( 1 - 2 ) )


  47. 47
    ( ( 1 - 2 ) )
    c
    c
    c
    c
    c
    c
    c

    ( ( 1 - 2 ) )

    ( ( 2 * 3 + 4 ) )


  48. 48
    ( ( 1 - 2 ) )
    c
    c
    c
    c
    c
    c
    c

    ( ( 1 - 2 ) )

    ( ( 2 * 3 + 4 ) )

    ( ( - 2 / 1 ) )


  49. 49
    ( ( 1 - 2 ) )
    c
    c
    c
    c
    c
    c
    c

    ( ( 1 - 2 ) )

    ( ( 2 * 3 + 4 ) )

    ( ( - 2 / 1 ) )

    ( ( 98 - 0 ) )


  50. )
    (
    ( )
    ( ( )
    4 )
    50
    ( ( 4 ) )
    c
    c
    c
    c
    c
    c
    c
    A


  51. )
    (
    ( )
    ( ( )
    4 )
    51
    ( ( 4 ) )
    c
    c
    c
    c
    c
    c
    c
    A


  52. 52
    ( ( 4 ) )
    c
    c
    c
    c
    c
    c
    c
    A
    ( ( ) )

    ( ( ) )
    4
    Minimized Input
    Abstract Failure Inducing Input
    ((1 + 2))
    ((23 * 3 - 34))
    ((344- 4 + (223)))
    (((1) - 3 * 773 + (-22 + 1)))
    ((1798 - 889 / (333-1) * 2 / 3 + 1))
    ((34 + 4 --334 + (334 - (22) + 919 * 0 + 1))
    ((98435747+ 88 + (((0))) + (1) - 1 * 7 / 4 * 889 - 2))
    ((8 + ((8)) + --1 + 11223 / 344 - 39 + (1) - 456 + 134 / 45 ))
    ((437 + 8 - 1 * ((9 + 1) - 1 + 99111948 + 3 --1 + (112) - 2 + 445) + 0))
    ((74 + 334 + ((178 - 88 / (3393-1) * 1002 / 3 + 1+ 3439)) * 223 - 1233 + 334672
    (( 2 * 9 - (1798 - 889 / (333-1) * 2 / 3 + 100012 + 3434392 + 234 ----6 * 1798 - 889 / (333
    ((778 - (((1) - 3 * 773 + (-22 + 1) * (4545) - 23 - (2) * 773 + (-22 + 1) / 3434 + ---1 + 1 / 34343 + 112
    ((349 + (((1) - 3 * 3 + (-22 + 1) ((+ (-22 + 1) * (4545) - 23 - (2) * 773 + (-22 + 1) / 3434 + ---1 + 1 / 34343 + 1123
    ((8 + ((8)) + --1 + / 1 - 39 + (1) - 456 + 134 / 45 ))(((1) - 2334 + (((1) - 3 * 773 + (-22 + 1) * (2) - 23 - (2) * 773 + (-22 + 1) / 3
    ((74 + 3 + ((178 - 88 / (3393-1) * 1002 / 3 + 1+ 3439)) * - 1233 + 334672)) ((8 + ((8)) + --1 + / 344 - 39 + (1) - 456 + 134 / 45 ))(((1) - 3 * 77
    ((1+ 33+ 24343433 +23343 - ((74 + 334 + ((178 - 88 / (3393-1) * 1002 / 3 + 1+ 3439)) * - 1233 + 334672)) ((8 + ((8)) + --1 + / 344 - 39 + (1) - 456 + 134 /



  53. = class extends (class {}){}
    53
    var A = class extends (class {}){};
    Issue 2937 from Closure


  54. 54
    var A = class extends (class {}){};
    Issue 2937 from Closure
    = class extends (class {}){}


  55. var {baz:{} = baz => {}} =
    55
    var {baz:{} = baz => {}} = baz => {};
    Issue 385 from Rhino


  56. 56
    var {baz:{} = baz => {}} = baz => {};
    Issue 385 from Rhino
    var {baz:{} = baz => {}} =


  57. const [y,y] = [];
    57
    const [y,y] = [];
    Issue 386 from Rhino


  58. 58
    const [y,y] = [];
    Issue 386 from Rhino
    const [y,y] = [];


  59. v = 0; v = v
    Co-varying Fragments


  60. v = 0; v = v
    Co-varying Fragments


  61. v = 0; v = v


  62. v = 0; v = v
    x = 0; v = v ✓


  63. v = 0; v = v
    v = 0; r = v ✓


  64. v = 0; v = v
    v = 0; v = 0 ✓


  65. v = 0; v = v
    • Identify matching nonterminals of concrete nodes
    • Modify them together


  66. v = 0; v = v
    z = 0; z = z

    • Identify matching nonterminals of concrete nodes
    • Modify them together


  67. v = 0; v = v
    z = 0; z = z

    • Identify matching nonterminals of concrete nodes
    • Modify them together
    p = 0; p = p


  68. v = 0; v = v
    z = 0; z = z

    • Identify matching nonterminals of concrete nodes
    • Modify them together
    p = 0; p = p

    c = 0; c = c


  69. v = 0; v = v
    = ; =
    V1
    V1
    V1


  70. const [y,y] = [];
    Issue 386 from Rhino


  71. const [y,y] = [];
    Issue 386 from Rhino
    const [,] = []


  72. 72
    var {baz:{} = baz => {}} = baz => {};
    Issue 385 from Rhino


  73. 73
    var {baz:{} = baz => {}} = baz => {};
    Issue 385 from Rhino
    var {:{} = => {}} ;


  74. 74
    {while ((l_0)){ if ((l_0)) {break;;var l_0; continue }0}}
    Issue 2842 from Closure


  75. 75
    {while ((l_0)){ if ((l_0)) {break;;var l_0; continue }0}}
    Issue 2842 from Closure
    {while (()){ if (()) {break;;var ; continue }0}}


  76. Program %Valid %Fail
    lua-5.3.5 4 100.0 100.0
    clj-2092 100.0 100.0
    clj-2345 100.0 100.0
    clj-2450 62.0 100.0
    clj-2473 40.0 100.0
    clj-2518 100.0 100.0
    clj-2521 100.0 100.0
    closure.1978 76.0 100.0
    closure.2808 100.0 100.0
    closure.2842 100.0 99.0
    closure.2937 36.0 100.0
    closure.3178 57.0 100.0
    closure.3379 84.0 100.0
    rhino 385 49.0 100.0
    rhino 386 100.0 100.0
    find 07b941b1 100.0 100.0
    find 93623752 100.0 100.0
    find c8491c11 100.0 100.0
    find dbcb10e9 100.0 100.0
    grep 3c3bdace 100.0 100.0
    grep 54d55bba 100.0 100.0
    grep 9c45c193 100.0 100.0
    Mean 86.54 100.0
    • Lua
    • lua-5.3.5 (1 bug)
    • Javascript
    • rhino-1.7.7.2 (2 bugs)
    • closure 20151216 (1 bug)
    • closure 20171203 (3 bugs)
    • closure 20200101 (2 bugs)
    • Clojure
    • clojure-1.11.0 (6 bugs)
    • Unix Utilities (dbgbench)
    • find (4 bugs)
    • grep (3 bugs)
    Experimental Results


  77. Where do the grammars come from?
    https://rahul.gopinath.org/post/2020/07/15/ddset/ https://github.com/vrthra/ddset
    Stay tuned for our FSE 2020 Paper
    Mining Input Grammars from
    Dynamic Control Flow


  78. Future...
    Algebra of Behavior Inducing Patterns
    Grammar refinement:
    generate(Grefined): 123 + ((34 + 5)) - 244
    After fixing a failure, I want to produce numerous new inputs that
    • Induce the same failure (R1)
    • Cover what I just checked in (R2)
    • Do not go through validation (R3)
    • ...
    Grefined = R1 & R2 & !R3 ...


  79. https://rahul.gopinath.org/post/2020/07/15/ddset/ https://github.com/vrthra/ddset


  80. 80
    https://rahul.gopinath.org/post/2020/07/15/ddset/ https://github.com/vrthra/ddset
