Input Algebras

Transcript

1. Input Algebras Rahul Gopinath Hamed Nemati Andreas Zeller CISPA Helmholtz

   Center for Information Security for Taming Grammar Fuzzers

2. 3 {"a": ["key"]} ✓ Program

3. 4 {"a": ["key"]} Program {"": [1,2,"k"]} ✘

4. 5 {"a": ["key"]} Program {"": [1,2,"k"]} ✓ ["A", "B", "C"]

5. 6 {"a": ["key"]} Program {"": [1,2,"k"]} ["A", "B", "C"] [{"":

   [1,2,3,4]}] ✘

6. 7 {"a": ["key"]} {"": [1,2,"k"]} ["A", "B", "C"] [{"": [1,2,3,4]}]

   if json.has_key(""): raise Exception() Program

7. 8 {"type":"PathNode","matrix": {"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201 948628471,"dy":371.5686591257294},"children": [],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness": 0.5,"startX":50,"startY":0,"closed":true,"segments": [{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r": [-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.0710031278431 4156]},{"type":3,"x":50,"y":100,"x1":100,"y1":100,"r": [0.24857700895518064,0.030472169630229473,0.49844827968627214,0.1326016811653

   9717]},{"type":3,"x":0,"y":50,"x1":0,"y1":100,"r": [0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.47907172795385 12]},{"type":3,"x":50,"y":0,"x1":0,"y1":0,"r": [0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.156406396068632 6]}],"shadow":false},{"type":"PathNode","matrix": {"m11":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.13810 32855618,"dy":133.20628077515605},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5," startX":126.25,"startY":127.50445838342671,"closed":true,"segments": [{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1": 127.50445838342671,"r": [-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.05322327278554 4395]}, {"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.68279372 04955,"r": [-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.3873158805072307 6]},{"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r": [0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.133069220930 3379]}, {"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.5044583 8342671,"r": [0.42778260353952646,0.24726040940731764,0.3631806019693613,0.053255504928529 26]}],"shadow":false},{"type":"TextNode","matrix": {"m11":1,"m12":0,"m21":0,"m22":1,"dx":543,"dy":225},"children": [],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20}, {"type":"TextNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children": [],"fillStyle":"#000000","text":"x","fontName":"FG Virgil","fontSize":20}, {"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children": [],"arrowSize":10,"path":{"type":"PathNode","matrix": Program ✘

8. {"type":"PathNode","matrix": {"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201 948628471,"dy":371.5686591257294},"children": [],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness": 0.5,"startX":50,"startY":0,"closed":true,"segments": [{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r": [-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.0710031278431 4156]},{"type":3,"x":50,"y":100,"x1":100,"y1":100,"r": [0.24857700895518064,0.030472169630229473,0.49844827968627214,0.1326016811653 9717]},{"type":3,"x":0,"y":50,"x1":0,"y1":100,"r":

   [0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.47907172795385 12]},{"type":3,"x":50,"y":0,"x1":0,"y1":0,"r": [0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.156406396068632 6]}],"shadow":false},{"type":"PathNode","matrix": {"m11":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.13810 32855618,"dy":133.20628077515605},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5," startX":126.25,"startY":127.50445838342671,"closed":true,"segments": [{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1": 127.50445838342671,"r": [-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.05322327278554 4395]}, {"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.68279372 04955,"r": [-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.3873158805072307 6]},{"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r": [0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.133069220930 3379]}, {"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.5044583 8342671,"r": [0.42778260353952646,0.24726040940731764,0.3631806019693613,0.053255504928529 26]}],"shadow":false},{"type":"TextNode","matrix": {"m11":1,"m12":0,"m21":0,"m22":1,"dx":543,"dy":225},"children": [],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20}, {"type":"TextNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children": [],"fillStyle":"#000000","text":"x","fontName":"FG Virgil","fontSize":20}, {"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children": [],"arrowSize":10,"path":{"type":"PathNode","matrix": What is the smallest failure inducing input? Hierarchical Delta Debugging

9. {"type":"PathNode","matrix": {"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201 948628471,"dy":371.5686591257294},"children": [],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness": 0.5,"startX":50,"startY":0,"closed":true,"segments": [{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r": [-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.0710031278431 4156]},{"type":3,"x":50,"y":100,"x1":100,"y1":100,"r": [0.24857700895518064,0.030472169630229473,0.49844827968627214,0.1326016811653 9717]},{"type":3,"x":0,"y":50,"x1":0,"y1":100,"r":

   [0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.47907172795385 12]},{"type":3,"x":50,"y":0,"x1":0,"y1":0,"r": [0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.156406396068632 6]}],"shadow":false},{"type":"PathNode","matrix": {"m11":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.13810 32855618,"dy":133.20628077515605},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5," startX":126.25,"startY":127.50445838342671,"closed":true,"segments": [{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1": 127.50445838342671,"r": [-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.05322327278554 4395]}, {"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.68279372 04955,"r": [-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.3873158805072307 6]},{"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r": [0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.133069220930 3379]}, {"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.5044583 8342671,"r": [0.42778260353952646,0.24726040940731764,0.3631806019693613,0.053255504928529 26]}],"shadow":false},{"type":"TextNode","matrix": {"m11":1,"m12":0,"m21":0,"m22":1,"dx":543,"dy":225},"children": [],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20}, {"type":"TextNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children": [],"fillStyle":"#000000","text":"x","fontName":"FG Virgil","fontSize":20}, {"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children": [],"arrowSize":10,"path":{"type":"PathNode","matrix": <json> ::= <elt>
 <elt> ::= <object>
 | <array> | <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item>|<item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits>|<digit>
 <digit> ::= [0-9] JSON Grammar

10. {"type":"PathNode","matrix": {"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201948628471,"dy":371.568659125 7294},"children": [],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness":0.5,"startX":50,"startY":0,"closed ":true,"segments":[{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r": [-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.07100312784314156]}, {"type":3,"x":50,"y":100,"x1":100,"y1":100,"r": [0.24857700895518064,0.030472169630229473,0.49844827968627214,0.13260168116539717]}, {"type":3,"x":0,"y":50,"x1":0,"y1":100,"r": [0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.4790717279538512]},

    {"type":3,"x":50,"y":0,"x1":0,"y1":0,"r": [0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.1564063960686326]}],"shadow":false}, {"type":"PathNode","matrix": {"":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.1381032855618,"dy":133.2062807751560 5},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5,"startX":126.25,"startY":127.504 45838342671,"closed":true,"segments": [{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1":127.50445838342671,"r": [-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.053223272785544395]}, {"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.6827937204955,"r": [-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.38731588050723076]}, {"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r": [0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.1330692209303379]}, {"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.50445838342671,"r": [0.42778260353952646,0.24726040940731764,0.3631806019693613,0.05325550492852926]}],"shadow":false}, {"type":"TextNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":543,"dy":225},"children": [],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20},{"type":"TextNode","matrix": {"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children":[],"fillStyle":"#000000","text":"x","fontName":"FG Virgil","fontSize":20},{"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children": [],"arrowSize":10,"path":{"type":"PathNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":464,"dy":-3},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3," {"": []} Hierarchical Delta Debugging ✘

11. Why did my program fail? DDSET Gopinath, Kampmann, Havrikov, Soremekun,

    and Zeller. Abstracting Failure Inducing Inputs. ISSTA 2020.

12. 13 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET:

13. 14 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: 122489 {"A":{}, {"23": {"P":[]}}] [[], [[[]],[]],{"A":{}, {"23": {"P":[]}}]

14. 15 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: "XYZR389" {"A":{}, {"23": {"P":[]}}} [[], [[[]],[]],{"A":{}, {"23": {"P":[]}}]

15. 16 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: [true, null] {"A":{}, {"23": {"P":[]}}} [[], [[[]],[]],{"A":{}, {"23": {"P":[]}}]

16. 17 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: {"__": [[]]} {"?P":[{}], {"|": {"":[]}}} {"X":[[],[]],{"A":{}, {"2": {"R":[]}}}

17. 18 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: {"": [[]]} {"?P":[{}], {"|": {"P":[]}}} {"X":[[],[]],{"A":{}, {"2": {"R":[]}}}

18. 19 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: {"7897A": []} {"klnm,.qer;dfs?P":[]} {"123KOUIJ!qR30578950":[]}

19. 20 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: {"": true} {"":[1,2,445,"x"]} {"":{"PQ":[true, false, 223,"a"]}}

20. 21 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: Abstraction {"": <elt>} Abstract Input

21. • Effectively abstracts a minimized input • The abstraction identifies

    where the problem lies • Decompose complex program behaviors DDSET Gopinath, Kampmann, Havrikov, Soremekun, and Zeller. Abstracting Failure Inducing Inputs. ISSTA 2020. ISSTA 2020 Distinguished Award {"": <elt>} Abstract Input {"": []} Minimized Input

22. {"": <elt>} Abstract Input {"": []} Minimized Input How do

    we generate more failure inducing inputs?

23. {"": <elt>} Abstract Input {"": [343,{},44998]} {"": {"xxy":44998, {"b":[1,2,3]}}} {"":

    {"ket":[], {"x":[],"y",[[],[1,2,3,455,6]]}}} {"":[{3243435656:"xy,zzzpqiu"},[{"c":[112]},{"d":[[]]},{}]]} ✘ ✘ ✘ ✘ Failure Inducing Inputs

24. {"": <elt>} Abstract Input Need Contextualization! Failure Inducing Inputs [{"":

    [1,2,3,4]}] {"pqr": {"": [1,2,3,4]}, "abc":[]} [{"xr": {"": [4]}, "abc":[[],[],[1243], true, false]} ✘ ✘ ✘

25. {"": <elt>} Abstract Input Language of Evocative Inputs

26. Language of Evocative Inputs {"": <elt>} Abstract Input Evocative Subtree

27. Language of Evocative Inputs {"": <elt>} Abstract Input Evocative Fragment

28. Language of Evocative Inputs {"": <elt>} Abstract Input Evocative Subtree

    <item E> is "":<elt> Root node of the tree fragment String representation of the tree fragment Evocative Fragment

29. Language of Evocative Inputs Evocative Subtree <item E0> ::= <string

    E1>`:`<elt> <string E1> ::= `""` Evocative Pattern Grammar generate(<item E0>) = "":<elt>

30. Identify Reachable Nodes Evocative Subtree <json> ::= <elt>
 <elt> ::=

    <object>
 | <array> | <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

31. Identify Reachable Nodes <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 | `true` | `false` | `null`
 <object> ::= `{`<items*>`}` | `{}`
 <items> ::= <item*> | <item*>`,`<items*>
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]` | `[]`
 <elts> ::= <elt*> | <elt*>`,`<elts*>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] Basic idea: (1) Collect all rules that can reach the root node of abstract tree (here <item>) Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

32. Identify Insertion Positions <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 <object> ::= `{`<items*>`}`
 <items> ::= <item*> | <item*>`,`<items*> 
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]`
 <elts> ::= <elt*> | <elt*>`,`<elts*> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

33. Identify Insertion Positions <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 <object> ::= `{`<items*>`}`
 <items> ::= <item*> | <item*>`,`<items*> | <item*>`,`<items> | <item>`,`<items*>
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]`
 <elts> ::= <elt*> | <elt*>`,`<elts*> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

34. Identify Insertion Positions <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 <object> ::= `{`<items*>`}`
 <items> ::= <item*> | <item*>`,`<items*> | <item*>`,`<items> | <item>`,`<items*>
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]`
 <elts> ::= <elt*> | <elt*>`,`<elts*> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

35. Identify Insertion Positions <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 <object> ::= `{`<items*>`}`
 <items> ::= <item*> | <item*>`,`<items*> | <item*>`,`<items> | <item>`,`<items*>
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]`
 <elts> ::= <elt*> | <elt*>`,`<elts*> | <elt*>`,`<elts> | <elt>`,`<elts*> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

36. Reachable Grammar <json E> ::= <elt E>
 <elt E> ::=

    <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E>
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

37. Connect Reachable Grammar and Pattern Grammar <json E> ::= <elt

    E>
 <elt E> ::= <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E> | <string E1>`:`<elt> 
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> <string E1> ::= `""` <json E> ::= <elt E>
 <elt E> ::= <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E>
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""` <item E> is "":<elt>

38. Evocative Grammar <json E> ::= <elt E>
 <elt E> ::=

    <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E> | <string E1>`:`<elt>
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> <string E1> ::= `""` <json> ::= <elt>
 <elt> ::= <object>
 | <array> | <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": 100} {"": [343,{},44998]} [{"": {"xxy":44998, {"b":[1,2,3]}}},[],[]] {"_": {"ket":[], {"":[],"y",[[],[1,2,3,455,6]]}}} {".":[{3243435656:"xy,zzzpqiu"},[{"":[112]},{"d":[[]]},{}]]} [{"": [1,2,3,4]}] {"pqr": {"": [1,2,3,4]}, "abc":[]} [[1132],{"xx":[{6:"dafjli;y,zzzdfaiu"},[{"__":[1{}{}]},{"":[[444456]]},{}]]} generate(<json E>) ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘

39. Evocative Grammar <json E> ::= <elt E>
 <elt E> ::=

    <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E> | <string E1>`:`<elt>
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> <string E1> ::= `""` <json> ::= <elt>
 <elt> ::= <object>
 | <array> | <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] generate(<json E>) Properties: - Generator: All generated inputs guaranteed to have
 at least one fragment inducing the given behavior - Validator: Will recognize all inputs with at least
 one fragment that can induce the given behavior - Produced grammar is context-free: Consumable
 by any grammar fuzzer.

40. What if there are more failure inducing patterns? <json E>

    where <item E> is "":<elt> if json.has_key_value(null): raise Exception() if json.has_key(""): raise Exception() <json N> where <item N> is <string>: null

41. What if there are more failure inducing patterns? if json.has_key("")

    and json.has_key_value(null): raise Exception() <json E & N> where <item E> is "":<elt> <item N> is <string>: null

42. What if there are more failure inducing patterns? if json.has_key("")

    and not json.has_key_value(null): raise Exception() <json E & not(N)> where <item E> is "":<elt> <item N> is <string>: null

43. What if there are more failure inducing patterns? if json.has_key(""):

    raise Exception() if json.has_key_value(null): raise Exception() <json not(E) & not(N)> where <item E> is "":<elt> <item N> is <string>: null

44. { } Input Algebras: Patterns to Grammar <json E &

    N> where <item E> is "":<elt> <item N> is <string>: null <json E> := <elt E> <elt E> := ... <json N> := <elt N> <elt N> := ... & = <json E&N> := and <elt E> <elt N> ... <json E&N> := <elt E&N> ... { } <elt E> := <object E> | <array E> & <elt N> := <object N> | <array N> = <elt E&N>:= and <object E>|<array E>|<string E>|<number E> <object N>|<array N>|<string N>|<number N> <elt E&N>:= <object E&N> | <array E&N>

45. <json E&N> := <elt E&N> <elt E&N> := <object E&N>

    | <array E&N> <array E&N>:= '[' <elts E&N> ']' <object E&N>:= '{' <items E&N> '}' <elts E&N> := <elt E&N> | <elt E&N>','<elts N> | <elt N>','<elts E&N> <items E&N> := <item E&N> | <item E&N>','<items N> | <item N>','<items E&N> <item E&N> := <string E1>':'<elt N&N1> | <string>':'<elt E&N&N1> <elt E&N&N1> := <object E&N> <array E&N> <elt N> := 'false' | 'true' | <number> | <string> | <object N> <array N> <array N> := '[]' | '[' <elts N> ']' <object N> := '{}' | '{' <items N> '}' <elts N> := <elt N> | <elt N>','<elts N> <items N> := <item N> | <item N>','<items N> <item N> := <string>':'<elt N&N1> <elt N&N1> := 'false' | 'true' | <number> | <string> | <object N> | <array N> <json E & N> where <item E> is "":<elt> <item N> is <string>: null {"": 100} {"": [343,{},44998]} [{"": {"xxy":44998, {"b":[1,2,3]}}},[],[]] {"_": {"ket":[], {"":[],"y",[[],[1,2,3,455,6]]}}} {".":[{3243435656:"xy,zzzpqiu"},[{"":[112]},{"d":[[]]},{}]]} [{"": [1,2,3,4]}] {"pqr": {"": [1,2,3,4]}, "abc":[]} [[1132],{"xx":[{6:"dafjli;y,zzzdfaiu"},[{"__":[1{}{}]},{"":[[444456]]},{}]]} generate(<json E&N>) ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘

46. <json E and not(N)> where <item E> is "": <elt>

    <item N> is <string>:null <calc not(D or F)> where <factor F> is ((<expr>)) <term D> is <factor> / 0 <ipv4addr O and H> where <quad O> is "0" <num> <quad H> is "0x" <num> <C not(F) not(EW or ED or F)> where <forCondition F> is ";;" <iterationStatement EW> is <WHILE> "()" <statement> <iterationStatement ED> is <DO> <statement> <WHILE> "()" <eos>

47. Issue 386 from Rhino var A = class extends (class

    {}){}; Issue 2937 from Closure const [y,y] = []; var {baz:{} = baz => {}} = baz => {}; Issue 385 from Rhino {while ((l_0)){ if ((l_0)) {break;;var l_0; continue }0}} Issue 2842 from Closure <varModifier> <Identifier> = class extends (class {}){} var {<$Id1>:{} = <$Id1> => {}} <variableDeclaration>; const [<$Id1>,<$Id1>] = [] {while ((<$Id1>)){ if ((<$Id1>)) {break;;var <$Id1>; continue }0}}

48. where <variableDeclarationList C2937> is <varModifier> <Identifier> = class extends (class

    {}){} <iterationStatement C2842> is {while ((<$Id1>)){ if ((<$Id1>)) {break;;var <$Id1>; continue }0}} <variableStatement R385> is var {<$Id2>:{} = <$Id2> => {}} <variableDeclaration>; <variableDeclarationList R386> is const [<$Id3>,<$Id3>] = [] Input Algebras <JavaScript C2937 and C2842> <JavaScript R385 and R386> <JavaScript (C2937 or C2842) and (R385 or R386)> <JavaScript not(C2937 or C2842 or R385 or R386)>

49. Input Algebras: Beyond fuzzing • Validating inputs • Supercharged recognizers

    (alternative to regex) • Semantic code search • Generating data structures • Easily specified access control lists

50. https://rahul.gopinath.org DOI:10.5281/zenodo.4456296