Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Input Algebras

Avatar for Rahul Gopinath Rahul Gopinath
May 25, 2021
Research
0
240

Input Algebras

ICSE 2021
Avatar for Rahul Gopinath

Rahul Gopinath

May 25, 2021
Tweet

More Decks by Rahul Gopinath

See All by Rahul Gopinath
Fuzzing Without Specifications: Learning Structure from Behaviour Part I
Avatar for Rahul Gopinath rahulgopinath
0
5
Fuzzing Without Specifications: Learning Structure from Behaviour Part II
Avatar for Rahul Gopinath rahulgopinath
0
2
How to Compare Fuzzers
Avatar for Rahul Gopinath rahulgopinath
0
84
Mutation Analysis: Answering the Fuzzing Challenge
Avatar for Rahul Gopinath rahulgopinath
0
43
An Empirical Evaluation of Frequency Based Statistical Models for Estimating Killable Mutants
Avatar for Rahul Gopinath rahulgopinath
0
51
Look Ma No Hands! Testing Software Without Specifications
Avatar for Rahul Gopinath rahulgopinath
0
110
How to Talk to Strange Programs and Find Bugs
Avatar for Rahul Gopinath rahulgopinath
0
140
Dancing to an Unknown Music: Grammar Inferrence with Prefix Queries
Avatar for Rahul Gopinath rahulgopinath
0
120
Systematic Assessment of Fuzzers using Mutation Analysis
Avatar for Rahul Gopinath rahulgopinath
0
200

Other Decks in Research

See All in Research
学生向けアンケート<データサイエンティストについて>
Avatar for The Japan DataScientist Society datascientistsociety
PRO
0
3k
AIによる画像認識技術の進化 -25年の技術変遷を振り返る-
Avatar for Hironobu Fujiyoshi hf149
6
3.4k
時系列データに対する解釈可能な 決定木クラスタリング
Avatar for MIKIO KUBO mickey_kubo
2
700
チャッドローン:LLMによる画像認識を用いた自律型ドローンシステムの開発と実験 / ec75-morisaki
Avatar for yumulab yumulab
1
440
最適化と機械学習による問題解決
Avatar for MIKIO KUBO mickey_kubo
0
140
業界横断 副業・兼業者の実態調査
Avatar for fkske fkske
0
160
SSII2025 [TS3] 医工連携における画像情報学研究
Avatar for 画像センシングシンポジウム ssii
PRO
2
1.1k
数理最適化と機械学習の融合
Avatar for MIKIO KUBO mickey_kubo
15
8.8k
RHO-1: Not All Tokens Are What You Need
Avatar for Sansan R&D sansan_randd
1
110
Looking for Escorts in Sydney?
Avatar for sophia lunsophia
1
120
言語モデルの内部機序:解析と解釈
Avatar for Sho Yokoi eumesy
PRO
48
18k
研究テーマのデザインと研究遂行の方法論
Avatar for Hisashi Ishihara hisashiishihara
5
1.4k

Featured

See All Featured
The Language of Interfaces
Avatar for Des Traynor destraynor
158
25k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
48
5.4k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
30
5.8k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
7
700
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
160
23k
We Have a Design System, Now What?
Avatar for Morgane Peng morganepeng
53
7.7k
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
790
250k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
8
670
Docker and Python
Avatar for Tania Allard trallard
44
3.4k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
57
9.4k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
138
34k

Transcript

  1. Input Algebras Rahul Gopinath Hamed Nemati Andreas Zeller CISPA Helmholtz

    Center for Information Security for Taming Grammar Fuzzers

  2. 3 {"a": ["key"]} ✓ Program

  3. 4 {"a": ["key"]} Program {"": [1,2,"k"]} ✘

  4. 5 {"a": ["key"]} Program {"": [1,2,"k"]} ✓ ["A", "B", "C"]

  5. 6 {"a": ["key"]} Program {"": [1,2,"k"]} ["A", "B", "C"] [{"":

    [1,2,3,4]}] ✘

  6. 7 {"a": ["key"]} {"": [1,2,"k"]} ["A", "B", "C"] [{"": [1,2,3,4]}]

    if json.has_key(""): raise Exception() Program

  7. 8 {"type":"PathNode","matrix": {"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201 948628471,"dy":371.5686591257294},"children": [],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness": 0.5,"startX":50,"startY":0,"closed":true,"segments": [{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r": [-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.0710031278431 4156]},{"type":3,"x":50,"y":100,"x1":100,"y1":100,"r": [0.24857700895518064,0.030472169630229473,0.49844827968627214,0.1326016811653

    9717]},{"type":3,"x":0,"y":50,"x1":0,"y1":100,"r": [0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.47907172795385 12]},{"type":3,"x":50,"y":0,"x1":0,"y1":0,"r": [0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.156406396068632 6]}],"shadow":false},{"type":"PathNode","matrix": {"m11":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.13810 32855618,"dy":133.20628077515605},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5," startX":126.25,"startY":127.50445838342671,"closed":true,"segments": [{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1": 127.50445838342671,"r": [-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.05322327278554 4395]}, {"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.68279372 04955,"r": [-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.3873158805072307 6]},{"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r": [0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.133069220930 3379]}, {"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.5044583 8342671,"r": [0.42778260353952646,0.24726040940731764,0.3631806019693613,0.053255504928529 26]}],"shadow":false},{"type":"TextNode","matrix": {"m11":1,"m12":0,"m21":0,"m22":1,"dx":543,"dy":225},"children": [],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20}, {"type":"TextNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children": [],"fillStyle":"#000000","text":"x","fontName":"FG Virgil","fontSize":20}, {"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children": [],"arrowSize":10,"path":{"type":"PathNode","matrix": Program ✘

  8. {"type":"PathNode","matrix": {"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201 948628471,"dy":371.5686591257294},"children": [],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness": 0.5,"startX":50,"startY":0,"closed":true,"segments": [{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r": [-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.0710031278431 4156]},{"type":3,"x":50,"y":100,"x1":100,"y1":100,"r": [0.24857700895518064,0.030472169630229473,0.49844827968627214,0.1326016811653 9717]},{"type":3,"x":0,"y":50,"x1":0,"y1":100,"r":

    [0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.47907172795385 12]},{"type":3,"x":50,"y":0,"x1":0,"y1":0,"r": [0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.156406396068632 6]}],"shadow":false},{"type":"PathNode","matrix": {"m11":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.13810 32855618,"dy":133.20628077515605},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5," startX":126.25,"startY":127.50445838342671,"closed":true,"segments": [{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1": 127.50445838342671,"r": [-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.05322327278554 4395]}, {"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.68279372 04955,"r": [-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.3873158805072307 6]},{"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r": [0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.133069220930 3379]}, {"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.5044583 8342671,"r": [0.42778260353952646,0.24726040940731764,0.3631806019693613,0.053255504928529 26]}],"shadow":false},{"type":"TextNode","matrix": {"m11":1,"m12":0,"m21":0,"m22":1,"dx":543,"dy":225},"children": [],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20}, {"type":"TextNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children": [],"fillStyle":"#000000","text":"x","fontName":"FG Virgil","fontSize":20}, {"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children": [],"arrowSize":10,"path":{"type":"PathNode","matrix": What is the smallest failure inducing input? Hierarchical Delta Debugging

  9. {"type":"PathNode","matrix": {"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201 948628471,"dy":371.5686591257294},"children": [],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness": 0.5,"startX":50,"startY":0,"closed":true,"segments": [{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r": [-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.0710031278431 4156]},{"type":3,"x":50,"y":100,"x1":100,"y1":100,"r": [0.24857700895518064,0.030472169630229473,0.49844827968627214,0.1326016811653 9717]},{"type":3,"x":0,"y":50,"x1":0,"y1":100,"r":

    [0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.47907172795385 12]},{"type":3,"x":50,"y":0,"x1":0,"y1":0,"r": [0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.156406396068632 6]}],"shadow":false},{"type":"PathNode","matrix": {"m11":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.13810 32855618,"dy":133.20628077515605},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5," startX":126.25,"startY":127.50445838342671,"closed":true,"segments": [{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1": 127.50445838342671,"r": [-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.05322327278554 4395]}, {"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.68279372 04955,"r": [-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.3873158805072307 6]},{"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r": [0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.133069220930 3379]}, {"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.5044583 8342671,"r": [0.42778260353952646,0.24726040940731764,0.3631806019693613,0.053255504928529 26]}],"shadow":false},{"type":"TextNode","matrix": {"m11":1,"m12":0,"m21":0,"m22":1,"dx":543,"dy":225},"children": [],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20}, {"type":"TextNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children": [],"fillStyle":"#000000","text":"x","fontName":"FG Virgil","fontSize":20}, {"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children": [],"arrowSize":10,"path":{"type":"PathNode","matrix": <json> ::= <elt>
 <elt> ::= <object>
 | <array> | <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item>|<item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits>|<digit>
 <digit> ::= [0-9] JSON Grammar

  10. {"type":"PathNode","matrix": {"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201948628471,"dy":371.568659125 7294},"children": [],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness":0.5,"startX":50,"startY":0,"closed ":true,"segments":[{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r": [-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.07100312784314156]}, {"type":3,"x":50,"y":100,"x1":100,"y1":100,"r": [0.24857700895518064,0.030472169630229473,0.49844827968627214,0.13260168116539717]}, {"type":3,"x":0,"y":50,"x1":0,"y1":100,"r": [0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.4790717279538512]},

    {"type":3,"x":50,"y":0,"x1":0,"y1":0,"r": [0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.1564063960686326]}],"shadow":false}, {"type":"PathNode","matrix": {"":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.1381032855618,"dy":133.2062807751560 5},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5,"startX":126.25,"startY":127.504 45838342671,"closed":true,"segments": [{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1":127.50445838342671,"r": [-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.053223272785544395]}, {"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.6827937204955,"r": [-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.38731588050723076]}, {"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r": [0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.1330692209303379]}, {"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.50445838342671,"r": [0.42778260353952646,0.24726040940731764,0.3631806019693613,0.05325550492852926]}],"shadow":false}, {"type":"TextNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":543,"dy":225},"children": [],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20},{"type":"TextNode","matrix": {"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children":[],"fillStyle":"#000000","text":"x","fontName":"FG Virgil","fontSize":20},{"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children": [],"arrowSize":10,"path":{"type":"PathNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":464,"dy":-3},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3," {"": []} Hierarchical Delta Debugging ✘

  11. Why did my program fail? DDSET Gopinath, Kampmann, Havrikov, Soremekun,

    and Zeller. Abstracting Failure Inducing Inputs. ISSTA 2020.

  12. 13 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET:

  13. 14 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: 122489 {"A":{}, {"23": {"P":[]}}] [[], [[[]],[]],{"A":{}, {"23": {"P":[]}}]

  14. 15 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: "XYZR389" {"A":{}, {"23": {"P":[]}}} [[], [[[]],[]],{"A":{}, {"23": {"P":[]}}]

  15. 16 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: [true, null] {"A":{}, {"23": {"P":[]}}} [[], [[[]],[]],{"A":{}, {"23": {"P":[]}}]

  16. 17 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: {"__": [[]]} {"?P":[{}], {"|": {"":[]}}} {"X":[[],[]],{"A":{}, {"2": {"R":[]}}}

  17. 18 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: {"": [[]]} {"?P":[{}], {"|": {"P":[]}}} {"X":[[],[]],{"A":{}, {"2": {"R":[]}}}

  18. 19 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: {"7897A": []} {"klnm,.qer;dfs?P":[]} {"123KOUIJ!qR30578950":[]}

  19. 20 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: {"": true} {"":[1,2,445,"x"]} {"":{"PQ":[true, false, 223,"a"]}}

  20. 21 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: Abstraction {"": <elt>} Abstract Input

  21. • Effectively abstracts a minimized input • The abstraction identifies

    where the problem lies • Decompose complex program behaviors DDSET Gopinath, Kampmann, Havrikov, Soremekun, and Zeller. Abstracting Failure Inducing Inputs. ISSTA 2020. ISSTA 2020 Distinguished Award {"": <elt>} Abstract Input {"": []} Minimized Input

  22. {"": <elt>} Abstract Input {"": []} Minimized Input How do

    we generate more failure inducing inputs?

  23. {"": <elt>} Abstract Input {"": [343,{},44998]} {"": {"xxy":44998, {"b":[1,2,3]}}} {"":

    {"ket":[], {"x":[],"y",[[],[1,2,3,455,6]]}}} {"":[{3243435656:"xy,zzzpqiu"},[{"c":[112]},{"d":[[]]},{}]]} ✘ ✘ ✘ ✘ Failure Inducing Inputs

  24. {"": <elt>} Abstract Input Need Contextualization! Failure Inducing Inputs [{"":

    [1,2,3,4]}] {"pqr": {"": [1,2,3,4]}, "abc":[]} [{"xr": {"": [4]}, "abc":[[],[],[1243], true, false]} ✘ ✘ ✘

  25. {"": <elt>} Abstract Input Language of Evocative Inputs

  26. Language of Evocative Inputs {"": <elt>} Abstract Input Evocative Subtree

  27. Language of Evocative Inputs {"": <elt>} Abstract Input Evocative Fragment

  28. Language of Evocative Inputs {"": <elt>} Abstract Input Evocative Subtree

    <item E> is "":<elt> Root node of the tree fragment String representation of the tree fragment Evocative Fragment

  29. Language of Evocative Inputs Evocative Subtree <item E0> ::= <string

    E1>`:`<elt> <string E1> ::= `""` Evocative Pattern Grammar generate(<item E0>) = "":<elt>

  30. Identify Reachable Nodes Evocative Subtree <json> ::= <elt>
 <elt> ::=

    <object>
 | <array> | <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  31. Identify Reachable Nodes <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 | `true` | `false` | `null`
 <object> ::= `{`<items*>`}` | `{}`
 <items> ::= <item*> | <item*>`,`<items*>
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]` | `[]`
 <elts> ::= <elt*> | <elt*>`,`<elts*>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] Basic idea: (1) Collect all rules that can reach the root node of abstract tree (here <item>) Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  32. Identify Insertion Positions <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 <object> ::= `{`<items*>`}`
 <items> ::= <item*> | <item*>`,`<items*> 
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]`
 <elts> ::= <elt*> | <elt*>`,`<elts*> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  33. Identify Insertion Positions <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 <object> ::= `{`<items*>`}`
 <items> ::= <item*> | <item*>`,`<items*> | <item*>`,`<items> | <item>`,`<items*>
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]`
 <elts> ::= <elt*> | <elt*>`,`<elts*> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  34. Identify Insertion Positions <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 <object> ::= `{`<items*>`}`
 <items> ::= <item*> | <item*>`,`<items*> | <item*>`,`<items> | <item>`,`<items*>
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]`
 <elts> ::= <elt*> | <elt*>`,`<elts*> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  35. Identify Insertion Positions <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 <object> ::= `{`<items*>`}`
 <items> ::= <item*> | <item*>`,`<items*> | <item*>`,`<items> | <item>`,`<items*>
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]`
 <elts> ::= <elt*> | <elt*>`,`<elts*> | <elt*>`,`<elts> | <elt>`,`<elts*> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  36. Reachable Grammar <json E> ::= <elt E>
 <elt E> ::=

    <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E>
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  37. Connect Reachable Grammar and Pattern Grammar <json E> ::= <elt

    E>
 <elt E> ::= <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E> | <string E1>`:`<elt> 
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> <string E1> ::= `""` <json E> ::= <elt E>
 <elt E> ::= <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E>
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""` <item E> is "":<elt>

  38. Evocative Grammar <json E> ::= <elt E>
 <elt E> ::=

    <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E> | <string E1>`:`<elt>
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> <string E1> ::= `""` <json> ::= <elt>
 <elt> ::= <object>
 | <array> | <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": 100} {"": [343,{},44998]} [{"": {"xxy":44998, {"b":[1,2,3]}}},[],[]] {"_": {"ket":[], {"":[],"y",[[],[1,2,3,455,6]]}}} {".":[{3243435656:"xy,zzzpqiu"},[{"":[112]},{"d":[[]]},{}]]} [{"": [1,2,3,4]}] {"pqr": {"": [1,2,3,4]}, "abc":[]} [[1132],{"xx":[{6:"dafjli;y,zzzdfaiu"},[{"__":[1{}{}]},{"":[[444456]]},{}]]} generate(<json E>) ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘

  39. Evocative Grammar <json E> ::= <elt E>
 <elt E> ::=

    <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E> | <string E1>`:`<elt>
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> <string E1> ::= `""` <json> ::= <elt>
 <elt> ::= <object>
 | <array> | <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] generate(<json E>) Properties: - Generator: All generated inputs guaranteed to have
 at least one fragment inducing the given behavior - Validator: Will recognize all inputs with at least
 one fragment that can induce the given behavior - Produced grammar is context-free: Consumable
 by any grammar fuzzer.

  40. What if there are more failure inducing patterns? <json E>

    where <item E> is "":<elt> if json.has_key_value(null): raise Exception() if json.has_key(""): raise Exception() <json N> where <item N> is <string>: null

  41. What if there are more failure inducing patterns? if json.has_key("")

    and json.has_key_value(null): raise Exception() <json E & N> where <item E> is "":<elt> <item N> is <string>: null

  42. What if there are more failure inducing patterns? if json.has_key("")

    and not json.has_key_value(null): raise Exception() <json E & not(N)> where <item E> is "":<elt> <item N> is <string>: null

  43. What if there are more failure inducing patterns? if json.has_key(""):

    raise Exception() if json.has_key_value(null): raise Exception() <json not(E) & not(N)> where <item E> is "":<elt> <item N> is <string>: null

  44. { } Input Algebras: Patterns to Grammar <json E &

    N> where <item E> is "":<elt> <item N> is <string>: null <json E> := <elt E> <elt E> := ... <json N> := <elt N> <elt N> := ... & = <json E&N> := and <elt E> <elt N> ... <json E&N> := <elt E&N> ... { } <elt E> := <object E> | <array E> & <elt N> := <object N> | <array N> = <elt E&N>:= and <object E>|<array E>|<string E>|<number E> <object N>|<array N>|<string N>|<number N> <elt E&N>:= <object E&N> | <array E&N>

  45. <json E&N> := <elt E&N> <elt E&N> := <object E&N>

    | <array E&N> <array E&N>:= '[' <elts E&N> ']' <object E&N>:= '{' <items E&N> '}' <elts E&N> := <elt E&N> | <elt E&N>','<elts N> | <elt N>','<elts E&N> <items E&N> := <item E&N> | <item E&N>','<items N> | <item N>','<items E&N> <item E&N> := <string E1>':'<elt N&N1> | <string>':'<elt E&N&N1> <elt E&N&N1> := <object E&N> <array E&N> <elt N> := 'false' | 'true' | <number> | <string> | <object N> <array N> <array N> := '[]' | '[' <elts N> ']' <object N> := '{}' | '{' <items N> '}' <elts N> := <elt N> | <elt N>','<elts N> <items N> := <item N> | <item N>','<items N> <item N> := <string>':'<elt N&N1> <elt N&N1> := 'false' | 'true' | <number> | <string> | <object N> | <array N> <json E & N> where <item E> is "":<elt> <item N> is <string>: null {"": 100} {"": [343,{},44998]} [{"": {"xxy":44998, {"b":[1,2,3]}}},[],[]] {"_": {"ket":[], {"":[],"y",[[],[1,2,3,455,6]]}}} {".":[{3243435656:"xy,zzzpqiu"},[{"":[112]},{"d":[[]]},{}]]} [{"": [1,2,3,4]}] {"pqr": {"": [1,2,3,4]}, "abc":[]} [[1132],{"xx":[{6:"dafjli;y,zzzdfaiu"},[{"__":[1{}{}]},{"":[[444456]]},{}]]} generate(<json E&N>) ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘

  46. <json E and not(N)> where <item E> is "": <elt>

    <item N> is <string>:null <calc not(D or F)> where <factor F> is ((<expr>)) <term D> is <factor> / 0 <ipv4addr O and H> where <quad O> is "0" <num> <quad H> is "0x" <num> <C not(F) not(EW or ED or F)> where <forCondition F> is ";;" <iterationStatement EW> is <WHILE> "()" <statement> <iterationStatement ED> is <DO> <statement> <WHILE> "()" <eos>

  47. Issue 386 from Rhino var A = class extends (class

    {}){}; Issue 2937 from Closure const [y,y] = []; var {baz:{} = baz => {}} = baz => {}; Issue 385 from Rhino {while ((l_0)){ if ((l_0)) {break;;var l_0; continue }0}} Issue 2842 from Closure <varModifier> <Identifier> = class extends (class {}){} var {<$Id1>:{} = <$Id1> => {}} <variableDeclaration>; const [<$Id1>,<$Id1>] = [] {while ((<$Id1>)){ if ((<$Id1>)) {break;;var <$Id1>; continue }0}}

  48. where <variableDeclarationList C2937> is <varModifier> <Identifier> = class extends (class

    {}){} <iterationStatement C2842> is {while ((<$Id1>)){ if ((<$Id1>)) {break;;var <$Id1>; continue }0}} <variableStatement R385> is var {<$Id2>:{} = <$Id2> => {}} <variableDeclaration>; <variableDeclarationList R386> is const [<$Id3>,<$Id3>] = [] Input Algebras <JavaScript C2937 and C2842> <JavaScript R385 and R386> <JavaScript (C2937 or C2842) and (R385 or R386)> <JavaScript not(C2937 or C2842 or R385 or R386)>

  49. Input Algebras: Beyond fuzzing • Validating inputs • Supercharged recognizers

    (alternative to regex) • Semantic code search • Generating data structures • Easily specified access control lists

  50. https://rahul.gopinath.org DOI:10.5281/zenodo.4456296