Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Input Algebras

D27cb84e0d30e2778e9b66d6a5f42106?s=47 Rahul Gopinath
May 25, 2021
Research
0
48

Input Algebras

ICSE 2021

D27cb84e0d30e2778e9b66d6a5f42106?s=128

Rahul Gopinath

May 25, 2021
Tweet

More Decks by Rahul Gopinath

See All by Rahul Gopinath
D27cb84e0d30e2778e9b66d6a5f42106?s=48 rahulgopinath
0
19
D27cb84e0d30e2778e9b66d6a5f42106?s=48 rahulgopinath
0
14
D27cb84e0d30e2778e9b66d6a5f42106?s=48 rahulgopinath
0
48
D27cb84e0d30e2778e9b66d6a5f42106?s=48 rahulgopinath
0
21
D27cb84e0d30e2778e9b66d6a5f42106?s=48 rahulgopinath
0
21
D27cb84e0d30e2778e9b66d6a5f42106?s=48 rahulgopinath
0
79
D27cb84e0d30e2778e9b66d6a5f42106?s=48 rahulgopinath
0
290
D27cb84e0d30e2778e9b66d6a5f42106?s=48 rahulgopinath
0
88
D27cb84e0d30e2778e9b66d6a5f42106?s=48 rahulgopinath
0
48

Other Decks in Research

See All in Research
6d667e747a4a1cda7d201c3358424257?s=48 digitalnaturegroup
0
320
557c7fa1fbf43b88830901feb21f95a0?s=48 ynakano
1
160
6d667e747a4a1cda7d201c3358424257?s=48 digitalnaturegroup
0
420
6bd63bb363d2cb9933b263463f6305cf?s=48 matsui_528
0
1.6k
18923a96dc13fe272f16c77167102f42?s=48 koheishinden
0
150
B9876944233f30c903c2c22da2ee00b2?s=48 cpsymap
2
240
F16d24f8c3767910d0ef9dd3093ae016?s=48 tosho
0
100
A8e5603efe2e904e5643163d1e0cb0d6?s=48 butsugiri
39
11k
290a66d9796825297c2cdb438a372f6a?s=48 hashi0203
0
140
14da6ebc2e909305afdb348e7970de81?s=48 wingnus
1
1.7k
7449b55729798fe40c3512ad3f83f40d?s=48 unzaih
1
100
847a328633b1df6b11cc2f72430025e6?s=48 ks91
PRO
0
250

Featured

See All Featured
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
315
21k
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
482
150k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
6
740
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
778
200k
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
32
1.1k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1352
200k
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
91
3.6k
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
52
3.3k
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
203
9.9k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
190
14k
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
333
16k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
224
15k

Transcript

  1. Input Algebras Rahul Gopinath Hamed Nemati Andreas Zeller CISPA Helmholtz

    Center for Information Security for Taming Grammar Fuzzers

  2. 3 {"a": ["key"]} ✓ Program

  3. 4 {"a": ["key"]} Program {"": [1,2,"k"]} ✘

  4. 5 {"a": ["key"]} Program {"": [1,2,"k"]} ✓ ["A", "B", "C"]

  5. 6 {"a": ["key"]} Program {"": [1,2,"k"]} ["A", "B", "C"] [{"":

    [1,2,3,4]}] ✘

  6. 7 {"a": ["key"]} {"": [1,2,"k"]} ["A", "B", "C"] [{"": [1,2,3,4]}]

    if json.has_key(""): raise Exception() Program

  7. 8 {"type":"PathNode","matrix": {"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201 948628471,"dy":371.5686591257294},"children": [],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness": 0.5,"startX":50,"startY":0,"closed":true,"segments": [{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r": [-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.0710031278431 4156]},{"type":3,"x":50,"y":100,"x1":100,"y1":100,"r": [0.24857700895518064,0.030472169630229473,0.49844827968627214,0.1326016811653

    9717]},{"type":3,"x":0,"y":50,"x1":0,"y1":100,"r": [0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.47907172795385 12]},{"type":3,"x":50,"y":0,"x1":0,"y1":0,"r": [0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.156406396068632 6]}],"shadow":false},{"type":"PathNode","matrix": {"m11":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.13810 32855618,"dy":133.20628077515605},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5," startX":126.25,"startY":127.50445838342671,"closed":true,"segments": [{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1": 127.50445838342671,"r": [-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.05322327278554 4395]}, {"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.68279372 04955,"r": [-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.3873158805072307 6]},{"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r": [0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.133069220930 3379]}, {"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.5044583 8342671,"r": [0.42778260353952646,0.24726040940731764,0.3631806019693613,0.053255504928529 26]}],"shadow":false},{"type":"TextNode","matrix": {"m11":1,"m12":0,"m21":0,"m22":1,"dx":543,"dy":225},"children": [],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20}, {"type":"TextNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children": [],"fillStyle":"#000000","text":"x","fontName":"FG Virgil","fontSize":20}, {"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children": [],"arrowSize":10,"path":{"type":"PathNode","matrix": Program ✘

  8. {"type":"PathNode","matrix": {"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201 948628471,"dy":371.5686591257294},"children": [],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness": 0.5,"startX":50,"startY":0,"closed":true,"segments": [{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r": [-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.0710031278431 4156]},{"type":3,"x":50,"y":100,"x1":100,"y1":100,"r": [0.24857700895518064,0.030472169630229473,0.49844827968627214,0.1326016811653 9717]},{"type":3,"x":0,"y":50,"x1":0,"y1":100,"r":

    [0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.47907172795385 12]},{"type":3,"x":50,"y":0,"x1":0,"y1":0,"r": [0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.156406396068632 6]}],"shadow":false},{"type":"PathNode","matrix": {"m11":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.13810 32855618,"dy":133.20628077515605},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5," startX":126.25,"startY":127.50445838342671,"closed":true,"segments": [{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1": 127.50445838342671,"r": [-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.05322327278554 4395]}, {"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.68279372 04955,"r": [-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.3873158805072307 6]},{"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r": [0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.133069220930 3379]}, {"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.5044583 8342671,"r": [0.42778260353952646,0.24726040940731764,0.3631806019693613,0.053255504928529 26]}],"shadow":false},{"type":"TextNode","matrix": {"m11":1,"m12":0,"m21":0,"m22":1,"dx":543,"dy":225},"children": [],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20}, {"type":"TextNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children": [],"fillStyle":"#000000","text":"x","fontName":"FG Virgil","fontSize":20}, {"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children": [],"arrowSize":10,"path":{"type":"PathNode","matrix": What is the smallest failure inducing input? Hierarchical Delta Debugging

  9. {"type":"PathNode","matrix": {"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201 948628471,"dy":371.5686591257294},"children": [],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness": 0.5,"startX":50,"startY":0,"closed":true,"segments": [{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r": [-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.0710031278431 4156]},{"type":3,"x":50,"y":100,"x1":100,"y1":100,"r": [0.24857700895518064,0.030472169630229473,0.49844827968627214,0.1326016811653 9717]},{"type":3,"x":0,"y":50,"x1":0,"y1":100,"r":

    [0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.47907172795385 12]},{"type":3,"x":50,"y":0,"x1":0,"y1":0,"r": [0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.156406396068632 6]}],"shadow":false},{"type":"PathNode","matrix": {"m11":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.13810 32855618,"dy":133.20628077515605},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5," startX":126.25,"startY":127.50445838342671,"closed":true,"segments": [{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1": 127.50445838342671,"r": [-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.05322327278554 4395]}, {"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.68279372 04955,"r": [-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.3873158805072307 6]},{"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r": [0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.133069220930 3379]}, {"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.5044583 8342671,"r": [0.42778260353952646,0.24726040940731764,0.3631806019693613,0.053255504928529 26]}],"shadow":false},{"type":"TextNode","matrix": {"m11":1,"m12":0,"m21":0,"m22":1,"dx":543,"dy":225},"children": [],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20}, {"type":"TextNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children": [],"fillStyle":"#000000","text":"x","fontName":"FG Virgil","fontSize":20}, {"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children": [],"arrowSize":10,"path":{"type":"PathNode","matrix": <json> ::= <elt>
 <elt> ::= <object>
 | <array> | <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item>|<item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits>|<digit>
 <digit> ::= [0-9] JSON Grammar

  10. {"type":"PathNode","matrix": {"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201948628471,"dy":371.568659125 7294},"children": [],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness":0.5,"startX":50,"startY":0,"closed ":true,"segments":[{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r": [-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.07100312784314156]}, {"type":3,"x":50,"y":100,"x1":100,"y1":100,"r": [0.24857700895518064,0.030472169630229473,0.49844827968627214,0.13260168116539717]}, {"type":3,"x":0,"y":50,"x1":0,"y1":100,"r": [0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.4790717279538512]},

    {"type":3,"x":50,"y":0,"x1":0,"y1":0,"r": [0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.1564063960686326]}],"shadow":false}, {"type":"PathNode","matrix": {"":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.1381032855618,"dy":133.2062807751560 5},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5,"startX":126.25,"startY":127.504 45838342671,"closed":true,"segments": [{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1":127.50445838342671,"r": [-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.053223272785544395]}, {"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.6827937204955,"r": [-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.38731588050723076]}, {"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r": [0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.1330692209303379]}, {"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.50445838342671,"r": [0.42778260353952646,0.24726040940731764,0.3631806019693613,0.05325550492852926]}],"shadow":false}, {"type":"TextNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":543,"dy":225},"children": [],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20},{"type":"TextNode","matrix": {"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children":[],"fillStyle":"#000000","text":"x","fontName":"FG Virgil","fontSize":20},{"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children": [],"arrowSize":10,"path":{"type":"PathNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":464,"dy":-3},"children": [],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3," {"": []} Hierarchical Delta Debugging ✘

  11. Why did my program fail? DDSET Gopinath, Kampmann, Havrikov, Soremekun,

    and Zeller. Abstracting Failure Inducing Inputs. ISSTA 2020.

  12. 13 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET:

  13. 14 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: 122489 {"A":{}, {"23": {"P":[]}}] [[], [[[]],[]],{"A":{}, {"23": {"P":[]}}]

  14. 15 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: "XYZR389" {"A":{}, {"23": {"P":[]}}} [[], [[[]],[]],{"A":{}, {"23": {"P":[]}}]

  15. 16 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: [true, null] {"A":{}, {"23": {"P":[]}}} [[], [[[]],[]],{"A":{}, {"23": {"P":[]}}]

  16. 17 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: {"__": [[]]} {"?P":[{}], {"|": {"":[]}}} {"X":[[],[]],{"A":{}, {"2": {"R":[]}}}

  17. 18 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: {"": [[]]} {"?P":[{}], {"|": {"P":[]}}} {"X":[[],[]],{"A":{}, {"2": {"R":[]}}}

  18. 19 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: {"7897A": []} {"klnm,.qer;dfs?P":[]} {"123KOUIJ!qR30578950":[]}

  19. 20 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: {"": true} {"":[1,2,445,"x"]} {"":{"PQ":[true, false, 223,"a"]}}

  20. 21 <json> ::= <elt>
 <elt> ::= <object>
 | <array> |

    <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": []} DDSET: Abstraction {"": <elt>} Abstract Input

  21. • Effectively abstracts a minimized input • The abstraction identifies

    where the problem lies • Decompose complex program behaviors DDSET Gopinath, Kampmann, Havrikov, Soremekun, and Zeller. Abstracting Failure Inducing Inputs. ISSTA 2020. ISSTA 2020 Distinguished Award {"": <elt>} Abstract Input {"": []} Minimized Input

  22. {"": <elt>} Abstract Input {"": []} Minimized Input How do

    we generate more failure inducing inputs?

  23. {"": <elt>} Abstract Input {"": [343,{},44998]} {"": {"xxy":44998, {"b":[1,2,3]}}} {"":

    {"ket":[], {"x":[],"y",[[],[1,2,3,455,6]]}}} {"":[{3243435656:"xy,zzzpqiu"},[{"c":[112]},{"d":[[]]},{}]]} ✘ ✘ ✘ ✘ Failure Inducing Inputs

  24. {"": <elt>} Abstract Input Need Contextualization! Failure Inducing Inputs [{"":

    [1,2,3,4]}] {"pqr": {"": [1,2,3,4]}, "abc":[]} [{"xr": {"": [4]}, "abc":[[],[],[1243], true, false]} ✘ ✘ ✘

  25. {"": <elt>} Abstract Input Language of Evocative Inputs

  26. Language of Evocative Inputs {"": <elt>} Abstract Input Evocative Subtree

  27. Language of Evocative Inputs {"": <elt>} Abstract Input Evocative Fragment

  28. Language of Evocative Inputs {"": <elt>} Abstract Input Evocative Subtree

    <item E> is "":<elt> Root node of the tree fragment String representation of the tree fragment Evocative Fragment

  29. Language of Evocative Inputs Evocative Subtree <item E0> ::= <string

    E1>`:`<elt> <string E1> ::= `""` Evocative Pattern Grammar generate(<item E0>) = "":<elt>

  30. Identify Reachable Nodes Evocative Subtree <json> ::= <elt>
 <elt> ::=

    <object>
 | <array> | <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  31. Identify Reachable Nodes <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 | `true` | `false` | `null`
 <object> ::= `{`<items*>`}` | `{}`
 <items> ::= <item*> | <item*>`,`<items*>
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]` | `[]`
 <elts> ::= <elt*> | <elt*>`,`<elts*>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] Basic idea: (1) Collect all rules that can reach the root node of abstract tree (here <item>) Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  32. Identify Insertion Positions <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 <object> ::= `{`<items*>`}`
 <items> ::= <item*> | <item*>`,`<items*> 
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]`
 <elts> ::= <elt*> | <elt*>`,`<elts*> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  33. Identify Insertion Positions <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 <object> ::= `{`<items*>`}`
 <items> ::= <item*> | <item*>`,`<items*> | <item*>`,`<items> | <item>`,`<items*>
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]`
 <elts> ::= <elt*> | <elt*>`,`<elts*> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  34. Identify Insertion Positions <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 <object> ::= `{`<items*>`}`
 <items> ::= <item*> | <item*>`,`<items*> | <item*>`,`<items> | <item>`,`<items*>
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]`
 <elts> ::= <elt*> | <elt*>`,`<elts*> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  35. Identify Insertion Positions <json> ::= <elt*>
 <elt> ::= <object*>
 |

    <array*> | <string*>
 | <number*>
 <object> ::= `{`<items*>`}`
 <items> ::= <item*> | <item*>`,`<items*> | <item*>`,`<items> | <item>`,`<items*>
 <item> ::= <string>`:`<elt*>
 <array> ::= `[`<elts*>`]`
 <elts> ::= <elt*> | <elt*>`,`<elts*> | <elt*>`,`<elts> | <elt>`,`<elts*> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  36. Reachable Grammar <json E> ::= <elt E>
 <elt E> ::=

    <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E>
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> Basic idea: (1) Insert one Nonterminal at a time. Evocative Subtree <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""`

  37. Connect Reachable Grammar and Pattern Grammar <json E> ::= <elt

    E>
 <elt E> ::= <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E> | <string E1>`:`<elt> 
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> <string E1> ::= `""` <json E> ::= <elt E>
 <elt E> ::= <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E>
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> <item E0> ::= <string E1>`:`<elt> <string E1> ::= `""` <item E> is "":<elt>

  38. Evocative Grammar <json E> ::= <elt E>
 <elt E> ::=

    <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E> | <string E1>`:`<elt>
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> <string E1> ::= `""` <json> ::= <elt>
 <elt> ::= <object>
 | <array> | <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] {"": 100} {"": [343,{},44998]} [{"": {"xxy":44998, {"b":[1,2,3]}}},[],[]] {"_": {"ket":[], {"":[],"y",[[],[1,2,3,455,6]]}}} {".":[{3243435656:"xy,zzzpqiu"},[{"":[112]},{"d":[[]]},{}]]} [{"": [1,2,3,4]}] {"pqr": {"": [1,2,3,4]}, "abc":[]} [[1132],{"xx":[{6:"dafjli;y,zzzdfaiu"},[{"__":[1{}{}]},{"":[[444456]]},{}]]} generate(<json E>) ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘

  39. Evocative Grammar <json E> ::= <elt E>
 <elt E> ::=

    <object E>
 | <array E> | <string E>
 | <number E>
 <object E> ::= `{`<items E>`}`
 <items E> ::= <item E> | <item E>`,`<items> | <item>`,`<items E>
 <item E> ::= <string>`:`<elt E> | <string E1>`:`<elt>
 <array E> ::= `[`<elts E>`]`
 <elts E> ::= <elt E> | <elt E>`,`<elts> | <elt>`,`<elts E> <string E1> ::= `""` <json> ::= <elt>
 <elt> ::= <object>
 | <array> | <string>
 | <number>
 | `true` | `false` | `null`
 <object> ::= `{`<items>`}` | `{}`
 <items> ::= <item> | <item>`,`<items>
 <item> ::= <string>`:`<elt>
 <array> ::= `[`<elts>`]` | `[]`
 <elts> ::= <elt> | <elt>`,`<elts>
 <string> ::= `"` <chars> `"` | `""`
 <chars> ::= <char><chars>
 <char> ::= [A-Za-z0-9]
 <number> ::= <digits>
 <digits> ::= <digit><digits> | <digit>
 <digit> ::= [0-9] generate(<json E>) Properties: - Generator: All generated inputs guaranteed to have
 at least one fragment inducing the given behavior - Validator: Will recognize all inputs with at least
 one fragment that can induce the given behavior - Produced grammar is context-free: Consumable
 by any grammar fuzzer.

  40. What if there are more failure inducing patterns? <json E>

    where <item E> is "":<elt> if json.has_key_value(null): raise Exception() if json.has_key(""): raise Exception() <json N> where <item N> is <string>: null

  41. What if there are more failure inducing patterns? if json.has_key("")

    and json.has_key_value(null): raise Exception() <json E & N> where <item E> is "":<elt> <item N> is <string>: null

  42. What if there are more failure inducing patterns? if json.has_key("")

    and not json.has_key_value(null): raise Exception() <json E & not(N)> where <item E> is "":<elt> <item N> is <string>: null

  43. What if there are more failure inducing patterns? if json.has_key(""):

    raise Exception() if json.has_key_value(null): raise Exception() <json not(E) & not(N)> where <item E> is "":<elt> <item N> is <string>: null

  44. { } Input Algebras: Patterns to Grammar <json E &

    N> where <item E> is "":<elt> <item N> is <string>: null <json E> := <elt E> <elt E> := ... <json N> := <elt N> <elt N> := ... & = <json E&N> := and <elt E> <elt N> ... <json E&N> := <elt E&N> ... { } <elt E> := <object E> | <array E> & <elt N> := <object N> | <array N> = <elt E&N>:= and <object E>|<array E>|<string E>|<number E> <object N>|<array N>|<string N>|<number N> <elt E&N>:= <object E&N> | <array E&N>

  45. <json E&N> := <elt E&N> <elt E&N> := <object E&N>

    | <array E&N> <array E&N>:= '[' <elts E&N> ']' <object E&N>:= '{' <items E&N> '}' <elts E&N> := <elt E&N> | <elt E&N>','<elts N> | <elt N>','<elts E&N> <items E&N> := <item E&N> | <item E&N>','<items N> | <item N>','<items E&N> <item E&N> := <string E1>':'<elt N&N1> | <string>':'<elt E&N&N1> <elt E&N&N1> := <object E&N> <array E&N> <elt N> := 'false' | 'true' | <number> | <string> | <object N> <array N> <array N> := '[]' | '[' <elts N> ']' <object N> := '{}' | '{' <items N> '}' <elts N> := <elt N> | <elt N>','<elts N> <items N> := <item N> | <item N>','<items N> <item N> := <string>':'<elt N&N1> <elt N&N1> := 'false' | 'true' | <number> | <string> | <object N> | <array N> <json E & N> where <item E> is "":<elt> <item N> is <string>: null {"": 100} {"": [343,{},44998]} [{"": {"xxy":44998, {"b":[1,2,3]}}},[],[]] {"_": {"ket":[], {"":[],"y",[[],[1,2,3,455,6]]}}} {".":[{3243435656:"xy,zzzpqiu"},[{"":[112]},{"d":[[]]},{}]]} [{"": [1,2,3,4]}] {"pqr": {"": [1,2,3,4]}, "abc":[]} [[1132],{"xx":[{6:"dafjli;y,zzzdfaiu"},[{"__":[1{}{}]},{"":[[444456]]},{}]]} generate(<json E&N>) ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘

  46. <json E and not(N)> where <item E> is "": <elt>

    <item N> is <string>:null <calc not(D or F)> where <factor F> is ((<expr>)) <term D> is <factor> / 0 <ipv4addr O and H> where <quad O> is "0" <num> <quad H> is "0x" <num> <C not(F) not(EW or ED or F)> where <forCondition F> is ";;" <iterationStatement EW> is <WHILE> "()" <statement> <iterationStatement ED> is <DO> <statement> <WHILE> "()" <eos>

  47. Issue 386 from Rhino var A = class extends (class

    {}){}; Issue 2937 from Closure const [y,y] = []; var {baz:{} = baz => {}} = baz => {}; Issue 385 from Rhino {while ((l_0)){ if ((l_0)) {break;;var l_0; continue }0}} Issue 2842 from Closure <varModifier> <Identifier> = class extends (class {}){} var {<$Id1>:{} = <$Id1> => {}} <variableDeclaration>; const [<$Id1>,<$Id1>] = [] {while ((<$Id1>)){ if ((<$Id1>)) {break;;var <$Id1>; continue }0}}

  48. where <variableDeclarationList C2937> is <varModifier> <Identifier> = class extends (class

    {}){} <iterationStatement C2842> is {while ((<$Id1>)){ if ((<$Id1>)) {break;;var <$Id1>; continue }0}} <variableStatement R385> is var {<$Id2>:{} = <$Id2> => {}} <variableDeclaration>; <variableDeclarationList R386> is const [<$Id3>,<$Id3>] = [] Input Algebras <JavaScript C2937 and C2842> <JavaScript R385 and R386> <JavaScript (C2937 or C2842) and (R385 or R386)> <JavaScript not(C2937 or C2842 or R385 or R386)>

  49. Input Algebras: Beyond fuzzing • Validating inputs • Supercharged recognizers

    (alternative to regex) • Semantic code search • Generating data structures • Easily specified access control lists

  50. https://rahul.gopinath.org DOI:10.5281/zenodo.4456296