@comment{ fuzzingbook bibliography } @comment{ All entries must have a 'url' entry the HTML version can link to! } @comment{ Define common abbreviations for non-BibTeX conversion } @string{ jan = "January" } @string{ feb = "February" } @string{ mar = "March" } @string{ apr = "April" } @string{ may = "May" } @string{ jun = "June" } @string{ jul = "July" } @string{ aug = "August" } @string{ sep = "September" } @string{ oct = "October" } @string{ nov = "November" } @string{ dec = "December" } @article{Purdom1972, year={1972}, issn={0006-3835}, journal={BIT Numerical Mathematics}, volume={12}, number={3}, doi={10.1007/BF01932308}, title={A sentence generator for testing parsers}, url={http://dx.doi.org/10.1007/BF01932308}, publisher={Kluwer Academic Publishers}, author={Purdom, Paul}, pages={366--375}, language={English} } @article{Miller1990, author = {Miller, Barton P. and Fredriksen, Louis and So, Bryan}, title = {An Empirical Study of the Reliability of {UNIX} Utilities}, journal = {Commun. ACM}, issue_date = {Dec. 1990}, volume = {33}, number = {12}, month = dec, year = {1990}, issn = {0001-0782}, pages = {32--44}, numpages = {13}, url = {http://doi.acm.org/10.1145/96267.96279}, doi = {10.1145/96267.96279}, acmid = {96279}, publisher = {ACM}, address = {New York, NY, USA} } @book{Pezze2008, title={Software Testing and Analysis: Process, Principles, and Techniques}, author={Pezz{\`e}, Mauro and Young, Michal}, year={2008}, publisher={John Wiley \& Sons}, url={http://ix.cs.uoregon.edu/~michal/book/}, } @article{Luke2000, author = {Luke, S.}, title = {Two Fast Tree-creation Algorithms for Genetic Programming}, journal = {IEEE Transactions on Evolutionary Computation}, issue_date = {September 2000}, volume = {4}, number = {3}, month = sep, year = {2000}, issn = {1089-778X}, pages = {274--283}, numpages = {10}, url = {https://doi.org/10.1109/4235.873237}, doi = {10.1109/4235.873237}, acmid = {2221499}, publisher = {IEEE Press}, address = {Piscataway, NJ, USA}, } @book{fuzzingbook, author = {Andreas Zeller and Rahul Gopinath and Marcel B{\"o}hme and Gordon Fraser and Christian Holler}, booktitle = {The Fuzzing Book}, title = {The Fuzzing Book}, year = {2019}, howpublished = {\url{https://www.fuzzingbook.org/}}, note = {Retrieved 2019-09-09 13:49:23+02:00}, url = {https://www.fuzzingbook.org/}, urldate = {2019-09-09 13:49:23+02:00} } @article{Burkhardt1967, author="Burkhardt, W. H.", title="Generating test programs from syntax", journal="Computing", year="1967", month=mar, day="01", volume="2", number="1", pages="53--73", abstract="The many faces of programming and systems development demand an immense amount of mechanical routine work. The present paper tries to explain some areas where automation of many tasks may be of great help. One special area, where progress seems to lag behind unduly, can be found in debugging, testing, and diagnosing systems. Here we attempted the generation of programs automatically from a definition of a problem and the characteristics of programs for its solution by a software system, which has been specially designed for this purpose.
It has been indicated how the ideas underlying this project may be applied successfully to other areas.", issn="1436-5057", doi="10.1007/BF02235512", url="https://doi.org/10.1007/BF02235512" } @inproceedings{Slutz1998, author = {Slutz, Donald R.}, title = {Massive Stochastic Testing of SQL}, booktitle = {Proceedings of the 24th International Conference on Very Large Data Bases}, series = {VLDB '98}, year = {1998}, isbn = {1-55860-566-5}, pages = {618--622}, numpages = {5}, original_url = {http://dl.acm.org/citation.cfm?id=645924.671199}, url = {https://www.microsoft.com/en-us/research/publication/massive-stochastic-testing-of-sql/}, acmid = {671199}, publisher = {Morgan Kaufmann Publishers Inc.}, address = {San Francisco, CA, USA}, } @article{Zeller2002, author = {Zeller, Andreas and Hildebrandt, Ralf}, title = {Simplifying and Isolating Failure-Inducing Input}, journal = {IEEE Trans. Softw. Eng.}, issue_date = {February 2002}, volume = {28}, number = {2}, month = feb, year = {2002}, issn = {0098-5589}, pages = {183--200}, numpages = {18}, url = {http://dx.doi.org/10.1109/32.988498}, doi = {10.1109/32.988498}, acmid = {506206}, publisher = {IEEE Press}, address = {Piscataway, NJ, USA}, keywords = {Automated debugging, debugging aids, testing tools, combinatorial testing, diagnostics, tracing.}, } @book{Kernighan1999, author = {Kernighan, Brian W. and Pike, Rob}, title = {The Practice of Programming}, year = {1999}, isbn = {0-201-61586-X}, publisher = {Addison-Wesley Longman Publishing Co., Inc.}, address = {Boston, MA, USA}, } @book{Panini350bce, author = {Dak{\d{s}}iputra P{\=a}{\d{n}}ini}, title = {Ash{\d{t}}{\=a}dhy{\=a}y{\=i}}, publisher = {Sanskrit Oral Tradition}, year = {350 BCE}, url = {https://en.wikipedia.org/wiki/P%C4%81%E1%B9%87ini%23A%E1%B9%A3%E1%B9%AD%C4%81dhy%C4%81y%C4%AB}, urldate = {2018-10-10 12:15:00+02:00} } @article{Petke2015, author={J. Petke and M. B. Cohen and M. Harman and S. Yoo}, journal={IEEE Transactions on Software Engineering}, title={Practical Combinatorial Interaction Testing: Empirical Findings on Efficiency and Early Fault Detection}, year={2015}, volume={41}, number={9}, pages={901--924}, keywords={genetic algorithms;greedy algorithms;program testing;simulated annealing;software fault tolerance;combinatorial interaction testing;early fault detection;software system configuration space;simulated annealing;SA;greedy algorithm;CIT test suite generation;constraint handling;pairwise testing;genetic algorithm;Testing;Simulated annealing;Genetic algorithms;Fault detection;Greedy algorithms;Turning;Flexible printed circuits;Combinatorial Interaction Testing;Prioritisation;Empirical Studies;Software Testing;Combinatorial interaction testing;prioritisation;empirical studies;software testing}, doi={10.1109/TSE.2015.2421279}, ISSN={0098-5589}, month=sep,} @inproceedings{Herfert2017, author = {Herfert, Satia and Patra, Jibesh and Pradel, Michael}, title = {Automatically Reducing Tree-structured Test Inputs}, booktitle = {Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering}, series = {ASE 2017}, year = {2017}, isbn = {978-1-5386-2684-9}, location = {Urbana-Champaign, IL, USA}, pages = {861--871}, numpages = {11}, url = {http://dl.acm.org/citation.cfm?id=3155562.3155669}, acmid = {3155669}, publisher = {IEEE Press}, address = {Piscataway, NJ, USA}, } @article{redziejowski2008, author = {Redziejowski, Roman R.}, title = {Some Aspects of Parsing Expression Grammar}, journal = {Fundam.
Inf.}, issue_date = {January 2008}, volume = {85}, number = {1-4}, month = jan, year = {2008}, issn = {0169-2968}, pages = {441--451}, numpages = {11}, url = {http://dl.acm.org/citation.cfm?id=2365896.2365924}, acmid = {2365924}, publisher = {IOS Press}, address = {Amsterdam, The Netherlands}, } @article{Valiant1975, author = {Valiant, Leslie G.}, title = {General Context-free Recognition in Less Than Cubic Time}, journal = {J. Comput. Syst. Sci.}, issue_date = {April, 1975}, volume = {10}, number = {2}, month = apr, year = {1975}, issn = {0022-0000}, pages = {308--315}, numpages = {8}, url = {http://dx.doi.org/10.1016/S0022-0000(75)80046-8}, doi = {10.1016/S0022-0000(75)80046-8}, acmid = {1740048}, publisher = {Academic Press, Inc.}, address = {Orlando, FL, USA}, } @article{Lee2002, author = {Lee, Lillian}, title = {Fast Context-free Grammar Parsing Requires Fast Boolean Matrix Multiplication}, journal = {J. ACM}, issue_date = {January 2002}, volume = {49}, number = {1}, month = jan, year = {2002}, issn = {0004-5411}, pages = {1--15}, numpages = {15}, url = {http://doi.acm.org/10.1145/505241.505242}, doi = {10.1145/505241.505242}, acmid = {505242}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {Boolean matrix multiplication, context-free grammar parsing}, } @inproceedings{LeGall2014, author = {Le Gall, Fran\c{c}ois}, title = {Powers of Tensors and Fast Matrix Multiplication}, booktitle = {Proceedings of the 39th International Symposium on Symbolic and Algebraic Computation}, series = {ISSAC '14}, year = {2014}, isbn = {978-1-4503-2501-1}, location = {Kobe, Japan}, pages = {296--303}, numpages = {8}, url = {http://doi.acm.org/10.1145/2608628.2608664}, doi = {10.1145/2608628.2608664}, acmid = {2608664}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {algebraic complexity theory, matrix multiplication}, } @article{Hopcroft2001, title={Introduction to automata theory, languages, and computation}, author={Hopcroft, John E and Motwani, Rajeev and Ullman, Jeffrey D}, journal={ACM SIGACT News}, volume={32}, number={1}, pages={60--65}, year={2001}, publisher={ACM} } @book{Myers2004, author = {Myers, Glenford J. and Sandler, Corey}, title = {The Art of Software Testing}, year = {2004}, isbn = {0471469122}, publisher = {John Wiley \& Sons, Inc.}, url = {https://dl.acm.org/citation.cfm?id=983238}, address = {USA}, } @book{Beizer1990, author = {Beizer, Boris}, title = {Software Testing Techniques}, year = {1990}, isbn = {0442245920}, publisher = {Van Nostrand Reinhold Co.}, url = {https://dl.acm.org/citation.cfm?id=79060}, address = {New York, NY, USA}, } @book{Sutton2007, author = {Sutton, Michael and Greene, Adam and Amini, Pedram}, title = {Fuzzing: Brute Force Vulnerability Discovery}, year = {2007}, isbn = {0321446119}, url = {http://www.fuzzing.org/}, publisher = {Addison-Wesley Professional}, } @book{Takanen2008, author = {Takanen, Ari and DeMott, Jared and Miller, Charlie}, title = {Fuzzing for Software Security Testing and Quality Assurance}, year = {2008}, isbn = {1596932147, 9781596932142}, edition = {1}, publisher = {Artech House, Inc.}, url = {http://us.artechhouse.com/Fuzzing-for-Software-Security-Testing-and-Quality-Assurance-Second-Edition-P1930.aspx}, address = {Norwood, MA, USA}, } @article{Dai2010, author = {Dai, Huning and Murphy, Christian and Kaiser, Gail}, title = {{CONFU}: Configuration Fuzzing Testing Framework for Software Vulnerability Detection}, journal = {Int. J. Secur. Softw.
Eng.}, issue_date = {July 2010}, volume = {1}, number = {3}, month = jul, year = {2010}, issn = {1947-3036}, pages = {41--55}, numpages = {15}, url = {http://dx.doi.org/10.4018/jsse.2010070103}, doi = {10.4018/jsse.2010070103}, acmid = {2441117}, publisher = {IGI Global}, address = {Hershey, PA, USA}, keywords = {Configuration Fuzzing, Fuzz Testing, In Vivo Testing, Security Invariants, Vulnerability}, } @article{Earley1970, author = {Earley, Jay}, title = {An Efficient Context-free Parsing Algorithm}, journal = {Commun. ACM}, issue_date = {February 1970}, volume = {13}, number = {2}, month = feb, year = {1970}, issn = {0001-0782}, pages = {94--102}, numpages = {9}, url = {http://doi.acm.org/10.1145/362007.362035}, doi = {10.1145/362007.362035}, acmid = {362035}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {compilers, computational complexity, context-free grammar, parsing, syntax analysis}, } @article{Aycock2002, title={Practical Earley Parsing}, author={John Aycock and R. Nigel Horspool}, journal={The Computer Journal}, year={2002}, volume={45}, pages={620--630} } @article{Leo1991, title = "A general context-free parsing algorithm running in linear time on every {LR(k)} grammar without using lookahead", journal = "Theoretical Computer Science", volume = "82", number = "1", pages = "165--176", year = "1991", issn = "0304-3975", doi = "10.1016/0304-3975(91)90180-A", url = "http://www.sciencedirect.com/science/article/pii/030439759190180A", author = "Joop M.I.M. Leo" } @inproceedings{Elbaum2006, author = {Elbaum, Sebastian and Chin, Hui Nee and Dwyer, Matthew B. and Dokulil, Jonathan}, title = {Carving Differential Unit Test Cases from System Test Cases}, booktitle = {Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering}, series = {SIGSOFT '06/FSE-14}, year = {2006}, isbn = {1-59593-468-5}, location = {Portland, Oregon, USA}, pages = {253--264}, numpages = {12}, url = {http://doi.acm.org/10.1145/1181775.1181806}, doi = {10.1145/1181775.1181806}, acmid = {1181806}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {automated test generation, carving and replay, regression testing}, } @inproceedings{Lin2008, author = {Lin, Zhiqiang and Zhang, Xiangyu}, title = {Deriving Input Syntactic Structure from Execution}, booktitle = {Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of Software Engineering}, series = {SIGSOFT '08/FSE-16}, year = {2008}, isbn = {978-1-59593-995-1}, location = {Atlanta, Georgia}, pages = {83--93}, numpages = {11}, url = {http://doi.acm.org/10.1145/1453101.1453114}, doi = {10.1145/1453101.1453114}, acmid = {1453114}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {bottom-up grammar, control dependence, input lineage, reverse engineering, syntax tree, top-down grammar}, } @article{Ford2004, author = {Ford, Bryan}, title = {Parsing Expression Grammars: A Recognition-based Syntactic Foundation}, journal = {SIGPLAN Not.}, issue_date = {January 2004}, volume = {39}, number = {1}, month = jan, year = {2004}, issn = {0362-1340}, pages = {111--122}, numpages = {12}, url = {http://doi.acm.org/10.1145/982962.964011}, doi = {10.1145/982962.964011}, acmid = {964011}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {BNF, GTDPL, TDPL, context-free grammars, lexical analysis, packrat parsing, parsing expression grammars, regular expressions, scannerless parsing, syntactic predicates, unified grammars}, } @article{Ford2002, author = {Ford, Bryan},
title = {Packrat Parsing: Simple, Powerful, Lazy, Linear Time, Functional Pearl}, journal = {SIGPLAN Not.}, issue_date = {September 2002}, volume = {37}, number = {9}, month = sep, year = {2002}, issn = {0362-1340}, pages = {36--47}, numpages = {12}, url = {http://doi.acm.org/10.1145/583852.581483}, doi = {10.1145/583852.581483}, acmid = {581483}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {Haskell, backtracking, lexical analysis, memoization, parser combinators, scannerless parsing, top-down parsing}, } @inproceedings{Holler2012, author = {Holler, Christian and Herzig, Kim and Zeller, Andreas}, title = {Fuzzing with Code Fragments}, booktitle = {Proceedings of the 21st USENIX Conference on Security Symposium}, series = {Security'12}, year = {2012}, location = {Bellevue, WA}, pages = {38--38}, numpages = {1}, url = {https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final73.pdf}, acmid = {2362831}, publisher = {USENIX Association}, address = {Berkeley, CA, USA}, } @article{Newcomb1881, author = {Simon Newcomb}, title = {Note on the frequency of use of the different digits in natural numbers}, journal = {American Journal of Mathematics}, volume = {4}, number = {1--4}, pages = {39--40}, year = {1881}, url = {http://www.jstor.org/stable/2369148}, } @article{Benford1938, author = "Frank Benford", title = "The Law of Anomalous Numbers", journal = "Proceedings of the American Philosophical Society", volume = "78", number = "4", pages = "551--572", month = mar, year = "1938", url = {http://links.jstor.org/sici?sici=0003-049X%2819380331%2978%3A4%3C551%3ATLOAN%3E2.0.CO%3B2-G}, } @article{Chomsky1956, author = {Chomsky, Noam}, title = {Three models for the description of language}, journal = {IRE Transactions on Information Theory}, pages = {113--124}, volume = 2, year = 1956, url = {https://chomsky.info/wp-content/uploads/195609-.pdf} } @article{Hanford1970, author = {Hanford, Kenneth V.}, title = {Automatic Generation of Test Cases}, journal = {IBM Syst.
J.}, issue_date = {December 1970}, volume = {9}, number = {4}, month = dec, year = {1970}, issn = {0018-8670}, pages = {242--257}, numpages = {16}, url = {http://dx.doi.org/10.1147/sj.94.0242}, doi = {10.1147/sj.94.0242}, acmid = {1663480}, publisher = {IBM Corp.}, address = {Riverton, NJ, USA}, } @inproceedings{Yang2011, author = {Yang, Xuejun and Chen, Yang and Eide, Eric and Regehr, John}, title = {Finding and Understanding Bugs in {C} Compilers}, booktitle = {Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation}, series = {PLDI '11}, year = {2011}, isbn = {978-1-4503-0663-8}, location = {San Jose, California, USA}, pages = {283--294}, numpages = {12}, url = {http://doi.acm.org/10.1145/1993498.1993532}, doi = {10.1145/1993498.1993532}, acmid = {1993532}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {automated testing, compiler defect, compiler testing, random program generation, random testing}, } @inproceedings{Le2014, author = {Le, Vu and Afshari, Mehrdad and Su, Zhendong}, title = {Compiler Validation via Equivalence Modulo Inputs}, booktitle = {Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation}, series = {PLDI '14}, year = {2014}, isbn = {978-1-4503-2784-8}, location = {Edinburgh, United Kingdom}, pages = {216--226}, numpages = {11}, url = {http://doi.acm.org/10.1145/2594291.2594334}, doi = {10.1145/2594291.2594334}, acmid = {2594334}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {automated testing, compiler testing, equivalent program variants, miscompilation}, } @book{Aho2006, author = {Aho, Alfred V. and Lam, Monica S. and Sethi, Ravi and Ullman, Jeffrey D.}, title = {Compilers: Principles, Techniques, and Tools (2nd edition)}, year = {2006}, isbn = {0321486811}, publisher = {Addison-Wesley Longman Publishing Co., Inc.}, url = {https://www.pearson.com/us/higher-education/program/Aho-Compilers-Principles-Techniques-and-Tools-2nd-Edition/PGM167067.html}, address = {Boston, MA, USA}, } @inproceedings{Hodovan2018, title = {Grammarinator: A Grammar-based Open Source Fuzzer}, author = {Hodov{\'a}n, Ren{\'a}ta and Kiss, {\'A}kos and Gyim{\'o}thy, Tibor}, booktitle = {Proceedings of the 9th Workshop on Automating Test Case Design, Selection and Evaluation (A-TEST 2018)}, year = {2018}, month = nov, url = {https://www.researchgate.net/publication/328510752_Grammarinator_a_grammar-based_open_source_fuzzer}, address = {Lake Buena Vista, Florida, USA}, } @article{ogden1968helpful, title={A helpful result for proving inherent ambiguity}, author={Ogden, William}, journal={Mathematical Systems Theory}, volume={2}, number={3}, pages={191--194}, year={1968}, publisher={Springer} } @article{scott2010gll, title={GLL parsing}, author={Scott, Elizabeth and Johnstone, Adrian}, journal={Electronic Notes in Theoretical Computer Science}, volume={253}, number={7}, pages={177--189}, year={2010}, publisher={Elsevier} } @book{tomita2012generalized, title={Generalized LR parsing}, author={Tomita, Masaru}, year={2012}, publisher={Springer Science \& Business Media} } @article{tomita1987efficient, title={An efficient augmented-context-free parsing algorithm}, author={Tomita, Masaru}, journal={Computational Linguistics}, volume={13}, number={1-2}, pages={31--46}, year={1987}, publisher={MIT Press} } @book{grune2008parsing, title={Parsing Techniques: A Practical Guide}, author={Grune, Dick and Jacobs, Ceriel J. H.}, edition={2nd}, year={2008}, publisher={Springer} }
@inproceedings{pingali2015graphical, title={A Graphical Model for Context-Free Grammar Parsing}, author={Pingali, Keshav and Bilardi, Gianfranco}, booktitle={International Conference on Compiler Construction}, pages={3--27}, year={2015}, organization={Springer} } @article{qi2018generalized, title={Generalized Earley Parser: Bridging Symbolic Grammars and Sequence Data for Future Prediction}, author={Qi, Siyuan and Jia, Baoxiong and Zhu, Song-Chun}, journal={arXiv preprint arXiv:1806.03497}, year={2018} } @article{bar1961formal, title={On formal properties of simple phrase structure grammars}, author={Bar-Hillel, Yehoshua and Perles, Micha and Shamir, Eli}, journal={STUF-Language Typology and Universals}, volume={14}, number={1-4}, pages={143--172}, year={1961}, publisher={Akademie Verlag} } @techreport{Patra2016, title={Learning to fuzz: Application-independent fuzz testing with probabilistic, generative models of input data}, author={Patra, Jibesh and Pradel, Michael}, institution = {TU Darmstadt, Department of Computer Science}, number = {TUD-CS-2016-14664}, url = {http://mp.binaervarianz.de/TreeFuzz_TR_Nov2016.pdf}, year={2016} } @inproceedings{Claessen2000, author = {Claessen, Koen and Hughes, John}, title = {QuickCheck: A Lightweight Tool for Random Testing of Haskell Programs}, booktitle = {Proceedings of the Fifth ACM SIGPLAN International Conference on Functional Programming}, series = {ICFP '00}, year = {2000}, isbn = {1-58113-202-6}, pages = {268--279}, numpages = {12}, url = {http://doi.acm.org/10.1145/351240.351266}, doi = {10.1145/351240.351266}, acmid = {351266}, publisher = {ACM}, address = {New York, NY, USA}, } @inproceedings{Misherghi2006, author = {Misherghi, Ghassan and Su, Zhendong}, title = {{HDD}: Hierarchical Delta Debugging}, booktitle = {Proceedings of the 28th International Conference on Software Engineering}, series = {ICSE '06}, year = {2006}, isbn = {1-59593-375-1}, location = {Shanghai, China}, pages = {142--151}, numpages = {10}, url = {http://doi.acm.org/10.1145/1134285.1134307}, doi = {10.1145/1134285.1134307}, acmid = {1134307}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {automated debugging, delta debugging}, } @inproceedings{Regehr2012, author = {Regehr, John and Chen, Yang and Cuoq, Pascal and Eide, Eric and Ellison, Chucky and Yang, Xuejun}, title = {Test-case Reduction for C Compiler Bugs}, booktitle = {Proceedings of the 33rd ACM SIGPLAN Conference on Programming Language Design and Implementation}, series = {PLDI '12}, year = {2012}, isbn = {978-1-4503-1205-9}, location = {Beijing, China}, pages = {335--346}, numpages = {12}, url = {http://doi.acm.org/10.1145/2254064.2254104}, doi = {10.1145/2254064.2254104}, acmid = {2254104}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {automated testing, bug reporting, compiler defect, compiler testing, random testing, test-case minimization}, } @techreport{Pavese2018, author = {Esteban Pavese and Ezekiel Soremekun and Nikolas Havrikov and Lars Grunske and Andreas Zeller}, title = {Inputs from Hell: Generating Uncommon Inputs from Common Samples}, institution = {CISPA Helmholtz Center for Information Security}, url = {http://arxiv.org/abs/1812.07525}, year={2018} } @inproceedings{Hoschele2017, author = {H{\"o}schele, Matthias and Zeller, Andreas}, title = {Mining Input Grammars with AUTOGRAM}, booktitle = {Proceedings of the 39th International Conference on Software Engineering Companion}, series = {ICSE-C '17}, year = {2017}, isbn = {978-1-5386-1589-8}, location = {Buenos
Aires, Argentina}, pages = {31--34}, numpages = {4}, url = {https://doi.org/10.1109/ICSE-C.2017.14}, doi = {10.1109/ICSE-C.2017.14}, acmid = {3098355}, publisher = {IEEE Press}, address = {Piscataway, NJ, USA}, keywords = {context-free grammars, dynamic tainting, fuzzing, input formats}, } @techreport{Kampmann2018, title={Carving Parameterized Unit Tests}, institution={CISPA Helmholtz Center for Information Security}, author={Kampmann, Alexander and Zeller, Andreas}, note={arXiv preprint arXiv:1812.07932}, url={https://arxiv.org/abs/1812.07932}, month=dec, year={2018} } @book{higuera2010grammatical, title={Grammatical inference: learning automata and grammars}, author={De la Higuera, Colin}, year={2010}, publisher={Cambridge University Press} } @article{clark2013learning, title={Learning trees from strings: A strong learning algorithm for some context-free grammars}, author={Clark, Alexander}, journal={The Journal of Machine Learning Research}, volume={14}, number={1}, pages={3537--3559}, year={2013}, publisher={JMLR.org} } @article{king1976symbolic, author = {King, James C.}, title = {Symbolic Execution and Program Testing}, journal = {Commun. ACM}, issue_date = {July 1976}, volume = {19}, number = {7}, month = jul, year = {1976}, issn = {0001-0782}, pages = {385--394}, numpages = {10}, url = {http://doi.acm.org/10.1145/360248.360252}, doi = {10.1145/360248.360252}, acmid = {360252}, publisher = {ACM}, address = {New York, NY, USA}, } @inproceedings{wang2017angr, title={Angr -- The Next Generation of Binary Analysis}, author={Wang, Fish and Shoshitaishvili, Yan}, booktitle={Cybersecurity Development (SecDev), 2017 IEEE}, pages={8--9}, year={2017}, organization={IEEE} } @article{godefroid2012sage, title={{SAGE}: whitebox fuzzing for security testing}, author={Godefroid, Patrice and Levin, Michael Y and Molnar, David}, journal={Queue}, volume={10}, number={1}, pages={20}, year={2012}, publisher={ACM} } @inproceedings{stephens2016driller, title={Driller: Augmenting Fuzzing Through Selective Symbolic Execution}, author={Stephens, Nick and Grosen, John and Salls, Christopher and Dutcher, Andrew and Wang, Ruoyu and Corbetta, Jacopo and Shoshitaishvili, Yan and Kruegel, Christopher and Vigna, Giovanni}, booktitle={NDSS}, volume={16}, pages={1--16}, year={2016} } @inproceedings{Memon2001, author = {Memon, Atif M.
and Soffa, Mary Lou and Pollack, Martha E.}, title = {Coverage Criteria for {GUI} Testing}, booktitle = {Proceedings of the 8th European Software Engineering Conference Held Jointly with 9th ACM SIGSOFT International Symposium on Foundations of Software Engineering}, series = {ESEC/FSE-9}, year = {2001}, isbn = {1-58113-390-1}, location = {Vienna, Austria}, pages = {256--267}, numpages = {12}, url = {http://doi.acm.org/10.1145/503209.503244}, doi = {10.1145/503209.503244}, acmid = {503244}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {GUI test coverage, GUI testing, component testing, event-based coverage, event-flow graph, integration tree}, } @inproceedings{Memon2003, author = {Memon, Atif and Banerjee, Ishan and Nagarajan, Adithya}, title = {{GUI} Ripping: Reverse Engineering of Graphical User Interfaces for Testing}, booktitle = {Proceedings of the 10th Working Conference on Reverse Engineering}, series = {WCRE '03}, year = {2003}, isbn = {0-7695-2027-8}, pages = {260--}, url = {http://dl.acm.org/citation.cfm?id=950792.951350}, acmid = {951350}, publisher = {IEEE Computer Society}, address = {Washington, DC, USA}, } @article{Mesbah2012, author = {Mesbah, Ali and van Deursen, Arie and Lenselink, Stefan}, title = {Crawling Ajax-Based Web Applications Through Dynamic Analysis of User Interface State Changes}, journal = {ACM Trans. Web}, issue_date = {March 2012}, volume = {6}, number = {1}, month = mar, year = {2012}, issn = {1559-1131}, pages = {3:1--3:30}, articleno = {3}, numpages = {30}, url = {http://doi.acm.org/10.1145/2109205.2109208}, doi = {10.1145/2109205.2109208}, acmid = {2109208}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {Ajax, Crawling, DOM crawling, Web 2.0, dynamic analysis, hidden web}, } @inproceedings{Conti2010, author = {Conti, Juan Jos{\'e} and Russo, Alejandro}, title = {A Taint Mode for Python via a Library}, booktitle = {Proceedings of the 15th Nordic Conference on Information Security Technology for Applications}, series = {NordSec'10}, year = {2012}, isbn = {978-3-642-27936-2}, location = {Espoo, Finland}, pages = {210--222}, numpages = {13}, url = {http://dx.doi.org/10.1007/978-3-642-27937-9_15}, doi = {10.1007/978-3-642-27937-9_15}, acmid = {2341484}, publisher = {Springer-Verlag}, address = {Berlin, Heidelberg}, } @book{siever1999perl, title={Perl in a Nutshell}, author={Siever, Ellen and Spainhour, Stephen and Patwardhan, Nathan}, year={1999}, publisher={O'Reilly \& Associates, Inc.} } @article{Barsotti2018, title = {{PEF}: Python Error Finder}, journal = {Electronic Notes in Theoretical Computer Science}, volume = {339}, pages = {21--41}, year = {2018}, note = {The XLII Latin American Computing Conference}, issn = {1571-0661}, doi = {10.1016/j.entcs.2018.06.003}, url = {http://www.sciencedirect.com/science/article/pii/S1571066118300471}, author = {Dami{\'a}n Barsotti and Andr{\'e}s M. Bordese and Tom{\'a}s Hayes}, } @techreport{PeerCheck, title = {A peer architecture for lightweight symbolic execution}, author = {A. Bruni and T. Disney and C.
Flanagan}, institution = {University of California, Santa Cruz}, year = {2011}, url = {https://hoheinzollern.files.wordpress.com/2008/04/seer1.pdf} } @inproceedings{Larson2003, author = {Larson, Eric and Austin, Todd}, title = {High Coverage Detection of Input-related Security Faults}, booktitle = {Proceedings of the 12th Conference on USENIX Security Symposium - Volume 12}, series = {SSYM'03}, year = {2003}, location = {Washington, DC}, pages = {9--9}, numpages = {1}, url = {http://dl.acm.org/citation.cfm?id=1251353.1251362}, acmid = {1251362}, publisher = {USENIX Association}, address = {Berkeley, CA, USA}, } @inproceedings{cadar2005execution, title={Execution generated test cases: How to make systems code crash itself}, author={Cadar, Cristian and Engler, Dawson}, booktitle={International SPIN Workshop on Model Checking of Software}, pages={2--23}, year={2005}, organization={Springer} } @article{Ernst2001, author = {Ernst, Michael D. and Cockrell, Jake and Griswold, William G. and Notkin, David}, title = {Dynamically Discovering Likely Program Invariants to Support Program Evolution}, journal = {IEEE Trans. Softw. Eng.}, issue_date = {February 2001}, volume = {27}, number = {2}, month = feb, year = {2001}, issn = {0098-5589}, pages = {99--123}, numpages = {25}, doi = {10.1109/32.908957}, acmid = {373397}, publisher = {IEEE Press}, address = {Piscataway, NJ, USA}, keywords = {Program invariants, formal specification, software evolution, dynamic analysis, execution traces, logical inference, pattern recognition.}, url = {https://homes.cs.washington.edu/~mernst/pubs/invariants-tse2001.pdf} } @inproceedings{Pacheco2005, author = {Pacheco, Carlos and Ernst, Michael D.}, title = {Eclat: Automatic Generation and Classification of Test Inputs}, booktitle = {Proceedings of the 19th European Conference on Object-Oriented Programming}, series = {ECOOP'05}, year = {2005}, isbn = {3-540-27992-X, 978-3-540-27992-1}, location = {Glasgow, UK}, pages = {504--527}, numpages = {24}, doi = {10.1007/11531142_22}, acmid = {2144921}, publisher = {Springer-Verlag}, address = {Berlin, Heidelberg}, url = {https://homes.cs.washington.edu/~mernst/pubs/classify-tests-ecoop2005.pdf} } @inproceedings{Ammons2002, author = {Ammons, Glenn and Bod\'{\i}k, Rastislav and Larus, James R.}, title = {Mining Specifications}, booktitle = {Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages}, series = {POPL '02}, year = {2002}, isbn = {1-58113-450-9}, location = {Portland, Oregon}, pages = {4--16}, numpages = {13}, url = {http://doi.acm.org/10.1145/503272.503275}, doi = {10.1145/503272.503275}, acmid = {503275}, publisher = {ACM}, address = {New York, NY, USA}, } @misc{lipton1971fault, title={Fault diagnosis of computer programs}, author={Lipton, Richard J.}, year={1971}, note={Tech. Rep., Carnegie Mellon University} }
@article{jia2011analysis, title={An analysis and survey of the development of mutation testing}, author={Jia, Yue and Harman, Mark}, journal={IEEE Transactions on Software Engineering}, volume={37}, number={5}, pages={649--678}, year={2011}, publisher={IEEE} } @incollection{papadakis2019mutation, title={Mutation testing advances: an analysis and survey}, author={Papadakis, Mike and Kintis, Marinos and Zhang, Jie and Jia, Yue and Le Traon, Yves and Harman, Mark}, booktitle={Advances in Computers}, volume={112}, pages={275--378}, year={2019}, publisher={Elsevier} } @article{boehme2018species, author={B{\"o}hme, Marcel}, journal={ACM Transactions on Software Engineering and Methodology}, title={{STADS}: Software Testing as Species Discovery}, issue_date = {June 2018}, volume = {27}, number = {2}, month = jun, year = {2018}, pages = {7:1--7:52}, articleno = {7}, numpages = {52}, doi = {10.1145/3210309} } @article{boehme2018greybox, author={B{\"o}hme, Marcel and Pham, Van-Thuan and Roychoudhury, Abhik}, journal={IEEE Transactions on Software Engineering}, title={Coverage-based Greybox Fuzzing as {Markov} Chain}, url={https://mboehme.github.io/paper/CCS16.pdf}, year={2018}, pages={1--18} } @inproceedings{boehme2017greybox, author = {B{\"o}hme, Marcel and Pham, Van-Thuan and Nguyen, Manh-Dung and Roychoudhury, Abhik}, title = {Directed Greybox Fuzzing}, booktitle = {Proceedings of the 24th ACM Conference on Computer and Communications Security}, series = {CCS}, year = {2017}, pages = {1--16}, url = {https://mboehme.github.io/paper/CCS17.pdf}, numpages = {16} } @article{boehme2016efficiency, author={B{\"o}hme, Marcel and Paul, Soumya}, journal={IEEE Transactions on Software Engineering}, title={A Probabilistic Analysis of the Efficiency of Automated Software Testing}, year={2016}, volume={42}, number={4}, pages={345--360}, keywords={Efficient Testing;Error-based Partitioning;Partition Testing;Random Testing;Testing Theory}, doi={10.1109/TSE.2015.2487274}, ISSN={0098-5589}, month=apr, url={https://mboehme.github.io/paper/TSE15.pdf} } @techreport{Pham2018aflsmart, title={Smart Greybox Fuzzing}, institution={National University of Singapore, Singapore and Monash University, Australia and University Politehnica of Bucharest, Romania}, author={Van-Thuan Pham and Marcel B{\"o}hme and Andrew E.
Santosa and Alexandru R\u{a}zvan C\u{a}ciulescu and Abhik Roychoudhury}, note={arXiv preprint arXiv:1811.09447}, url={https://arxiv.org/abs/1811.09447}, month=nov, year={2018} } @inproceedings{Wang2019superion, title={Superion: Grammar-Aware Greybox Fuzzing}, author={Junjie Wang and Bihuan Chen and Lei Wei and Yang Liu}, booktitle = {Proceedings of the 41st International Conference on Software Engineering (ICSE 2019)}, year = {2019}, url = {https://2019.icse-conferences.org/event/icse-2019-technical-papers-superion-grammar-aware-greybox-fuzzing} } @inproceedings{Aschermann2019nautilus, title={{NAUTILUS:} Fishing for Deep Bugs with Grammars}, author={Cornelius Aschermann and Tommaso Frassetto and Thorsten Holz and Patrick Jauernig and Ahmad-Reza Sadeghi and Daniel Teuchert}, booktitle = {Proceedings of NDSS 2019}, year = {2019}, url = {https://www.ndss-symposium.org/ndss-paper/nautilus-fishing-for-deep-bugs-with-grammars/} } @inproceedings{Bettenburg2008, author = {Bettenburg, Nicolas and Just, Sascha and Schr\"{o}ter, Adrian and Weiss, Cathrin and Premraj, Rahul and Zimmermann, Thomas}, title = {What Makes a Good Bug Report?}, booktitle = {Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of Software Engineering}, series = {SIGSOFT '08/FSE-16}, year = {2008}, isbn = {978-1-59593-995-1}, location = {Atlanta, Georgia}, pages = {308--318}, numpages = {11}, url = {http://thomas-zimmermann.com/publications/files/bettenburg-fse-2008.pdf}, doi = {10.1145/1453101.1453146}, acmid = {1453146}, publisher = {ACM}, address = {New York, NY, USA}, } @inproceedings{Godefroid2017, author = {Godefroid, Patrice and Peleg, Hila and Singh, Rishabh}, title = {{{Learn\&Fuzz}: Machine Learning for Input Fuzzing}}, booktitle = {Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering}, series = {ASE 2017}, year = {2017}, isbn = {978-1-5386-2684-9}, location = {Urbana-Champaign, IL, USA}, pages = {50--59}, numpages = {10}, url = {http://dl.acm.org/citation.cfm?id=3155562.3155573}, acmid = {3155573}, publisher = {IEEE Press}, address = {Piscataway, NJ, USA}, keywords = {deep learning, fuzzing, grammar learning, grammar-based fuzzing}, } @inproceedings{Sun2018, author = {Sun, Chengnian and Li, Yuanbo and Zhang, Qirun and Gu, Tianxiao and Su, Zhendong}, title = {Perses: Syntax-guided Program Reduction}, booktitle = {Proceedings of the 40th International Conference on Software Engineering}, series = {ICSE '18}, year = {2018}, isbn = {978-1-4503-5638-1}, location = {Gothenburg, Sweden}, pages = {361--371}, numpages = {11}, url = {http://doi.acm.org/10.1145/3180155.3180236}, doi = {10.1145/3180155.3180236}, acmid = {3180236}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {debugging, delta debugging, program reduction}, } @book{Aniche2020, title={Software Testing: From Theory to Practice}, author={Maur{\'i}cio Aniche and Arie van Deursen}, year={2020}, url={https://sttp.site}, } @book{Aniche2022, title={Effective Software Testing: A Developer's Guide}, author={Maur{\'i}cio Aniche}, year={2022}, publisher = {Manning}, url={https://www.effective-software-testing.com}, } @inproceedings{z3, author = {De Moura, Leonardo and Bj\o{}rner, Nikolaj}, title = {{Z3}: An Efficient {SMT} Solver}, year = {2008}, isbn = {3540787992}, publisher = {Springer-Verlag}, address = {Berlin, Heidelberg}, abstract = {Satisfiability Modulo Theories (SMT) problem is a decision problem for logical first order formulas with respect to combinations of background theories such as: arithmetic, bit-vectors, arrays, and uninterpreted functions.
Z3 is a new and efficient SMT Solver freely available from Microsoft Research. It is used in various software verification and analysis applications.}, booktitle = {Proceedings of the Theory and Practice of Software, 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems}, pages = {337--340}, numpages = {4}, location = {Budapest, Hungary}, series = {TACAS'08/ETAPS'08}, url={https://link.springer.com/chapter/10.1007/978-3-540-78800-3_24}, } @book{zeller2009-why-programs-fail, author = {Andreas Zeller}, title = {Why Programs Fail - {A} Guide to Systematic Debugging, 2nd Edition}, publisher = {Morgan Kaufmann}, year = {2009}, url = {http://www.whyprogramsfail.com/}, isbn = {978-0-12-374515-6} } @book{spinellis2016-effective-debugging, author = {Diomidis Spinellis}, title = {Effective Debugging: 66 Specific Ways to Debug Software and Systems}, publisher = {Addison-Wesley Professional}, year = {2016}, url = {https://www.spinellis.gr/debugging/} } @book{agans2006-debugging, author = {Agans, David J.}, title = {Debugging: The 9 Indispensable Rules for Finding Even the Most Elusive Software and Hardware Problems}, year = {2002}, isbn = {0814471684}, publisher = {American Management Assoc., Inc.}, address = {USA}, abstract = {From the Publisher: When the pressure is on to root out an elusive software or hardware glitch, what's needed is a cool head courtesy of a set of rules guaranteed to work on any system, in any circumstance. Written in a frank but engaging style, Debugging provides simple, foolproof principles guaranteed to help find any bug quickly. This book makes those shelves of application-specific debugging books (on C++, Perl, Java, etc.) obsolete. It changes the way readers think about debugging, making those pesky problems suddenly much easier to find and fix. Illustrating the rules with real-life bug-detection war stories, the book shows readers how to: Understand the system: how perceiving the "roadmap" can hasten your journey Quit thinking and look: when hands-on investigation can't be avoided Isolate critical factors: why changing one element at a time can be an essential tool Keep an audit trail: how keeping a record of the debugging process can win the day Author Biography: David J. Agans (Milford, NH) is a recognized expert called in to help with tough debugging problems. He currently runs PointSource, a computer systems consultancy. He has worked with industrial control and monitoring systems, integrated circuit design, handheld PCs, videoconferencing, and countless other systems.}, url = {https://dl.acm.org/doi/book/10.5555/555103} } @article{Abreu2009, author = {Abreu, Rui and Zoeteweij, Peter and Golsteijn, Rob and van Gemund, Arjan J. C.}, title = {A Practical Evaluation of Spectrum-Based Fault Localization}, year = {2009}, issue_date = {November, 2009}, publisher = {Elsevier Science Inc.}, address = {USA}, volume = {82}, number = {11}, issn = {0164-1212}, url = {https://doi.org/10.1016/j.jss.2009.06.035}, doi = {10.1016/j.jss.2009.06.035}, abstract = {Spectrum-based fault localization (SFL) shortens the test-diagnose-repair cycle by reducing the debugging effort. As a light-weight automated diagnosis technique it can easily be integrated with existing testing schemes.
Since SFL is based on discovering statistical coincidences between system failures and the activity of the different parts of a system, its diagnostic accuracy is inherently limited. Using a common benchmark consisting of the Siemens set and the space program, we investigate this diagnostic accuracy as a function of several parameters (such as quality and quantity of the program spectra collected during the execution of the system), some of which directly relate to test design. Our results indicate that the superior performance of a particular similarity coefficient, used to analyze the program spectra, is largely independent of test design. Furthermore, near-optimal diagnostic accuracy (exonerating over 80% of the blocks of code on average) is already obtained for low-quality error observations and limited numbers of test cases. In addition to establishing these results in the controlled environment of our benchmark set, we show that SFL can effectively be applied in the context of embedded software development in an industrial environment.}, journal = {J. Syst. Softw.}, month = nov, pages = {1780--1792}, numpages = {13}, keywords = {Real-time and embedded systems, Software fault diagnosis, Program spectra, Test data analysis, Consumer electronics} } @inproceedings{Jones2002, author = {Jones, James A. and Harrold, Mary Jean and Stasko, John}, title = {Visualization of Test Information to Assist Fault Localization}, year = {2002}, isbn = {158113472X}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/581339.581397}, doi = {10.1145/581339.581397}, abstract = {One of the most expensive and time-consuming components of the debugging process is locating the errors or faults. To locate faults, developers must identify statements involved in failures and select suspicious statements that might contain faults. This paper presents a new technique that uses visualization to assist with these tasks. The technique uses color to visually map the participation of each program statement in the outcome of the execution of the program with a test suite, consisting of both passed and failed test cases. Based on this visual mapping, a user can inspect the statements in the program, identify statements involved in failures, and locate potentially faulty statements. The paper also describes a prototype tool that implements our technique along with a set of empirical studies that use the tool for evaluation of the technique. The empirical studies show that, for the subject we studied, the technique can be effective in helping a user locate faults in a program.}, booktitle = {Proceedings of the 24th International Conference on Software Engineering}, pages = {467--477}, numpages = {11}, location = {Orlando, Florida}, series = {ICSE '02} } @article{daSilvaMeyer2004, title = {Comparison of similarity coefficients used for cluster analysis with dominant markers in maize ({Zea mays L})}, journal = {Genetics and Molecular Biology}, author={da Silva Meyer, Andr\'eia and Garcia, Antonio Augusto Franco and de Souza, Anete Pereira and de Souza Jr., Cl\'audio Lopes}, ISSN = {1415-4757}, url = {https://doi.org/10.1590/S1415-47572004000100014}, doi = {10.1590/S1415-47572004000100014}, volume = {27}, year = {2004}, pages = {83--91}, publisher = {SciELO} } @article{Wong2016, author = {Wong, W.
Eric and Gao, Ruizhi and Li, Yihao and Abreu, Rui and Wotawa, Franz}, title = {A Survey on Software Fault Localization}, year = {2016}, issue_date = {August 2016}, publisher = {IEEE Press}, volume = {42}, number = {8}, issn = {0098-5589}, url = {https://doi.org/10.1109/TSE.2016.2521368}, doi = {10.1109/TSE.2016.2521368}, abstract = {Software fault localization, the act of identifying the locations of faults in a program, is widely recognized to be one of the most tedious, time consuming, and expensive---yet equally critical---activities in program debugging. Due to the increasing scale and complexity of software today, manually locating faults when failures occur is rapidly becoming infeasible, and consequently, there is a strong demand for techniques that can guide software developers to the locations of faults in a program with minimal human intervention. This demand in turn has fueled the proposal and development of a broad spectrum of fault localization techniques, each of which aims to streamline the fault localization process and make it more effective by attacking the problem in a unique way. In this article, we catalog and provide a comprehensive overview of such techniques and discuss key issues and concerns that are pertinent to software fault localization as a whole.}, journal = {IEEE Trans. Softw. Eng.}, month = aug, pages = {707--740}, numpages = {34} } @inproceedings{Parnin2011, author = {Parnin, Chris and Orso, Alessandro}, title = {Are Automated Debugging Techniques Actually Helping Programmers?}, year = {2011}, isbn = {9781450305624}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/2001420.2001445}, doi = {10.1145/2001420.2001445}, abstract = {Debugging is notoriously difficult and extremely time consuming. Researchers have therefore invested a considerable amount of effort in developing automated techniques and tools for supporting various debugging tasks. Although potentially useful, most of these techniques have yet to demonstrate their practical effectiveness. One common limitation of existing approaches, for instance, is their reliance on a set of strong assumptions on how developers behave when debugging (e.g., the fact that examining a faulty statement in isolation is enough for a developer to understand and fix the corresponding bug). In more general terms, most existing techniques just focus on selecting subsets of potentially faulty statements and ranking them according to some criterion. By doing so, they ignore the fact that understanding the root cause of a failure typically involves complex activities, such as navigating program dependencies and rerunning the program with different inputs. The overall goal of this research is to investigate how developers use and benefit from automated debugging tools through a set of human studies. As a first step in this direction, we perform a preliminary study on a set of developers by providing them with an automated debugging tool and two tasks to be performed with and without the tool. Our results provide initial evidence that several assumptions made by automated debugging techniques do not hold in practice. 
Through an analysis of the results, we also provide insights on potential directions for future work in the area of automated debugging.}, booktitle = {Proceedings of the 2011 International Symposium on Software Testing and Analysis}, pages = {199--209}, numpages = {11}, keywords = {statistical debugging, user studies}, location = {Toronto, Ontario, Canada}, series = {ISSTA '11} } @article{Ochiai1957, title={Zoogeographical Studies on the Soleoid Fishes Found in Japan and its Neighbouring Regions-III}, author={Akira Ochiai}, journal={Nippon Suisan Gakkaishi}, year={1957}, url={https://www.jstage.jst.go.jp/article/suisan1932/22/9/22_9_522/_article/-char/ja/}, volume={22}, pages={522--525} } @inproceedings{Kirschner2020, author = {Kirschner, Lukas and Soremekun, Ezekiel and Zeller, Andreas}, title = {Debugging Inputs}, year = {2020}, isbn = {9781450371223}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://publications.cispa.saarland/3060/}, XXXdoi = {10.1145/3377812.3390797}, abstract = {Program failures are often caused by invalid inputs, for instance due to input corruption. To obtain the passing input, one needs to debug the data. In this paper we present a generic technique called ddmax that (1) identifies which parts of the input data prevent processing, and (2) recovers as much of the (valuable) input data as possible. To the best of our knowledge, ddmax is the first approach that fixes faults in the input data without requiring program analysis. In our evaluation, ddmax repaired about 69% of input files and recovered about 78% of data within one minute per input.}, booktitle = {Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering: Companion Proceedings}, pages = {300--301}, numpages = {2}, location = {Seoul, South Korea}, series = {ICSE '20} } @inproceedings{Ness1997, author = {Ness, Brian and Ngo, Viet}, title = {Regression Containment through Source Change Isolation}, year = {1997}, isbn = {0818681055}, publisher = {IEEE Computer Society}, url={https://www.computer.org/csdl/proceedings-article/compsac/1997/81050616/12OmNANBZnS}, address = {USA}, abstract = {Effective regression containment is an important factor in the design of development and testing processes for large software projects, especially when many developers are doing concurrent work on a common set of sources. Source change isolation provides an inexpensive, mechanical alternative to analytical methods for identifying the cause of software regressions. It also provides the advantage of enabling regressions to be eliminated by reversing the effect of source changes that introduced errant behavior, without the need to write new code, and without halting other development work on the same software. Deliverability is also improved.}, booktitle = {Proceedings of the 21st International Computer Software and Applications Conference}, pages = {616}, numpages = {1}, series = {COMPSAC '97} } @inproceedings{zheng2003, author = {Zheng, Alice X. and Jordan, Michael I. and Liblit, Ben and Aiken, Alex}, title = {Statistical Debugging of Sampled Programs}, year = {2003}, publisher = {MIT Press}, address = {Cambridge, MA, USA}, abstract = {We present a novel strategy for automatically debugging programs given sampled data from thousands of actual user runs. Our goal is to pinpoint those features that are most correlated with crashes. This is accomplished by maximizing an appropriately defined utility function. 
It has analogies with intuitive debugging heuristics, and, as we demonstrate, is able to deal with various types of bugs that occur in real programs.}, booktitle = {Proceedings of the 16th International Conference on Neural Information Processing Systems}, pages = {603--610}, numpages = {8}, location = {Whistler, British Columbia, Canada}, series = {NIPS'03} } @inproceedings{Liblit2003, author = {Liblit, Ben and Aiken, Alex and Zheng, Alice X. and Jordan, Michael I.}, title = {Bug Isolation via Remote Program Sampling}, year = {2003}, isbn = {1581136625}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/781131.781148}, doi = {10.1145/781131.781148}, abstract = {We propose a low-overhead sampling infrastructure for gathering information from the executions experienced by a program's user community. Several example applications illustrate ways to use sampled instrumentation to isolate bugs. Assertion-dense code can be transformed to share the cost of assertions among many users. Lacking assertions, broad guesses can be made about predicates that predict program errors and a process of elimination used to whittle these down to the true bug. Finally, even for non-deterministic bugs such as memory corruption, statistical modeling based on logistic regression allows us to identify program behaviors that are strongly correlated with failure and are therefore likely places to look for the error.}, booktitle = {Proceedings of the ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation}, pages = {141--154}, numpages = {14}, keywords = {statistical debugging, bug isolation, random sampling, logistic regression, assertions, feature selection}, location = {San Diego, California, USA}, series = {PLDI '03} } @inproceedings{Zeller1999, author = {Zeller, Andreas}, title = {Yesterday, My Program Worked. Today, It Does Not. Why?}, year = {1999}, isbn = {3540665382}, publisher = {Springer-Verlag}, address = {Berlin, Heidelberg}, abstract = {Imagine some program and a number of changes. If none of these changes is applied (“yesterday”), the program works. If all changes are applied (“today”), the program does not work. Which change is responsible for the failure? We present an efficient algorithm that determines the minimal set of failure-inducing changes. Our delta debugging prototype tracked down a single failure-inducing change from 178,000 changed GDB lines within a few hours.}, booktitle = {Proceedings of the 7th European Software Engineering Conference Held Jointly with the 7th ACM SIGSOFT International Symposium on Foundations of Software Engineering}, url = {https://doi.org/10.1145/318774.318946}, doi = {10.1145/318774.318946}, pages = {253--267}, numpages = {15}, location = {Toulouse, France}, series = {ESEC/FSE-7} } @inproceedings{Chen2014, author={Z. Chen and L. Chen and Y. Zhou and Z. Xu and W. C. Chu and B.
Xu}, booktitle={2014 IEEE 38th Annual Computer Software and Applications Conference}, title={Dynamic Slicing of Python Programs}, year={2014}, pages={219--228}, doi={10.1109/COMPSAC.2014.30} } @article{Weiser1982, author = {Weiser, Mark}, title = {Programmers Use Slices When Debugging}, year = {1982}, issue_date = {July 1982}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, volume = {25}, number = {7}, issn = {0001-0782}, url = {https://doi.org/10.1145/358557.358577}, doi = {10.1145/358557.358577}, abstract = {Computer programmers break apart large programs into smaller coherent pieces. Each of these pieces: functions, subroutines, modules, or abstract datatypes, is usually a contiguous piece of program text. The experiment reported here shows that programmers also routinely break programs into one kind of coherent piece which is not contiguous. When debugging unfamiliar programs programmers use program pieces called slices which are sets of statements related by their flow of data. The statements in a slice are not necessarily textually contiguous, but may be scattered through a program.}, journal = {Commun. ACM}, month = jul, pages = {446--452}, numpages = {7}, keywords = {slice, program decomposition} } @inproceedings{Weiser1981, author = {Weiser, Mark}, title = {Program Slicing}, year = {1981}, isbn = {0897911466}, publisher = {IEEE Press}, abstract = {Program slicing is a method used by experienced computer programmers for abstracting from programs. Starting from a subset of a program's behavior, slicing reduces that program to a minimal form which still produces that behavior. The reduced program, called a “slice”, is an independent program guaranteed to faithfully represent the original program within the domain of the specified subset of behavior. Finding a slice is in general unsolvable. A dataflow algorithm is presented for approximating slices when the behavior subset is specified as the values of a set of variables at a statement. Experimental evidence is presented that these slices are used by programmers during debugging. Experience with two automatic slicing tools is summarized. New measures of program complexity are suggested based on the organization of a program's slices.}, booktitle = {Proceedings of the 5th International Conference on Software Engineering}, pages = {439--449}, numpages = {11}, keywords = {Human factors, Data flow analysis, Program metrics, Program maintenance, Debugging, Software tools}, location = {San Diego, California, USA}, series = {ICSE '81} } @article{Tip1995, title={A survey of program slicing techniques}, author={Tip, Frank}, journal={Journal of Programming Languages}, volume={3}, number={3}, pages={121--189}, url={https://www.franktip.org/pubs/jpl1995.pdf}, year={1995} } @article{Korel1988, author = {Korel, B. and Laski, J.}, title = {Dynamic Program Slicing}, year = {1988}, issue_date = {October 26, 1988}, publisher = {Elsevier North-Holland, Inc.}, address = {USA}, volume = {29}, number = {3}, issn = {0020-0190}, url = {https://doi.org/10.1016/0020-0190(88)90054-3}, doi = {10.1016/0020-0190(88)90054-3}, journal = {Inf. Process.
Lett.}, month = oct, pages = {155--163}, numpages = {9} } @inproceedings{Agrawal1990, author = {Agrawal, Hiralal and Horgan, Joseph R.}, title = {Dynamic Program Slicing}, year = {1990}, isbn = {0897913647}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/93542.93576}, doi = {10.1145/93542.93576}, abstract = {Program slices are useful in debugging, testing, maintenance, and understanding of programs. The conventional notion of a program slice, the static slice, is the set of all statements that might affect the value of a given variable occurrence. In this paper, we investigate the concept of the dynamic slice consisting of all statements that actually affect the value of a variable occurrence for a given program input. The sensitivity of dynamic slicing to particular program inputs makes it more useful in program debugging and testing than static slicing. Several approaches for computing dynamic slices are examined. The notion of a Dynamic Dependence Graph and its use in computing dynamic slices is discussed. The Dynamic Dependence Graph may be unbounded in length; therefore, we introduce the economical concept of a Reduced Dynamic Dependence Graph, which is proportional in size to the number of dynamic slices arising during the program execution.}, booktitle = {Proceedings of the ACM SIGPLAN 1990 Conference on Programming Language Design and Implementation}, pages = {246--256}, numpages = {11}, location = {White Plains, New York, USA}, series = {PLDI '90} } @inproceedings{Ko2004, author = {Ko, Andrew J. and Myers, Brad A.}, title = {Designing the Whyline: A Debugging Interface for Asking Questions about Program Behavior}, year = {2004}, isbn = {1581137028}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/985692.985712}, doi = {10.1145/985692.985712}, abstract = {Debugging is still among the most common and costly of programming activities. One reason is that current debugging tools do not directly support the inquisitive nature of the activity. Interrogative Debugging is a new debugging paradigm in which programmers can ask why did and even why didn't questions directly about their program's runtime failures. The Whyline is a prototype Interrogative Debugging interface for the Alice programming environment that visualizes answers in terms of runtime events directly relevant to a programmer's question. Comparisons of identical debugging scenarios from user tests with and without the Whyline showed that the Whyline reduced debugging time by nearly a factor of 8, and helped programmers complete 40% more tasks.}, booktitle = {Proceedings of the SIGCHI Conference on Human Factors in Computing Systems}, pages = {151--158}, numpages = {8}, keywords = {debugging, program slicing, Alice}, location = {Vienna, Austria}, series = {CHI '04} } @article{Soremekun2021, title = {Locating Faults with Program Slicing: An Empirical Analysis}, author = {Ezekiel Soremekun and Lukas Kirschner and Marcel B{\"o}hme and Andreas Zeller}, journal = {Empirical Software Engineering}, year = {2021}, url = {https://figshare.com/articles/conference_contribution/Locating_Faults_with_Program_Slicing_-_An_Empirical_Analysis_-_Replication_Package/13369400/1} } @article{LeGoues2012, author={C. Le Goues and T. Nguyen and S. Forrest and W.
Weimer}, journal={IEEE Transactions on Software Engineering}, title={GenProg: A Generic Method for Automatic Software Repair}, year={2012}, volume={38}, number={1}, pages={54--72}, doi={10.1109/TSE.2011.104}, url={https://ieeexplore.ieee.org/document/6035728} } @article{Pei2014, author={Y. Pei and C. A. Furia and M. Nordio and Y. Wei and B. Meyer and A. Zeller}, journal={IEEE Transactions on Software Engineering}, title={Automated Fixing of Programs with Contracts}, year={2014}, volume={40}, number={5}, pages={427--449}, doi={10.1109/TSE.2014.2312918}, url={https://ieeexplore.ieee.org/document/6776507} } @inproceedings{Nguyen2013, author = {Nguyen, Hoang Duong Thien and Qi, Dawei and Roychoudhury, Abhik and Chandra, Satish}, title = {SemFix: Program Repair via Semantic Analysis}, year = {2013}, isbn = {9781467330763}, publisher = {IEEE Press}, abstract = {Debugging consumes significant time and effort in any major software development project. Moreover, even after the root cause of a bug is identified, fixing the bug is non-trivial. Given this situation, automated program repair methods are of value. In this paper, we present an automated repair method based on symbolic execution, constraint solving and program synthesis. In our approach, the requirement on the repaired code to pass a given set of tests is formulated as a constraint. Such a constraint is then solved by iterating over a layered space of repair expressions, layered by the complexity of the repair code. We compare our method with recently proposed genetic programming based repair on SIR programs with seeded bugs, as well as fragments of GNU Coreutils with real bugs. On these subjects, our approach reports a higher success-rate than genetic programming based repair, and produces a repair faster.}, booktitle = {Proceedings of the 2013 International Conference on Software Engineering}, pages = {772--781}, numpages = {10}, location = {San Francisco, CA, USA}, url = {https://dl.acm.org/doi/10.5555/2486788.2486890}, series = {ICSE '13} } @inproceedings{Kalhauge2019, author = {Kalhauge, Christian Gram and Palsberg, Jens}, title = {Binary Reduction of Dependency Graphs}, year = {2019}, isbn = {9781450355728}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3338906.3338956}, doi = {10.1145/3338906.3338956}, abstract = {Delta debugging is a technique for reducing a failure-inducing input to a small input that reveals the cause of the failure. This has been successful for a wide variety of inputs including C programs, XML data, and thread schedules. However, for input that has many internal dependencies, delta debugging scales poorly. Such input includes C#, Java, and Java bytecode and they have presented a major challenge for input reduction until now. In this paper, we show that the core challenge is a reduction problem for dependency graphs, and we present a general strategy for reducing such graphs. We combine this with a novel algorithm for reduction called Binary Reduction in a tool called J-Reduce for Java bytecode. Our experiments show that our tool is 12x faster and achieves more reduction than delta debugging on average. 
This enabled us to create and submit short bug reports for three Java bytecode decompilers.}, booktitle = {Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering}, pages = {556--566}, numpages = {11}, keywords = {dependencies, Debugging, reduction}, location = {Tallinn, Estonia}, series = {ESEC/FSE 2019} } @inproceedings{Gopinath2020mining, author = {Gopinath, Rahul and Mathis, Bj\"{o}rn and Zeller, Andreas}, title = {Mining Input Grammars from Dynamic Control Flow}, year = {2020}, isbn = {9781450370431}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3368089.3409679}, abstract = {One of the key properties of a program is its input specification. Having a formal input specification can be critical in fields such as vulnerability analysis, reverse engineering, software testing, clone detection, or refactoring. Unfortunately, accurate input specifications for typical programs are often unavailable or out of date. In this paper, we present a general algorithm that takes a program and a small set of sample inputs and automatically infers a readable context-free grammar capturing the input language of the program. We infer the syntactic input structure only by observing access of input characters at different locations of the input parser. This works on all stack based recursive descent input parsers, including parser combinators, and works entirely without program specific heuristics. Our Mimid prototype produced accurate and readable grammars for a variety of evaluation subjects, including complex languages such as JSON, TinyC, and JavaScript.}, booktitle = {Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering}, pages = {172--183}, numpages = {12} } @inproceedings{Bettenburg2008, author = {Bettenburg, Nicolas and Just, Sascha and Schr\"{o}ter, Adrian and Weiss, Cathrin and Premraj, Rahul and Zimmermann, Thomas}, title = {What Makes a Good Bug Report?}, year = {2008}, isbn = {9781595939951}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/1453101.1453146}, doi = {10.1145/1453101.1453146}, abstract = {In software development, bug reports provide crucial information to developers. However, these reports widely differ in their quality. We conducted a survey among developers and users of APACHE, ECLIPSE, and MOZILLA to find out what makes a good bug report. The analysis of the 466 responses revealed an information mismatch between what developers need and what users supply. Most developers consider steps to reproduce, stack traces, and test cases as helpful, which are at the same time most difficult to provide for users. Such insight is helpful to design new bug tracking tools that guide users at collecting and providing more helpful information. Our CUEZILLA prototype is such a tool and measures the quality of new bug reports; it also recommends which elements should be added to improve the quality. We trained CUEZILLA on a sample of 289 bug reports, rated by developers as part of the survey.
In our experiments, CUEZILLA was able to predict the quality of 31--48% of bug reports accurately.}, booktitle = {Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of Software Engineering}, pages = {308--318}, numpages = {11}, location = {Atlanta, Georgia}, series = {SIGSOFT '08/FSE-16} } @inproceedings{Bertram2010, author = {Bertram, Dane and Voida, Amy and Greenberg, Saul and Walker, Robert}, title = {Communication, Collaboration, and Bugs: The Social Nature of Issue Tracking in Small, Collocated Teams}, year = {2010}, isbn = {9781605587950}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/1718918.1718972}, doi = {10.1145/1718918.1718972}, abstract = {Issue tracking systems help organizations manage issue reporting, assignment, tracking, resolution, and archiving. Traditionally, it is the Software Engineering community that researches issue tracking systems, where software defects are reported and tracked as 'bug reports' within an archival database. Yet, as issue tracking is fundamentally a social process, it is important to understand the design and use of issue tracking systems from that perspective. Consequently, we conducted a qualitative study of issue tracking systems as used by small, collocated software development teams. We found that an issue tracker is not just a database for tracking bugs, features, and inquiries, but also a focal point for communication and coordination for many stakeholders within and beyond the software team. Customers, project managers, quality assurance personnel, and programmers all contribute to the shared knowledge and persistent communication that exists within the issue tracking system. These results were all the more striking because in spite of teams being collocated--which afforded frequent, face-to-face communication--the issue tracker was still used as a fundamental communication channel. We articulate various real-world practices surrounding issue trackers and offer design considerations for future systems.}, booktitle = {Proceedings of the 2010 ACM Conference on Computer Supported Cooperative Work}, pages = {291--300}, numpages = {10}, keywords = {shared knowledge, software engineering, issue tracking}, location = {Savannah, Georgia, USA}, series = {CSCW '10} } @inproceedings{Bissyande2013, author={T. F. Bissyand{\'e} and D. Lo and L. Jiang and L. R{\'e}veill{\`e}re and J. Klein and Y. L. Traon}, booktitle={2013 IEEE 24th International Symposium on Software Reliability Engineering (ISSRE)}, title={Got issues? Who cares about it? A large scale investigation of issue trackers from GitHub}, year={2013}, pages={188--197}, doi={10.1109/ISSRE.2013.6698918}, url={https://doi.org/10.1109/ISSRE.2013.6698918} } @inproceedings{Herzig2013, author={K. Herzig and S. Just and A. Zeller}, booktitle={2013 35th International Conference on Software Engineering (ICSE)}, title={It's not a bug, it's a feature: How misclassification impacts bug prediction}, year={2013}, pages={392--401}, doi={10.1109/ICSE.2013.6606585}, url={https://doi.org/10.1109/ICSE.2013.6606585} } @inproceedings{Anvik2006, author = {Anvik, John and Hiew, Lyndon and Murphy, Gail C.}, title = {Who Should Fix This Bug?}, year = {2006}, isbn = {1595933751}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/1134285.1134336}, doi = {10.1145/1134285.1134336}, abstract = {Open source development projects typically support an open bug repository to which both developers and users can report bugs.
The reports that appear in this repository must be triaged to determine if the report is one which requires attention and if it is, which developer will be assigned the responsibility of resolving the report. Large open source developments are burdened by the rate at which new bug reports appear in the bug repository. In this paper, we present a semi-automated approach intended to ease one part of this process, the assignment of reports to a developer. Our approach applies a machine learning algorithm to the open bug repository to learn the kinds of reports each developer resolves. When a new report arrives, the classifier produced by the machine learning technique suggests a small number of developers suitable to resolve the report. With this approach, we have reached precision levels of 57% and 64% on the Eclipse and Firefox development projects respectively. We have also applied our approach to the gcc open source development with less positive results. We describe the conditions under which the approach is applicable and also report on the lessons we learned about applying machine learning to repositories used in open source development.}, booktitle = {Proceedings of the 28th International Conference on Software Engineering}, pages = {361--370}, numpages = {10}, keywords = {bug report assignment, problem tracking, bug triage, issue tracking, machine learning}, location = {Shanghai, China}, series = {ICSE '06} } @article{Kim2013, author={D. Kim and Y. Tao and S. Kim and A. Zeller}, journal={IEEE Transactions on Software Engineering}, title={Where Should We Fix This Bug? A Two-Phase Recommendation Model}, year={2013}, volume={39}, number={11}, pages={1597--1610}, doi={10.1109/TSE.2013.24}, url={https://doi.org/10.1109/TSE.2013.24} } @inproceedings{Wang2008, author = {Wang, Xiaoyin and Zhang, Lu and Xie, Tao and Anvik, John and Sun, Jiasu}, title = {An Approach to Detecting Duplicate Bug Reports Using Natural Language and Execution Information}, year = {2008}, isbn = {9781605580791}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/1368088.1368151}, doi = {10.1145/1368088.1368151}, abstract = {An open source project typically maintains an open bug repository so that bug reports from all over the world can be gathered. When a new bug report is submitted to the repository, a person, called a triager, examines whether it is a duplicate of an existing bug report. If it is, the triager marks it as DUPLICATE and the bug report is removed from consideration for further work. In the literature, there are approaches exploiting only natural language information to detect duplicate bug reports. In this paper we present a new approach that further involves execution information. In our approach, when a new bug report arrives, its natural language information and execution information are compared with those of the existing bug reports. Then, a small number of existing bug reports are suggested to the triager as the most similar bug reports to the new bug report. Finally, the triager examines the suggested bug reports to determine whether the new bug report duplicates an existing bug report. We calibrated our approach on a subset of the Eclipse bug repository and evaluated our approach on a subset of the Firefox bug repository.
The experimental results show that our approach can detect 67%-93% of duplicate bug reports in the Firefox bug repository, compared to 43%-72% using natural language information alone.}, booktitle = {Proceedings of the 30th International Conference on Software Engineering}, pages = {461--470}, numpages = {10}, keywords = {execution information, duplicate bug report, information retrieval}, location = {Leipzig, Germany}, series = {ICSE '08} } @inproceedings{Gopinath2020, author = {Gopinath, Rahul and Kampmann, Alexander and Havrikov, Nikolas and Soremekun, Ezekiel O. and Zeller, Andreas}, title = {Abstracting Failure-Inducing Inputs}, year = {2020}, isbn = {9781450380089}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3395363.3397349}, doi = {10.1145/3395363.3397349}, abstract = {A program fails. Under which circumstances does the failure occur? Starting with a single failure-inducing input ("The input ((4)) fails") and an input grammar, the DDSET algorithm uses systematic tests to automatically generalize the input to an abstract failure-inducing input that contains both (concrete) terminal symbols and (abstract) nonterminal symbols from the grammar—for instance, "(())", which represents any expression in double parentheses. Such an abstract failure-inducing input can be used (1) as a debugging diagnostic, characterizing the circumstances under which a failure occurs ("The error occurs whenever an expression is enclosed in double parentheses"); (2) as a producer of additional failure-inducing tests to help design and validate fixes and repair candidates ("The inputs ((1)), ((3 * 4)), and many more also fail"). In its evaluation on real-world bugs in JavaScript, Clojure, Lua, and UNIX command line utilities, DDSET's abstract failure-inducing inputs provided to-the-point diagnostics, and precise producers for further failure-inducing inputs.}, booktitle = {Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis}, pages = {237--248}, numpages = {12}, keywords = {error diagnosis, debugging, grammars, failure-inducing inputs}, location = {Virtual Event, USA}, series = {ISSTA 2020} } @inproceedings{Kampmann2020, author = {Kampmann, Alexander and Havrikov, Nikolas and Soremekun, Ezekiel O. and Zeller, Andreas}, title = {When Does My Program Do This? Learning Circumstances of Software Behavior}, year = {2020}, isbn = {9781450370431}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3368089.3409687}, abstract = {A program fails. Under which circumstances does the failure occur? Our Alhazen approach starts with a run that exhibits a particular behavior and automatically determines input features associated with the behavior in question: (1) We use a grammar to parse the input into individual elements. (2) We use a decision tree learner to observe and learn which input elements are associated with the behavior in question. (3) We use the grammar to generate additional inputs to further strengthen or refute hypotheses as learned associations. (4) By repeating steps 2 and 3, we obtain a theory that explains and predicts the given behavior.
In our evaluation using inputs for find, grep, NetHack, and a JavaScript transpiler, the theories produced by Alhazen predict and produce failures with high accuracy and allow developers to focus on a small set of input features: ``grep fails whenever the --fixed-strings option is used in conjunction with an empty search string.''}, booktitle = {Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering}, pages = {1228--1239}, numpages = {12} } @inproceedings{Gopinath2021, title = {Input Algebras}, author = {Gopinath, Rahul and Nemati, Hamed and Zeller, Andreas}, booktitle = {International Conference on Software Engineering (ICSE 2021)}, year = {2021}, url = {https://publications.cispa.saarland/3208/}, note = {To Appear} } @inproceedings{King2005, author = {Samuel T. King and George W. Dunlap and Peter M. Chen}, title = {Debugging Operating Systems with Time-Traveling Virtual Machines}, booktitle = {2005 {USENIX} Annual Technical Conference ({USENIX} {ATC} 05)}, year = {2005}, address = {Anaheim, CA}, url = {https://www.usenix.org/conference/2005-usenix-annual-technical-conference/debugging-operating-systems-time-traveling}, publisher = {{USENIX} Association}, month = apr, } @inproceedings{Glerum2009, author = {Glerum, Kirk and Kinshumann, Kinshuman and Greenberg, Steve and Aul, Gabriel and Orgovan, Vince and Nichols, Greg and Grant, David and Loihle, Gretchen and Hunt, Galen}, title = {Debugging in the (Very) Large: Ten Years of Implementation and Experience}, year = {2009}, isbn = {9781605587523}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/1629575.1629586}, doi = {10.1145/1629575.1629586}, abstract = {Windows Error Reporting (WER) is a distributed system that automates the processing of error reports coming from an installed base of a billion machines. WER has collected billions of error reports in ten years of operation. It collects error data automatically and classifies errors into buckets, which are used to prioritize developer effort and report fixes to users. WER uses a progressive approach to data collection, which minimizes overhead for most reports yet allows developers to collect detailed information when needed. WER takes advantage of its scale to use error statistics as a tool in debugging; this allows developers to isolate bugs that could not be found at smaller scale. WER has been designed for large scale: one pair of database servers can record all the errors that occur on all Windows computers worldwide.}, booktitle = {Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles}, pages = {103--116}, numpages = {14}, keywords = {classifying, statistics-based debugging, error reports, blue screen of death, minidump, bucketing, labeling}, location = {Big Sky, Montana, USA}, series = {SOSP '09} } @inproceedings{Schuler2011, author = {Schuler, David and Zeller, Andreas}, title = {Assessing Oracle Quality with Checked Coverage}, year = {2011}, isbn = {9780769543420}, publisher = {IEEE Computer Society}, address = {USA}, url = {https://doi.org/10.1109/ICST.2011.32}, doi = {10.1109/ICST.2011.32}, abstract = {A known problem of traditional coverage metrics is that they do not assess oracle quality -- that is, whether the computation result is actually checked against expectations. In this paper, we introduce the concept of checked coverage -- the dynamic slice of covered statements that actually influence an oracle.
Our experiments on seven open-source projects show that checked coverage is a sure indicator for oracle quality -- and even more sensitive than mutation testing, its much more demanding alternative.}, booktitle = {Proceedings of the 2011 Fourth IEEE International Conference on Software Testing, Verification and Validation}, pages = {90--99}, numpages = {10}, keywords = {dynamic slicing, test suite quality, coverage metrics, mutation testing}, series = {ICST '11} } @inproceedings{Barr2014, author = {Barr, Earl T. and Brun, Yuriy and Devanbu, Premkumar and Harman, Mark and Sarro, Federica}, title = {The Plastic Surgery Hypothesis}, year = {2014}, isbn = {9781450330565}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/2635868.2635898}, doi = {10.1145/2635868.2635898}, abstract = {Recent work on genetic-programming-based approaches to automatic program patching have relied on the insight that the content of new code can often be assembled out of fragments of code that already exist in the code base. This insight has been dubbed the plastic surgery hypothesis; successful, well-known automatic repair tools such as GenProg rest on this hypothesis, but it has never been validated. We formalize and validate the plastic surgery hypothesis and empirically measure the extent to which raw material for changes actually already exists in projects. In this paper, we mount a large-scale study of several large Java projects, and examine a history of 15,723 commits to determine the extent to which these commits are graftable, i.e., can be reconstituted from existing code, and find an encouraging degree of graftability, surprisingly independent of commit size and type of commit. For example, we find that changes are 43% graftable from the exact version of the software being changed. With a view to investigating the difficulty of finding these grafts, we study the abundance of such grafts in three possible sources: the immediately previous version, prior history, and other projects. We also examine the contiguity or chunking of these grafts, and the degree to which grafts can be found in the same file. Our results are quite promising and suggest an optimistic future for automatic program patching methods that search for raw material in already extant code in the project being patched.}, booktitle = {Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering}, pages = {306--317}, numpages = {12}, keywords = {code reuse, automated program repair, mining software repositories, Software graftability, empirical software engineering}, location = {Hong Kong, China}, series = {FSE 2014} } @inproceedings{Mechtaev2016, author = {Mechtaev, Sergey and Yi, Jooyong and Roychoudhury, Abhik}, title = {Angelix: Scalable Multiline Program Patch Synthesis via Symbolic Analysis}, year = {2016}, isbn = {9781450339001}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/2884781.2884807}, doi = {10.1145/2884781.2884807}, abstract = {Since debugging is a time-consuming activity, automated program repair tools such as GenProg have garnered interest. A recent study revealed that the majority of GenProg repairs avoid bugs simply by deleting functionality. We found that SPR, a state-of-the-art repair tool proposed in 2015, still deletes functionality in their many "plausible" repairs.
Unlike generate-and-validate systems such as GenProg and SPR, semantic analysis based repair techniques synthesize a repair based on semantic information of the program. While such semantics-based repair methods show promise in terms of quality of generated repairs, their scalability has been a concern so far. In this paper, we present Angelix, a novel semantics-based repair method that scales up to programs of similar size as are handled by search-based repair tools such as GenProg and SPR. This shows that Angelix is more scalable than previously proposed semantics based repair methods such as SemFix and DirectFix. Furthermore, our repair method can repair multiple buggy locations that are dependent on each other. Such repairs are hard to achieve using SPR and GenProg. In our experiments, Angelix generated repairs from large-scale real-world software such as wireshark and php, and these generated repairs include multi-location repairs. We also report our experience in automatically repairing the well-known Heartbleed vulnerability.}, booktitle = {Proceedings of the 38th International Conference on Software Engineering}, pages = {691--701}, numpages = {11}, keywords = {multiline patch, scalable semantics-based repair, program repair, angelic forest}, location = {Austin, Texas}, series = {ICSE '16} } @inproceedings{bucur2014prototyping, author = {Bucur, Stefan and Kinder, Johannes and Candea, George}, title = {Prototyping Symbolic Execution Engines for Interpreted Languages}, year = {2014}, isbn = {9781450323055}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/2541940.2541977}, doi = {10.1145/2541940.2541977}, abstract = {Symbolic execution is being successfully used to automatically test statically compiled code. However, increasingly more systems and applications are written in dynamic interpreted languages like Python. Building a new symbolic execution engine is a monumental effort, and so is keeping it up-to-date as the target language evolves. Furthermore, ambiguous language specifications lead to their implementation in a symbolic execution engine potentially differing from the production interpreter in subtle ways. We address these challenges by flipping the problem and using the interpreter itself as a specification of the language semantics. We present a recipe and tool (called Chef) for turning a vanilla interpreter into a sound and complete symbolic execution engine. Chef symbolically executes the target program by symbolically executing the interpreter's binary while exploiting inferred knowledge about the program's high-level structure. Using Chef, we developed a symbolic execution engine for Python in 5 person-days and one for Lua in 3 person-days. They offer complete and faithful coverage of language features in a way that keeps up with future language versions at near-zero cost.
Chef-produced engines are up to 1000 times more performant than if directly executing the interpreter symbolically without Chef.}, booktitle = {Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems}, pages = {239--254}, numpages = {16}, keywords = {software analysis optimizations, interpreter instrumentation, state selection strategies}, location = {Salt Lake City, Utah, USA}, series = {ASPLOS '14} } @inproceedings{KLEE, author = {Cadar, Cristian and Dunbar, Daniel and Engler, Dawson}, title = {KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs}, year = {2008}, publisher = {USENIX Association}, address = {USA}, abstract = {We present a new symbolic execution tool, KLEE, capable of automatically generating tests that achieve high coverage on a diverse set of complex and environmentally-intensive programs. We used KLEE to thoroughly check all 89 stand-alone programs in the GNU COREUTILS utility suite, which form the core user-level environment installed on millions of Unix systems, and arguably are the single most heavily tested set of open-source programs in existence. KLEE-generated tests achieve high line coverage -- on average over 90% per tool (median: over 94%) -- and significantly beat the coverage of the developers' own hand-written test suite. When we did the same for 75 equivalent tools in the BUSYBOX embedded system suite, results were even better, including 100% coverage on 31 of them. We also used KLEE as a bug finding tool, applying it to 452 applications (over 430K total lines of code), where it found 56 serious bugs, including three in COREUTILS that had been missed for over 15 years. Finally, we used KLEE to crosscheck purportedly identical BUSYBOX and COREUTILS utilities, finding functional correctness errors and a myriad of inconsistencies.}, booktitle = {Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation}, pages = {209--224}, numpages = {16}, location = {San Diego, California}, series = {OSDI'08} } @article{Boehme2018stads, author = {B\"{o}hme, Marcel}, title = {STADS: Software Testing as Species Discovery}, year = {2018}, issue_date = {July 2018}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, volume = {27}, number = {2}, issn = {1049-331X}, url = {https://doi.org/10.1145/3210309}, doi = {10.1145/3210309}, abstract = {A fundamental challenge of software testing is the statistically well-grounded extrapolation from program behaviors observed during testing. For instance, a security researcher who has run the fuzzer for a week has currently no means (1) to estimate the total number of feasible program branches, given that only a fraction has been covered so far; (2) to estimate the additional time required to cover 10% more branches (or to estimate the coverage achieved in one more day, respectively); or (3) to assess the residual risk that a vulnerability exists when no vulnerability has been discovered. Failing to discover a vulnerability does not mean that none exists—even if the fuzzer was run for a week (or a year). Hence, testing provides no formal correctness guarantees. In this article, I establish an unexpected connection with the otherwise unrelated scientific field of ecology and introduce a statistical framework that models Software Testing and Analysis as Discovery of Species (STADS).
For instance, in order to study the species diversity of arthropods in a tropical rain forest, ecologists would first sample a large number of individuals from that forest, determine their species, and extrapolate from the properties observed in the sample to properties of the whole forest. The estimations (1) of the total number of species, (2) of the additional sampling effort required to discover 10% more species, or (3) of the probability to discover a new species are classical problems in ecology. The STADS framework draws from over three decades of research in ecological biostatistics to address the fundamental extrapolation challenge for automated test generation. Our preliminary empirical study demonstrates a good estimator performance even for a fuzzer with adaptive sampling bias—AFL, a state-of-the-art vulnerability detection tool. The STADS framework provides statistical correctness guarantees with quantifiable accuracy.}, journal = {ACM Trans. Softw. Eng. Methodol.}, month = jun, articleno = {7}, numpages = {52}, keywords = {extrapolation, security, measure of confidence, discovery probability, fuzzing, stopping rule, reliability, measure of progress, code coverage, Statistical guarantees, species coverage} }