Mining Input Grammars

So far, the grammars we have seen have been mostly specified manually – that is, you (or the person knowing the input format) had to design and write a grammar in the first place. While the grammars we have seen so far have been rather simple, creating a grammar for complex inputs can involve quite some effort. In this chapter, we therefore introduce techniques that automatically mine grammars from programs – by executing the programs and observing how they process which parts of the input. In conjunction with a grammar fuzzer, this allows us to

  1. take a program,
  2. extract its input grammar, and
  3. fuzz it with high efficiency and effectiveness, using the concepts in this book.
from bookutils import YouTubeVideo
YouTubeVideo("ddM1oL2LYDI")

Prerequisites

Synopsis

To use the code provided in this chapter, write

>>> from fuzzingbook.GrammarMiner import <identifier>

and then make use of the following features.

This chapter provides a number of classes to mine input grammars from existing programs. The function recover_grammar() could be the easiest to use. It takes a function and a set of inputs, and returns a grammar that describes its input language.

We apply recover_grammar() on a url_parse() function that takes and decomposes URLs:

>>> url_parse('https://www.fuzzingbook.org/')
>>> URLS
['http://user:pass@www.google.com:80/?q=path#ref',
 'https://www.cispa.saarland:80/',
 'http://www.fuzzingbook.org/#News']

We extract the input grammar for url_parse() using recover_grammar():

>>> grammar = recover_grammar(url_parse, URLS, files=['urllib/parse.py'])
>>> grammar
{'<start>': ['<urlsplit@437:url>'],
 '<urlsplit@437:url>': ['<urlparse@394:scheme>:<_splitnetloc@411:url>'],
 '<urlparse@394:scheme>': ['https', 'http'],
 '<_splitnetloc@411:url>': ['//<urlparse@394:netloc><urlsplit@481:url>',
  '//<urlparse@394:netloc>/'],
 '<urlparse@394:netloc>': ['www.cispa.saarland:80',
  'user:pass@www.google.com:80',
  'www.fuzzingbook.org'],
 '<urlsplit@481:url>': ['<urlsplit@486:url>#<urlparse@394:fragment>',
  '/#<urlparse@394:fragment>'],
 '<urlsplit@486:url>': ['/?<urlparse@394:query>'],
 '<urlparse@394:query>': ['q=path'],
 '<urlparse@394:fragment>': ['News', 'ref']}

The names of nonterminals are a bit technical; but the grammar nicely represents the structure of the input; for instance, the different schemes ("http", "https") are all identified:

>>> syntax_diagram(grammar)
start

urlsplit@437:url

urlsplit@437:url

urlparse@394:scheme : _splitnetloc@411:url

urlparse@394:scheme

https http

_splitnetloc@411:url

// urlparse@394:netloc urlsplit@481:url // urlparse@394:netloc /

urlparse@394:netloc

www.cispa.saarland:80 user:pass@www.google.com:80 www.fuzzingbook.org

urlsplit@481:url

urlsplit@486:url # urlparse@394:fragment /# urlparse@394:fragment

urlsplit@486:url

/? urlparse@394:query

urlparse@394:query

q=path

urlparse@394:fragment

News ref

The grammar can be immediately used for fuzzing, producing arbitrary combinations of input elements, which are all syntactically valid.

>>> from GrammarCoverageFuzzer import GrammarCoverageFuzzer
>>> fuzzer = GrammarCoverageFuzzer(grammar)
>>> [fuzzer.fuzz() for i in range(5)]
['https://www.cispa.saarland:80/',
 'http://www.fuzzingbook.org/#ref',
 'https://user:pass@www.google.com:80/?q=path#News',
 'http://user:pass@www.google.com:80/#ref',
 'https://www.fuzzingbook.org/#News']

Being able to automatically extract a grammar and to use this grammar for fuzzing makes for very effective test generation with a minimum of manual work.

A Grammar Challenge

Consider the process_inventory() method from the chapter on parsers:

from typing import List, Tuple, Callable, Any
from collections.abc import Iterable
from Parser import process_inventory, process_vehicle, process_car, process_van, lr_graph  # minor dependency

It takes inputs of the following form.

INVENTORY = """\
1997,van,Ford,E350
2000,car,Mercury,Cougar
1999,car,Chevy,Venture\
"""
print(process_inventory(INVENTORY))
We have a Ford E350 van from 1997 vintage.
It is an old but reliable model!
We have a Mercury Cougar car from 2000 vintage.
It is an old but reliable model!
We have a Chevy Venture car from 1999 vintage.
It is an old but reliable model!

We found from the chapter on parsers that coarse grammars do not work well for fuzzing when the input format includes details expressed only in code. That is, even though we have the formal specification of CSV files (RFC 4180), the inventory system includes further rules as to what is expected at each index of the CSV file. The solution of simply recombining existing inputs, while practical, is incomplete. In particular, it relies on a formal input specification being available in the first place. However, we have no assurance that the program obeys the input specification given.

One of the ways out of this predicament is to interrogate the program under test as to what its input specification is. That is, if the program under test is written in a style such that specific methods are responsible for handling specific parts of the input, one can recover the parse tree by observing the process of parsing. Further, one can recover a reasonable approximation of the grammar by abstraction from multiple input trees.

We start with the assumption (1) that the program is written in such a fashion that specific methods are responsible for parsing specific fragments of the program -- This includes almost all ad hoc parsers.

The idea is as follows:

  • Hook into the Python execution and observe the fragments of input string as they are produced and named in different methods.
  • Stitch the input fragments together in a tree structure to retrieve the Parse Tree.
  • Abstract common elements from multiple parse trees to produce the Context Free Grammar of the input.

A Simple Grammar Miner

Say we want to obtain the input grammar for the function process_vehicle(). We first collect the sample inputs for this function.

VEHICLES = INVENTORY.split('\n')

The set of methods responsible for processing inventory are the following.

INVENTORY_METHODS = {
    'process_inventory',
    'process_vehicle',
    'process_van',
    'process_car'}

We have seen from the chapter on configuration fuzzing that one can hook into the Python runtime to observe the arguments to a function and any local variables created. We have also seen that one can obtain the context of execution by inspecting the frame argument. Here is a simple tracer that can return the local variables and other contextual information in a traced function. We reuse the Coverage tracing class.

Tracer

from Coverage import Coverage
import inspect
class Tracer(Coverage):
    def traceit(self, frame, event, arg):
        method_name = inspect.getframeinfo(frame).function
        if method_name not in INVENTORY_METHODS:
            return
        file_name = inspect.getframeinfo(frame).filename

        param_names = inspect.getargvalues(frame).args
        lineno = inspect.getframeinfo(frame).lineno
        local_vars = inspect.getargvalues(frame).locals
        print(event, file_name, lineno, method_name, param_names, local_vars)
        return self.traceit

We run the code under trace context.

with Tracer() as tracer:
    process_vehicle(VEHICLES[0])
call Parser.ipynb 29 process_vehicle ['vehicle'] {'vehicle': '1997,van,Ford,E350'}
line Parser.ipynb 30 process_vehicle ['vehicle'] {'vehicle': '1997,van,Ford,E350'}
line Parser.ipynb 31 process_vehicle ['vehicle'] {'vehicle': '1997,van,Ford,E350', 'year': '1997', 'kind': 'van', 'company': 'Ford', 'model': 'E350', '_': []}
line Parser.ipynb 32 process_vehicle ['vehicle'] {'vehicle': '1997,van,Ford,E350', 'year': '1997', 'kind': 'van', 'company': 'Ford', 'model': 'E350', '_': []}
call Parser.ipynb 40 process_van ['year', 'company', 'model'] {'year': '1997', 'company': 'Ford', 'model': 'E350'}
line Parser.ipynb 41 process_van ['year', 'company', 'model'] {'year': '1997', 'company': 'Ford', 'model': 'E350'}
line Parser.ipynb 42 process_van ['year', 'company', 'model'] {'year': '1997', 'company': 'Ford', 'model': 'E350', 'res': ['We have a Ford E350 van from 1997 vintage.']}
line Parser.ipynb 43 process_van ['year', 'company', 'model'] {'year': '1997', 'company': 'Ford', 'model': 'E350', 'res': ['We have a Ford E350 van from 1997 vintage.'], 'iyear': 1997}
line Parser.ipynb 46 process_van ['year', 'company', 'model'] {'year': '1997', 'company': 'Ford', 'model': 'E350', 'res': ['We have a Ford E350 van from 1997 vintage.'], 'iyear': 1997}
line Parser.ipynb 47 process_van ['year', 'company', 'model'] {'year': '1997', 'company': 'Ford', 'model': 'E350', 'res': ['We have a Ford E350 van from 1997 vintage.', 'It is an old but reliable model!'], 'iyear': 1997}
return Parser.ipynb 47 process_van ['year', 'company', 'model'] {'year': '1997', 'company': 'Ford', 'model': 'E350', 'res': ['We have a Ford E350 van from 1997 vintage.', 'It is an old but reliable model!'], 'iyear': 1997}
return Parser.ipynb 32 process_vehicle ['vehicle'] {'vehicle': '1997,van,Ford,E350', 'year': '1997', 'kind': 'van', 'company': 'Ford', 'model': 'E350', '_': []}

The main thing that we want out of tracing is a list of assignments of input fragments to different variables. We can use the tracing facility settrace() to get that as we showed above.

However, the settrace() function hooks into the Python debugging facility. When it is in operation, no debugger can hook into the program. That is, if there is a problem with our grammar miner, we will not be able to attach a debugger to it to understand what is happening. This is not ideal. Hence, we limit the tracer to the simplest implementation possible, and implement the core of grammar mining in later stages.

The traceit() function relies on information from the frame variable which exposes Python internals. We define a context class that encapsulates the information that we need from the frame.

Context

The Context class provides easy access to the information such as the current module, and parameter names.

class Context:
    def __init__(self, frame, track_caller=True):
        self.method = inspect.getframeinfo(frame).function
        self.parameter_names = inspect.getargvalues(frame).args
        self.file_name = inspect.getframeinfo(frame).filename
        self.line_no = inspect.getframeinfo(frame).lineno

    def _t(self):
        return (self.file_name, self.line_no, self.method,
                ','.join(self.parameter_names))

    def __repr__(self):
        return "%s:%d:%s(%s)" % self._t()

Here we add a few convenience methods that operate on the frame to Context.

class Context(Context):
    def extract_vars(self, frame):
        return inspect.getargvalues(frame).locals

    def parameters(self, all_vars):
        return {k: v for k, v in all_vars.items() if k in self.parameter_names}

    def qualified(self, all_vars):
        return {"%s:%s" % (self.method, k): v for k, v in all_vars.items()}

We hook printing the context to our traceit() to see it in action. First we define a log_event() for displaying events.

def log_event(event, var):
    print({'call': '->', 'return': '<-'}.get(event, '  '), var)

And use the log_event() in the traceit() function.

class Tracer(Tracer):
    def traceit(self, frame, event, arg):
        log_event(event, Context(frame))
        return self.traceit

Running process_vehicle() under trace prints the contexts encountered.

with Tracer() as tracer:
    process_vehicle(VEHICLES[0])
-> Parser.ipynb:29:process_vehicle(vehicle)
   Parser.ipynb:30:process_vehicle(vehicle)
   Parser.ipynb:31:process_vehicle(vehicle)
   Parser.ipynb:32:process_vehicle(vehicle)
-> Parser.ipynb:40:process_van(year,company,model)
   Parser.ipynb:41:process_van(year,company,model)
   Parser.ipynb:42:process_van(year,company,model)
   Parser.ipynb:43:process_van(year,company,model)
   Parser.ipynb:46:process_van(year,company,model)
   Parser.ipynb:47:process_van(year,company,model)
<- Parser.ipynb:47:process_van(year,company,model)
<- Parser.ipynb:32:process_vehicle(vehicle)
-> Coverage.ipynb:102:__exit__(self,exc_type,exc_value,tb)
   Coverage.ipynb:105:__exit__(self,exc_type,exc_value,tb)

The trace produced by executing any function can get overwhelmingly large. Hence, we need to restrict our attention to specific modules. Further, we also restrict our attention exclusively to str variables since these variables are more likely to contain input fragments. (We will show how to deal with complex objects later in exercises.)

The Context class we developed earlier is used to decide which modules to monitor, and which variables to trace.

We store the current input string so that it can be used to determine if any particular string fragments came from the current input string. Any optional arguments are processed separately.

class Tracer(Tracer):
    def __init__(self, my_input, **kwargs):
        self.options(kwargs)
        self.my_input, self.trace = my_input, []

We use an optional argument files to indicate the specific source files we are interested in, and methods to indicate which specific methods are of interest. Further, we also use log to specify whether verbose logging should be enabled during trace. We use the log_event() method we defined earlier for logging.

The options processing is as below.

class Tracer(Tracer):
    def options(self, kwargs):
        self.files = kwargs.get('files', [])
        self.methods = kwargs.get('methods', [])
        self.log = log_event if kwargs.get('log') else lambda _evt, _var: None

The files and methods are checked to determine, if a particular event should be traced or not

class Tracer(Tracer):
    def tracing_context(self, cxt, event, arg):
        fres = not self.files or any(
            cxt.file_name.endswith(f) for f in self.files)
        mres = not self.methods or any(cxt.method == m for m in self.methods)
        return fres and mres

Similar to the context of events, we also want to restrict our attention to specific variables. For now, we want to focus only on strings. (See the Exercises at the end of the chapter on how to extend it to other kinds of objects).

class Tracer(Tracer):
    def tracing_var(self, k, v):
        return isinstance(v, str)

We modify the traceit() to call an on_event() function with the context information only on the specific events we are interested in.

class Tracer(Tracer):
    def on_event(self, event, arg, cxt, my_vars):
        self.trace.append((event, arg, cxt, my_vars))

    def create_context(self, frame):
        return Context(frame)

    def traceit(self, frame, event, arg):
        cxt = self.create_context(frame)
        if not self.tracing_context(cxt, event, arg):
            return self.traceit
        self.log(event, cxt)

        my_vars = {
            k: v
            for k, v in cxt.extract_vars(frame).items()
            if self.tracing_var(k, v)
        }
        self.on_event(event, arg, cxt, my_vars)
        return self.traceit

The Tracer class can now focus on specific kinds of events on specific files. Further, it provides a first level filter for variables that we find interesting. For example, we want to focus specifically on variables from process_* methods that contain input fragments. Here is how our updated Tracer can be used.

with Tracer(VEHICLES[0], methods=INVENTORY_METHODS, log=True) as tracer:
    process_vehicle(VEHICLES[0])
-> Parser.ipynb:29:process_vehicle(vehicle)
   Parser.ipynb:30:process_vehicle(vehicle)
   Parser.ipynb:31:process_vehicle(vehicle)
   Parser.ipynb:32:process_vehicle(vehicle)
-> Parser.ipynb:40:process_van(year,company,model)
   Parser.ipynb:41:process_van(year,company,model)
   Parser.ipynb:42:process_van(year,company,model)
   Parser.ipynb:43:process_van(year,company,model)
   Parser.ipynb:46:process_van(year,company,model)
   Parser.ipynb:47:process_van(year,company,model)
<- Parser.ipynb:47:process_van(year,company,model)
<- Parser.ipynb:32:process_vehicle(vehicle)

The execution produced the following trace.

for t in tracer.trace:
    print(t[0], t[2].method, dict(t[3]))
call process_vehicle {'vehicle': '1997,van,Ford,E350'}
line process_vehicle {'vehicle': '1997,van,Ford,E350'}
line process_vehicle {'vehicle': '1997,van,Ford,E350', 'year': '1997', 'kind': 'van', 'company': 'Ford', 'model': 'E350'}
line process_vehicle {'vehicle': '1997,van,Ford,E350', 'year': '1997', 'kind': 'van', 'company': 'Ford', 'model': 'E350'}
call process_van {'year': '1997', 'company': 'Ford', 'model': 'E350'}
line process_van {'year': '1997', 'company': 'Ford', 'model': 'E350'}
line process_van {'year': '1997', 'company': 'Ford', 'model': 'E350'}
line process_van {'year': '1997', 'company': 'Ford', 'model': 'E350'}
line process_van {'year': '1997', 'company': 'Ford', 'model': 'E350'}
line process_van {'year': '1997', 'company': 'Ford', 'model': 'E350'}
return process_van {'year': '1997', 'company': 'Ford', 'model': 'E350'}
return process_vehicle {'vehicle': '1997,van,Ford,E350', 'year': '1997', 'kind': 'van', 'company': 'Ford', 'model': 'E350'}

Since we are saving the input already in Tracer, it is redundant to specify it separately again as an argument.

with Tracer(VEHICLES[0], methods=INVENTORY_METHODS, log=True) as tracer:
    process_vehicle(tracer.my_input)
-> Parser.ipynb:29:process_vehicle(vehicle)
   Parser.ipynb:30:process_vehicle(vehicle)
   Parser.ipynb:31:process_vehicle(vehicle)
   Parser.ipynb:32:process_vehicle(vehicle)
-> Parser.ipynb:40:process_van(year,company,model)
   Parser.ipynb:41:process_van(year,company,model)
   Parser.ipynb:42:process_van(year,company,model)
   Parser.ipynb:43:process_van(year,company,model)
   Parser.ipynb:46:process_van(year,company,model)
   Parser.ipynb:47:process_van(year,company,model)
<- Parser.ipynb:47:process_van(year,company,model)
<- Parser.ipynb:32:process_vehicle(vehicle)

DefineTracker

We define a DefineTracker class that processes the trace from the Tracer. The idea is to store different variable definitions which are input fragments.

The tracker identifies string fragments that are part of the input string, and stores them in a dictionary my_assignments. It saves the trace, and the corresponding input for processing. Finally, it calls process() to process the trace it was given. We will start with a simple tracker that relies on certain assumptions, and later see how these assumptions can be relaxed.

class DefineTracker:
    def __init__(self, my_input, trace, **kwargs):
        self.options(kwargs)
        self.my_input = my_input
        self.trace = trace
        self.my_assignments = {}
        self.process()

One of the problems of using substring search is that short string sequences tend to be included in other string sequences even though they may not have come from the original string. That is, say the input fragment is v, it could have equally come from either van or chevy. We rely on being able to predict the exact place in the input where a given fragment occurred. Hence, we define a constant FRAGMENT_LEN such that we ignore strings up to that length. We also incorporate a logging facility as before.

FRAGMENT_LEN = 3
class DefineTracker(DefineTracker):
    def options(self, kwargs):
        self.log = log_event if kwargs.get('log') else lambda _evt, _var: None
        self.fragment_len = kwargs.get('fragment_len', FRAGMENT_LEN)

Our tracer simply records the variable values as they occur. We next need to check if the variables contain values from the input string. Common ways to do this is to rely on symbolic execution or at least dynamic tainting, which are powerful, but also complex. However, one can obtain a reasonable approximation by simply relying on substring search. That is, we consider any value produced that is a substring of the original input string to have come from the original input.

We define an is_input_fragment() method that relies on string inclusion to detect if the string came from the input.

class DefineTracker(DefineTracker):
    def is_input_fragment(self, var, value):
        return len(value) >= self.fragment_len and value in self.my_input

We can use is_input_fragment() to select only a subset of variables defined, as implemented below in fragments().

class DefineTracker(DefineTracker):
    def fragments(self, variables):
        return {k: v for k, v in variables.items(
        ) if self.is_input_fragment(k, v)}

The tracker processes each event, and at each event, it updates the dictionary my_assignments with the current local variables that contain strings that are part of the input. Note that there is a choice here with respect to what happens during reassignment. We can either discard all the reassignments, or keep only the last assignment. Here, we choose the latter. If you want the former behavior, check whether the value exists in my_assignments before storing a fragment.

class DefineTracker(DefineTracker):
    def track_event(self, event, arg, cxt, my_vars):
        self.log(event, (cxt.method, my_vars))
        self.my_assignments.update(self.fragments(my_vars))

    def process(self):
        for event, arg, cxt, my_vars in self.trace:
            self.track_event(event, arg, cxt, my_vars)

Using the tracker, we can obtain the input fragments. For example, say we are only interested in strings that are at least 5 characters long.

tracker = DefineTracker(tracer.my_input, tracer.trace, fragment_len=5)
for k, v in tracker.my_assignments.items():
    print(k, '=', repr(v))
vehicle = '1997,van,Ford,E350'

Or strings that are 2 characters long (the default).

tracker = DefineTracker(tracer.my_input, tracer.trace)
for k, v in tracker.my_assignments.items():
    print(k, '=', repr(v))
vehicle = '1997,van,Ford,E350'
year = '1997'
kind = 'van'
company = 'Ford'
model = 'E350'
class DefineTracker(DefineTracker):
    def assignments(self):
        return self.my_assignments.items()

Assembling a Derivation Tree

from Grammars import START_SYMBOL, syntax_diagram, \
    is_nonterminal, Grammar
from GrammarFuzzer import GrammarFuzzer, display_tree, \
    DerivationTree

The input fragments from the DefineTracker only tell half the story. The fragments may be created at different stages of parsing. Hence, we need to assemble the fragments to a derivation tree of the input. The basic idea is as follows:

Our input from the previous step was:

"1997,van,Ford,E350"

We start a derivation tree, and associate it with the start symbol in the grammar.

derivation_tree: DerivationTree = (START_SYMBOL, [("1997,van,Ford,E350", [])])
display_tree(derivation_tree)
0 <start> 1 1997,van,Ford,E350 0->1

The next input was:

vehicle = "1997,van,Ford,E350"

Since vehicle covers the <start> node's value completely, we replace the value with the vehicle node.

derivation_tree: DerivationTree = (START_SYMBOL, 
                                   [('<vehicle>', [("1997,van,Ford,E350", [])],
                                                   [])])
display_tree(derivation_tree)
0 <start> 1 <vehicle> 0->1 2 1997,van,Ford,E350 1->2

The next input was:

year = '1997'

Traversing the derivation tree from <start>, we see that it replaces a portion of the <vehicle> node's value. Hence we split the <vehicle> node's value to two children, where one corresponds to the value "1997" and the other to ",van,Ford,E350", and replace the first one with the node <year>.

derivation_tree: DerivationTree = (START_SYMBOL, 
                                   [('<vehicle>', [('<year>', [('1997', [])]),
                                                   (",van,Ford,E350", [])], [])])
display_tree(derivation_tree)
0 <start> 1 <vehicle> 0->1 2 <year> 1->2 4 ,van,Ford,E350 1->4 3 1997 2->3

We perform similar operations for

company = 'Ford'
derivation_tree: DerivationTree = (START_SYMBOL, 
                                   [('<vehicle>', [('<year>', [('1997', [])]),
                                                   (",van,", []),
                                                   ('<company>', [('Ford', [])]),
                                                   (",E350", [])], [])])
display_tree(derivation_tree)
0 <start> 1 <vehicle> 0->1 2 <year> 1->2 4 ,van, 1->4 5 <company> 1->5 7 ,E350 1->7 3 1997 2->3 6 Ford 5->6

Similarly for

kind = 'van'

and

model = 'E350'
derivation_tree: DerivationTree = (START_SYMBOL, 
                                   [('<vehicle>', [('<year>', [('1997', [])]),
                                                   (",", []),
                                                   ("<kind>", [('van', [])]),
                                                   (",", []),
                                                   ('<company>', [('Ford', [])]),
                                                   (",", []),
                                                   ("<model>", [('E350', [])])
                                                   ], [])])
display_tree(derivation_tree)
0 <start> 1 <vehicle> 0->1 2 <year> 1->2 4 , (44) 1->4 5 <kind> 1->5 7 , (44) 1->7 8 <company> 1->8 10 , (44) 1->10 11 <model> 1->11 3 1997 2->3 6 van 5->6 9 Ford 8->9 12 E350 11->12

We now develop the complete algorithm with the above described steps. The derivation tree TreeMiner is initialized with the input string, and the variable assignments, and it converts the assignments to the corresponding derivation tree.

class TreeMiner:
    def __init__(self, my_input, my_assignments, **kwargs):
        self.options(kwargs)
        self.my_input = my_input
        self.my_assignments = my_assignments
        self.tree = self.get_derivation_tree()

    def options(self, kwargs):
        self.log = log_call if kwargs.get('log') else lambda _i, _v: None

    def get_derivation_tree(self):
        return (START_SYMBOL, [])

The log_call() is as follows.

def log_call(indent, var):
    print('\t' * indent, var)

The basic idea is as follows:

  • For now, we assume that the value assigned to a variable is stable. That is, it is never reassigned. In particular, there are no recursive calls, or multiple calls to the same function from different parts. (We will show how to overcome this limitation later).
  • For each pair var, value found in my_assignments:
    1. We search for occurrences of value val in the derivation tree recursively.
    2. If an occurrence was found as a value V1 of a node P1, we partition the value of the node P1 into three parts, with the central part matching the value val, and the first and last part, the corresponding prefix and suffix in V1.
    3. Reconstitute the node P1 with three children, where prefix and suffix mentioned earlier are string values, and the matching value val is replaced by a node var with a single value val.

First, we define a wrapper to generate a nonterminal from a variable name.

def to_nonterminal(var):
    return "<" + var.lower() + ">"

The string_part_of_value() method checks whether the given part value was part of the whole.

class TreeMiner(TreeMiner):
    def string_part_of_value(self, part, value):
        return (part in value)

The partition_by_part() splits the value by the given part if it matches, and returns a list containing the first part, the part that was replaced, and the last part. This is a format that can be used as a part of the list of children.

class TreeMiner(TreeMiner):
    def partition(self, part, value):
        return value.partition(part)
class TreeMiner(TreeMiner):
    def partition_by_part(self, pair, value):
        k, part = pair
        prefix_k_suffix = [
                    (k, [[part, []]]) if i == 1 else (e, [])
                    for i, e in enumerate(self.partition(part, value))
                    if e]
        return prefix_k_suffix

The insert_into_tree() method accepts a given tree tree and a (k,v) pair. It recursively checks whether the given pair can be applied. If the pair can be applied, it applies the pair and returns True.

class TreeMiner(TreeMiner):
    def insert_into_tree(self, my_tree, pair):
        var, values = my_tree
        k, v = pair
        self.log(1, "- Node: %s\t\t? (%s:%s)" % (var, k, repr(v)))
        applied = False
        for i, value_ in enumerate(values):
            value, arr = value_
            self.log(2, "-> [%d] %s" % (i, repr(value)))
            if is_nonterminal(value):
                applied = self.insert_into_tree(value_, pair)
                if applied:
                    break
            elif self.string_part_of_value(v, value):
                prefix_k_suffix = self.partition_by_part(pair, value)
                del values[i]
                for j, rep in enumerate(prefix_k_suffix):
                    values.insert(j + i, rep)
                applied = True

                self.log(2, " > %s" % (repr([i[0] for i in prefix_k_suffix])))
                break
            else:
                continue
        return applied

Here is how insert_into_tree() is used.

tree: DerivationTree = (START_SYMBOL, [("1997,van,Ford,E350", [])])
m = TreeMiner('', {}, log=True)

First, we have our input string as the only node.

display_tree(tree)
0 <start> 1 1997,van,Ford,E350 0->1

Inserting the <vehicle> node.

v = m.insert_into_tree(tree, ('<vehicle>', "1997,van,Ford,E350"))
	 - Node: <start>		? (<vehicle>:'1997,van,Ford,E350')
		 -> [0] '1997,van,Ford,E350'
		  > ['<vehicle>']
display_tree(tree)
0 <start> 1 <vehicle> 0->1 2 1997,van,Ford,E350 1->2

Inserting <model> node.

v = m.insert_into_tree(tree, ('<model>', 'E350'))
	 - Node: <start>		? (<model>:'E350')
		 -> [0] '<vehicle>'
	 - Node: <vehicle>		? (<model>:'E350')
		 -> [0] '1997,van,Ford,E350'
		  > ['1997,van,Ford,', '<model>']
display_tree((tree))
0 <start> 1 <vehicle> 0->1 2 1997,van,Ford, 1->2 3 <model> 1->3 4 E350 3->4

Inserting <company>.

v = m.insert_into_tree(tree, ('<company>', 'Ford'))
	 - Node: <start>		? (<company>:'Ford')
		 -> [0] '<vehicle>'
	 - Node: <vehicle>		? (<company>:'Ford')
		 -> [0] '1997,van,Ford,'
		  > ['1997,van,', '<company>', ',']
display_tree(tree)
0 <start> 1 <vehicle> 0->1 2 1997,van, 1->2 3 <company> 1->3 5 , (44) 1->5 6 <model> 1->6 4 Ford 3->4 7 E350 6->7

Inserting <kind>.

v = m.insert_into_tree(tree, ('<kind>', 'van'))
	 - Node: <start>		? (<kind>:'van')
		 -> [0] '<vehicle>'
	 - Node: <vehicle>		? (<kind>:'van')
		 -> [0] '1997,van,'
		  > ['1997,', '<kind>', ',']
display_tree(tree)
0 <start> 1 <vehicle> 0->1 2 1997, 1->2 3 <kind> 1->3 5 , (44) 1->5 6 <company> 1->6 8 , (44) 1->8 9 <model> 1->9 4 van 3->4 7 Ford 6->7 10 E350 9->10

Inserting <year>.

v = m.insert_into_tree(tree, ('<year>', '1997'))
	 - Node: <start>		? (<year>:'1997')
		 -> [0] '<vehicle>'
	 - Node: <vehicle>		? (<year>:'1997')
		 -> [0] '1997,'
		  > ['<year>', ',']
display_tree(tree)
0 <start> 1 <vehicle> 0->1 2 <year> 1->2 4 , (44) 1->4 5 <kind> 1->5 7 , (44) 1->7 8 <company> 1->8 10 , (44) 1->10 11 <model> 1->11 3 1997 2->3 6 van 5->6 9 Ford 8->9 12 E350 11->12

To make life simple, we define a wrapper function nt_var() that will convert a token to its corresponding nonterminal symbol.

class TreeMiner(TreeMiner):
    def nt_var(self, var):
        return var if is_nonterminal(var) else to_nonterminal(var)

Now, we need to apply a new definition to an entire grammar.

class TreeMiner(TreeMiner):
    def apply_new_definition(self, tree, var, value):
        nt_var = self.nt_var(var)
        return self.insert_into_tree(tree, (nt_var, value))

This algorithm is implemented as get_derivation_tree().

class TreeMiner(TreeMiner):
    def get_derivation_tree(self):
        tree = (START_SYMBOL, [(self.my_input, [])])

        for var, value in self.my_assignments:
            self.log(0, "%s=%s" % (var, repr(value)))
            self.apply_new_definition(tree, var, value)
        return tree

The TreeMiner is used as follows:

with Tracer(VEHICLES[0]) as tracer:
    process_vehicle(tracer.my_input)
assignments = DefineTracker(tracer.my_input, tracer.trace).assignments()
dt = TreeMiner(tracer.my_input, assignments, log=True)
dt.tree
 vehicle='1997,van,Ford,E350'
	 - Node: <start>		? (<vehicle>:'1997,van,Ford,E350')
		 -> [0] '1997,van,Ford,E350'
		  > ['<vehicle>']
 year='1997'
	 - Node: <start>		? (<year>:'1997')
		 -> [0] '<vehicle>'
	 - Node: <vehicle>		? (<year>:'1997')
		 -> [0] '1997,van,Ford,E350'
		  > ['<year>', ',van,Ford,E350']
 kind='van'
	 - Node: <start>		? (<kind>:'van')
		 -> [0] '<vehicle>'
	 - Node: <vehicle>		? (<kind>:'van')
		 -> [0] '<year>'
	 - Node: <year>		? (<kind>:'van')
		 -> [0] '1997'
		 -> [1] ',van,Ford,E350'
		  > [',', '<kind>', ',Ford,E350']
 company='Ford'
	 - Node: <start>		? (<company>:'Ford')
		 -> [0] '<vehicle>'
	 - Node: <vehicle>		? (<company>:'Ford')
		 -> [0] '<year>'
	 - Node: <year>		? (<company>:'Ford')
		 -> [0] '1997'
		 -> [1] ','
		 -> [2] '<kind>'
	 - Node: <kind>		? (<company>:'Ford')
		 -> [0] 'van'
		 -> [3] ',Ford,E350'
		  > [',', '<company>', ',E350']
 model='E350'
	 - Node: <start>		? (<model>:'E350')
		 -> [0] '<vehicle>'
	 - Node: <vehicle>		? (<model>:'E350')
		 -> [0] '<year>'
	 - Node: <year>		? (<model>:'E350')
		 -> [0] '1997'
		 -> [1] ','
		 -> [2] '<kind>'
	 - Node: <kind>		? (<model>:'E350')
		 -> [0] 'van'
		 -> [3] ','
		 -> [4] '<company>'
	 - Node: <company>		? (<model>:'E350')
		 -> [0] 'Ford'
		 -> [5] ',E350'
		  > [',', '<model>']
('<start>',
 [('<vehicle>',
   [('<year>', [['1997', []]]),
    (',', []),
    ('<kind>', [['van', []]]),
    (',', []),
    ('<company>', [['Ford', []]]),
    (',', []),
    ('<model>', [['E350', []]])])])

The obtained derivation tree is as below.

display_tree(TreeMiner(tracer.my_input, assignments).tree)
0 <start> 1 <vehicle> 0->1 2 <year> 1->2 4 , (44) 1->4 5 <kind> 1->5 7 , (44) 1->7 8 <company> 1->8 10 , (44) 1->10 11 <model> 1->11 3 1997 2->3 6 van 5->6 9 Ford 8->9 12 E350 11->12

Combining all the pieces:

trees = []
for vehicle in VEHICLES:
    print(vehicle)
    with Tracer(vehicle) as tracer:
        process_vehicle(tracer.my_input)
    assignments = DefineTracker(tracer.my_input, tracer.trace).assignments()
    trees.append((tracer.my_input, assignments))
    for var, val in assignments:
        print(var + " = " + repr(val))
    print()
1997,van,Ford,E350
vehicle = '1997,van,Ford,E350'
year = '1997'
kind = 'van'
company = 'Ford'
model = 'E350'

2000,car,Mercury,Cougar
vehicle = '2000,car,Mercury,Cougar'
year = '2000'
kind = 'car'
company = 'Mercury'
model = 'Cougar'

1999,car,Chevy,Venture
vehicle = '1999,car,Chevy,Venture'
year = '1999'
kind = 'car'
company = 'Chevy'
model = 'Venture'

The corresponding derivation trees are below.

csv_dt = []
for inputstr, assignments in trees:
    print(inputstr)
    dt = TreeMiner(inputstr, assignments)
    csv_dt.append(dt)
    display_tree(dt.tree)
1997,van,Ford,E350
2000,car,Mercury,Cougar
1999,car,Chevy,Venture

Recovering Grammars from Derivation Trees

We define a class Miner that can combine multiple derivation trees to produce the grammar. The initial grammar is empty.

class GrammarMiner:
    def __init__(self):
        self.grammar = {}

The tree_to_grammar() method converts our derivation tree to a grammar by picking one node at a time, and adding it to the grammar. The node name becomes the key, and any list of children it has becomes another alternative for that key.

class GrammarMiner(GrammarMiner):
    def tree_to_grammar(self, tree):
        node, children = tree
        one_alt = [ck for ck, gc in children]
        hsh = {node: [one_alt] if one_alt else []}
        for child in children:
            if not is_nonterminal(child[0]):
                continue
            chsh = self.tree_to_grammar(child)
            for k in chsh:
                if k not in hsh:
                    hsh[k] = chsh[k]
                else:
                    hsh[k].extend(chsh[k])
        return hsh
gm = GrammarMiner()
gm.tree_to_grammar(csv_dt[0].tree)
{'<start>': [['<vehicle>']],
 '<vehicle>': [['<year>', ',', '<kind>', ',', '<company>', ',', '<model>']],
 '<year>': [['1997']],
 '<kind>': [['van']],
 '<company>': [['Ford']],
 '<model>': [['E350']]}

The grammar being generated here is canonical. We define a function readable() that takes in a canonical grammar and returns it in a readable form.

def readable(grammar):
    def readable_rule(rule):
        return ''.join(rule)

    return {k: list(set(readable_rule(a) for a in grammar[k]))
            for k in grammar}
syntax_diagram(readable(gm.tree_to_grammar(csv_dt[0].tree)))
start
vehicle
vehicle
year , kind , company , model
year
1997
kind
van
company
Ford
model
E350

The add_tree() method gets a combined list of non-terminals from current grammar, and the tree to be added to the grammar, and updates the definitions of each non-terminal.

import itertools
class GrammarMiner(GrammarMiner):
    def add_tree(self, t):
        t_grammar = self.tree_to_grammar(t.tree)
        self.grammar = {
            key: self.grammar.get(key, []) + t_grammar.get(key, [])
            for key in itertools.chain(self.grammar.keys(), t_grammar.keys())
        }

The add_tree() is used as follows:

inventory_grammar_miner = GrammarMiner()
for dt in csv_dt:
    inventory_grammar_miner.add_tree(dt)
syntax_diagram(readable(inventory_grammar_miner.grammar))
start
vehicle
vehicle
year , kind , company , model
year
2000 1999 1997
kind
car van
company
Mercury Ford Chevy
model
Cougar E350 Venture

Given execution traces from various inputs, one can define update_grammar() to obtain the complete grammar from the traces.

class GrammarMiner(GrammarMiner):
    def update_grammar(self, inputstr, trace):
        at = self.create_tracker(inputstr, trace)
        dt = self.create_tree_miner(inputstr, at.assignments())
        self.add_tree(dt)
        return self.grammar

    def create_tracker(self, *args):
        return DefineTracker(*args)

    def create_tree_miner(self, *args):
        return TreeMiner(*args)

The complete grammar recovery is implemented in recover_grammar().

def recover_grammar(fn: Callable, inputs: Iterable[str], 
                    **kwargs: Any) -> Grammar:
    miner = GrammarMiner()

    for inputstr in inputs:
        with Tracer(inputstr, **kwargs) as tracer:
            fn(tracer.my_input)
        miner.update_grammar(tracer.my_input, tracer.trace)

    return readable(miner.grammar)

Note that the grammar could have been retrieved directly from the tracker, without the intermediate derivation tree stage. However, going through the derivation tree allows one to inspect the inputs being fragmented and verify that it happens correctly.

Example 1. Recovering the Inventory Grammar

inventory_grammar = recover_grammar(process_vehicle, VEHICLES)
inventory_grammar
{'<start>': ['<vehicle>'],
 '<vehicle>': ['<year>,<kind>,<company>,<model>'],
 '<year>': ['2000', '1999', '1997'],
 '<kind>': ['car', 'van'],
 '<company>': ['Mercury', 'Ford', 'Chevy'],
 '<model>': ['Cougar', 'E350', 'Venture']}

Example 2. Recovering URL Grammar

Our algorithm is robust enough to recover grammar from real world programs. For example, the urlparse function in the Python urlib module accepts the following sample URLs.

URLS = [
    'http://user:pass@www.google.com:80/?q=path#ref',
    'https://www.cispa.saarland:80/',
    'http://www.fuzzingbook.org/#News',
]

The urllib caches its intermediate results for faster access. Hence, we need to disable it using clear_cache() after every invocation.

from urllib.parse import urlparse, clear_cache

We use the sample URLs to recover grammar as follows. The urlparse function tends to cache its previous parsing results. Hence, we define a new method url_parse() that clears the cache before each call.

def url_parse(url):
    clear_cache()
    urlparse(url)
trees = []
for url in URLS:
    print(url)
    with Tracer(url) as tracer:
        url_parse(tracer.my_input)
    assignments = DefineTracker(tracer.my_input, tracer.trace).assignments()
    trees.append((tracer.my_input, assignments))
    for var, val in assignments:
        print(var + " = " + repr(val))
    print()

url_dt = []
for inputstr, assignments in trees:
    print(inputstr)
    dt = TreeMiner(inputstr, assignments)
    url_dt.append(dt)
    display_tree(dt.tree)
http://user:pass@www.google.com:80/?q=path#ref
url = 'http://user:pass@www.google.com:80/?q=path#ref'
scheme = 'http'
netloc = 'user:pass@www.google.com:80'
fragment = 'ref'
query = 'q=path'

https://www.cispa.saarland:80/
url = 'https://www.cispa.saarland:80/'
scheme = 'https'
netloc = 'www.cispa.saarland:80'

http://www.fuzzingbook.org/#News
url = 'http://www.fuzzingbook.org/#News'
scheme = 'http'
netloc = 'www.fuzzingbook.org'
fragment = 'News'

http://user:pass@www.google.com:80/?q=path#ref
https://www.cispa.saarland:80/
http://www.fuzzingbook.org/#News

Let us use url_parse() to recover the grammar:

url_grammar = recover_grammar(url_parse, URLS, files=['urllib/parse.py'])
syntax_diagram(url_grammar)
start
url
url
scheme :// netloc / scheme :// netloc /? query # fragment scheme :// netloc /# fragment
scheme
https http
netloc
www.fuzzingbook.org user:pass@www.google.com:80 www.cispa.saarland:80
query
q=path
fragment
News ref

The recovered grammar describes the URL format reasonably well.

Fuzzing

We can now use our recovered grammar for fuzzing as follows.

First, the inventory grammar.

f = GrammarFuzzer(inventory_grammar)
for _ in range(10):
    print(f.fuzz())
1997,car,Mercury,Cougar
1999,car,Ford,E350
1997,van,Mercury,Venture
2000,car,Chevy,Venture
1999,car,Mercury,Cougar
1999,car,Mercury,E350
1997,car,Ford,Cougar
1997,car,Ford,Cougar
1997,car,Mercury,E350
2000,car,Ford,Cougar

Next, the URL grammar.

f = GrammarFuzzer(url_grammar)
for _ in range(10):
    print(f.fuzz())
https://www.cispa.saarland:80/?q=path#News
https://www.fuzzingbook.org/
http://user:pass@www.google.com:80/?q=path#ref
https://user:pass@www.google.com:80/#News
https://www.cispa.saarland:80/#ref
http://user:pass@www.google.com:80/
https://user:pass@www.google.com:80/?q=path#ref
https://www.fuzzingbook.org/#ref
https://www.cispa.saarland:80/
https://www.fuzzingbook.org/#ref

What this means is that we can now take a program and a few samples, extract its grammar, and then use this very grammar for fuzzing. Now that's quite an opportunity!

Problems with the Simple Miner

One of the problems with our simple grammar miner is the assumption that the values assigned to variables are stable. Unfortunately, that may not hold true in all cases. For example, here is a URL with a slightly different format.

URLS_X = URLS + ['ftp://freebsd.org/releases/5.8']

The grammar generated from this set of samples is not as nice as what we got earlier

url_grammar = recover_grammar(url_parse, URLS_X, files=['urllib/parse.py'])
syntax_diagram(url_grammar)
start
scheme :// netloc url url
url
scheme :// netloc /? query # fragment scheme :// netloc / /releases/5.8 scheme :// netloc /# fragment
scheme
https ftp http
netloc
www.fuzzingbook.org freebsd.org user:pass@www.google.com:80 www.cispa.saarland:80
query
q=path
fragment
News ref

Clearly, something has gone wrong.

To investigate why the url definition has gone wrong, let us inspect the trace for the URL.

clear_cache()
with Tracer(URLS_X[0]) as tracer:
    urlparse(tracer.my_input)
for i, t in enumerate(tracer.trace):
    if t[0] in {'call', 'line'} and 'parse.py' in str(t[2]) and t[3]:
        print(i, t[2]._t()[1], t[3:])
0 372 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': ''},)
1 392 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': ''},)
5 124 ({'arg': ''},)
6 121 ({'arg': ''},)
7 126 ({'arg': ''},)
8 127 ({'arg': ''},)
10 393 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': ''},)
11 437 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': ''},)
12 458 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': ''},)
16 124 ({'arg': ''},)
17 121 ({'arg': ''},)
18 126 ({'arg': ''},)
19 127 ({'arg': ''},)
21 460 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': ''},)
22 461 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\t'},)
23 462 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\t'},)
24 460 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\t'},)
25 461 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\r'},)
26 462 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\r'},)
27 460 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\r'},)
28 461 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n'},)
29 462 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n'},)
30 460 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n'},)
31 464 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n'},)
32 465 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n'},)
33 466 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n'},)
34 467 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n'},)
35 469 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n'},)
36 471 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n'},)
37 472 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n', 'netloc': '', 'query': '', 'fragment': ''},)
38 473 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n', 'netloc': '', 'query': '', 'fragment': ''},)
39 474 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n', 'netloc': '', 'query': '', 'fragment': ''},)
40 475 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n', 'netloc': '', 'query': '', 'fragment': '', 'c': 'h'},)
41 474 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n', 'netloc': '', 'query': '', 'fragment': '', 'c': 'h'},)
42 475 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n', 'netloc': '', 'query': '', 'fragment': '', 'c': 't'},)
43 474 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n', 'netloc': '', 'query': '', 'fragment': '', 'c': 't'},)
44 475 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n', 'netloc': '', 'query': '', 'fragment': '', 'c': 't'},)
45 474 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n', 'netloc': '', 'query': '', 'fragment': '', 'c': 't'},)
46 475 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n', 'netloc': '', 'query': '', 'fragment': '', 'c': 'p'},)
47 474 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n', 'netloc': '', 'query': '', 'fragment': '', 'c': 'p'},)
48 478 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': '', 'b': '\n', 'netloc': '', 'query': '', 'fragment': '', 'c': 'p'},)
49 480 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'scheme': 'http', 'b': '\n', 'netloc': '', 'query': '', 'fragment': '', 'c': 'p'},)
50 481 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'scheme': 'http', 'b': '\n', 'netloc': '', 'query': '', 'fragment': '', 'c': 'p'},)
51 411 ({'url': '//user:pass@www.google.com:80/?q=path#ref'},)
52 412 ({'url': '//user:pass@www.google.com:80/?q=path#ref'},)
53 413 ({'url': '//user:pass@www.google.com:80/?q=path#ref'},)
54 414 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'c': '/'},)
55 415 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'c': '/'},)
56 416 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'c': '/'},)
57 413 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'c': '/'},)
58 414 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'c': '?'},)
59 415 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'c': '?'},)
60 416 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'c': '?'},)
61 413 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'c': '?'},)
62 414 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'c': '#'},)
63 415 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'c': '#'},)
64 416 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'c': '#'},)
65 413 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'c': '#'},)
66 417 ({'url': '//user:pass@www.google.com:80/?q=path#ref', 'c': '#'},)
68 482 ({'url': '/?q=path#ref', 'scheme': 'http', 'b': '\n', 'netloc': 'user:pass@www.google.com:80', 'query': '', 'fragment': '', 'c': 'p'},)
69 483 ({'url': '/?q=path#ref', 'scheme': 'http', 'b': '\n', 'netloc': 'user:pass@www.google.com:80', 'query': '', 'fragment': '', 'c': 'p'},)
70 482 ({'url': '/?q=path#ref', 'scheme': 'http', 'b': '\n', 'netloc': 'user:pass@www.google.com:80', 'query': '', 'fragment': '', 'c': 'p'},)
71 485 ({'url': '/?q=path#ref', 'scheme': 'http', 'b': '\n', 'netloc': 'user:pass@www.google.com:80', 'query': '', 'fragment': '', 'c': 'p'},)
72 486 ({'url': '/?q=path#ref', 'scheme': 'http', 'b': '\n', 'netloc': 'user:pass@www.google.com:80', 'query': '', 'fragment': '', 'c': 'p'},)
73 487 ({'url': '/?q=path', 'scheme': 'http', 'b': '\n', 'netloc': 'user:pass@www.google.com:80', 'query': '', 'fragment': 'ref', 'c': 'p'},)
74 488 ({'url': '/?q=path', 'scheme': 'http', 'b': '\n', 'netloc': 'user:pass@www.google.com:80', 'query': '', 'fragment': 'ref', 'c': 'p'},)
75 489 ({'url': '/', 'scheme': 'http', 'b': '\n', 'netloc': 'user:pass@www.google.com:80', 'query': 'q=path', 'fragment': 'ref', 'c': 'p'},)
76 419 ({'netloc': 'user:pass@www.google.com:80'},)
77 420 ({'netloc': 'user:pass@www.google.com:80'},)
78 421 ({'netloc': 'user:pass@www.google.com:80'},)
80 490 ({'url': '/', 'scheme': 'http', 'b': '\n', 'netloc': 'user:pass@www.google.com:80', 'query': 'q=path', 'fragment': 'ref', 'c': 'p'},)
84 491 ({'url': '/', 'scheme': 'http', 'b': '\n', 'netloc': 'user:pass@www.google.com:80', 'query': 'q=path', 'fragment': 'ref', 'c': 'p'},)
85 492 ({'url': '/', 'scheme': 'http', 'b': '\n', 'netloc': 'user:pass@www.google.com:80', 'query': 'q=path', 'fragment': 'ref', 'c': 'p'},)
90 394 ({'url': 'http://user:pass@www.google.com:80/?q=path#ref', 'scheme': ''},)
91 395 ({'url': '/', 'scheme': 'http', 'netloc': 'user:pass@www.google.com:80', 'query': 'q=path', 'fragment': 'ref'},)
92 398 ({'url': '/', 'scheme': 'http', 'netloc': 'user:pass@www.google.com:80', 'query': 'q=path', 'fragment': 'ref'},)
93 399 ({'url': '/', 'scheme': 'http', 'netloc': 'user:pass@www.google.com:80', 'query': 'q=path', 'fragment': 'ref', 'params': ''},)
97 400 ({'url': '/', 'scheme': 'http', 'netloc': 'user:pass@www.google.com:80', 'query': 'q=path', 'fragment': 'ref', 'params': ''},)

Notice how the value of url changes as the parsing progresses? This violates our assumption that the value assigned to a variable is stable. We next look at how this limitation can be removed.

Grammar Miner with Reassignment

One way to uniquely identify different variables is to annotate them with line numbers both when they are defined and also when their value changes. Consider the code fragment below

Tracking variable assignment locations

def C(cp_1):
    c_2 = cp_1 + '@2'
    c_3 = c_2 + '@3'
    return c_3
def B(bp_7):
    b_8 = bp_7 + '@8'
    return C(b_8)
def A(ap_12):
    a_13 = ap_12 + '@13'
    a_14 = B(a_13) + '@14'
    a_14 = a_14 + '@15'
    a_13 = a_14 + '@16'
    a_14 = B(a_13) + '@17'
    a_14 = B(a_13) + '@18'

Notice how all variables are either named corresponding to either where they are defined, or the value is annotated to indicate that it was changed.

Let us run this under the trace.

with Tracer('____') as tracer:
    A(tracer.my_input)

for t in tracer.trace:
    print(t[0], "%d:%s" % (t[2].line_no, t[2].method), t[3])
call 1:A {'ap_12': '____'}
line 2:A {'ap_12': '____'}
line 3:A {'ap_12': '____', 'a_13': '____@13'}
call 1:B {'bp_7': '____@13'}
line 2:B {'bp_7': '____@13'}
line 3:B {'bp_7': '____@13', 'b_8': '____@13@8'}
call 1:C {'cp_1': '____@13@8'}
line 2:C {'cp_1': '____@13@8'}
line 3:C {'cp_1': '____@13@8', 'c_2': '____@13@8@2'}
line 4:C {'cp_1': '____@13@8', 'c_2': '____@13@8@2', 'c_3': '____@13@8@2@3'}
return 4:C {'cp_1': '____@13@8', 'c_2': '____@13@8@2', 'c_3': '____@13@8@2@3'}
return 3:B {'bp_7': '____@13', 'b_8': '____@13@8'}
line 4:A {'ap_12': '____', 'a_13': '____@13', 'a_14': '____@13@8@2@3@14'}
line 5:A {'ap_12': '____', 'a_13': '____@13', 'a_14': '____@13@8@2@3@14@15'}
line 6:A {'ap_12': '____', 'a_13': '____@13@8@2@3@14@15@16', 'a_14': '____@13@8@2@3@14@15'}
call 1:B {'bp_7': '____@13@8@2@3@14@15@16'}
line 2:B {'bp_7': '____@13@8@2@3@14@15@16'}
line 3:B {'bp_7': '____@13@8@2@3@14@15@16', 'b_8': '____@13@8@2@3@14@15@16@8'}
call 1:C {'cp_1': '____@13@8@2@3@14@15@16@8'}
line 2:C {'cp_1': '____@13@8@2@3@14@15@16@8'}
line 3:C {'cp_1': '____@13@8@2@3@14@15@16@8', 'c_2': '____@13@8@2@3@14@15@16@8@2'}
line 4:C {'cp_1': '____@13@8@2@3@14@15@16@8', 'c_2': '____@13@8@2@3@14@15@16@8@2', 'c_3': '____@13@8@2@3@14@15@16@8@2@3'}
return 4:C {'cp_1': '____@13@8@2@3@14@15@16@8', 'c_2': '____@13@8@2@3@14@15@16@8@2', 'c_3': '____@13@8@2@3@14@15@16@8@2@3'}
return 3:B {'bp_7': '____@13@8@2@3@14@15@16', 'b_8': '____@13@8@2@3@14@15@16@8'}
line 7:A {'ap_12': '____', 'a_13': '____@13@8@2@3@14@15@16', 'a_14': '____@13@8@2@3@14@15@16@8@2@3@17'}
call 1:B {'bp_7': '____@13@8@2@3@14@15@16'}
line 2:B {'bp_7': '____@13@8@2@3@14@15@16'}
line 3:B {'bp_7': '____@13@8@2@3@14@15@16', 'b_8': '____@13@8@2@3@14@15@16@8'}
call 1:C {'cp_1': '____@13@8@2@3@14@15@16@8'}
line 2:C {'cp_1': '____@13@8@2@3@14@15@16@8'}
line 3:C {'cp_1': '____@13@8@2@3@14@15@16@8', 'c_2': '____@13@8@2@3@14@15@16@8@2'}
line 4:C {'cp_1': '____@13@8@2@3@14@15@16@8', 'c_2': '____@13@8@2@3@14@15@16@8@2', 'c_3': '____@13@8@2@3@14@15@16@8@2@3'}
return 4:C {'cp_1': '____@13@8@2@3@14@15@16@8', 'c_2': '____@13@8@2@3@14@15@16@8@2', 'c_3': '____@13@8@2@3@14@15@16@8@2@3'}
return 3:B {'bp_7': '____@13@8@2@3@14@15@16', 'b_8': '____@13@8@2@3@14@15@16@8'}
return 7:A {'ap_12': '____', 'a_13': '____@13@8@2@3@14@15@16', 'a_14': '____@13@8@2@3@14@15@16@8@2@3@18'}
call 102:__exit__ {}
line 105:__exit__ {}

Each variable was referenced first as follows:

  • cp_1 -- call 1:C
  • c_2 -- line 3:C (but the previous event was line 2:C)
  • c_3 -- line 4:C (but the previous event was line 3:C)
  • bp_7 -- call 7:B
  • b_8 -- line 9:B (but the previous event was line 8:B)
  • ap_12 -- call 12:A
  • a_13 -- line 14:A (but the previous event was line 13:A)
  • a_14 -- line 15:A (the previous event was return 9:B. However, the previous event in A() was line 14:A)
  • reassign a_14 at 15 -- line 16:A (the previous event was line 15:A)
  • reassign a_13 at 16 -- line 17:A (the previous event was line 16:A)
  • reassign a_14 at 17 -- return 17:A (the previous event in A() was line 17:A)
  • reassign a_14 at 18 -- return 18:A (the previous event in A() was line 18:A)

So, our observations are that, if it is a call, the current location is the right one for any new variables being defined. On the other hand, if the variable being referenced for the first time (or reassigned a new value), then the right location to consider is the previous location in the same method invocation. Next, let us see how we can incorporate this information into variable naming.

Next, we need a way to track the individual method calls as they are being made. For this we define the class CallStack. Each method invocation gets a separate identifier, and when the method call is over, the identifier is reset.

CallStack

class CallStack:
    def __init__(self, **kwargs):
        self.options(kwargs)
        self.method_id = (START_SYMBOL, 0)
        self.method_register = 0
        self.mstack = [self.method_id]

    def enter(self, method):
        self.method_register += 1
        self.method_id = (method, self.method_register)
        self.log('call', "%s%s" % (self.indent(), str(self)))
        self.mstack.append(self.method_id)

    def leave(self):
        self.mstack.pop()
        self.log('return', "%s%s" % (self.indent(), str(self)))
        self.method_id = self.mstack[-1]

A few extra functions to make life simpler.

class CallStack(CallStack):
    def options(self, kwargs):
        self.log = log_event if kwargs.get('log') else lambda _evt, _var: None

    def indent(self):
        return len(self.mstack) * "\t"

    def at(self, n):
        return self.mstack[n]

    def __len__(self):
        return len(mstack) - 1

    def __str__(self):
        return "%s:%d" % self.method_id

    def __repr__(self):
        return repr(self.method_id)

We also define a convenience method to display a given stack.

def display_stack(istack):
    def stack_to_tree(stack):
        current, *rest = stack
        if not rest:
            return (repr(current), [])
        return (repr(current), [stack_to_tree(rest)])
    display_tree(stack_to_tree(istack.mstack), graph_attr=lr_graph)

Here is how we can use the CallStack.

cs = CallStack()
display_stack(cs)
cs
('<start>', 0)
cs.enter('hello')
display_stack(cs)
cs
('hello', 1)
cs.enter('world')
display_stack(cs)
cs
('world', 2)
cs.leave()
display_stack(cs)
cs
('hello', 1)
cs.enter('world')
display_stack(cs)
cs
('world', 3)
cs.leave()
display_stack(cs)
cs
('hello', 1)

In order to account for variable reassignments, we need to have a more intelligent data structure than a dictionary for storing variables. We first define a simple interface Vars. It acts as a container for variables, and is instantiated at my_assignments.

Vars

The Vars stores references to variables as they occur during parsing in its internal dictionary defs. We initialize the dictionary with the original string.

class Vars:
    def __init__(self, original):
        self.defs = {}
        self.my_input = original

The dictionary needs two methods: update() that takes a set of key-value pairs to update itself, and _set_kv() that updates a particular key-value pair.

class Vars(Vars):
    def _set_kv(self, k, v):
        self.defs[k] = v

    def __setitem__(self, k, v):
        self._set_kv(k, v)

    def update(self, v):
        for k, v in v.items():
            self._set_kv(k, v)

The Vars is a proxy for the internal dictionary. For example, here is how one can use it.

v = Vars('')
v.defs
{}
v['x'] = 'X'
v.defs
{'x': 'X'}
v.update({'x': 'x', 'y': 'y'})
v.defs
{'x': 'x', 'y': 'y'}

AssignmentVars

We now extend the simple Vars to account for variable reassignments. For this, we define AssignmentVars.

The idea for detecting reassignments and renaming variables is as follows: We keep track of the previous reassignments to particular variables using accessed_seq_var. It contains the last rename of any particular variable as its corresponding value. The new_vars contains a list of all new variables that were added on this iteration.

class AssignmentVars(Vars):
    def __init__(self, original):
        super().__init__(original)
        self.accessed_seq_var = {}
        self.var_def_lines = {}
        self.current_event = None
        self.new_vars = set()
        self.method_init()

The method_init() method takes care of keeping track of method invocations using records saved in the call_stack. event_locations is for keeping track of the locations accessed within this method. This is used for line number tracking of variable definitions.

class AssignmentVars(AssignmentVars):
    def method_init(self):
        self.call_stack = CallStack()
        self.event_locations = {self.call_stack.method_id: []}

The update() is now modified to track the changed line numbers if any, using var_location_register(). We reinitialize the new_vars after use for the next event.

class AssignmentVars(AssignmentVars):
    def update(self, v):
        for k, v in v.items():
            self._set_kv(k, v)
        self.var_location_register(self.new_vars)
        self.new_vars = set()

The variable name now incorporates an index of how many reassignments it has gone through, effectively making each reassignment a unique variable.

class AssignmentVars(AssignmentVars):
    def var_name(self, var):
        return (var, self.accessed_seq_var[var])

While storing variables, we need to first check whether it was previously known. If it is not, we need to initialize the rename count. This is accomplished by var_access.

class AssignmentVars(AssignmentVars):
    def var_access(self, var):
        if var not in self.accessed_seq_var:
            self.accessed_seq_var[var] = 0
        return self.var_name(var)

During a variable reassignment, we update the accessed_seq_var to reflect the new count.

class AssignmentVars(AssignmentVars):
    def var_assign(self, var):
        self.accessed_seq_var[var] += 1
        self.new_vars.add(self.var_name(var))
        return self.var_name(var)

These methods can be used as follows

sav = AssignmentVars('')
sav.defs
{}
sav.var_access('v1')
('v1', 0)
sav.var_assign('v1')
('v1', 1)

Assigning to it again increments the counter.

sav.var_assign('v1')
('v1', 2)

The core of the logic is in _set_kv(). When a variable is being assigned, we get the sequenced variable name s_var. If the sequenced variable name was previously unknown in defs, then we have no further concerns. We add the sequenced variable to defs.

If the variable is previously known, then it is an indication of a possible reassignment. In this case, we look at the value the variable is holding. We check if the value changed. If it has not, then it is not.

If the value has changed, it is a reassignment. We first increment the variable usage sequence using var_assign, retrieve the new name, update the new name in defs.

class AssignmentVars(AssignmentVars):
    def _set_kv(self, var, val):
        s_var = self.var_access(var)
        if s_var in self.defs and self.defs[s_var] == val:
            return
        self.defs[self.var_assign(var)] = val

Here is how it can be used. Assigning a variable the first time initializes its counter.

sav = AssignmentVars('')
sav['x'] = 'X'
sav.defs
{('x', 1): 'X'}

If the variable is assigned again with the same value, it is probably not a reassignment.

sav['x'] = 'X'
sav.defs
{('x', 1): 'X'}

However, if the value changed, it is a reassignment.

sav['x'] = 'Y'
sav.defs
{('x', 1): 'X', ('x', 2): 'Y'}

There is a subtlety here. It is possible for a child method to be called from the middle of a parent method, and for both to use the same variable name with different values. In this case, when the child returns, parent will have the old variable with old value in context. With our implementation, we consider this as a reassignment. However, this is OK because adding a new reassignment is harmless, but missing one is not. Further, we will discuss later how this can be avoided.

We also define bookkeeping codes for register_event() method_enter() and method_exit() which are the methods responsible for keeping track of the method stack. The basic idea is that, each method_enter() represents a new method invocation. Hence, it merits a new method id, which is generated from the method_register, and saved in the method_id. Since this is a new method, the method stack is extended by one element with this id. In the case of method_exit(), we pop the method stack, and reset the current method_id to what was below the current one.

class AssignmentVars(AssignmentVars):
    def method_enter(self, cxt, my_vars):
        self.current_event = 'call'
        self.call_stack.enter(cxt.method)
        self.event_locations[self.call_stack.method_id] = []
        self.register_event(cxt)
        self.update(my_vars)

    def method_exit(self, cxt, my_vars):
        self.current_event = 'return'
        self.register_event(cxt)
        self.update(my_vars)
        self.call_stack.leave()

    def method_statement(self, cxt, my_vars):
        self.current_event = 'line'
        self.register_event(cxt)
        self.update(my_vars)

For each of the method events, we also register the event using register_event() which keeps track of the line numbers that were referenced in this method.

class AssignmentVars(AssignmentVars):
    def register_event(self, cxt):
        self.event_locations[self.call_stack.method_id].append(cxt.line_no)

The var_location_register() keeps the locations of newly added variables. The definition location of variables in a call is the current location. However, for a line, it would be the previous event in the current method.

class AssignmentVars(AssignmentVars):
    def var_location_register(self, my_vars):
        def loc(mid):
            if self.current_event == 'call':
                return self.event_locations[mid][-1]
            elif self.current_event == 'line':
                return self.event_locations[mid][-2]
            elif self.current_event == 'return':
                return self.event_locations[mid][-2]
            else:
                assert False

        my_loc = loc(self.call_stack.method_id)
        for var in my_vars:
            self.var_def_lines[var] = my_loc

We define defined_vars() which returns the names of variables annotated with the line numbers as below.

class AssignmentVars(AssignmentVars):
    def defined_vars(self, formatted=True):
        def fmt(k):
            v = (k[0], self.var_def_lines[k])
            return "%s@%s" % v if formatted else v

        return [(fmt(k), v) for k, v in self.defs.items()]

Similar to defined_vars() we define seq_vars() which annotates different variables with the number of times they were used.

class AssignmentVars(AssignmentVars):
    def seq_vars(self, formatted=True):
        def fmt(k):
            v = (k[0], self.var_def_lines[k], k[1])
            return "%s@%s:%s" % v if formatted else v

        return {fmt(k): v for k, v in self.defs.items()}

AssignmentTracker

The AssignmentTracker keeps the assignment definitions using the AssignmentVars we defined previously.

class AssignmentTracker(DefineTracker):
    def __init__(self, my_input, trace, **kwargs):
        self.options(kwargs)
        self.my_input = my_input

        self.my_assignments = self.create_assignments(my_input)

        self.trace = trace
        self.process()

    def create_assignments(self, *args):
        return AssignmentVars(*args)

To fine-tune the process, we define an optional parameter called track_return. During tracing a method return, Python produces a virtual variable that contains the result of the returned value. If the track_return is set, we capture this value as a variable.

  • track_return -- if true, add a virtual variable to the Vars representing the return value
class AssignmentTracker(AssignmentTracker):
    def options(self, kwargs):
        self.track_return = kwargs.get('track_return', False)
        super().options(kwargs)

There can be different kinds of events during a trace, which includes call when a function is entered, return when the function returns, exception when an exception is thrown and line when a statement is executed.

The previous Tracker was too simplistic in that it did not distinguish between the different events. We rectify that and define on_call(), on_return(), and on_line() respectively, which get called on their corresponding events.

Note that on_line() is called also for on_return(). The reason is, that Python invokes the trace function before the corresponding line is executed. Hence, effectively, the on_return() is called with the binding produced by the execution of the previous statement in the environment. Our processing in effect is done on values that were bound by the previous statement. Hence, calling on_line() here is appropriate as it provides the event handler a chance to work on the previous binding.

class AssignmentTracker(AssignmentTracker):
    def on_call(self, arg, cxt, my_vars):
        my_vars = cxt.parameters(my_vars)
        self.my_assignments.method_enter(cxt, self.fragments(my_vars))

    def on_line(self, arg, cxt, my_vars):
        self.my_assignments.method_statement(cxt, self.fragments(my_vars))

    def on_return(self, arg, cxt, my_vars):
        self.on_line(arg, cxt, my_vars)
        my_vars = {'<-%s' % cxt.method: arg} if self.track_return else {}
        self.my_assignments.method_exit(cxt, my_vars)

    def on_exception(self, arg, cxt, my_vara):
        return

    def track_event(self, event, arg, cxt, my_vars):
        self.current_event = event
        dispatch = {
            'call': self.on_call,
            'return': self.on_return,
            'line': self.on_line,
            'exception': self.on_exception
        }
        dispatch[event](arg, cxt, my_vars)

We can now use AssignmentTracker to track the different variables. To verify that our variable line number inference works, we recover definitions from the functions A(), B() and C() (with data annotations removed so that the input fragments are correctly identified).

def C(cp_1):
    c_2 = cp_1
    c_3 = c_2
    return c_3
def B(bp_7):
    b_8 = bp_7
    return C(b_8)
def A(ap_12):
    a_13 = ap_12
    a_14 = B(a_13)
    a_14 = a_14
    a_13 = a_14
    a_14 = B(a_13)
    a_14 = B(a_14)[3:]

Running A() with sufficient input.

with Tracer('---xxx') as tracer:
    A(tracer.my_input)
tracker = AssignmentTracker(tracer.my_input, tracer.trace, log=True)
for k, v in tracker.my_assignments.seq_vars().items():
    print(k, '=', repr(v))
print()
for k, v in tracker.my_assignments.defined_vars(formatted=True):
    print(k, '=', repr(v))
ap_12@1:1 = '---xxx'
a_13@2:1 = '---xxx'
bp_7@1:1 = '---xxx'
b_8@2:1 = '---xxx'
cp_1@1:1 = '---xxx'
c_2@2:1 = '---xxx'
c_3@3:1 = '---xxx'
a_14@3:1 = '---xxx'
a_14@7:2 = 'xxx'

ap_12@1 = '---xxx'
a_13@2 = '---xxx'
bp_7@1 = '---xxx'
b_8@2 = '---xxx'
cp_1@1 = '---xxx'
c_2@2 = '---xxx'
c_3@3 = '---xxx'
a_14@3 = '---xxx'
a_14@7 = 'xxx'

As can be seen, the line numbers are now correctly identified for each variable.

Let us try retrieving the assignments for a real world example.

traces = []
for inputstr in URLS_X:
    clear_cache()
    with Tracer(inputstr, files=['urllib/parse.py']) as tracer:
        urlparse(tracer.my_input)
    traces.append((tracer.my_input, tracer.trace))

    tracker = AssignmentTracker(tracer.my_input, tracer.trace, log=True)
    for k, v in tracker.my_assignments.defined_vars():
        print(k, '=', repr(v))
    print()
url@372 = 'http://user:pass@www.google.com:80/?q=path#ref'
url@478 = '//user:pass@www.google.com:80/?q=path#ref'
scheme@478 = 'http'
url@481 = '/?q=path#ref'
netloc@481 = 'user:pass@www.google.com:80'
url@486 = '/?q=path'
fragment@486 = 'ref'
query@488 = 'q=path'
url@393 = 'http://user:pass@www.google.com:80/?q=path#ref'

url@372 = 'https://www.cispa.saarland:80/'
url@478 = '//www.cispa.saarland:80/'
scheme@478 = 'https'
netloc@481 = 'www.cispa.saarland:80'
url@393 = 'https://www.cispa.saarland:80/'

url@372 = 'http://www.fuzzingbook.org/#News'
url@478 = '//www.fuzzingbook.org/#News'
scheme@478 = 'http'
url@481 = '/#News'
netloc@481 = 'www.fuzzingbook.org'
fragment@486 = 'News'
url@393 = 'http://www.fuzzingbook.org/#News'

url@372 = 'ftp://freebsd.org/releases/5.8'
url@478 = '//freebsd.org/releases/5.8'
scheme@478 = 'ftp'
url@481 = '/releases/5.8'
netloc@481 = 'freebsd.org'
url@393 = 'ftp://freebsd.org/releases/5.8'
url@394 = '/releases/5.8'

The line numbers of variables can be verified from the source code of urllib/parse.py.

Recovering a Derivation Tree

Does handling variable reassignments help with our URL examples? We look at these next.

class TreeMiner(TreeMiner):
    def get_derivation_tree(self):
        tree = (START_SYMBOL, [(self.my_input, [])])
        for var, value in self.my_assignments:
            self.log(0, "%s=%s" % (var, repr(value)))
            self.apply_new_definition(tree, var, value)
        return tree

Example 1: Recovering URL Derivation Tree

First we obtain the derivation tree of the URL 1

URL 1 derivation tree
clear_cache()
with Tracer(URLS_X[0], files=['urllib/parse.py']) as tracer:
    urlparse(tracer.my_input)
sm = AssignmentTracker(tracer.my_input, tracer.trace)
dt = TreeMiner(tracer.my_input, sm.my_assignments.defined_vars())
display_tree(dt.tree)
0 <start> 1 <url@372> 0->1 2 <scheme@478> 1->2 4 : (58) 1->4 5 <url@478> 1->5 3 http 2->3 6 // 5->6 7 <netloc@481> 5->7 9 <url@481> 5->9 8 user:pass@www.google.com:80 7->8 10 <url@486> 9->10 14 # (35) 9->14 15 <fragment@486> 9->15 11 /? 10->11 12 <query@488> 10->12 13 q=path 12->13 16 ref 15->16

Next, we obtain the derivation tree of URL 4

URL 4 derivation tree
clear_cache()
with Tracer(URLS_X[-1], files=['urllib/parse.py']) as tracer:
    urlparse(tracer.my_input)
sm = AssignmentTracker(tracer.my_input, tracer.trace)
dt = TreeMiner(tracer.my_input, sm.my_assignments.defined_vars())
display_tree(dt.tree)
0 <start> 1 <url@372> 0->1 2 <scheme@478> 1->2 4 : (58) 1->4 5 <url@478> 1->5 3 ftp 2->3 6 // 5->6 7 <netloc@481> 5->7 9 <url@481> 5->9 8 freebsd.org 7->8 10 <url@394> 9->10 11 /releases/5.8 10->11

The derivation trees seem to belong to the same grammar. Hence, we obtain the grammar for the complete set. First, we update the recover_grammar() to use AssignTracker.

Recover Grammar

class GrammarMiner(GrammarMiner):
    def update_grammar(self, inputstr, trace):
        at = self.create_tracker(inputstr, trace)
        dt = self.create_tree_miner(inputstr, at.my_assignments.defined_vars())
        self.add_tree(dt)
        return self.grammar

    def create_tracker(self, *args):
        return AssignmentTracker(*args)

    def create_tree_miner(self, *args):
        return TreeMiner(*args)

Next, we use the modified recover_grammar() on derivation trees obtained from URLs.

url_grammar = recover_grammar(url_parse, URLS_X, files=['urllib/parse.py'])

The recovered grammar is below.

syntax_diagram(url_grammar)
start
url@372
url@372
scheme@478 : url@478
scheme@478
https ftp http
url@478
// netloc@481 url@481 // netloc@481 /
netloc@481
www.fuzzingbook.org freebsd.org user:pass@www.google.com:80 www.cispa.saarland:80
url@481
url@486 # fragment@486 /# fragment@486 url@394
url@486
/? query@488
query@488
q=path
fragment@486
News ref
url@394
/releases/5.8

Let us fuzz a little to see if the produced values are sane.

f = GrammarFuzzer(url_grammar)
for _ in range(10):
    print(f.fuzz())
ftp://www.cispa.saarland:80/#ref
http://www.fuzzingbook.org/#ref
ftp://freebsd.org/
https://www.cispa.saarland:80/#News
http://freebsd.org/releases/5.8
http://www.fuzzingbook.org/
https://www.fuzzingbook.org/
http://www.cispa.saarland:80/releases/5.8
https://www.fuzzingbook.org/releases/5.8
https://www.cispa.saarland:80/

Our modifications do seem to help. Next, we check whether we can still retrieve the grammar for inventory.

Example 2: Recovering Inventory Grammar

inventory_grammar = recover_grammar(process_vehicle, VEHICLES)
syntax_diagram(inventory_grammar)
start
vehicle@29
vehicle@29
year@30 , kind@30 , company@30 , model@30
year@30
2000 1999 1997
kind@30
car van
company@30
Mercury Ford Chevy
model@30
Cougar E350 Venture

Using fuzzing to produce values from the grammar.

f = GrammarFuzzer(inventory_grammar)
for _ in range(10):
    print(f.fuzz())
1999,car,Ford,E350
2000,car,Ford,Cougar
2000,van,Chevy,Venture
1997,car,Mercury,Venture
1999,van,Ford,Venture
1997,van,Mercury,Cougar
1997,car,Chevy,Cougar
1997,car,Ford,E350
2000,van,Chevy,Venture
1997,car,Ford,Venture

Problems with the Grammar Miner with Reassignment

One of the problems with our grammar miner is that it doesn't yet account for the current context. That is, when replacing, a variable can replace tokens that it does not have access to (and hence, it is not a fragment of). Consider this example.

with Tracer(INVENTORY) as tracer:
    process_inventory(tracer.my_input)
sm = AssignmentTracker(tracer.my_input, tracer.trace)
dt = TreeMiner(tracer.my_input, sm.my_assignments.defined_vars())
display_tree(dt.tree, graph_attr=lr_graph)
0 <start> 1 <inventory@22> 0->1 2 <vehicle@24> 1->2 14 \n (10) 1->14 15 <vehicle@24> 1->15 27 \n (10) 1->27 28 <vehicle@24> 1->28 3 <year@30> 2->3 5 , (44) 2->5 6 <kind@30> 2->6 8 , (44) 2->8 9 <company@30> 2->9 11 , (44) 2->11 12 <model@30> 2->12 4 1997 3->4 7 van 6->7 10 Ford 9->10 13 E350 12->13 16 <year@30> 15->16 18 , (44) 15->18 19 <kind@30> 15->19 21 , (44) 15->21 22 <company@30> 15->22 24 , (44) 15->24 25 <model@30> 15->25 17 2000 16->17 20 car 19->20 23 Mercury 22->23 26 Cougar 25->26 29 <year@30> 28->29 31 ,car, 28->31 32 <company@30> 28->32 34 , (44) 28->34 35 <model@30> 28->35 30 1999 29->30 33 Chevy 32->33 36 Venture 35->36

As can be seen, the derivation tree obtained is not quite what we expected. The issue is easily seen if we enable logging in the TreeMiner.

dt = TreeMiner(tracer.my_input, sm.my_assignments.defined_vars(), log=True)
 inventory@22='1997,van,Ford,E350\n2000,car,Mercury,Cougar\n1999,car,Chevy,Venture'
	 - Node: <start>		? (<inventory@22>:'1997,van,Ford,E350\n2000,car,Mercury,Cougar\n1999,car,Chevy,Venture')
		 -> [0] '1997,van,Ford,E350\n2000,car,Mercury,Cougar\n1999,car,Chevy,Venture'
		  > ['<inventory@22>']
 vehicle@24='1997,van,Ford,E350'
	 - Node: <start>		? (<vehicle@24>:'1997,van,Ford,E350')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<vehicle@24>:'1997,van,Ford,E350')
		 -> [0] '1997,van,Ford,E350\n2000,car,Mercury,Cougar\n1999,car,Chevy,Venture'
		  > ['<vehicle@24>', '\n2000,car,Mercury,Cougar\n1999,car,Chevy,Venture']
 year@30='1997'
	 - Node: <start>		? (<year@30>:'1997')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<year@30>:'1997')
		 -> [0] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<year@30>:'1997')
		 -> [0] '1997,van,Ford,E350'
		  > ['<year@30>', ',van,Ford,E350']
 kind@30='van'
	 - Node: <start>		? (<kind@30>:'van')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<kind@30>:'van')
		 -> [0] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<kind@30>:'van')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<kind@30>:'van')
		 -> [0] '1997'
		 -> [1] ',van,Ford,E350'
		  > [',', '<kind@30>', ',Ford,E350']
 company@30='Ford'
	 - Node: <start>		? (<company@30>:'Ford')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<company@30>:'Ford')
		 -> [0] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<company@30>:'Ford')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<company@30>:'Ford')
		 -> [0] '1997'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<company@30>:'Ford')
		 -> [0] 'van'
		 -> [3] ',Ford,E350'
		  > [',', '<company@30>', ',E350']
 model@30='E350'
	 - Node: <start>		? (<model@30>:'E350')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<model@30>:'E350')
		 -> [0] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<model@30>:'E350')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<model@30>:'E350')
		 -> [0] '1997'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<model@30>:'E350')
		 -> [0] 'van'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<model@30>:'E350')
		 -> [0] 'Ford'
		 -> [5] ',E350'
		  > [',', '<model@30>']
 vehicle@24='2000,car,Mercury,Cougar'
	 - Node: <start>		? (<vehicle@24>:'2000,car,Mercury,Cougar')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<vehicle@24>:'2000,car,Mercury,Cougar')
		 -> [0] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<vehicle@24>:'2000,car,Mercury,Cougar')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<vehicle@24>:'2000,car,Mercury,Cougar')
		 -> [0] '1997'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<vehicle@24>:'2000,car,Mercury,Cougar')
		 -> [0] 'van'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<vehicle@24>:'2000,car,Mercury,Cougar')
		 -> [0] 'Ford'
		 -> [5] ','
		 -> [6] '<model@30>'
	 - Node: <model@30>		? (<vehicle@24>:'2000,car,Mercury,Cougar')
		 -> [0] 'E350'
		 -> [1] '\n2000,car,Mercury,Cougar\n1999,car,Chevy,Venture'
		  > ['\n', '<vehicle@24>', '\n1999,car,Chevy,Venture']
 year@30='2000'
	 - Node: <start>		? (<year@30>:'2000')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<year@30>:'2000')
		 -> [0] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<year@30>:'2000')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<year@30>:'2000')
		 -> [0] '1997'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<year@30>:'2000')
		 -> [0] 'van'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<year@30>:'2000')
		 -> [0] 'Ford'
		 -> [5] ','
		 -> [6] '<model@30>'
	 - Node: <model@30>		? (<year@30>:'2000')
		 -> [0] 'E350'
		 -> [1] '\n'
		 -> [2] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<year@30>:'2000')
		 -> [0] '2000,car,Mercury,Cougar'
		  > ['<year@30>', ',car,Mercury,Cougar']
 kind@30='car'
	 - Node: <start>		? (<kind@30>:'car')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<kind@30>:'car')
		 -> [0] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<kind@30>:'car')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<kind@30>:'car')
		 -> [0] '1997'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<kind@30>:'car')
		 -> [0] 'van'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<kind@30>:'car')
		 -> [0] 'Ford'
		 -> [5] ','
		 -> [6] '<model@30>'
	 - Node: <model@30>		? (<kind@30>:'car')
		 -> [0] 'E350'
		 -> [1] '\n'
		 -> [2] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<kind@30>:'car')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<kind@30>:'car')
		 -> [0] '2000'
		 -> [1] ',car,Mercury,Cougar'
		  > [',', '<kind@30>', ',Mercury,Cougar']
 company@30='Mercury'
	 - Node: <start>		? (<company@30>:'Mercury')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<company@30>:'Mercury')
		 -> [0] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<company@30>:'Mercury')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<company@30>:'Mercury')
		 -> [0] '1997'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<company@30>:'Mercury')
		 -> [0] 'van'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<company@30>:'Mercury')
		 -> [0] 'Ford'
		 -> [5] ','
		 -> [6] '<model@30>'
	 - Node: <model@30>		? (<company@30>:'Mercury')
		 -> [0] 'E350'
		 -> [1] '\n'
		 -> [2] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<company@30>:'Mercury')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<company@30>:'Mercury')
		 -> [0] '2000'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<company@30>:'Mercury')
		 -> [0] 'car'
		 -> [3] ',Mercury,Cougar'
		  > [',', '<company@30>', ',Cougar']
 model@30='Cougar'
	 - Node: <start>		? (<model@30>:'Cougar')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<model@30>:'Cougar')
		 -> [0] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<model@30>:'Cougar')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<model@30>:'Cougar')
		 -> [0] '1997'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<model@30>:'Cougar')
		 -> [0] 'van'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<model@30>:'Cougar')
		 -> [0] 'Ford'
		 -> [5] ','
		 -> [6] '<model@30>'
	 - Node: <model@30>		? (<model@30>:'Cougar')
		 -> [0] 'E350'
		 -> [1] '\n'
		 -> [2] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<model@30>:'Cougar')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<model@30>:'Cougar')
		 -> [0] '2000'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<model@30>:'Cougar')
		 -> [0] 'car'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<model@30>:'Cougar')
		 -> [0] 'Mercury'
		 -> [5] ',Cougar'
		  > [',', '<model@30>']
 vehicle@24='1999,car,Chevy,Venture'
	 - Node: <start>		? (<vehicle@24>:'1999,car,Chevy,Venture')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<vehicle@24>:'1999,car,Chevy,Venture')
		 -> [0] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<vehicle@24>:'1999,car,Chevy,Venture')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<vehicle@24>:'1999,car,Chevy,Venture')
		 -> [0] '1997'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<vehicle@24>:'1999,car,Chevy,Venture')
		 -> [0] 'van'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<vehicle@24>:'1999,car,Chevy,Venture')
		 -> [0] 'Ford'
		 -> [5] ','
		 -> [6] '<model@30>'
	 - Node: <model@30>		? (<vehicle@24>:'1999,car,Chevy,Venture')
		 -> [0] 'E350'
		 -> [1] '\n'
		 -> [2] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<vehicle@24>:'1999,car,Chevy,Venture')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<vehicle@24>:'1999,car,Chevy,Venture')
		 -> [0] '2000'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<vehicle@24>:'1999,car,Chevy,Venture')
		 -> [0] 'car'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<vehicle@24>:'1999,car,Chevy,Venture')
		 -> [0] 'Mercury'
		 -> [5] ','
		 -> [6] '<model@30>'
	 - Node: <model@30>		? (<vehicle@24>:'1999,car,Chevy,Venture')
		 -> [0] 'Cougar'
		 -> [3] '\n1999,car,Chevy,Venture'
		  > ['\n', '<vehicle@24>']
 year@30='1999'
	 - Node: <start>		? (<year@30>:'1999')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<year@30>:'1999')
		 -> [0] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<year@30>:'1999')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<year@30>:'1999')
		 -> [0] '1997'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<year@30>:'1999')
		 -> [0] 'van'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<year@30>:'1999')
		 -> [0] 'Ford'
		 -> [5] ','
		 -> [6] '<model@30>'
	 - Node: <model@30>		? (<year@30>:'1999')
		 -> [0] 'E350'
		 -> [1] '\n'
		 -> [2] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<year@30>:'1999')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<year@30>:'1999')
		 -> [0] '2000'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<year@30>:'1999')
		 -> [0] 'car'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<year@30>:'1999')
		 -> [0] 'Mercury'
		 -> [5] ','
		 -> [6] '<model@30>'
	 - Node: <model@30>		? (<year@30>:'1999')
		 -> [0] 'Cougar'
		 -> [3] '\n'
		 -> [4] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<year@30>:'1999')
		 -> [0] '1999,car,Chevy,Venture'
		  > ['<year@30>', ',car,Chevy,Venture']
 company@30='Chevy'
	 - Node: <start>		? (<company@30>:'Chevy')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<company@30>:'Chevy')
		 -> [0] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<company@30>:'Chevy')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<company@30>:'Chevy')
		 -> [0] '1997'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<company@30>:'Chevy')
		 -> [0] 'van'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<company@30>:'Chevy')
		 -> [0] 'Ford'
		 -> [5] ','
		 -> [6] '<model@30>'
	 - Node: <model@30>		? (<company@30>:'Chevy')
		 -> [0] 'E350'
		 -> [1] '\n'
		 -> [2] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<company@30>:'Chevy')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<company@30>:'Chevy')
		 -> [0] '2000'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<company@30>:'Chevy')
		 -> [0] 'car'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<company@30>:'Chevy')
		 -> [0] 'Mercury'
		 -> [5] ','
		 -> [6] '<model@30>'
	 - Node: <model@30>		? (<company@30>:'Chevy')
		 -> [0] 'Cougar'
		 -> [3] '\n'
		 -> [4] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<company@30>:'Chevy')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<company@30>:'Chevy')
		 -> [0] '1999'
		 -> [1] ',car,Chevy,Venture'
		  > [',car,', '<company@30>', ',Venture']
 model@30='Venture'
	 - Node: <start>		? (<model@30>:'Venture')
		 -> [0] '<inventory@22>'
	 - Node: <inventory@22>		? (<model@30>:'Venture')
		 -> [0] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<model@30>:'Venture')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<model@30>:'Venture')
		 -> [0] '1997'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<model@30>:'Venture')
		 -> [0] 'van'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<model@30>:'Venture')
		 -> [0] 'Ford'
		 -> [5] ','
		 -> [6] '<model@30>'
	 - Node: <model@30>		? (<model@30>:'Venture')
		 -> [0] 'E350'
		 -> [1] '\n'
		 -> [2] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<model@30>:'Venture')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<model@30>:'Venture')
		 -> [0] '2000'
		 -> [1] ','
		 -> [2] '<kind@30>'
	 - Node: <kind@30>		? (<model@30>:'Venture')
		 -> [0] 'car'
		 -> [3] ','
		 -> [4] '<company@30>'
	 - Node: <company@30>		? (<model@30>:'Venture')
		 -> [0] 'Mercury'
		 -> [5] ','
		 -> [6] '<model@30>'
	 - Node: <model@30>		? (<model@30>:'Venture')
		 -> [0] 'Cougar'
		 -> [3] '\n'
		 -> [4] '<vehicle@24>'
	 - Node: <vehicle@24>		? (<model@30>:'Venture')
		 -> [0] '<year@30>'
	 - Node: <year@30>		? (<model@30>:'Venture')
		 -> [0] '1999'
		 -> [1] ',car,'
		 -> [2] '<company@30>'
	 - Node: <company@30>		? (<model@30>:'Venture')
		 -> [0] 'Chevy'
		 -> [3] ',Venture'
		  > [',', '<model@30>']

Look at the last statement. We have a value 1999,car, where only the year got replaced. We no longer have a 'car' variable to continue the replacement here. This happens because the 'car' value in '1999,car,Chevy,Venture' is not treated as a new value because the value 'car' had occurred for 'vehicle' variable in the exact same location for a different method call (for '2000,car,Mercury,Cougar').

A Grammar Miner with Scope

We need to incorporate inspection of the variables in the current context. We already have a stack of method calls so that we can obtain the current method at any point. We need to do the same for variables.

For that, we extend the CallStack to a new class InputStack which holds the method invoked as well as the parameters observed. It is essentially the record of activation of the method. We start with the original input at the base of the stack, and for each new method-call, we push the parameters of that call into the stack as a new record.

Input Stack

class InputStack(CallStack):
    def __init__(self, i, fragment_len=FRAGMENT_LEN):
        self.inputs = [{START_SYMBOL: i}]
        self.fragment_len = fragment_len
        super().__init__()

In order to check if a particular variable be saved, we define in_current_record() which checks only the variables in the current scope for inclusion (rather than the original input string).

class InputStack(InputStack):
    def in_current_record(self, val):
        return any(val in var for var in self.inputs[-1].values())
my_istack = InputStack('hello my world')
my_istack.in_current_record('hello')
True
my_istack.in_current_record('bye')
False
my_istack.inputs.append({'greeting': 'hello', 'location': 'world'})
my_istack.in_current_record('hello')
True
my_istack.in_current_record('my')
False

We define the method ignored() that returns true if either the variable is not a string, or the variable length is less than the defined fragment_len.

class InputStack(InputStack):
    def ignored(self, val):
        return not (isinstance(val, str) and len(val) >= self.fragment_len)
my_istack = InputStack('hello world')
my_istack.ignored(1)
True
my_istack.ignored('a')
True
my_istack.ignored('help')
False

We can now define the in_scope() method that checks whether the variable needs to be ignored, and if it is not to be ignored, whether the variable value is present in the current scope.

class InputStack(InputStack):
    def in_scope(self, k, val):
        if self.ignored(val):
            return False
        return self.in_current_record(val)

Finally, we update enter() that pushes relevant variables in the current context to the stack.

class InputStack(InputStack):
    def enter(self, method, inputs):
        my_inputs = {k: v for k, v in inputs.items() if self.in_scope(k, v)}
        self.inputs.append(my_inputs)
        super().enter(method)

When a method returns, we also need a corresponding leave() to pop out the inputs and unwind the stack.

class InputStack(InputStack):
    def leave(self):
        self.inputs.pop()
        super().leave()

ScopedVars

We need to update our AssignmentVars to include information about which scope the variable was defined in. We start by updating method_init().

class ScopedVars(AssignmentVars):
    def method_init(self):
        self.call_stack = self.create_call_stack(self.my_input)
        self.event_locations = {self.call_stack.method_id: []}

    def create_call_stack(self, i):
        return InputStack(i)

Similarly, the method_enter() now initializes the accessed_seq_var for the current method call.

class ScopedVars(ScopedVars):
    def method_enter(self, cxt, my_vars):
        self.current_event = 'call'
        self.call_stack.enter(cxt.method, my_vars)
        self.accessed_seq_var[self.call_stack.method_id] = {}
        self.event_locations[self.call_stack.method_id] = []
        self.register_event(cxt)
        self.update(my_vars)

The update() method now saves the context in which the value is defined. In the case of a parameter to a function, the context should be the context in which the function was called. On the other hand, a value defined during a statement execution would have the current context.

Further, we annotate on value rather than key because we do not want to duplicate variables when parameters are in context in the next line. They will have same value, but different context because they are present in a statement execution.

class ScopedVars(ScopedVars):
    def update(self, v):
        if self.current_event == 'call':
            context = -2
        elif self.current_event == 'line':
            context = -1
        else:
            context = -1
        for k, v in v.items():
            self._set_kv(k, (v, self.call_stack.at(context)))
        self.var_location_register(self.new_vars)
        self.new_vars = set()

We also need to save the current method invocation to determine which variables are in scope. This information is now incorporated in the variable name as accessed_seq_var[method_id][var].

class ScopedVars(ScopedVars):
    def var_name(self, var):
        return (var, self.call_stack.method_id,
                self.accessed_seq_var[self.call_stack.method_id][var])

As before, var_access simply initializes the corresponding counter, this time in the context of method_id.

class ScopedVars(ScopedVars):
    def var_access(self, var):
        if var not in self.accessed_seq_var[self.call_stack.method_id]:
            self.accessed_seq_var[self.call_stack.method_id][var] = 0
        return self.var_name(var)

During a variable reassignment, we update the accessed_seq_var to reflect the new count.

class ScopedVars(ScopedVars):
    def var_assign(self, var):
        self.accessed_seq_var[self.call_stack.method_id][var] += 1
        self.new_vars.add(self.var_name(var))
        return self.var_name(var)

We now update defined_vars() to account for the new information.

class ScopedVars(ScopedVars):
    def defined_vars(self, formatted=True):
        def fmt(k):
            method, i = k[1]
            v = (method, i, k[0], self.var_def_lines[k])
            return "%s[%d]:%s@%s" % v if formatted else v

        return [(fmt(k), v) for k, v in self.defs.items()]

Updating seq_vars() to account for new information.

class ScopedVars(ScopedVars):
    def seq_vars(self, formatted=True):
        def fmt(k):
            method, i = k[1]
            v = (method, i, k[0], self.var_def_lines[k], k[2])
            return "%s[%d]:%s@%s:%s" % v if formatted else v

        return {fmt(k): v for k, v in self.defs.items()}

Scope Tracker

With the InputStack and Vars defined, we can now define the ScopeTracker. The ScopeTracker only saves variables if the value is present in the current scope.

class ScopeTracker(AssignmentTracker):
    def __init__(self, my_input, trace, **kwargs):
        self.current_event = None
        super().__init__(my_input, trace, **kwargs)

    def create_assignments(self, *args):
        return ScopedVars(*args)

We define a wrapper for checking whether a variable is present in the scope.

class ScopeTracker(ScopeTracker):
    def is_input_fragment(self, var, value):
        return self.my_assignments.call_stack.in_scope(var, value)

We can use the ScopeTracker as follows.

vehicle_traces = []
with Tracer(INVENTORY) as tracer:
    process_inventory(tracer.my_input)
sm = ScopeTracker(tracer.my_input, tracer.trace)
vehicle_traces.append((tracer.my_input, sm))
for k, v in sm.my_assignments.seq_vars().items():
    print(k, '=', repr(v))
process_inventory[1]:inventory@22:1 = ('1997,van,Ford,E350\n2000,car,Mercury,Cougar\n1999,car,Chevy,Venture', ('<start>', 0))
process_inventory[1]:inventory@22:2 = ('1997,van,Ford,E350\n2000,car,Mercury,Cougar\n1999,car,Chevy,Venture', ('process_inventory', 1))
process_inventory[1]:vehicle@24:1 = ('1997,van,Ford,E350', ('process_inventory', 1))
process_vehicle[2]:vehicle@29:1 = ('1997,van,Ford,E350', ('process_inventory', 1))
process_vehicle[2]:vehicle@29:2 = ('1997,van,Ford,E350', ('process_vehicle', 2))
process_vehicle[2]:year@30:1 = ('1997', ('process_vehicle', 2))
process_vehicle[2]:kind@30:1 = ('van', ('process_vehicle', 2))
process_vehicle[2]:company@30:1 = ('Ford', ('process_vehicle', 2))
process_vehicle[2]:model@30:1 = ('E350', ('process_vehicle', 2))
process_van[3]:year@40:1 = ('1997', ('process_vehicle', 2))
process_van[3]:company@40:1 = ('Ford', ('process_vehicle', 2))
process_van[3]:model@40:1 = ('E350', ('process_vehicle', 2))
process_van[3]:year@40:2 = ('1997', ('process_van', 3))
process_van[3]:company@40:2 = ('Ford', ('process_van', 3))
process_van[3]:model@40:2 = ('E350', ('process_van', 3))
process_inventory[1]:vehicle@24:2 = ('2000,car,Mercury,Cougar', ('process_inventory', 1))
process_vehicle[4]:vehicle@29:1 = ('2000,car,Mercury,Cougar', ('process_inventory', 1))
process_vehicle[4]:vehicle@29:2 = ('2000,car,Mercury,Cougar', ('process_vehicle', 4))
process_vehicle[4]:year@30:1 = ('2000', ('process_vehicle', 4))
process_vehicle[4]:kind@30:1 = ('car', ('process_vehicle', 4))
process_vehicle[4]:company@30:1 = ('Mercury', ('process_vehicle', 4))
process_vehicle[4]:model@30:1 = ('Cougar', ('process_vehicle', 4))
process_car[5]:year@49:1 = ('2000', ('process_vehicle', 4))
process_car[5]:company@49:1 = ('Mercury', ('process_vehicle', 4))
process_car[5]:model@49:1 = ('Cougar', ('process_vehicle', 4))
process_car[5]:year@49:2 = ('2000', ('process_car', 5))
process_car[5]:company@49:2 = ('Mercury', ('process_car', 5))
process_car[5]:model@49:2 = ('Cougar', ('process_car', 5))
process_inventory[1]:vehicle@24:3 = ('1999,car,Chevy,Venture', ('process_inventory', 1))
process_vehicle[6]:vehicle@29:1 = ('1999,car,Chevy,Venture', ('process_inventory', 1))
process_vehicle[6]:vehicle@29:2 = ('1999,car,Chevy,Venture', ('process_vehicle', 6))
process_vehicle[6]:year@30:1 = ('1999', ('process_vehicle', 6))
process_vehicle[6]:kind@30:1 = ('car', ('process_vehicle', 6))
process_vehicle[6]:company@30:1 = ('Chevy', ('process_vehicle', 6))
process_vehicle[6]:model@30:1 = ('Venture', ('process_vehicle', 6))
process_car[7]:year@49:1 = ('1999', ('process_vehicle', 6))
process_car[7]:company@49:1 = ('Chevy', ('process_vehicle', 6))
process_car[7]:model@49:1 = ('Venture', ('process_vehicle', 6))
process_car[7]:year@49:2 = ('1999', ('process_car', 7))
process_car[7]:company@49:2 = ('Chevy', ('process_car', 7))
process_car[7]:model@49:2 = ('Venture', ('process_car', 7))

Recovering a Derivation Tree

The main difference in apply_new_definition() is that we add a second condition that checks for scope. In particular, variables are only allowed to replace portions of string fragments that were in scope. The variable scope is indicated by scope. However, merely accounting for scope is not sufficient. For example, consider the fragment below.

def my_fn(stringval):
    partA, partB = stringval.split('/')
    return partA, partB

svalue = ...
v1, v2 = my_fn(svalue)

Here, v1 and v2 get their values from a previous function call. Not from their current context. That is, we have to provide an exception for cases where an internal child method call may have generated a large fragment as we showed above. To account for that, we define mseq() that retrieves the method call sequence. In the above case, the mseq() of the internal child method call would be larger than the current mseq(). If so, we allow the replacement to proceed.

class ScopeTreeMiner(TreeMiner):
    def mseq(self, key):
        method, seq, var, lno = key
        return seq

The nt_var() method needs to take the tuple and generate a non-terminal symbol out of it. We skip the method sequence because it is not relevant for the grammar.

class ScopeTreeMiner(ScopeTreeMiner):
    def nt_var(self, key):
        method, seq, var, lno = key
        return to_nonterminal("%s@%d:%s" % (method, lno, var))

We now redefine the apply_new_definition() to account for context and scope. In particular, a variable is allowed to replace a part of a value only if the variable is in scope -- that is, it's scope (method sequence number of either its calling context in case it is a parameter or the current context in case it is a statement) is same as that of the value's method sequence number. An exception is made when the value's method sequence number is greater than the variable's method sequence number. In that case, the value may have come from an internal call. We allow the replacement to proceed in that case.

class ScopeTreeMiner(ScopeTreeMiner):
    def partition(self, part, value):
        return value.partition(part)
    def partition_by_part(self, pair, value):
        (nt_var, nt_seq), (v, v_scope) = pair
        prefix_k_suffix = [
                    (nt_var, [(v, [], nt_seq)]) if i == 1 else (e, [])
                    for i, e in enumerate(self.partition(v, value))
                    if e]
        return prefix_k_suffix

    def insert_into_tree(self, my_tree, pair):
        var, values, my_scope = my_tree
        (nt_var, nt_seq), (v, v_scope) = pair
        applied = False
        for i, value_ in enumerate(values):
            key, arr, scope = value_
            self.log(2, "-> [%d] %s" % (i, repr(value_)))
            if is_nonterminal(key):
                applied = self.insert_into_tree(value_, pair)
                if applied:
                    break
            else:
                if v_scope != scope:
                    if nt_seq > scope:
                        continue
                if not v or not self.string_part_of_value(v, key):
                    continue
                prefix_k_suffix = [(k, children, scope) for k, children
                                   in self.partition_by_part(pair, key)]
                del values[i]
                for j, rep in enumerate(prefix_k_suffix):
                    values.insert(j + i, rep)

                applied = True
                self.log(2, " > %s" % (repr([i[0] for i in prefix_k_suffix])))
                break
        return applied

The apply_new_definition() is now modified to carry additional contextual information mseq.

class ScopeTreeMiner(ScopeTreeMiner):
    def apply_new_definition(self, tree, var, value_):
        nt_var = self.nt_var(var)
        seq = self.mseq(var)
        val, (smethod, mseq) = value_
        return self.insert_into_tree(tree, ((nt_var, seq), (val, mseq)))

We also modify get_derivation_tree() so that the initial node carries the context.

class ScopeTreeMiner(ScopeTreeMiner):
    def get_derivation_tree(self):
        tree = (START_SYMBOL, [(self.my_input, [], 0)], 0)
        for var, value in self.my_assignments:
            self.log(0, "%s=%s" % (var, repr(value)))
            self.apply_new_definition(tree, var, value)
        return tree

Example 1: Recovering URL Parse Tree

We verify that our URL parse tree recovery still works as expected.

url_dts = []
for inputstr in URLS_X:
    clear_cache()
    with Tracer(inputstr, files=['urllib/parse.py']) as tracer:
        urlparse(tracer.my_input)
    sm = ScopeTracker(tracer.my_input, tracer.trace)
    for k, v in sm.my_assignments.defined_vars(formatted=False):
        print(k, '=', repr(v))
    dt = ScopeTreeMiner(
        tracer.my_input,
        sm.my_assignments.defined_vars(
            formatted=False))
    display_tree(dt.tree, graph_attr=lr_graph)
    url_dts.append(dt)
('urlparse', 1, 'url', 372) = ('http://user:pass@www.google.com:80/?q=path#ref', ('<start>', 0))
('urlparse', 1, 'url', 372) = ('http://user:pass@www.google.com:80/?q=path#ref', ('urlparse', 1))
('urlsplit', 3, 'url', 437) = ('http://user:pass@www.google.com:80/?q=path#ref', ('urlparse', 1))
('urlsplit', 3, 'url', 437) = ('http://user:pass@www.google.com:80/?q=path#ref', ('urlsplit', 3))
('urlsplit', 3, 'url', 478) = ('//user:pass@www.google.com:80/?q=path#ref', ('urlsplit', 3))
('urlsplit', 3, 'scheme', 478) = ('http', ('urlsplit', 3))
('_splitnetloc', 5, 'url', 411) = ('//user:pass@www.google.com:80/?q=path#ref', ('urlsplit', 3))
('_splitnetloc', 5, 'url', 411) = ('//user:pass@www.google.com:80/?q=path#ref', ('_splitnetloc', 5))
('urlsplit', 3, 'url', 481) = ('/?q=path#ref', ('urlsplit', 3))
('urlsplit', 3, 'netloc', 481) = ('user:pass@www.google.com:80', ('urlsplit', 3))
('urlsplit', 3, 'url', 486) = ('/?q=path', ('urlsplit', 3))
('urlsplit', 3, 'fragment', 486) = ('ref', ('urlsplit', 3))
('urlsplit', 3, 'query', 488) = ('q=path', ('urlsplit', 3))
('_checknetloc', 6, 'netloc', 419) = ('user:pass@www.google.com:80', ('urlsplit', 3))
('_checknetloc', 6, 'netloc', 419) = ('user:pass@www.google.com:80', ('_checknetloc', 6))
('urlparse', 1, 'scheme', 394) = ('http', ('urlparse', 1))
('urlparse', 1, 'netloc', 394) = ('user:pass@www.google.com:80', ('urlparse', 1))
('urlparse', 1, 'query', 394) = ('q=path', ('urlparse', 1))
('urlparse', 1, 'fragment', 394) = ('ref', ('urlparse', 1))
('urlparse', 1, 'url', 372) = ('https://www.cispa.saarland:80/', ('<start>', 0))
('urlparse', 1, 'url', 372) = ('https://www.cispa.saarland:80/', ('urlparse', 1))
('urlsplit', 3, 'url', 437) = ('https://www.cispa.saarland:80/', ('urlparse', 1))
('urlsplit', 3, 'url', 437) = ('https://www.cispa.saarland:80/', ('urlsplit', 3))
('urlsplit', 3, 'url', 478) = ('//www.cispa.saarland:80/', ('urlsplit', 3))
('urlsplit', 3, 'scheme', 478) = ('https', ('urlsplit', 3))
('_splitnetloc', 5, 'url', 411) = ('//www.cispa.saarland:80/', ('urlsplit', 3))
('_splitnetloc', 5, 'url', 411) = ('//www.cispa.saarland:80/', ('_splitnetloc', 5))
('urlsplit', 3, 'netloc', 481) = ('www.cispa.saarland:80', ('urlsplit', 3))
('_checknetloc', 6, 'netloc', 419) = ('www.cispa.saarland:80', ('urlsplit', 3))
('_checknetloc', 6, 'netloc', 419) = ('www.cispa.saarland:80', ('_checknetloc', 6))
('urlparse', 1, 'scheme', 394) = ('https', ('urlparse', 1))
('urlparse', 1, 'netloc', 394) = ('www.cispa.saarland:80', ('urlparse', 1))
('urlparse', 1, 'url', 372) = ('http://www.fuzzingbook.org/#News', ('<start>', 0))
('urlparse', 1, 'url', 372) = ('http://www.fuzzingbook.org/#News', ('urlparse', 1))
('urlsplit', 3, 'url', 437) = ('http://www.fuzzingbook.org/#News', ('urlparse', 1))
('urlsplit', 3, 'url', 437) = ('http://www.fuzzingbook.org/#News', ('urlsplit', 3))
('urlsplit', 3, 'url', 478) = ('//www.fuzzingbook.org/#News', ('urlsplit', 3))
('urlsplit', 3, 'scheme', 478) = ('http', ('urlsplit', 3))
('_splitnetloc', 5, 'url', 411) = ('//www.fuzzingbook.org/#News', ('urlsplit', 3))
('_splitnetloc', 5, 'url', 411) = ('//www.fuzzingbook.org/#News', ('_splitnetloc', 5))
('urlsplit', 3, 'url', 481) = ('/#News', ('urlsplit', 3))
('urlsplit', 3, 'netloc', 481) = ('www.fuzzingbook.org', ('urlsplit', 3))
('urlsplit', 3, 'fragment', 486) = ('News', ('urlsplit', 3))
('_checknetloc', 6, 'netloc', 419) = ('www.fuzzingbook.org', ('urlsplit', 3))
('_checknetloc', 6, 'netloc', 419) = ('www.fuzzingbook.org', ('_checknetloc', 6))
('urlparse', 1, 'scheme', 394) = ('http', ('urlparse', 1))
('urlparse', 1, 'netloc', 394) = ('www.fuzzingbook.org', ('urlparse', 1))
('urlparse', 1, 'fragment', 394) = ('News', ('urlparse', 1))
('urlparse', 1, 'url', 372) = ('ftp://freebsd.org/releases/5.8', ('<start>', 0))
('urlparse', 1, 'url', 372) = ('ftp://freebsd.org/releases/5.8', ('urlparse', 1))
('urlsplit', 3, 'url', 437) = ('ftp://freebsd.org/releases/5.8', ('urlparse', 1))
('urlsplit', 3, 'url', 437) = ('ftp://freebsd.org/releases/5.8', ('urlsplit', 3))
('urlsplit', 3, 'url', 478) = ('//freebsd.org/releases/5.8', ('urlsplit', 3))
('urlsplit', 3, 'scheme', 478) = ('ftp', ('urlsplit', 3))
('_splitnetloc', 5, 'url', 411) = ('//freebsd.org/releases/5.8', ('urlsplit', 3))
('_splitnetloc', 5, 'url', 411) = ('//freebsd.org/releases/5.8', ('_splitnetloc', 5))
('urlsplit', 3, 'url', 481) = ('/releases/5.8', ('urlsplit', 3))
('urlsplit', 3, 'netloc', 481) = ('freebsd.org', ('urlsplit', 3))
('_checknetloc', 6, 'netloc', 419) = ('freebsd.org', ('urlsplit', 3))
('_checknetloc', 6, 'netloc', 419) = ('freebsd.org', ('_checknetloc', 6))
('urlparse', 1, 'url', 394) = ('/releases/5.8', ('urlparse', 1))
('urlparse', 1, 'scheme', 394) = ('ftp', ('urlparse', 1))
('urlparse', 1, 'netloc', 394) = ('freebsd.org', ('urlparse', 1))

Example 2: Recovering Inventory Parse Tree

Next, we look at recovering the parse tree from process_inventory() which failed last time.

with Tracer(INVENTORY) as tracer:
    process_inventory(tracer.my_input)

sm = ScopeTracker(tracer.my_input, tracer.trace)
for k, v in sm.my_assignments.defined_vars():
    print(k, '=', repr(v))
inventory_dt = ScopeTreeMiner(
    tracer.my_input,
    sm.my_assignments.defined_vars(
        formatted=False))
display_tree(inventory_dt.tree, graph_attr=lr_graph)
process_inventory[1]:inventory@22 = ('1997,van,Ford,E350\n2000,car,Mercury,Cougar\n1999,car,Chevy,Venture', ('<start>', 0))
process_inventory[1]:inventory@22 = ('1997,van,Ford,E350\n2000,car,Mercury,Cougar\n1999,car,Chevy,Venture', ('process_inventory', 1))
process_inventory[1]:vehicle@24 = ('1997,van,Ford,E350', ('process_inventory', 1))
process_vehicle[2]:vehicle@29 = ('1997,van,Ford,E350', ('process_inventory', 1))
process_vehicle[2]:vehicle@29 = ('1997,van,Ford,E350', ('process_vehicle', 2))
process_vehicle[2]:year@30 = ('1997', ('process_vehicle', 2))
process_vehicle[2]:kind@30 = ('van', ('process_vehicle', 2))
process_vehicle[2]:company@30 = ('Ford', ('process_vehicle', 2))
process_vehicle[2]:model@30 = ('E350', ('process_vehicle', 2))
process_van[3]:year@40 = ('1997', ('process_vehicle', 2))
process_van[3]:company@40 = ('Ford', ('process_vehicle', 2))
process_van[3]:model@40 = ('E350', ('process_vehicle', 2))
process_van[3]:year@40 = ('1997', ('process_van', 3))
process_van[3]:company@40 = ('Ford', ('process_van', 3))
process_van[3]:model@40 = ('E350', ('process_van', 3))
process_inventory[1]:vehicle@24 = ('2000,car,Mercury,Cougar', ('process_inventory', 1))
process_vehicle[4]:vehicle@29 = ('2000,car,Mercury,Cougar', ('process_inventory', 1))
process_vehicle[4]:vehicle@29 = ('2000,car,Mercury,Cougar', ('process_vehicle', 4))
process_vehicle[4]:year@30 = ('2000', ('process_vehicle', 4))
process_vehicle[4]:kind@30 = ('car', ('process_vehicle', 4))
process_vehicle[4]:company@30 = ('Mercury', ('process_vehicle', 4))
process_vehicle[4]:model@30 = ('Cougar', ('process_vehicle', 4))
process_car[5]:year@49 = ('2000', ('process_vehicle', 4))
process_car[5]:company@49 = ('Mercury', ('process_vehicle', 4))
process_car[5]:model@49 = ('Cougar', ('process_vehicle', 4))
process_car[5]:year@49 = ('2000', ('process_car', 5))
process_car[5]:company@49 = ('Mercury', ('process_car', 5))
process_car[5]:model@49 = ('Cougar', ('process_car', 5))
process_inventory[1]:vehicle@24 = ('1999,car,Chevy,Venture', ('process_inventory', 1))
process_vehicle[6]:vehicle@29 = ('1999,car,Chevy,Venture', ('process_inventory', 1))
process_vehicle[6]:vehicle@29 = ('1999,car,Chevy,Venture', ('process_vehicle', 6))
process_vehicle[6]:year@30 = ('1999', ('process_vehicle', 6))
process_vehicle[6]:kind@30 = ('car', ('process_vehicle', 6))
process_vehicle[6]:company@30 = ('Chevy', ('process_vehicle', 6))
process_vehicle[6]:model@30 = ('Venture', ('process_vehicle', 6))
process_car[7]:year@49 = ('1999', ('process_vehicle', 6))
process_car[7]:company@49 = ('Chevy', ('process_vehicle', 6))
process_car[7]:model@49 = ('Venture', ('process_vehicle', 6))
process_car[7]:year@49 = ('1999', ('process_car', 7))
process_car[7]:company@49 = ('Chevy', ('process_car', 7))
process_car[7]:model@49 = ('Venture', ('process_car', 7))
0 <start> 1 <process_inventory@22:inventory> 0->1 2 <process_inventory@22:inventory> 1->2 3 <process_inventory@24:vehicle> 2->3 23 \n (10) 2->23 24 <process_inventory@24:vehicle> 2->24 44 \n (10) 2->44 45 <process_inventory@24:vehicle> 2->45 4 <process_vehicle@29:vehicle> 3->4 5 <process_vehicle@29:vehicle> 4->5 6 <process_vehicle@30:year> 5->6 10 , (44) 5->10 11 <process_vehicle@30:kind> 5->11 13 , (44) 5->13 14 <process_vehicle@30:company> 5->14 18 , (44) 5->18 19 <process_vehicle@30:model> 5->19 7 <process_van@40:year> 6->7 8 <process_van@40:year> 7->8 9 1997 8->9 12 van 11->12 15 <process_van@40:company> 14->15 16 <process_van@40:company> 15->16 17 Ford 16->17 20 <process_van@40:model> 19->20 21 <process_van@40:model> 20->21 22 E350 21->22 25 <process_vehicle@29:vehicle> 24->25 26 <process_vehicle@29:vehicle> 25->26 27 <process_vehicle@30:year> 26->27 31 , (44) 26->31 32 <process_vehicle@30:kind> 26->32 34 , (44) 26->34 35 <process_vehicle@30:company> 26->35 39 , (44) 26->39 40 <process_vehicle@30:model> 26->40 28 <process_car@49:year> 27->28 29 <process_car@49:year> 28->29 30 2000 29->30 33 car 32->33 36 <process_car@49:company> 35->36 37 <process_car@49:company> 36->37 38 Mercury 37->38 41 <process_car@49:model> 40->41 42 <process_car@49:model> 41->42 43 Cougar 42->43 46 <process_vehicle@29:vehicle> 45->46 47 <process_vehicle@29:vehicle> 46->47 48 <process_vehicle@30:year> 47->48 52 , (44) 47->52 53 <process_vehicle@30:kind> 47->53 55 , (44) 47->55 56 <process_vehicle@30:company> 47->56 60 , (44) 47->60 61 <process_vehicle@30:model> 47->61 49 <process_car@49:year> 48->49 50 <process_car@49:year> 49->50 51 1999 50->51 54 car 53->54 57 <process_car@49:company> 56->57 58 <process_car@49:company> 57->58 59 Chevy 58->59 62 <process_car@49:model> 61->62 63 <process_car@49:model> 62->63 64 Venture 63->64

The recovered parse tree seems reasonable.

One of the things that one might notice from our Example (2) is that the three subtrees -- vehicle[2:1], vehicle[4:1] and vehicle[6:1] are quite alike. We will examine how this can be exploited to generate a grammar directly, next.

Grammar Mining

The tree_to_grammar() is now redefined as follows, to account for the extra scope in nodes.

class ScopedGrammarMiner(GrammarMiner):
    def tree_to_grammar(self, tree):
        key, children, scope = tree
        one_alt = [ckey for ckey, gchildren, cscope in children if ckey != key]
        hsh = {key: [one_alt] if one_alt else []}
        for child in children:
            (ckey, _gc, _cscope) = child
            if not is_nonterminal(ckey):
                continue
            chsh = self.tree_to_grammar(child)
            for k in chsh:
                if k not in hsh:
                    hsh[k] = chsh[k]
                else:
                    hsh[k].extend(chsh[k])
        return hsh

The grammar is in canonical form, which needs to be massaged to display. First, the recovered grammar for inventory.

si = ScopedGrammarMiner()
si.add_tree(inventory_dt)
syntax_diagram(readable(si.grammar))
start
process_inventory@22:inventory
process_inventory@22:inventory
process_inventory@24:vehicle process_inventory@24:vehicle process_inventory@24:vehicle
process_inventory@24:vehicle
process_vehicle@29:vehicle
process_vehicle@29:vehicle
process_vehicle@30:year , process_vehicle@30:kind , process_vehicle@30:company , process_vehicle@30:model
process_vehicle@30:year
process_car@49:year process_van@40:year
process_van@40:year
1997
process_vehicle@30:kind
car van
process_vehicle@30:company
process_van@40:company process_car@49:company
process_van@40:company
Ford
process_vehicle@30:model
process_van@40:model process_car@49:model
process_van@40:model
E350
process_car@49:year
2000 1999
process_car@49:company
Mercury Chevy
process_car@49:model
Cougar Venture

The recovered grammar for URLs.

su = ScopedGrammarMiner()
for t in url_dts:
    su.add_tree(t)
syntax_diagram(readable(su.grammar))
start
urlparse@372:url
urlparse@372:url
urlsplit@437:url
urlsplit@437:url
urlsplit@478:scheme : urlsplit@478:url
urlsplit@478:scheme
urlparse@394:scheme
urlparse@394:scheme
https ftp http
urlsplit@478:url
_splitnetloc@411:url
_splitnetloc@411:url
// urlsplit@481:netloc urlsplit@481:url // urlsplit@481:netloc /
urlsplit@481:netloc
_checknetloc@419:netloc
_checknetloc@419:netloc
urlparse@394:netloc
urlparse@394:netloc
www.fuzzingbook.org freebsd.org user:pass@www.google.com:80 www.cispa.saarland:80
urlsplit@481:url
urlparse@394:url /# urlsplit@486:fragment urlsplit@486:url # urlsplit@486:fragment
urlsplit@486:url
/? urlsplit@488:query
urlsplit@488:query
urlparse@394:query
urlparse@394:query
q=path
urlsplit@486:fragment
urlparse@394:fragment
urlparse@394:fragment
News ref
urlparse@394:url
/releases/5.8

One might notice that the grammar is not entirely human-readable, with a number of single token definitions.

Hence, the last piece of the puzzle is the cleanup method clean_grammar(), which cleans up such definitions. The idea is to look for single token definitions such that a key is defined exactly by another key (single alternative, single token, nonterminal).

class ScopedGrammarMiner(ScopedGrammarMiner):
    def get_replacements(self, grammar):
        replacements = {}
        for k in grammar:
            if k == START_SYMBOL:
                continue
            alts = grammar[k]
            if len(set([str(i) for i in alts])) != 1:
                continue
            rule = alts[0]
            if len(rule) != 1:
                continue
            tok = rule[0]
            if not is_nonterminal(tok):
                continue
            replacements[k] = tok
        return replacements

Once we have such a list, iteratively replace the original key where ever it is used with the token we found earlier. Repeat until none is left.

class ScopedGrammarMiner(ScopedGrammarMiner):
    def clean_grammar(self):
        replacements = self.get_replacements(self.grammar)

        while True:
            changed = set()
            for k in self.grammar:
                if k in replacements:
                    continue
                new_alts = []
                for alt in self.grammar[k]:
                    new_alt = []
                    for t in alt:
                        if t in replacements:
                            new_alt.append(replacements[t])
                            changed.add(t)
                        else:
                            new_alt.append(t)
                    new_alts.append(new_alt)
                self.grammar[k] = new_alts
            if not changed:
                break
            for k in changed:
                self.grammar.pop(k, None)
        return readable(self.grammar)

The clean_grammar() is used as follows:

si = ScopedGrammarMiner()
si.add_tree(inventory_dt)
syntax_diagram(readable(si.clean_grammar()))
start
process_inventory@22:inventory
process_inventory@22:inventory
process_vehicle@29:vehicle process_vehicle@29:vehicle process_vehicle@29:vehicle
process_vehicle@29:vehicle
process_vehicle@30:year , process_vehicle@30:kind , process_vehicle@30:company , process_vehicle@30:model
process_vehicle@30:year
process_car@49:year process_van@40:year
process_van@40:year
1997
process_vehicle@30:kind
car van
process_vehicle@30:company
process_van@40:company process_car@49:company
process_van@40:company
Ford
process_vehicle@30:model
process_van@40:model process_car@49:model
process_van@40:model
E350
process_car@49:year
2000 1999
process_car@49:company
Mercury Chevy
process_car@49:model
Cougar Venture

We update the update_grammar() to use the right tracker and miner.

class ScopedGrammarMiner(ScopedGrammarMiner):
    def update_grammar(self, inputstr, trace):
        at = self.create_tracker(inputstr, trace)
        dt = self.create_tree_miner(
            inputstr, at.my_assignments.defined_vars(
                formatted=False))
        self.add_tree(dt)
        return self.grammar

    def create_tracker(self, *args):
        return ScopeTracker(*args)

    def create_tree_miner(self, *args):
        return ScopeTreeMiner(*args)

The recover_grammar() uses the right miner, and returns a cleaned grammar.

def recover_grammar(fn, inputs, **kwargs):
    miner = ScopedGrammarMiner()
    for inputstr in inputs:
        with Tracer(inputstr, **kwargs) as tracer:
            fn(tracer.my_input)
        miner.update_grammar(tracer.my_input, tracer.trace)
    return readable(miner.clean_grammar())
url_grammar = recover_grammar(url_parse, URLS_X, files=['urllib/parse.py'])
syntax_diagram(url_grammar)
start
urlsplit@437:url
urlsplit@437:url
urlparse@394:scheme : _splitnetloc@411:url
urlparse@394:scheme
https ftp http
_splitnetloc@411:url
// urlparse@394:netloc urlsplit@481:url // urlparse@394:netloc /
urlparse@394:netloc
freebsd.org www.cispa.saarland:80 user:pass@www.google.com:80 www.fuzzingbook.org
urlsplit@481:url
urlsplit@486:url # urlparse@394:fragment /# urlparse@394:fragment urlparse@394:url
urlsplit@486:url
/? urlparse@394:query
urlparse@394:query
q=path
urlparse@394:fragment
News ref
urlparse@394:url
/releases/5.8
f = GrammarFuzzer(url_grammar)
for _ in range(10):
    print(f.fuzz())
ftp://www.fuzzingbook.org/?q=path#News
ftp://www.cispa.saarland:80/
ftp://www.fuzzingbook.org/#ref
ftp://freebsd.org/#ref
ftp://user:pass@www.google.com:80/
ftp://www.cispa.saarland:80/
http://www.cispa.saarland:80/?q=path#News
http://freebsd.org/#ref
http://www.cispa.saarland:80/releases/5.8
ftp://freebsd.org/releases/5.8
inventory_grammar = recover_grammar(process_inventory, [INVENTORY])
syntax_diagram(inventory_grammar)
start
process_inventory@22:inventory
process_inventory@22:inventory
process_vehicle@29:vehicle process_vehicle@29:vehicle process_vehicle@29:vehicle
process_vehicle@29:vehicle
process_vehicle@30:year , process_vehicle@30:kind , process_vehicle@30:company , process_vehicle@30:model
process_vehicle@30:year
process_car@49:year process_van@40:year
process_van@40:year
1997
process_vehicle@30:kind
car van
process_vehicle@30:company
process_van@40:company process_car@49:company
process_van@40:company
Ford
process_vehicle@30:model
process_van@40:model process_car@49:model
process_van@40:model
E350
process_car@49:year
2000 1999
process_car@49:company
Mercury Chevy
process_car@49:model
Cougar Venture
f = GrammarFuzzer(inventory_grammar)
for _ in range(10):
    print(f.fuzz())
2000,van,Ford,E350
1999,car,Chevy,Venture
1997,van,Ford,E350
2000,van,Ford,E350
1999,car,Mercury,E350
1997,van,Chevy,E350
1999,car,Chevy,Venture
2000,van,Mercury,Cougar
1997,van,Mercury,Cougar
1997,car,Ford,Cougar
1997,car,Chevy,E350
1997,car,Ford,E350
1997,van,Ford,Venture
1997,van,Chevy,Venture
1999,van,Chevy,Cougar
1997,van,Ford,Venture
2000,van,Ford,Cougar
1999,van,Ford,Cougar
1999,car,Chevy,E350
1997,car,Chevy,Cougar
1997,car,Chevy,E350
1997,van,Chevy,Cougar
1999,car,Ford,Venture
1997,van,Mercury,Venture
1997,car,Chevy,E350
1997,van,Ford,E350
1999,car,Ford,Cougar
1999,van,Chevy,E350
1997,van,Ford,Venture
2000,van,Ford,Cougar

We see how tracking scope helps us to extract an even more precise grammar.

Notice that we use String inclusion testing as a way of determining whether a particular string fragment came from the original input string. While this may seem rather error-prone compared to dynamic tainting, we note that numerous tracing tools such as dtrace() and ptrace() allow one to obtain the information we seek from execution of binaries directly in different platforms. However, methods for obtaining dynamic taints almost always involve instrumenting the binaries before they can be used. Hence, this method of string inclusion can be more generally applied than dynamic tainting approaches. Further, dynamic taints are often lost due to implicit transmission, or at the boundary between Python and C code. String inclusion has not such problems. Hence, our approach can often obtain better results than relying on dynamic tainting.

Lessons Learned

  • Given a set of sample inputs for a program, we can learn an input grammar by examining variable values during execution if the program relies on handwritten parsers.
  • Simple string inclusion checks are sufficient to obtain reasonably accurate grammars from real world programs.
  • The resulting grammars can be directly used for fuzzing, and can have a multiplier effect on any samples you have.

Next Steps

  • Learn how to use information flow to further improve mapping inputs to states.

Background

Recovering the language from a set of samples (i.e., not taking into account a possible program that might process them) is a well researched topic. The excellent reference by Higuera [De la Higuera et al, 2010] covers all the classical approaches. The current state of the art in black box grammar mining is described by Clark [Clark et al, 2013].

Learning an input language from a program, with or without samples, is yet an emerging topic, despite its potential for fuzzing. The pioneering work in this area was done by Lin et al. [Lin et al, 2008] who invented a way to retrieve the parse trees from top down and bottom up parsers. The approach described in this chapter is based directly on the AUTOGRAM work of Hoschele et al. [Höschele et al, 2017].

Exercises

Exercise 1: Flattening complex objects

Our grammar miners only check for string fragments. However, programs may often pass containers or custom objects containing input fragments. For example, consider the plausible modification for our inventory processor, where we use a custom object Vehicle to carry fragments.

class Vehicle:
    def __init__(self, vehicle: str):
        year, kind, company, model, *_ = vehicle.split(',')
        self.year, self.kind, self.company, self.model = year, kind, company, model
def process_inventory_with_obj(inventory: str) -> str:
    res = []
    for vehicle in inventory.split('\n'):
        ret = process_vehicle(vehicle)
        res.extend(ret)

    return '\n'.join(res)
def process_vehicle_with_obj(vehicle: str) -> List[str]:
    v = Vehicle(vehicle)
    if v.kind == 'van':
        return process_van_with_obj(v)

    elif v.kind == 'car':
        return process_car_with_obj(v)

    else:
        raise Exception('Invalid entry')
def process_van_with_obj(vehicle: Vehicle) -> List[str]:
    res = [
        "We have a %s %s van from %s vintage." % (vehicle.company,
                                                  vehicle.model, vehicle.year)
    ]
    iyear = int(vehicle.year)
    if iyear > 2010:
        res.append("It is a recent model!")
    else:
        res.append("It is an old but reliable model!")
    return res
def process_car_with_obj(vehicle: Vehicle) -> List[str]:
    res = [
        "We have a %s %s car from %s vintage." % (vehicle.company,
                                                  vehicle.model, vehicle.year)
    ]
    iyear = int(vehicle.year)
    if iyear > 2016:
        res.append("It is a recent model!")
    else:
        res.append("It is an old but reliable model!")
    return res

We recover the grammar as before.

vehicle_grammar = recover_grammar(
    process_inventory_with_obj,
    [INVENTORY],
    methods=INVENTORY_METHODS)

The new vehicle grammar is missing in details, especially as to the different models and company for a van and car.

syntax_diagram(vehicle_grammar)
start
process_vehicle@29:vehicle process_vehicle@29:vehicle process_vehicle@29:vehicle
process_vehicle@29:vehicle
process_vehicle@30:year , process_vehicle@30:kind , process_vehicle@30:company , process_vehicle@30:model
process_vehicle@30:year
process_car@49:year process_van@40:year
process_van@40:year
1997
process_vehicle@30:kind
car van
process_vehicle@30:company
process_van@40:company process_car@49:company
process_van@40:company
Ford
process_vehicle@30:model
process_van@40:model process_car@49:model
process_van@40:model
E350
process_car@49:year
2000 1999
process_car@49:company
Mercury Chevy
process_car@49:model
Cougar Venture

The problem is that, we are looking specifically for string objects that contain fragments of the input string during tracing. Can you modify our grammar miner to correctly account for the complex objects too?

Exercise 2: Incorporating Taints from InformationFlow

We have been using string inclusion to check whether a particular fragment came from the input string. This is unsatisfactory as it required us to compromise on the size of the strings tracked, which was limited to those greater than FRAGMENT_LEN. Further, it is possible that a single method could process a string where a fragment repeats, but is part of different tokens. For example, an embedded comma in the CSV file would cause our parser to fail. One way to avoid this is to rely on dynamic taints, and check for taint inclusion rather than string inclusion.

The chapter on information flow details how to incorporate dynamic taints. Can you update our grammar miner based on scope to use dynamic taints instead?

Creative Commons License The content of this project is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. The source code that is part of the content, as well as the source code used to format and display that content is licensed under the MIT License. Last change: 2023-11-11 18:18:06+01:00CiteImprint