{ "cells": [ { "cell_type": "markdown", "metadata": { "button": false, "new_sheet": false, "run_control": { "read_only": false }, "slideshow": { "slide_type": "slide" }, "tags": [], "toc-hr-collapsed": false }, "source": [ "# Probabilistic Grammar Fuzzing\n", "\n", "Let us give grammars even more power by assigning _probabilities_ to individual expansions. This allows us to control how many of each element should be produced, and thus allows us to _target_ our generated tests towards specific functionality. We also show how to learn such probabilities from given sample inputs, and specifically direct our tests towards input features that are uncommon in these samples." ] }, { "cell_type": "code", "execution_count": 1, "metadata": { "execution": { "iopub.execute_input": "2022-05-18T10:54:22.104519Z", "iopub.status.busy": "2022-05-18T10:54:22.104358Z", "iopub.status.idle": "2022-05-18T10:54:22.161156Z", "shell.execute_reply": "2022-05-18T10:54:22.160700Z" }, "slideshow": { "slide_type": "skip" } }, "outputs": [ { "data": { "text/html": [ "\n", " \n", " " ], "text/plain": [ "" ] }, "execution_count": 1, "metadata": {}, "output_type": "execute_result" } ], "source": [ "from bookutils import YouTubeVideo\n", "YouTubeVideo('9htOliNwopc')" ] }, { "cell_type": "markdown", "metadata": { "button": false, "new_sheet": false, "run_control": { "read_only": false }, "slideshow": { "slide_type": "subslide" } }, "source": [ "**Prerequisites**\n", "\n", "* You should have read the [chapter on grammars](Grammars.ipynb).\n", "* Our implementation hooks into the grammar-based fuzzer introduced in [\"Efficient Grammar Fuzzing\"](GrammarFuzzer.ipynb)\n", "* For learning probabilities from samples, we make use of [parsers](Parser.ipynb)." ] }, { "cell_type": "markdown", "metadata": { "slideshow": { "slide_type": "skip" } }, "source": [ "## Synopsis\n", "\n", "\n", "To [use the code provided in this chapter](Importing.ipynb), write\n", "\n", "python\n", ">>> from fuzzingbook.ProbabilisticGrammarFuzzer import \n", "\n", "\n", "and then make use of the following features.\n", "\n", "\n", "A _probabilistic_ grammar allows to attach individual _probabilities_ to production rules. To set the probability of an individual expansion S to the value X (between 0 and 1), replace it with a pair\n", "\n", "python\n", "(S, opts(prob=X))\n", "\n", "\n", "If we want to ensure that 90% of phone numbers generated have an area code starting with 9, we can write:\n", "\n", "python\n", ">>> from Grammars import US_PHONE_GRAMMAR, extend_grammar, opts\n", ">>> PROBABILISTIC_US_PHONE_GRAMMAR: Grammar = extend_grammar(US_PHONE_GRAMMAR,\n", ">>> {\n", ">>> \"\": [\n", ">>> \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\",\n", ">>> (\"9\", opts(prob=0.9))\n", ">>> ],\n", ">>> })\n", "\n", "A ProbabilisticGrammarFuzzer will extract and interpret these options. Here is an example:\n", "\n", "python\n", ">>> probabilistic_us_phone_fuzzer = ProbabilisticGrammarFuzzer(PROBABILISTIC_US_PHONE_GRAMMAR)\n", ">>> [probabilistic_us_phone_fuzzer.fuzz() for i in range(5)]\n", "['(918)925-2501',\n", " '(981)925-0792',\n", " '(934)995-5029',\n", " '(955)999-7801',\n", " '(964)927-0877']\n", "\n", "As you can see, the large majority of area codes now starts with 9.\n", "\n", "![](PICS/ProbabilisticGrammarFuzzer-synopsis-1.svg)\n", "\n" ] }, { "cell_type": "markdown", "metadata": { "slideshow": { "slide_type": "slide" } }, "source": [ "## The Law of Leading Digits" ] }, { "cell_type": "markdown", "metadata": { "slideshow": { "slide_type": "fragment" } }, "source": [ "In all our examples so far, you may have noted that inputs generated by a program differ quite a bit from \"natural\" inputs as they occur in real life. This is true even for innocuous elements such as numbers – yes, the numbers we have generated so far actually _differ_ from numbers in the real world. This is because in real-life sets of numerical data, the _leading significant digit_ is likely to be small: Actually, on average, the leading digit 1 occurs more than _six times_ as often as the leading digit 8 or 9. It has been shown that this result applies to a wide variety of data sets, including electricity bills, street addresses, stock prices, house prices, population numbers, death rates, lengths of rivers, physical and mathematical constants (Wikipedia)." ] }, { "cell_type": "markdown", "metadata": { "slideshow": { "slide_type": "subslide" } }, "source": [ "This law of leading digits was first observed by Newcomb \\cite{Newcomb1881} and later formalized by Benford in \\cite{Benford1938}. Let us take a look at the conditions that determine the first digit of a number. We can easily compute the first digit by converting the number into a string and take the first character:" ] }, { "cell_type": "code", "execution_count": 2, "metadata": { "execution": { "iopub.execute_input": "2022-05-18T10:54:22.174599Z", "iopub.status.busy": "2022-05-18T10:54:22.174431Z", "iopub.status.idle": "2022-05-18T10:54:22.176363Z", "shell.execute_reply": "2022-05-18T10:54:22.176121Z" }, "slideshow": { "slide_type": "fragment" } }, "outputs": [], "source": [ "def first_digit_via_string(x: int) -> int:\n", " return ord(repr(x)[0]) - ord('0')" ] }, { "cell_type": "code", "execution_count": 3, "metadata": { "execution": { "iopub.execute_input": "2022-05-18T10:54:22.177774Z", "iopub.status.busy": "2022-05-18T10:54:22.177671Z", "iopub.status.idle": "2022-05-18T10:54:22.179744Z", "shell.execute_reply": "2022-05-18T10:54:22.179478Z" }, "slideshow": { "slide_type": "fragment" } }, "outputs": [ { "data": { "text/plain": [ "2" ] }, "execution_count": 3, "metadata": {}, "output_type": "execute_result" } ], "source": [ "first_digit_via_string(2001)" ] }, { "cell_type": "markdown", "metadata": { "slideshow": { "slide_type": "subslide" } }, "source": [ "To do this mathematically, though, we have to take the fractional part of their logarithm, or formally\n", "\n", "$$\n", "d = 10^{\\{\\log_{10}(x)\\}}\n", "$$\n", "\n", "where $\\{x\\}$ is the fractional part of $x$ (i.e. $\\{1.234\\} = 0.234$)." ] }, { "cell_type": "code", "execution_count": 4, "metadata": { "execution": { "iopub.execute_input": "2022-05-18T10:54:22.181254Z", "iopub.status.busy": "2022-05-18T10:54:22.181141Z", "iopub.status.idle": "2022-05-18T10:54:22.182733Z", "shell.execute_reply": "2022-05-18T10:54:22.182507Z" }, "slideshow": { "slide_type": "skip" } }, "outputs": [], "source": [ "import math" ] }, { "cell_type": "code", "execution_count": 5, "metadata": { "execution": { "iopub.execute_input": "2022-05-18T10:54:22.184137Z", "iopub.status.busy": "2022-05-18T10:54:22.184053Z", "iopub.status.idle": "2022-05-18T10:54:22.185877Z", "shell.execute_reply": "2022-05-18T10:54:22.185647Z" }, "slideshow": { "slide_type": "fragment" } }, "outputs": [], "source": [ "def first_digit_via_log(x: int) -> int:\n", " frac, whole = math.modf(math.log10(x))\n", " return int(10 ** frac)" ] }, { "cell_type": "code", "execution_count": 6, "metadata": { "execution": { "iopub.execute_input": "2022-05-18T10:54:22.187179Z", "iopub.status.busy": "2022-05-18T10:54:22.187096Z", "iopub.status.idle": "2022-05-18T10:54:22.189215Z", "shell.execute_reply": "2022-05-18T10:54:22.188936Z" }, "slideshow": { "slide_type": "fragment" } }, "outputs": [ { "data": { "text/plain": [ "2" ] }, "execution_count": 6, "metadata": {}, "output_type": "execute_result" } ], "source": [ "first_digit_via_log(2001)" ] }, { "cell_type": "markdown", "metadata": { "slideshow": { "slide_type": "subslide" } }, "source": [ "Most sets of \"naturally\" occurring numbers should not have any bias in the fractional parts of their logarithms, and hence, the fractional part $\\{\\log_{10}(x)\\}$ is typically uniformly distributed. However, the fractional parts for the individual digits are _not_ evenly distributed. " ] }, { "cell_type": "markdown", "metadata": { "slideshow": { "slide_type": "fragment" } }, "source": [ "For a number to start with a digit $d$, the condition $d < 10^{\\{\\log_{10}(x)\\}} < d + 1$ must hold. To start with the digit 1, the fractional part $\\{\\log_{10}(x)\\}$ must thus be in the range" ] }, { "cell_type": "code", "execution_count": 7, "metadata": { "execution": { "iopub.execute_input": "2022-05-18T10:54:22.190620Z", "iopub.status.busy": "2022-05-18T10:54:22.190538Z", "iopub.status.idle": "2022-05-18T10:54:22.192688Z", "shell.execute_reply": "2022-05-18T10:54:22.192457Z" }, "slideshow": { "slide_type": "fragment" } }, "outputs": [ { "data": { "text/plain": [ "(0.0, 0.3010299956639812)" ] }, "execution_count": 7, "metadata": {}, "output_type": "execute_result" } ], "source": [ "(math.log10(1), math.log10(2))" ] }, { "cell_type": "markdown", "metadata": { "slideshow": { "slide_type": "fragment" } }, "source": [ "To start with the digit 2, though, it must be in the range" ] }, { "cell_type": "code", "execution_count": 8, "metadata": { "execution": { "iopub.execute_input": "2022-05-18T10:54:22.194158Z", "iopub.status.busy": "2022-05-18T10:54:22.194076Z", "iopub.status.idle": "2022-05-18T10:54:22.196173Z", "shell.execute_reply": "2022-05-18T10:54:22.195972Z" }, "slideshow": { "slide_type": "fragment" } }, "outputs": [ { "data": { "text/plain": [ "(0.3010299956639812, 0.47712125471966244)" ] }, "execution_count": 8, "metadata": {}, "output_type": "execute_result" } ], "source": [ "(math.log10(2), math.log10(3))" ] }, { "cell_type": "markdown", "metadata": { "slideshow": { "slide_type": "subslide" } }, "source": [ "which is much smaller. Formally, the probability $P(d)$ for a leading digit $d$ (again, assuming uniformly distributed fractional parts) is known as Benford's law:\n", "$$\n", "P(d) = \\log_{10}(d + 1) - \\log_{10}(d)\n", "$$\n", "which gives us:" ] }, { "cell_type": "code", "execution_count": 9, "metadata": { "execution": { "iopub.execute_input": "2022-05-18T10:54:22.197606Z", "iopub.status.busy": "2022-05-18T10:54:22.197515Z", "iopub.status.idle": "2022-05-18T10:54:22.199210Z", "shell.execute_reply": "2022-05-18T10:54:22.198993Z" }, "slideshow": { "slide_type": "fragment" } }, "outputs": [], "source": [ "def prob_leading_digit(d: int) -> float:\n", " return math.log10(d + 1) - math.log10(d)" ] }, { "cell_type": "markdown", "metadata": { "slideshow": { "slide_type": "fragment" } }, "source": [ "Let us compute these probabilities for all digits:" ] }, { "cell_type": "code", "execution_count": 10, "metadata": { "execution": { "iopub.execute_input": "2022-05-18T10:54:22.200682Z", "iopub.status.busy": "2022-05-18T10:54:22.200588Z", "iopub.status.idle": "2022-05-18T10:54:22.203222Z", "shell.execute_reply": "2022-05-18T10:54:22.202998Z" }, "slideshow": { "slide_type": "subslide" } }, "outputs": [ { "data": { "text/plain": [ "[(1, '0.30'),\n", " (2, '0.18'),\n", " (3, '0.12'),\n", " (4, '0.10'),\n", " (5, '0.08'),\n", " (6, '0.07'),\n", " (7, '0.06'),\n", " (8, '0.05'),\n", " (9, '0.05')]" ] }, "execution_count": 10, "metadata": {}, "output_type": "execute_result" } ], "source": [ "digit_probs = [prob_leading_digit(d) for d in range(1, 10)]\n", "[(d, \"%.2f\" % digit_probs[d - 1]) for d in range(1, 10)]" ] }, { "cell_type": "code", "execution_count": 11, "metadata": { "execution": { "iopub.execute_input": "2022-05-18T10:54:22.204582Z", "iopub.status.busy": "2022-05-18T10:54:22.204495Z", "iopub.status.idle": "2022-05-18T10:54:22.632661Z", "shell.execute_reply": "2022-05-18T10:54:22.632381Z" }, "slideshow": { "slide_type": "fragment" } }, "outputs": [], "source": [ "# ignore\n", "import matplotlib.pyplot as plt # type: ignore" ] }, { "cell_type": "code", "execution_count": 12, "metadata": { "execution": { "iopub.execute_input": "2022-05-18T10:54:22.634445Z", "iopub.status.busy": "2022-05-18T10:54:22.634311Z", "iopub.status.idle": "2022-05-18T10:54:22.725048Z", "shell.execute_reply": "2022-05-18T10:54:22.724613Z" }, "slideshow": { "slide_type": "subslide" } }, "outputs": [ { "data": { "image/png": "\n", "text/plain": [ "