Merge branch 'master' into ssrf-url-name-test

Author: seran

README.md

@@ -198,6 +198,8 @@ Examples of Fortune 500 companies using _EvoMaster_ are:
 
 ![](docs/img/video-player-flaticon.png)
 
+* A [45-minute talk given at TestCon'25](https://www.youtube.com/watch?v=uKKRo3LrNiw&list=PLqYhGsQ9iSEoXaRmW9WQjjXJK_1NbLlZ6&index=15) on Fuzz Testing Web APIs gives an overview of what can be expected from this kind of fuzzers.   
+
 * A [short video](https://youtu.be/3mYxjgnhLEo) (5 minutes)
   shows the use of _EvoMaster_ on one of the
   case studies in [EMB](https://github.com/WebFuzzing/EMB).

core/src/main/kotlin/org/evomaster/core/EMConfig.kt

@@ -1162,7 +1162,7 @@ class EMConfig {
 
     enum class Algorithm {
         DEFAULT, SMARTS, MIO, RANDOM, WTS, MOSA, RW,
-        StandardGA, MonotonicGA, SteadyStateGA, BreederGA, CellularGA, OnePlusLambdaLambdaGA, MuLambdaEA, MuPlusLambdaEA // GA variants still work-in-progress.
+        StandardGA, MonotonicGA, SteadyStateGA, BreederGA, CellularGA, OnePlusLambdaLambdaGA, MuLambdaEA, MuPlusLambdaEA, LIPS // GA variants still work-in-progress.
     }
 
     @Cfg("The algorithm used to generate test cases. The default depends on whether black-box or white-box testing is done.")

core/src/main/kotlin/org/evomaster/core/Main.kt

@@ -645,6 +645,8 @@ class Main {
                 EMConfig.Algorithm.StandardGA ->
                     Key.get(object : TypeLiteral<StandardGeneticAlgorithm<GraphQLIndividual>>() {})
 
+                EMConfig.Algorithm.LIPS ->
+                    Key.get(object : TypeLiteral<org.evomaster.core.search.algorithms.LIPSAlgorithm<GraphQLIndividual>>() {})
                 EMConfig.Algorithm.MuPlusLambdaEA ->
                     Key.get(object : TypeLiteral<MuPlusLambdaEvolutionaryAlgorithm<GraphQLIndividual>>() {})
 
@@ -684,6 +686,8 @@ class Main {
 
                 EMConfig.Algorithm.RW ->
                     Key.get(object : TypeLiteral<RandomWalkAlgorithm<RPCIndividual>>() {})
+                EMConfig.Algorithm.LIPS ->
+                    Key.get(object : TypeLiteral<org.evomaster.core.search.algorithms.LIPSAlgorithm<RPCIndividual>>() {})
 
                 EMConfig.Algorithm.MuPlusLambdaEA ->
                     Key.get(object : TypeLiteral<MuPlusLambdaEvolutionaryAlgorithm<RPCIndividual>>() {})
@@ -722,6 +726,8 @@ class Main {
 
                 EMConfig.Algorithm.RW ->
                     Key.get(object : TypeLiteral<RandomWalkAlgorithm<WebIndividual>>() {})
+                EMConfig.Algorithm.LIPS ->
+                    Key.get(object : TypeLiteral<org.evomaster.core.search.algorithms.LIPSAlgorithm<WebIndividual>>() {})
 
                 EMConfig.Algorithm.MuPlusLambdaEA ->
                     Key.get(object : TypeLiteral<MuPlusLambdaEvolutionaryAlgorithm<WebIndividual>>() {})
@@ -769,6 +775,8 @@ class Main {
 
                 EMConfig.Algorithm.RW ->
                     Key.get(object : TypeLiteral<RandomWalkAlgorithm<RestIndividual>>() {})
+                EMConfig.Algorithm.LIPS ->
+                    Key.get(object : TypeLiteral<org.evomaster.core.search.algorithms.LIPSAlgorithm<RestIndividual>>() {})
                 EMConfig.Algorithm.MuPlusLambdaEA ->
                     Key.get(object : TypeLiteral<MuPlusLambdaEvolutionaryAlgorithm<RestIndividual>>() {})
                 EMConfig.Algorithm.MuLambdaEA ->

core/src/main/kotlin/org/evomaster/core/problem/rest/service/RestIndividualBuilder.kt

@@ -102,6 +102,9 @@ class RestIndividualBuilder {
                 .forEach { it.revertToWeakReference() }
             other.resetLocalIdRecursively()
 
+            //avoid possible taint id conflicts
+            other.seeAllActions().forEach { it.forceNewTaints() }
+
             val duplicates = base.addInitializingActions(other.seeInitializingActions())
 
             other.getFlattenMainEnterpriseActionGroup()!!.forEach { group ->

core/src/main/kotlin/org/evomaster/core/search/algorithms/LIPSAlgorithm.kt

@@ -0,0 +1,139 @@
+package org.evomaster.core.search.algorithms
+
+import com.google.inject.Inject
+import org.evomaster.core.EMConfig
+import org.evomaster.core.search.Individual
+import org.evomaster.core.search.algorithms.wts.WtsEvalIndividual
+import org.evomaster.client.java.instrumentation.shared.ObjectiveNaming
+import org.evomaster.core.search.service.IdMapper
+
+/**
+ * Linearly Independent Path-based Search (LIPS).
+ *
+ * A single-objective GA that optimizes one branch target at a time.
+ *
+ * - Initializes a random individual i and build the initial population P = random ∪ {i}.
+ * - Maintains a current branch target.
+ * - Per-target budget is a fair share of the global TIME/ACTIONS budget; switches target when the target is covered or its budget is exhausted.
+ */
+class LIPSAlgorithm<T> : AbstractGeneticAlgorithm<T>() where T : Individual {
+
+    @Inject
+    private lateinit var idMapper: IdMapper
+
+    private var currentTarget: Int? = null
+    private lateinit var budget: LipsBudget
+
+    override fun getType(): EMConfig.Algorithm = EMConfig.Algorithm.LIPS
+
+    override fun initPopulation() {
+        population.clear()
+        // 1) Generate Random Individual
+        val i = sampleSuite()
+        // 2) P <- RandomPopulation(ps-1) ∪ {i}
+        population.add(i)
+        while (population.size < config.populationSize) {
+            population.add(sampleSuite())
+        }
+        // Initialize budget manager and first per-target budget using current uncovered targets
+        budget = LipsBudget(config, time)
+        val initUncoveredSize = archive.notCoveredTargets().size
+        budget.budgetLeftForCurrentTarget = budget.computePerTargetBudget(initUncoveredSize)
+    }
+
+    override fun searchOnce() {
+        beginGeneration()
+        // record budget usage for this generation
+        val startActions = time.evaluatedActions
+        val startSeconds = time.getElapsedSeconds()
+
+        // Compute uncovered goals
+        val uncovered = archive.notCoveredTargets()
+
+        // current target is null if covered by previous generation or out of budget
+        // Pick target if null, or if previously covered (check coverage directly)
+        val needNewTarget = currentTarget == null || archive.isCovered(currentTarget!!)
+        if (needNewTarget) {
+            val target = lastUncoveredBranchTargetId()
+            currentTarget = target
+            // Initialize budget for this NEW target
+            budget.budgetLeftForCurrentTarget = budget.computePerTargetBudget(uncovered.size)
+        }
+
+        // Focus scoring on the single selected target if present; otherwise use global fitness
+        if (currentTarget == null) {
+            frozenTargets = emptySet()
+        } else {
+            frozenTargets = setOf(currentTarget!!)
+        }
+
+        val n = config.populationSize
+        val nextPop: MutableList<WtsEvalIndividual<T>> = formTheNextPopulation(population)
+
+        while (nextPop.size < n) {
+            beginStep()
+
+            val p1 = tournamentSelection()
+            val p2 = tournamentSelection()
+
+            val o1 = p1.copy()
+            val o2 = p2.copy()
+
+            if (randomness.nextBoolean(config.xoverProbability)) {
+                xover(o1, o2)
+            }
+            if (randomness.nextBoolean(config.fixedRateMutation)) {
+                mutate(o1)
+            }
+            if (randomness.nextBoolean(config.fixedRateMutation)) {
+                mutate(o2)
+            }
+
+            nextPop.add(o1)
+            nextPop.add(o2)
+
+            // Stop if global budget or target budget is up
+            val usedForTarget = budget.usedForCurrentTarget(startActions, startSeconds)
+            if (!time.shouldContinueSearch() || usedForTarget >= budget.budgetLeftForCurrentTarget) {
+                endStep()
+                break
+            }
+            endStep()
+        }
+
+        population.clear()
+        population.addAll(nextPop)
+
+        // Update budget usage for this target
+        budget.updatePerTargetBudget(startActions, startSeconds)
+
+        // Switch target if covered or out of budget
+        val coveredNow = population.any { score(it) >= 1.0 }
+        val switching = budget.shouldSwitchTarget(coveredNow)
+        if (switching) currentTarget = null
+
+        endGeneration()
+    }
+
+    fun lastUncoveredBranchTargetId(): Int? {
+        val snapshot = archive.getSnapshotOfBestIndividuals()
+        if (snapshot.isEmpty()) return null
+
+        // Iterate targets by numeric id in descending order
+        val orderedIds = snapshot.keys.sortedDescending()
+
+        for (targetId in orderedIds) {
+            val description = idMapper.getDescriptiveId(targetId)
+            val isBranch = description.startsWith(ObjectiveNaming.BRANCH)
+            val covered = archive.isCovered(targetId)
+            if (isBranch) {
+                if (!covered) {
+                    return targetId
+                }
+            }
+        }
+        return null
+    }
+}
+
+

core/src/main/kotlin/org/evomaster/core/search/algorithms/LipsBudget.kt

@@ -0,0 +1,51 @@
+package org.evomaster.core.search.algorithms
+
+import org.evomaster.core.EMConfig
+import org.evomaster.core.search.service.SearchTimeController
+
+/**
+ * Encapsulates per-target budget accounting for LIPS.
+ * It derives fair-share budgets from the global stopping criterion
+ * and tracks the remaining budget for the current target.
+ */
+class LipsBudget(
+    private val config: EMConfig,
+    private val time: SearchTimeController
+) {
+
+    var budgetLeftForCurrentTarget: Int = 0
+
+    fun computePerTargetBudget(uncoveredSize: Int): Int {
+        return when (config.stoppingCriterion) {
+            EMConfig.StoppingCriterion.ACTION_EVALUATIONS -> {
+                val remaining = (config.maxEvaluations - time.evaluatedActions).coerceAtLeast(0)
+                if (uncoveredSize <= 0) remaining else remaining / uncoveredSize
+            }
+            EMConfig.StoppingCriterion.TIME -> {
+                val remaining = (config.timeLimitInSeconds() - time.getElapsedSeconds()).coerceAtLeast(0)
+                if (uncoveredSize <= 0) remaining else remaining / uncoveredSize
+            }
+            else -> Int.MAX_VALUE
+        }
+    }
+
+    fun usedForCurrentTarget(startActions: Int, startSeconds: Int): Int {
+        return when (config.stoppingCriterion) {
+            EMConfig.StoppingCriterion.ACTION_EVALUATIONS -> time.evaluatedActions - startActions
+            EMConfig.StoppingCriterion.TIME -> time.getElapsedSeconds() - startSeconds
+            else -> 0
+        }
+    }
+
+    fun updatePerTargetBudget(actionsAtGenStart: Int, secondsAtGenStart: Int) {
+        val used = usedForCurrentTarget(actionsAtGenStart, secondsAtGenStart)
+        budgetLeftForCurrentTarget -= used
+    }
+
+    fun shouldSwitchTarget(coveredNow: Boolean): Boolean {
+        val outOfBudget = budgetLeftForCurrentTarget <= 0
+        return coveredNow || outOfBudget
+    }
+}
+
+

core/src/main/kotlin/org/evomaster/core/search/gene/string/StringGene.kt

@@ -178,10 +178,15 @@ class StringGene(
 //        }
 //        return true
         return maxLength > 0 //otherwise there is only 1 value, the empty string ""
+                && !isDependentTaint()
     }
 
     override fun randomize(randomness: Randomness, tryToForceNewValue: Boolean) {
 
+        /*
+            randomization does not apply any taint, and remove it if any is there
+         */
+
         /*
             Even if through mutation we can get large string, we should
             avoid sampling very large strings by default
@@ -227,7 +232,7 @@ class StringGene(
          */
         //assert(!tainted)
 
-        if(name == TaintInputName.TAINTED_MAP_EM_LABEL_IDENTIFIER){
+        if(isDependentTaint()){
             /*
                 TODO should have a better check to specify a StringGene is immutable.
                 If we end up in other cases for this, should add an "immutable" field to this gene
@@ -267,6 +272,12 @@ class StringGene(
             //not applied if used data pool
             if (!successfulDataPool && config.taintOnSampling) {
 
+                /*
+                    the method is called when gene is globally initialized, which is done when sampling.
+                    when sampling a new gene, and we want to use taint, when we can check if using
+                    global info or a direct taint value
+                 */
+
                 if (state.spa.hasInfoFor(name) && randomness.nextDouble() < state.config.useGlobalTaintInfoProbability) {
                     val spec = state.spa.chooseSpecialization(name, randomness)!!
                     assert(specializations.size == 0)
@@ -305,27 +316,40 @@ class StringGene(
     }
 
 
-    override fun shallowMutate(randomness: Randomness, apc: AdaptiveParameterControl, mwc: MutationWeightControl,
-                               selectionStrategy: SubsetGeneMutationSelectionStrategy, enableAdaptiveGeneMutation: Boolean, additionalGeneMutationInfo: AdditionalGeneMutationInfo?) : Boolean{
+    override fun shallowMutate(
+        randomness: Randomness,
+        apc: AdaptiveParameterControl,
+        mwc: MutationWeightControl,
+        selectionStrategy: SubsetGeneMutationSelectionStrategy,
+        enableAdaptiveGeneMutation: Boolean,
+        additionalGeneMutationInfo: AdditionalGeneMutationInfo?
+    ) : Boolean{
 
         val allGenes = getAllGenesInIndividual()
 
         if (enableAdaptiveGeneMutation){
-            additionalGeneMutationInfo?:throw IllegalArgumentException("archive-based gene mutation cannot be applied without AdditionalGeneMutationInfo")
+            additionalGeneMutationInfo
+                ?: throw IllegalArgumentException("archive-based gene mutation cannot be applied without AdditionalGeneMutationInfo")
+
             additionalGeneMutationInfo.archiveGeneMutator.mutateStringGene(
-                    this, allGenes = allGenes, selectionStrategy = selectionStrategy, targets = additionalGeneMutationInfo.targets, additionalGeneMutationInfo = additionalGeneMutationInfo, changeSpecSetting = PROB_CHANGE_SPEC
+                this,
+                allGenes = allGenes,
+                selectionStrategy = selectionStrategy,
+                targets = additionalGeneMutationInfo.targets,
+                additionalGeneMutationInfo = additionalGeneMutationInfo,
+                changeSpecSetting = PROB_CHANGE_SPEC
             )
             return true
         }
 
         val didSpecializationMutation = standardSpecializationMutation(
                 randomness, apc, mwc, selectionStrategy, allGenes, enableAdaptiveGeneMutation, additionalGeneMutationInfo
         )
+
         if (!didSpecializationMutation){
-            standardValueMutation(
-                    randomness, allGenes, apc
-            )
+            standardValueMutation(randomness, allGenes, apc)
         }
+
         return true
     }
 
@@ -401,6 +425,11 @@ class StringGene(
         if(TaintInputName.isTaintInput(value)){
             //standard mutation on a tainted value makes little sense, so randomize instead
             randomize(randomness, true)
+            /*
+                TODO weird... if we return here (as logically we should do), few tests start failing...
+                is there really a logical bug? or those are just brittle, seed-dependent tests?
+             */
+            //return
         }
 
         val p = randomness.nextDouble()
@@ -473,6 +502,9 @@ class StringGene(
             return false
         }
 
+        // we start with a high value for probability of using a tained value.
+        // however, during search we decrease it, but not lower than specified minimum here, until start of focused search.
+        // when focus search starts, we no longer use taint values
         val minPforTaint = 0.1
         val tp = apc.getBaseTaintAnalysisProbability(minPforTaint)
 
@@ -1079,7 +1111,8 @@ class StringGene(
     }
 
     override fun evolve() {
-        //TODO need refactoring
+        //there are a lot of edge cases here...
+        throw IllegalStateException("String genes should not be evolved directly, but via mutation")
     }
 
     /**

core/src/main/kotlin/org/evomaster/core/search/service/Archive.kt

@@ -700,5 +700,4 @@ class Archive<T> where T : Individual {
             it.individual.seeTopGenes().all { g-> g.isLocallyValid() }
         }
     }
-
 }

core/src/main/kotlin/org/evomaster/core/search/service/mutator/StandardMutator.kt

@@ -165,8 +165,9 @@ open class StandardMutator<T> : Mutator<T>() where T : Individual {
 
         if(config.taintForceSelectionOfGenesWithSpecialization){
             /*
-                FIXME this should be removed, and rather handled with an "evolve".
-                but need refactoring of StringGene mutation
+               Note that some gene are directly "evolved()" in TaintAnalysis.
+               however, StringGene is very special, and treated ad-hoc, by forcing
+               selection here
              */
             TaintAnalysis.dormantGenes(individual)
                 .forEach {