Rohan Padhye

Starting Fall 2020: Assistant Professor in the CMU School of Computer Science (ISR)
rohanpadhyebots-gotta-get-smarter-than-this@its-really-not-that-hardcmu.edu
(My name is pronounced "row-hun paa-dhyae")
GitHub | Twitter | Blog
CV | DBLP | Google Scholar

About Me

I research techniques to automatically discover software bugs. My work spans several areas including software engineering, programming languages, systems, and security. My recent projects make use of dynamic program analysis and coverage-guided fuzz testing. My papers have been published at venues such as ICSE, ASE, ISSTA, OOPSLA, SOSP, and USENIX Security. My research tools have been used to discover 50+ new bugs in widely used open-source software and have been adopted by various firms in industry.

I completed my Ph.D. in Computer Science at UC Berkeley, where I was advised by Koushik Sen. My dissertation investigated techniques for specializing program analysis and automated testing tools using artifacts that incorporate the knowledge of domain experts. Complementing my doctoral research, I collaborated with Microsoft Research on detecting thousands of concurrency bugs at industry-scale and with Samsung Research America on fuzzing trusted execution environments. Before going to Berkeley, I spent two years at IBM Research India, developing productivity tools using data mined from GitHub and other repositories. I hold a Master's degree from IIT Bombay.

I am also the lead designer of the ChocoPy programming language, which is used to teach the undergraduate compilers courses at UC Berkeley (and increasingly at other universities too).

My academic ancestors include Newton, Galelio, Kepler, and Copernicus.

News

2020-07-30: Paper on BigFuzz, scaling JQF to Apache Spark applications, is accepted to ASE 2020.
2020-06-10: Joined the ISSTA 2021 Program Committee.
2020-05-19: Joined the OOPSLA 2020 External Review Committee.
2020-04-27: Accepted a tenure-track faculty position at Carnegie Mellon University (Institute for Software Research).
2020-04-27: Gave my Ph.D. dissertation talk! (Video).
2020-04-20: Received the C.V. Ramamoorthy Distinguished Research Award.
2020-04-01: Received an Outstanding Graduate Student Instructor Award from UC Berkeley.
2019-12-08: Paper on RLCheck, boosting JQF with reinforcement learning, is accepted to ICSE 2020.
2019-11-09: Wrote an article on equity and inclusion in international conferences.
2019-10-29: SOSP 2019 paper received the best paper award!
more...
2019-10-25: Presented the FuzzFactory (Video), ChocoPy, and FailFast papers at SPLASH 2019 in Athens, Greece.
2019-09-16: JQF+Zest is now integrated into Fuzzit, a cloud-based continuous fuzzing service.
2019-09-13: ChocoPy is featured in an article on TechRepublic.
2019-09-12: ChocoPy was #4 on the front-page of Hacker News!
2019-08-07: Wrote an article on producing good artifacts for evaluation in PL/SE/Systems conferences.
2019-07-19: Presented the Zest and JQF (Video) papers at ISSTA 2019 in Beijing, China. Both papers won awards.

Projects

Star
FuzzFactory: Generalizes coverage-guided fuzzing to domain-specific testing goals. OOPSLA 2019.
- Pralhad Chaskar (c0d3xpl0it) wrote a blog post on using FuzzFactory.
Star
JQF+Zest: Coverage-guided fuzzing for inputs with complex structure and semantics. ISSTA 2019.
- Used to test Netflix's Message Security Layer.
- Made commercially available by FuzzIt: continuous fuzzing as a service.
- Used and endorsed by Pentagrid AG, a Swiss security firm.
- Danny van Heumen wrote a blog post on using JQF.
Star
PerfFuzz: Automatic generation of worst-case inputs using fuzzing. ISSTA 2018.
Star
TSVD: Thread-Safety-Violation Detector for .NET applications. SOSP 2019.
- Found 1000+ concurrency bugs in active projects within Microsoft.
Star
Travioli: Dynamic analysis of data-structure traversals in JavaScript programs. ICSE 2017.
Star
VASCO: Framework for inter-procedural data-flow analysis of Java programs. SOAP 2013.

Publications

BigFuzz: Efficient Fuzz Testing for Data Analytics using Framework Abstraction
Qian Zhang, Jiyuan Wang, Muhammad Ali Gulzar, Rohan Padhye, Miryung Kim
ASE 2020 (accepted)
Quickly Generating Diverse Valid Test Inputs with Reinforcement Learning
Sameer Reddy, Caroline Lemieux, Rohan Padhye, Koushik Sen
ICSE 2020 (DOI | PDF)
PARTEMU: Enabling Dynamic Analysis of Real-World TrustZone Software Using Emulation
Lee Harrison, Hayawardh Vjayakumar, Rohan Padhye, Koushik Sen, and Michael Grace
USENIX Security 2020 (to appear | preprint PDF)
Efficient and Scalable Thread-Safety-Violation Detection --- Finding thousands of concurrency bugs during testing
Guangpu Li, Shan Lu, Madanlal Musuvathi, Suman Nath, and Rohan Padhye
SOSP 2019 (DOI | PDF | GitHub) Best Paper Award
SAFFRON: Adaptive Grammar-based Fuzzing for Worst-Case Analysis
Xuan Bach D. Le, Corina Pasareanu, Rohan Padhye, David Lo, Willem Visser, and Koushik Sen
JPF 2019 (DOI)
ChocoPy: A Programming Language for Compilers Courses
Rohan Padhye, Koushik Sen, and Paul N. Hilfinger
SPLASH-E 2019 (DOI | Paper PDF | Slides PDF)
Efficient Fail-Fast Dynamic Subtype Checking
Rohan Padhye and Koushik Sen
VMIL 2019 (DOI | Paper PDF | Slides PDF)
FuzzFactory: Domain-Specific Fuzzing with Waypoints
Rohan Padhye, Caroline Lemieux, Koushik Sen, Laurent Simon, and Hayawardh Vijayakumar
OOPSLA 2019 (DOI | Paper PDF | Slides PDF | Talk Video | GitHub)
Semantic Fuzzing with Zest
Rohan Padhye, Caroline Lemieux, Koushik Sen, Mike Papadakis, and Yves Le Traon
ISSTA 2019 (DOI | Paper PDF | Slides PDF | GitHub) ACM SIGSOFT Distinguished Artifact Award
JQF: Coverage-Guided Property-Based Testing in Java
Rohan Padhye, Caroline Lemieux, and Koushik Sen
ISSTA-DEMO 2019 (DOI | PDF | Talk Video) ACM SIGSOFT Tool Demonstration Award
Validity Fuzzing and Parametric Generators for Effective Random Testing
Rohan Padhye, Caroline Lemieux, Koushik Sen, Mike Papadakis, and Yves Le Traon
ICSE-POSTER 2019 (Abstract DOI | Poster)
PerfFuzz: Automatically Generating Pathological Inputs
Caroline Lemieux, Rohan Padhye, Koushik Sen, and Dawn Song
ISSTA 2018 (DOI | PDF) ACM SIGSOFT Distinguished Paper Award
Travioli: A Dynamic Analysis for Detecting Data-Structure Traversals
Rohan Padhye and Koushik Sen
ICSE 2017 (DOI | PDF)
Mining API Expertise Profiles with Partial Program Analysis
Senthil Mani, Rohan Padhye, and Vibha Singhal Sinha
ISEC 2016 (DOI | PDF)
Detecting and Mitigating Secret-Key Leaks in Source Code Repositories
Vibha Singhal Sinha, Diptikalyan Saha, Pankaj Dhoolia, Rohan Padhye, and Senthil Mani
MSR 2015 (DOI)
The Synergy Between Voting and Acceptance of Answers on StackOverflow, or the Lack Thereof
Neelamadhav Gantayat, Pankaj Dhoolia, Rohan Padhye, Senthil Mani, and Vibha Singhal Sinha
MSR 2015 (DOI)
Smart Programming Playgrounds
Rohan Padhye, Pankaj Dhoolia, Senthil Mani, and Vibha Singhal Sinha
ICSE-NIER 2015 (DOI | PDF)
NeedFeed: Taming Change Notifications by Modeling Code Relevance
Rohan Padhye, Senthil Mani, and Vibha Singhal Sinha
ASE 2014 (DOI | PDF)
A Study of External Community Contribution to Open-Source Projects on GitHub
Rohan Padhye, Senthil Mani, and Vibha Singhal Sinha
MSR 2014 (DOI | PDF) Honorable Mention in the MSR Hall of Fame
API as a Social Glue
Rohan Padhye, Debdoot Mukherjee, and Vibha Singhal Sinha
ICSE-NIER 2014 (DOI | PDF) Award for Innovation and Potential Impact
Interprocedural Data Flow Analysis in Soot using Value Contexts
Rohan Padhye and Uday P. Khedker
SOAP 2013 (DOI | PDF)

Service

ISSTA 2021 (Program Committee)
OOPSLA 2020 (External Review Committee)
IEEE TDSC Journal (Reviewer, 2020)
IEEE TSE Journal (Reviewer, 2019–2020)
PLDI 2019 (Artifact Evaluation Committee)
PLDI 2018 (Artifact Evaluation Committee)
SPLASH 2017 (Student Volunteer)
ISEC 2016, ISEC 2017, ISEC 2018 (PC)
ASPLOS 2016, ISSTA 2016, PLDI 2017, ASPLOS 2018, PLDI 2018, CAV 2018, ICST 2020, ISSTA 2020 (Subreviewer)

Bug Trophy Case

Here are some issues in open-source software that were discovered using tools that I developed:

Performance Bugs

Google Closure Compiler: #3173
OpenJDK: CVE-2018-3214^[1]
Apache Commons: CVE-2018-11771^[1]
Apache Maven: #35
Apache PDFBox: CVE-2018-8036^[1]
Apache TIKA: CVE-2018-8017, CVE-2018-12418^[1]
LibArchive: #1237
D3.js: #44
Express.js: #3065

Memory-Safety Bugs

WavPack: #66, #67, #68
LibArchive: #1165 (CVE-2019-11463)

Correctness Bugs

Google Closure Compiler: #2842, #2843, #3220
OpenJDK: JDK-8190332, JDK-8190511, JDK-8190512, JDK-8190997, JDK-8191023, JDK-8191076, JDK-8191109, JDK-8191174, JDK-8191073, JDK-8193444, JDK-8193877
Apache Commons: LANG-1385, COMPRESS-424, COLLECTIONS-714
Apache Ant: #62655
Apache Maven: #34, #57
Apache PDFBox: PDFBOX-4333^[2], PDFBOX-4338^[2], PDFBOX-4339^[2]
Apache BCEL: BCEL-303, BCEL-307, BCEL-308, BCEL-309, BCEL-310, BCEL-311, BCEL-312, BCEL-313
Mozilla Rhino: #405, #406, #407, #409, #410
WavPack: #65
Python: issue34939^[3]

Academic Genealogy

Thanks to the MGP, I've discovered two very exciting lines in my academic ancestry! Here is a visualization that I made, complete with era-appropriate flags: