About Me

I research techniques to automatically discover software bugs. My work spans several areas including software engineering, programming languages, systems, and security. My recent projects make use of dynamic program analysis and coverage-guided fuzz testing. My papers have been published at venues such as ICSE, ASE, ISSTA, OOPSLA, SOSP, SoCC, and USENIX Security. My research tools have been used to discover 50+ new bugs in widely used open-source software and have been adopted by various firms in industry.

At CMU, I lead the Program Analysis, Software Testing, and Applications (PASTA) research group. At AWS, I am applying my research to cloud-based database services.

I completed my Ph.D. in Computer Science at UC Berkeley, where I was advised by Koushik Sen. My dissertation investigated techniques for specializing program analysis and automated testing tools using artifacts that incorporate the knowledge of domain experts. Complementing my doctoral research, I collaborated with Microsoft Research on detecting thousands of concurrency bugs at industry-scale and with Samsung Research America on fuzzing trusted execution environments. Before going to Berkeley, I spent two years at IBM Research India, developing productivity tools using data mined from GitHub and other repositories. I hold a Master's degree from IIT Bombay.

I am also the lead designer of the ChocoPy programming language, which is used to teach the undergraduate compilers courses at UC Berkeley (and increasingly at other universities too).

My academic ancestors include Newton, Galelio, Kepler, and Copernicus.

News

• 2021-07-19: Invited to the ICST 2023 Program Committee.
• 2022-07-18: Received an Amazon Research Award for continuing research on coverage-guided property-based testing.
• 2022-06-21: Will be co-organizing a Dagstuhl seminar on Software Bug Detection: Challenges and Synergies.
• 2022-03-25: PASTA Lab member John Billos is awarded the prestigious Goldwater Scholarship.
• 2022-03-08: Paper on the naturalness of fuzzer-generated code is accepted to MSR'22.
• 2021-09-24: Launched the PASTA Lab website.
• 2021-08-31: Paper on Filibuster, service-level fault injection in cloud applications, is accepted to SoCC 2021.
• 2021-08-12: Invited to the ESEC/FSE 2022 Program Committee.
• 2021-07-29: Invited to the ISSTA 2022 Program Committee.
• 2021-07-14: Awarded an NSF grant as PI on Future-Proof Test Corpus Synthesis for Evolving Software.
• 2021-02-19: Awarded seed funding from CyLab for Secure Software Evolution.
• 2020-12-15: Paper on Bonsai Fuzzing is accepted to ICSE 2021.
• 2020-12-03: Invited to the ICSE 2022 Program Committee.
• more...
• 2020-11-15: Had an amazing time chatting with enthusiastic students at the PL Mentoring Workshop at SPLASH 2020.
• 2020-10-18: Gave a talk on the academic job market at the JOBS workshop co-located with MICRO 2020.
• 2020-07-30: Paper on BigFuzz, scaling JQF to Apache Spark applications, is accepted to ASE 2020.
• 2020-06-10: Invited to the ISSTA 2021 Program Committee.
• 2020-05-19: Joined the OOPSLA 2020 External Review Committee.
• 2020-04-27: Accepted a tenure-track faculty position at Carnegie Mellon University (Institute for Software Research).
• 2020-04-27: Gave my Ph.D. dissertation talk! (Video).
• 2020-04-20: Received the C.V. Ramamoorthy Distinguished Research Award.
• 2020-04-01: Received an Outstanding Graduate Student Instructor Award from UC Berkeley.
• 2019-12-08: Paper on RLCheck, boosting JQF with reinforcement learning, is accepted to ICSE 2020.
• 2019-11-09: Wrote an article on equity and inclusion in international conferences.
• 2019-10-29: SOSP 2019 paper received the best paper award!
• 2019-10-25: Presented the FuzzFactory (Video), ChocoPy, and FailFast papers at SPLASH 2019 in Athens, Greece.
• 2019-09-16: JQF+Zest is now integrated into Fuzzit, a cloud-based continuous fuzzing service.
• 2019-09-13: ChocoPy is featured in an article on TechRepublic.
• 2019-09-12: ChocoPy was #4 on the front-page of Hacker News!
• 2019-08-07: Wrote an article on producing good artifacts for evaluation in PL/SE/Systems conferences.
• 2019-07-19: Presented the Zest and JQF (Video) papers at ISSTA 2019 in Beijing, China. Both papers won awards.

Projects

• Star
  FuzzFactory: Generalizes coverage-guided fuzzing to domain-specific testing goals. OOPSLA 2019.
  • Pralhad Chaskar (c0d3xpl0it) wrote a blog post on using FuzzFactory.
• Star
  JQF+Zest: Coverage-guided fuzzing for inputs with complex structure and semantics. ISSTA 2019.
  • Used to test Netflix's Message Security Layer.
  • Used and endorsed by Pentagrid AG, a Swiss security firm.
  • Danny van Heumen wrote a blog post on using JQF.
• Star
  PerfFuzz: Automatic generation of worst-case inputs using fuzzing. ISSTA 2018.
• Star
  TSVD: Thread-Safety-Violation Detector for .NET applications. SOSP 2019.
  • Found 1000+ concurrency bugs in active projects within Microsoft.
• Star
  Travioli: Dynamic analysis of data-structure traversals in JavaScript programs. ICSE 2017.
• Star
  VASCO: Framework for inter-procedural data-flow analysis of Java programs. SOAP 2013.

Publications

Drafts

• Guiding Greybox Fuzzing with Mutation Testing
  Isabella Laybourn*, Vasudev Vikram*, Rafaello Sanna, Ao Li, Rohan Padhye
  Paper PDF | GitHub [* = equal contribution]

Peer-Reviewed

• On the Naturalness of Fuzzer-Generated Code
  Rajeswari Hita Kambhamettu*, John R Billos*, Tomi Oluwaseun-Apo*, Benjamin Gafford, Rohan Padhye, Vincent J Hellendoorn
  MSR 2022 (DOI Link (to appear) | Paper PDF) [* = equal contribution]
• Service-Level Fault Injection Testing
  Christopher S. Meiklejohn, Andrea Estrada, Yiwen Song, Heather Miller, Rohan Padhye
  SoCC 2021 (DOI Link | Paper PDF | Talk Video | Project Website)
• Growing a Test Corpus with Bonsai Fuzzing
  Vasudev Vikram, Rohan Padhye, Koushik Sen
  ICSE 2021 (DOI Link | Paper PDF | GitHub)
• BigFuzz: Efficient Fuzz Testing for Data Analytics using Framework Abstraction
  Qian Zhang, Jiyuan Wang, Muhammad Ali Gulzar, Rohan Padhye, Miryung Kim
  ASE 2020 (DOI Link | Paper PDF | GitHub | ICSE'21 Tool Paper)
• 
  Quickly Generating Diverse Valid Test Inputs with Reinforcement Learning
  Sameer Reddy, Caroline Lemieux, Rohan Padhye, Koushik Sen
  ICSE 2020 (DOI Link | Paper PDF | Talk Video | GitHub)
• PARTEMU: Enabling Dynamic Analysis of Real-World TrustZone Software Using Emulation
  Lee Harrison, Hayawardh Vjayakumar, Rohan Padhye, Koushik Sen, and Michael Grace
  USENIX Security 2020 (Paper PDF | Talk Video)
• 
  Efficient and Scalable Thread-Safety-Violation Detection --- Finding thousands of concurrency bugs during testing
  Guangpu Li, Shan Lu, Madanlal Musuvathi, Suman Nath, and Rohan Padhye
  SOSP 2019 (DOI Link | Paper PDF | Talk Video | GitHub) Best Paper Award
• SAFFRON: Adaptive Grammar-based Fuzzing for Worst-Case Analysis
  Xuan Bach D. Le, Corina Pasareanu, Rohan Padhye, David Lo, Willem Visser, and Koushik Sen
  JPF 2019 (DOI Link)
• ChocoPy: A Programming Language for Compilers Courses
  Rohan Padhye, Koushik Sen, and Paul N. Hilfinger
  SPLASH-E 2019 (DOI Link | Paper PDF | Slides PDF)
• Efficient Fail-Fast Dynamic Subtype Checking
  Rohan Padhye and Koushik Sen
  VMIL 2019 (DOI Link | Paper PDF | Slides PDF)
• 
  FuzzFactory: Domain-Specific Fuzzing with Waypoints
  Rohan Padhye, Caroline Lemieux, Koushik Sen, Laurent Simon, and Hayawardh Vijayakumar
  OOPSLA 2019 (DOI Link | Paper PDF | Slides PDF | Talk Video | GitHub)
• 
  Semantic Fuzzing with Zest
  Rohan Padhye, Caroline Lemieux, Koushik Sen, Mike Papadakis, and Yves Le Traon
  ISSTA 2019 (DOI Link | Paper PDF | Slides PDF | GitHub) ACM SIGSOFT Distinguished Artifact Award
• JQF: Coverage-Guided Property-Based Testing in Java
  Rohan Padhye, Caroline Lemieux, and Koushik Sen
  ISSTA 2019 Tool (DOI Link | Paper PDF | Talk Video) ACM SIGSOFT Tool Demonstration Award
  
• Validity Fuzzing and Parametric Generators for Effective Random Testing
  Rohan Padhye, Caroline Lemieux, Koushik Sen, Mike Papadakis, and Yves Le Traon
  ICSE 2019 Poster (Abstract DOI Link | Poster)
• PerfFuzz: Automatically Generating Pathological Inputs
  Caroline Lemieux, Rohan Padhye, Koushik Sen, and Dawn Song
  ISSTA 2018 (DOI Link | Paper PDF) ACM SIGSOFT Distinguished Paper Award
  
• Travioli: A Dynamic Analysis for Detecting Data-Structure Traversals
  Rohan Padhye and Koushik Sen
  ICSE 2017 (DOI Link | Paper PDF)
• Mining API Expertise Profiles with Partial Program Analysis
  Senthil Mani, Rohan Padhye, and Vibha Singhal Sinha
  ISEC 2016 (DOI Link | Paper PDF)
• Detecting and Mitigating Secret-Key Leaks in Source Code Repositories
  Vibha Singhal Sinha, Diptikalyan Saha, Pankaj Dhoolia, Rohan Padhye, and Senthil Mani
  MSR 2015 (DOI Link)
  
• The Synergy Between Voting and Acceptance of Answers on StackOverflow, or the Lack Thereof
  Neelamadhav Gantayat, Pankaj Dhoolia, Rohan Padhye, Senthil Mani, and Vibha Singhal Sinha
  MSR 2015 (DOI Link)
  
• Smart Programming Playgrounds
  Rohan Padhye, Pankaj Dhoolia, Senthil Mani, and Vibha Singhal Sinha
  ICSE-NIER 2015 (DOI Link | Paper PDF)
• NeedFeed: Taming Change Notifications by Modeling Code Relevance
  Rohan Padhye, Senthil Mani, and Vibha Singhal Sinha
  ASE 2014 (DOI Link | Paper PDF)
• A Study of External Community Contribution to Open-Source Projects on GitHub
  Rohan Padhye, Senthil Mani, and Vibha Singhal Sinha
  MSR 2014 (DOI Link | Paper PDF) Honorable Mention in the MSR Hall of Fame
  
• API as a Social Glue
  Rohan Padhye, Debdoot Mukherjee, and Vibha Singhal Sinha
  ICSE-NIER 2014 (DOI Link | Paper PDF) Award for Innovation and Potential Impact
  
• Interprocedural Data Flow Analysis in Soot using Value Contexts
  Rohan Padhye and Uday P. Khedker
  SOAP 2013 (DOI Link | Paper PDF)

Dissertations

• Abstractions and Algorithms for Specializing Dynmamic Program Analysis and Random Fuzz Testing
  Rohan Padhye (advisor: Koushik Sen)
  Ph.D. Thesis, UC Berkeley (PDF | Talk Video)
• Interprocedural Heap Analysis using Access Graphs and Value Contexts
  Rohan Padhye (advisor: Uday Khedker)
  Master's Thesis, IIT Bombay (PDF | Talk Slides)

Service

Journals

• ACM TOSEM (Distinguished Reviewer)
• IEEE TSE (Reviewer)
• IEEE TDSC (Reviewer)

Conferences PCs

• ESEC/FSE 2022 (Program Committee)
• ISSTA 2022 (Program Committee)
• ICSE 2022 (Program Committee)
• ISSTA 2021 (Program Committee)
• ISSTA 2021 (Tool Demo PC)
• OOPSLA 2020 (External Review Committee)
• PLDI 2019 (Artifact Evaluation Committee)
• PLDI 2018 (Artifact Evaluation Committee)
• ISEC 2016, ISEC 2017, ISEC 2018 (Program Committee)

Other

• ISR@CMU DEI Committee
• ASPLOS 2021, OSDI 2020 (Invited reviewer)
• SPLASH 2020 (PLMW Mentor)
• MICRO 2020 (Panelist at the JOBS workshop)
• SPLASH 2017 (Student Volunteer)
• ISSTA 2020, ICST 2020, PLDI 2018, CAV 2018, ASPLOS 2018, PLDI 2017, ASPLOS 2016, ISSTA 2016 (Subreviewer)

Teaching

CMU:

• Spring 2022—17-355/17-665/17-819: Program Analysis
• Fall 2021—17-313: Foundations of Software Engineering (with Michael Hilton)
• Spring 2021—17-355/17-665/17-819: Program Analysis (with Jonathan Aldrich)
• Every Fall since 2020—17-808: Introduction to Software Engineering Research (with the core SE faculty)

UC Berkeley: (Graduate student instructor; OGSI)

• Fall 2019—CS164: Programming Languages and Compilers (with Koushik Sen)
• Fall 2018—CS164: Programming Languages and Compilers (with Koushik Sen)

IIT Bombay: (Teaching assistant)

• Spring 2013—CS316: Implementation of Programming Languages (with Uday Khedker)
• Fall 2012—CS699: Software Lab (with Supratim Biswas)
• Spring 2012—CS152: Abstractions and Paradigms of Programming (with Amitabha Sanyal)

Group

I lead the PASTA Lab, which conducts research on Program Analysis, Software Testing, and Applications.

Academic Genealogy

Thanks to the MGP, I've discovered two very exciting lines in my academic ancestry! Here is a visualization that I made, complete with era-appropriate flags:

Bug Trophy Case

Here are some issues in open-source software that were discovered using tools that I developed:

Performance Bugs

• Google Closure Compiler: #3173
• OpenJDK: CVE-2018-3214^[1]
• Apache Commons: CVE-2018-11771^[1]
• Apache Maven: #35
• Apache PDFBox: CVE-2018-8036^[1]
• Apache TIKA: CVE-2018-8017, CVE-2018-12418^[1]
• LibArchive: #1237
• D3.js: #44
• Express.js: #3065

Memory-Safety Bugs

• WavPack: #66, #67, #68
• LibArchive: #1165 (CVE-2019-11463)

Correctness Bugs

• Google Closure Compiler: #2842, #2843, #3220
• OpenJDK: JDK-8190332, JDK-8190511, JDK-8190512, JDK-8190997, JDK-8191023, JDK-8191076, JDK-8191109, JDK-8191174, JDK-8191073, JDK-8193444, JDK-8193877
• Apache Commons: LANG-1385, COMPRESS-424, COLLECTIONS-714
• Apache Ant: #62655
• Apache Maven: #34, #57
• Apache PDFBox: PDFBOX-4333^[2], PDFBOX-4338^[2], PDFBOX-4339^[2]
• Apache BCEL: BCEL-303, BCEL-307, BCEL-308, BCEL-309, BCEL-310, BCEL-311, BCEL-312, BCEL-313
• Mozilla Rhino: #405, #406, #407, #409, #410
• WavPack: #65
• Python: issue34939^[3]