# About the Author

I'm a senior at Allegheny College studying Computer Science and Physics.

![](me.jpg)

# Week 1

# Week 2

## SE1: Preface - Programming Over Time

#### Summary

In the preface of *Software Engineering at Google*, the section [Programming Over Time](https://abseil.io/resources/swe-book/html/pr01.html#programming_over_time) defines software engineering as "programming integrated over time." The purpose of the book is to answer reflective questions that Software Engineering (SWE) teams should have during the life cycle of a project and a company or institution. The thesis of the book is then laid out as motivated by three principles that should be held in the development process: **Time and Change**, **Scale and Growth**, and **Trade-offs and Costs**.

* **Time and Change** refers to how a codebase or stack adapts over the lifetime of a team or company.
* **Scale and Growth** refers to the need for an organization to adjust its practices and structure over the lifetime of a team or company.
* **Trade-offs and Costs** refers to how an organization analyzes historical data to make informed decisions from the previous two points.

#### Action Items & Reflection

* **Start doing:** In my professional and personal SWE experience, this reading reminds me that I need to be aware of the changes in the people and settings around me in order to be an amiable colleague. Paying attention to the culture that surrounds the work environment will be something that I will try to work on.
* **Stop doing:**I should also make steps towards stopping holding a certain attitude towards the tooling used in class. Software is about *adapting* to changes rather than resisting them. That said, one should maintain a discerning attitude when acquiring new tooling to avoid being distracted by its 'shininess.'
* **Keep doing:** As long as cs203 continues to meet regularly and heavily rely on the issue tracker, we will proceed to evolve as a group and reach an efficient workflow.

## FB1: Introduction to Software Testing

#### Summary

The chapter **Introduction to Software Testing** in the Fuzzing Book walks us through the most fundamental idea of what software testing looks like, starting from the most basic example of a square root finder that finds only real roots $(f : \mathbb{R}^+ \to \mathbb{R}^+)$. We are presented with the idea of proving the said function's correctness by a single example input; however we find the more general approach of verifying the function's result thanks to the fact that $\sqrt{x}\cdot\sqrt{x}=x$ for all $x \in \mathbb{R}$. We can do this for any number, say 2, to demonstrate:


In [None]:
def my_sqrt(x):
    """Computes the square root of x, using the Newton–Raphson method"""
    approx = None
    guess = x / 2
    while approx != guess:
        approx = guess
        guess = (approx + x / approx) / 2
    return approx

# does this *really* equal 2 exactly? Probably not
print(my_sqrt(2) * my_sqrt(2))

But, this manual approach becomes painful after writing even a small amount. The book then informs us of automating test execution, in which expected results are stored in values and checked against the actual result, throwing an error if they do not match. The only limitation with this is that python's numeric types rarely are exactly equal up to a certain precision. To flush this problem, the book explains that a potential solution could use a pre-set margin of error to ensure the result is within its bounds, or to simply use `math.isclose()`, which apparently is the way of a true *pythonista*.

More automated methods of testing are discussed, including timing execution time of iterated tests:


In [None]:
import time
EPSILON = 1e-8 # apparently good margin of error (don't take my word for it, ask Andreas Zeller)
start = time.time()
for i in range(1, 1000):
  assert (my_sqrt(i) * my_sqrt(i) - i) < EPSILON
print(time.time() - start)

Additionally, the book mentions opting for a range of randomly selected numbers to be used rather than incremental cases, which ensures an even distribution of numbers. The only caveat is that edge cases, also called counter examples, are found with a probability of roughly one in one million (e.g. 0). This idea brings us to the final one mentioned in this article, which is *the limits of testing*.

**The limits of testing** are that testing, as with any conjecture in a software setting, can never be 100% deterministic of correct results. Tests only go so far to ensure input will translate to a correct output, but they are the best weapon we as developers have to avoid runtime errors.

#### Action Items & Reflection

* **Start doing:** I plan to keep up with the test cases that we will be implementing in `chasten` this year. This will be a good idea because of the variety of developers we will have working on the project. I previously would never write test cases, but now that our development team is so large, I see this as a must. This will allow developers to add tests to eliminate the possibility of a certain function leading to a bug later in the development process.
* **Stop doing:** `null`
* **Keep doing:** The `chasten` team should, as a whole, continue to keep the discussion of the importance of testing in the foreground and collectively discuss how we can begin to approach test case creation for the more complex objects we will be working with this semester.

# Week 3

## SE2: What is Software Engineering?

#### Summary

In the chapter *What is Software Engineering?* of the [Software Engineering at Google Book](https://abseil.io/resources/swe-book/html/pr01.html), the author outlines the importance of developing structured behavior to succeed in a software engineering environment. Firstly, many of the responsibilities in SWE are because of **long-term project management**. SWE principles are less important for a project that will be used for a shorter lifespan. Good practices can lead to a sustainable project, meaning that the project is able to react and adopt valuable changes during its life span.

Technical debt and the cost of finesse are two things that negatively affect the health of a codebase. As said in this chapter: "We’ve taken to saying, “It’s programming if 'clever' is a compliment, but it’s software engineering if 'clever' is an accusation.”" 'Clever' work is seldom obvious and maintainable, which is why it harms a long lived system. If, for example, a side effect of some 'clever' code produced an unexpected behavior on the user-side, the user could begin to rely on that functionality *without realizing it was done unintentionally*. This idea is known as **Hyrum's Law**, which states that all observable behaviors in your tool will be relied on my some entity. A way to fight against technical debt is to implement scalability, which allows a codebase to be supported properly as it grows (i.e. the company grows with the code base). Weak points in scalability can be discovered by asking *"Does my organization have a procedure in place to grow the amount of man power when the codebase or workload grows?"* If the answer is no, then there is a high chance you have a scaling problem.

Cost is a large factor in decision making, and this chapter briefly discusses its weight. There are various costs associated with decision making in SWE. Some of which are:

* Financial costs (e.g., money)
* Resource costs (e.g., CPU time)
* Personnel costs (e.g., engineering effort)
* Transaction costs (e.g., what does it cost to take action?)
* Opportunity costs (e.g., what does it cost to not take action?)
* Societal costs (e.g., what impact will this choice have on society at large?)

Being able to weight cost effectively is a tool used in leadership. Google's example of effective cost analysis is the ironic value of markers in a work place setting. Markers are cheap, but they are often found missing or dried up in meeting rooms. Google weighed the cost of constantly supplying markers to their employees against the flow of a meeting or brainstorming session being brought to a halt, and they decided it was better to yield a free flowing brainstorming session than to pay the price for regularly new markers. The decision has proven to do them well.

#### Action Items & Reflection

* **Start doing:** From this reading, I recognize our development team should spend more time focusing on structure, at least in the first few weeks, to permit a steady workflow by the end of the semester.
* **Stop doing:** N/A
* **Keep doing:** We should keep regularly critiquing our process. For example, on Monday 2023-09-11 in our class session, we revised our process slightly, and I believe it was a great decision to split up work the way that we did.

## FB2: Coverage

#### Summary

In this chapter, we learn about black and white box testing. Black box testing allows us to test the *specified* behavior of a system, while white box testing focuses on revealing which part in the internal structure of the program went wrong during the testing process. Both have their beneifts, but generally white-box testing allows us to debug more easily. In assisting white-box testing, we can use `sys.settrace(f(frame, event, arg))` to trace the execution of the function. This provides us with the lines that are stepped through during program execution. These lines are then put into a set, which tells us the lines that have been covered *at least* once.

We can also compare coverage between various test cases, which can provide a different aspect of code usage based on input. If you incorporate fuzzing into this, you could input every possible kind of data type in a function to test how the branches are covered statistically. If you discover a branch that never is covered for all iterations of fuzzing, then you have a serious issue! This is just one example of the many benefits of code coverage used in tandem with fuzzing.

#### Action Items & Reflection

* **Start doing:** After we discuss this in class, we should all make it a point to include coverage analysis in `chasten` so that we only save the necessary code we have. In the branch I am currently working on, I will look into see if this is a possibility.
* **Stop doing:** N/A
* **Keep doing:** We should keep regularly talking about principles like these. It helps keep us all on the same page as to where we should be headed as a development team.

# Week 4

## SE3: How to Work Well on Teams

#### Summary

The chapter [How to Work Well on Teams](https://abseil.io/resources/swe-book/html/ch02.html) in the [Software Engineering at Google Book](https://abseil.io/resources/swe-book/html/toc.html) encourages healthy co working culture. The first principle to understand is that geniuses are never completely self made; every successful leader has had to work collaboratively at some point. The misconception that hard working individuals only get work done alone is a myth. It creates insecurity and sends narcissists on their own joy ride of self sufficiency (think about the connotations of "10x developer", for example). Too much lone ranger-esque coding in your company could lead to a higher bus factor: the number of people that need to get bit by a bus before your project is completely doomed.

Through team work, we must not only work collaboratively, but seek to encourage each other through correction and review.

> In a professional software engineering environment, criticism is almost never personal—it’s usually just part of the process of making a better project.  The trick is to make sure you (and those around you) understand the difference between a constructive criticism of someone’s creative output and a flat-out assault against someone’s character.

It is very easy to get offended from hearing that your work is not up-to-par. Supervisors and peers should be mindful of how they are leveraging their position of knowledge over those that they are helping.

I understand the consequences of individual based work in a company. I have worked with individuals where, if they were hit by a bus, the company would surely have lost hundreds of thousands of dollars over the course of a week. We were a team of four people, and each of us kept strictly to our own little feature sets and subset of our main stack. Although it can be tempting to take matters into one's own hands and micromanage or even take complete control of a project, I will steer clear of this in my future career, regardless of the position.

I would like to spend time analyzing our conflicts that we have had in class in order to understand the minds of my peers more. Looking back and thinking about our class discussions, I can definitely tell that some people in the class perform better when telling others what to do, while some people perform better while being told what to do. This dynamic is something that will have to discover together as a team.

As it stands, it is a good practice that we write up incident reports. This was mentioned in the book, and we have already written an incident report concerning a minor issue we had. Although painful, this fosters responsibility and awareness of mistakes towards a collective awareness.

#### Action Items & Reflection

* **Start doing:** Paying attention to my interactions with team members and noting what personality types are in the room around me.
* **Stop doing:** Working on feature branches strictly alone, or at least not writing *completely* indicative test cases that describe the intended functionality of my code.
* **Keep doing:** Writing out incident reports; although painful, those are helpful and help us to constructively criticize ourselves.

## FB3: Fuzzing: Breaking Things with Random Inputs

#### Summary

This chapter in the Fuzzing Book, **Fuzzing: Breaking Things with Random Inputs**, explains the more specific details of fuzzing and even provides some examples of fuzzing implementations. We are familiarized with the concept of a `Runner`, which is usually a class responsible for managing the testing of function inputs. We also learn about the origins of fuzzing, which came from a lab in UW-Madison during a thunderstorm, when interference coming through the phone lines falsely sent information to programs. The fuzziness of the random input from the phone lines was dubbed 'fuzzing', as we know it today.

Through reading this chapter, I certainly feel overwhelmed by the complexities of fuzzing. I do wish to continue to add fuzzing test cases to programs that we create, though. I have already implemented a few in my feature branch. The biggest hurdle in this is the use of `hypothesis`, a python library. It is fairly complex, and it requires thorough reading of its documentation to fully understand it.

#### Action Items & Reflection

* **Start doing:** Reading through the documentation of `hypothesis` in order to better implement fuzzing strategies in the `tests/` for chasten.
* **Stop doing:** N/A
* **Keep doing:** Trying to implement test cases in every feature branch.

# Week 5

## SE4: Knowledge Sharing

#### Summary

This excerpt, called [Knowledge Sharing](https://abseil.io/resources/swe-book/html/ch03.html), warns of the dangers of having a poor workplace environment. There are many problems that can arise from such a problem. Firstly, this may result in creating *islands of knowledge* that lead to the formation of a single point of failure. This is also known as doomsday for your team when any kind of trial comes. Secondly, your workplace culture may be so harsh that the team members have anxiety because of the adversarial nature of the senior developers. Here is a table outlining recommended patterns along with antipatterns of how to interact with lesser experienced individuals:

Recommended patterns (cooperative) | Antipatterns (adversarial)
---|---
Basic questions or mistakes are guided in the proper direction | Basic questions or mistakes are picked on, and the person asking the question is chastised
Explanations are given with the intent of helping the person asking the question learn | Explanations are given with the intent of showing off one’s own knowledge
Responses are kind, patient, and helpful | Responses are condescending, snarky, and unconstructive
Interactions are shared discussions for finding solutions | Interactions are arguments with “winners” and “losers”

When dealing with legacy code, we are presented the principle of Chesterton's Fence, in which someone who desires to remove a historically put-in-place item is confronted to discern why it's worth removing if they do not understand the purpose for why it was initially put in place. This mental challenge can yield grand results when put in practice.

As one navigates a legacy code base, many questions can arise; these questions should be sought after for answers, but, upon having the question(s) answered, one must document the response! The knowledge obtained from the answer should be piped right back into the knowledge base of the team. This especially applies to Discord, which we use while developing `chasten`.

> Code is read far more than it is written

Writing comments and aiming for high readability standards can assist the life span of a code base. At Google, this stems out of the culture they created in their development teams.

*As I reflect on this reading,* I am faced with the hard truth that "code is read far more than it is written." This makes me wonder of all of the time I was guilty of *programming* instead of doing *software engineering*, what I was supposed to be doing. Looking ahead towards our work with `chasten`, I see progress in the psychological safety we have fostered; I just wish that people would buy into it and ask more questions. I wish that I saw more effort from the whole team collectively, instead of only certain pockets of effort. The work load of writing all of these reflection assignments and having to ship the code is too much. For students who are just starting this thing we call **CS**, they're not prepared to dive in. They're spending hours on learning how to develop in the `chasten` code base while being tasked with writing a 500 word essay simultaneously. If anything is going to hinder our progress, I believe that will.

#### Action Items & Reflection

* **Start doing:** Incorporating the idea of Chesterton's Fence into not only my work on `chasten`, but my approach to interacting with other people. Being *slow to speak* and quick to encourage and contemplate the work that someone has already put into something is a valuable life skill. I also wish to be more conscious of my words to my peers in the class to avoid speaking in a way that is not welcoming to others! The last thing I want is for people to feel gated out of working on issues with each other.
* **Stop doing:** Stop leaving the information gained through Discord conversations to die in that channel. We need to be saving that information and posting it to our knowledge base.
* **Keep doing:** Keep having open discussions in the Discord chat for the purpose of helping each other out and resolving questions quickly.

## FB4: Mutation Analysis

#### Summary

[Mutation Analysis](https://www.fuzzingbook.org/html/MutationAnalysis.html) in the fuzzing book walks us through how *poking*, *prodding*, and slightly modifying the abstract syntax tree of our program can give us a keener insight as to how effective our test suite is.

We start by creating a base class for mutation, which we can call `MuFunctionAnalyzer`:


In [None]:
import ast
import inspect

class MuFunctionAnalyzer:
    def __init__(self, fn, log=False):
        self.fn = fn
        self.name = fn.__name__
        src = inspect.getsource(fn)
        self.ast = ast.parse(src)
        self.src = ast.unparse(self.ast)  # normalize
        self.mutator = self.mutator_object()
        self.nmutations = self.get_mutation_count()
        self.un_detected = set()
        self.mutants = []
        self.log = log

    def mutator_object(self, locations=None):
        return StmtDeletionMutator(locations)

    def register(self, m):
        self.mutants.append(m)

    def finish(self):
        pass

    def get_mutation_count(self):
        self.mutator.visit(self.ast)
        return self.mutator.count

We can then create a class responsible for atomically mutating the AST:


In [None]:
class Mutator(ast.NodeTransformer):
    def __init__(self, mutate_location=-1):
        self.count = 0
        self.mutate_location = mutate_location

    def mutable_visit(self, node):
        self.count += 1  # statements start at line no 1
        if self.count == self.mutate_location:
            return self.mutation_visit(node)
        return self.generic_visit(node)

I will save all of the class inheritance that follows in the fuzzing book; the usage of the `Mutator` is that it is inherited into a class that implements ways to actually *mutate* the AST. This may involve replacing meaningful statements with a `pass` statement before `return`, changing which mathematical infix operator is called, or short circuiting the execution of a function in some other way. Once all of the helper functions for performing mutation are written, we can implement ways to interpret this. It may involve looking at a file diff of the injected code or analyzing the AST. Thankfully, python allows you to convert AST expressions back into python code, so the author of this chapter opts to do so, using `difflib` to display the mutated changes.

After mutation analysis is implemented, we can analyze the effectiveness of a test case by seeing how well it flags for an error in exeuction after mutation. This score is usually a fraction representing how many times an error was caught out of the total run sequence of mutations.

Once you spend enough time experimenting with mutation, you will soon find that many false positives are created from mutation. That's why the following equation exists to keep you from asking any further questions:

$$
n \geq \hat{p}\left(1-\hat{p}\right)\left(\frac{Z_{\frac{\alpha}{2}}}{\Delta}\right)^2
$$

where $n$ is the number of samples, $p$ is the parameter for the probability distribution, $\alpha$ is the accuracy desired, and $\Delta$ is the precision. This essentially tells us that, in order to gain an effective approximation of a desired accuracy, we have to take $n$ number of samples to make the unhelpful cases irrelevant.

This reading has introduced to me a new topic; I never knew that this kind of analysis was possible. I am quite skeptical of its effectiveness, however, because in most other languages, there is not the convenience of the abstract syntax tree. I'm not quite sure how this could be done in compiled language, for example. In my opinion, the work it takes to do this kind of testing is not worth the effort. Software engineers should spend more time on more useful tasks, like making sure their code works when they write it.

#### Action Items & Reflection

* **Start doing:** We should begin to consider the kind of impacts that this kind of fuzzing can have on Chasten. I don't think it would be wise to implement this yet, though.
* **Stop doing:** N/A
* **Keep doing:** N/A

# Week 6

(Executable Examination)

# Week 7

## SE5: Engineering for Equity

#### Summary

[This article](https://abseil.io/resources/swe-book/html/ch04.html) from the Software Engineering Book at Google challenges a lax mindset on striving for workplace inclusiveness. The majority of employees in the sector of SWE are males, usually White or Asian. We have witnessed numerous facial recognition models with a bias because of an imbalance of input data. This cannot be exclusively attributed to the lack of facial data representing all races and genders; we must consider the fact that *many people have been slow to pursue diversity, race and gender wise, in the field of technology*.

> When engineers do not focus on users of different nationalities, ethnicities, races, genders, ages, socioeconomic statuses, abilities, and belief systems, even the most talented staff will inadvertently fail their users.

A common question concerning attaining diversity in the workplace or in a set of users goes something like this: "How can we seek to reverse [some large number of years] worth of inequity and exclusion?" Many managers and leaders stagger at the thought of combatting the centuries of inequality between different races and genders. They fail to realize that *this is not their concern*. The responsibility of a manager in a company is to consider how they can create *their* environment such that it provides a place of inclusion. It may involve asking themselves questions to discover how their workplace may be implicitly favoring a certain demographic, or it may be seeking to understand where the needs of other demographics come into play and how those needs can be met. One important example is women in the workplace. Many managers are not keen on the idea of maternity leave, and often, managers are not familiar with handling such situations. Another example may be companies that have never dealt with drug abuse among their employees. Often, individuals struggling with substance abuse are immediately fired, but an inclusive workplace would seek to help them and, in some cases, seek to help them in the rehabilitation process to retain their employment. I recall a coworker who dealt with substance abuse. They disappeared off the face of the earth, likely because they didn't think their place at our company was redeemable after the mistakes they made. This sad situation is not specific to me, however. Many employers are faced with the same situation.

Wrapping up, we are left with a few key points that will help us in our endeavor:

1. **Take a hard look in the mirror.**
  * One must evaluate their own approach and presuppositions.

2. **Don’t build for everyone.**
  * A team is powerless in trying to understand different demographics if they're not hiring them themselves.

3. **Design for the user who will have the most difficulty using your product.**
  * Creating accessible technology is the first step to making sure that **everyone is on board**.

4. **Don’t assume equity; measure equity throughout your systems.**
  * One must be thorough. Committing to a single process never means ruling out all others out.

5. **Change is possible.**
  * Change is the most important part of this. Resistance to change only slows the pursuit of eventual justice.

#### Action Items & Reflection

This article reminded me of what has been troubling me lately as I continue through my last year of undergrad. I am deeply concerned at how we will ever get ourselves out of this country-wide conflict of the so-called gender gap and systemic racism. I appreciated the frankness of the article in confronting these issues, but I am still lost in how I fall short. Because of the area that I come from (Meadville, PA), I'm not very skilled at understanding other cultures, but I am always curious about other cultures. In fact, I love learning about other people's daily lives in comparison to how I live; it helps widen my perspective and sometimes challenges my suppositions on how I think one should play the *game of life*. My thoughts are scrambled with this one, but this *is* my current mental state.

* **Start doing:** Considering what kinds of people will be using `chasten` in the future. Most likely, many AC CIS students will be *working on* `chasten`, so our code should be **extra** readable for that purpose! Just think about how much we understood the code base when we started...
* **Stop doing:** N/A
* **Keep doing:** Keep trying to improve our docs and striving for approachability in terms of our `README.md`, etc.

## FB5: Mutation-Based Fuzzing

[This article](https://www.fuzzingbook.org/html/MutationFuzzer.html) from the Fuzzing Book familiarizes us with **mutation-based fuzzing**, which is when we mutate valid inputs and supply them to the program that we are trying to test. Mutation-based fuzzing increases the possibility of having a valid input, and thus allow us to test the functionality of our program (when the inputs are valid) in a deeper way than what could be done with traditional fuzzing.

For example, this article walks us through how to create a mutation-based fuzzer for the input of a URL parser. First, we create three functions that 'mutate' the input. This will slightly modifying the input in some way. We'll create:

1. `delete_random_character(s: str) -> str`: Randomly delete a character from `s` and retunr the mutated `s`.
2. `insert_random_character(s: str) -> str`: Randomly insert a character into `s` and return the mutated `s`.
3. `flip_random_character(s):`: Randomly flip one bit in the ASCII representation of one of the bytes in `s` and return the mutated `s`. *(an interesting one, although, organically, it's virtually impossible with today's error correction techniques!)*


In [None]:
import random
from typing import Tuple, List, Callable, Set, Any
from urllib.parse import urlparse


def delete_random_character(s: str) -> str:
    if s == "":
        return s
    pos = random.randint(0, len(s) - 1)
    return s[:pos] + s[pos + 1:]


def insert_random_character(s: str) -> str:
    pos = random.randint(0, len(s))
    random_character = chr(random.randrange(32, 127))
    return s[:pos] + random_character + s[pos:]


def flip_random_character(s: str) -> str:
    if s == "":
        return s
    pos = random.randint(0, len(s) - 1)
    c = s[pos]
    bit = 1 << random.randint(0, 6)
    new_c = chr(ord(c) ^ bit)
    return s[:pos] + new_c + s[pos + 1:]

We can then create a function `mutate(s: str) -> str` which wraps the functions above:


In [None]:
def mutate(s: str) -> str:
    mutators = [
        delete_random_character,
        insert_random_character,
        flip_random_character
    ]
    mutator = random.choice(mutators)
    return mutator(s)

Now, let's create a function to mutate an input `n` number of times:


In [None]:
def multi_mutate(s: str, n: int) -> str:
    res = s
    for i in range(n):
        res = mutate(res)
    return res

print("Example:")
print(f"input: 'Testing 123!!', output: {multi_mutate('Testing 123!!', 10)}")

Now we have everything we need to test a basic function with our mutation-based fuzzing strategy we just created! As done in the Fuzzing Book, we'll test the function `http_program(url: str) -> bool`:


In [None]:
def http_program(url: str) -> bool:
    supported_schemes = ["http", "https"]
    result = urlparse(url)
    if result.scheme not in supported_schemes:
        raise ValueError("Scheme must be one of " + 
                         repr(supported_schemes))
    if result.netloc == '':
        raise ValueError("Host must be non-empty")
    return True


# test `http_program()`
seed_input = "http://www.google.com/search?q=fuzzing"
valid_inputs = set()
trials = 20
n_mutations = 15

for i in range(trials):
    input = multi_mutate(seed_input, n_mutations)
    try:
        result = http_program(input)
        # input is valid, we can add it
        # to the set of valid inputs
        valid_inputs.add(input)
        print(f"'{input}' is valid!")
    except ValueError:
        # input is invalid, do not add it
        # to the set of valid inputs
        print(f"'{input}' is invalid!")
        pass


print("Output:")
print(f"{len(valid_inputs) / trials * 100}% of the trials were valid inputs.")

The book also explains how we can use the `Coverage` module to measure how the code coverage behaves in response to fuzzed inputs.

#### Summary

Initially, I thought this chapter was going to be about fuzzing our test cases, which is what we had read about a few weeks earlier. I was pleased to see that this was another tidbit of information useful for our endeavors while working on `chasten`. While I don't think I plan to create a mutation-based fuzzing implementation from scratch, I *do* plan to keep this in mind when adding test cases to my feature branches. I am excited that I now know how to use this idea. Interestingly enough, my first feature branch on `chasten` featured a fuzzing-based test on a URL parser. What are the chances?

#### Action Items & Reflection

* **Start doing:** Keeping this fuzzing strategy in mind while working on our test cases, as we always should be doing anyways.
* **Stop doing:** N/A
* **Keep doing:** Keep chipping away at making test cases in our feature branches.

# Week 8

## SE6: How to Lead a Team

#### Summary

This chapter gives insight regarding how to effectively manage a team, whether or not the choice to be a leader was intentional. As stated in the book, this can be done by using the principles of "humility, respect, and trust."

> Above all, resist the urge to manage.

This chapter urges the reader, when put in a leadership position, to be a 'servant leader,' which is a position of authority to promote the well-being and productivity of the team. Thus, we have the saying: *Above all, resist the urge to manage.*

We hear a story about an employee named Jerry, who worked with the author shortly after leaving his position under an antagonistic manager. The author explains how Jerry was fearful that leaving fifteen minutes early for a personal commitment was going to get him into trouble, but the author, as his manager, assured him: "Look, as long as you get your job done, I don't care what time you leave the office." Treating one's team as adults rather than a baby in need of babysitting is a great way to have a team powered by positive pressure.

This chapter gives us a few actions to avoid as a manager:

* Hiring pushovers: Hiring malleable individuals is a way to gratify your own ego rather than hiring people who will think critically.
* Hiring low performers: Sometimes individuals' skills *do not* meet the standard of the team; it is important to identify low performers and help them as soon as possible or simply avoid hiring them so they do not weigh down the rest of the team.
* Ignoring human issues: A manager who overlooks the humanity of their team members will soon have a disjoint, agitated team.
* Being everyone's friend: Trying to forge friendships as a manager can lead to uncomfortable dichotomies down the road. It interferes with your role in being their leader.
* Compromising the hiring bar: Taking the due time to consider who you are hiring is a long-term investment worth devoting your cost to.
* Treat your team like children: This forms an antagonistic relationship that makes your team's commitment weak.

To counteract these antipatterns, a team leader is supposed to support their team by staying calm, being a respectable figure in how they act, being a teacher and mentor, having clarity in goal-setting and in their speech, paying attention to their team's emotional well-being, and persistently trying to motivate them. Although no team leader can be perfect, they can keep these 'pillars' of managing in mind in order to try to provider their employees with the best experience possible.

In the end, it's important to remember that people are like plants. They need to grow next to sources of nutrients and motivation to grow. One of Jesus' parables in the Bible goes as follows:

> 3 ...A farmer went out to sow his seed. 4 As he was scattering the seed, some fell along the path, and the birds came and ate it up. 5 Some fell on rocky places, where it did not have much soil. It sprang up quickly, because the soil was shallow. 6 But when the sun came up, the plants were scorched, and they withered because they had no root. 7 Other seed fell among thorns, which grew up and choked the plants, so that they did not bear grain. 8 Still other seed fell on good soil. It came up, grew and produced a crop, some multiplying thirty, some sixty, some a hundred times.” (Mark 4:3-8, NIV)

#### Action Items & Reflection

Although none of us in the development team for `chasten` are truly considered 'managers,' these are good principles to live by in how we approach people that are new to a group of people that we are in, and it is a good principle to apply to topics such as parenting. I have been impacted by a supervisor with traits similar to those mentioned in this chapter, and I have experienced the power of the 'positive pressure' that this chapter mentions.

* **Start doing:** Trusting each other, even if we make mistakes.
* **Stop doing:** N/A
* **Keep doing:** Delegating tasks among ourselves, making sure everyone is getting the right amount of work fitted for their ability.

## FB6: Fuzzing with Grammars

#### Summary

A grammar defines a set of rules around how something like a parser can validate a grouping of characters. Natural language, for example, follows a grammar that allows different human beings to speak to each other. When you tell me "Violeta runs to..." I expect to hear an object that *terminates* the prepositional phrase started by the word "to." Programming languages have a grammar that allows them to compile a file into machine code.

Here is an example of a basic grammar for a word, similar to how most programming languages would parse a variable identifier:

```
<start> ::= <word>
<word> ::= <word_char> | <word_char><word>
<word_char> ::= 
a | b | c | d | e | f | g | h | i | j | k | l | m | n | o | p | q | r | s | t | u | v | w | x | y | z | _
```

We represent many other things using this syntax, including arithmetic expressions. Let's build a simple grammar-based fuzzer that takes a grammar as a `Dict` input.


In [None]:
import random

Grammar = Dict[str, List[str]]

class ExpansionError(Exception):
    pass

def simple_grammar_fuzzer(grammar: Grammar, 
                          start_symbol: str = "<start>",
                          max_nonterminals: int = 10,
                          max_expansion_trials: int = 100,
                          log: bool = False) -> str:
    """Produce a string from `grammar`.
       `start_symbol`: use a start symbol other than `<start>` (default).
       `max_nonterminals`: the maximum number of nonterminals 
         still left for expansion
       `max_expansion_trials`: maximum # of attempts to produce a string
       `log`: print expansion progress if True"""

    term = start_symbol
    expansion_trials = 0

    while len(nonterminals(term)) > 0:
        symbol_to_expand = random.choice(nonterminals(term))
        expansions = grammar[symbol_to_expand]
        expansion = random.choice(expansions)
        # In later chapters, we allow expansions to be tuples,
        # with the expansion being the first element
        if isinstance(expansion, tuple):
            expansion = expansion[0]

        new_term = term.replace(symbol_to_expand, expansion, 1)

        if len(nonterminals(new_term)) < max_nonterminals:
            term = new_term
            if log:
                print("%-40s" % (symbol_to_expand + " -> " + expansion), term)
            expansion_trials = 0
        else:
            expansion_trials += 1
            if expansion_trials >= max_expansion_trials:
                raise ExpansionError("Cannot expand " + repr(term))

    return term

Now we can fuzz intelligently with a grammar. This chapter provides the grammar for URL, which we'll use:


In [None]:
URL_GRAMMAR: Grammar = {
    "<start>":
        ["<url>"],
    "<url>":
        ["<scheme>://<authority><path><query>"],
    "<scheme>":
        ["http", "https", "ftp", "ftps"],
    "<authority>":
        ["<host>", "<host>:<port>", "<userinfo>@<host>", "<userinfo>@<host>:<port>"],
    "<host>":  # Just a few
        ["cispa.saarland", "www.google.com", "fuzzingbook.com"],
    "<port>":
        ["80", "8080", "<nat>"],
    "<nat>":
        ["<digit>", "<digit><digit>"],
    "<digit>":
        ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9"],
    "<userinfo>":  # Just one
        ["user:password"],
    "<path>":  # Just a few
        ["", "/", "/<id>"],
    "<id>":  # Just a few
        ["abc", "def", "x<digit><digit>"],
    "<query>":
        ["", "?<params>"],
    "<params>":
        ["<param>", "<param>&<params>"],
    "<param>":  # Just a few
        ["<id>=<id>", "<id>=<nat>"],
}

Now we can use it to see that the generated inputs are all valid URLs:


In [None]:
for i in range(10);
    print(simple_grammar_fuzzer(grammar=URL_GRAMMAR, max_nonterminals=10))

The value `max_nonterminals` gives the fuzzer an upper limit on how many symbols it can randomly generate until ending the expression.

Grammars can be used as a kind of way to seed an input before mutating it. This way, instead of having a static seed for mutation, your seed can be randomized as well. Just when you thought fuzzing could not get any deeper, right?


In [None]:
n_grammar_seeds = 10
for i in range(n_grammar_seeds):
    original = simple_grammar_fuzzer(grammar=URL_GRAMMAR, max_nonterminals=10)
    mutated = multi_mutate(simple_grammar_fuzzer(grammar=URL_GRAMMAR, max_nonterminals=10), 5)
    print(f"original: {original}")
    print(f"mutated: {mutated}")

Grammars can be a powerful tool to allow us to create syntactically valid inputs for any file type or spec.


#### Action Items & Reflection

This chapter bundled up many loose ends to create a powerful point: we should consider using this strategy! This would allow us to better parse things like XPath expressions, YAML files, and many more things. We could really extend this to be everywhere in our test suite. Although we could spend all day writing more test cases, we will have to limit ourselves to implement only a few cases of this grammar-based fuzzing, however. I would like to see us use it for XPath expressions, if anything. I researched, and I was unable to find any examples of fuzzing that supplies syntactically-valid XPath expressions, so maybe this is our responsibility to create.

* **Start doing:** Considering using grammar-based fuzzing for XPath expressions.
* **Stop doing:** N/A
* **Keep doing:** N/A

# Week 9

## SE7: Leading at Scale

#### Summary

#### Action Items & Reflection

* **Start doing:**
* **Stop doing:**
* **Keep doing:**

## FB7: Efficient Grammar Fuzzing

#### Summary

#### Action Items & Reflection

* **Start doing:**
* **Stop doing:**
* **Keep doing:**

# Week 10

## SE8: Style Guides and Rules

#### Summary

#### Action Items & Reflection

* **Start doing:**
* **Stop doing:**
* **Keep doing:**

## FB8: Parsing Inputs

#### Summary

#### Action Items & Reflection

* **Start doing:**
* **Stop doing:**
* **Keep doing:**

# Week 11

(Executable Examination)

# Week 12

## SE9: Code Review

#### Summary

#### Action Items & Reflection

* **Start doing:**
* **Stop doing:**
* **Keep doing:**

## FB9: Reducing Failure-Inducing Inputs

#### Summary

#### Action Items & Reflection

* **Start doing:**
* **Stop doing:**
* **Keep doing:**

# Week 13

## SE10: Documentation

#### Summary

#### Action Items & Reflection

* **Start doing:**
* **Stop doing:**
* **Keep doing:**

## DB1: Introduction to Debugging

#### Summary

#### Action Items & Reflection

* **Start doing:**
* **Stop doing:**
* **Keep doing:**

# Week 14

## SE11: Testing Overview

#### Summary

#### Action Items & Reflection

* **Start doing:**
* **Stop doing:**
* **Keep doing:**

## DB2: Tracing Executions

#### Summary

#### Action Items & Reflection

* **Start doing:**
* **Stop doing:**
* **Keep doing:**

# Week 15

## SE12: Unit Testing

#### Summary

#### Action Items & Reflection

* **Start doing:**
* **Stop doing:**
* **Keep doing:**

## DB3: Assertions

#### Summary

#### Action Items & Reflection

* **Start doing:**
* **Stop doing:**
* **Keep doing:**

# Week 16

## DB4: Statistical Debugging (Automatic Fault Localization)

#### Summary

#### Action Items & Reflection

* **Start doing:**
* **Stop doing:**
* **Keep doing:**

## Final review of all content on Developer Development web site

Final exam for this class is December 14, 2023 at 09:00