September 2024
Conference Paper
Title
Generator-based Fuzzing with Input Features
Abstract
Generator-based fuzzing is a capable technique for testing the semantic processing stages of a system under test (SUT). The idea is to use format-specific input generators, which can guarantee that inputs are syntactically valid. One open question, however, is how to create inputs with generator-based fuzzing whose content exhibits particular qualities (input features). This is a downside, as previous research suggests that input features are important for triggering otherwise rarely reached functionality of an SUT. We propose an approach to identify input features for rarely visited code by performing sequential pattern mining on the tree model of generated inputs. These features are regenerated by splicing (i.e., inserting) them into the model of newly generated inputs. We evaluate our approach on Ant, Maven, Closure and Rhino. The results indicate increased diversity in the exploration of rarely executed code in most benchmarks. Significant improvements in valid rare branch hits were observed in half of the SUTs. The JavaScript benchmarks tend to benefit more in terms of overall coverage, but no statistically significant difference was found.
Author(s)