Closed UniverseFly closed 2 years ago
I think the only difference between this work and a general greybox fuzzer is that the property provides a better test oracle, i.e. if an input doesn't satisfy some property, we consider it buggy.
It's wrong.
Indeed, property-based testing is a different world from traditional fuzzing. It is closer to the PL community. And this FuzzChick first offers an automatically derived generator to generate the target ADT, which may not pass certain constraints though, and meanwhile offers several auto-derived mutators to mutate the target ADT, which fit a coverage-guided loop to increase the rate at which the generated ADTs pass the checks. FuzzChick claims that most data should be provided by the mutators, referring to the generator only when the mutators get stuck, to avoid local optima.
Pierce is one of the authors of FuzzChick. Also look into his other papers related to property-based testing and constrained data generation!
https://lemonidas.github.io/pdf/FuzzChick.pdf
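The generator/mutator loop described in the comment above, as an added Python sketch that is not FuzzChick's code (FuzzChick itself is built on Coq/QuickChick); the tree ADT, the BST invariant used as precondition, the seeded bug in `insert` and the branch labels used as "coverage" are all constructed here to show why mutating valid inputs beats regenerating from scratch:

```python
import random

# Constructed toy ADT: a binary tree is None or a tuple (key, left, right).
def is_bst(t, lo=-1, hi=21):      # precondition the property requires
    return t is None or (lo < t[0] < hi and is_bst(t[1], lo, t[0]) and is_bst(t[2], t[0], hi))

def gen_tree(rng, depth=3):       # blind derived generator: mostly produces non-BSTs
    if depth == 0 or rng.random() < 0.3:
        return None
    return (rng.randint(0, 20), gen_tree(rng, depth - 1), gen_tree(rng, depth - 1))

def mutate(rng, t):               # structural mutator: nudge a key or regrow a subtree
    if t is None:
        return gen_tree(rng, 1)
    k, l, r = t
    c = rng.randrange(3)
    if c == 0:
        return (max(0, min(20, k + rng.choice([-1, 1]))), l, r)
    return (k, mutate(rng, l), r) if c == 1 else (k, l, mutate(rng, r))

def insert(t, k, cov, depth=0):   # function under test; records branch labels in cov
    if t is None:
        cov.add(("leaf", depth)); return (k, None, None)
    if k == t[0]:
        cov.add(("dup", depth)); return t
    if k < t[0] or k > 15:        # constructed BUG: "or k > 15" sends large keys left
        cov.add(("left", depth)); return (t[0], insert(t[1], k, cov, depth + 1), t[2])
    cov.add(("right", depth)); return (t[0], t[1], insert(t[2], k, cov, depth + 1))

def fuzz(seed, budget=2000, stuck_limit=50):
    """Coverage-guided loop: keep inputs that reach new branches, mutate from them,
    and call the generator again only after stuck_limit mutations add no coverage."""
    rng, cov, corpus, stuck = random.Random(seed), set(), [], 0
    cur, stats = gen_tree(rng), {"gen": 1, "mut": 0, "discard": 0}
    for _ in range(budget):
        k = rng.randint(0, 20)
        if not is_bst(cur):           # precondition failed: discard, no oracle verdict
            stats["discard"] += 1
        else:
            seen = set()
            if not is_bst(insert(cur, k, seen)):   # property: insert preserves the invariant
                return "bug", cur, k, stats
            if seen - cov:
                cov |= seen; corpus.append(cur); stuck = 0
            else:
                stuck += 1
        if corpus and stuck < stuck_limit:
            cur = mutate(rng, rng.choice(corpus)); stats["mut"] += 1
        else:
            cur = gen_tree(rng); stuck = 0; stats["gen"] += 1
    return "no-bug", None, None, stats
```

`fuzz(1)` returns the failing (tree, key) pair plus counters showing how many inputs came from the mutators versus the generator and how many were discarded by the precondition.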