Generative fuzzing (GBF) struggles to efficiently guide input generators toward covering specific code targets. Method: This paper proposes a type-structure–guided directed mutation strategy. Its core innovation is the first use of type composition information from input generators to inform mutation decisions, integrated with constant string pattern matching to precisely perturb critical subtypes influencing branch conditions. The approach comprises type inference, generator control-flow analysis, constant identification, and directed mutation scheduling—all implemented in Java. Contribution/Results: Experiments on AWS Lambda applications demonstrate an average 20% improvement in code coverage. The gains are especially pronounced when third-party code is introduced, confirming the method’s effectiveness and generalizability in complex, real-world scenarios.

As with any fuzzer, directing Generator-Based Fuzzers (GBF) to reach particular code targets can increase the fuzzer's effectiveness. In previous work, coverage-guided fuzzers used a mix of static analysis, taint analysis, and constraint-solving approaches to address this problem. However, none of these techniques were particularly crafted for GBF where input generators are used to construct program inputs. The observation is that input generators carry information about the input structure that is naturally present through the typing composition of the program input. In this paper, we introduce a type-based mutation heuristic, along with constant string lookup, for Java GBF. Our key intuition is that if one can identify which sub-part (types) of the input will likely influence the branching decision, then focusing on mutating the choices of the generators constructing these types is likely to achieve the desired coverages. We used our technique to fuzz AWSLambda applications. Results compared to a baseline GBF tool show an almost 20% average improvement in application coverage, and larger improvements when third-party code is included.