FrameShift: Learning to Resize Fuzzer Inputs Without Breaking Them

📅 2025-07-07
📈 Citations: 0
Influential: 0
🤖 AI Summary
Coverage-guided fuzzers mutate inputs without knowing their format, so a byte-level insertion or deletion can shift every field that follows it (a frameshift mutation): for example, a payload grows but the length field that describes it does not, and the target rejects the input before any new code runs. This paper proposes a lightweight structure-aware mutation technique, FrameShift, that requires no instrumentation or modification of the target beyond standard coverage feedback. It infers relation fields among input fields, such as length-payload dependencies, and applies non-destructive, structure-preserving scaling mutations that resize one part of the input while updating the fields that depend on it. The technique is implemented in both AFL++ and LibAFL. In a 12+ CPU-year evaluation across diverse configurations it improves fuzzer performance in every configuration, in some cases raising coverage by more than 50%. Case studies on real-world software show that it recovers structural relationships in a variety of formats and generalizes beyond C/C++ targets to Rust and Python.

📝 Abstract
Coverage-guided fuzzers are powerful automated bug-finding tools. They mutate program inputs, observe coverage, and save any input that hits an unexplored path for future mutation. Unfortunately, without knowledge of input formats (for example, the relationship between formats' data fields and sizes), fuzzers are prone to generate destructive frameshift mutations. These time-wasting mutations yield malformed inputs that are rejected by the target program. To avoid such breaking mutations, this paper proposes a novel, lightweight technique that preserves the structure of inputs during mutation by detecting and using relation fields. Our technique, FrameShift, is simple, fast, and does not require additional instrumentation beyond standard coverage feedback. We implement our technique in two state-of-the-art fuzzers, AFL++ and LibAFL, and perform a 12+ CPU-year fuzzer evaluation, finding that FrameShift improves the performance of the fuzzer in each configuration, sometimes increasing coverage by more than 50%. Furthermore, through a series of case studies, we show that our technique is versatile enough to find important structural relationships in a variety of formats, even generalizing beyond C/C++ targets to both Rust and Python.

Problem
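To make the frameshift problem concrete, the following is an added example written for this page, not code from the paper or from AFL++/LibAFL. It parses a constructed tag-length-value format, shows a format-blind byte insertion breaking the frame so the parser rejects the input, and applies a length-aware resize that keeps the input valid. The `Relation` type, the `infer_relations` heuristic and its accept/reject oracle are assumptions of this example; the paper's own relation-field detection works from standard coverage feedback and is not reproduced here.

```python
"""Constructed illustration for this page: a toy TLV format, a format-blind
insert mutation that frameshifts the input, and a structure-preserving resize
that keeps the length field in sync. Example code, not FrameShift's own
implementation; the relation-field inference is a deliberately narrow
heuristic standing in for the paper's coverage-driven detection."""
import struct
from dataclasses import dataclass

HEADER = 3  # 1-byte tag + 2-byte big-endian length

# Constructed seed input: two records, (tag 1, b"ABCD") and (tag 2, b"xy").
SEED = b"\x01\x00\x04ABCD" b"\x02\x00\x02xy"


def parse_tlv(data):
    """Stand-in for the target program. Records: tag(1) | len(2, big-endian) |
    payload(len). Raises ValueError on malformed input, which is how a real
    parser rejects a frameshifted input before reaching deeper code."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER:
            raise ValueError(f"truncated header at offset {off}")
        tag = data[off]
        (length,) = struct.unpack_from(">H", data, off + 1)
        start = off + HEADER
        if start + length > len(data):
            raise ValueError(f"length {length} at offset {off + 1} overruns input")
        records.append((tag, bytes(data[start:start + length])))
        off = start + length
    return records


def accepted(data):
    """Boolean oracle standing in for coverage feedback: did the target parse it?"""
    try:
        parse_tlv(data)
        return True
    except ValueError:
        return False


def naive_insert(data, at, filler):
    """Format-blind insertion, as a plain havoc-style mutator performs it.
    Bytes after `at` shift, but the length field that counted them does not."""
    return data[:at] + filler + data[at:]


@dataclass(frozen=True)
class Relation:
    """A length field at `field_off` that counts bytes [span_start, span_end)."""
    field_off: int
    span_start: int
    span_end: int


def resize(data, rel, new_payload):
    """Structure-preserving scaling mutation: swap the governed span for
    `new_payload` and rewrite the length field so the frame stays aligned."""
    out = bytearray(data[:rel.span_start] + new_payload + data[rel.span_end:])
    struct.pack_into(">H", out, rel.field_off, len(new_payload))
    return bytes(out)


def infer_relations(data, is_valid=accepted):
    """Heuristic (this example's assumption, not the paper's algorithm): a
    2-byte big-endian integer v at `off` is treated as the length of the v bytes
    that follow it when growing that span *without* fixing the field is rejected
    but growing it *with* the field updated is accepted."""
    found = []
    for off in range(len(data) - 1):
        (v,) = struct.unpack_from(">H", data, off)
        start, end = off + 2, off + 2 + v
        if end > len(data):
            continue  # cannot be a length of what follows
        rel = Relation(off, start, end)
        if not is_valid(resize(data, rel, data[start:end] + b"\x00")):
            continue  # updating the field did not keep the input valid
        if is_valid(naive_insert(data, end, b"\x00")):
            continue  # the span grew harmlessly, so this field does not govern it
        found.append(rel)
    return found


if __name__ == "__main__":
    print("seed parses to", parse_tlv(SEED))
    broken = naive_insert(SEED, 5, b"ZZ")  # grows payload 1, leaves len = 4
    print("frameshifted input accepted?", accepted(broken))
    rels = infer_relations(SEED)
    print("inferred relations:", rels)
    print("resized records:", parse_tlv(resize(SEED, rels[0], b"ABZZCD")))
```

Running the block shows the seed parsing to two records, the naive insertion being rejected (the shifted bytes `ZZ` are read as the next tag and a 0x4344 length), the heuristic recovering both length fields, and the resize producing a longer but still well-formed input. The heuristic is intentionally narrow: it only handles a 2-byte big-endian field counting the bytes immediately after it, and with a boolean oracle it can produce false positives on seeds whose payload bytes happen to form plausible lengths; real formats also carry offsets, element counts and checksums that a boolean accept/reject check cannot distinguish.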

Research questions and friction points this paper is trying to address.

Prevent destructive frameshift mutations in fuzzer inputs
Preserve input structure during mutation using relation fields
Improve fuzzer coverage without additional instrumentation

Innovation

Methods, ideas, or system contributions that make the work stand out.

Detects and uses relation fields for mutation
Preserves input structure during fuzzing
Requires no extra instrumentation beyond coverage