ConFuzz: Coverage-Guided Property Fuzzing for Event-Driven Programs

Bug-free concurrent programs are hard to write due to non-determinism arising out of concurrency and program inputs. Since concurrency bugs typically manifest under specific inputs and thread schedules, conventional testing methodologies for concurrent programs like stress testing and random testing, which explore random schedules, have a strong chance of missing buggy schedules. In this paper, we introduce a novel technique that combines property-based testing with mutation-based, grey box fuzzer, applied to event-driven OCaml programs. We have implemented this technique in ConFuzz, a directed concurrency bug-finding tool for event-driven OCaml programs. Using ConFuzz, programmers specify high-level program properties as assertions in the concurrent program. ConFuzz uses the popular greybox fuzzer AFL to generate inputs as well as concurrent schedules to maximise the likelihood of finding new schedules and paths in the program so as to make the assertion fail. ConFuzz does not require any modification to the concurrent program, which is free to perform arbitrary I/O operations. Our experimental results show that ConFuzz is easy-to-use, effective, detects concurrency bugs faster than Node.Fz - a random fuzzer for event-driven JavaScript programs, and is able to reproduce known concurrency bugs in widely used OCaml libraries.