Description
Fuzz testing is a technique that generates random, unexpected or malformed
data and feeds it into a program. By observing how the software behaves
under such conditions, this approach may uncover potential weaknesses,
vulnerabilities and security flaws in applications.
A dynamically typed language such as R poses some difficulties for fuzz testing,
as by definition no predefined typing information is available: typing only
occurs at execution time, and the task of rejecting invalid inputs thus falls
solely on the package developer.
The CBTF ("Caught by the Fuzz!") package implements a fuzz testing approach
designed specifically to improve the robustness of R packages by identifying
function arguments that do not have sufficient argument validation. In addition,
fuzz testing can identify sets of inputs that, while satisfying the implicit
typing of a function signature, are problematic inside the function body.
We will detail how this testing approach has contributed to the robustness of
the research software package Luminescence, discovering over 270 failure cases,
which often (but not exclusively) concern the presence of missing values, NULL
entries, and dimensionality- or sign-related errors.
We will present aspects of the implementation approach of the package, such
as determining test inputs, identifying and reporting failure cases, handling
false positive results and parallelisation of execution.
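
The following sketch is an added example, not code from CBTF or Luminescence: a base-R harness that feeds problematic values to one argument at a time, records failures, and treats deliberate validation errors as clean rejections. The names `decay_rate` and `fuzz_arg`, the input list and the `ignore` pattern are hypothetical and constructed for illustration.

```r
# Constructed inputs for the failure classes the abstract names:
# missing values, NULL entries, dimensionality and sign.
inputs <- list(null = NULL, na = NA, na_real = NA_real_, empty = numeric(0),
               negative = -1, zero = 0, inf = Inf, string = "a",
               matrix = matrix(1:4, 2), list = list(1, "a"))

# Hypothetical function under test: it validates `x` but not `n`.
decay_rate <- function(x, n = 1) {
  if (!is.numeric(x) || length(x) == 0) stop("'x' must be a non-empty numeric")
  if (n > 0) log(x[1:n]) / n else 0
}

# Fuzz one argument while the others keep known-good values.
# `ignore` is a regex for deliberate validation errors, which count as a
# clean rejection rather than a failure (one way to handle false positives).
fuzz_arg <- function(fun, arg, inputs, valid, ignore = NULL) {
  vapply(inputs, function(value) {
    args <- valid
    args[arg] <- list(value)  # list() keeps a NULL value in the call
    tryCatch({
      do.call(fun, args)
      "OK"
    },
    warning = function(w) paste("WARN:", conditionMessage(w)),
    error = function(e) {
      msg <- conditionMessage(e)
      if (!is.null(ignore) && grepl(ignore, msg)) "OK (rejected)"
      else paste("FAIL:", msg)
    })
  }, character(1))
}

valid <- list(x = c(4, 2, 1), n = 2)
report <- sapply(names(valid), function(arg) {
  fuzz_arg(decay_rate, arg, inputs, valid, ignore = "^'x' must be")
}, simplify = FALSE)

# One named character vector per argument; entries starting with "FAIL"
# point at inputs that reached the function body unchecked.
print(report)
```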
If you used AI tools or services to support the preparation of this submission, please state the name and reason for using each of them.
No AI tools/services were used
Additional Material or Paper
https://replay.geog.uni-heidelberg.de/REPLAY-website/post/2025/08/fuzzing-luminescence-to-improve-it/
| Keywords: Please list up to 5 keywords to help us find the right session for your contribution. | testing, robustness, workflow, research software |
|---|---|
| Virtual Option | This submission is for onsite presentation only |
| Video Recording | Video sharing is fine |
| The author(s) agree(s) to take responsibility and be accountable for the contents of the submission and is/are authorized to present it. | Confirm |