This part introduces test generation techniques that take the semantics of the input into account, notably the behavior of the program that processes the input.
Grammar Mining shows how to extract an input grammar from a program by analyzing how individual parts of the input are processed. The resulting grammars can be directly used for fuzzing.
Tracking Information Flow shows how to track inputs throughout the program, in order to discover information leaks and further improve analysis techniques.
Concolic Fuzzing analyzes program code to solve path constraints, in order to cover branches and behaviors that are hard to reach.
Symbolic Fuzzing works like concolic fuzzing, but does not require any executions at all.
Mining Function Specifications extracts type information as well as pre- and postconditions from program executions – useful information for program analysis, testing, and verification.