{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,22]],"date-time":"2026-01-22T23:50:26Z","timestamp":1769125826715,"version":"3.49.0"},"reference-count":79,"publisher":"Association for Computing Machinery (ACM)","issue":"5","license":[{"start":{"date-parts":[[2023,7,21]],"date-time":"2023-07-21T00:00:00Z","timestamp":1689897600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"European Research Council (ERC) under the European Union\u2019s Horizon 2020 research and innovation programme","award":["864972"],"award-info":[{"award-number":["864972"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2023,9,30]]},"abstract":"<jats:p>\n            Remote Procedure Call (RPC) is a communication protocol to support client-server interactions among services over a network. RPC is widely applied in industry for building large-scale distributed systems, such as Microservices. Modern RPC frameworks include, for example, Thrift, gRPC, SOFARPC, and Dubbo. Testing such systems using RPC communications is very challenging, due to the complexity of distributed systems and various RPC frameworks the system could employ. To the best of our knowledge, there does not exist any tool or solution that could enable automated testing of modern RPC-based services. To fill this gap, in this article we propose the first approach in the literature, together with an open source tool, for fuzzing modern RPC-based APIs. The approach is in the context of white-box testing with search-based techniques. To tackle schema extraction of various RPC frameworks, we formulate a RPC schema specification along with a parser that allows the extraction from source code of any JVM RPC-based APIs. Then, with the extracted schema we employ a search to produce tests by maximizing white-box heuristics and newly defined heuristics specific to the RPC domain. We built our approach as an extension to an open source fuzzer (i.e.,\n            <jats:sc>EvoMaster<\/jats:sc>\n            ), and the approach has been integrated into a real industrial pipeline that could be applied to a real industrial development process for fuzzing RPC-based APIs. To assess our novel approach, we conducted an empirical study with two artificial and four industrial web services selected by our industrial partner. In addition, to further demonstrate its effectiveness and application in industrial settings, we report results of employing our tool for fuzzing another 50 industrial APIs autonomously conducted by our industrial partner in their testing processes. Results show that our novel approach is capable of enabling automated test case generation for industrial RPC-based APIs (i.e., 2 artificial and 54 industrial). We also compared with a simple gray-box technique and existing manually written tests. Our white-box solution achieves significant improvements on code coverage. Regarding fault detection, by conducting a careful review with our industrial partner of the tests generated by our novel approach in the selected four industrial APIs, a total of 41 real faults were identified, which have now been fixed. Another 8,377 detected faults are currently under investigation.\n          <\/jats:p>","DOI":"10.1145\/3585009","type":"journal-article","created":{"date-parts":[[2023,2,23]],"date-time":"2023-02-23T00:25:31Z","timestamp":1677111931000},"page":"1-38","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":32,"title":["White-Box Fuzzing RPC-Based APIs with EvoMaster: An Industrial Case Study"],"prefix":"10.1145","volume":"32","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-1204-9322","authenticated-orcid":false,"given":"Man","family":"Zhang","sequence":"first","affiliation":[{"name":"Kristiania University College, Oslo, Norway"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0799-2930","authenticated-orcid":false,"given":"Andrea","family":"Arcuri","sequence":"additional","affiliation":[{"name":"Kristiania University College and Oslo Metropolitan University, Oslo, Norway"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6778-1364","authenticated-orcid":false,"given":"Yonggang","family":"Li","sequence":"additional","affiliation":[{"name":"Meituan, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4925-0903","authenticated-orcid":false,"given":"Yang","family":"Liu","sequence":"additional","affiliation":[{"name":"Meituan, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1271-5076","authenticated-orcid":false,"given":"Kaiming","family":"Xue","sequence":"additional","affiliation":[{"name":"Meituan, Beijing, China"}]}],"member":"320","published-online":{"date-parts":[[2023,7,21]]},"reference":[{"key":"e_1_3_2_2_2","unstructured":"[n. d.]. AFL. https:\/\/github.com\/google\/AFL. Accessed August 26 2022."},{"key":"e_1_3_2_3_2","unstructured":"[n. d.]. Dubbo. https:\/\/dubbo.apache.org\/en\/. Accessed August 26 2022."},{"key":"e_1_3_2_4_2","unstructured":"[n. d.]. EvoMaster. https:\/\/github.com\/EMResearch\/EvoMaster. Accessed August 26 2022."},{"key":"e_1_3_2_5_2","unstructured":"[n. d.]. EvoMaster Benchmark (EMB). https:\/\/github.com\/EMResearch\/EMB. Accessed August 26 2022."},{"key":"e_1_3_2_6_2","unstructured":"[n. d.]. GraphQL Foundation. https:\/\/graphql.org\/foundation\/. Accessed August 26 2022."},{"key":"e_1_3_2_7_2","unstructured":"[n. d.]. gRPC. https:\/\/grpc.io\/. Accessed August 26 2022."},{"key":"e_1_3_2_8_2","unstructured":"[n. d.]. Intellij IDEA Code Coverage. https:\/\/www.jetbrains.com\/help\/idea\/code-coverage.html. Accessed August 26 2022."},{"key":"e_1_3_2_9_2","unstructured":"[n. d.]. javax.validation.constraints. https:\/\/javaee.github.io\/javaee-spec\/javadocs\/javax\/validation\/constraints\/package-summary.html. Accessed August 26 2022."},{"key":"e_1_3_2_10_2","unstructured":"[n. d.]. OpenAPI\/Swagger. https:\/\/swagger.io\/. Accessed August 26 2022."},{"key":"e_1_3_2_11_2","unstructured":"[n. d.]. SOFARPC. https:\/\/www.sofastack.tech\/en\/. Accessed August 26 2022."},{"key":"e_1_3_2_12_2","unstructured":"[n. d.]. Status Code in gRPC. https:\/\/grpc.github.io\/grpc\/core\/md_doc_statuscodes.html. Accessed August 26 2022."},{"key":"e_1_3_2_13_2","unstructured":"[n. d.]. TApplicationException in Thrift. https:\/\/javadoc.io\/doc\/org.apache.thrift\/libthrift\/latest\/org\/apache\/thrift\/TApplicationException.html. Accessed August 26 2022."},{"key":"e_1_3_2_14_2","unstructured":"[n. d.]. thrift. https:\/\/thrift.apache.org\/. Accessed August 26 2022."},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2009.52"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66299-2_1"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/QRS.2017.11"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2018.00046"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9570-9"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2018.05.003"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1145\/3293455"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2020.3013820"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1002\/stvr.1486"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3321707.3321732"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/3391533"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST46399.2020.00025"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3477271"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.21105\/joss.02153"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.5281\/zenodo.6651631"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00083"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/SOSE.2005.1"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/3182657"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2009.28"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1145\/3520304.3528952"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.2209.05833"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/FOSE.2007.25"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/4236.991449"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.5555\/932295"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1145\/2025113.2025179"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2012.14"},{"key":"e_1_3_2_41_2","first-page":"1","article-title":"Industry\u2013academia collaborations in software testing: Experience and success stories from Canada and Turkey","author":"Garousi Vahid","year":"2016","unstructured":"Vahid Garousi, Matt M. Eskandar, and Kadir Herkilo\u011flu. 2016. Industry\u2013academia collaborations in software testing: Experience and success stories from Canada and Turkey. Software Quality Journal (2016), 1\u201353.","journal-title":"Software Quality Journal"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2017.3641116"},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1145\/3084226.3084264"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-019-09711-y"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1145\/3363824"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2212.14604"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/ITNG.2008.182"},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-Companion55297.2022.9793781"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2012.07380"},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.2204.08348"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/3533767.3534401"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2021.3056505"},{"key":"e_1_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.20532\/cit.2016.1002727"},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1109\/CSSE.2008.790"},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.1145\/2931037.2931054"},{"key":"e_1_3_2_56_2","doi-asserted-by":"publisher","DOI":"10.1145\/3491038"},{"key":"e_1_3_2_57_2","volume-title":"Proceedings of the 4th International Workshop on SOA And Web Services Best Practices (SOAWS\u201906)","author":"Martin Evan","year":"2006","unstructured":"Evan Martin, Suranjana Basu, and Tao Xie. 2006. Automated robustness testing of web services. In Proceedings of the 4th International Workshop on SOA And Web Services Best Practices (SOAWS\u201906)."},{"key":"e_1_3_2_58_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-65310-1_33"},{"key":"e_1_3_2_59_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460319.3469082"},{"key":"e_1_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.5555\/2904388"},{"issue":"5","key":"e_1_3_2_61_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/1022494.1022529","article-title":"Generating test cases for web services using data perturbation","volume":"29","author":"Offutt Jeff","year":"2004","unstructured":"Jeff Offutt and Wuzhi Xu. 2004. Generating test cases for web services using data perturbation. ACM SIGSOFT Software Engineering Notes 29, 5 (2004), 1\u201310.","journal-title":"ACM SIGSOFT Software Engineering Notes"},{"key":"e_1_3_2_62_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2017.2663435"},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST46399.2020.00062"},{"key":"e_1_3_2_64_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-015-9424-2"},{"key":"e_1_3_2_65_2","doi-asserted-by":"publisher","DOI":"10.1109\/WSE.2006.24"},{"key":"e_1_3_2_66_2","doi-asserted-by":"publisher","DOI":"10.1109\/HASE.2002.1173120"},{"key":"e_1_3_2_67_2","first-page":"1","volume-title":"Proceedings of the 11th International Workshop on Smalltalk Technologies (IWST\u201918)","author":"Vargas Daniela Meneses","year":"2018","unstructured":"Daniela Meneses Vargas, Alison Fernandez Blanco, Andreina Cota Vidaurre, Juan Pablo Sandoval Alcocer, Milton Mamani Torres, Alexandre Bergel, and St\u00e9phane Ducasse. 2018. Deviation testing: A test case generation technique for GraphQL APIs. In Proceedings of the 11th International Workshop on Smalltalk Technologies (IWST\u201918). 1\u20139."},{"key":"e_1_3_2_68_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST46399.2020.00024"},{"key":"e_1_3_2_69_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2021.111061"},{"key":"e_1_3_2_70_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510151"},{"key":"e_1_3_2_71_2","first-page":"10Pages","volume-title":"Proceedings of the16th IEEE International Symposium on Software Reliability Engineering (ISSRE\u201905)","author":"Xu Wuzhi","year":"2005","unstructured":"Wuzhi Xu, Jeff Offutt, and Juan Luo. 2005. Testing web services by XML perturbation. In Proceedings of the16th IEEE International Symposium on Software Reliability Engineering (ISSRE\u201905). IEEE, 10Pages."},{"key":"e_1_3_2_72_2","doi-asserted-by":"publisher","DOI":"10.1145\/3464940"},{"key":"e_1_3_2_73_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-88106-1_8"},{"key":"e_1_3_2_74_2","article-title":"Open problems in fuzzing RESTful APIs: A comparison of tools","author":"Zhang Man","year":"2022","unstructured":"Man Zhang and Andrea Arcuri. 2022. Open problems in fuzzing RESTful APIs: A comparison of tools. arXiv:2205.05325.","journal-title":"arXiv:2205.05325"},{"key":"e_1_3_2_75_2","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.2208.03988"},{"key":"e_1_3_2_76_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST53961.2022.00022"},{"key":"e_1_3_2_77_2","doi-asserted-by":"publisher","DOI":"10.1145\/3321707.3321815"},{"key":"e_1_3_2_78_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-020-09937-1"},{"key":"e_1_3_2_79_2","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-022-00120-1"},{"key":"e_1_3_2_80_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2887384"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3585009","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3585009","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:07Z","timestamp":1750178227000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3585009"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,7,21]]},"references-count":79,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2023,9,30]]}},"alternative-id":["10.1145\/3585009"],"URL":"https:\/\/doi.org\/10.1145\/3585009","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,7,21]]},"assertion":[{"value":"2022-08-26","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-01-31","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-07-21","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}