Robotic systems are becoming an integral part of human lives.
Responding to the increased demands for robot productions, Robot
Operating System (ROS), an open-source middleware suite for robotic
development, is gaining traction by providing practical tools and
libraries for quickly developing robots. In this paper, we are
concerned with a relatively less-tested class of bugs in ROS and
ROS-based robotic systems, called semantic correctness bugs, including
the violation of specification, violation of physical laws, and
cyber-physical discrepancy. These bugs often stem from the
cyber-physical nature of robotic systems, in which noisy hardware
components are intertwined with software components, and thus cannot be
detected by existing fuzzing approaches that mostly focus on finding
memory-safety bugs.

We propose RoboFuzz, a feedback-driven fuzzing framework that integrates
with ROS and enables testing of the correctness bugs. RoboFuzz features
(1) data type-aware mutation for effectively stressing data-driven ROS
systems, (2) hybrid execution for acquiring robotic states from both
real-world and a simulator, capturing unforeseen cyber-physical
discrepancies, (3) an oracle handler that identifies correctness bugs by
checking the execution states against predefined correctness oracles,
and (4) a semantic feedback engine for providing augmented guidance to
the input mutator, complementing classic code coverage-based feedback,
which is less effective for distributed, data-driven robots. By
encoding the correctness invariants of ROS and four ROS-compatible
robotic systems into specialized oracles, RoboFuzz detected 30
previously unknown bugs, of which 25 are acknowledged and six have
been fixed.