The fast-and-loose, permissive semantics of dynamic programming
languages limit the power of static analyses. For that reason, soundness is often
traded for precision through dynamic program analysis. Dynamic
analysis is only as good as the available runnable code, and relying
solely on test suites is fraught as they do not cover the full gamut of
possible behaviors. Fuzzing is an approach for automatically
exercising code, and could be used to obtain more runnable code.
However, the shape of user-defined data in dynamic languages is
difficult to intuit, limiting a fuzzer's reach.

We propose a feedback-driven blackbox fuzzing approach which draws inputs from a
database of values recorded from existing code. We implement this
approach in a tool called signatr for the R language. We
present the insights of its design and implementation, and assess
signatr's ability to uncover new behaviors by fuzzing 4,829 R
functions from 100 R packages, revealing 1,195,184 new signatures.