Clutch Control: An Attention-based Combinatorial Bandit for Efficient Mutation in JavaScript Engine Fuzzing

📅 2025-10-14

🤖 AI Summary
To address the low efficiency of JavaScript engine fuzzing caused by random selection of mutation locations, this paper proposes CLUTCH, a novel fuzzing framework that treats mutation target selection as a combinatorial bandit problem with a volatile number of arms. CLUTCH uses an attention-based sequence model to represent variable-length test cases and integrates Concrete Dropout to adapt its exploration dynamically, reducing regret in volatile environments. By combining a deep combinatorial bandit with sequence modeling for mutation target selection, CLUTCH improves test case validity and code coverage. In the experimental evaluation, compared to three state-of-the-art fuzzers, CLUTCH increases the number of valid test cases by 20.3% and coverage per test case by 8.9% on average; compared to state-of-the-art bandits, it achieves at least 78.1% less regret in volatile settings and 4.1% less regret in combinatorial settings.

📝 Abstract
JavaScript engines are widely used in web browsers, PDF readers, and server-side applications. The rise in concern over their security has led to the development of several targeted fuzzing techniques. However, existing approaches use random selection to determine where to perform mutations in JavaScript code. We postulate that the problem of selecting better mutation targets is suitable for combinatorial bandits with a volatile number of arms. Thus, we propose CLUTCH, a novel deep combinatorial bandit that can observe variable-length JavaScript test case representations, using an attention mechanism from deep learning. Furthermore, using Concrete Dropout, CLUTCH can dynamically adapt its exploration. We show that CLUTCH increases efficiency in JavaScript fuzzing compared to three state-of-the-art solutions by increasing the number of valid test cases and coverage-per-testcase by, respectively, 20.3% and 8.9% on average. In volatile and combinatorial settings we show that CLUTCH outperforms state-of-the-art bandits, achieving at least 78.1% and 4.1% less regret in volatile and combinatorial settings, respectively.

Problem

Research questions and friction points this paper is trying to address.

Optimizing mutation target selection in JavaScript fuzzing
Addressing volatile combinatorial bandit problems efficiently
Improving test case validity and coverage in JavaScript engine fuzzing

Innovation

Methods, ideas, or system contributions that make the work stand out.

Attention-based combinatorial bandit for mutation selection
Uses Concrete Dropout for dynamic exploration adaptation
Observes variable-length test cases via attention mechanism