
Fuzzing Glossary

Plain-English definitions for every fuzzing term that’ll come up in a tools-and-techniques conversation.

AddressSanitizer (ASan)
A fast memory-error detector that catches heap/stack buffer overflows, use-after-free, and similar bugs at runtime.
AFL++
A community-maintained, highly optimised fork of American Fuzzy Lop that is the most widely deployed coverage-guided fuzzer.
Blackbox Fuzzing
Fuzzing that generates inputs with no visibility into the target program's code or execution state.
Centipede
Google's distributed coverage-guided fuzzer designed to scale across many machines with shared central corpus storage.
Corpus
The evolving collection of test inputs a fuzzer maintains, used as the base for generating new mutations.
Coverage
A metric measuring which branches, edges, or lines of code were executed during a fuzzing campaign.
Coverage-Guided Fuzzing
A fuzzing strategy that uses runtime code coverage feedback to steer input mutation toward unexplored code paths.
Crash Deduplication
The process of grouping distinct crash inputs that trigger the same underlying bug into a single unique report.
Dictionary
A file of format-specific tokens or magic bytes provided to the fuzzer to help it construct semantically meaningful mutations.
Fuzz Testing
Automated software testing that generates many semi-random inputs to find crashes, hangs, and security vulnerabilities.
Generation-Based Fuzzing
A fuzzing approach that synthesizes inputs from scratch using a grammar or format specification.
Greybox Fuzzing
Fuzzing that uses partial runtime information — typically coverage feedback — without requiring full program analysis.
Honggfuzz
A security-oriented multi-process fuzzer from Google with hardware performance-counter coverage and a compact codebase.
Instrumentation
The process of inserting probes into a program, either at compile time or by rewriting the binary, so that it reports runtime information (such as coverage) back to the fuzzer.
libFuzzer
An in-process, coverage-guided fuzzing library built into LLVM that links directly into the target binary.
MemorySanitizer (MSan)
A detector for uses of uninitialized memory in C/C++ programs, catching a class of bugs that ASan misses.
Mutation-Based Fuzzing
A fuzzing approach that generates new inputs by systematically modifying existing corpus entries.
Reproducer
A minimal input (and the command to run it) that reliably triggers a specific crash or bug found by the fuzzer.
Seed Corpus
The initial set of valid, well-structured inputs provided to a fuzzer before it begins mutation.
Triage
The workflow of reviewing, prioritizing, and reproducing crashes found by a fuzzer to determine exploitability and root cause.
UndefinedBehaviorSanitizer (UBSan)
A runtime checker that detects C/C++ undefined behavior — signed overflow, null dereference, misaligned access, and more.
Whitebox Fuzzing
Fuzzing that uses full program analysis — typically symbolic or concolic execution — to generate inputs that satisfy specific constraints.