Coverage-Guided Fuzzing
A fuzzing strategy that uses runtime code coverage feedback to steer input mutation toward unexplored code paths.
Coverage-guided fuzzing uses runtime instrumentation — typically compile-time branch or edge counters — to measure which parts of the target program an input exercised. The fuzzer maintains a corpus of inputs that collectively cover discovered edges. When a mutated input causes a previously unseen edge to be hit, it is added to the corpus; inputs that don't expand coverage are discarded. This feedback loop allows the fuzzer to climb through the program's control-flow graph systematically, reaching deep parsing logic and conditional branches that purely random inputs would almost never trigger. AFL++, libFuzzer, Honggfuzz, and Centipede all implement coverage-guided strategies, though they differ in how they measure coverage, schedule mutations, and share corpora across parallel instances.
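The feedback loop described above, as an added illustration that is not code from AFL++, libFuzzer, Honggfuzz or Centipede: a miniature coverage-guided fuzzer written for this entry. It assumes a constructed toy target, `parse_record`, and substitutes Python's `sys.settrace` line-to-line transitions for the compile-time edge counters real fuzzers inject. The loop keeps a corpus, runs each candidate under coverage, and retains only inputs that reach an edge nobody in the corpus has hit before; a deterministic byte-walk stage (each byte set to every value) is followed by random mutation, in the same spirit as the deterministic and havoc stages of AFL-style fuzzers.

```python
import random
import sys
from collections import deque


def parse_record(data: bytes) -> str:
    """Constructed toy format: 'F','Z', version, payload length, payload, checksum.

    Each check is on its own line so that every rejection path is a distinct
    control-flow edge; that is what lets coverage feedback measure progress.
    """
    if len(data) < 5:
        return "too_short"
    if data[0] != ord("F"):
        return "bad_magic"
    if data[1] != ord("Z"):
        return "bad_magic"
    version = data[2]
    if version not in (1, 2):
        return "bad_version"
    length = data[3]
    payload = data[4:4 + length]
    if len(payload) != length or len(data) != 5 + length:
        return "bad_length"
    if sum(payload) % 256 != data[4 + length]:
        return "bad_checksum"
    return "ok"


def run_with_coverage(func, data: bytes):
    """Run func(data) and return (result, set of (prev_line, line) edges).

    sys.settrace line events inside func stand in for edge instrumentation.
    """
    edges = set()
    prev = [None]
    code = func.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # only trace the target function's own frame
        if event == "line":
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return tracer

    sys.settrace(tracer)
    try:
        result = func(data)
    finally:
        sys.settrace(None)
    return result, frozenset(edges)


def byte_walk(data: bytes):
    """Deterministic stage: every byte position set to every other value."""
    for i in range(len(data)):
        for v in range(256):
            if v != data[i]:
                yield data[:i] + bytes([v]) + data[i + 1:]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Random (havoc-style) stage: bit flip, byte overwrite, insert or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and len(buf) < 64:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, budget: int = 10000, seed: int = 0):
    """Coverage-guided loop: keep an input only if it reaches a new edge."""
    rng = random.Random(seed)
    corpus = []           # inputs that each contributed at least one new edge
    global_edges = set()  # union of edges reached by the corpus so far
    queue = deque()       # corpus entries not yet byte-walked
    runs = 0

    def consider(data: bytes) -> bool:
        nonlocal runs
        runs += 1
        _, edges = run_with_coverage(target, data)
        new = edges - global_edges
        if not new:
            return False  # no new coverage: discard, as the text describes
        global_edges.update(new)
        corpus.append(data)
        queue.append(data)
        return True

    for s in seeds:
        consider(s)
    while runs < budget:
        if queue:
            entry = queue.popleft()
            for child in byte_walk(entry):
                if runs >= budget:
                    break
                consider(child)
        else:
            consider(mutate(rng.choice(corpus), rng))
    return corpus, global_edges


if __name__ == "__main__":
    corpus, edges = fuzz(parse_record, [b"\x00" * 6], budget=10000, seed=1)
    for entry in corpus:
        print(entry.hex(), "->", parse_record(entry))
    print(len(edges), "edges covered")
```

Starting from six zero bytes, the byte walk climbs the parser one check at a time: the corpus grows by one entry for each rejection path and finally contains a record that parses as "ok", something random byte generation would reach with probability about 2^-40. Note that the magic check is deliberately written as two single-byte comparisons; had it been one `data[:2] != b"FZ"` test, setting either byte alone would change no edge, the fuzzer would see no progress, and it would stall. That blind spot is why production fuzzers add comparison-splitting instrumentation (for example the CmpLog and laf-intel-style passes in AFL++) on top of plain edge coverage.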