Glossary

Instrumentation

The process of inserting probes into a program at compile or binary rewrite time to collect runtime information for the fuzzer.

Instrumentation is the mechanism by which a fuzzer observes the target's behavior during execution. At compile time, LLVM's SanitizerCoverage or AFL++'s LLVM pass inserts callbacks or inline counter increments at every edge or basic block; these fire during execution and update a shared-memory coverage bitmap the fuzzer reads after each run. Binary-only instrumentation (QEMU mode, Frida, DynamoRIO) rewrites the target at runtime without source changes, at the cost of higher overhead. Instrumentation granularity matters: basic-block coverage misses which edge was taken in a multi-way branch; edge (branch) coverage is the standard because it distinguishes which direction a conditional went. Higher-precision instrumentation — context-sensitive coverage, call-stack hashing — can improve the fuzzer's ability to distinguish functionally different paths but increases bitmap size and reduces throughput.

Coverage

A metric measuring which branches, edges, or lines of code were executed during a fuzzing campaign.

Coverage-Guided Fuzzing

A fuzzing strategy that uses runtime code coverage feedback to steer input mutation toward unexplored code paths.

AddressSanitizer (ASan)

A fast memory-error detector that catches heap/stack buffer overflows, use-after-free, and similar bugs at runtime.

AFL++

A community-maintained, highly optimised fork of American Fuzzy Lop that is the most widely deployed coverage-guided fuzzer.

libFuzzer

An in-process, coverage-guided fuzzing library built into LLVM that links directly into the target binary.

Instrumentation

Related