
libFuzzer

An in-process, coverage-guided fuzzing library built into LLVM that links directly into the target binary.

libFuzzer is an in-process fuzzing engine distributed as part of the LLVM toolchain. Rather than running the target as a separate process, libFuzzer links into the target binary and calls an `LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)` entry point in a tight loop. This eliminates process-startup overhead and enables extremely high throughput, often hundreds of thousands of executions per second. Coverage is measured via SanitizerCoverage edge counters. A value-profile mode lets libFuzzer detect comparisons and checksums that block deeper exploration, and structured input is supported through custom mutators registered via `LLVMFuzzerCustomMutator`. Its main limitation follows from the in-process design: a crash in the target takes down the fuzzer process itself, so fragile targets need a wrapper.
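The following is an added example (not code from the page or from the LLVM project) showing the two hooks the entry names: an `LLVMFuzzerTestOneInput` harness around a hypothetical length-prefixed record parser, and a self-contained `LLVMFuzzerCustomMutator` that keeps the length byte consistent with the buffer so that mutants reach the payload-handling code instead of dying at the header check. The record format, `parse_record`, and the mutation strategy are constructed for this illustration; the build line and flags are standard libFuzzer usage.

```cpp
// Added example: minimal libFuzzer harness plus a structure-aware custom mutator.
// Build and run (libFuzzer supplies main):
//   clang++ -g -O1 -fsanitize=fuzzer,address harness.cpp -o harness
//   ./harness -use_value_profile=1 corpus/
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical wire format (constructed for this example):
//   byte 0       : record type
//   byte 1       : payload length N (0..255)
//   bytes 2..N+1 : payload
// Returns the number of bytes consumed, or 0 for a malformed record.
size_t parse_record(const uint8_t *data, size_t size, uint8_t *type_out) {
    if (size < 2) return 0;              // header must be present
    uint8_t type = data[0];
    size_t len = data[1];
    if (len > size - 2) return 0;        // bounds check: declared payload must fit the buffer
    uint8_t copy[256];
    memcpy(copy, data + 2, len);         // safe: len <= 255 and len <= size - 2
    if (type_out) *type_out = type;
    return 2 + len;
}

// libFuzzer entry point: called in-process, in a loop, once per mutated input.
// It must return 0 and must not exit or throw; crashes are reported by ASan.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t type = 0;
    (void)parse_record(data, size, &type);
    return 0;
}

// Optional structure-aware mutator. This version does not call LLVMFuzzerMutate,
// so it also compiles without the libFuzzer runtime. It edits `data` in place
// and returns the new size (<= max_size), re-deriving the length byte so the
// header stays valid.
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size,
                                          size_t max_size, unsigned int seed) {
    if (max_size < 2) return 0;          // cannot hold even a header
    size_t cap = max_size < 257 ? max_size : 257;   // header + at most 255 payload bytes
    if (size < 2) { data[0] = 0; data[1] = 0; size = 2; }
    if (size > cap) size = cap;

    // xorshift32 driven by libFuzzer's seed so each mutation is reproducible
    uint32_t r = seed ? seed : 0x9e3779b9u;
    auto next = [&r]() { r ^= r << 13; r ^= r >> 17; r ^= r << 5; return r; };

    switch (next() % 3) {
    case 0:                              // change the record type
        data[0] = (uint8_t)next();
        break;
    case 1:                              // flip one bit in the payload
        if (size > 2) data[2 + next() % (size - 2)] ^= (uint8_t)(1u << (next() % 8));
        break;
    case 2: {                            // grow or shrink the payload
        size_t new_size = 2 + next() % (cap - 1);        // payload length in [0, cap-2]
        for (size_t i = size; i < new_size; ++i) data[i] = (uint8_t)next();
        size = new_size;
        break;
    }
    }
    data[1] = (uint8_t)(size - 2);       // keep the length field consistent with the buffer
    return size;
}
```

Without `-fsanitize=fuzzer` the file has no `main`, which is the usual way to keep a harness unit-testable: the parser and both hooks can be called directly from a test with constructed inputs. With `-fsanitize=fuzzer` libFuzzer provides `main`, instruments the code with SanitizerCoverage, and calls the mutator (when one is defined) before each `LLVMFuzzerTestOneInput` run.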