STIMSMITH

Coverage-guided Fuzzing

Concept

Coverage-guided fuzzing (CGF) is a fuzz-testing approach in which code or design coverage feedback is used to guide input generation and mutation. The supplied evidence presents it as a software-testing technique capable of detecting large numbers of bugs, as a tool implemented by libFuzzer and AFL, as a method for verifying instruction set simulators and CPU RTL designs, and as the basis of recent frameworks (e.g., FLARE) that extend it to LLM-based multi-agent systems.

First seen 5/24/2026
Last seen 6/8/2026
Evidence 26 chunks
Wiki v6

WIKI

Coverage-guided Fuzzing

Coverage-guided fuzzing (CGF) is a fuzz-testing technique in which a coverage metric drives the generation, selection, and mutation of test inputs. The supplied evidence describes CGF as "an effective testing technique which has detected hundreds of thousands of bugs from various software applications" and that "focuses on maximizing code coverage to reveal more bugs during fuzzing."[C1] At the same time, the same evidence notes a key limitation: "a higher coverage does not necessarily imply a better fault detection capability," because triggering a bug requires not only exercising a particular program path but also reaching interesting program states in that path.[C1]
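The feedback loop this paragraph describes (mutate an input, execute it, keep it as a new seed only when it reaches coverage not seen before) and the limitation it notes can both be seen in a small fuzzer. The following Python is an added example, not code from this page, from libFuzzer or AFL, or from any of the cited papers: `parse_header` and its "FZ" record format are constructed for illustration, the mutation menu is a hypothetical approximation of the random mutations (flip bit, insert byte, shuffle bytes, periodic size growth) a CGF engine applies, and line-to-line transitions recorded with `sys.settrace` stand in for the edge counters a compiler would insert into a native target.

```python
"""Toy coverage-guided fuzzer: an added illustration, not code from the page,
libFuzzer, AFL or any cited paper."""
import random
import sys
from typing import Callable, Dict, List, Optional, Set, Tuple

Edge = Tuple[int, int]


def parse_header(data: bytes) -> str:
    """Constructed target: a hypothetical 'FZ' + version + length + payload format.

    The bug at the end is the 'same path, different state' case the text warns
    about: every input that reaches the table lookup runs the same lines, but
    only version == 2 produces an out-of-range slot.
    """
    if len(data) < 4:
        return "short"
    if data[0] != 0x46:            # 'F'
        return "bad-magic"
    if data[1] != 0x5A:            # 'Z'
        return "bad-magic"
    version = data[2]
    length = data[3]
    if version > 2:
        return "bad-version"
    payload = data[4:4 + length]
    if len(payload) < length:
        return "truncated"
    table = [0] * 8
    slot = (version << 2) | (length & 3)    # version 2 yields slots 8..11
    table[slot] += 1                         # IndexError only on the buggy state
    return "ok"


def run_with_coverage(target: Callable[[bytes], object], data: bytes) -> Tuple[Set[Edge], bool]:
    """Run target(data) once; return (edges executed inside target, crashed)."""
    edges: Set[Edge] = set()
    prev = [-1]                              # -1 marks the function entry

    def local_trace(frame, event, arg):
        if event == "line":
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return local_trace

    def global_trace(frame, event, arg):
        # Instrument only the target's own frame, not anything it calls.
        if event == "call" and frame.f_code is target.__code__:
            return local_trace
        return None

    crashed = False
    sys.settrace(global_trace)
    try:
        target(data)
    except Exception:                        # any uncaught exception counts as a crash
        crashed = True
    finally:
        sys.settrace(None)
    return edges, crashed


def mutate(rng: random.Random, data: bytes, max_len: int) -> bytes:
    """Apply one to four stacked mutations from a libFuzzer-like menu."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        choice = rng.randrange(5)
        if choice == 0 and buf:                      # flip one bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif choice == 1 and len(buf) < max_len:     # insert a random byte
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif choice == 2 and buf:                    # overwrite a byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif choice == 3 and len(buf) > 1:           # erase a byte
            del buf[rng.randrange(len(buf))]
        elif choice == 4 and len(buf) > 1:           # shuffle a byte range
            lo = rng.randrange(len(buf) - 1)
            hi = rng.randrange(lo + 1, len(buf) + 1)
            seg = buf[lo:hi]
            rng.shuffle(seg)
            buf[lo:hi] = seg
    return bytes(buf)


def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int, seed: int = 0) -> Dict[str, object]:
    """Coverage-guided loop: seeds must be non-empty; stops at the first crash."""
    rng = random.Random(seed)
    corpus: List[bytes] = []
    seen: Set[Edge] = set()
    max_len = 8
    crash_input: Optional[bytes] = None
    crash_iter: Optional[int] = None
    for s in seeds:                                  # record each seed's coverage
        edges, _ = run_with_coverage(target, s)
        seen |= edges
        corpus.append(s)
    for i in range(1, iterations + 1):
        if i % 1000 == 0:                            # periodically allow longer inputs
            max_len += 8
        child = mutate(rng, rng.choice(corpus), max_len)
        edges, crashed = run_with_coverage(target, child)
        if crashed:
            crash_input, crash_iter = child, i
            break
        if edges - seen:                             # new edges: keep child as a seed
            seen |= edges
            corpus.append(child)
    return {"edges": len(seen), "corpus_size": len(corpus),
            "crash_input": crash_input, "crash_iter": crash_iter}


if __name__ == "__main__":
    print(fuzz(parse_header, [b"FZ\x01\x00"], 20000, seed=1))
```

Running the file prints the edge count, the corpus size and the first crashing input. The corpus stops growing after a handful of entries (the target has only a few distinct paths) well before the crash is found, which is the point made above: coverage saturates while the state that triggers the bug, `version == 2`, still has to be reached by chance, since it adds no new edge until the exception fires.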

Core mechanism: libFuzzer as a representative engine


NEIGHBORHOOD

1 node · 0 edges
graph · Coverage-guided Fuzzing · depth=1

RELATIONSHIPS

15 connections
Functional Coverage uses → 100% 5e
Coverage-guided fuzzing uses coverage to guide test generation
Mutation-Based Fuzzing uses → 100% 3e
Coverage-guided fuzzing employs mutation-based techniques to generate test inputs.
AFL ← implements 100% 3e
AFL is a coverage-guided grey box fuzzer.
The paper mentions coverage-guided fuzzing techniques as related work.
Code Coverage uses → 100% 3e
Coverage-guided fuzzing is guided by code coverage to maximize test effectiveness.
The paper leverages coverage-guided fuzzing techniques to generate processor-level input stimuli.
LLVM libFuzzer ← implements 100% 2e
LLVM libFuzzer is listed as a representative of modern coverage-guided fuzzing.
The paper proposes leveraging coverage-guided fuzzing for processor verification.
Processor Verification ← uses 100% 2e
Coverage-guided fuzzing is applied to processor verification in this work.
Virtual Coverage uses → 90% 2e
Virtual coverage is used within the coverage-guided fuzzing framework to improve measurement granularity.
The paper discusses coverage-guided fuzzing as a related technique.
MorFuzz ← implements 95% 2e
MorFuzz is a coverage-guided processor fuzzer.
Model-based Test Generation compares with → 85% 2e
Coverage-guided fuzzing is contrasted with traditional generational/model-based test generation approaches.
RTL Fuzzing ← uses 90% 2e
RTL fuzzing employs coverage-guided fuzzing principles to drive test generation.
DiFuzzRTL ← implements 90% 1e
DifuzzRTL is a coverage-guided processor fuzzer.

CITATIONS

9 sources
[1] Coverage-guided fuzzing focuses on maximizing code coverage to reveal bugs but higher coverage does not necessarily imply better fault detection; mutation scores can be used as feedback to improve CGF in both code coverage and bug detection. Investigating Coverage Guided Fuzzing with Mutation Testing
[2] libFuzzer is an LLVM-based coverage-guided fuzzing engine that instruments the DUT via clang, does not use functional coverage metrics, applies pre-defined random mutations (shuffle bytes, insert bit, etc.), periodically increases input size, and performs in-process fuzzing via the LLVMFuzzerTestOneInput interface. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[3] Coverage-guided fuzzing, as represented by libFuzzer and AFL, mutates randomly created data and is guided by code coverage, avoiding the effort of creating an input model; both have been shown very effective and revealed various new bugs. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[4] The DATE 2019 paper implements a CGF approach on top of libFuzzer for ISS verification, adding functional coverage and a custom mutation procedure, and finds new errors in three publicly available RISC-V ISSs including one error in the official RISC-V reference simulator Spike. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[5] The CGF feedback loop for ISS verification consists of a fuzzer generating a bytestream of instructions that is injected into an ELF template, executed by the ISS-under-test instrumented with tracing, and feeds coverage back to the fuzzer when new coverage is observed on the execution frame. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[6] Instiller addresses three challenges in fuzzing CPU RTL: (1) distilling long input instruction sequences via a variant of ant colony optimization (VACO), (2) simulating realistic interruption and exception handling with priorities, and (3) hardware-related seed selection and mutation. Instiller: Towards Efficient and Realistic RTL Fuzzing
[7] Instiller increases coverage by 29.4%, produces input instruction sequences 79.3% shorter than DiFuzzRTL, finds 17.0% more mismatches in vulnerability discovery, and yields a 6.7% average increase in execution speed. Instiller: Towards Efficient and Realistic RTL Fuzzing
[8] FLARE applies coverage-guided fuzzing to LLM-based multi-agent systems by extracting specifications and behavioral spaces from agent definitions to build test oracles, achieving 96.9% inter-agent coverage and 91.1% intra-agent coverage on 16 open-source applications and uncovering 56 previously unknown failures. FLARE: Agentic Coverage-Guided Fuzzing for LLM-Based Multi-Agent Systems
[9] Model-based test generators use an input format specification to guide the generation process and can integrate constraints processed by CSP/SMT solvers, in contrast to CGF which mutates randomly created inputs guided by coverage without requiring an input model. Verifying Instruction Set Simulators using Coverage-guided Fuzzing