Overview
Edge coverage is a coverage mechanism referenced in the context of American Fuzzy Lop (AFL), an out-of-process coverage-guided grey-box fuzzer. In the cited processor-verification work, AFL's detection of new behaviors is described as being realized through edge coverage.[1]
Role in AFL
AFL uses coverage feedback as part of its fuzzing loop. The evidence describes execution feedback as including coverage and a return code, and notes that AFL applies multiple mutation strategies to discover new behaviors.[2]
The mutation strategies named in the evidence include:
- Bitflip mutations, which flip a varying number of bits.
- Arithmetic mutations, which add or subtract integers.
- Havoc mutation, which combines many individual mutations and applies them at random positions.[3]
Within this process, edge coverage is the mechanism cited for recognizing when a mutated input has exposed new behavior.[1]
Interaction with Test-Vector Trimming
The evidence also states that AFL uses a trim mutation to reduce the size of each test vector without changing the measured coverage. Smaller test vectors are described as tending to execute faster than larger ones.[4]
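As an added illustration that is not part of the cited work or of AFL's own code, the following Python models the mechanisms described above: an edge set recorded from a constructed toy target, a bitflip stage that keeps only mutants reaching an unseen edge, and a trim step that shortens an input while its edge set is unchanged. The toy target, its block names and the plain (prev, cur) edge set are assumptions; real AFL hashes edges into a fixed-size bitmap and buckets hit counts.

```python
# Added illustration (not AFL's code): edge coverage over a constructed toy
# target, a deterministic bitflip stage and coverage-preserving trimming.
# Assumed simplification: edges are exact (prev, cur) block pairs in a set;
# real AFL hashes them into a fixed-size bitmap and buckets hit counts.

class Tracer:
    """Records every (previous block, current block) transition."""
    def __init__(self):
        self.prev, self.edges = "start", set()
    def block(self, cur):
        self.edges.add((self.prev, cur)); self.prev = cur
def target(data: bytes, t: Tracer) -> None:
    """Constructed toy parser; each t.block() call marks a basic block."""
    t.block("entry")
    if len(data) < 3 or data[0] != ord("A"):
        t.block("reject"); return
    t.block("header_ok")
    if data[1] == ord("B"):
        t.block("cmd_b")
        if data[2] & 0x80:
            t.block("cmd_b_flag")  # reached only when the flag bit is set
    else:
        t.block("cmd_other")
    for _ in data[3:]:
        t.block("payload_byte")  # loop: extra bytes add no new edge

def edge_coverage(data: bytes) -> frozenset:
    t = Tracer(); target(data, t); return frozenset(t.edges)
def bitflip(data: bytes, bit: int) -> bytes:
    """Single-bit flip, MSB first within a byte as in AFL's FLIP_BIT."""
    b = bytearray(data); b[bit // 8] ^= 0x80 >> (bit % 8); return bytes(b)

def fuzz_bitflip(seed: bytes):
    """Keep a mutant only when it reaches an edge never seen before."""
    queue, seen = [seed], set(edge_coverage(seed))
    for data in queue:  # the list grows while being iterated
        for bit in range(len(data) * 8):
            cov = edge_coverage(cand := bitflip(data, bit))
            if cov - seen:  # new behavior == at least one unseen edge
                seen |= cov; queue.append(cand)
    return queue, frozenset(seen)

def trim(data: bytes) -> bytes:
    """Drop bytes one at a time while the edge set stays identical."""
    ref, i = edge_coverage(data), 0
    while i < len(data):
        cand = data[:i] + data[i + 1:]
        if edge_coverage(cand) == ref: data = cand
        else: i += 1
    return data
```

Starting from the constructed seed `b"AC\x00\x00\x00\x00"`, the bitflip stage keeps four queue entries covering all ten edges of the toy target, and trimming the flag-setting input removes one trailing payload byte without losing the loop's self-edge.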
Notes
The provided evidence identifies edge coverage as part of AFL's behavior-discovery mechanism, but it does not further define the internal representation or algorithmic details of edge coverage.
[1]: AFL's detection of new behaviors is realized through edge coverage.
[2]: The fuzzing loop uses execution feedback including coverage and return code.
[3]: AFL uses bitflip, arithmetic, and havoc mutations.
[4]: AFL trims test vectors without changing measured coverage, and smaller vectors tend to run faster.