Coverage-Guided Fuzzing — STIMSMITH

Coverage-guided Fuzzing

Technique

Coverage-guided fuzzing (CGF) is a feedback-driven testing technique that uses coverage information to steer input generation toward unexplored program behavior. Public research describes CGF as effective at finding bugs, while also noting that code coverage alone is an imperfect proxy for fault detection because triggering a bug may require reaching both a path and a relevant program state. In the provided ISS-verification evidence, CGF is evaluated against RISC-V ISA tests and RISC-V Torture, achieving 100% branch coverage and most reported functional-coverage metrics while finding all listed ISS-under-test errors plus additional errors in Spike and Forvis.

First seen 5/25/2026

Last seen 6/9/2026

Evidence 32 chunks

Wiki v3

WIKI

Overview

Coverage-guided fuzzing (CGF) is a testing technique that uses execution feedback, commonly code coverage, to guide fuzzing toward inputs that explore more program behavior. Public research describes CGF as an effective technique that has detected many bugs across software applications and as a technique that focuses on maximizing code coverage during fuzzing. However, the same research cautions that higher coverage does not necessarily imply better fault detection: triggering a bug can require both exercising a particular path and reaching an interesting program state on that path. [CGF definition and coverage caveat]

Feedback signals

READ FULL ARTICLE →

NEIGHBORHOOD

3 nodes · 2 edges

graph · Coverage-Guided Fuzzing · depth=1

RELATIONSHIPS

16 connections

libFuzzer ← implements 100% 6e

libFuzzer is an LLVM-based implementation of coverage-guided fuzzing.

Verifying Instruction Set Simulators using Coverage-guided Fuzzing ← introduces 100% 4e

The paper proposes a novel coverage-guided fuzzing approach for ISS verification.

AFL ← implements 100% 3e

AFL is a representative of coverage-guided fuzzing tools.

ELF Binary uses → 90% 2e

The CGF approach transforms bytestreams into ELF binaries for execution.

Verifying Instruction Set Simulators using Coverage-guided Fuzzing ← uses 100% 2e

The paper proposes and uses coverage-guided fuzzing for ISS verification.

Cross-level processor verification via endless randomized instruction stream generation with coverage-guided aging ← compares with 85% 2e

The paper compares its approach to coverage-guided fuzzing

Functional Coverage ← part of 90% 2e

Functional coverage is integrated as part of the coverage-guided fuzzing approach.

State Coverage uses → 90% 2e

Coverage-guided fuzzing uses state coverage to guide mutation.

Custom Mutation Procedure uses → 100% 2e

The CGF approach uses a specialized mutator tailored for ISS verification.

DiFuzzRTL ← implements 100% 1e

DIFUZZRTL adopts coverage-guided fuzzing to comprehensively explore hardware logics in RTL designs.

Efficient Cross-Level Testing for Processor Verification: A RISC-V Case-Study ← compares with 85% 1e

The paper discusses coverage-guided fuzzing as a related approach and notes its limitations.

MorFuzz ← uses 100% 1e

MorFuzz is described as a coverage-guided processor fuzzer.

Code Coverage uses → 100% 1e

Coverage-guided fuzzing uses code coverage to guide test generation.

Mutation-based Fuzzing uses → 95% 1e

Coverage-guided fuzzing employs mutation-based techniques on randomly created data.

Functional Coverage uses → 100% 1e

The proposed CGF approach integrates functional coverage to complement code coverage.

Efficient Cross-Level Testing for Processor Verification: A RISC-V Case-Study ← mentions 90% 1e

The paper mentions coverage-guided fuzzing tailored for ISS-level verification as a related research direction.

LINKED ENTITIES

3 links

Verifying Instruction Set Simulators using Coverage-guided Fuzzing USES Extracted graph relationship

libFuzzer IMPLEMENTS Extracted graph relationship

AFL IMPLEMENTS Extracted graph relationship

CITATIONS

7 sources

7 citations — click to expand

[1] CGF definition and coverage caveat Investigating Coverage Guided Fuzzing with Mutation Testing

[2] Mutation-score feedback Investigating Coverage Guided Fuzzing with Mutation Testing

[3] ISS evaluation setup Verifying Instruction Set Simulators using Coverage-guided Fuzzing

[4] ISS CGF results Verifying Instruction Set Simulators using Coverage-guided Fuzzing

[5] ISS comparison results Verifying Instruction Set Simulators using Coverage-guided Fuzzing

[6] ISS custom mutations and feature mapping Verifying Instruction Set Simulators using Coverage-guided Fuzzing

[7] FLARE MAS fuzzing FLARE: Agentic Coverage-Guided Fuzzing for LLM-Based Multi-Agent Systems