coverage-analysis

trailofbits/skills

Coverage analysis is essential for understanding which parts of your code are exercised during fuzzing. It helps identify fuzzing blockers like magic value checks and tracks the effectiveness of harness improvements over time.

Installs: 799
Install command:
npx skills add https://github.com/trailofbits/skills --skill coverage-analysis
Security audits:
Gen Agent Trust Hub: PASS
Socket: PASS
Snyk: PASS
About this skill
Coverage analysis is essential for understanding which parts of your code are exercised during fuzzing. It helps identify fuzzing blockers like magic value checks and tracks the effectiveness of harness improvements over time.

Code coverage during fuzzing serves two critical purposes:

Coverage is a proxy for fuzzer capability and performance. While coverage is not ideal for measuring fuzzer performance in absolute terms, it reliably indicates whether your harness works effectively in a given setup.

Apply this technique when:

Skip this technique when:

The following workflow represents best practices for integrating coverage analysis into your fuzzing campaigns:

Key principle: Use the corpus generated after each fuzzing campaign to calculate coverage, rather than real-time fuzzer statistics. This approach provides reproducible, comparable measurements across different fuzzing tools.

Choose your instrumentation method based on toolchain:

LLVM/Clang (C/C++): GCC (C/C++): Rust:

For C/C++ projects, create a runtime that executes your corpus:

LLVM (C/C++): GCC (C/C++): Rust: Coverage data is automatically generated when running cargo fuzz coverage.

LLVM: GCC with gcovr: Rust:

Review the coverage report to identify:

Problem: Fuzzer cannot discover paths guarded by magic value checks.

Source description provided by the upstream skill listing. Community reviews and install context appear in the sections below.

FAQ
What does coverage-analysis do?

Coverage analysis is essential for understanding which parts of your code are exercised during fuzzing. It helps identify fuzzing blockers like magic value checks and tracks the effectiveness of harness improvements over time.

Is coverage-analysis good?

coverage-analysis does not have approved reviews yet, so SkillJury cannot publish a community verdict.

What agent does coverage-analysis work with?

coverage-analysis currently lists compatibility with codex, gemini-cli, opencode, cursor, github-copilot, claude-code.

What are alternatives to coverage-analysis?

Skills in the same category include telegram-bot-builder, flutter-app-size, sharp-edges, iterative-retrieval.

How do I install coverage-analysis?

npx skills add https://github.com/trailofbits/skills --skill coverage-analysis
