how do syz-manager and syz-fuzzer utilize coverage information


Kingler Kebro

Feb 12, 2026, 10:43:41 PM
to syzkaller
Hi, syz-executor obtains coverage information. How do syz-manager and syz-fuzzer utilize coverage information (e.g., PC, CMP PC)? Where is the specific implementation code located?
Looking forward to your response,  thanks!

Aleksandr Nogikh

Feb 13, 2026, 3:45:55 AM
to Kingler Kebro, syzkaller
Hi,

Note that there's no syz-fuzzer component anymore (since almost 2 years now).

You could explore the code e.g. starting with pkg/fuzzer and pkg/rpcserver.

--
Aleksandr

On Fri, Feb 13, 2026 at 4:43 AM Kingler Kebro <kingle...@gmail.com> wrote:
>
> Hi, syz-executor obtains coverage information. How do syz-manager and syz-fuzzer utilize coverage information (e.g., PC, CMP PC)? Where is the specific implementation code located?
> Looking forward to your response, thanks!
>
> --

Kingler Kebro

Feb 13, 2026, 7:17:40 AM
to syzkaller
Thank you for your reply. I have carefully explored the mechanism and believe the role of coverage is as follows:
When new coverage is observed, the corresponding program (prog) is added to corpus.db.
The fuzzer itself is implemented independently of coverage, but through the selection mechanism, coverage feedback is provided to the fuzzer. This means that programs (seeds) that generate new coverage are given higher priority for mutation and execution.

I’m not sure whether my understanding is correct. May I ask if you have any further comments or additions? I look forward to your reply.
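
A minimal model of the mechanism described in the post above, as an added example that is not part of the thread and not syzkaller's code: a program is admitted to the corpus only when it reaches PCs not seen before, and seeds are chosen for mutation in proportion to the new PCs they contributed. The `Corpus` type, its methods, the weighting rule and the sample PC values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Corpus is a toy model: PCs seen so far plus the programs that added some.
type Corpus struct {
	seen   map[uint64]bool
	progs  []string
	weight []int // weight[i] = number of PCs progs[i] was first to reach
	total  int   // sum of all weights
}

// Triage admits prog only if cover has unseen PCs; it returns how many were new.
func (c *Corpus) Triage(prog string, cover []uint64) int {
	n := 0
	for _, pc := range cover {
		if !c.seen[pc] {
			c.seen[pc] = true
			n++
		}
	}
	if n > 0 {
		c.progs, c.weight = append(c.progs, prog), append(c.weight, n)
		c.total += n
	}
	return n
}

// Choose picks a seed with probability weight/total; "" means the corpus is empty.
func (c *Corpus) Choose(r *rand.Rand) string {
	if c.total == 0 {
		return ""
	}
	x, i := r.Intn(c.total), 0
	for ; x >= c.weight[i]; i++ {
		x -= c.weight[i]
	}
	return c.progs[i]
}

func main() {
	c := &Corpus{seen: map[uint64]bool{}}
	// Constructed coverage: prog-b reaches no new PC, so it is not admitted.
	fmt.Println(c.Triage("prog-a", []uint64{0x10, 0x14}), c.Triage("prog-b", []uint64{0x14}))
	fmt.Println(c.Choose(rand.New(rand.NewSource(1))))
}
```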