Understanding the fuzzer interface

I’m fuzzing a simple tokenizer using zig build test --fuzz, and I opened the web interface, but I feel like I need some help to interpret what I’m seeing, as I don’t know very much about fuzzing. Here’s a snapshot of the statistics:

* Total Runs: 1291225
* Unique Runs: 1288803 (99.8%)
* Speed (Runs/Second): 57899
* Coverage: 119 / 6871 (1.7%)

“Total Runs” and “Speed” are obvious; the other two I’m not so sure about.

  1. What exactly makes a run “unique”?
  2. What do the numbers represent in “Coverage”? I’m guessing it’s ‘current / total’, but the total of what exactly?
  3. Why does the coverage very quickly arrive at 119, and then not make any more progress?
  4. I understand the dots in the source view represent branches that the fuzzer has hit, but how do the red and green dots differ?

Program counter addresses.

Branches reported as Coverage.SourceLocation.


Interesting, would you mind expanding on this? So is it the exact sequence of program counter addresses throughout the entire run?

Ok, so I’m guessing the reason the coverage reaches a limit is because the total is all the branches in my entire module, is that right?