Fuzzing Terminology


Corpus

Fuzzers run millions of procedurally generated inputs to find inputs that cause bugs. The corpus is the set of inputs that the fuzzer considers "interesting" because they cover some code or program state that was previously untested. The fuzzer saves these inputs as "checkpoints" that it can use to generate further test cases in the future.

Fuzzbuzz saves the fuzz corpus as regression tests, and runs all old corpus values whenever a new job is started, to ensure no regressions are introduced.

Fuzz Test

Also known as: fuzz target, fuzz function.

A function or class that receives arbitrary input from a fuzzer and uses it to execute and test code.


Fuzzer

Also known as: fuzzing engine.

A fuzzer is the test framework responsible for generating new inputs, executing the fuzz test with the generated input, reading code coverage instrumentation, managing the corpus, and reporting bugs.


Sanitizer

A form of instrumentation that reports specific bugs at runtime, usually injected into code at compile-time or runtime. Examples include: Address Sanitizer, Leak Sanitizer, Memory Sanitizer, Thread Sanitizer, Undefined Behavior Sanitizer.

Seed input

Seed inputs are a set of user-provided inputs to a fuzz test. They are usually hand-built by the developer to cover interesting parts of their code, giving the fuzzer a starting point from which to begin testing more of the program.
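
To show how the terms above fit together, here is a toy coverage-guided fuzzer. It is an added example, not Fuzzbuzz's code or any real fuzzing engine; every name in it (`fuzz_test`, `run_with_coverage`, `mutate`, `fuzz`, `replay`) is hypothetical, the bug in the target is constructed, and Python's line tracer stands in for real coverage instrumentation.

```python
import random
import sys

def fuzz_test(data: bytes) -> None:
    """Fuzz test: passes fuzzer-supplied bytes to the code under test (toy parser)."""
    if len(data) >= 3 and data[0] == ord("F"):
        if data[1] == ord("U"):
            if data[2] == ord("Z"):
                raise ValueError("constructed bug: 'FUZ' header not handled")

def run_with_coverage(test, data):
    """Execute one input; return (lines executed, exception raised or None)."""
    lines = set()
    def tracer(frame, event, arg):
        if event == "line":
            lines.add((frame.f_code.co_filename, frame.f_lineno))
        return tracer
    sys.settrace(tracer)  # stand-in for compile-time coverage instrumentation
    try:
        test(data)
        return lines, None
    except Exception as exc:
        return lines, exc
    finally:
        sys.settrace(None)

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Generate a new input by overwriting one random byte of a corpus entry."""
    buf = bytearray(data) or bytearray(b"\x00")
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(test, seeds, iterations=20000, rng_seed=0):
    """Fuzzer loop: returns (corpus, crashing inputs)."""
    rng = random.Random(rng_seed)
    corpus, covered, crashes = list(seeds), set(), []
    for seed in seeds:  # seed inputs are the starting point
        covered |= run_with_coverage(test, seed)[0]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        lines, exc = run_with_coverage(test, candidate)
        if exc is not None:
            crashes.append(candidate)  # bug report
        elif not lines <= covered:  # reached untested code: keep as checkpoint
            corpus.append(candidate)
            covered |= lines
    return corpus, crashes

def replay(test, corpus):
    """Regression run: re-execute every saved input, return the ones that fail."""
    return [d for d in corpus if run_with_coverage(test, d)[1] is not None]
```

Calling `fuzz(fuzz_test, [b"AAA"])` grows the corpus one matched header byte at a time, and `replay` re-runs the saved corpus in the way a regression job would.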