6 changes: 3 additions & 3 deletions content/docs/fuzzing/c-cpp/techniques/01-coverage/index.md
Expand Up @@ -25,7 +25,7 @@ Secondly, when switching your fuzzer or updating your harness or SUT, you want t

Fuzzing coverage is a proxy for the capability and performance of the fuzzer. Even though it is widely accepted that coverage [is not ideal for measuring the performance](https://arxiv.org/abs/1808.09700) of a fuzzing engine, coverage can tell you whether your harness works in a given setup.

The following flow chart shows an ideal coverage analysis workflow. The workflow uses the corpus generated after each fuzzing campaign to calculate the coverage, which is the preferred method.
The following flow chart shows an ideal coverage analysis workflow. The workflow uses the corpus generated after each fuzzing campaign to calculate the coverage, which is the preferred method.



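Review bot: the removed and added forms of the flow-chart sentence are character-for-character identical as rendered, so this hunk is a whitespace-only change (trailing whitespace or line ending). That is fine to keep, but the commit message should say so, otherwise reviewers will hunt for a wording difference that is not there.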
Expand Down Expand Up @@ -143,7 +143,7 @@ LLVM_PROFILE_FILE=fuzz.profraw ./fuzz_exec corpus/
```


The `.profraw` file must now be converted to an indexed `.profdata` file. Make sure to have the required LLVM tools installed. On Debian/Ubuntu, the package is called `llvm` (e.g., `apt install llvm`).
The `.profraw` file must now be converted to an indexed `.profdata` file. Make sure to have the required LLVM tools installed. On Debian/Ubuntu, the package is called `llvm` (e.g., `apt install llvm`).


```shell
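Review bot: this is another invisible whitespace-only change to the `.profraw` paragraph, but while touching it the sentence recommending `apt install llvm` should add that the `llvm-profdata` shipped by that package must match the major version of the `clang` used for the instrumented build; Debian and Ubuntu also ship version-suffixed packages, and `.profraw` files from a newer compiler are not readable by an older `llvm-profdata`. A short "use the same LLVM version for clang and llvm-profdata" clause here would prevent a common failure when following the conversion step.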
Expand Down Expand Up @@ -212,7 +212,7 @@ HTML coverage report generated by `llvm-cov`
{{< /resourceFigure >}}

{{< hint info >}}
PRO TIP: Version 18 of LLVM and Clang (not yet released) can generate index pages for each directory, so that the root page of the report is not filled with hundreds of individual files. Simply append the flags `-format=html`, `-output-dir fuzz_html/` and `-show-directory-coverage` when invoking `llvm-cov show`.
PRO TIP: Version 18 of LLVM and Clang can generate index pages for each directory, so that the root page of the report is not filled with hundreds of individual files. Simply append the flags `-format=html`, `-output-dir fuzz_html/` and `-show-directory-coverage` when invoking `llvm-cov show`.
{{< /hint >}}

Note: Generating coverage data is impossible if your corpus contains inputs that crash. Generating coverage data is possible only if the SUT exits gracefully. Ideally, fix the bugs and then rerun the fuzzer to gather coverage data. That way you can gather coverage data for previously crashing inputs.
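Review bot: dropping "(not yet released)" is correct, but the tip now reads as if `-show-directory-coverage` were generally available; it should state that the flag requires LLVM 18 or newer, since an older `llvm-cov show` will reject the unknown option. Consider "Version 18 and later of LLVM and Clang can generate index pages ..." so readers on a distribution LLVM know why the flag fails for them.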
2 changes: 1 addition & 1 deletion content/docs/fuzzing/rust/10-cargo-fuzz/index.md
Expand Up @@ -290,7 +290,7 @@ cargo +nightly fuzz run fuzz_target_1

The corpus is stored at `fuzz/corpus/fuzz_target_1/`. Check out the [FAQ]({{% relref "05-faq" %}}) to learn how to use a corpus over the long term.

The next step is to investigate the coverage and see if the harness or seed corpus can be improved (refer to the [Coverage analysis](#real-world-examples)).
The next step is to investigate the coverage and see if the harness or seed corpus can be improved (refer to the [Coverage analysis]({{% relref "techniques/01-coverage/index.md" %}})).

## Additional resources {#additional-resources}

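Review bot: replacing the dangling `#real-world-examples` anchor with a `relref` is the right fix, because Hugo resolves `relref` at build time and fails the build on an unresolvable target, whereas the old in-page anchor silently produced a dead link. Two things to check before merging: that the relative path `techniques/01-coverage/index.md` resolves the same way as the sibling `{{% relref "05-faq" %}}` two lines above (it should land on the Rust coverage page edited later in this PR), and that the two links use one style, either both with or both without the trailing `index.md`.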
6 changes: 2 additions & 4 deletions content/docs/fuzzing/rust/techniques/01-coverage/index.md
Expand Up @@ -23,7 +23,7 @@ Secondly, when switching your fuzzer or updating your harness or SUT, you want t

Fuzzing coverage is a proxy for the capability and performance of the fuzzer. Even though it is widely accepted that coverage [is not ideal for measuring the performance](https://arxiv.org/abs/1808.09700) of a fuzzing engine, coverage can tell you whether your harness works in a given setup.

The following flow chart shows an ideal coverage analysis workflow. The workflow uses the corpus generated after each fuzzing campaign to calculate the coverage, which is the preferred method.
The following flow chart shows an ideal coverage analysis workflow. The workflow uses the corpus generated after each fuzzing campaign to calculate the coverage, which is the preferred method.

{{< resourceFigure "coverage-flow.svg" "alt" 300>}}
Ideal fuzzing workflow: After each fuzzing campaign the code coverage is evaluated. Based on the results, the SUT or harness is updated and a new fuzzing campaign is started.
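Review bot: this hunk is the same whitespace-only fix as in the C/C++ coverage page, applied to text that is word-for-word identical in both files (the "Fuzzing coverage is a proxy ..." and "The following flow chart ..." paragraphs). Having to make the same cosmetic edit twice is a sign the shared introduction should live in one place, for example a Hugo shortcode or a page resource both pages include, so future wording changes cannot drift between the C/C++ and Rust versions.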
Expand Down Expand Up @@ -129,8 +129,6 @@ Then we generate merged coverage data from the corpus:
cargo +nightly fuzz coverage fuzz_target_1
```

Finally, we generate an HTML report and use domain knowledge to assess the fuzzing performance by using the `generate_html` script introduced in the [Coverage analysis](#coverage-analysis) section.
Finally, we generate an HTML report and use domain knowledge to assess the fuzzing performance by using the `generate_html` script introduced in the [Coverage analysis](#coverage-analysis) section.

We may need to find more diverse seeds or fix bugs in our harness if the code coverage is unexpectedly low. However, no single number determines bad coverage; this depends significantly on how the crate is written and how difficult it is to reach certain code.


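Review bot: the hunk count (8 lines before, 6 after) with no visible text change means the only deletions are the extra blank lines at the end of this block; worth a mention in the commit message. More importantly, the sentence kept here still links with a bare `(#coverage-analysis)` anchor, which is the same pattern this PR replaces in `10-cargo-fuzz/index.md`; confirm that this page actually has a heading with that id, and if the id is generated rather than explicit, pin it with an explicit `{#coverage-analysis}` suffix as is done for `## Additional resources {#additional-resources}` so a later heading rename does not break the link.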