Mutational grammar fuzzing is effective but has two key weaknesses. First, coverage metrics do not reliably correlate with bug discovery: a bug that only triggers when several function calls are chained in a particular order adds no new coverage on its own, so a coverage-guided fuzzer has no signal pulling it toward that chain. Second, because mutational fuzzing is greedy (a sample is kept only if it adds new coverage relative to the current corpus), it tends to produce corpora whose samples are very similar to one another. A practical mitigation is to periodically restart fuzzing workers with empty corpora while keeping a central server: each worker independently builds a fresh set of samples from scratch before syncing with the server, which retains the accumulated coverage, corpus and crashes across restarts. Experiments on libxslt showed this periodic-restart approach found more unique crashes faster than a single long-running session, with the optimal restart interval being target-dependent.
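To make the restart scheme concrete, here is an added toy simulation (not Project Zero's fuzzer, and not code from the post): a greedy coverage-guided worker that mutates samples against a constructed, deterministic target, and a central server that keeps the global coverage, corpus and crashes. Every `restart_interval` iterations the worker pushes its local finds to the server and then throws its local corpus and coverage away, so the next batch of samples is built from the seed again rather than from the greedy corpus. `run_target`, `mutate`, `Server`, `Worker` and `fuzz` are all names chosen for this example; the target's "edges" and its crash condition are invented to mimic a bug that needs a chain of transitions.

```python
import random

MAX_LEN = 16


def run_target(data: bytes):
    """Constructed toy target with coverage instrumentation.

    Coverage is the set of (state, byte-class) transitions a tiny state
    machine takes; the 'crash' fires only after a specific chain of
    transitions, standing in for bugs that need several calls in order.
    """
    edges = set()
    state = 0
    for b in data[:MAX_LEN]:
        cls = b & 3
        edges.add(state * 4 + cls)          # edge ids fall in 0..31
        state = (state * 3 + cls) % 8
    crashed = state == 5 and len(data) >= 6 and data[0] == 0x41
    return edges, crashed


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Byte-level mutation: overwrite, insert or delete one byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and len(buf) < MAX_LEN:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


class Server:
    """Central server: survives worker restarts and accumulates global state."""

    def __init__(self):
        self.coverage = set()
        self.corpus = []
        self.crashes = set()

    def sync(self, samples):
        """Accept a worker's local finds; keep samples that add global coverage."""
        for sample, edges, crashed in samples:
            if crashed:
                self.crashes.add(sample)
            if edges - self.coverage:
                self.coverage |= edges
                self.corpus.append(sample)


class Worker:
    """Greedy mutational worker whose corpus is rebuilt from the seed on restart."""

    def __init__(self, seed: bytes, rng: random.Random):
        self.seed = seed
        self.rng = rng
        self.restart()

    def restart(self):
        """Drop local corpus and coverage; only the seed survives."""
        self.coverage = set()
        self.corpus = []
        self.pending = []
        self._consider(self.seed)

    def _consider(self, sample: bytes):
        edges, crashed = run_target(sample)
        if crashed or edges - self.coverage:   # greedy: keep only if locally new
            self.coverage |= edges
            self.corpus.append(sample)
            self.pending.append((sample, edges, crashed))

    def step(self):
        self._consider(mutate(self.rng.choice(self.corpus), self.rng))

    def drain(self):
        """Hand accumulated finds to the server and clear the outbox."""
        out, self.pending = self.pending, []
        return out


def fuzz(iterations: int, restart_interval: int, seed: int = 1) -> dict:
    """Run one worker with periodic restarts; return server-side statistics."""
    rng = random.Random(seed)
    server = Server()
    worker = Worker(b"\x41\x00", rng)
    restarts = 0
    for i in range(1, iterations + 1):
        worker.step()
        if i % restart_interval == 0:
            server.sync(worker.drain())   # push local finds to the server...
            worker.restart()              # ...then start over from an empty corpus
            restarts += 1
    server.sync(worker.drain())
    return {"restarts": restarts, "edges": len(server.coverage),
            "corpus": len(server.corpus), "crashes": len(server.crashes)}


if __name__ == "__main__":
    print(fuzz(iterations=2000, restart_interval=200))
```

The point of the split is that the greedy acceptance test lives in the worker, while the server only ever dedups against global coverage: after a restart the worker will rediscover edges the server already knows, and those samples are simply dropped on sync, but the paths it took to get there differ from the previous run's, which is what restores diversity. The restart interval is a tuning knob, exactly as the libxslt experiments found.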

10 min read. From projectzero.google
Table of contents

Issue #1: More coverage does not mean more bugs
Issue #2: Mutational grammar fuzzing tends to produce samples that are very similar
A simple solution?
Conclusion
