Author here. Thanks for your great advice. We will apply this experimental project to testing TiDB in the future and output the report to https://github.com/fuzzdebugplatform/fuzz_debug_platform/iss.... Through the statistics of code block coverage, we can not only identify suspicious code blocks but also count code coverage.
The fuzzer we implemented is driven by BNF expressions. We can adjust the inputs of the fuzzer based on the statistics.
One of the tricks you should try is adding Swarm Testing. It tends to make this sort of fuzzing more effective at finding bugs, and I would not be surprised if it improves your coverage also.