Conjecture on inefficiency of coverage-guided and heuristic fuzzing for JavaScript engines

Determine whether traditional coverage-guided fuzzing and heuristic-based mitigation approaches for JavaScript engines disproportionately mutate irrelevant code, thereby wasting computational resources.

Background

The paper argues that coverage-guided fuzzing and manual heuristic strategies often fail to prioritize high-risk execution paths in JavaScript engines, leading to inefficiencies. Drawing on analyses of historical V8 vulnerabilities and experiments demonstrating missed risky inputs under coverage-centric selection, the authors suggest a fundamental shortcoming in those approaches.

In the conclusion, the authors explicitly conjecture that these methods spend significant effort on mutating code that is irrelevant to triggering vulnerabilities. This conjecture motivates their data-centric, feature-guided alternative and highlights a need to empirically test whether coverage-guided and heuristic techniques indeed waste resources by focusing on non-risky mutations.

References

This paper addresses the inefficiencies involved with fuzzing JS engines, which involve the failure to prioritize high-risk paths in traditional coverage-guided fuzzing and the limited mitigations from manual rules and observations in the literature. We conjecture that such methods spend a lot of effort mutating irrelevant code, thereby wasting resources.

From Coverage to Causes: Data-Centric Fuzzing for JavaScript Engines (2512.18102 - Ganguly et al., 19 Dec 2025) in Section 8 Conclusion