Coverage-Guided Multi-Agent Harness Generation for Java Library Fuzzing

Nils Loose, Nico Winkel, Kristoffer Hempel, Felix Mächtle, Julian Hans, Thomas Eisenbarth

TL;DR

The paper presents a multi-agent architecture that automates fuzz harness generation for Java libraries with specialized LLM-powered agents. It introduces method-targeted coverage, which records coverage only while the target method executes so that the target's behavior is isolated, and agent-guided termination, which inspects uncovered source code to separate productive refinement opportunities from diminishing returns.

Abstract

Coverage-guided fuzzing has proven effective for software testing, but targeting library code requires specialized fuzz harnesses that translate fuzzer-generated inputs into valid API invocations. Manual harness creation is time-consuming and requires deep understanding of API semantics, initialization sequences, and exception handling contracts. We present a multi-agent architecture that automates fuzz harness generation for Java libraries through specialized LLM-powered agents. Five ReAct agents decompose the workflow into research, synthesis, compilation repair, coverage analysis, and refinement. Rather than preprocessing entire codebases, agents query documentation, source code, and callgraph information on demand through the Model Context Protocol, maintaining focused context while exploring complex dependencies. To enable effective refinement, we introduce method-targeted coverage that tracks coverage only during target method execution to isolate target behavior, and agent-guided termination that examines uncovered source code to distinguish productive refinement opportunities from diminishing returns. We evaluated our approach on seven target methods from six widely-deployed Java libraries totaling 115,000+ Maven dependents. Our generated harnesses achieve a median 26% improvement over OSS-Fuzz baselines and outperform Jazzer AutoFuzz by 5% in package-scope coverage. Generation costs average $3.20 and 10 minutes per harness, making the approach practical for continuous fuzzing workflows. During a 12-hour fuzzing campaign, our generated harnesses discovered 3 bugs in projects that are already integrated into OSS-Fuzz, demonstrating the effectiveness of the generated harnesses.
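As an added example that is not code from the paper or from its generated harnesses: a hand-written Jazzer harness of the kind the abstract describes, for the Jsoup.parse target that Figure 3 refers to. It assumes jsoup and the Jazzer API (com.code_intelligence.jazzer.api) are on the classpath, and treating IllegalArgumentException as an expected rejection is an assumption about the API contract, not something the paper states.

```java
// Added example, not from the paper: a manual Jazzer harness for Jsoup.parse.
// Assumes jsoup and the Jazzer API on the classpath.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;

public class JsoupParseFuzzer {
    // Jazzer invokes this once per fuzzer-generated input.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        // Split the raw bytes into a base URI and the HTML body so the fuzzer
        // controls both arguments of the parse overload under test.
        String baseUri = data.consumeString(64);
        String html = data.consumeRemainingAsString();

        Document doc;
        try {
            doc = Jsoup.parse(html, baseUri);
        } catch (IllegalArgumentException expected) {
            // Assumption: argument rejection is part of the API contract and
            // therefore not a finding; everything else propagates to Jazzer.
            return;
        }

        // Walk the parsed tree so that serialization and URL resolution code
        // also runs on this input; any uncaught exception here is reported.
        for (Element e : doc.getAllElements()) {
            e.outerHtml();
            e.absUrl("href");
        }
        doc.body().text();
    }
}
```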

Paper Structure (21 sections, 5 figures, 3 tables)


Figures (5)

  • Figure 1: Schematic overview of the harness generation workflow. Agents are ReAct agents with specialized tool access.
  • Figure 2: Overview of exposed tools through the model context protocol (MCP).
  • Figure 3: Sequence diagram showing initial tool interactions during the research phase for Jsoup.parse(String).
  • Figure 4: Coverage comparison across five Java libraries with three runs over 8-hour fuzzing campaigns. Top row: Method-targeted coverage for our generated harnesses, focusing exclusively on target method execution. Bottom row: Full target-scope coverage enabling fair comparison with AutoFuzz baseline. Each plot shows average branch coverage percentage over time with min and max coverage shown as shaded regions.
  • Figure 5: Method-targeted coverage for ANTLR4's two target methods.