Fuzzing: can’t understand the concept of lookahead analysis?

Posted: 2021-06-27

Hi,

I am reading the paper at: https://arxiv.org/abs/1905.07147 ( Targeted greybox fuzzing with lookahead analysis)

I am trying to understand the lookahead analysis on page 4 of 12. According to the paper:

Power schedule. The no-target-ahead prefixes computed by the lookahead analysis are used to control the fuzzer’s power schedule [15], which assigns more energy to certain inputs according to two criteria.

First, it assigns more energy to inputs that exercise a rare (i.e., rarely explored) no-target-ahead prefix. The intuition is to fuzz these inputs more in order to increase the chances of flipping a branch along the rare prefix, and thereby, reaching a target location.

Note that flipping a branch in a suffix path can never lead to a target location. For this reason, our power schedule no longer distinguishes inputs based on the program path they exercise, but rather based on their no-target-ahead prefix. To maximize the chances of discovering a target location with fuzzing, the lookahead analysis tries to identify the shortest no-target-ahead prefixes, which are shared by the most suffix paths.

I can’t understand how this approach can easily reach line 22 of Figure 2 in the paper.
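To make the quoted passage concrete, here is a small added model of the two ideas it describes: a lookahead step that marks which control-flow blocks still have a target ahead, and a power schedule that groups inputs by their no-target-ahead prefix and gives rare prefixes more energy. This is illustration code written for this thread, not code from the paper or from its implementation; the control-flow graph, the block names, the sample execution paths and the inverse-frequency energy formula are all constructed assumptions, and the prefix definition is a simplification of the paper's.

```python
from collections import Counter, deque

# Constructed toy control-flow graph (assumption, not from the paper):
# block id -> successor block ids. "target" is the location we want to reach.
CFG = {
    "entry": ["check", "reject"],
    "check": ["parse", "log"],
    "parse": ["target", "error"],
    "log": ["exit"],
    "reject": ["exit", "cleanup"],
    "cleanup": ["exit"],
    "error": ["exit"],
    "target": ["exit"],
    "exit": [],
}
TARGETS = {"target"}

# Constructed sample of execution paths observed by a fuzzer (one per input).
SAMPLE_PATHS = [
    ["entry", "reject", "exit"],
    ["entry", "reject", "cleanup", "exit"],
    ["entry", "reject", "exit"],
    ["entry", "reject", "cleanup", "exit"],
    ["entry", "check", "log", "exit"],
    ["entry", "check", "parse", "error", "exit"],
]


def blocks_with_target_ahead(cfg, targets):
    """Lookahead step: reverse reachability from the targets.

    Returns the set of blocks from which at least one target is still
    reachable along some path in the CFG (the targets themselves included).
    """
    preds = {b: [] for b in cfg}
    for block, succs in cfg.items():
        for s in succs:
            preds[s].append(block)
    reachable = set(targets)
    work = deque(targets)
    while work:
        b = work.popleft()
        for p in preds[b]:
            if p not in reachable:
                reachable.add(p)
                work.append(p)
    return reachable


def no_target_ahead_prefix(path, target_ahead):
    """Shortest prefix of `path` ending at the first block with no target ahead.

    Everything after that block is the suffix: flipping a branch there can
    never lead to a target, so it is ignored when grouping inputs. If every
    block on the path still has a target ahead, the whole path is the prefix.
    """
    for i, block in enumerate(path):
        if block not in target_ahead:
            return tuple(path[: i + 1])
    return tuple(path)


def assign_energy(paths, target_ahead, base=1.0):
    """Power schedule over no-target-ahead prefixes (simplified model).

    Inputs are grouped by prefix rather than by full path; an input whose
    prefix was exercised by few inputs gets proportionally more energy.
    Returns (energies aligned with `paths`, prefix -> frequency counter).
    """
    prefixes = [no_target_ahead_prefix(p, target_ahead) for p in paths]
    freq = Counter(prefixes)
    total = len(prefixes)
    energies = [base * total / freq[pfx] for pfx in prefixes]
    return energies, freq


if __name__ == "__main__":
    ahead = blocks_with_target_ahead(CFG, TARGETS)
    energies, freq = assign_energy(SAMPLE_PATHS, ahead)
    for path, energy in zip(SAMPLE_PATHS, energies):
        print(" -> ".join(path), "| prefix:", no_target_ahead_prefix(path, ahead), "| energy:", energy)
```

The two `reject` variants differ in their full path (one passes through `cleanup`) but collapse onto the same prefix `("entry", "reject")`, which is exactly the "no longer distinguishes inputs based on the program path" point; the lone input that stops at `log` or `error` is rare and is scheduled with four times the energy of the common `reject` group.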

