How to fuzz stateful logic? #23105

@maflcko

Description

Most fuzz engines use coverage signals (for example line coverage or edge coverage) to determine which fuzz inputs to keep. This works generally well, unless the fuzzed logic is stateful.

One example is the script interpreter / script parsing. I believe there is no difference in coverage signals between a 1-of-1 multisig and a 1-of-16 multisig, which is presumably why it took several months to find a bug in the script fuzz target: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39152

There is -use_value_profile=1, which might help a bit here, but apparently it didn't help enough.

I am wondering what the best way is to address this shortcoming, so that it is possible to find the above bug (and similar ones) in less CPU time?

cc @guidovranken @agroce @practicalswift
