However much we test a software system, some \emph{residual risk} of undiscovered bugs always remains. If we model test generation as a sampling process, residual risk can be defined as the probability that the next test input reveals a bug. This risk is upper-bounded by the \emph{discovery probability (DP)}, i.e., the probability that the next test input covers new code, which is itself upper-bounded by the \emph{coverage rate}, i.e., the expected number of new coverage elements per test input. Prior work introduced the \emph{Good-Turing estimator (GoTu)} to estimate residual risk via the coverage rate. However, we find that GoTu substantially overestimates residual risk, leading to undue optimism about the prospects of finding further bugs, because (i) the coverage rate is only a loose upper bound on DP, and (ii) it ignores \emph{dependencies} among coverage elements.
We propose \emph{dependency-aware DP estimation} for residual risk analysis. Our estimator directly estimates DP \emph{and} accounts for coverage dependencies using Ma and Chao's sample coverage estimation. A naive implementation requires space proportional to the number of coverage elements and executions, which can be prohibitively large. To make it practical, we introduce two optimizations: dependency-aware node removal, which reduces the number of coverage elements to observe, and online singleton cluster maintenance, which eliminates the need to record the observed coverage elements of each execution.
A comparison of our estimator and GoTu on real-world software from FuzzBench demonstrates a substantial reduction in estimation error. If the campaign were stopped once the estimated residual risk fell below a given threshold, GoTu would lead a tester to waste $7\times$ more time than our estimator before deciding to stop. Our estimator achieves a median absolute error of only one-fifth that of GoTu. Finally, our bug-based analysis shows that our estimator achieves one to two orders of magnitude lower error than GoTu in residual risk estimation.
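The two sources of overestimation named in the abstract can be made concrete with a small constructed simulation. The block below is an added illustration, not code from the paper: it builds a toy program model (assumed input classes with fixed probabilities and the coverage elements each class hits, where some elements always co-occur), samples executions from it, and compares (a) the exact DP and coverage rate computed from the model, (b) a Good-Turing-style estimate that counts singleton coverage elements, which tracks the coverage rate rather than DP and double-counts dependent elements, and (c) a simplified dependency-aware variant, assumed here for illustration only, that collapses elements with identical execution histories into one cluster before counting singletons. The clustering rule and the helper names are assumptions and do not reproduce the paper's estimator or its Ma and Chao sample coverage step.

```python
"""Constructed illustration (not the paper's code) of why a singleton-based
Good-Turing estimate of discovery probability is inflated by coverage
dependencies, and how collapsing perfectly co-occurring elements helps."""
import random
from collections import Counter, defaultdict

# Assumed toy program model: (probability of the input class, elements covered).
# 'd' and 'e' always co-occur, as do 'g', 'h' and 'i': these are dependencies.
MODEL = [
    (0.70, frozenset("abc")),
    (0.20, frozenset("abcde")),
    (0.08, frozenset("abcf")),
    (0.02, frozenset("abcghi")),
]

# Constructed hand-checkable sample of five executions (coverage sets).
SAMPLE = [frozenset("abc"), frozenset("abc"), frozenset("abcde"),
          frozenset("abc"), frozenset("abcf")]


def gotu_estimate(executions):
    """Good-Turing-style estimate: coverage elements seen in exactly one
    execution, divided by the number of executions.  Because an execution
    can reveal several new elements at once, this tracks the coverage rate
    (expected new elements per input), not the discovery probability."""
    counts = Counter()
    for cov in executions:
        counts.update(cov)
    f1 = sum(1 for v in counts.values() if v == 1)
    return f1 / len(executions)


def cluster_estimate(executions):
    """Assumed dependency-aware variant (illustrative, not the paper's
    estimator): elements covered by exactly the same set of executions are
    merged into one cluster, and singleton clusters are counted instead of
    singleton elements, so co-occurring elements count once."""
    hits = defaultdict(set)  # element -> indices of executions covering it
    for i, cov in enumerate(executions):
        for elem in cov:
            hits[elem].add(i)
    clusters = {frozenset(idx) for idx in hits.values()}
    f1 = sum(1 for idx in clusters if len(idx) == 1)
    return f1 / len(executions)


def true_dp_and_rate(seen):
    """Exact DP (probability the next input covers an unseen element) and
    coverage rate (expected number of unseen elements it covers) for the
    assumed model, given the elements seen so far.  DP <= rate always."""
    dp = rate = 0.0
    for p, cov in MODEL:
        new = len(cov - seen)
        if new:
            dp += p
            rate += p * new
    return dp, rate


def simulate(n, seed=1):
    """Sample n executions from the model and report truth vs. estimates."""
    rng = random.Random(seed)
    executions = rng.choices([c for _, c in MODEL],
                             weights=[p for p, _ in MODEL], k=n)
    seen = set().union(*executions)
    dp, rate = true_dp_and_rate(seen)
    return {"true_dp": dp, "coverage_rate": rate,
            "gotu": gotu_estimate(executions),
            "cluster": cluster_estimate(executions)}


if __name__ == "__main__":
    print("hand sample: gotu =", gotu_estimate(SAMPLE),
          "cluster =", cluster_estimate(SAMPLE))
    for n in (20, 100, 500):
        print(n, simulate(n))
```

On the hand-built sample the element-level count sees three singletons (d, e, f) and reports 3/5, while the clustered count sees two singleton clusters ({d, e} and {f}) and reports 2/5; the gap is exactly the double-counted dependent pair. For any sample the element-level estimate is at least the clustered one, since every singleton cluster contributes at least one singleton element, and the model's true DP never exceeds its coverage rate, which is the bound chain the abstract describes.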
Wed 15 Apr (displayed time zone: Brasilia, Distrito Federal, Brazil)

16:00 - 17:30 | Testing and Analysis 7 (Research Track) at Oceania II. Chair: Ivan Beschastnikh (The University of British Columbia)

16:00, 15-minute talk | Dependency-aware Residual Risk Analysis. Research Track. Pre-print available.
16:15, 15-minute talk | Hallucinating Certificates: Differential Testing of TLS Certificate Validation Using Generative Language Models. Research Track. Muhammad Talha Paracha (Ruhr University Bochum), Kyle Posluns (Northeastern University), Kevin Borgolte (Ruhr University Bochum), Martina Lindorfer (TU Wien), David Choffnes (Northeastern University). Pre-print available.
16:30, 15-minute talk | Fuzzing Java Optimizing Compilers with Complex Inter-Class Structures Guided by Heterogeneous Program Graphs. Research Track. Shiyu Qiu, Ming Wen, Zifan Xie, Hai Jin (Huazhong University of Science and Technology).
16:45, 15-minute talk | Variability-Aware Fuzzing. Research Track. Meah Tahmeed Ahmed, Arnab Dev, Shiyi Wei (University of Texas at Dallas). Pre-print available.
17:00, 15-minute talk | Temporal Specification Oriented Fuzzing for Trigger-Action-Programming Smart Home Integrations. Research Track. Jinglin Dai, Yifan Xiong, Lezhi Ma, Shangqing Liu, Lei Bu (Nanjing University).
17:15, 15-minute talk | DyMA-Fuzz: Dynamic Direct Memory Access Abstraction for Re-hosted Monolithic Firmware Fuzzing. Research Track. Guy Farrelly (The University of Adelaide), Michael Chesser (University of Adelaide), Seyit Camtepe (CSIRO Data61), Damith C. Ranasinghe (University of Adelaide).