After several years of writing Linux kernel tests. My conclusion is that reproducers of existing bugs, find the most new bugs.
Possibly fuzzers find more bugs than anything else. This does not contradict my hypotheses because fuzzers generate reproducers. At least Syzkaller can generate a C based reproducer or replay its activity some other way.
With some difficulty the C based reproducers can be run independently. In a number of cases we have manually converted them to Linux Test Project (LTP) test cases. These are much better behaved. The LTP is relatively easy to install and run.
Of course fuzzers…