
Affordances for "local maxima" in coverage

Open alex opened this issue 3 years ago • 4 comments

clusterfuzz has various strategies to try to handle the problem of getting stuck in a local maximum for coverage.

clusterfuzzlite doesn't appear to have these; as a result, some fuzzers may find themselves stuck, unable to make progress.

I believe https://github.com/alex/rust-asn1 is experiencing this. The fuzzer is not making much progress; however, if I blow away all coverage and run it from the start, I can often get it to advance further.

alex, Aug 24 '22 00:08
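The workaround described in the comment above (discard the accumulated coverage, restart from the seeds, keep whatever the fresh run finds), written out as a batch-fuzzing round. This is an added example, not ClusterFuzzLite's or rust-asn1's code: it assumes a libFuzzer-style target binary that accepts `-max_total_time=N` and `-merge=1 <dst> <src>` (both real libFuzzer flags), and the function name, arguments and directory layout are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example (not ClusterFuzzLite code). One batch-fuzzing round that tries
# to escape a coverage plateau: fuzz for a while from the seed corpus ONLY,
# ignoring the long-lived corpus, then fold the fresh findings back in.
# Assumes a libFuzzer-compatible binary ($1) supporting -max_total_time and
# -merge=1; everything else here is an assumption of this example.
set -eu

# fresh_restart_round FUZZER CORPUS SEEDS SECONDS
#   FUZZER  - libFuzzer-style target binary
#   CORPUS  - long-lived corpus that has stopped making progress
#   SEEDS   - hand-written seed inputs (may be empty)
#   SECONDS - wall-clock budget for the fresh run
# Prints how many inputs the fresh run added to CORPUS. Returns the fuzzer's
# exit status from the fresh run, so a crash found while restarting still
# fails the batch job instead of being swallowed.
fresh_restart_round() {
  fuzzer=$1; corpus=$2; seeds=$3; seconds=$4
  scratch=$(mktemp -d)

  # Start from the seeds, not from the stuck corpus, so the fuzzer is not
  # anchored to the inputs that led it into the local maximum.
  cp "$seeds"/* "$scratch"/ 2>/dev/null || true

  before=$(find "$corpus" -type f | wc -l | tr -d ' ')

  # Fresh run. Crash artifacts land in the current directory (libFuzzer default).
  rc=0
  "$fuzzer" -max_total_time="$seconds" "$scratch" >/dev/null 2>&1 || rc=$?

  # -merge=1 copies into CORPUS only those scratch inputs that add coverage,
  # so the long-lived corpus grows only if the restart actually found new edges.
  "$fuzzer" -merge=1 "$corpus" "$scratch" >/dev/null 2>&1

  after=$(find "$corpus" -type f | wc -l | tr -d ' ')
  rm -rf "$scratch"
  echo "$((after - before))"
  return "$rc"
}

# Usage (in a batch job, not CI): run this every N-th round and watch the
# printed count; a run of zeros means restarting is no longer helping either.
#   fresh_restart_round ./target/fuzz_asn1 corpus/ seeds/ 600
```

The merge step is what makes the restart safe to automate: the main corpus never shrinks and never absorbs redundant inputs, so the round is idempotent with respect to coverage. It belongs in batch fuzzing only; a CI run that sometimes restarts and sometimes does not would no longer reproduce the same result for the same change.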

Interesting idea! I'll have to think about this. Thanks for making the effort to explore this yourself btw.

jonathanmetzman, Aug 25 '22 13:08

Would you like to see this feature in batch fuzzing mode? It seems like putting this feature in CI mode would break CI mode's attempt to be deterministic (i.e. it's bad if we don't find a bug when it's introduced but find it in a later PR; it would be best if we found it the first time, second best if we don't find it at all, and worst if we find it on another PR).

jonathanmetzman, Sep 16 '22 20:09

My interest here is for the batch fuzzing.

alex, Sep 16 '22 20:09

Makes sense!

jonathanmetzman, Sep 16 '22 20:09