
How to record unique covered regions

Open · jiradeto opened this issue 3 years ago · 1 comment

I am wondering how the covered regions in fuzzbench are being identified. I checked the code and found that coverage_utils.extract_covered_regions_from_summary_json extracts information from Clang's source-based coverage, but I am not quite sure how this approach guarantees unique code regions.

    for function_data in functions_data:
        for region in function_data['regions']:
            # keep executed regions of kind 0 (code regions), dropping the hit count
            if region[hit_index] != 0 and region[type_index] == 0:
                covered_regions.append(region[:hit_index] +
                                       region[file_index:])

The above loop checks all covered regions in each function and constructs the code locations (starting and ending line/column, file id, etc.) that have been executed. I'd like to understand what actually happens when we have the exact same starting and ending lines/columns but from different functions.

Let's say we have two executed regions: a) 3:6 to 3:12 in function foo() and another region b) 3:6 to 3:12 in function bar(). Would these be considered different regions?

Also, I'd like to get some ideas on why fuzzbench uses region coverage as the primary coverage measurement. I notice Clang source-based coverage also offers branch coverage, which will perhaps give a more granular view. Are there any advantages of region coverage over branch coverage? Does fuzzbench also support branch coverage now?

Thank you very much.

jiradeto · Jan 17 '22 05:01
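To make concrete what the loop in the question actually keeps as the identity of a region, here is an added example (not fuzzbench's own code) that runs the same filter over a constructed llvm-cov JSON-export style function list and then groups the resulting keys by the functions that produced them. The index values and the deduplication via a set are assumptions of this example, based on the llvm-cov export layout, not values taken from fuzzbench.

```python
# Added example, not fuzzbench code. Region layout assumed from the
# llvm-cov JSON export format:
# [LineStart, ColumnStart, LineEnd, ColumnEnd, ExecutionCount,
#  FileID, ExpandedFileID, Kind]; Kind 0 is a plain code region.
# The index constants below are this example's assumptions.
HIT_INDEX = 4
FILE_INDEX = 5
TYPE_INDEX = 7

# Constructed sample: foo and baz live in file 0, bar in file 1.
SAMPLE_FUNCTIONS = [
    {"name": "foo", "filenames": ["a.c"],
     "regions": [[3, 6, 3, 12, 1, 0, 0, 0],    # executed code region
                 [5, 1, 5, 9, 0, 0, 0, 0]]},   # never executed
    {"name": "bar", "filenames": ["b.c"],
     "regions": [[3, 6, 3, 12, 7, 1, 1, 0],    # same coords, other file
                 [3, 6, 3, 12, 7, 1, 1, 2]]},  # non-code kind, skipped
    {"name": "baz", "filenames": ["a.c"],
     "regions": [[3, 6, 3, 12, 2, 0, 0, 0]]},  # same coords AND same file as foo
]


def extract_covered_regions(functions_data):
    """Same filter as the loop in the question: executed, kind 0, hit count dropped."""
    covered = []
    for function_data in functions_data:
        for region in function_data["regions"]:
            if region[HIT_INDEX] != 0 and region[TYPE_INDEX] == 0:
                covered.append(region[:HIT_INDEX] + region[FILE_INDEX:])
    return covered


def unique_regions(functions_data):
    """Deduplicate on the kept key: coordinates + file ids + kind (assumed set semantics)."""
    return sorted({tuple(r) for r in extract_covered_regions(functions_data)})


def regions_by_key(functions_data):
    """Map each region key to the names of the functions that reported it."""
    owners = {}
    for function_data in functions_data:
        for region in function_data["regions"]:
            if region[HIT_INDEX] != 0 and region[TYPE_INDEX] == 0:
                key = tuple(region[:HIT_INDEX] + region[FILE_INDEX:])
                owners.setdefault(key, []).append(function_data["name"])
    return owners


if __name__ == "__main__":
    for key, names in regions_by_key(SAMPLE_FUNCTIONS).items():
        print(key, "<-", names)
```

Because the function name is not part of the kept key, two functions that report identical coordinates in the same file collapse to one region, while a different FileID keeps otherwise identical coordinates apart.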

> The above loop checks all covered regions in each function and constructs the code locations (starting and ending line/column, file id, etc.) that have been executed. I'd like to understand what actually happens when we have the exact same starting and ending lines/columns but from different functions.

This is a good question. I can inspect the data and try to figure this out on Monday.

> Also, I'd like to get some ideas on why fuzzbench uses region coverage as the primary coverage measurement. I notice Clang source-based coverage also offers branch coverage, which will perhaps give a more granular view. Are there any advantages of region coverage over branch coverage? Does fuzzbench also support branch coverage now?

I didn't know that it offers branch coverage. I guess we can switch. I thought region (which is sort of like a basic block) was what it offered.

jonathanmetzman · Jan 21 '22 20:01