
Print basic coverage

Open emk opened this issue 8 years ago • 3 comments

According to the tutorial, libfuzzer supports a -print_coverage=1 option to print out some basic coverage information.

This doesn't seem to work with cargo fuzz at the moment:

     Running `target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1 -artifact_prefix=artifacts/ -max_len=200 -dict=dictionary.txt -print_coverage=1 corpus`
Dictionary: 10 entries
INFO: Seed: 1877614280
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: corpus
#0	READ units: 108
#108	INITED cov: 1584 corp: 83/10958b exec/s: 0 rss: 29Mb
#8192	pulse  cov: 1584 corp: 83/10958b exec/s: 4096 rss: 82Mb
#16384	pulse  cov: 1584 corp: 83/10958b exec/s: 5461 rss: 133Mb
#32768	pulse  cov: 1584 corp: 83/10958b exec/s: 5461 rss: 232Mb
#65536	pulse  cov: 1584 corp: 83/10958b exec/s: 6553 rss: 414Mb
^C==22321== libFuzzer: run interrupted; exiting
INFO: __sanitizer_symbolize_pc or __sanitizer_get_module_and_offset_for_pc is not available, not printing coverage

I'm not sure if this is the right way to get coverage or not, but it would certainly be interesting to see if there are any big chunks of my code that haven't been hit. (It's been 120 million runs since I last saw a new basic block, so I think this run has plateaued, and it's worth manually checking coverage now.)

emk avatar Mar 05 '17 21:03 emk
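The plateau reasoning above (coverage stuck at one value for a long stretch of executions, RSS climbing all the while) is something you can check mechanically from libFuzzer's status lines. The following is an added example, not part of this issue or of cargo-fuzz itself; it assumes the standard libFuzzer `#N  EVENT cov: … corp: …/…b exec/s: … rss: …Mb` status format and uses the lines from the run posted above as its sample input.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: libFuzzer status lines taken from the run posted in this issue.
SAMPLE_LOG = """\
Dictionary: 10 entries
INFO: Seed: 1877614280
Loading corpus dir: corpus
#0\tREAD units: 108
#108\tINITED cov: 1584 corp: 83/10958b exec/s: 0 rss: 29Mb
#8192\tpulse  cov: 1584 corp: 83/10958b exec/s: 4096 rss: 82Mb
#16384\tpulse  cov: 1584 corp: 83/10958b exec/s: 5461 rss: 133Mb
#32768\tpulse  cov: 1584 corp: 83/10958b exec/s: 5461 rss: 232Mb
#65536\tpulse  cov: 1584 corp: 83/10958b exec/s: 6553 rss: 414Mb
^C==22321== libFuzzer: run interrupted; exiting
"""

# Matches the periodic status lines (INITED, pulse, NEW, REDUCE, ...).
# Lines without a "cov:" field, such as "#0 READ units: 108", are skipped.
STATUS_RE = re.compile(
    r"^#(?P<execs>\d+)\s+(?P<event>\w+)\s+cov:\s*(?P<cov>\d+)"
    r"\s+corp:\s*(?P<units>\d+)/(?P<bytes>\d+)b"
    r"\s+exec/s:\s*(?P<rate>\d+)\s+rss:\s*(?P<rss>\d+)Mb"
)


@dataclass
class Status:
    execs: int          # total executions so far
    event: str          # INITED, pulse, NEW, REDUCE, ...
    cov: int            # coverage counter reported by libFuzzer
    corpus_units: int   # number of corpus entries
    corpus_bytes: int   # total corpus size in bytes
    exec_rate: int      # executions per second
    rss_mb: int         # resident set size in MB


def parse_status_lines(text: str) -> List[Status]:
    """Extract the status lines from a libFuzzer log, in order."""
    statuses = []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            statuses.append(Status(
                int(m["execs"]), m["event"], int(m["cov"]),
                int(m["units"]), int(m["bytes"]),
                int(m["rate"]), int(m["rss"]),
            ))
    return statuses


def execs_since_last_gain(statuses: List[Status]) -> int:
    """Executions performed since coverage last increased.

    This is the "runs since I last saw a new basic block" figure: a large
    value relative to the execution rate means the fuzzer has stopped finding
    new edges and the corpus is worth inspecting manually.
    """
    if not statuses:
        return 0
    best_cov = statuses[0].cov
    last_gain_execs = statuses[0].execs
    for s in statuses[1:]:
        if s.cov > best_cov:
            best_cov = s.cov
            last_gain_execs = s.execs
    return statuses[-1].execs - last_gain_execs


def has_plateaued(statuses: List[Status], min_execs_without_gain: int) -> bool:
    """True once at least min_execs_without_gain runs passed with no new coverage."""
    return len(statuses) >= 2 and execs_since_last_gain(statuses) >= min_execs_without_gain


def rss_growth_mb(statuses: List[Status]) -> int:
    """RSS increase across the run; steady growth with flat coverage often points
    at the target leaking per execution rather than at coverage progress."""
    if len(statuses) < 2:
        return 0
    return statuses[-1].rss_mb - statuses[0].rss_mb


if __name__ == "__main__":
    st = parse_status_lines(SAMPLE_LOG)
    print(f"{len(st)} status lines, cov={st[-1].cov}, "
          f"{execs_since_last_gain(st)} execs since last gain, "
          f"rss +{rss_growth_mb(st)}MB")
```

Feed it a saved fuzzer log (`cargo fuzz run … 2>&1 | tee fuzz.log`) and pick a threshold that matches your execution rate; at the roughly 5,000 exec/s shown above, tens of millions of executions without a gain is a strong plateau signal, and a stuck `cov` counter together with a rising `rss` value are two separate things to investigate.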

Yup, coverage is stuck at 1584 for more than a half-billion runs. Either I've found everything, or cargo fuzz can't find its way into the remaining corners of the code without help.

It looks like the missing functions are invoked from here. It sounds like AddressSanitizer might supply these?

  // This function is a part of the sanitizer run-time.
  // To use it, link with AddressSanitizer or other sanitizer.
  __sanitizer_symbolize_pc(PC, "%p %F %L", PcDescr, sizeof(PcDescr));
  printf("guard: %p %x PC %s\n", guard, *guard, PcDescr);

emk avatar Mar 07 '17 12:03 emk

One reason coverage may not be increasing is that libfuzzer is expecting instruction profiler instrumentation (the equivalent of clang -fprofile-instr-generate). This requires explicit frontend support. Right now, even with the recent coverage PR merged, we do not have that in rustc.

Note: this is an educated guess.

whitequark avatar Jun 24 '17 10:06 whitequark

Yeah, pretty sure my comment above is correct. Pending changes in rustc this won't work.

whitequark avatar Oct 05 '17 08:10 whitequark