Coverage never reaches 100% #510
The reason is using initial guardNo=1 here honggfuzz/libhfuzz/instrument.c Line 259 in 348a472
IIRC it's required by clang instrumentation API (i.e. value > 0), otherwise it'll be skipped when calling back into honggfuzz instrumentation code. I believe the proper fix is to fix display.c and lower the displayed number of total edges by 1. E.g. even if there's no instrumentation, display.c still shows it as 1.
Easy fix would be: diff --git a/display.c b/display.c
index 54644acb..0c6506ad 100644
--- a/display.c
+++ b/display.c
@@ -415,7 +415,7 @@ void display_display(honggfuzz_t* hfuzz) {
uint64_t softCntPc = ATOMIC_GET(hfuzz->feedback.hwCnts.softCntPc);
uint64_t softCntEdge = ATOMIC_GET(hfuzz->feedback.hwCnts.softCntEdge);
uint64_t softCntCmp = ATOMIC_GET(hfuzz->feedback.hwCnts.softCntCmp);
- uint64_t guardNb = ATOMIC_GET(hfuzz->feedback.covFeedbackMap->guardNb);
+ uint64_t guardNb = ATOMIC_GET(hfuzz->feedback.covFeedbackMap->guardNb)-1;
display_put(" edge: " ESC_BOLD "%" _HF_NONMON_SEP PRIu64 ESC_RESET "/"
"%" _HF_NONMON_SEP PRIu64 " [%" PRId64 "%%]",
softCntEdge, guardNb, guardNb ? ((softCntEdge * 100) / guardNb) : 0); |
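Review bot: On the changed `guardNb` line, the `-1` is applied to an unsigned `uint64_t`, so if the stored counter is ever 0 the value wraps to UINT64_MAX and the `guardNb ? ... : 0` check in the `display_put` call below no longer catches it; the total would be shown as a huge number. Consider reading the counter into a local and subtracting only when it is non-zero. Also put spaces around the `-` to match the surrounding code, and add a one-line comment saying why the total is lowered by one, so the adjustment is not later removed as a stray off-by-one.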
After trying a simple LLVM persistent fuzzing example:
using this command to cover the edges (default is edge coverage):
$hfuzz-clang -g -fsanitize=address -fsanitize-coverage=edge edge.c -o edge
Honggfuzz output always shows
Coverage : edge: 4/5 [80%] pc: 0 cmp: 64
which is an edge more than expected, and it is never reached.
Also after trying to cover number of functions:
hfuzz-clang -g -fsanitize=address -fsanitize-coverage=func edge.c -o edge
output shows
Coverage : edge: 2/3 [66%] pc: 0 cmp: 64
After doing some simple search, I think the missing function here is the main() function used by LLVM to call the LLVMFuzzerTestOneInput() function.
Is there any way I can exclude this from coverage to reach 100%?
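The off-by-one discussed in this thread, as an added model that is not honggfuzz code: guard ids are handed out starting at 1 because a zero guard is skipped, so the counter that hands them out is always one higher than the number of real edges. All names are hypothetical, and the 4-edge target is constructed to match the `4/5 [80%]` line reported above.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Model only: names below are hypothetical, not honggfuzz's identifiers. */
#define MAX_GUARDS 64

static uint64_t next_guard = 1; /* ids start at 1; a guard of 0 means "skip" */
static uint8_t hit[MAX_GUARDS + 1];
static uint64_t edges_hit = 0;

/* Same signature as clang's __sanitizer_cov_trace_pc_guard_init callback. */
static void model_guard_init(uint32_t *start, uint32_t *stop) {
    for (uint32_t *g = start; g < stop && next_guard <= MAX_GUARDS; g++) {
        if (*g == 0) *g = (uint32_t)next_guard++;
    }
}

/* Same signature as __sanitizer_cov_trace_pc_guard: zero guards are ignored. */
static void model_trace(uint32_t *guard) {
    if (*guard == 0) return;
    if (!hit[*guard]) { hit[*guard] = 1; edges_hit++; }
}

/* Display as reported in the issue: the raw counter is used as the total. */
static uint64_t pct_raw(void) {
    return next_guard ? (edges_hit * 100) / next_guard : 0;
}

/* Corrected total: drop the reserved id, clamped so it cannot wrap below 0. */
static uint64_t total_edges(void) {
    return next_guard > 0 ? next_guard - 1 : 0;
}

static uint64_t pct_fixed(void) {
    uint64_t total = total_edges();
    return total ? (edges_hit * 100) / total : 0;
}

/* Constructed input: a target with 4 instrumented edges, all executed. */
static void run_model(void) {
    static uint32_t guards[4];
    model_guard_init(guards, guards + 4);
    for (int i = 0; i < 4; i++) model_trace(&guards[i]);
}

int main(void) {
    run_model();
    printf("raw:   %" PRIu64 "/%" PRIu64 " [%" PRIu64 "%%]\n", edges_hit, next_guard, pct_raw());
    printf("fixed: %" PRIu64 "/%" PRIu64 " [%" PRIu64 "%%]\n", edges_hit, total_edges(), pct_fixed());
    return 0;
}
```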