
Coverage never reaches 100% #510

Open
AntwanEmil opened this issue Feb 22, 2024 · 2 comments

Comments

@AntwanEmil

After trying a simple LLVM persistent fuzzing example:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <inttypes.h>

/* Helper with one conditional branch, so the binary has a handful of edges. */
int func2(size_t len){
        int i=0;
        if(len>0){
                i = 5;
        }
        return 1;
}

/* Persistent-mode entry point called by the fuzzer for every input. */
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len){
        int i=func2(len);
        return 0;
}

using this command to cover the edges (default is edge coverage):
$ hfuzz-clang -g -fsanitize=address -fsanitize-coverage=edge edge.c -o edge

Honggfuzz output always shows Coverage : edge: 4/5 [80%] pc: 0 cmp: 64,
which is one edge more than expected, and it is never reached.

Also, after trying to cover the number of functions:
$ hfuzz-clang -g -fsanitize=address -fsanitize-coverage=func edge.c -o edge
the output shows Coverage : edge: 2/3 [66%] pc: 0 cmp: 64


After doing a simple search, I think the missing function here is the main() function used by LLVM to call the LLVMFuzzerTestOneInput() function.
Is there any way I can exclude this from coverage to reach 100%?

@robertswiecki
Collaborator

The reason is the initial guardNo=1 used here:

static size_t guardCnt = 1;

IIRC it's required by the clang instrumentation API (i.e. value > 0), otherwise it'll be skipped when calling back into the honggfuzz instrumentation code.

I believe the proper fix is to fix display.c and lower the displayed number of total edges by 1. E.g. even if there's no instrumentation, display.c still shows it as 1:

$ gcc edge.c -o edge ~/src/honggfuzz/libhfuzz/libhfuzz.a ~/src/honggfuzz/libhfcommon/libhfcommon.a
------------------------[  0 days 00 hrs 03 mins 25 secs ]----------------------
  Iterations : 11,423,715 [11.42M]
  Mode [3/3] : Feedback Driven Mode
      Target : ./edge
     Threads : 1, CPUs: 12, CPU%: 82% [6%/CPU]
       Speed : 53,637/sec [avg: 55,725]
     Crashes : 0 [unique: 0, blocklist: 0, verified: 0]
    Timeouts : 0 [1 sec]
 Corpus Size : 1, max: 8,192 bytes, init: 3 files
  Cov Update : 0 days 00 hrs 03 mins 25 secs ago
    Coverage : edge: 0/1 [0%] pc: 0 cmp: 0
---------------------------------- [ LOGS ] ------------------/ honggfuzz 2.6 /-
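As an added illustration of the guard numbering discussed in the comment above (this is example code written for this thread, not honggfuzz's libhfuzz or display.c), here is a stand-alone C model of clang's trace-pc-guard callback protocol: the init callback hands out guard ids starting at 1, a guard holding 0 is treated as "not instrumented" and never counted, and the display helper reports the edge total as guardCnt - 1 while refusing to underflow when nothing was instrumented. The two `__sanitizer_cov_*` names are the real LLVM SanitizerCoverage entry points, but they are called by hand here on a constructed guard array instead of by compiler-inserted code; the `MAX_GUARDS` table size, the helper names (`display_total_edges`, `display_edge_percent`, `coverage_reset`, `run_scenario`) and the four-edge module are assumptions of the example.

```c
/* Added example, not honggfuzz code: minimal model of the trace-pc-guard
 * protocol plus a display helper that excludes the reserved guard slot. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>

#define MAX_GUARDS 1024            /* hit-table size: an assumption of this example */

/* Guard ids start at 1, as in honggfuzz: the compiler emits
 * "if (*guard) __sanitizer_cov_trace_pc_guard(guard)", so id 0 is never reported. */
static uint32_t guardCnt = 1;      /* next id to hand out; 0 stays reserved */
static uint8_t  edgeHit[MAX_GUARDS];
static uint64_t softCntEdge = 0;   /* distinct edges seen so far */

/* Normally run by a module constructor the compiler inserts per DSO;
 * called by hand here on a constructed guard array. */
void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
    if (start == stop || *start != 0) return;        /* empty, or already numbered */
    for (uint32_t *g = start; g < stop && guardCnt < MAX_GUARDS; g++)
        *g = guardCnt++;
}

/* Normally inserted by the compiler on every control-flow edge. */
void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
    uint32_t id = *guard;
    if (id == 0 || id >= MAX_GUARDS) return;         /* reserved slot or out of range */
    if (!edgeHit[id]) {
        edgeHit[id] = 1;
        softCntEdge++;
    }
    *guard = 0;  /* zeroing the guard disables later callbacks for this edge (allowed by the API) */
}

/* Ids run 1..guardCnt-1, so the instrumented total is guardCnt-1;
 * the comparison avoids an unsigned underflow when nothing was instrumented. */
uint64_t display_total_edges(void) {
    return guardCnt > 1 ? (uint64_t)(guardCnt - 1) : 0;
}

uint64_t display_covered_edges(void) { return softCntEdge; }

/* Percentage the way display.c computes it, with the corrected denominator. */
int64_t display_edge_percent(void) {
    uint64_t total = display_total_edges();
    return total ? (int64_t)((softCntEdge * 100) / total) : 0;
}

void coverage_reset(void) {
    guardCnt = 1;
    softCntEdge = 0;
    memset(edgeHit, 0, sizeof edgeHit);
}

/* Constructed scenario: a module with four edges, of which the harness exercises two. */
int run_scenario(void) {
    coverage_reset();
    uint32_t guards[4] = {0, 0, 0, 0};  /* stand-in for the __sancov_guards section */
    __sanitizer_cov_trace_pc_guard_init(guards, guards + 4);   /* ids 1..4, guardCnt == 5 */
    __sanitizer_cov_trace_pc_guard(&guards[0]);                /* edge 1 hit */
    __sanitizer_cov_trace_pc_guard(&guards[2]);                /* edge 3 hit */
    __sanitizer_cov_trace_pc_guard(&guards[0]);                /* guard is 0 now: ignored */
    printf("Coverage : edge: %" PRIu64 "/%" PRIu64 " [%" PRId64 "%%]\n",
           display_covered_edges(), display_total_edges(), display_edge_percent());
    return (int)display_edge_percent();
}

int main(void) {
    run_scenario();   /* prints "Coverage : edge: 2/4 [50%]" */
    return 0;
}
```

With the raw guardCnt in the denominator the same scenario would print 2/5 [40%], which is exactly the one-edge-too-many symptom reported above.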

@AntwanEmil
Author

An easy fix would be:

diff --git a/display.c b/display.c
index 54644acb..0c6506ad 100644
--- a/display.c
+++ b/display.c
@@ -415,7 +415,7 @@ void display_display(honggfuzz_t* hfuzz) {
         uint64_t softCntPc   = ATOMIC_GET(hfuzz->feedback.hwCnts.softCntPc);
         uint64_t softCntEdge = ATOMIC_GET(hfuzz->feedback.hwCnts.softCntEdge);
         uint64_t softCntCmp  = ATOMIC_GET(hfuzz->feedback.hwCnts.softCntCmp);
-        uint64_t guardNb     = ATOMIC_GET(hfuzz->feedback.covFeedbackMap->guardNb);
+        uint64_t guardNb     = ATOMIC_GET(hfuzz->feedback.covFeedbackMap->guardNb)-1;
         display_put(" edge: " ESC_BOLD "%" _HF_NONMON_SEP PRIu64 ESC_RESET "/"
                     "%" _HF_NONMON_SEP PRIu64 " [%" PRId64 "%%]",
             softCntEdge, guardNb, guardNb ? ((softCntEdge * 100) / guardNb) : 0);
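Review bot: the unconditional `-1` on the new `uint64_t guardNb = ATOMIC_GET(hfuzz->feedback.covFeedbackMap->guardNb)-1;` line wraps to UINT64_MAX if `guardNb` is ever 0 (for example before the coverage map has been populated), since the variable is unsigned; the display would then read an absurd total and the existing `guardNb ? ... : 0` check on the last line no longer protects the division because the value is non-zero. Suggest keeping the read as it was and decrementing only when positive, e.g. `if (guardNb) guardNb--;` (or `guardNb = guardNb > 0 ? guardNb - 1 : 0;`), with a one-line comment that guard id 0 is reserved because the instrumentation numbering starts at 1, so the bare `-1` does not look like a magic number to the next reader.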
