[Development] Submitting Qt to oss-fuzz
Robert Löhning
robert.loehning at qt.io
Wed Sep 5 13:08:50 CEST 2018
On 05.09.2018 at 12:40, Peter Hartmann wrote:
> Hello Robert,
>
> On 04.09.2018 14:03, Robert Löhning wrote:
>> I saw your post and it helped me get started. Thanks for that!
>
> cool, thanks for the feedback!
>
>>
>> By the way: In step 1 you use
>> -fsanitize-coverage=edge
>> whereas I followed LLVM's example [1] and used
>> -fsanitize-coverage=trace-pc-guard
>>
>> Unfortunately the documentation seems to be a bit scarce. Could you
>> please tell me briefly about the advantages of either one?
>>
>> I guess I should include "edge" to [2], shouldn't I? Instead of
>> hacking the mkspec you could then just use
>> <src>/configure -sanitize address -coverage edge <further params>
>
> The "-fsanitize-coverage=edge" just comes from an older clang version
> when there was no trace-pc-guard. Nowadays "trace-pc-guard" without
> other args implies "edge", so the latter can be ignored when configuring
> with address sanitizer.
>
> IIUC edge just provided information on whether a piece of code was
> executed or not, while trace-pc-guard provides a callback which allows
> for more fine-grained coverage information; the callback itself is then
> implemented in libFuzzer.
>
> What might be interesting to look at is "-fsanitize-coverage=trace-cmp"
> though...
Definitely interesting, but will it be useful for fuzzing? If I get this
right, it will record all different values at comparisons. So, if we
take a simple example:
if (x == 0)
    foo();
else
    bar();
Then all values of x will be considered different. For fuzzing, though,
only the two cases x == 0 and x != 0 will matter.
Am I missing something here?
Cheers,
Robert
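The exchange above turns on what the three instrumentation modes actually hand to libFuzzer: edge coverage (trace-pc-guard, via the __sanitizer_cov_trace_pc_guard callback) only says whether a branch was taken, whereas trace-cmp makes the compiler emit __sanitizer_cov_trace_cmp4 and friends at every integer comparison, so the fuzzer also learns the operands being compared. The following is an added example, not code from the thread or from Qt: a libFuzzer-style harness whose target function is constructed here, with the hypothetical 32-bit tag 0x5EC0DE42, plus a deliberately simplified model (apply_cmp_hint) of how libFuzzer uses a recorded comparison operand by inserting it into the input and keeping the mutation if it opens a new path. It illustrates both sides of the discussion: for "x == 0" the hint adds nothing beyond what random inputs already reach, while for "tag == MAGIC" it is the difference between finding the path and never finding it.

```c
/*
 * Added example (not Qt code): libFuzzer harness plus a toy model of
 * how a trace-cmp operand is used. The target and MAGIC are constructed.
 *
 * Real fuzz target (clang >= 6; -fsanitize=fuzzer enables the coverage
 * instrumentation libFuzzer needs, including trace-cmp):
 *   clang -g -O1 -fsanitize=fuzzer,address -DUSE_LIBFUZZER harness.c -o harness
 * Plain build for the stand-alone demo in main():
 *   cc -O1 harness.c -o harness-demo
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum path { PATH_SHORT = 0, PATH_ZERO, PATH_NONZERO, PATH_MAGIC };
#define MAGIC 0x5EC0DE42u   /* constructed 32-bit tag the target checks for */

/* Target under test, with two comparisons of very different fuzzing value:
 *  - x == 0: as Robert says, only "zero or not" matters; random 4-byte
 *    values already take both branches, so a CMP hint of 0 adds nothing.
 *  - tag == MAGIC: edge coverage alone sees one never-taken edge and has
 *    no way to steer towards a 1-in-2^32 value; trace-cmp reports the
 *    operand MAGIC, which the fuzzer can then insert into the input. */
int classify(const uint8_t *data, size_t size)
{
    uint32_t x, tag;
    if (size < 8)
        return PATH_SHORT;
    memcpy(&x, data, 4);
    memcpy(&tag, data + 4, 4);
    if (x == 0)
        return PATH_ZERO;
    if (tag == MAGIC)
        return PATH_MAGIC;
    return PATH_NONZERO;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (classify(data, size) == PATH_MAGIC)
        __builtin_trap();   /* the "bug" the fuzzer is supposed to reach */
    return 0;
}

/* Simplified model of what libFuzzer does with a recorded comparison
 * operand: try `observed` at every 4-byte-aligned offset (host byte
 * order, as the callback sees it) and keep the mutation if it reaches
 * `want`. Returns the offset that unlocked the path, or -1 if none did. */
long apply_cmp_hint(uint32_t observed, uint8_t *buf, size_t size, int want)
{
    for (size_t off = 0; off + 4 <= size; off += 4) {
        uint8_t saved[4];
        memcpy(saved, buf + off, 4);
        memcpy(buf + off, &observed, 4);
        if (classify(buf, size) == want)
            return (long)off;
        memcpy(buf + off, saved, 4);   /* not the path we wanted: undo */
    }
    return -1;
}

#ifndef USE_LIBFUZZER
int main(void)
{
    /* constructed seed: x != 0 and tag != MAGIC, so PATH_NONZERO */
    uint8_t in[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    printf("seed path: %d\n", classify(in, sizeof in));
    long off = apply_cmp_hint(MAGIC, in, sizeof in, PATH_MAGIC);
    printf("MAGIC inserted at offset %ld, path now %d\n",
           off, classify(in, sizeof in));
    return 0;
}
#endif
```

Under -fsanitize=fuzzer the real mechanism is libFuzzer's table of recent compares fed by the __sanitizer_cov_trace_cmp* callbacks; the model above only shows why the operand, not just the edge, is what makes the MAGIC branch reachable. The -coverage option in Qt's configure and the mkspec tweak discussed in the thread are build plumbing around exactly these clang flags.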