servo/tendril

Measure code coverage during fuzzing

kmcallister opened this issue · 3 comments

Measure the code paths & conditions that occur. Don't stop a fuzzing run until we've hit a quota for each.

I would like to give this a poke by porting the existing fuzzer to cargo-fuzz. The idea is to do this in the following steps:

* [ ]  move existing code into a `fuzz` directory (under `src`?) and wrap in cargo-fuzz `fuzz-target`

* [ ]  expand existing code to include functions that are not covered. A quick glance shows me [only 8 match different cases](https://github.com/servo/tendril/blob/master/examples/fuzz.rs#L35) whereas cargo-geiger tells me there are 22 methods using unsafe.

* [ ]  (optional) split existing code into separate fuzzing targets, so we can fuzz functions individually

Makes sense?

@kmcallister @SimonSapin Any kind of feedback would be appreciated :-)
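As an added illustration of the two ideas above (the issue's "don't stop until every path has hit a quota" and the plan's point that only some match arms are exercised), here is a byte-driven harness in the shape of tendril's `examples/fuzz.rs` that counts hits per match arm and keeps consuming inputs until each arm has met a quota. This is not code from tendril or from the cargo-fuzz port being discussed: the operations act on a plain `String` stand-in rather than the real `Tendril` type, and the op set, encoding and quota logic are assumptions chosen for the example.

```rust
use std::collections::HashMap;

// Buffer operations in the style tendril's fuzzer drives; applied to a
// String stand-in here (assumption), not to the real Tendril type.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Op { PushSlice, PopFront, PopBack, Subtendril, Clear }

impl Op {
    pub const ALL: [Op; 5] = [Op::PushSlice, Op::PopFront, Op::PopBack, Op::Subtendril, Op::Clear];
    fn from_byte(b: u8) -> Op { Op::ALL[(b % 5) as usize] }
}

/// Per-arm hit counts: the coverage signal the issue asks to measure.
#[derive(Default, Debug)]
pub struct Coverage { pub hits: HashMap<Op, usize> }

impl Coverage {
    pub fn hit(&mut self, op: Op) { *self.hits.entry(op).or_insert(0) += 1; }
    pub fn count(&self, op: Op) -> usize { self.hits.get(&op).copied().unwrap_or(0) }
    /// True once every arm has been exercised at least `quota` times.
    pub fn quota_met(&self, quota: usize) -> bool { Op::ALL.iter().all(|&op| self.count(op) >= quota) }
}

/// One fuzz iteration: read `data` as (opcode, argument) byte pairs, apply
/// each operation, and record which match arm was taken.
pub fn run_case(data: &[u8], cov: &mut Coverage) -> String {
    let mut buf = String::new();
    for pair in data.chunks(2) {
        let (op, arg) = (Op::from_byte(pair[0]), *pair.get(1).unwrap_or(&0) as usize);
        cov.hit(op);
        let n = arg.min(buf.len()); // clamp so every arm is reachable on any input
        match op {
            Op::PushSlice => buf.push_str(&"abc"[..arg % 4]),
            Op::PopFront => { buf.drain(..n); }
            Op::PopBack => buf.truncate(buf.len() - n),
            Op::Subtendril => buf.truncate(n), // stands in for subtendril(0, n)
            Op::Clear => buf.clear(),
        }
    }
    buf
}

/// Keep consuming inputs until every arm has met `quota` or the corpus runs
/// out; returns the coverage seen and how many inputs were needed.
pub fn fuzz_until_quota<'a>(corpus: impl Iterator<Item = &'a [u8]>, quota: usize) -> (Coverage, usize) {
    let mut cov = Coverage::default();
    let mut runs = 0;
    for input in corpus {
        run_case(input, &mut cov);
        runs += 1;
        if cov.quota_met(quota) { break; }
    }
    (cov, runs)
}
```

Under cargo-fuzz the body of `run_case` would sit inside a `fuzz_target!` and the quota check would decide when to stop the campaign rather than when to stop iterating a fixed corpus.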

jdm commented

@mozfreddyb That plan sounds fine.