Measure code coverage during fuzzing
kmcallister opened this issue · 3 comments
kmcallister commented
Measure the code paths & conditions that occur. Don't stop a fuzzing run until we've hit a quota for each.
mozfreddyb commented
I would like to give this a poke by porting the existing fuzzer to cargo-fuzz. The idea is to do this in the following steps:
* [ ] move existing code into a `fuzz` directory (under `src`?) and wrap in cargo-fuzz `fuzz_target`
* [ ] expand existing code to include functions that are not covered. A quick glance shows me [only 8 different match cases](https://github.com/servo/tendril/blob/master/examples/fuzz.rs#L35) whereas cargo-geiger tells me there are 22 methods using unsafe.
* [ ] (optional) split existing code into separate fuzzing targets, so we can fuzz functions individually
Makes sense?
@kmcallister @SimonSapin Any kind of feedback would be appreciated :-)
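An added example, not code from the servo/tendril repository nor from a cargo-fuzz template, showing the shape the ported harness and the coverage quota from the first comment could take: a `fuzz_one(data)` body that decodes the fuzzer's bytes into operations, applies each to the buffer under test and to a plain `Vec<u8>` reference model, and records which dispatch arm ran, so a run can keep going until every arm has met a hit quota. `Buf`, `Arm`, `Coverage`, `fuzz_one` and `run_until_quota` are assumed names; `Buf` is a stand-in with an (offset, len) window over a backing store, used here instead of calls into the tendril crate so the block compiles on its own.

```rust
use std::collections::BTreeMap;

/// One dispatch arm of the harness: an operation the fuzzer can drive.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Arm { PushSlice, PopFront, PopBack, Sub, Clear, Compare }

pub const ARMS: [Arm; 6] = [Arm::PushSlice, Arm::PopFront, Arm::PopBack, Arm::Sub, Arm::Clear, Arm::Compare];

/// Hit counts per arm, accumulated across every input the harness sees.
#[derive(Debug, Default)]
pub struct Coverage { hits: BTreeMap<Arm, u64> }

impl Coverage {
    pub fn record(&mut self, arm: Arm) { *self.hits.entry(arm).or_insert(0) += 1; }
    pub fn count(&self, arm: Arm) -> u64 { self.hits.get(&arm).copied().unwrap_or(0) }
    /// Arms still short of `quota` hits; the run should not stop while this is non-empty.
    pub fn below_quota(&self, quota: u64) -> Vec<Arm> {
        ARMS.iter().copied().filter(|&a| self.count(a) < quota).collect()
    }
}

/// Stand-in for the buffer type under test (assumption: a real harness would call
/// tendril here). A backing store viewed through an (offset, len) window, so
/// sub-slicing and popping move the window instead of copying bytes.
#[derive(Clone, Debug, Default)]
pub struct Buf { store: Vec<u8>, off: usize, len: usize }

impl Buf {
    pub fn as_slice(&self) -> &[u8] { &self.store[self.off..self.off + self.len] }
    pub fn push_slice(&mut self, s: &[u8]) {
        let mut kept = self.as_slice().to_vec(); // drop bytes outside the window
        kept.extend_from_slice(s);
        self.off = 0; self.len = kept.len(); self.store = kept;
    }
    pub fn pop_front(&mut self, n: usize) { let n = n.min(self.len); self.off += n; self.len -= n; }
    pub fn pop_back(&mut self, n: usize) { self.len -= n.min(self.len); }
    /// Sub-window of `len` bytes starting at `off`, or None when out of range.
    pub fn sub(&self, off: usize, len: usize) -> Option<Buf> {
        if off.checked_add(len)? > self.len { return None; }
        Some(Buf { store: self.store.clone(), off: self.off + off, len })
    }
}

/// Next operand byte, or 0 once the input is exhausted (never advances past the end).
fn byte(data: &[u8], i: &mut usize) -> usize {
    match data.get(*i) { Some(&b) => { *i += 1; b as usize } None => 0 }
}

/// Body of one fuzz iteration: decode `data` into operations, apply each to the
/// buffer under test and to a `Vec<u8>` reference model, record the arm taken,
/// and panic (as a fuzz target would) whenever the two disagree.
pub fn fuzz_one(data: &[u8], cov: &mut Coverage) {
    let (mut sut, mut model) = (Buf::default(), Vec::<u8>::new());
    let mut i = 0;
    while i < data.len() {
        let tag = byte(data, &mut i);
        match tag % 6 {
            0 => { // push up to 8 bytes taken from the input itself
                let n = (byte(data, &mut i) % 8).min(data.len() - i);
                let s = &data[i..i + n]; i += n;
                sut.push_slice(s); model.extend_from_slice(s); cov.record(Arm::PushSlice);
            }
            1 => { let n = byte(data, &mut i); sut.pop_front(n);
                   let n = n.min(model.len()); model.drain(..n); cov.record(Arm::PopFront); }
            2 => { let n = byte(data, &mut i); sut.pop_back(n);
                   let n = n.min(model.len()); model.truncate(model.len() - n); cov.record(Arm::PopBack); }
            3 => { // raw operands, so this arm also exercises the out-of-range path
                let (off, len) = (byte(data, &mut i), byte(data, &mut i));
                let expect = if off + len <= model.len() { Some(model[off..off + len].to_vec()) } else { None };
                let got = sut.sub(off, len).map(|b| b.as_slice().to_vec());
                assert_eq!(got, expect, "sub({}, {}) disagrees with model", off, len);
                cov.record(Arm::Sub);
            }
            4 => { sut = Buf::default(); model.clear(); cov.record(Arm::Clear); }
            _ => { assert_eq!(sut.as_slice(), &model[..], "buffer diverged from model"); cov.record(Arm::Compare); }
        }
    }
}

/// Drive `fuzz_one` with inputs from a small xorshift generator until every arm has
/// at least `quota` hits. Returns how many inputs that took, or None if `max_inputs`
/// were consumed first (the signal that some arm is unreachable from the decoder).
pub fn run_until_quota(quota: u64, mut seed: u64, max_inputs: usize) -> Option<(usize, Coverage)> {
    let mut cov = Coverage::default();
    let mut next = move || { seed ^= seed << 13; seed ^= seed >> 7; seed ^= seed << 17; seed };
    for n in 1..=max_inputs {
        let input: Vec<u8> = (0..(1 + next() % 32)).map(|_| next() as u8).collect();
        fuzz_one(&input, &mut cov);
        if cov.below_quota(quota).is_empty() { return Some((n, cov)); }
    }
    None
}

fn main() {
    match run_until_quota(50, 0x9E37_79B9_7F4A_7C15, 100_000) {
        Some((n, cov)) => println!("quota met after {} inputs: {:?}", n, cov),
        None => println!("some arm never reached quota"),
    }
}
```

Under cargo-fuzz the `run_until_quota` driver goes away and `fuzz_one` becomes the body of `fuzz_target!(|data: &[u8]| { ... })`, with libFuzzer supplying `data`; the per-arm counters are what tells you whether the input decoder can actually reach each method, which is the gap between the 8 match cases and the 22 unsafe methods mentioned above.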
jdm commented
@mozfreddyb That plan sounds fine.