CountersTracker provides a flexible API for mapping program state to coverage counters, enabling incremental progress feedback to libFuzzer.

Key features:
- ensureCountersAllocated(id, numCounters): allocate counter range
- setCounter/setCounterRange: set counter values by ID and offset
- Thread-safe allocation via ConcurrentHashMap
- Separate memory region from main coverage map

This lays the foundation for the maximize() hill-climbing API.
Add Jazzer.maximize(value, id, minValue, maxValue) for guiding the fuzzer to maximize a value over time. For each observed value v in [minValue, maxValue], sets counters [0, v-minValue] to signal progress.

Features:
- Enables corpus minimization (only max-value input retained)
- Convenience overload without explicit ID (uses instrumentation hook)
- Delegates to CountersTracker for counter management
- No state in Jazzer.java - all managed by CountersTracker
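To make the counter scheme from the two commit messages above concrete, here is an added, stand-alone Java model of it. It is not Jazzer's CountersTracker or Jazzer.maximize; the class names ToyCountersTracker and ToyMaximize, the fixed-size byte array standing in for the separate counter region, and the inclusive interpretation of "counters [0, v-minValue]" are assumptions made for the illustration. The point it shows is why a higher observed value is a strictly new coverage signal (it turns on counters no lower value touched) and why the corpus can later be minimized to the single best input (its counter set is a superset of every other input's).

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical, simplified stand-in for a counters tracker: a byte region
// separate from the regular coverage map, carved into per-ID ranges.
final class ToyCountersTracker {
    private final byte[] counters;                      // separate memory region (assumption: plain array)
    private final Map<String, Integer> baseById = new ConcurrentHashMap<>();
    private final AtomicInteger nextFree = new AtomicInteger(0);

    ToyCountersTracker(int capacity) { counters = new byte[capacity]; }

    // Allocate a contiguous range of numCounters for id exactly once.
    // computeIfAbsent keeps the per-ID allocation thread-safe; the AtomicInteger keeps the bump pointer safe.
    int ensureCountersAllocated(String id, int numCounters) {
        return baseById.computeIfAbsent(id, k -> {
            int base = nextFree.getAndAdd(numCounters);
            if (base + numCounters > counters.length) throw new IllegalStateException("counter region exhausted");
            return base;
        });
    }

    void setCounter(String id, int offset, byte value) { counters[baseById.get(id) + offset] = value; }

    void setCounterRange(String id, int fromInclusive, int toExclusive, byte value) {
        int base = baseById.get(id);
        for (int i = fromInclusive; i < toExclusive; i++) counters[base + i] = value;
    }

    // Number of non-zero counters in the ID's range: the "features" libFuzzer would see for this run.
    int countNonZero(String id, int numCounters) {
        int base = baseById.get(id), n = 0;
        for (int i = 0; i < numCounters; i++) if (counters[base + i] != 0) n++;
        return n;
    }

    void clear() { java.util.Arrays.fill(counters, (byte) 0); } // libFuzzer zeroes counters between runs
}

final class ToyMaximize {
    // Hypothetical model of maximize(value, id, minValue, maxValue):
    // counters [0, v - minValue] (inclusive, by assumption) are set for the observed value v.
    static int maximize(ToyCountersTracker t, long value, String id, long minValue, long maxValue) {
        int numCounters = (int) (maxValue - minValue + 1);
        t.ensureCountersAllocated(id, numCounters);
        long v = Math.max(minValue, Math.min(maxValue, value));   // clamp out-of-range observations
        t.setCounterRange(id, 0, (int) (v - minValue) + 1, (byte) 1);
        return t.countNonZero(id, numCounters);
    }

    public static void main(String[] args) {
        ToyCountersTracker tracker = new ToyCountersTracker(1024);
        String id = "temperature";  // constructed ID for the example
        long[] observed = {3, 7, 5, 10};  // constructed sequence of values seen across fuzzer runs
        int bestSoFar = 0;
        for (long v : observed) {
            tracker.clear();  // each fuzzer run starts from zeroed counters
            int features = maximize(tracker, v, id, 0, 10);
            // A run is "interesting" to libFuzzer only if it lights up a counter never seen before,
            // which happens exactly when v exceeds every earlier value.
            boolean newFeatures = features > bestSoFar;
            bestSoFar = Math.max(bestSoFar, features);
            System.out.printf("value=%d counters set=%d interesting=%b%n", v, features, newFeatures);
        }
    }
}
```

Running main prints that 3 and 7 are interesting, 5 is not (its counters are a subset of those set by 7), and 10 is. Because the counter set for the maximum value contains every other input's counters, a corpus minimization pass keeps only that one input.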
Example shows how maximize() helps fuzz a chaotic feedback system where standard coverage provides no guidance. The fuzzer is guided to increase "temperature" through complex state-dependent logic.
Replace the tracePcIndir-based value profiling approach with dedicated coverage counters via CountersTracker. This removes the dependency on -use_value_profile=1 and tracks all 256 byte values (up from 128) by mapping each to a unique (counter, bucket) pair across 32 counters.
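The mapping this commit message describes, all 256 byte values onto distinct (counter, bucket) pairs across 32 counters, relies on libFuzzer splitting each 8-bit counter into 8 feature buckets. The following is an added, stand-alone Java illustration of that arithmetic and a self-check that the mapping is injective; it is not Jazzer's implementation. The class name ByteValueFeatures is made up for the example, and BUCKET_MIN encodes libFuzzer's counter-to-bucket thresholds (1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128-255) as known from FuzzerTracePC; treat the exact way Jazzer chooses counter and bucket as an assumption.

```java
import java.util.BitSet;

// Hypothetical model of value profiling with dedicated counters (not Jazzer's code).
// 32 counters x 8 libFuzzer buckets = 256 distinguishable byte values, with no
// -use_value_profile=1 needed because ordinary edge-counter feedback suffices.
final class ByteValueFeatures {
    static final int NUM_COUNTERS = 32;
    static final int BUCKETS_PER_COUNTER = 8;
    // Smallest counter value falling into each of libFuzzer's 8 buckets.
    static final int[] BUCKET_MIN = {1, 2, 3, 4, 8, 16, 32, 128};

    private final byte[] counters = new byte[NUM_COUNTERS];

    static int counterIndex(int byteValue) { return (byteValue & 0xFF) / BUCKETS_PER_COUNTER; }
    static int bucket(int byteValue)       { return (byteValue & 0xFF) % BUCKETS_PER_COUNTER; }

    // Record one observed byte value by writing a counter value that lands in the chosen bucket.
    // Simplification: a later observation sharing the same counter overwrites the earlier one.
    void observe(byte value) {
        counters[counterIndex(value)] = (byte) BUCKET_MIN[bucket(value)];
    }

    // Mirrors how libFuzzer reduces an 8-bit counter to a bucket index (CounterToFeature).
    static int bucketOfCounter(int counter) {
        int c = counter & 0xFF;
        if (c >= 128) return 7;
        if (c >= 32)  return 6;
        if (c >= 16)  return 5;
        if (c >= 8)   return 4;
        if (c >= 4)   return 3;
        if (c >= 3)   return 2;
        if (c >= 2)   return 1;
        return c == 1 ? 0 : -1;  // 0 means "no feature"
    }

    // The feature id libFuzzer would derive for counter i in this run, or -1 if the counter is zero.
    int featureOfCounter(int i) {
        int b = bucketOfCounter(counters[i]);
        return b < 0 ? -1 : i * BUCKETS_PER_COUNTER + b;
    }

    // Self-check: every byte value must map to a distinct feature id.
    static boolean mappingIsInjective() {
        BitSet seen = new BitSet(NUM_COUNTERS * BUCKETS_PER_COUNTER);
        for (int v = 0; v < 256; v++) {
            ByteValueFeatures f = new ByteValueFeatures();
            f.observe((byte) v);
            int feature = f.featureOfCounter(counterIndex(v));
            if (feature < 0 || seen.get(feature)) return false;
            seen.set(feature);
        }
        return seen.cardinality() == 256;
    }

    public static void main(String[] args) {
        System.out.println("all 256 byte values distinguishable: " + mappingIsInjective());
        int v = 0xC3;  // constructed sample value
        System.out.printf("0x%02X -> counter %d, bucket %d (counter value %d)%n",
                v, counterIndex(v), bucket(v), BUCKET_MIN[bucket(v)]);
    }
}
```

The self-check prints true: each byte value yields a unique (counter, bucket) pair, so libFuzzer sees a new feature the first time any byte value is observed, which is the full 256-value coverage the commit message claims over the previous 128.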
This PR is based on #1036. Thus, it should be reviewed after merging that PR and rebasing on main.