Closed Chan9Yan9 closed 1 year ago
It's the second argument of __sanitizer_cov_trace_state() that matters.
In practice, we use continuous numbers as state indicators, i.e., 1, 2, 3, ....
For example:

```
state 1
-- pci_dma_read()
-- __sanitizer_cov_trace_state(0, 1);
state 2
-- pci_dma_read()
-- __sanitizer_cov_trace_state(0, 2);
```
The instrumented xhci is here.
libFuzzer part is here.
thx!
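The two-state sketch above, worked through as an added example (not code from ViDeZZo or its instrumented xhci): a toy DMA-driven device model whose handler is annotated with `__sanitizer_cov_trace_state(0, n)` at each state, plus a stand-in for the runtime hook that records which state numbers were reached. The device (`toy_dev`, `toy_dev_handle_cmd`), the hook body and the `state_was_seen` / `count_states_seen` helpers are all assumptions made for this illustration; only the hook name and the convention that the second argument carries a running state number 1, 2, 3, ... come from the comment above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the fuzzer runtime's hook (hypothetical; the real one lives in
 * the ViDeZZo/libFuzzer side). It keeps a tiny "state coverage" bitmap: each
 * distinct state number seen is one bit of feedback for the fuzzer. */
#define MAX_STATES 64
static uint8_t state_bitmap[MAX_STATES];

void __sanitizer_cov_trace_state(uint32_t id, uint32_t state) {
    (void)id;                      /* first argument is not used, as in the comment */
    if (state < MAX_STATES)
        state_bitmap[state] = 1;
}

void reset_state_coverage(void) {
    memset(state_bitmap, 0, sizeof state_bitmap);
}

int state_was_seen(uint32_t state) {
    return state < MAX_STATES && state_bitmap[state];
}

size_t count_states_seen(void) {
    size_t n = 0;
    for (size_t i = 0; i < MAX_STATES; i++)
        n += state_bitmap[i];
    return n;
}

/* Hypothetical device model: a controller that fetches a command descriptor,
 * then its data buffer, and for write commands DMAs a result back. */
typedef struct {
    uint32_t cmd;
    int dma_reads;
    int dma_writes;
} toy_dev;

static void pci_dma_read(toy_dev *d)  { d->dma_reads++;  }
static void pci_dma_write(toy_dev *d) { d->dma_writes++; }

/* cmd 0 = nop, 1 = read, 2 = write. Each phase the device can be in is
 * numbered consecutively and reported through the hook, so the fuzzer can
 * tell "reached the descriptor fetch" from "reached the data fetch" even
 * though both call the same pci_dma_read(). */
void toy_dev_handle_cmd(toy_dev *d, uint32_t cmd) {
    /* state 1: fetch the command descriptor from guest memory */
    pci_dma_read(d);
    __sanitizer_cov_trace_state(0, 1);
    d->cmd = cmd;
    if (cmd == 0)
        return;                    /* nop: the device never leaves state 1 */

    /* state 2: fetch the data buffer the descriptor points at */
    pci_dma_read(d);
    __sanitizer_cov_trace_state(0, 2);

    if (cmd == 2) {
        /* state 3: only a write command makes the device DMA a result back */
        pci_dma_write(d);
        __sanitizer_cov_trace_state(0, 3);
    }
}

int main(void) {
    toy_dev d = {0};
    reset_state_coverage();
    toy_dev_handle_cmd(&d, 0);     /* reaches state 1 only */
    toy_dev_handle_cmd(&d, 2);     /* reaches states 1, 2 and 3 */
    return count_states_seen() == 3 ? 0 : 1;
}
```

Feeding inputs that drive the device through more numbered states gives the fuzzer a signal that plain edge coverage would miss, since the same `pci_dma_read()` code is executed in both state 1 and state 2.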
I don't quite understand the virtual device state transition in the ViDeZZo paper. How do you distinguish different states? Could you please open-source that part of ViDeZZo?