Open josharian opened 5 years ago
Another method to consider is AddDataCoverage(hash uint64).
We have experimented with data-space-guided coverage and it shows very strong results. Basically, if we hash our model state and modify the coverage bitmap based on this hash, then the fuzzer is able to explore not only the code space but the data space as well.
Explained here.
The current Fuzz function signature is
I think we should migrate it to something more like:
(That import path will obviously have to change if go-fuzz moves into the standard toolchain. Or if we migrate to github.com/go-fuzz/go-fuzz, or the like.)
I imagine starting fuzz.F (fuzzing.F?) with:

There's plenty more to add, e.g. key-value-based requests for bools/ints/etc. instead of having to parse them out of a byte slice. But this would be a good first start.
In order to avoid people having to change their fuzz functions, I'd automatically detect the old style of signature and have go-fuzz-build insert a shim.
Discuss. :)
(P.S. I think you had a similar proposal, Dmitry. I know that I need to go look at it. Apologies.)
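As an added illustration of both ideas in this thread (the typed-request fuzz.F shape and the AddDataCoverage hook), here is a hypothetical sketch that is not go-fuzz's code or anything posted above: an F type that answers Bool/Int requests from the raw input without the target hand-parsing the byte slice, and that folds a hash of the target's model state into a toy coverage bitmap. The slot count, the FNV-1a choice, and the Covered/HashState helpers are assumptions made for this example.

```go
package main

import (
	"encoding/binary"
	"hash/fnv"
)

// coverageSlots sizes a toy coverage bitmap (constructed here; not go-fuzz's real one).
const coverageSlots = 1 << 16

// F is a hypothetical input helper in the spirit of the proposed fuzz.F: typed
// requests instead of hand-parsing the byte slice, plus AddDataCoverage.
type F struct {
	data []byte
	cov  []bool // one slot per coverage "edge"
}

func NewF(data []byte) *F { return &F{data: data, cov: make([]bool, coverageSlots)} }

// Bool consumes one byte; a short input yields false rather than panicking.
func (f *F) Bool() bool {
	if len(f.data) == 0 {
		return false
	}
	b := f.data[0]
	f.data = f.data[1:]
	return b&1 == 1
}

// Int consumes up to eight bytes as little-endian, zero-padding short input.
func (f *F) Int() int64 {
	var buf [8]byte
	n := copy(buf[:], f.data)
	f.data = f.data[n:]
	return int64(binary.LittleEndian.Uint64(buf[:]))
}

// AddDataCoverage marks the slot chosen by a hash of the target's own state, so
// inputs that run the same code path but reach different states still count as new.
func (f *F) AddDataCoverage(hash uint64) { f.cov[hash%coverageSlots] = true }

// Covered reports whether the slot for that state hash has been hit.
func (f *F) Covered(hash uint64) bool { return f.cov[hash%coverageSlots] }

// HashState hashes a target's model state (FNV-1a) for AddDataCoverage.
func HashState(state string) uint64 {
	h := fnv.New64a()
	h.Write([]byte(state))
	return h.Sum64()
}
```

A target would call f.Bool()/f.Int() for its parameters, then hash whatever state its model ends up in and pass that to AddDataCoverage, so the fuzzer keeps inputs that reach new states even when no new code ran.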