Hi, I found that when I fuzz ChakraCore with nautilus (with the builtin js grammar), the path numbers of different instances can be extremely different.
I launched 10 fuzz instances at the same time and fuzzed for 24 hours; one instance discovered 13.3k paths while the others discovered only 6~7k.
As the paper shows, the p-value of nautilus is low, so I wonder about the reason for this situation.
That's a really good question! You REALLY shouldn't look at the number of paths found (nor at the number of unique crashes). Sometimes it can be completely independent of the coverage found. Please check if the number of bits in the bitmap is also differing strongly. If it is, I'd recommend you use a tool like kcov to inspect the code coverage found by each fuzzer. That will also allow you to look at the difference between the individual runs. I assume there is some part of the codebase that's really hard to reach using the current grammar. If you identify that part, you can improve the grammar so that the fuzzer gets better coverage.
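One way to act on this advice, as an added example that is not part of Nautilus or this thread: a small script that compares per-instance coverage bitmaps, reporting how many edges each instance covered, which edges only that instance reached, and how many edges it missed. It assumes each instance dumped its bitmap as a raw AFL-style file with one byte per edge (that layout, the instance names and the sample bitmaps are assumptions/constructed).

```python
# Added example (not Nautilus project code): compare coverage bitmaps from
# several fuzz instances. Assumed layout: one byte per edge, non-zero = hit.
from pathlib import Path
from typing import Dict, Iterable, List, Set


def hit_edges(bitmap: bytes) -> Set[int]:
    """Indices of edges whose hit-count byte is non-zero."""
    return {i for i, b in enumerate(bitmap) if b}


def coverage_report(bitmaps: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Per instance: covered-edge count ('bits'), edges no other instance
    reached ('unique'), and count of edges in the union it never hit ('missed').
    A large spread in 'bits', or a big 'unique' list for one run, is the
    signal the reply above says is worth inspecting with a tool like kcov."""
    hits = {name: hit_edges(bm) for name, bm in bitmaps.items()}
    union: Set[int] = set().union(*hits.values())
    report: Dict[str, Dict[str, object]] = {}
    for name, edges in hits.items():
        others: Set[int] = set().union(
            *(e for n, e in hits.items() if n != name))
        report[name] = {
            "bits": len(edges),
            "unique": sorted(edges - others),
            "missed": len(union - edges),
        }
    return report


def load_bitmaps(paths: Iterable[Path]) -> Dict[str, bytes]:
    """Read raw bitmap files; the file stem is used as the instance name."""
    return {p.stem: p.read_bytes() for p in paths}


# Constructed sample: a 16-edge bitmap per instance, one run far ahead.
SAMPLE_BITMAPS: Dict[str, bytes] = {
    "fast":  bytes([1, 0, 3, 0, 0, 7, 0, 1, 0, 0, 2, 0, 0, 0, 1, 0]),
    "slow1": bytes([1, 0, 3, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0]),
    "slow2": bytes([1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 2, 0, 0, 0, 0, 0]),
}

if __name__ == "__main__":
    for inst, row in coverage_report(SAMPLE_BITMAPS).items():
        print(f"{inst:6s} bits={row['bits']:3d} missed={row['missed']:3d} "
              f"unique_edges={row['unique']}")
```

On real data, pass `load_bitmaps(Path("bitmaps").glob("*.bin"))` to `coverage_report`; the edges listed under `unique` for the leading instance are the ones to map back to source with kcov.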