Comments (4)
Hi Manda,
Thanks for your interest in K-Scheduler!
- K-Scheduler would incur slight runtime overhead due to the graph centrality analysis, but our evaluation results show that the drop in fuzzing throughput would not affect fuzzing performance. What do you mean by "discrepancy when there is no calculation"?
- Regarding llvm sanitizer coverage, please look at the official llvm documents https://clang.llvm.org/docs/SanitizerCoverage.html. In short, llvm sanitizer coverage is collision-free instrumentation widely used in fuzzers (e.g., AFL++'s default instrumentation is an inline version of llvm sanitizer edge coverage with the pruning feature). In K-Scheduler, we use the default setting of llvm sanitizer edge coverage without the pruning feature. I am guessing you were asking, since we are instrumenting the edge (the C code snippet in your post), why can we delete nodes (the Python code snippet in your post)?
The short answer is that "edge coverage without prune feature" = "node coverage" + "critical edge coverage" (Please see the definition of prune feature and critical edge in https://clang.llvm.org/docs/SanitizerCoverage.html). I will use the same example from llvm sanitizer coverage to explain how it works as follows:
Code:
```c
void foo(int *a) {
  if (a)
    *a = 0;
}
```
It contains three basic blocks, let’s name them A, B, C. If we do node instrumentation, we can have three nodes (each node corresponds to a basic block)
```
A        -> node coverage
|\
| \
|  B     -> node coverage
| /
|/
C        -> node coverage
```
But such node coverage is coarse-grained and fails to detect certain edges (A->C). Please read the llvm sanitizer coverage document for more details. That's what we call a critical edge. To solve this problem, edge coverage would add an explicit node to catch the critical edge, shown as node D as follows:
```
A
|\
| \
D  B     (A,B,C -> node coverage; D -> critical edge coverage)
| /
|/
C
```
For this code example, K-Scheduler uses llvm sanitizer edge coverage without the pruning to instrument four locations (A, B, C, and D nodes). Therefore, we can literally delete nodes on an "edge coverage graph". Let me know if you have any questions.
Best,
Dongdong
from k-scheduler.
Can it be understood in this way? This edge coverage is not the edge identifier calculated by the two basic block identifiers in llvmmode in afl. Through the introduction of virtual nodes, as long as normal nodes and virtual nodes are covered, it can be considered as covering all edges. Indirect calculation of edge coverage by node coverage.
from k-scheduler.
Yes, exactly.
from k-scheduler.
Thank you very much for your prompt reply.
from k-scheduler.
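The equivalence discussed in this thread ("edge coverage without pruning" = "node coverage" + "critical edge coverage"), as an added example that is not part of the thread or of K-Scheduler's code: it finds the critical edges of a CFG, models the block hits seen once each critical edge gets its own dummy block, and recovers the taken edges from block hits alone, generalized from `foo()` to any edge list. The function names and the `A_C` dummy label (node D in the diagram) are constructed for illustration, and the recovery assumes every hit block runs to its terminator and that the destination of a recovered edge is not the function entry.

```python
from collections import defaultdict

def adjacency(edges):
    succs, preds = defaultdict(set), defaultdict(set)
    for u, v in edges:
        succs[u].add(v)
        preds[v].add(u)
    return succs, preds

def critical_edges(edges):
    """Edges whose source has >1 successor and whose destination has >1 predecessor."""
    succs, preds = adjacency(edges)
    return [(u, v) for u, v in edges if len(succs[u]) > 1 and len(preds[v]) > 1]

def dummy_name(u, v):
    return f"{u}_{v}"  # constructed label for the block inserted on edge u->v

def instrumented_hits(path, edges):
    """Blocks whose counters fire for one execution path once critical edges are split."""
    crit = set(critical_edges(edges))
    hits = set(path)
    for u, v in zip(path, path[1:]):
        if (u, v) in crit:
            hits.add(dummy_name(u, v))
    return hits

def edges_from_hits(edges, hits):
    """Recover taken edges from block hits alone (assumes hit blocks run to their terminator)."""
    _, preds = adjacency(edges)
    crit = set(critical_edges(edges))
    taken = set()
    for u, v in edges:
        if (u, v) in crit:
            witness = dummy_name(u, v)  # only the dummy block proves this edge
        elif len(preds[v]) == 1:
            witness = v                 # v is reachable only through u
        else:
            witness = u                 # u has a single successor, so it must go to v
        if witness in hits:
            taken.add((u, v))
    return taken

# CFG of foo() from the comment above: A = entry, B = "*a = 0", C = return.
FOO = [("A", "B"), ("A", "C"), ("B", "C")]

if __name__ == "__main__":
    for path in (["A", "B", "C"], ["A", "C"]):
        hits = instrumented_hits(path, FOO)
        print(path, sorted(hits), sorted(edges_from_hits(FOO, hits)))
```

With plain node coverage the `foo(NULL)` path hits only A and C, a subset of what the non-NULL path already hit, so it registers nothing new; with the dummy block it contributes `A_C`.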