Tags: definition, instrumentation, fuzzing, libfuzzer

What are PCs and PC tables in LibFuzzer


I am trying to understand how code instrumentation works in LibFuzzer. From the documentation, I get that I can choose different types of instrumentation with the option -fsanitize-coverage.

When starting the fuzzer, the INFO section indicates which instrumentation is used (here 8-bit counters):

...
INFO: Loaded 1 modules   (46994 inline 8-bit counters): 46994 [0x978cc0, 0x984452),
INFO: Loaded 1 PC tables (46994 PCs): 46994 [0x861098,0x9189b8)
...

It also mentions the number of loaded PC tables with the total number of PCs. However, I have not found anywhere what PC means in this context. My guess so far is that it means "Program Counter" or "Path Coverage", but I have not found any source to confirm it.

My question is: in the context of code instrumentation with LibFuzzer, what does "PC" mean, and are there any sources to confirm it?


Solution

  • In this context, PC means Program Counter, as explained in this blog post:

    In order to log coverage, the function trace_pc will log the program counter. With this information, the fuzzer knows which paths are traversed for the given input values. Each fuzzing engine runs through this process differently.
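The following is an added example, not part of the question or the answer above, showing what a PC table holds in practice. Clang's SanitizerCoverage documentation describes a `pc-table` entry as a pair of pointer-sized words: the code address (program counter) of an instrumented basic block and a flags word whose low bit marks a function entry block. Two words per PC is exactly why the INFO line above reports 46994 PCs spanning 0x9189b8 - 0x861098 = 751904 = 46994 * 16 bytes, while the matching 8-bit counters span 0x984452 - 0x978cc0 = 46994 bytes, one counter per PC. The code defines the two init callbacks that clang calls from a module constructor when the file is built with `-fsanitize-coverage=inline-8bit-counters,pc-table` (libFuzzer normally defines them itself and prints the INFO lines from them); the file name `pc_table_demo.c`, the helper names and the sample table with its made-up addresses are assumptions of this example, not anything from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One pc-table entry as laid out by clang's -fsanitize-coverage=pc-table:
 * the program counter of an instrumented basic block, then a flags word
 * whose low bit is set when that block is a function entry. */
typedef struct {
    uintptr_t pc;
    uintptr_t flags;
} pc_entry;

#define PC_FLAG_FUNC_ENTRY ((uintptr_t)1)

typedef struct {
    size_t n_pcs;          /* total instrumented blocks in the table */
    size_t n_func_entries; /* blocks that begin a function */
    size_t n_inner_blocks; /* every other block */
} pc_table_summary;

/* Walk [beg, end) and classify every PC by its flags word. */
pc_table_summary summarize_pc_table(const pc_entry *beg, const pc_entry *end)
{
    pc_table_summary s = {0, 0, 0};
    for (const pc_entry *e = beg; e < end; e++) {
        s.n_pcs++;
        if (e->flags & PC_FLAG_FUNC_ENTRY)
            s.n_func_entries++;
        else
            s.n_inner_blocks++;
    }
    return s;
}

/* Byte size of a table holding n PCs: the INFO line's address arithmetic. */
size_t pc_table_bytes(size_t n_pcs)
{
    return n_pcs * sizeof(pc_entry);
}

/* Counter i and table entry i describe the same basic block, so a non-zero
 * 8-bit counter says which program counter an input reached. Writes up to
 * out_cap hit PCs into out and returns the total number of hit blocks. */
size_t hit_pcs(const uint8_t *counters, const pc_entry *pcs, size_t n,
               uintptr_t *out, size_t out_cap)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (counters[i] == 0)
            continue;
        if (hits < out_cap)
            out[hits] = pcs[i].pc;
        hits++;
    }
    return hits;
}

/* Built with: clang -fsanitize-coverage=inline-8bit-counters,pc-table pc_table_demo.c
 * clang's module constructor calls these with the real tables. Without the
 * flags nothing calls them and the pointers stay NULL. */
static const pc_entry *g_pcs_beg, *g_pcs_end;
static uint8_t *g_ctr_beg, *g_ctr_end;

void __sanitizer_cov_pcs_init(const uintptr_t *pcs_beg, const uintptr_t *pcs_end)
{
    g_pcs_beg = (const pc_entry *)pcs_beg;
    g_pcs_end = (const pc_entry *)pcs_end;
}

void __sanitizer_cov_8bit_counters_init(char *start, char *end)
{
    g_ctr_beg = (uint8_t *)start;
    g_ctr_end = (uint8_t *)end;
}

int main(void)
{
    /* Constructed sample table (addresses are made up, not from a real binary)
     * standing in for what libFuzzer receives through __sanitizer_cov_pcs_init. */
    static const pc_entry sample[] = {
        {0x401000, PC_FLAG_FUNC_ENTRY}, /* entry block of function A */
        {0x401010, 0},
        {0x40102a, 0},
        {0x401100, PC_FLAG_FUNC_ENTRY}, /* entry block of function B */
        {0x401118, 0},
    };
    const size_t n = sizeof sample / sizeof sample[0];
    /* Constructed counters as they might look after one fuzz input ran. */
    const uint8_t counters[] = {1, 3, 0, 1, 0};
    uintptr_t hit[8];

    pc_table_summary s = summarize_pc_table(sample, sample + n);
    printf("sample table: %zu PCs, %zu function entries, %zu bytes\n",
           s.n_pcs, s.n_func_entries, pc_table_bytes(s.n_pcs));
    size_t k = hit_pcs(counters, sample, n, hit, sizeof hit / sizeof hit[0]);
    for (size_t i = 0; i < k; i++)
        printf("hit PC 0x%lx\n", (unsigned long)hit[i]);

    if (g_pcs_beg) { /* only populated when built with the coverage flags */
        pc_table_summary real = summarize_pc_table(g_pcs_beg, g_pcs_end);
        printf("this binary: %zu PCs, %zu function entries, %zu 8-bit counters\n",
               real.n_pcs, real.n_func_entries, (size_t)(g_ctr_end - g_ctr_beg));
    }
    return 0;
}
```

Built with plain `cc pc_table_demo.c`, only the constructed table is processed; built with clang and the two sanitizer-coverage flags, the last printf reports this binary's own PC count and counter count, which is the same pair of numbers the INFO lines in the question show for the fuzz target.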