I am trying to understand how code instrumentation works in LibFuzzer.
From the documentation, I get that I can choose different types of instrumentation with the option -fsanitize-coverage.
When starting the fuzzer, the INFO section indicates which instrumentation is used (here 8-bit counters):
...
INFO: Loaded 1 modules (46994 inline 8-bit counters): 46994 [0x978cc0, 0x984452),
INFO: Loaded 1 PC tables (46994 PCs): 46994 [0x861098,0x9189b8)
...
It also mentions the number of loaded PC tables and the total number of PCs.
However, I have not found anywhere what PC means in this context.
My guess so far is that it means "Program Counter" or "Path Coverage" but I have not found any source to confirm it.
My question is: in the context of code instrumentation with LibFuzzer, what does "PC" mean, and are there any sources to confirm it?
In this context, PC means Program Counter, as explained in this blog post:
In order to log coverage, the function trace_pc will log the program counter. With this information, the fuzzer knows which paths are traversed on the given input values. Each fuzzing engine runs through this process differently.
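The INFO lines in the question already confirm the layout behind that answer: the PC table range [0x861098,0x9189b8) is 0xB7920 = 751904 bytes, which is exactly 46994 × 16, i.e. two 8-byte words per PC (the code address plus a flags word), while the counter range [0x978cc0, 0x984452) is 0xB792 = 46994 bytes, one byte per inline 8-bit counter. The following is an added example, not code from the question, the answer or the blog post it cites: a minimal set of LLVM SanitizerCoverage callbacks (the real names `__sanitizer_cov_pcs_init`, `__sanitizer_cov_trace_pc_guard_init` and `__sanitizer_cov_trace_pc_guard`) that receive the PC table and record the program counter of each instrumented edge, plus a small branchy target. It assumes clang with `-fsanitize-coverage` and the `no_sanitize("coverage")` attribute; the statistics accessors and `classify` are hypothetical names chosen for the demo.

```c
/* Added example, not from the original question or answer: minimal
 * SanitizerCoverage callbacks showing what the "PC table" and guard
 * instrumentation hand to the runtime.
 *
 * Build with instrumentation (clang only; gcc has no -fsanitize-coverage):
 *   clang -O1 -fsanitize-coverage=trace-pc-guard,pc-table cov_demo.c -o cov_demo
 * Built without it, the callbacks are simply never invoked, so the program
 * reports zero PCs, zero guards and zero hits.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Keep the callbacks themselves uninstrumented; otherwise the guard callback
 * would be instrumented and call itself (attribute assumed: clang >= 13). */
#if defined(__clang__)
#define NO_COV __attribute__((no_sanitize("coverage")))
#else
#define NO_COV
#endif

/* LLVM pc-table layout: one (pc, flags) pair per instrumented block; bit 0
 * of flags marks a function entry. Two machine words per PC, which is why
 * a table of 46994 PCs spans 46994 * 16 bytes on a 64-bit target. */
#define PC_FLAG_FUNC_ENTRY ((uintptr_t)1)

static size_t g_num_pcs = 0;          /* entries seen in the PC table */
static size_t g_num_func_entries = 0; /* of which function entries */
static size_t g_num_guards = 0;       /* guards numbered by *_guard_init */
static size_t g_hits = 0;             /* guard callback invocations */
static uintptr_t g_last_pc = 0;       /* return address of the last hit */

/* Called once per module at startup with the whole (pc, flags) table. */
NO_COV void __sanitizer_cov_pcs_init(const uintptr_t *pcs_beg,
                                     const uintptr_t *pcs_end) {
    g_num_pcs = (size_t)(pcs_end - pcs_beg) / 2;
    g_num_func_entries = 0;
    for (const uintptr_t *p = pcs_beg; p + 1 < pcs_end; p += 2) {
        if (p[1] & PC_FLAG_FUNC_ENTRY)
            g_num_func_entries++;
    }
}

/* Called once per module with the guard array; give each guard a non-zero
 * id. Must tolerate being called again for the same range. */
NO_COV void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
    static uint32_t next_id = 1;
    if (start == stop || *start != 0)
        return; /* empty module, or already initialised */
    for (uint32_t *g = start; g < stop; g++) {
        *g = next_id++;
        g_num_guards++;
    }
}

/* Called on every instrumented edge. The "PC" recorded here is the code
 * address this call returns to, i.e. a program counter value. */
NO_COV void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
    if (*guard == 0)
        return; /* guard disabled */
    g_hits++;
    g_last_pc = (uintptr_t)__builtin_return_address(0);
}

/* Accessors for the collected statistics (hypothetical helper names). */
size_t cov_num_pcs(void) { return g_num_pcs; }
size_t cov_num_func_entries(void) { return g_num_func_entries; }
size_t cov_num_guards(void) { return g_num_guards; }
size_t cov_hits(void) { return g_hits; }
uintptr_t cov_last_pc(void) { return g_last_pc; }

/* Small target with several edges, so an instrumented build shows
 * different hit counts for different inputs. */
int classify(int x) {
    if (x < 0) return -1;
    if (x == 0) return 0;
    if (x % 2 == 0) return 2;
    return 1;
}

int main(int argc, char **argv) {
    int x = argc > 1 ? atoi(argv[1]) : 7;
    int c = classify(x);
    printf("classify(%d) = %d\n", x, c);
    printf("PC table: %zu PCs (%zu function entries), %zu guards, %zu hits, last PC 0x%lx\n",
           cov_num_pcs(), cov_num_func_entries(), cov_num_guards(), cov_hits(),
           (unsigned long)cov_last_pc());
    return 0;
}
```

Run the instrumented binary with different arguments and the hit count changes with the path taken through `classify`, while the PC count and guard count stay fixed, because the PC table is a static property of the compiled module and only the counters reflect execution.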