Displaying 5 results from an estimated 5 matches for "save_minimized_corpus".
2015 Aug 12
2
libfuzzer questions
...> With -fsanitize-coverage=indirect-calls it will also track indir call
> edges (uniq pairs of caller-callee).
>
>>
Ok, I think the parallel jobs and unique caller/callee pairs must be where
it got amped up a bit. I'm using "bb,indirect-calls,8bit-counters".
> save_minimized_corpus 0 If 1, the minimized corpus is
>>> saved into the first input directory
>>> -------------
>>>
>>>>
>> Ohh, ok. I think I misunderstood this as trying to minimize the size of
>> the test case while still reproducing a crash. Similar...
2015 Sep 03
2
Fuzzing complex programs
...> I haven't looked into why yet, this is probably something simple but
> for the sake of it this is what I'm getting now with the above fixed:
>
> /usr/local/pgsql/bin/psql -c 'select fuzz()'
> Flag: verbosity 9
> Flag: iterations 100
> Flag: runs 10
> Flag: save_minimized_corpus 1
> Seed: 3416380570
> SetTimer 601
> Tokens: {}
> PreferSmall: 1
> #0 READ cov: 0 bits: 0 units: 1 exec/s: 0
> Called with Data=(nil) size=0
> #1 pulse cov: 13790 bits: 21 units: 1 exec/s: 0
> NEW0: 13790 L 0
> #1 INITED cov: 13790 bits: 21 units: 1 exec/s: 0
> Wri...
2015 Aug 11
3
libfuzzer questions
...s.
>
>
I think afl-cmin uses some afl-specific behavior.
> I find that sometimes I get an enormous amount of tests and it becomes
>> unmanageable.
>>
>
> libFuzzer has an option to minimize the corpus.
> It's not perfect, but very simple.
> -------------
> save_minimized_corpus 0 If 1, the minimized corpus is
> saved into the first input directory
> -------------
>
>>
Ohh, ok. I think I misunderstood this as trying to minimize the size of
the test case while still reproducing a crash. Similar to how afl-tmin
works, I was thinking. I'll...
2015 Sep 03
2
Fuzzing complex programs
Looks correct.
Can you post the output of libFuzzer here?
Something like
#0 READ cov: 0 bits: 0 units: 97701 exec/s: 0
#1 pulse cov: 732 bits: 0 units: 97701 exec/s: 0
#2 pulse cov: 737 bits: 0 units: 97701 exec/s: 1
#4 pulse cov: 858 bits: 0 units: 97701 exec/s: 2
#8 pulse cov: 880 bits: 0 units: 97701 exec/s: 4
On Thu, Sep 3, 2015 at 10:50 AM, Greg Stark
2015 Aug 11
3
libfuzzer questions
First off, thanks -- this is a pretty great library and it feels like I'm
learning a lot. I'm getting some more experience with libfuzzer and
finding that I have a couple of questions:
- How does libfuzzer decide to write a new test file? What distinguishes
this one from all the other cases for which new test inputs were not
written? Must be something about the path taken through the