fuzz: Enable and document code coverage for zkas

Libfuzzer has more capabilities to provide a helpful code coverage report for fuzz testing. (Or at least is has better documentation.) This commit copies the zkas-compile harness from honggfuzz into libfuzzer. It also includes instructions for generating coverage reports.
2026-01-08 22:28:12 -05:00 · 2023-09-19 14:41:25 -04:00
parent 989d049452
commit a0e78b576a
2 changed files with 45 additions and 0 deletions
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -51,3 +51,9 @@ name = "decode-string"
 path = "fuzz_targets/decode_string.rs"
 test = false
 doc = false
+
+[[bin]]
+name = "zkas-compile"
+path = "fuzz_targets/zkas_compile.rs"
+test = false
+doc = false
--- a/fuzz/README.md
+++ b/fuzz/README.md
@@ -126,3 +126,42 @@ errors found during fuzzing are likely to be precisely the edge-cases that
 trigger incompatibilites between build architectures.

 Further research is needed here to find a reliable solution.
+
+## Code Coverage
+
+It's very helpful to know how much of the code is actually being reached through fuzzing.
+
+We can generate code coverage in the following way. Note that these instructions
+are based on the [rust-fuzz book entry](https://rust-fuzz.github.io/book/cargo-fuzz/coverage.html) 
+(which is incorrect) and the [rustc documentation](https://doc.rust-lang.org/rustc/instrument-coverage.html). 
+
+If you encounter errors, review these documents. Also, ensure you are using the nightly toolchain.
+
+For this example, our `<target>` is `zkas-compile`. Replace this with the harness you are interested in.
+
+```sh
+# Install depedencies
+cargo install rustfilt
+rustup component add llvm-tools-preview
+
+# Generate coverage files. Run this from fuzz/
+# This step will be faster if you minimize the corpus first.
+cargo fuzz coverage zkas-compile
+
+# Manually create a .profdata file. (One is generated by the above command, but it appears to be broken)
+llvm-profdata merge -sparse coverage/zkas-compile/raw/* -o zkas-compile.profdata
+
+# Now we have a file `zkas-compile.profdata`
+# Your architecture triple may be different. Use tab-completion to find the right file.
+# The duplication triple is intentional.
+
+llvm-cov show target/x86_64-unknown-linux-gnu/coverage/x86_64-unknown-linux-gnu/release/zkas-compile \
+--format=html \
+-instr-profile=manual.profdata \
+-show-line-counts-or-regions \
+-show-instantiations \
+> zkas-compile-report.html
+```
+
+You can now open `zkas-compile-report.html` in a browser and view the code coverage.
+