While Jackalope is primarily a black box binary fuzzer, it can also fuzz targets compiled with Sanitizer Coverage. In this mode coverage is collected by the target's own Sanitizer Coverage callbacks (via the `sancovclient` code linked into it) instead of Jackalope's binary instrumentation. The mode is only available on Linux and is selected with the `-instrumentation sancov` flag.
The fuzzing target for this mode must be prepared as follows:

- The target project must include `sancovclient.h` and compile/link `sancovclient.cpp` into the target binary.
- The target must call `__pre_fuzz()` before and `__post_fuzz()` after the code being fuzzed. One such pair defines a fuzzing iteration. Alternately, the target can use the `JACKALOPE_FUZZ_LOOP` macro defined in `sancovclient.h`.
- The target should be compiled with `-fsanitize-coverage=trace-pc-guard`.

Please refer to `sancovtest.cpp` and the appropriate section in `CMakeLists.txt` for an example of how to prepare and build a target.
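Putting the steps above together, here is an added example of a minimal target prepared for sancov mode. It is not Jackalope's own `sancovtest.cpp`: what it takes from the page is the shape of an iteration (`__pre_fuzz()`, the code being fuzzed, `__post_fuzz()`); the record format being parsed, the file-based input, the per-process iteration count (`kIterationsPerProcess`) and the no-op fallback definitions used when `sancovclient.h` is not on the include path are assumptions for illustration.

```cpp
// Added example: a minimal target prepared for Jackalope's sancov mode.
// What follows the README: __pre_fuzz() before and __post_fuzz() after the
// code being fuzzed, one pair per iteration. Assumptions for illustration:
// the record format, file-based input, the per-process iteration count and
// the no-op fallbacks used when sancovclient.h is not on the include path.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

#if defined(__has_include)
#  if __has_include("sancovclient.h")
#    include "sancovclient.h"  // Jackalope's client: declares __pre_fuzz/__post_fuzz
#    define HAVE_SANCOVCLIENT 1
#  endif
#endif
#ifndef HAVE_SANCOVCLIENT
// Fallback so the file builds stand-alone without Jackalope's sources
// (assumption: the real functions take no arguments). Outside the fuzzer the
// iteration markers do nothing.
static void __pre_fuzz() {}
static void __post_fuzz() {}
#endif

// One parsed record; payload points into the caller's buffer.
struct Record {
  uint8_t type;
  const uint8_t *payload;
  uint16_t len;
};

// Parse a sequence of [type:1][len:2 big-endian][payload:len] records.
// Returns the number of records, or -1 on a truncated header or payload.
// Every byte of the input must belong to some record.
static int parse_records(const uint8_t *data, size_t size,
                         std::vector<Record> *out) {
  size_t off = 0;
  int count = 0;
  while (off < size) {
    if (size - off < 3) return -1;  // truncated header
    uint8_t type = data[off];
    uint16_t len = (uint16_t)((data[off + 1] << 8) | data[off + 2]);
    off += 3;
    if (len > size - off) return -1;  // payload runs past the end of the input
    if (out) out->push_back(Record{type, data + off, len});
    off += len;
    ++count;
  }
  return count;
}

// The code under fuzz for one iteration: parse the sample and fold the
// payload bytes into a checksum so the parsed data is actually consumed.
// Returns -1 for malformed input.
static long fuzz_one(const uint8_t *data, size_t size) {
  std::vector<Record> records;
  if (parse_records(data, size, &records) < 0) return -1;
  long sum = 0;
  for (const Record &r : records)
    for (uint16_t i = 0; i < r.len; i++) sum += r.payload[i];
  return sum;
}

// Read the whole sample file; returns false on I/O error.
static bool read_sample(const char *path, std::vector<uint8_t> *buf) {
  FILE *f = std::fopen(path, "rb");
  if (!f) return false;
  uint8_t chunk[4096];
  size_t n;
  buf->clear();
  while ((n = std::fread(chunk, 1, sizeof chunk, f)) > 0)
    buf->insert(buf->end(), chunk, chunk + n);
  std::fclose(f);
  return true;
}

// Iterations run in one process before the fuzzer restarts it (assumed value;
// it should match what the fuzzer is started with via -iterations).
static const int kIterationsPerProcess = 10000;

int main(int argc, char **argv) {
  if (argc != 2) {
    std::fprintf(stderr, "usage: %s <input file>\n", argv[0]);
    return 1;
  }
  for (int i = 0; i < kIterationsPerProcess; i++) {
    __pre_fuzz();  // start of a fuzzing iteration
    // Re-read the sample every iteration (assumption: the fuzzer rewrites the
    // file between iterations) and keep all state local so nothing from a
    // previous sample leaks into the next one.
    std::vector<uint8_t> buf;
    if (read_sample(argv[1], &buf)) fuzz_one(buf.data(), buf.size());
    __post_fuzz();  // end of the iteration
  }
  return 0;
}
```

Build it with Clang against Jackalope's sources, for example `clang++ -fsanitize-coverage=trace-pc-guard -I<jackalope dir> target.cpp <jackalope dir>/sancovclient.cpp -o target` (paths assumed), and before fuzzing confirm that the instrumentation was actually emitted: `nm target | grep __sanitizer_cov_trace_pc_guard` should list the guard callbacks, since a binary built without the flag hits no guards and therefore yields no coverage for the fuzzer to work with. Keeping every per-iteration buffer local, as above, matters in a persistent loop: state carried over from an earlier sample makes a crash found during fuzzing hard to reproduce from the saved sample alone.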
On Linux, Jackalope should be built using Clang; GCC does not implement the `trace-pc-guard` variant of `-fsanitize-coverage`, so building the example target binary with Sanitizer Coverage under GCC will fail.
Build example:

```
export CC=/usr/bin/clang
export CXX=/usr/bin/clang++
mkdir build
cd build
cmake ..
cmake --build . --config Release
```
Example:

```
./fuzzer -instrumentation sancov -in in -out out -t 1000 -delivery shmem -iterations 10000 -mute_child -- ./sancovtest -m @@
```

Here `-delivery shmem` hands samples to the target through shared memory rather than a file, and `@@` on the target command line is replaced with the name of that shared memory; `sancovtest`'s `-m` switch tells it to read its input from there. `-t 1000` is the iteration timeout in milliseconds, `-iterations 10000` the number of iterations to run in one target process before it is restarted, and `-mute_child` suppresses the target's stdout and stderr.