clarification on coverage guidance
https://github.com/Ackee-Blockchain/trident/blob/de2eed33169f32b728f519df8bac1792dc996b38/documentation/docs/basics/faq.md?plain=1#L26
Hi, the docs say the fuzzer is coverage guided, but I have not been able to find how coverage of the program under test is gathered. It appears that the program is registered as a builtin and thus the SBPF interpreter/JIT is not used. Is the program being instrumented with sancov, and is that what informs AFL/Honggfuzz, or is it something else? I saw this open PR, but it appears to be for coverage reports and not to improve the performance of the fuzzer.
Hello, the coverage is handled by AFL and Honggfuzz. Yes, the program is registered as a built-in, and the JIT is not used. The PR is referring to a similar feature where we will show coverage with the VSCode Extension.
The next release (most likely) will switch the fuzzer to Manually Guided mode, where we will not use AFL and Honggfuzz anymore.
Thanks for the reply.
> Hello, the coverage is handled by AFL and Honggfuzz

Could you elaborate, please? Is the program built with sanitizers, e.g. trace-pc, or is it being done blackbox? I didn't see any mention of instrumentation or qemu mode in the code.
Yes, that is because Honggfuzz/AFL handles this. In principle, Trident just runs the Honggfuzz/AFL commands, which handle the instrumentation by themselves.
Does this mean Agave's code is also being instrumented?
What precisely do you mean by that? Whether there are Solana crates that are instrumented? Yes.