97db30c to 390836b
Pull request overview
This PR introduces a maximize() API to Jazzer that enables hill-climbing fuzzing scenarios where standard code coverage is insufficient. The API guides the fuzzer to maximize a value by setting coverage counters for all values from the minimum up to the observed value, creating incremental progress feedback.
Changes:
- Added `CountersTracker` infrastructure (Java and C++) to manage extra coverage counters separate from regular code coverage
- Added `Jazzer.maximize()` API with automatic call-site ID generation via instrumentation hooks
- Added comprehensive test coverage for the new APIs
- Added ReactorFuzzTest example demonstrating the maximize API on a chaotic feedback system
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| src/main/native/com/code_intelligence/jazzer/driver/counters_tracker.h | Refactored header from CoverageTracker to CountersTracker, adding support for separate extra counters region |
| src/main/native/com/code_intelligence/jazzer/driver/counters_tracker.cpp | New implementation managing both coverage and extra counters with libFuzzer registration |
| src/main/native/com/code_intelligence/jazzer/driver/BUILD.bazel | Updated build dependencies to reference counters_tracker instead of coverage_tracker |
| src/main/java/com/code_intelligence/jazzer/runtime/CountersTracker.java | New Java class providing thread-safe counter allocation and management API |
| src/main/java/com/code_intelligence/jazzer/runtime/BUILD.bazel | Added CountersTracker build target and dependencies |
| src/main/java/com/code_intelligence/jazzer/runtime/JazzerApiHooks.java | Added instrumentation hook to auto-generate call-site IDs for maximize() calls |
| src/main/java/com/code_intelligence/jazzer/api/Jazzer.java | Added maximize() API methods with documentation |
| src/test/java/com/code_intelligence/jazzer/runtime/CountersTrackerTest.java | Comprehensive unit tests for CountersTracker including concurrency tests |
| src/test/java/com/code_intelligence/jazzer/api/MaximizeTest.java | Unit tests for the maximize() API covering edge cases |
| examples/junit/src/test/java/com/example/ReactorFuzzTest.java | Example demonstrating maximize() on a temperature maximization problem |
390836b to ae1b9e1
Pull request overview
Copilot reviewed 14 out of 14 changed files in this pull request and generated 4 comments.
CountersTracker provides a flexible API for mapping program state to coverage counters, enabling incremental progress feedback to libFuzzer.

Key features:
- ensureCountersAllocated(id, numCounters): allocate counter range
- setCounter/setCounterRange: set counter values by ID and offset
- Thread-safe allocation via ConcurrentHashMap
- Separate memory region from main coverage map

This lays the foundation for the maximize() hill-climbing API.
ae1b9e1 to ba805b4
Add Jazzer.maximize(value, id, minValue, maxValue) for guiding the fuzzer to maximize a value over time. For each observed value v in [minValue, maxValue], sets counters [0, v-minValue] to signal progress.

Features:
- Enables corpus minimization (only max-value input retained)
- Convenience overload without explicit ID (uses instrumentation hook)
- Delegates to CountersTracker for counter management
- No state in Jazzer.java - all managed by CountersTracker
Example shows how maximize() helps fuzz a chaotic feedback system where standard coverage provides no guidance. The fuzzer is guided to increase "temperature" through complex state-dependent logic.
ba805b4 to 789e759
Pull request overview
Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.
Pull request overview
Copilot reviewed 14 out of 14 changed files in this pull request and generated no new comments.
Summary

Add a hill-climbing `maximize()` API to Jazzer that guides the fuzzer toward maximizing a value over time. This enables fuzzing scenarios where standard code coverage provides insufficient guidance, such as finding inputs that maximize some computed metric.

Changes

- `Jazzer.maximize()` API

How it works: For each observed value v, sets coverage counters [0, v-minValue] to 1. This creates incremental progress feedback - higher values trigger more "coverage," guiding the fuzzer toward the maximum. Corpus minimization naturally retains only the input producing the highest value.
Example
Added ReactorFuzzTest demonstrating the API on a chaotic feedback system where standard coverage is constant but the fuzzer needs to maximize a computed temperature value.
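The counter scheme the PR description and the CountersTracker commit message above describe, modelled end to end as an added example in Python; this is not Jazzer's code and does not use its API. The `CountersTracker` and `maximize` here mirror the PR's vocabulary but are this example's own: the call-site id is passed explicitly rather than generated by an instrumentation hook, out-of-range values are clamped (the PR does not say what happens to them), the branch-free "reactor" target is constructed for the demonstration, and a minimal keep-if-new-feedback mutational loop stands in for libFuzzer. Running it with and without the extra counters shows why plain coverage cannot guide the search on such a target, and why a greedy corpus minimizer keeps only the input with the highest value.

```python
"""Toy model of the maximize() feedback described in the PR. Added example, not
Jazzer code: counters [0, v - minValue] are set to 1 in a counter region keyed by
call-site id, on top of a minimal coverage-guided mutational fuzzer. The reactor
target and the clamping of out-of-range values are this example's assumptions."""
import random

class CountersTracker:
    """Extra counter region, separate from 'code coverage' (the cov set below)."""
    def __init__(self):
        self._ranges = {}            # id -> (offset, num_counters)
        self._counters = bytearray()

    def ensure_counters_allocated(self, counter_id, num_counters):
        if counter_id not in self._ranges:
            self._ranges[counter_id] = (len(self._counters), num_counters)
            self._counters.extend(bytes(num_counters))

    def set_counter_range(self, counter_id, start, end, value=1):
        offset, num = self._ranges[counter_id]   # start..end inclusive, within the id's range
        if not 0 <= start <= end < num:
            raise IndexError(f"[{start}, {end}] outside {num} counters of {counter_id!r}")
        for i in range(start, end + 1):
            self._counters[offset + i] = value

    def reset(self):
        self._counters = bytearray(len(self._counters))

    def snapshot(self):
        return bytes(self._counters)

def maximize(tracker, value, counter_id, min_value, max_value):
    """One counter per possible value; counters [0, v - min_value] set to 1."""
    if min_value > max_value:
        raise ValueError("min_value must not exceed max_value")
    v = max(min_value, min(max_value, value))   # clamp (assumption of this model)
    tracker.ensure_counters_allocated(counter_id, max_value - min_value + 1)
    tracker.set_counter_range(counter_id, 0, v - min_value)

MAX_TEMP = 16 * 63  # largest temperature run_reactor can produce

def run_reactor(data, cov, tracker=None):
    """Branch-free, state-dependent target: coverage is identical for every input."""
    cov.add("reactor:entry")
    temp, prev = 0, 0
    for b in data[:16]:
        cov.add("reactor:loop")
        temp += (b ^ prev) & 0x3F
        prev = (b * 31 + temp) & 0xFF
    cov.add("reactor:exit")
    if tracker is not None:
        maximize(tracker, temp, "reactor-temp", 0, MAX_TEMP)
    return temp

def mutate(data, rng):
    buf = bytearray(data)
    i = rng.randrange(len(buf))
    if rng.randrange(2):
        buf[i] = rng.randrange(256)                          # random byte
    else:
        buf[i] = (buf[i] + rng.choice((-1, 1))) & 0xFF       # small step
    return bytes(buf)

def run_with_feedback(data, tracker, use_maximize):
    cov = set()
    tracker.reset()
    temp = run_reactor(data, cov, tracker if use_maximize else None)
    counters = {("counter", i) for i, v in enumerate(tracker.snapshot()) if v}
    return temp, cov | counters

def fuzz(use_maximize, iterations=1500, seed=7):
    """Keep an input iff it produced feedback never seen before (libFuzzer's rule)."""
    rng, tracker = random.Random(seed), CountersTracker()
    seen, corpus, best = set(), [], -1
    def execute(data):
        nonlocal best
        temp, feedback = run_with_feedback(data, tracker, use_maximize)
        best = max(best, temp)
        if not feedback <= seen:
            seen.update(feedback)
            corpus.append(data)
    execute(bytes(16))
    for _ in range(iterations):
        execute(mutate(rng.choice(corpus), rng))
    return best, corpus

def minimize_corpus(corpus, use_maximize):
    """Greedy set cover over feedback; nested counter ranges mean the input with
    the highest value covers everything the others do, so only it survives."""
    tracker = CountersTracker()
    feedback = {d: run_with_feedback(d, tracker, use_maximize)[1] for d in corpus}
    remaining, kept = set().union(*feedback.values()), []
    while remaining:
        d = max(feedback, key=lambda x: len(feedback[x] & remaining))
        kept.append(d)
        remaining -= feedback[d]
    return kept

if __name__ == "__main__":
    for mode in (False, True):
        best, corpus = fuzz(use_maximize=mode)
        print(mode, best, len(corpus), len(minimize_corpus(corpus, mode)))
```

Without the extra counters every 16-byte input yields the same three coverage edges, so the corpus never grows past the seed and the fuzzer keeps mutating the same input. With them, each new maximum lights a counter index nobody has set before, the input is kept, and later mutations build on it; because the ranges are nested prefixes, the highest-value input's feedback is a superset of all others and the minimizer reduces the corpus to that single input.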