oss-fuzz does not cover the code after if - else in C code


I am studying the Oss-fuzz and found the following strange behavior, which I cannot understand.

I created a simple C project with the only function with 3 branches (if incoming values equal 0, 32 and whatever else). Here is the testing function:

1  int func(int a)
2  {
3     FILE *fptr;
4     if ((fptr = fopen("tdata.bin","ab")) != NULL)
5     {
6         fwrite(&a, 1, 1, fptr);
7         fclose(fptr);
8     }
9
10    if (a == 0x00)
11        return 0;
12    else if (a == 0x20)
13        return 1;
14
15    printf("last line is reached!");
16    return 2;
17 }

Here is the fuzzer:

#include <stddef.h>
#include <stdint.h>

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
  /* libFuzzer also passes empty inputs; guard the dereference of *data */
  if (size < 1)
    return 0;
  func((int)(*data));
  return 0;
}

The issue is that if I run the introspector test with the following command:

python3 infra/helper.py introspector test02

it shows me that the function coverage is only 90%. Lines 15-16 are not covered, although the fuzzing is passing through those lines. It can be seen in the output console (I can see "last line is reached!"), and also in the debug file "tdata.bin" I can see about 562k randomized bytes with values not equal to 0 or 32. There are also two corpus entries with the values 0 and 32. So it seems the fuzzer has reached lines 15-16 but for some reason does not count them in the report. Can someone explain this strange thing to me?

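One way to check reachability of the three paths independently of the introspector report is to replay the saved corpus through the harness with your own per-branch counters. The following is an added example, not the poster's project code: it copies the question's three-way branch as func_pure() (without the tdata.bin side effect), adds the empty-input guard the posted harness lacks, and replays a constructed corpus.

```c
#include <stddef.h>
#include <stdint.h>

/* Same decision logic as the question's func(), minus the file write,
 * so the example runs anywhere. (Added example, not the project's code.) */
static int func_pure(int a)
{
    if (a == 0x00)
        return 0;
    else if (a == 0x20)
        return 1;
    return 2;                 /* corresponds to the "last line is reached!" path */
}

/* Hit counters indexed by func_pure()'s return value. */
static unsigned long branch_hits[3];

/* Harness with a size guard: libFuzzer does hand in empty inputs, and
 * *data on a zero-length buffer is an out-of-bounds read. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (size < 1)
        return 0;
    branch_hits[func_pure((int)data[0])]++;
    return 0;
}

/* Replay n inputs through the harness and return a bitmask of the
 * branches reached: bit0 = return 0, bit1 = return 1, bit2 = return 2. */
unsigned replay_corpus(const uint8_t *const *inputs, const size_t *sizes, size_t n)
{
    unsigned mask = 0;
    for (size_t i = 0; i < 3; i++)
        branch_hits[i] = 0;
    for (size_t i = 0; i < n; i++)
        LLVMFuzzerTestOneInput(inputs[i], sizes[i]);
    for (unsigned i = 0; i < 3; i++)
        if (branch_hits[i])
            mask |= 1u << i;
    return mask;
}

/* Constructed corpus: the two entries the fuzzer saved (0x00, 0x20),
 * one empty input, and one arbitrary byte that takes the third path. */
static const uint8_t c_zero[] = {0x00}, c_space[] = {0x20}, c_other[] = {0x41};
static const uint8_t empty[1] = {0};
static const uint8_t *const corpus[] = {c_zero, c_space, empty, c_other};
static const size_t corpus_sizes[] = {1, 1, 0, 1};

/* Runs the constructed corpus; returns 7 when all three branches were hit. */
unsigned run_example(void) { return replay_corpus(corpus, corpus_sizes, 4); }
```

Point a real replay at the files under the fuzzer's corpus directory to confirm the third branch is exercised before doubting the coverage report.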

There are 0 answers