Crate foundry_evm_sancov

Expand description

SanitizerCoverage callbacks for coverage-guided fuzzing of native Rust code.

Provides LLVM SanitizerCoverage callbacks and a coverage map that can be set by the fuzzing executor to collect edge coverage from instrumented Rust crates (e.g. precompile implementations compiled with -Cpasses=sancov-module).

Additionally provides trace-cmp callbacks that capture comparison operands and surface them to the fuzzer’s dictionary, enabling it to solve comparison guards (balance checks, overflow guards, etc.).

Only crates compiled with sancov instrumentation (via a RUSTC_WRAPPER) will trigger these callbacks — no runtime filtering needed.

Structs§

CmpSample: A single comparison operand captured by a trace-cmp callback.

Constants§

CMP_OPERANDS 🔒
MAX_CMP_OPERANDS 🔒
UNASSIGNED 🔒

Statics§

COVERAGE_MAP_LEN 🔒
COVERAGE_MAP_PTR 🔒
GUARD_COUNTER 🔒
GUARD_LOOKUP 🔒
NEXT_SANCOV_IDX 🔒

Functions§

__sanitizer_cov_trace_cmp1^⚠: Safety
__sanitizer_cov_trace_cmp2^⚠: Safety
__sanitizer_cov_trace_cmp4^⚠: Safety
__sanitizer_cov_trace_cmp8^⚠: Safety
__sanitizer_cov_trace_const_cmp1^⚠: Safety
__sanitizer_cov_trace_const_cmp2^⚠: Safety
__sanitizer_cov_trace_const_cmp4^⚠: Safety
__sanitizer_cov_trace_const_cmp8^⚠: Safety
__sanitizer_cov_trace_pc_guard^⚠: Safety
__sanitizer_cov_trace_pc_guard_init^⚠: Safety
__sanitizer_cov_trace_switch^⚠: Safety
clear_cmp_operands: Clear all captured comparison operands on the current thread.
clear_coverage_map: Deactivate the coverage map.
drain_cmp_operands: Drain all captured comparison operands from the current thread.
is_active: Whether a coverage map is currently active.
record_cmp 🔒
record_hit: Record a hit for the given guard ID into the active coverage map.
sancov_edge_count: Number of unique sancov edges discovered so far.
set_coverage_map: Point the coverage map at the given buffer. Subsequent __sanitizer_cov_trace_pc_guard calls will record hits into this buffer.