This change enables a fuzz-target to locate the coverage bitmaps that are
checked at the end of each fuzz-run. The main use-case for this is
a fuzz-target which, similarly to AFL, forks to reset state. Unlike AFL,
libFuzzer doesn't place the coverage data in shared memory. To work around
this, the target can map some shared memory and copy the coverage data from the
child to the parent, at the end of each fuzz run. There is an example of such a
fuzz target in test/fuzzer/DeferredForkTest.cpp.

Another use-case is state-resetting through memory-snapshotting. In this case,
the target would use the information to roll-back changes to memory outside of
the fuzzer-related pages.

I am fuzzing virtual QEMU devices as part of Google Summer of Code 2019.
Previously, I used virtual machine snapshots and reboots to reset state, but the
fork-based approach often performs better.

The patch exposes an LLVMFuzzerIterateFeatureRegions() function to the guest,
which leaves the actual implementation of the forking/other type of resetting
logic up to the fuzz-target developer, offering some flexibility over an afl-style
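The child-to-parent coverage hand-off the message describes, as an added example that is not part of the patch or of libFuzzer. The counters array stands in for libFuzzer's private coverage region, iterate_feature_regions() is a hypothetical callback-style stand-in for the hook the patch exposes (the message does not show the real signature, so that shape is an assumption), and device_handle() is a constructed device model whose state must not leak back into the parent:

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* Stand-in for the coverage counters libFuzzer keeps in ordinary private
 * memory (the ones a forked child would otherwise lose at _exit). */
#define NUM_COUNTERS 64
static uint8_t counters[NUM_COUNTERS];

/* Hypothetical analogue of the region-iteration hook: hands every coverage
 * region (start, size) to a callback. Assumed shape, not the real API. */
typedef void (*region_cb)(void *start, size_t size, void *arg);
static void iterate_feature_regions(region_cb cb, void *arg) {
    cb(counters, sizeof counters, arg);
}

/* Constructed device model: mutates global state and bumps "edge" counters. */
static int device_state = 0;
static void device_handle(const uint8_t *data, size_t len) {
    device_state += (int)len;                 /* must stay in the child only */
    counters[0]++;                            /* "entered handler" edge */
    for (size_t i = 0; i < len; i++)
        counters[1 + (data[i] % (NUM_COUNTERS - 1))]++;  /* per-byte edge */
}

/* MAP_SHARED|MAP_ANONYMOUS pages are shared across fork(), so a copy made by
 * the child is visible to the parent after waitpid(). */
struct shared_cov { size_t total; uint8_t bytes[4096]; };

static void copy_out(void *start, size_t size, void *arg) {
    struct shared_cov *s = arg;
    if (s->total + size > sizeof s->bytes) return;      /* bounds check */
    memcpy(s->bytes + s->total, start, size);
    s->total += size;
}
static void copy_in(void *start, size_t size, void *arg) {
    struct shared_cov *s = arg;
    if (s->total + size > sizeof s->bytes) return;
    memcpy(start, s->bytes + s->total, size);
    s->total += size;
}

/* One fork-style fuzz iteration. Returns the child's exit status (0 = clean
 * run) or -1 on mmap/fork failure. Afterwards the parent's counters reflect
 * the child's execution while device_state in the parent is untouched. */
int fork_run_one(const uint8_t *data, size_t len) {
    struct shared_cov *s = mmap(NULL, sizeof *s, PROT_READ | PROT_WRITE,
                                MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (s == MAP_FAILED) return -1;
    s->total = 0;

    pid_t pid = fork();
    if (pid < 0) { munmap(s, sizeof *s); return -1; }
    if (pid == 0) {
        device_handle(data, len);              /* run the input in the child */
        iterate_feature_regions(copy_out, s);  /* export coverage to shared mem */
        _exit(0);                              /* skip atexit handlers/flushes */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    s->total = 0;                              /* rewind cursor for copy-in */
    iterate_feature_regions(copy_in, s);       /* import coverage into parent */
    munmap(s, sizeof *s);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int parent_device_state(void) { return device_state; }
unsigned counter_value(size_t i) { return i < NUM_COUNTERS ? counters[i] : 0; }

int main(void) {
    static const uint8_t sample[] = {1, 2, 1};   /* constructed input */
    int rc = fork_run_one(sample, sizeof sample);
    printf("exit=%d counters[0]=%u counters[2]=%u parent_state=%d\n", rc,
           counter_value(0), counter_value(2), parent_device_state());
    return rc == 0 ? 0 : 1;
}
```

The cursor in struct shared_cov is what lets the same callback pair handle several regions in order; the parent rewinds it before the copy-in pass so regions are read back in the order the child wrote them.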