From 529df8c0075a1a91860523ed33c475473d332ae3 Mon Sep 17 00:00:00 2001
From: Andrew Kelley
Date: Mon, 5 Aug 2024 18:37:19 -0700
Subject: [PATCH] libfuzzer: fix looking at wrong memory for pc counters
this fix bypasses the slice bounds, reading garbage data for up to the last 7 bits (which are technically supposed to be ignored). that's going to need to be fixed, let's fix that along with switching from byte elems to usize elems.
---
 lib/fuzzer.zig | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/lib/fuzzer.zig b/lib/fuzzer.zig
index a3446f9823..a5d8c9bbbf 100644
--- a/lib/fuzzer.zig
+++ b/lib/fuzzer.zig
@@ -276,7 +276,7 @@ const Fuzzer = struct {
 .score = 0,
 }, {});
 } else {
- if (f.n_runs % 1000 == 0) f.dumpStats();
+ if (f.n_runs % 10000 == 0) f.dumpStats();
 const analysis = f.analyzeLastRun();
 const gop = f.recent_cases.getOrPutAssumeCapacity(.{ 
@@ -303,16 +303,16 @@ const Fuzzer = struct {
 {
 const seen_pcs = f.seen_pcs.items[@sizeOf(SeenPcsHeader) + f.flagged_pcs.len * @sizeOf(usize) ..];
 for (seen_pcs, 0..) |*elem, i| {
- const byte_i = i / 8;
+ const byte_i = i * 8;
 const mask: u8 =
- (@as(u8, @intFromBool(f.pc_counters[byte_i + 0] != 0)) << 0) |
- (@as(u8, @intFromBool(f.pc_counters[byte_i + 1] != 0)) << 1) |
- (@as(u8, @intFromBool(f.pc_counters[byte_i + 2] != 0)) << 2) |
- (@as(u8, @intFromBool(f.pc_counters[byte_i + 3] != 0)) << 3) |
- (@as(u8, @intFromBool(f.pc_counters[byte_i + 4] != 0)) << 4) |
- (@as(u8, @intFromBool(f.pc_counters[byte_i + 5] != 0)) << 5) |
- (@as(u8, @intFromBool(f.pc_counters[byte_i + 6] != 0)) << 6) |
- (@as(u8, @intFromBool(f.pc_counters[byte_i + 7] != 0)) << 7);
+ (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 0] != 0)) << 0) |
+ (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 1] != 0)) << 1) |
+ (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 2] != 0)) << 2) |
+ (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 3] != 0)) << 3) |
+ (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 4] != 0)) << 4) |
+ (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 5] != 0)) << 5) |
+ (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 6] != 0)) << 6) |
+ (@as(u8, @intFromBool(f.pc_counters.ptr[byte_i + 7] != 0)) << 7);
 _ = @atomicRmw(u8, elem, .Or, mask, .monotonic);
 }
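Review bot: The eight `f.pc_counters.ptr[byte_i + k]` reads in the new mask expression index through the raw pointer and so skip the slice bounds check, which means the last `seen_pcs` element reads up to 7 bytes past the end of `pc_counters` whenever its length is not a multiple of 8 — the commit message acknowledges the garbage read, but it also drops the runtime check that safe build modes would otherwise give, and a fuzzer harness that reads out of bounds itself will surface as noise in sanitizer and crash reports. Clamping the group to what is left in the slice keeps every read in bounds and yields the same mask for full groups; a sketch follows. The local name `byte_i` is now misleading since it indexes counters rather than bitmap bytes; `group_start` or `counter_i` would read better. The enclosing block continues outside the hunk (the header counts 16 old lines but 15 are visible here), so I cannot see how the length of `seen_pcs` relates to `pc_counters.len`.
```zig
for (seen_pcs, 0..) |*elem, i| {
    // Clamp so the last group never reads past the end of pc_counters.
    const group_start = @min(i * 8, f.pc_counters.len);
    const group = f.pc_counters[group_start..][0..@min(8, f.pc_counters.len - group_start)];
    var mask: u8 = 0;
    for (group, 0..) |counter, bit| {
        if (counter != 0) mask |= @as(u8, 1) << @intCast(bit);
    }
    // … unchanged: atomic OR of mask into elem …
}
```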