I'm curious about that whether JQF instruments applications while fuzzing? Specifically, what means "Janala instruments all applications classes and several JDK classes"? Whether a class /method is not instrumented until a seed executes it and emit a trace event? If so, whether i cannot find an expected class/method is invoked until it is executed and instrumented? Thanks for your help!

Hi,

JQF instruments application classes that are in the classpath to collect code coverage information. Instrumentation is done on-the-fly, as classes are loaded by the classloader. I do not understand the question:

If so, whether i cannot find an expected class/method is invoked until it is executed and instrumented?

If you are asking whether a method will be instrumented only when invoked, then no. A method is instrumented when its class is loaded the first time by the Java classloader. It may be instrumented even if it is never invoked by the application. However, classes can be loaded dynamically; so, JQF only instruments those classes that actually get loaded in an application (and not all the classes in the classpath).

It helps! Another question is that whether JQF computes edge coverage?

JQF computes branch coverage. It instruments conditional jumps---such as "jump if less than zero" in bytecode, which are emitted by if-then-else or looping constructs in Java, as well as tableswitch, which is emitted by switch-case in Java---as well as virtual method calls. The destination of the jump (e.g. true/false for conditional, case number for switch, target type for virtual methods) is the "branch".