While working on potential improvements to libFuzzer’s mutations based on the table of recent compares, I came across this line in FuzzerMutate.cpp (https://github.com/llvm/llvm-project/blob/920c0f7e09e2a55a800a181fb9bfe296a8733c89/compiler-rt/lib/fuzzer/FuzzerMutate.cpp#L469):
PersistentAutoDictionary.push_back({DE->GetW(), 1});
It adds an entry to the persistent auto dictionary with a position hint for position 1, meaning that the mutator would (50% of the time) try to insert or overwrite some bytes with the entry specifically after the first byte of the input.
I’m somewhat puzzled about this particular choice. I would have expected the position hint value to be either std::numeric_limits<size_t>::max(), which would make the mutator always pick an insertion position at random, or an existing position hint. Is there something I’m missing here that would explain the preferred position 1?
Fabian
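An added illustration of the mechanic the post describes (a simplified model written for this thread, not libFuzzer's own code): a dictionary entry with a position hint is inserted or overwritten at the hint half of the time and at a random index otherwise, so a hint of 1 lands the word right after the first byte. The sentinel value, the explicit decision parameters and the bounds guards are assumptions of this model.

```cpp
// Added illustration, not libFuzzer's own code: a simplified model of how a
// dictionary entry with a position hint is applied (insert or overwrite).
// Random decisions libFuzzer draws from its PRNG are passed in explicitly.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <random>
#include <vector>
using Bytes = std::vector<uint8_t>;
// Assumed sentinel for "no position hint" (as the post suggests).
constexpr size_t kNoPositionHint = std::numeric_limits<size_t>::max();
struct Entry {
  Bytes word;
  size_t positionHint = kNoPositionHint;
  bool hasPositionHint() const { return positionHint != kNoPositionHint; }
};
// `insert` selects insert vs overwrite, `useHint` models the 50% coin flip on
// honouring the hint, `randomIdx` the random index. Returns new size (0 = not applied).
size_t applyEntry(Bytes &data, size_t maxSize, const Entry &e,
                  bool insert, bool useHint, size_t randomIdx) {
  const Bytes &w = e.word;
  const bool honour = e.hasPositionHint() && useHint;
  if (insert) {
    if (data.size() + w.size() > maxSize) return 0;
    size_t idx = honour ? e.positionHint : randomIdx % (data.size() + 1);
    if (idx > data.size()) return 0;  // hint past the end (guard in this model)
    data.insert(data.begin() + idx, w.begin(), w.end());
  } else {
    if (w.size() > data.size()) return 0;
    size_t idx = honour ? e.positionHint : randomIdx % (data.size() + 1 - w.size());
    if (idx + w.size() > data.size()) return 0;  // same guard for overwrite
    std::copy(w.begin(), w.end(), data.begin() + idx);
  }
  return data.size();
}
// Fraction of `trials` insertions whose word lands at offset 1 (after the first
// byte), with coin flips and indices drawn from a seeded PRNG.
double fractionAtOffset1(const Entry &e, unsigned trials, unsigned seed) {
  std::mt19937 rng(seed);
  unsigned hits = 0;
  for (unsigned i = 0; i < trials; ++i) {
    Bytes data = {'a', 'b', 'c', 'd'};  // constructed sample input
    bool useHint = rng() & 1;
    if (applyEntry(data, 64, e, true, useHint, rng()) && data[1] == e.word[0]) ++hits;
  }
  return double(hits) / trials;
}
```

With a hint of 1 on a 4-byte input the word lands at offset 1 roughly 60% of the time (50% from the hint plus a 1-in-5 chance from the random branch), versus about 20% with no hint.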