[llvm] r234571 - [lib/Fuzzer] Section: How good is my fuzzer?

Kostya Serebryany kcc at google.com
Thu Apr 9 23:32:29 PDT 2015


Author: kcc
Date: Fri Apr 10 01:32:29 2015
New Revision: 234571

URL: http://llvm.org/viewvc/llvm-project?rev=234571&view=rev
Log:
[lib/Fuzzer] Section: How good is my fuzzer?

Modified:
    llvm/trunk/docs/LibFuzzer.rst

Modified: llvm/trunk/docs/LibFuzzer.rst
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/docs/LibFuzzer.rst?rev=234571&r1=234570&r2=234571&view=diff
==============================================================================
--- llvm/trunk/docs/LibFuzzer.rst (original)
+++ llvm/trunk/docs/LibFuzzer.rst Fri Apr 10 01:32:29 2015
@@ -256,6 +256,21 @@ You can run both fuzzers on the same cor
 
 Periodically restart both fuzzers so that they can use each other's findings.
 
+How good is my fuzzer?
+----------------------
+
+Once you implement your target function ``TestOneInput`` and fuzz it to death,
+you will want to know whether the function or the corpus can be improved further.
+One easy to use metric is, of course, code coverage.
+You can get the coverage for your corpus like this::
+
+  ASAN_OPTIONS=coverage_pcs=1 ./fuzzer CORPUS_DIR -runs=0
+
+This will run all the tests in the CORPUS_DIR but will not generate any new tests
+and dump covered PCs to disk before exiting.
+Then you can subtract the set of covered PCs from the set of all instrumented PCs in the binary,
+see SanitizerCoverage_ for details.
+
 Fuzzing components of LLVM
 ==========================
 
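Review bot: In the paragraph after the command, "will not generate any new tests and dump covered PCs to disk" can be read as negating the dump as well. Suggest "This runs all the tests in CORPUS_DIR without generating any new ones, and dumps the covered PCs to disk before exiting." The same paragraph tells the reader to subtract the covered PCs from the set of all instrumented PCs but does not say where the dump is written or how to obtain the instrumented set. If the SanitizerCoverage page covers both, say so explicitly; otherwise add a sentence on each here. Also, the SanitizerCoverage_ reference needs a matching link target in LibFuzzer.rst, and none is visible in this hunk, so please confirm it is defined elsewhere in the file or add it. Minor: "easy to use metric" should be hyphenated as "easy-to-use metric".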




