[llvm] r279587 - [libFuzzer] docs on value profile
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Tue Aug 23 16:36:21 PDT 2016
Author: kcc
Date: Tue Aug 23 18:36:21 2016
New Revision: 279587
URL: http://llvm.org/viewvc/llvm-project?rev=279587&view=rev
Log:
[libFuzzer] docs on value profile
Modified:
llvm/trunk/docs/LibFuzzer.rst
Modified: llvm/trunk/docs/LibFuzzer.rst
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/docs/LibFuzzer.rst?rev=279587&r1=279586&r2=279587&view=diff
==============================================================================
--- llvm/trunk/docs/LibFuzzer.rst (original)
+++ llvm/trunk/docs/LibFuzzer.rst Tue Aug 23 18:36:21 2016
@@ -256,6 +256,8 @@ The most important command line options
``-use_counters``
Use `coverage counters`_ to generate approximate counts of how often code
blocks are hit; defaults to 1.
+``-use_value_profile``
+ Use `value profile`_ to guide corpus expansion; defaults to 0.
``-use_traces``
Use instruction traces (experimental, defaults to 0); see `Data-flow-guided fuzzing`_.
``-only_ascii``
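Review bot: the new ``-use_value_profile`` entry should say that the flag only does anything when the target was compiled with ``-fsanitize-coverage=trace-cmp``; as written, a reader scanning the option list has no hint that a compile-time step is required. The neighbouring ``-use_traces`` entry already points at its section, so the same shape would work here, e.g. "Use `value profile`_ to guide corpus expansion; requires ``-fsanitize-coverage=trace-cmp``, defaults to 0. See `Value Profile`_."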
@@ -334,6 +336,8 @@ Each output line also reports the follow
``cov:``
Total number of code blocks or edges covered by the executing the current
corpus.
+``vp:``
+ Size of the `value profile`_.
``bits:``
Rough measure of the number of code blocks or edges covered, and how often;
only valid if the fuzzer is run with ``-use_counters=1``.
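Review bot: "Size of the `value profile`_" for ``vp:`` is ambiguous about what is being counted. The Value Profile section added later in this patch describes the profile as bits set in a bitset, so state that here and carry over the validity caveat that the adjacent ``bits:`` entry has, e.g. "Number of bits set in the value-profile bitset; only valid if the fuzzer is run with ``-use_value_profile=1``."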
@@ -588,6 +592,29 @@ The dictionary syntax is similar to that
# the name of the keyword followed by '=' may be omitted:
"foo\x0Abar"
+Value Profile
+---------------
+
+*EXPERIMENTAL*.
+With an additional compiler flag ``-fsanitize-coverage=trace-cmp``
+(see SanitizerCoverageTraceDataFlow_)
+and extra run-time flag ``-use_value_profile=1`` the fuzzer will
+collect value profiles for the parameters of compare instructions
+and treat some new values as new coverage.
+
+The current imlpementation does roughly the following:
+
+* The compiler instruments all CMP instructions with a callback that receives both CMP arguments.
+* The callback computes `(caller_pc&4095) | (popcnt(Arg1 ^ Arg2) << 12)` and uses this value to set a bit in a bitset.
+* Every new observed bit in the bitset is treated as new coverage.
+
+
+This feature has a potential to discover many interesting inputs,
+but there are two downsides.
+First, the extra instrumentation may bring up to 2x additional slowdown.
+Second, the corpus may grow by several times.
+
+
Data-flow-guided fuzzing
------------------------
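Review bot: typo in the sentence introducing the bullet list: "imlpementation" should be "implementation". In the second bullet, the formula is wrapped in single backticks, which reStructuredText treats as interpreted text (rendered as a title reference, in italics) rather than as a literal; use double backticks: ``(caller_pc&4095) | (popcnt(Arg1 ^ Arg2) << 12)``. Two smaller points: "has a potential to discover" should read "has the potential to discover", and the "Value Profile" underline is longer than its title, while the other headings in this file (for instance "Data-flow-guided fuzzing" just below) match their title length exactly, so trim it to 13 dashes for consistency.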
@@ -900,6 +927,7 @@ Trophies
.. _MemorySanitizer: http://clang.llvm.org/docs/MemorySanitizer.html
.. _UndefinedBehaviorSanitizer: http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html
.. _`coverage counters`: http://clang.llvm.org/docs/SanitizerCoverage.html#coverage-counters
+.. _`value profile`: http://clang.llvm.org/docs/SanitizerCoverage.html#value-profile
.. _`caller-callee pairs`: http://clang.llvm.org/docs/SanitizerCoverage.html#caller-callee-coverage
.. _BoringSSL: https://boringssl.googlesource.com/boringssl/
.. _`fuzz various parts of LLVM itself`: `Fuzzing components of LLVM`_
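Review bot: the new `value profile`_ target points at a ``#value-profile`` anchor in SanitizerCoverage.html, but this patch only touches docs/LibFuzzer.rst, so that anchor is not introduced here. Please confirm the SanitizerCoverage document actually has a section with that id (the neighbouring ``#coverage-counters`` and ``#caller-callee-coverage`` targets follow the same pattern), otherwise the link will render but lead to the top of the page.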