[libFuzzer] docs: update the examples

llvm-svn: 285344
2024-11-26 12:43:36 +01:00 · 2016-10-27 21:03:48 +00:00 · 2016-10-27 21:03:48 +00:00 · 20e3021a2f
commit 20e3021a2f
parent bf2ad1b205
1 changed files with 30 additions and 30 deletions
--- a/docs/LibFuzzer.rst
+++ b/docs/LibFuzzer.rst
@ -92,9 +92,7 @@ options. Note that the libFuzzer library contains the ``main()`` function:
 .. code-block:: console
-  svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
+  svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer  # or git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer
  # Alternative: get libFuzzer from a dedicated git mirror:
  # git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer
  ./Fuzzer/build.sh  # Produces libFuzzer.a
 Then build the fuzzing target function and the library under test using
@ -116,7 +114,7 @@ latent bugs by making incorrect behavior generate errors at runtime:
 Finally, link with ``libFuzzer.a``::
-  clang -fsanitize-coverage=edge -fsanitize=address your_lib.cc fuzz_target.cc libFuzzer.a -o my_fuzzer
+  clang -fsanitize-coverage=trace-pc-guard -fsanitize=address your_lib.cc fuzz_target.cc libFuzzer.a -o my_fuzzer
 Corpus
 ------
@ -305,14 +303,16 @@ Output
 During operation the fuzzer prints information to ``stderr``, for example::
-  INFO: Seed: 3338750330
+  INFO: Seed: 1523017872
-  Loaded 1024/1211 files from corpus/
+  INFO: Loaded 1 modules (16 guards): [0x744e60, 0x744ea0), 
  INFO: -max_len is not provided, using 64
-  #0	READ   units: 1211 exec/s: 0
+  INFO: A corpus is not provided, starting from an empty corpus
-  #1211	INITED cov: 2575 bits: 8855 indir: 5 units: 830 exec/s: 1211
+  #0	READ units: 1
-  #1422	NEW    cov: 2580 bits: 8860 indir: 5 units: 831 exec/s: 1422 L: 21 MS: 1 ShuffleBytes-
+  #1	INITED cov: 3 ft: 2 corp: 1/1b exec/s: 0 rss: 24Mb
-  #1688	NEW    cov: 2581 bits: 8865 indir: 5 units: 832 exec/s: 1688 L: 19 MS: 2 EraseByte-CrossOver-
+  #3811	NEW    cov: 4 ft: 3 corp: 2/2b exec/s: 0 rss: 25Mb L: 1 MS: 5 ChangeBit-ChangeByte-ChangeBit-ShuffleBytes-ChangeByte-
-  #1734	NEW    cov: 2583 bits: 8879 indir: 5 units: 833 exec/s: 1734 L: 27 MS: 3 ChangeBit-EraseByte-ShuffleBytes-
+  #3827	NEW    cov: 5 ft: 4 corp: 3/4b exec/s: 0 rss: 25Mb L: 2 MS: 1 CopyPart-
  #3963	NEW    cov: 6 ft: 5 corp: 4/6b exec/s: 0 rss: 25Mb L: 2 MS: 2 ShuffleBytes-ChangeBit-
  #4167	NEW    cov: 7 ft: 6 corp: 5/9b exec/s: 0 rss: 25Mb L: 3 MS: 1 InsertByte-
  ...
 The early parts of the output include information about the fuzzer options and
@ -350,19 +350,16 @@ Each output line also reports the following statistics (when non-zero):
 ``cov:``
  Total number of code blocks or edges covered by the executing the current
  corpus.
-``vp:``
+``ft:``
-  Size of the `value profile`_.
+  libFuzzer uses different signals to evaluate the code coverage:
-``bits:``
+  edge coverage, edge counters, value profiles, indirect caller/callee pairs, etc.
-  Rough measure of the number of code blocks or edges covered, and how often;
+  These signals combined are called *features* (`ft:`).
-  only valid if the fuzzer is run with ``-use_counters=1``.
+``corp:``
-``indir:``
+  Number of entries in the current in-memory test corpus and its size in bytes.
  Number of distinct function `caller-callee pairs`_ executed with the
  current corpus; only valid if the code under test was built with
  ``-fsanitize-coverage=indirect-calls``.
 ``units:``
  Number of entries in the current input corpus.
 ``exec/s:``
  Number of fuzzer iterations per second.
 ``rss:``
  Current memory consumption.
 For ``NEW`` events, the output line also includes information about the mutation
 operation that produced the new input:
@ -397,19 +394,22 @@ A simple function that does something interesting if it receives the input
  }
  EOF
  # Build test_fuzzer.cc with asan and link against libFuzzer.a
-  clang++ -fsanitize=address -fsanitize-coverage=edge test_fuzzer.cc libFuzzer.a
+  clang++ -fsanitize=address -fsanitize-coverage=trace-pc-guard test_fuzzer.cc libFuzzer.a
  # Run the fuzzer with no corpus.
  ./a.out
 You should get an error pretty quickly::
-  #0  READ   units: 1 exec/s: 0
+  INFO: Seed: 1523017872
-  #1  INITED cov: 3 units: 1 exec/s: 0
+  INFO: Loaded 1 modules (16 guards): [0x744e60, 0x744ea0), 
-  #2  NEW    cov: 5 units: 2 exec/s: 0 L: 64 MS: 0
+  INFO: -max_len is not provided, using 64
-  #19237  NEW    cov: 9 units: 3 exec/s: 0 L: 64 MS: 0
+  INFO: A corpus is not provided, starting from an empty corpus
-  #20595  NEW    cov: 10 units: 4 exec/s: 0 L: 1 MS: 4 ChangeASCIIInt-ShuffleBytes-ChangeByte-CrossOver-
+  #0	READ units: 1
-  #34574  NEW    cov: 13 units: 5 exec/s: 0 L: 2 MS: 3 ShuffleBytes-CrossOver-ChangeBit-
+  #1	INITED cov: 3 ft: 2 corp: 1/1b exec/s: 0 rss: 24Mb
-  #34807  NEW    cov: 15 units: 6 exec/s: 0 L: 3 MS: 1 CrossOver-
+  #3811	NEW    cov: 4 ft: 3 corp: 2/2b exec/s: 0 rss: 25Mb L: 1 MS: 5 ChangeBit-ChangeByte-ChangeBit-ShuffleBytes-ChangeByte-
  #3827	NEW    cov: 5 ft: 4 corp: 3/4b exec/s: 0 rss: 25Mb L: 2 MS: 1 CopyPart-
  #3963	NEW    cov: 6 ft: 5 corp: 4/6b exec/s: 0 rss: 25Mb L: 2 MS: 2 ShuffleBytes-ChangeBit-
  #4167	NEW    cov: 7 ft: 6 corp: 5/9b exec/s: 0 rss: 25Mb L: 3 MS: 1 InsertByte-
  ==31511== ERROR: libFuzzer: deadly signal
  ...
  artifact_prefix='./'; Test unit written to ./crash-b13e8756b13a00cf168300179061fb4b91fefbed