mirror of
https://github.com/RPCS3/llvm-mirror.git
synced 2024-11-26 04:32:44 +01:00
285f1f0e41
Introduce -mllvm -sanitizer-coverage-8bit-counters=1 which adds imprecise thread-unfriendly 8-bit coverage counters. The run-time library maps these 8-bit counters to 8-bit bitsets in the same way AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does: counter values are divided into 8 ranges and based on the counter value one of the bits in the bitset is set. The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+. These counters provide a search heuristic for single-threaded coverage-guided fuzzers, we do not expect them to be useful for other purposes. Depending on the value of -fsanitize-coverage=[123] flag, these counters will be added to the function entry blocks (=1), every basic block (=2), or every edge (=3). Use these counters as an optional search heuristic in the Fuzzer library. Add a test where this heuristic is critical. llvm-svn: 231166
47 lines
2.4 KiB
Modula-2
47 lines
2.4 KiB
Modula-2
//===- FuzzerFlags.def - Run-time flags -------------------------*- C++ -* ===//
|
|
//
|
|
// The LLVM Compiler Infrastructure
|
|
//
|
|
// This file is distributed under the University of Illinois Open Source
|
|
// License. See LICENSE.TXT for details.
|
|
//
|
|
//===----------------------------------------------------------------------===//
|
|
// Flags. FUZZER_FLAG macro should be defined at the point of inclusion.
|
|
// We are not using any flag parsing library for better portability and
|
|
// independence.
|
|
//===----------------------------------------------------------------------===//
|
|
FUZZER_FLAG(int, verbosity, 1, "Verbosity level.")
|
|
FUZZER_FLAG(int, seed, 0, "Random seed. If 0, seed is generated.")
|
|
FUZZER_FLAG(int, iterations, -1,
|
|
"Number of iterations of the fuzzer internal loop"
|
|
" (-1 for infinite iterations).")
|
|
FUZZER_FLAG(int, runs, -1,
|
|
"Number of individual test runs (-1 for infinite runs).")
|
|
FUZZER_FLAG(int, max_len, 64, "Maximal length of the test input.")
|
|
FUZZER_FLAG(int, cross_over, 1, "If 1, cross over inputs.")
|
|
FUZZER_FLAG(int, mutate_depth, 5,
|
|
"Apply this number of consecutive mutations to each input.")
|
|
FUZZER_FLAG(
|
|
int, prefer_small_during_initial_shuffle, -1,
|
|
"If 1, always prefer smaller inputs during the initial corpus shuffle."
|
|
" If 0, never do that. If -1, do it sometimes.")
|
|
FUZZER_FLAG(int, exit_on_first, 0,
|
|
"If 1, exit after the first new interesting input is found.")
|
|
FUZZER_FLAG(int, timeout, -1, "Timeout in seconds (if positive).")
|
|
FUZZER_FLAG(int, help, 0, "Print help.")
|
|
FUZZER_FLAG(
|
|
int, save_minimized_corpus, 0,
|
|
"If 1, the minimized corpus is saved into the first input directory")
|
|
FUZZER_FLAG(int, use_counters, 0, "Use coverage counters")
|
|
FUZZER_FLAG(int, use_full_coverage_set, 0,
|
|
"Experimental: Maximize the number of different full"
|
|
" coverage sets as opposed to maximizing the total coverage."
|
|
" This is potentially MUCH slower, but may discover more paths.")
|
|
FUZZER_FLAG(int, use_coverage_pairs, 0,
|
|
"Experimental: Maximize the number of different coverage pairs.")
|
|
FUZZER_FLAG(int, jobs, 0, "Number of jobs to run. If jobs >= 1 we spawn"
|
|
" this number of jobs in separate worker processes"
|
|
" with stdout/stderr redirected to fuzz-JOB.log.")
|
|
FUZZER_FLAG(int, workers, 0,
|
|
"Number of simultaneous worker processes to run the jobs.")
|