1
0
mirror of https://github.com/RPCS3/llvm-mirror.git synced 2024-11-26 04:32:44 +01:00
llvm-mirror/lib/Fuzzer/FuzzerFlags.def
Kostya Serebryany 285f1f0e41 [sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.

The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.

These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.

Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).

Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.

llvm-svn: 231166
2015-03-03 23:27:02 +00:00

47 lines
2.4 KiB
Modula-2

//===- FuzzerFlags.def - Run-time flags -------------------------*- C++ -* ===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
// Flags. FUZZER_FLAG macro should be defined at the point of inclusion.
// We are not using any flag parsing library for better portability and
// independence.
//===----------------------------------------------------------------------===//
FUZZER_FLAG(int, verbosity, 1, "Verbosity level.")
FUZZER_FLAG(int, seed, 0, "Random seed. If 0, seed is generated.")
FUZZER_FLAG(int, iterations, -1,
"Number of iterations of the fuzzer internal loop"
" (-1 for infinite iterations).")
FUZZER_FLAG(int, runs, -1,
"Number of individual test runs (-1 for infinite runs).")
FUZZER_FLAG(int, max_len, 64, "Maximal length of the test input.")
FUZZER_FLAG(int, cross_over, 1, "If 1, cross over inputs.")
FUZZER_FLAG(int, mutate_depth, 5,
"Apply this number of consecutive mutations to each input.")
FUZZER_FLAG(
int, prefer_small_during_initial_shuffle, -1,
"If 1, always prefer smaller inputs during the initial corpus shuffle."
" If 0, never do that. If -1, do it sometimes.")
FUZZER_FLAG(int, exit_on_first, 0,
"If 1, exit after the first new interesting input is found.")
FUZZER_FLAG(int, timeout, -1, "Timeout in seconds (if positive).")
FUZZER_FLAG(int, help, 0, "Print help.")
FUZZER_FLAG(
int, save_minimized_corpus, 0,
"If 1, the minimized corpus is saved into the first input directory")
FUZZER_FLAG(int, use_counters, 0, "Use coverage counters")
FUZZER_FLAG(int, use_full_coverage_set, 0,
"Experimental: Maximize the number of different full"
" coverage sets as opposed to maximizing the total coverage."
" This is potentially MUCH slower, but may discover more paths.")
FUZZER_FLAG(int, use_coverage_pairs, 0,
"Experimental: Maximize the number of different coverage pairs.")
FUZZER_FLAG(int, jobs, 0, "Number of jobs to run. If jobs >= 1 we spawn"
" this number of jobs in separate worker processes"
" with stdout/stderr redirected to fuzz-JOB.log.")
FUZZER_FLAG(int, workers, 0,
"Number of simultaneous worker processes to run the jobs.")