[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 4/4] docs/fuzz: add instructions for generating a coverage re
From: |
Alexander Bulekov |
Subject: |
Re: [PATCH 4/4] docs/fuzz: add instructions for generating a coverage report |
Date: |
Tue, 7 Jul 2020 00:41:24 -0400 |
User-agent: |
NeoMutt/20180716 |
On 200706 1555, Alexander Bulekov wrote:
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
> ---
> docs/devel/fuzzing.txt | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
> index 284d57f8fd..a9816ffce9 100644
> --- a/docs/devel/fuzzing.txt
> +++ b/docs/devel/fuzzing.txt
> @@ -85,6 +85,25 @@ better coverage performance, depending on the target.
> Note that libFuzzer's exact behavior will depend on the version of
> clang and libFuzzer used to build the device fuzzers.
>
> +== Generating Coverage Reports ==
> +Code coverage is a crucial metric for evaluating a fuzzer's performance.
> +libFuzzer's output provides a "cov: " column that provides a total number of
> +unique blocks/edges covered. To examine coverage on a line-by-line basis we
> +can use Clang coverage:
> +
> + 1. Configure libFuzzer to store a corpus of all interesting inputs (see
> + CORPUS_DIR above)
> + 2. ./configure the QEMU build with:
> + --enable-sanitizers \
Oops... that should be --enable-fuzzing \
> + --extra-cflags="-fprofile-instr-generate -fcoverage-mapping"
> + 3. Re-run the fuzzer. Specify $CORPUS_DIR/* as an argument, telling
> libfuzzer
> + to execute all of the inputs in $CORPUS_DIR and exit. Once the process
> + exits, you should find a file, "default.profraw" in the working
> directory.
> + 4. Execute these commands to generate a detailed HTML coverage-report:
> + llvm-profdata merge -output=default.profdata default.profraw
> + llvm-cov show ./path/to/qemu-fuzz-i386 -instr-profile=default.profdata \
> + --format html -output-dir=/path/to/output/report
> +
> == Adding a new fuzzer ==
> Coverage over virtual devices can be improved by adding additional fuzzers.
> Fuzzers are kept in tests/qtest/fuzz/ and should be added to
> --
> 2.26.2
>
- [PATCH 0/4] fuzz: misc patches, Alexander Bulekov, 2020/07/06
- [PATCH 1/4] fuzz: build without AddressSanitizer, by default, Alexander Bulekov, 2020/07/06
- [PATCH 2/4] docs/fuzz: describe building fuzzers with enable-sanitizers, Alexander Bulekov, 2020/07/06
- [PATCH 3/4] docs/fuzz: add information about useful libFuzzer flags, Alexander Bulekov, 2020/07/06
- [PATCH 4/4] docs/fuzz: add instructions for generating a coverage report, Alexander Bulekov, 2020/07/06
- Re: [PATCH 4/4] docs/fuzz: add instructions for generating a coverage report,
Alexander Bulekov <=