[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 07/10] docs/fuzz: add instructions for generating a coverage repor
From: |
Thomas Huth |
Subject: |
[PULL 07/10] docs/fuzz: add instructions for generating a coverage report |
Date: |
Tue, 21 Jul 2020 10:10:52 +0200 |
From: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200706195534.14962-5-alxndr@bu.edu>
[thuth: Replaced --enable-sanitizers with --enable-fuzzing]
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
docs/devel/fuzzing.txt | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
index 6d18115239..96d71c94d7 100644
--- a/docs/devel/fuzzing.txt
+++ b/docs/devel/fuzzing.txt
@@ -85,6 +85,25 @@ better coverage performance, depending on the target.
Note that libFuzzer's exact behavior will depend on the version of
clang and libFuzzer used to build the device fuzzers.
+== Generating Coverage Reports ==
+Code coverage is a crucial metric for evaluating a fuzzer's performance.
+libFuzzer's output provides a "cov: " column that provides a total number of
+unique blocks/edges covered. To examine coverage on a line-by-line basis we
+can use Clang coverage:
+
+ 1. Configure libFuzzer to store a corpus of all interesting inputs (see
+ CORPUS_DIR above)
+ 2. ./configure the QEMU build with:
+ --enable-fuzzing \
+ --extra-cflags="-fprofile-instr-generate -fcoverage-mapping"
+ 3. Re-run the fuzzer. Specify $CORPUS_DIR/* as an argument, telling libfuzzer
+ to execute all of the inputs in $CORPUS_DIR and exit. Once the process
+ exits, you should find a file, "default.profraw" in the working directory.
+ 4. Execute these commands to generate a detailed HTML coverage-report:
+ llvm-profdata merge -output=default.profdata default.profraw
+ llvm-cov show ./path/to/qemu-fuzz-i386 -instr-profile=default.profdata \
+ --format html -output-dir=/path/to/output/report
+
== Adding a new fuzzer ==
Coverage over virtual devices can be improved by adding additional fuzzers.
Fuzzers are kept in tests/qtest/fuzz/ and should be added to
--
2.18.1
- [PULL 00/10] qtest / fuzzer patches, Thomas Huth, 2020/07/21
- [PULL 01/10] scripts/oss-fuzz: Limit target list to i386-softmmu, Thomas Huth, 2020/07/21
- [PULL 02/10] fuzz: Fix leak when assembling datadir path string, Thomas Huth, 2020/07/21
- [PULL 03/10] gitlab-ci.yml: Add oss-fuzz build tests, Thomas Huth, 2020/07/21
- [PULL 04/10] fuzz: build without AddressSanitizer, by default, Thomas Huth, 2020/07/21
- [PULL 05/10] docs/fuzz: describe building fuzzers with enable-sanitizers, Thomas Huth, 2020/07/21
- [PULL 07/10] docs/fuzz: add instructions for generating a coverage report,
Thomas Huth <=
- [PULL 06/10] docs/fuzz: add information about useful libFuzzer flags, Thomas Huth, 2020/07/21
- [PULL 10/10] hw: Mark nd_table[] misuse in realize methods FIXME, Thomas Huth, 2020/07/21
- [PULL 08/10] MAINTAINERS: Extend the device fuzzing section, Thomas Huth, 2020/07/21
- [PULL 09/10] msf2: Unbreak device-list-properties for "msf-soc", Thomas Huth, 2020/07/21
- Re: [PULL 00/10] qtest / fuzzer patches, Peter Maydell, 2020/07/21