Lines Matching +full:asan +full:- +full:trace +full:- +full:cmp
12 get function-level, basic-block-level, and edge-level coverage at a very low
21 following compile-time flags:
23 * ``-fsanitize-coverage=func`` for function-level coverage (very fast).
24 * ``-fsanitize-coverage=bb`` for basic-block-level coverage (may add up to 30%
26 * ``-fsanitize-coverage=edge`` for edge-level coverage (up to 40% slowdown).
28 You may also specify ``-fsanitize-coverage=indirect-calls`` for
29 additional `caller-callee coverage`_.
35 To get `Coverage counters`_, add ``-fsanitize-coverage=8bit-counters``
36 to one of the above compile-time flags. At runtime, use
41 .. code-block:: console
43 % cat -n cov.cc
53 % clang++ -g cov.cc -fsanitize=address -fsanitize-coverage=func
54 % ASAN_OPTIONS=coverage=1 ./a.out; ls -l *sancov
56 -rw-r----- 1 kcc eng 4 Nov 27 12:21 a.out.22673.sancov
57 % ASAN_OPTIONS=coverage=1 ./a.out foo ; ls -l *sancov
60 -rw-r----- 1 kcc eng 4 Nov 27 12:21 a.out.22673.sancov
61 -rw-r----- 1 kcc eng 8 Nov 27 12:21 a.out.22679.sancov
77 ``$LLVM/projects/compiler-rt/lib/sanitizer_common/scripts/sancov.py`` is
80 .. code-block:: console
89 You can then filter the output of ``sancov.py`` through ``addr2line --exe
90 ObjectFile`` or ``llvm-symbolizer --obj ObjectFile`` to get file names and line
93 .. code-block:: console
95 … % sancov.py print a.out.22679.sancov a.out.22673.sancov 2> /dev/null | llvm-symbolizer --obj a.out
109 .. code-block:: console
114 -print - Print coverage addresses
115 -covered-functions - Print all covered functions.
116 -not-covered-functions - Print all not covered functions.
117 -html-report - Print HTML coverage report.
120 -blacklist=<string> - Blacklist file (sanitizer blacklist format).
121 -demangle - Print demangled function name.
122 -strip_path_prefix=<string> - Strip this prefix from file paths in reports
142 .. code-block:: console
145 sancov.py: read 2 64-bit PCs from a.out.12345.sancov
158 .. code-block:: c++
167 .. code-block:: none
181 edge-level coverage (``-fsanitize-coverage=edge``) simply splits all critical
184 .. code-block:: none
197 When ``coverage_bitset=1`` run-time flag is given, the coverage will also be
201 .. code-block:: console
203 % clang++ -fsanitize=address -fsanitize-coverage=edge cov.cc
210 ==> a.out.38214.bitset-sancov <==
212 ==> a.out.6128.bitset-sancov <==
217 easily used for bitset-based corpus distillation.
219 Caller-callee coverage
223 Every indirect function call is instrumented with a run-time function call that
225 file called ``caller-callee.PID.sancov`` which contains caller/callee pairs as
228 .. code-block:: console
250 instrumentation. With additional compile-time and run-time flags you can get
253 On exit, every counter will be mapped to a 8-bit bitset representing counter
254 ranges: ``1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+`` and those 8-bit bitsets will
257 .. code-block:: console
259 % clang++ -g cov.cc -fsanitize=address -fsanitize-coverage=edge,8bit-counters
261 % ls -l *counters-sancov
262 ... a.out.17110.counters-sancov
263 % xxd *counters-sancov
266 These counters may also be used for in-process coverage-guided fuzzers. See
269 .. code-block:: c++
275 // We define 8 value ranges: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+
276 // The i-th bit is set to 1 if the counter value is in the i-th range.
277 // This counter-based coverage implementation is *not* thread-safe.
285 // __sanitizer_get_number_of_counters bytes long and 8-aligned.
292 With ``-fsanitize-coverage=trace-bb`` the compiler will insert
294 (depending on the value of ``-fsanitize-coverage=[func,bb,edge]``).
297 .. code-block:: console
299 % clang -g -fsanitize=address -fsanitize-coverage=edge,trace-bb foo.cc
303 `trace-points.PID.sancov` and `trace-events.PID.sancov`.
305 in the form that you can feed into llvm-symbolizer (e.g. `a.out 0x4dca89`), one per line.
306 The second file will contain the actual execution trace as a sequence of 4-byte integers
307 -- these integers are the indices into the array of instrumented points (the first file).
309 Basic block tracing is currently supported only for single-threaded applications.
315 With ``-fsanitize-coverage=trace-pc`` the compiler will insert
317 With an additional ``...=trace-pc,indirect-calls`` flag
319 These callbacks are not implemented in the Sanitizer run-time and should be defined
327 An *experimental* feature to support data-flow-guided fuzzing.
328 With ``-fsanitize-coverage=trace-cmp`` the compiler will insert extra instrumentation
333 .. code-block:: c++
337 // - [63:32] the Size of the operands of comparison in bits
338 // - [31:0] the Type of comparison (one of ICMP_EQ, ... ICMP_SLE)
350 The current implementation is not thread-safe and thus can be safely used only for single-threaded …
358 .. code-block:: console
361 % ls -l /tmp/cov/*sancov
362 -rw-r----- 1 kcc eng 4 Nov 27 12:21 a.out.22673.sancov
363 -rw-r----- 1 kcc eng 8 Nov 27 12:21 a.out.22679.sancov
372 If the program ends with a signal that ASan does not handle (or can not handle
377 memory-mapped file as soon as it collected.
379 .. code-block:: console
394 Note that on 64-bit platforms, this method writes 2x more data than the default,
395 because it stores full PC values instead of 32-bit offsets.
397 In-process fuzzing
401 a fuzzer in the same process as the code being fuzzed (in-process fuzzer).
408 If a fuzzer finds a bug in the ASan run, you will need to save the reproducer
413 <http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/README.txt?view=markup>`_.
418 This coverage implementation is **fast**. With function-level coverage
419 (``-fsanitize-coverage=func``) the overhead is not measurable. With
420 basic-block-level coverage (``-fsanitize-coverage=bb``) the overhead varies
424 benchmark cov0 cov1 diff 0-1 cov2 diff 0-2 diff 1-2
455 <https://groups.google.com/forum/#!topic/llvm-dev/cDqYgnxNEhY>`_.