SanitizerCoverage.rst - OpenGrok cross reference for /external/clang/docs/SanitizerCoverage.rst

Lines Matching full:coverage
11 Sanitizer tools have a very simple code coverage tool built in. It allows to
12 get function-level, basic-block-level, and edge-level coverage at a very low
23 * ``-fsanitize-coverage=func`` for function-level coverage (very fast).
24 * ``-fsanitize-coverage=bb`` for basic-block-level coverage (may add up to 30%
26 * ``-fsanitize-coverage=edge`` for edge-level coverage (up to 40% slowdown).
28 You may also specify ``-fsanitize-coverage=indirect-calls`` for
29 additional `caller-callee coverage`_.
31 At run time, pass ``coverage=1`` in ``ASAN_OPTIONS``,
33 appropriate. For the standalone coverage mode, use ``UBSAN_OPTIONS``.
35 To get `Coverage counters`_, add ``-fsanitize-coverage=8bit-counters``
37 ``*SAN_OPTIONS=coverage=1:coverage_counters=1``.
53     % clang++ -g cov.cc -fsanitize=address -fsanitize-coverage=func
54     % ASAN_OPTIONS=coverage=1 ./a.out; ls -l *sancov
57     % ASAN_OPTIONS=coverage=1 ./a.out foo ; ls -l *sancov
102 A new experimental ``sancov`` tool is developed to process coverage files.
114       -print                    - Print coverage addresses
117       -html-report              - Print HTML coverage report.
129 coverage report would be automatically generated alongside the coverage files.
134 How good is the coverage?
150     sancov.py: 1 PCs missing from coverage
153 Edge coverage
181 edge-level coverage (``-fsanitize-coverage=edge``) simply splits all critical
197 When ``coverage_bitset=1`` run-time flag is given, the coverage will also be
203     % clang++ -fsanitize=address -fsanitize-coverage=edge cov.cc
204     % ASAN_OPTIONS="coverage=1:coverage_bitset=1" ./a.out
206     % ASAN_OPTIONS="coverage=1:coverage_bitset=1" ./a.out 1
216 unless dlopen/dlclose come into play), so the bitset coverage can be
219 Caller-callee coverage
245 Coverage counters
249 `AFL <http://lcamtuf.coredump.cx/afl/technical_details.txt>`__'s coverage
251 more sensitive coverage information.  In addition to boolean values assigned to
259     % clang++ -g cov.cc -fsanitize=address -fsanitize-coverage=edge,8bit-counters
260     % ASAN_OPTIONS="coverage=1:coverage_counters=1" ./a.out
266 These counters may also be used for in-process coverage-guided fuzzers. See
271     // The coverage instrumentation may optionally provide imprecise counters.
277     // This counter-based coverage implementation is *not* thread-safe.
279     // Returns the number of registered coverage counters.
292 With ``-fsanitize-coverage=trace-bb`` the compiler will insert
294 (depending on the value of ``-fsanitize-coverage=[func,bb,edge]``).
299     % clang -g -fsanitize=address -fsanitize-coverage=edge,trace-bb foo.cc
300     % ASAN_OPTIONS=coverage=1 ./a.out
315 With ``-fsanitize-coverage=trace-pc`` the compiler will insert
328 With ``-fsanitize-coverage=trace-cmp`` the compiler will insert extra instrumentation
360     % ASAN_OPTIONS="coverage=1:coverage_dir=/tmp/cov" ./a.out foo
368 Normally, coverage data is collected in memory and saved to disk when the
373 at all, like SIGKILL), coverage data will be lost. This is a big problem on
376 With ``ASAN_OPTIONS=coverage=1:coverage_direct=1`` coverage data is written to a
381     % ASAN_OPTIONS="coverage=1:coverage_direct=1" ./a.out
400 Coverage data could be useful for fuzzers and sometimes it is preferable to run
405 covered entities in the program. This will tell the fuzzer if the coverage has
418 This coverage implementation is **fast**. With function-level coverage
419 (``-fsanitize-coverage=func``) the overhead is not measurable. With
420 basic-block-level coverage (``-fsanitize-coverage=bb``) the overhead varies
447 Why another coverage?
450 Why did we implement yet another code coverage?
453   * Traditional coverage implementations based in global counters