[lib/Fuzzer] Section: How good is my fuzzer?

author Kostya Serebryany <kcc@google.com>

Fri, 10 Apr 2015 06:32:29 +0000 (06:32 +0000)

committer Kostya Serebryany <kcc@google.com>

Fri, 10 Apr 2015 06:32:29 +0000 (06:32 +0000)
author Kostya Serebryany <kcc@google.com>
Fri, 10 Apr 2015 06:32:29 +0000 (06:32 +0000)
committer Kostya Serebryany <kcc@google.com>
Fri, 10 Apr 2015 06:32:29 +0000 (06:32 +0000)
diff --git a/docs/LibFuzzer.rst b/docs/LibFuzzer.rst

index 842599cad887099003719ec02bad164241ee1e4d..a31f83d39500f65abb96ba1a75b4d1eb219b4038 100644 (file)
--- a/docs/LibFuzzer.rst
+++ b/docs/LibFuzzer.rst
@@ -256,6 +256,21 @@ You can run both fuzzers on the same corpus in parallel::
  
  Periodically restart both fuzzers so that they can use each other's findings.
  
+How good is my fuzzer?
+----------------------
+
+Once you implement your target function ``TestOneInput`` and fuzz it to death,
+you will want to know whether the function or the corpus can be improved further.
+One easy to use metric is, of course, code coverage.
+You can get the coverage for your corpus like this::
+
+  ASAN_OPTIONS=coverage_pcs=1 ./fuzzer CORPUS_DIR -runs=0
+
+This will run all the tests in the CORPUS_DIR but will not generate any new tests
+and dump covered PCs to disk before exiting.
+Then you can subtract the set of covered PCs from the set of all instrumented PCs in the binary,
+see SanitizerCoverage_ for details.
+
  Fuzzing components of LLVM
  ==========================
author	Kostya Serebryany <kcc@google.com>
	Fri, 10 Apr 2015 06:32:29 +0000 (06:32 +0000)
committer	Kostya Serebryany <kcc@google.com>
	Fri, 10 Apr 2015 06:32:29 +0000 (06:32 +0000)