From f3a664fc2ebababe7e91a0a73503a66f359da2f4 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Fri, 10 Apr 2015 06:32:29 +0000 Subject: [PATCH] [lib/Fuzzer] Section: How good is my fuzzer? git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@234571 91177308-0d34-0410-b5e6-96231b3b80d8 --- docs/LibFuzzer.rst | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/LibFuzzer.rst b/docs/LibFuzzer.rst index 842599cad88..a31f83d3950 100644 --- a/docs/LibFuzzer.rst +++ b/docs/LibFuzzer.rst @@ -256,6 +256,21 @@ You can run both fuzzers on the same corpus in parallel:: Periodically restart both fuzzers so that they can use each other's findings. +How good is my fuzzer? +---------------------- + +Once you implement your target function ``TestOneInput`` and fuzz it to death, +you will want to know whether the function or the corpus can be improved further. +One easy to use metric is, of course, code coverage. +You can get the coverage for your corpus like this:: + + ASAN_OPTIONS=coverage_pcs=1 ./fuzzer CORPUS_DIR -runs=0 + +This will run all the tests in the CORPUS_DIR but will not generate any new tests +and dump covered PCs to disk before exiting. +Then you can subtract the set of covered PCs from the set of all instrumented PCs in the binary, +see SanitizerCoverage_ for details. + Fuzzing components of LLVM ========================== -- 2.34.1
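Review bot: The new "How good is my fuzzer?" section tells the reader to "subtract the set of covered PCs from the set of all instrumented PCs" but never says where the `ASAN_OPTIONS=coverage_pcs=1 ./fuzzer CORPUS_DIR -runs=0` run writes the dump, nor how the set of all instrumented PCs is obtained; deferring both to "see SanitizerCoverage_ for details" leaves the step unusable without leaving the page, so name the output location and the tool used for the subtraction here, or at least state that the binary must have been built with coverage instrumentation for the dump to appear. Minor wording: "One easy to use metric" should be "One easy-to-use metric", "all the tests in the CORPUS_DIR" reads better as "all the tests in CORPUS_DIR", and the last sentence is a run-on that would be clearer split after "in the binary".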