| field | value | date |
|---|---|---|
| author | Kostya Serebryany <kcc@google.com> | 2016-09-09 01:17:03 +0000 |
| committer | Kostya Serebryany <kcc@google.com> | 2016-09-09 01:17:03 +0000 |
| commit | 5c04bd250e84ed67624896550b65236a9170efcc (patch) | |
| tree | 6202d3fd522334b6eeb4a047585840c05ffc9a12 /llvm/docs | |
| parent | 2c3ea554985b1433db28a504c629d5d8c0eea185 (diff) | |
| download | bcm5719-llvm-5c04bd250e84ed67624896550b65236a9170efcc.tar.gz bcm5719-llvm-5c04bd250e84ed67624896550b65236a9170efcc.zip | |
[libFuzzer] remove use_traces=1 since use_value_profile seems to be strictly better
llvm-svn: 281007
Diffstat (limited to 'llvm/docs')
-rw-r--r-- | llvm/docs/LibFuzzer.rst | 18 |
1 files changed, 1 insertions, 17 deletions
diff --git a/llvm/docs/LibFuzzer.rst b/llvm/docs/LibFuzzer.rst index 9074cd8872f..69919085e2f 100644 --- a/llvm/docs/LibFuzzer.rst +++ b/llvm/docs/LibFuzzer.rst @@ -240,7 +240,7 @@ The most important command line options are: directory. Defaults to 0. This flag can be used to minimize a corpus. ``-minimize_crash`` If 1, minimizes the provided crash input. - Use with -runs=N or -max_total_time=N to limit the number attempts. + Use with -runs=N or -max_total_time=N to limit the number of attempts. ``-reload`` If set to 1 (the default), the corpus directory is re-read periodically to check for new inputs; this allows detection of new inputs that were discovered @@ -261,8 +261,6 @@ The most important command line options are: blocks are hit; defaults to 1. ``-use_value_profile`` Use `value profile`_ to guide corpus expansion; defaults to 0. -``-use_traces`` - Use instruction traces (experimental, defaults to 0); see `Data-flow-guided fuzzing`_. ``-only_ascii`` If 1, generate only ASCII (``isprint``+``isspace``) inputs. Defaults to 0. ``-artifact_prefix`` @@ -619,19 +617,6 @@ but there are two downsides. First, the extra instrumentation may bring up to 2x additional slowdown. Second, the corpus may grow by several times. - -Data-flow-guided fuzzing ------------------------- - -*EXPERIMENTAL*. -With an additional compiler flag ``-fsanitize-coverage=trace-cmp`` (see SanitizerCoverageTraceDataFlow_) -and extra run-time flag ``-use_traces=1`` the fuzzer will try to apply *data-flow-guided fuzzing*. -That is, the fuzzer will record the inputs to comparison instructions, switch statements, -and several libc functions (``memcmp``, ``strcmp``, ``strncmp``, etc). -It will later use those recorded inputs during mutations. - -This mode can be combined with DataFlowSanitizer_ to achieve better sensitivity. - Fuzzer-friendly build mode --------------------------- Sometimes the code under test is not fuzzing-friendly. Examples: 
@@ -922,7 +907,6 @@ Trophies .. _AFL: http://lcamtuf.coredump.cx/afl/ .. _SanitizerCoverage: http://clang.llvm.org/docs/SanitizerCoverage.html .. _SanitizerCoverageTraceDataFlow: http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-data-flow -.. _DataFlowSanitizer: http://clang.llvm.org/docs/DataFlowSanitizer.html .. _AddressSanitizer: http://clang.llvm.org/docs/AddressSanitizer.html .. _LeakSanitizer: http://clang.llvm.org/docs/LeakSanitizer.html .. _Heartbleed: http://en.wikipedia.org/wiki/Heartbleed |
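Review bot: with the ``-use_traces`` entry gone, the ``-use_value_profile`` line left in the @@ -261,8 hunk is the only option text that mentions value profiling and it still only says "Use `value profile`_ to guide corpus expansion; defaults to 0"; since the commit message presents value profile as the replacement for traces, consider stating in that entry (or in the `value profile`_ section it links to) which ``-fsanitize-coverage=`` instrumentation it needs at build time, because the one sentence in this diff that names ``-fsanitize-coverage=trace-cmp`` is deleted in the @@ -619,19 hunk.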
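Review bot: the @@ -619,19 hunk deletes both the leading and the trailing blank line of the removed Data-flow-guided section, so only one blank line remains between "Second, the corpus may grow by several times." and the "Fuzzer-friendly build mode" heading where the original had two; RST accepts either, but check the section-spacing convention used elsewhere in LibFuzzer.rst and keep one of the removed blank lines if the rest of the file separates sections with two.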
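Review bot: the @@ -922,7 hunk drops the ``.. _DataFlowSanitizer:`` target but keeps ``.. _SanitizerCoverageTraceDataFlow:``, whose only reference visible in this diff was in the deleted Data-flow-guided section; if nothing else in LibFuzzer.rst references ``SanitizerCoverageTraceDataFlow_``, remove that target in the same commit so the link list stays consistent with the text, and if it is still used elsewhere, say so in the commit message.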