[lib/Fuzzer] Section: How good is my fuzzer?

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@234571 91177308-0d34-0410-b5e6-96231b3b80d8
2025-04-12 07:37:34 +00:00 · 2015-04-10 06:32:29 +00:00 · 2015-04-10 06:32:29 +00:00 · f3a664fc2e
commit f3a664fc2e
parent 3e35db6c50
1 changed files with 15 additions and 0 deletions
--- a/docs/LibFuzzer.rst
+++ b/docs/LibFuzzer.rst
@ -256,6 +256,21 @@ You can run both fuzzers on the same corpus in parallel::

 Periodically restart both fuzzers so that they can use each other's findings.

+How good is my fuzzer?
+----------------------
+
+Once you implement your target function ``TestOneInput`` and fuzz it to death,
+you will want to know whether the function or the corpus can be improved further.
+One easy to use metric is, of course, code coverage.
+You can get the coverage for your corpus like this::
+
+  ASAN_OPTIONS=coverage_pcs=1 ./fuzzer CORPUS_DIR -runs=0
+
+This will run all the tests in the CORPUS_DIR but will not generate any new tests
+and dump covered PCs to disk before exiting.
+Then you can subtract the set of covered PCs from the set of all instrumented PCs in the binary,
+see SanitizerCoverage_ for details.
+
 Fuzzing components of LLVM
 ==========================