SanitizerCoverage.rst - OpenGrok cross reference for /external/clang/docs/SanitizerCoverage.rst

Lines Matching refs:coverage
11 Sanitizer tools have a very simple code coverage tool built in. It allows to
12 get function-level, basic-block-level, and edge-level coverage at a very low
23 * ``-fsanitize-coverage=func`` for function-level coverage (very fast).
24 * ``-fsanitize-coverage=bb`` for basic-block-level coverage (may add up to 30%
26 * ``-fsanitize-coverage=edge`` for edge-level coverage (up to 40% slowdown).
28 You may also specify ``-fsanitize-coverage=indirect-calls`` for
29 additional `caller-callee coverage`_.
31 At run time, pass ``coverage=1`` in ``ASAN_OPTIONS``,
33 appropriate. For the standalone coverage mode, use ``UBSAN_OPTIONS``.
35 To get `Coverage counters`_, add ``-fsanitize-coverage=8bit-counters``
37 ``*SAN_OPTIONS=coverage=1:coverage_counters=1``.
53     % clang++ -g cov.cc -fsanitize=address -fsanitize-coverage=func
54     % ASAN_OPTIONS=coverage=1 ./a.out; ls -l *sancov
57     % ASAN_OPTIONS=coverage=1 ./a.out foo ; ls -l *sancov
102 A new experimental ``sancov`` tool is developed to process coverage files.
114       -print                    - Print coverage addresses
117       -html-report              - Print HTML coverage report.
129 coverage report would be automatically generated alongside the coverage files.
134 How good is the coverage?
150     sancov.py: 1 PCs missing from coverage
153 Edge coverage
181 edge-level coverage (``-fsanitize-coverage=edge``) simply splits all critical
197 When ``coverage_bitset=1`` run-time flag is given, the coverage will also be
203     % clang++ -fsanitize=address -fsanitize-coverage=edge cov.cc
204     % ASAN_OPTIONS="coverage=1:coverage_bitset=1" ./a.out
206     % ASAN_OPTIONS="coverage=1:coverage_bitset=1" ./a.out 1
216 unless dlopen/dlclose come into play), so the bitset coverage can be
219 Caller-callee coverage
249 `AFL <http://lcamtuf.coredump.cx/afl/technical_details.txt>`__'s coverage
251 more sensitive coverage information.  In addition to boolean values assigned to
259     % clang++ -g cov.cc -fsanitize=address -fsanitize-coverage=edge,8bit-counters
260     % ASAN_OPTIONS="coverage=1:coverage_counters=1" ./a.out
266 These counters may also be used for in-process coverage-guided fuzzers. See
271     // The coverage instrumentation may optionally provide imprecise counters.
277     // This counter-based coverage implementation is *not* thread-safe.
279     // Returns the number of registered coverage counters.
292 With ``-fsanitize-coverage=trace-bb`` the compiler will insert
294 (depending on the value of ``-fsanitize-coverage=[func,bb,edge]``).
299     % clang -g -fsanitize=address -fsanitize-coverage=edge,trace-bb foo.cc
300     % ASAN_OPTIONS=coverage=1 ./a.out
315 With ``-fsanitize-coverage=trace-pc`` the compiler will insert
328 With ``-fsanitize-coverage=trace-cmp`` the compiler will insert extra instrumentation
360     % ASAN_OPTIONS="coverage=1:coverage_dir=/tmp/cov" ./a.out foo
368 Normally, coverage data is collected in memory and saved to disk when the
373 at all, like SIGKILL), coverage data will be lost. This is a big problem on
376 With ``ASAN_OPTIONS=coverage=1:coverage_direct=1`` coverage data is written to a
381     % ASAN_OPTIONS="coverage=1:coverage_direct=1" ./a.out
405 covered entities in the program. This will tell the fuzzer if the coverage has
418 This coverage implementation is **fast**. With function-level coverage
419 (``-fsanitize-coverage=func``) the overhead is not measurable. With
420 basic-block-level coverage (``-fsanitize-coverage=bb``) the overhead varies
447 Why another coverage?
450 Why did we implement yet another code coverage?
453   * Traditional coverage implementations based in global counters