
Lines Matching +full:clang +full:- +full:asan +full:- +full:ubsan +full:- +full:fuzz

3 * [Passing JVM arguments](#passing-jvm-arguments)
4 * [Coverage instrumentation](#coverage-instrumentation)
5 * [Trace instrumentation](#trace-instrumentation)
6 * [Value profile](#value-profile)
7 * [Custom hooks](#custom-hooks)
8 * [Suppressing stack traces](#suppressing-stack-traces)
9 * [Export coverage information](#export-coverage-information)
10 * [Native libraries](#native-libraries)
11 * [Fuzzing mutators](#fuzzing-mutators)
13 <!-- Created by https://github.com/ekalinin/github-markdown-toc -->
16 Since Jazzer is a libFuzzer-compiled binary, all positional and single dash command-line options ar…
17 Therefore, all Jazzer options are passed via double dash command-line flags, i.e., as `--option=val…
19 A full list of command-line flags can be printed with the `--help` flag.
24 When Jazzer is started using the `jazzer` binary, it starts a JVM in which it executes the fuzz tar…
27 Alternatively, arguments can also be supplied via the `--jvm_args` argument.
33 --jvm_args=--enable-preview;-Xmx1000m
35 --jvm_args=--enable-preview:-Xmx1000m
38 Arguments specified with `--jvm_args` take precedence over those in `JAVA_OPTS`.
45 It is possible to restrict instrumentation to only a subset of classes with the `--instrumentation_…
47 Similarly, there is `--instrumentation_excludes` to exclude specific classes from instrumentation.
51 --instrumentation_includes=com.my_com.**:com.other_com.** --instrumentation_excludes=com.my_com.cry…
54 By default, JVM-internal classes and Java as well as Kotlin standard library classes are not instru…
59 These hooks correspond to [clang's data flow hooks](https://clang.llvm.org/docs/SanitizerCoverage.h…
60 The particular instrumentation types to apply can be specified using the `--trace` flag, which acce…
62 * `cov`: AFL-style edge coverage
73 The run-time flag `-use_value_profile=1` enables [libFuzzer's value profiling mode](https://llvm.or…
75 …java/com/example/ExampleValueProfileFuzzer.java) for a fuzz target that would be very hard to fuzz
80 This functionality is also available to fuzz targets, where it can be used to implement custom sani…
84 …he Maven artifact [`com.code-intelligence:jazzer-api`](https://search.maven.org/search?q=g:com.cod…
85 …he `@MethodHook` API](https://codeintelligencetesting.github.io/jazzer-docs/jazzer-api/com/code_in…
87 …e on the classpath provided by `--cp` and can then be loaded by providing the flag `--custom_hooks…
88 …va/lang/instrument/Instrumentation.html#appendToBootstrapClassLoaderSearch-java.util.jar.JarFile-).
89 …ustom hooks can alternatively be specified via the `Jazzer-Hook-Classes` attribute in the fuzz tar…
93 With the flag `--keep_going=N` Jazzer continues fuzzing until `N` unique stack traces have been enc…
95 …o be ignored based on their `DEDUP_TOKEN` by passing a comma-separated list of tokens via `--ignor…
99 The internally gathered JaCoCo coverage information can be exported in human-readable and JaCoCo ex…
100 …ve not been covered by the fuzzer and thus may require more comprehensive fuzz targets or a more e…
102 The human-readable report contains coverage information, like branch and line coverage, on file lev…
103 It's useful for getting a quick overview of the overall coverage. The flag `--coverage_report=<file>`…
105 Similar to the JaCoCo `dump` command, the flag `--coverage_dump=<file>` specifies a coverage dump f…
114 java -jar path/to/jacococli.jar report coverage.exec \
115 --classfiles classes.jar \
116 --sourcefiles some/path/to/sources \
117 --html report \
118 --name FuzzCoverageReport
124 …zer to get coverage feedback, these libraries have to be compiled with `-fsanitize=fuzzer-no-link`.
128 - *AddressSanitizer*: `-fsanitize=fuzzer-no-link,address`
129 - *UndefinedBehaviorSanitizer*: `-fsanitize=fuzzer-no-link,undefined` (add `-fno-sanitize-recover=a…
131 Then, start Jazzer with `--asan` and/or `--ubsan` to automatically preload the sanitizer runtimes.
132 Jazzer defaults to using the runtimes associated with `clang` on the `PATH`.
134 If no compiler is available in your runtime environment (e.g. in OSS-Fuzz) but you have a directory…
136 **Note:** On macOS, you may see Gatekeeper warnings when using `--asan` and/or `--ubsan` since thes…
141 The fuzz targets `ExampleFuzzerWithASan` and `ExampleFuzzerWithUBSan` in the [`examples`](../exampl…
142 Also see `TurboJpegFuzzer` for a real-world example.
148 …LVMFuzzerCustomMutator` (and optionally `LLVMFuzzerCustomCrossOver`) and pre-loading the mutator l…
152 LD_PRELOAD=libcustom_mutator.so bazel run //:jazzer -- <arguments>