Lines Matching +full:upload +full:- +full:coverage

3 This relates to fuzzers created using [libfuzzer] not [FuzzTests] - none of this
40 * [Simplifying initialization/cleanup](#Simplifying-initialization-cleanup)
41 * [Minimizing memory usage](#Minimizing-memory-usage)
47 use-cases or fail to account for unexpected scenarios.
55 allocated within the `LLVMFuzzerTestOneInput` function should be de-allocated,
63 works faster for stack-based and static objects than for heap-allocated ones.
70 ### Code coverage
75 * Review aggregated Chrome coverage from recent runs by checking the [fuzzing
76 coverage] report. This report can provide insight on how to improve code
77 coverage.
78 * Generate a source-level coverage report for your fuzzer by running the
79 [coverage script] stored in the Chromium repository. The script provides
82 For the `out/coverage` target in the coverage script, make sure to add all of
88 **Note:** The code coverage of a fuzz target depends heavily on the corpus. A
89 well-chosen corpus will produce much greater code coverage. On the other hand,
90 a coverage report generated by a fuzz target without a corpus won't cover much
93 [Corpus Size](#Corpus-Size).
99 or corpus unit) *interesting* if the input results in new code coverage (i.e.,
106 (also called a *coverage plateau*). The corpus for a reasonably complex target
109 If a fuzz target reaches coverage plateau with a small corpus, the common causes
112 analyze a [coverage report](#code-coverage). Then, to fix the issue, try the
116 [custom build](#Custom-build).
117 * Prepare or improve the [seed corpus](#Seed-corpus).
118 * Prepare or improve the [fuzzer dictionary](#Fuzzer-dictionary).
128 In many cases, providing a seed corpus can increase code coverage by an order of
181 large, can’t be open-sourced, etc.), you can upload the corpus to the Google
187 3) In the `<my_fuzzer>` directory, upload your corpus files.
190 **Note:** If you upload your corpus to GCS, you don’t need to add the
198 gsutil -m rsync <path_to_corpus> gs://clusterfuzz-corpus/libfuzzer/<my_fuzzer>
215 You can minimize your seed corpus by using libFuzzer’s `-merge=1` option:
221 # Run the fuzzer with -merge=1 flag.
222 ./my_fuzzer -merge=1 ./seed_corpus_minimized ./seed_corpus
226 minimized corpus that gives the same code coverage as your initial `seed_corpus`
231 You can help your fuzzer increase its coverage by providing a set of common
233 especially well for certain use-cases (e.g., fuzzing file format decoders or
234 text-based protocols like XML).
240 (`\xNN`) applied to all non-printable, high-bit, or otherwise problematic
242 similar to the one used by the [AFL] fuzzing engine (`-x` option).
265 ./out/libfuzzer/my_fuzzer -dict=<path_to_dict> <path_to_corpus>
298 [ClusterFuzz status]: libFuzzer_integration.md#Status-Links
299 [Corpus GCS Bucket]: https://console.cloud.google.com/storage/clusterfuzz-corpus/libfuzzer
301 [gn config]: getting_started.md#running-the-fuzz-target
303 [coverage script]: https://cs.chromium.org/chromium/src/tools/code_coverage/coverage.py
304 [fuzzing coverage]: https://analysis.chromium.org/coverage/p/chromium?platform=fuzz
306 [startup initialization]: https://llvm.org/docs/LibFuzzer.html#startup-initialization