• Home
  • Raw
  • Download

Lines Matching refs:coverage

11 Sanitizer tools have a very simple code coverage tool built in. It allows to
12 get function-level, basic-block-level, and edge-level coverage at a very low
22 * ``-fsanitize-coverage=func`` for function-level coverage (very fast).
23 * ``-fsanitize-coverage=bb`` for basic-block-level coverage (may add up to 30%
25 * ``-fsanitize-coverage=edge`` for edge-level coverage (up to 40% slowdown).
27 You may also specify ``-fsanitize-coverage=indirect-calls`` for
28 additional `caller-callee coverage`_.
30 At run time, pass ``coverage=1`` in ``ASAN_OPTIONS``, ``LSAN_OPTIONS``,
33 To get `Coverage counters`_, add ``-fsanitize-coverage=8bit-counters``
35 ``*SAN_OPTIONS=coverage=1:coverage_counters=1``.
51 % clang++ -g cov.cc -fsanitize=address -fsanitize-coverage=func
52 % ASAN_OPTIONS=coverage=1 ./a.out; ls -l *sancov
55 % ASAN_OPTIONS=coverage=1 ./a.out foo ; ls -l *sancov
97 How good is the coverage?
113 sancov.py: 1 PCs missing from coverage
116 Edge coverage
144 edge-level coverage (``-fsanitize-coverage=edge``) simply splits all critical
160 When ``coverage_bitset=1`` run-time flag is given, the coverage will also be
166 % clang++ -fsanitize=address -fsanitize-coverage=edge cov.cc
167 % ASAN_OPTIONS="coverage=1:coverage_bitset=1" ./a.out
169 % ASAN_OPTIONS="coverage=1:coverage_bitset=1" ./a.out 1
179 unless dlopen/dlclose come into play), so the bitset coverage can be
182 Caller-callee coverage
212 `AFL <http://lcamtuf.coredump.cx/afl/technical_details.txt>`_'s coverage
214 more sensitive coverage information. In addition to boolean values assigned to
222 % clang++ -g cov.cc -fsanitize=address -fsanitize-coverage=edge,8bit-counters
223 % ASAN_OPTIONS="coverage=1:coverage_counters=1" ./a.out
229 These counters may also be used for in-process coverage-guided fuzzers. See
234 // The coverage instrumentation may optionally provide imprecise counters.
240 // This counter-based coverage implementation is *not* thread-safe.
242 // Returns the number of registered coverage counters.
255 With ``-fsanitize-coverage=trace-bb`` the compiler will insert
257 (depending on the value of ``-fsanitize-coverage=[func,bb,edge]``).
263 With ``-fsanitize-coverage=trace-cmp`` the compiler will insert extra instrumentation
295 % ASAN_OPTIONS="coverage=1:coverage_dir=/tmp/cov" ./a.out foo
303 Normally, coverage data is collected in memory and saved to disk when the
308 at all, like SIGKILL), coverage data will be lost. This is a big problem on
311 With ``ASAN_OPTIONS=coverage=1:coverage_direct=1`` coverage data is written to a
316 % ASAN_OPTIONS="coverage=1:coverage_direct=1" ./a.out
340 covered entities in the program. This will tell the fuzzer if the coverage has
353 This coverage implementation is **fast**. With function-level coverage
354 (``-fsanitize-coverage=func``) the overhead is not measurable. With
355 basic-block-level coverage (``-fsanitize-coverage=bb``) the overhead varies
382 Why another coverage?
385 Why did we implement yet another code coverage?
388 * Traditional coverage implementations based in global counters