* [Passing JVM arguments](#passing-jvm-arguments)
* [Coverage instrumentation](#coverage-instrumentation)
* [Trace instrumentation](#trace-instrumentation)
* [Value profile](#value-profile)
* [Custom hooks](#custom-hooks)
* [Suppressing stack traces](#suppressing-stack-traces)
* [Export coverage information](#export-coverage-information)
* [Native libraries](#native-libraries)
* [Fuzzing mutators](#fuzzing-mutators)
Since Jazzer is a libFuzzer-compiled binary, all positional and single dash command-line options ar…
Therefore, all Jazzer options are passed via double dash command-line flags, i.e., as `--option=val…
A full list of command-line flags can be printed with the `--help` flag.
Alternatively, arguments can also be supplied via the `--jvm_args` argument. Multiple arguments are delimited by the classpath separator, which is `;` on Windows and `:` elsewhere:

```
--jvm_args=--enable-preview;-Xmx1000m
```

```
--jvm_args=--enable-preview:-Xmx1000m
```

Arguments specified with `--jvm_args` take precedence over those in `JAVA_OPTS`.
It is possible to restrict instrumentation to only a subset of classes with the `--instrumentation_…
Similarly, there is `--instrumentation_excludes` to exclude specific classes from instrumentation.

```
--instrumentation_includes=com.my_com.**:com.other_com.** --instrumentation_excludes=com.my_com.cry…
```

By default, JVM-internal classes and Java as well as Kotlin standard library classes are not instru…
### Trace instrumentation

…to [clang's data flow hooks](https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-data-flow).
The particular instrumentation types to apply can be specified using the `--trace` flag, which acce…

* `cov`: AFL-style edge coverage
* `cmp`: compares (int, long, String) and switch cases
The run-time flag `-use_value_profile=1` enables [libFuzzer's value profiling mode](https://llvm.or…
When running with this flag, the feedback about compares and constants received from Jazzer's trace…
…he Maven artifact [`com.code-intelligence:jazzer-api`](https://search.maven.org/search?q=g:com.cod…
…he `@MethodHook` API](https://codeintelligencetesting.github.io/jazzer-docs/jazzer-api/com/code_in…
…e on the classpath provided by `--cp` and can then be loaded by providing the flag `--custom_hooks…
…va/lang/instrument/Instrumentation.html#appendToBootstrapClassLoaderSearch-java.util.jar.JarFile-).
The list of custom hooks can alternatively be specified via the `Jazzer-Hook-Classes` attribute in …
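The following is an added example of a custom hook written against the `@MethodHook` API described above; it is not code from the Jazzer project or its documentation. The target class `com.example.FileStore` and its method `open(String)` are hypothetical stand-ins for a method in the code under test. The hook runs before every call to that method, steers the fuzzer towards inputs that contain a traversal sequence, and reports a finding once such an input actually reaches the method, which is the same pattern Jazzer's built-in sanitizers use to turn an unsafe call into a reproducible crash.

```java
// Added example (not part of the Jazzer docs or project): a BEFORE hook that
// watches a hypothetical target method and reports a finding when fuzzer
// input carries a path traversal sequence into it.
import com.code_intelligence.jazzer.api.HookType;
import com.code_intelligence.jazzer.api.Jazzer;
import com.code_intelligence.jazzer.api.MethodHook;
import java.lang.invoke.MethodHandle;

public final class PathTraversalHooks {
  private PathTraversalHooks() {}

  // Hypothetical target: com.example.FileStore.open(String) -> java.io.InputStream.
  // The descriptor is the JVM method descriptor of that signature; omit it to hook
  // every overload named "open".
  @MethodHook(
      type = HookType.BEFORE,
      targetClassName = "com.example.FileStore",
      targetMethod = "open",
      targetMethodDescriptor = "(Ljava/lang/String;)Ljava/io/InputStream;")
  public static void openHook(
      MethodHandle method, Object thisObject, Object[] arguments, int hookId) {
    // BEFORE hooks only observe; the original method is still invoked afterwards.
    if (arguments.length == 0 || !(arguments[0] instanceof String)) {
      return;
    }
    String path = (String) arguments[0];

    // Give the fuzzer feedback so it learns to produce the interesting substring.
    // hookId is unique per instrumented call site, which keeps the feedback distinct.
    Jazzer.guideTowardsContainment(path, "../", hookId);

    // Once the traversal sequence reaches the sink, surface it as a finding so the
    // run stops with a reproducible input instead of silently continuing.
    if (path.contains("../")) {
      Jazzer.reportFindingFromHook(
          new SecurityException("FileStore.open reached with traversal path: " + path));
    }
  }
}
```

Compile this class against the `jazzer-api` artifact, place the resulting jar on the classpath passed via `--cp`, and name the class in `--custom_hooks` (here `PathTraversalHooks`, since the example has no package; with a package, use the fully qualified name). Everything about the target method here is assumed; adapt `targetClassName`, `targetMethod` and the descriptor to the real sink in your code base.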
With the flag `--keep_going=N` Jazzer continues fuzzing until `N` unique stack traces have been enc…
…o be ignored based on their `DEDUP_TOKEN` by passing a comma-separated list of tokens via `--ignor…
The internally gathered JaCoCo coverage information can be exported in human-readable and JaCoCo ex…

The human-readable report contains coverage information, like branch and line coverage, on file lev…
It's useful to get a quick overview about the overall coverage. The flag `--coverage_report=<file>`…

Similar to the JaCoCo `dump` command, the flag `--coverage_dump=<file>` specifies a coverage dump f…

```
java -jar path/to/jacococli.jar report coverage.exec \
    --classfiles classes.jar \
    --sourcefiles some/path/to/sources \
    --html report \
    --name FuzzCoverageReport
```
…zer to get coverage feedback, these libraries have to be compiled with `-fsanitize=fuzzer-no-link`.

- *AddressSanitizer*: `-fsanitize=fuzzer-no-link,address`
- *UndefinedBehaviorSanitizer*: `-fsanitize=fuzzer-no-link,undefined` (add `-fno-sanitize-recover=a…

Then, start Jazzer with `--asan` and/or `--ubsan` to automatically preload the sanitizer runtimes.

If no compiler is available in your runtime environment (e.g. in OSS-Fuzz) but you have a directory…

**Note:** On macOS, you may see Gatekeeper warnings when using `--asan` and/or `--ubsan` since thes…

Also see `TurboJpegFuzzer` for a real-world example.
…LVMFuzzerCustomMutator` (and optionally `LLVMFuzzerCustomCrossOver`) and pre-loading the mutator l…

```
LD_PRELOAD=libcustom_mutator.so bazel run //:jazzer -- <arguments>
```