2015-01-30 00:58:29 +08:00
|
|
|
//===- FuzzerFlags.def - Run-time flags -------------------------*- C++ -* ===//
|
|
|
|
//
|
|
|
|
// The LLVM Compiler Infrastructure
|
|
|
|
//
|
|
|
|
// This file is distributed under the University of Illinois Open Source
|
|
|
|
// License. See LICENSE.TXT for details.
|
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
// Flags. FUZZER_FLAG macro should be defined at the point of inclusion.
|
|
|
|
// We are not using any flag parsing library for better portability and
|
|
|
|
// independence.
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
FUZZER_FLAG(int, verbosity, 1, "Verbosity level.")
|
|
|
|
FUZZER_FLAG(int, seed, 0, "Random seed. If 0, seed is generated.")
|
|
|
|
FUZZER_FLAG(int, iterations, -1,
|
2015-02-05 06:20:09 +08:00
|
|
|
"Number of iterations of the fuzzer internal loop"
|
|
|
|
" (-1 for infinite iterations).")
|
|
|
|
FUZZER_FLAG(int, runs, -1,
|
|
|
|
"Number of individual test runs (-1 for infinite runs).")
|
2015-01-30 00:58:29 +08:00
|
|
|
FUZZER_FLAG(int, max_len, 64, "Maximal length of the test input.")
|
|
|
|
FUZZER_FLAG(int, cross_over, 1, "If 1, cross over inputs.")
|
2015-02-05 03:10:20 +08:00
|
|
|
FUZZER_FLAG(int, mutate_depth, 5,
|
2015-01-30 00:58:29 +08:00
|
|
|
"Apply this number of consecutive mutations to each input.")
|
2015-02-05 07:42:42 +08:00
|
|
|
FUZZER_FLAG(
|
|
|
|
int, prefer_small_during_initial_shuffle, -1,
|
|
|
|
"If 1, always prefer smaller inputs during the initial corpus shuffle."
|
|
|
|
" If 0, never do that. If -1, do it sometimes.")
|
2015-01-30 00:58:29 +08:00
|
|
|
FUZZER_FLAG(int, exit_on_first, 0,
|
|
|
|
"If 1, exit after the first new interesting input is found.")
|
|
|
|
FUZZER_FLAG(int, timeout, -1, "Timeout in seconds (if positive).")
|
|
|
|
FUZZER_FLAG(int, help, 0, "Print help.")
|
|
|
|
FUZZER_FLAG(
|
|
|
|
int, save_minimized_corpus, 0,
|
|
|
|
"If 1, the minimized corpus is saved into the first input directory")
|
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-04 07:27:02 +08:00
|
|
|
FUZZER_FLAG(int, use_counters, 0, "Use coverage counters")
|
2015-01-30 07:01:07 +08:00
|
|
|
FUZZER_FLAG(int, use_full_coverage_set, 0,
|
2015-02-20 11:02:37 +08:00
|
|
|
"Experimental: Maximize the number of different full"
|
2015-01-30 07:01:07 +08:00
|
|
|
" coverage sets as opposed to maximizing the total coverage."
|
|
|
|
" This is potentially MUCH slower, but may discover more paths.")
|
2015-02-20 11:02:37 +08:00
|
|
|
FUZZER_FLAG(int, use_coverage_pairs, 0,
|
|
|
|
"Experimental: Maximize the number of different coverage pairs.")
|
2015-01-31 09:14:40 +08:00
|
|
|
FUZZER_FLAG(int, jobs, 0, "Number of jobs to run. If jobs >= 1 we spawn"
|
|
|
|
" this number of jobs in separate worker processes"
|
|
|
|
" with stdout/stderr redirected to fuzz-JOB.log.")
|
|
|
|
FUZZER_FLAG(int, workers, 0,
|
|
|
|
"Number of simultaneous worker processes to run the jobs.")
|
2015-03-31 06:09:51 +08:00
|
|
|
FUZZER_FLAG(int, dfsan, 1, "Use DFSan for taint-guided mutations. No-op unless "
|
|
|
|
"the DFSan instrumentation was compiled in.")
|