Diffstat (limited to 'docs/SanitizerCoverage.rst')
-rw-r--r-- | docs/SanitizerCoverage.rst | 27 |
1 files changed, 17 insertions, 10 deletions
diff --git a/docs/SanitizerCoverage.rst b/docs/SanitizerCoverage.rst index 3e8102a12f67..8ff5bdf3a3d2 100644 --- a/docs/SanitizerCoverage.rst +++ b/docs/SanitizerCoverage.rst @@ -227,7 +227,8 @@ easily used for bitset-based corpus distillation. Caller-callee coverage ====================== -(Experimental!) +**Deprecated, don't use** + Every indirect function call is instrumented with a run-time function call that captures caller and callee. At the shutdown time the process dumps a separate file called ``caller-callee.PID.sancov`` which contains caller/callee pairs as @@ -253,6 +254,8 @@ Current limitations: Coverage counters ================= +**Deprecated, don't use** + This experimental feature is inspired by `AFL <http://lcamtuf.coredump.cx/afl/technical_details.txt>`__'s coverage instrumentation. With additional compile-time and run-time flags you can get @@ -296,6 +299,9 @@ These counters may also be used for in-process coverage-guided fuzzers. See Tracing basic blocks ==================== + +**Deprecated, don't use** + Experimental support for basic block (or edge) tracing. With ``-fsanitize-coverage=trace-bb`` the compiler will insert ``__sanitizer_cov_trace_basic_block(s32 *id)`` before every function, basic block, or edge @@ -319,6 +325,9 @@ Basic block tracing is currently supported only for single-threaded applications Tracing PCs =========== + +**Deprecated, don't use** + *Experimental* feature similar to tracing basic blocks, but with a different API. With ``-fsanitize-coverage=trace-pc`` the compiler will insert ``__sanitizer_cov_trace_pc()`` on every edge. 
@@ -331,16 +340,13 @@ and can be used with `AFL <http://lcamtuf.coredump.cx/afl>`__. Tracing PCs with guards ======================= -Another *experimental* feature that tries to combine the functionality of `trace-pc`, -`8bit-counters` and boolean coverage. With ``-fsanitize-coverage=trace-pc-guard`` the compiler will insert the following code on every edge: .. code-block:: none - if (guard_variable) - __sanitizer_cov_trace_pc_guard(&guard_variable) + __sanitizer_cov_trace_pc_guard(&guard_variable) Every edge will have its own `guard_variable` (uint32_t). @@ -349,10 +355,11 @@ The compler will also insert a module constructor that will call .. code-block:: c++ // The guards are [start, stop). - // This function may be called multiple times with the same values of start/stop. + // This function will be called at least once per DSO and may be called + // more than once with the same values of start/stop. __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop); -Similarly to `trace-pc,indirect-calls`, with `trace-pc-guards,indirect-calls` +With `trace-pc-guards,indirect-calls` ``__sanitizer_cov_trace_pc_indirect(void *callee)`` will be inserted on every indirect call. The functions `__sanitizer_cov_trace_pc_*` should be defined by the user. @@ -367,10 +374,10 @@ Example: #include <sanitizer/coverage_interface.h> // This callback is inserted by the compiler as a module constructor - // into every compilation unit. 'start' and 'stop' correspond to the + // into every DSO. 'start' and 'stop' correspond to the // beginning and end of the section with the guards for the entire - // binary (executable or DSO) and so it will be called multiple times - // with the same parameters. + // binary (executable or DSO). The callback will be called at least + // once per DSO and may be called multiple times with the same parameters. extern "C" void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) { static uint64_t N; // Counter for the guards. |
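Review bot: The added "**Deprecated, don't use**" notices in the Coverage counters, Tracing basic blocks and Tracing PCs hunks sit directly above text that still opens with "This experimental feature", "Experimental support for basic block (or edge) tracing" and "*Experimental* feature similar to tracing basic blocks", so those sections now read as both deprecated and experimental; only the Caller-callee hunk replaces its "(Experimental!)" marker. Drop or reword the leftover "experimental" wording in the same change, and have each notice name the mode readers should move to, since "don't use" on its own gives no migration path.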
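Review bot: In the "Tracing PCs with guards" hunk the inserted-code snippet loses its `if (guard_variable)` test, but no sentence is added to say that the callback is now invoked unconditionally on every edge. Anyone who wrote a `__sanitizer_cov_trace_pc_guard` implementation against the old text may be relying on the compiler-side check; if filtering on the guard value is now the callback's job, say so explicitly next to the snippet. Removing the intro sentence also leaves the section starting at "With ``-fsanitize-coverage=trace-pc-guard``" with no one-line statement of what the mode is for.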
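Review bot: The rewritten line "With `trace-pc-guards,indirect-calls`" spells the mode with a trailing "s", while the flag introduced earlier in the section is ``-fsanitize-coverage=trace-pc-guard``, so a reader copying the name from this line gets a spelling that does not match the flag shown above. Use `trace-pc-guard,indirect-calls` here, and since this hunk already touches the paragraph, fix "The compler" in the sentence that introduces the module constructor. The new comment "will be called at least once per DSO and may be called more than once with the same values of start/stop" is effectively a contract on the user's `__sanitizer_cov_trace_pc_guard_init`, so it is worth stating that the implementation must tolerate repeated calls with the same range.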