On 05.09.2018 at 12:40, Peter Hartmann wrote:
> Hello Robert,
>
> On 04.09.2018 14:03, Robert Löhning wrote:
>> I saw your post and it helped me get started. Thanks for that!
>
> cool, thanks for the feedback!
>
>>
>> By the way: In step 1 you use
>> -fsanitize-coverage=edge
>> whereas I followed LLVM's example [1] and used
>> -fsanitize-coverage=trace-pc-guard
>>
>> Unfortunately the documentation seems to be a bit scarce. Could you
>> please tell me briefly about the advantages of either one?
>>
>> I guess I should include "edge" in [2], shouldn't I? Instead of
>> hacking the mkspec you could then just use
>> <src>/configure -sanitize address -coverage edge <further params>
>
> The "-fsanitize-coverage=edge" just comes from an older clang version
> when there was no trace-pc-guard. Nowadays "trace-pc-guard" without
> other args implies "edge", so the latter can be ignored when configuring
> with address sanitizer.
>
> IIUC edge just provided information on whether a piece of code was
> executed or not, while trace-pc-guard provides a callback which allows
> for more fine-grained coverage information; the callback itself is then
> implemented in libFuzzer.
>
> What might be interesting to look at is "-fsanitize-coverage=trace-cmp"
> though...
Definitely interesting, but will it be useful for fuzzing? If I get this
right, it will record all different values at comparisons. So, if we take
a simple example:

    if (x == 0) foo() else bar()

Then all values of x will be considered different. For fuzzing, though,
only the two cases x == 0 and x != 0 will matter. Am I missing something
here?

Cheers,
Robert
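Added example (not from this thread, Qt or LLVM): a hand-instrumented C model of what `-fsanitize-coverage=trace-cmp` feeds back to a fuzzer beyond the two edges of a compare. The hook `trace_cmp4` is a hypothetical stand-in for clang's `__sanitizer_cov_trace_cmp4`, the `MAGIC` constant and the input bytes are constructed, and the hook call inside `parse` is written out by hand where the compiler would insert it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* trace_cmp4 is a hypothetical stand-in for libFuzzer's
 * __sanitizer_cov_trace_cmp4 hook: with -fsanitize-coverage=trace-cmp,
 * clang calls it with both operands before each 4-byte compare. */
#define MAX_CMPS 64
static uint32_t cmp_log[MAX_CMPS][2];
static size_t cmp_count;

static void trace_cmp4(uint32_t a, uint32_t b) {
    if (cmp_count < MAX_CMPS) {
        cmp_log[cmp_count][0] = a;
        cmp_log[cmp_count][1] = b;
        cmp_count++;
    }
}

/* Edge coverage as trace-pc-guard reports it: one flag per branch. Every
 * x != MAGIC lands on the same edge, so that signal never improves. */
static int edge_hit[2];
#define MAGIC 0xDEADBEEFu  /* constructed constant guarding the path */

/* Constructed parser; the hook call is written by hand where the compiler
 * would insert it. Returns 1 when the guarded path is taken. */
int parse(const uint8_t *data, size_t len) {
    uint32_t x;
    if (len < 4) return 0;
    memcpy(&x, data, 4);
    trace_cmp4(x, MAGIC);             /* added by trace-cmp instrumentation */
    if (x == MAGIC) { edge_hit[0] = 1; return 1; }
    edge_hit[1] = 1;
    return 0;
}

/* What the cmp log buys: the operand that did not come from the input is a
 * candidate to splice back in (libFuzzer's value-profile / auto-dictionary
 * idea). Returns 1 if the derived input reaches the guarded path. */
int derive_and_retry(void) {
    uint8_t input[4] = {1, 2, 3, 4};  /* constructed first input: misses */
    uint8_t next[4];
    size_t i;
    cmp_count = 0;
    parse(input, sizeof input);       /* logs (x, MAGIC) for the miss */
    for (i = 0; i < cmp_count; i++) {
        memcpy(next, &cmp_log[i][1], 4);  /* try the other operand */
        if (parse(next, sizeof next)) return 1;
    }
    return 0;
}
```

Edge feedback alone sees the same "else" edge for every wrong x, while the cmp log hands the fuzzer the constant it needs; in a real build the hook is libFuzzer's own and this is what its CMP tracing and `-use_value_profile=1` build on.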