oss-fuzz/docs/advanced-topics/code_coverage.md


Code Coverage

You can generate a code coverage report for your project using Clang Source-based Code Coverage.


Pull the latest Docker images

Docker images are regularly updated with newer versions of build tools, build configurations, scripts, and other changes. It is recommended to use the most recent images.

$ python infra/helper.py pull_images

Build fuzz targets

Code coverage report generation requires a special build configuration. To create a code coverage build for your project, run:

$ python infra/helper.py build_image $PROJECT_NAME
$ python infra/helper.py build_fuzzers --sanitizer=coverage $PROJECT_NAME

Establish access to GCS

To get a good understanding of the quality of fuzz testing for your project, code coverage reports should be generated by running the fuzz targets against the corpus aggregated by OSS-Fuzz. Set up gsutil and ensure that you have access to the corpora:

  • Install the gsutil tool
  • Check whether you have access to the corpus for your project:
$ gsutil ls gs://${PROJECT_NAME}-corpus.clusterfuzz-external.appspot.com/

If you see an authorization error from the command above, run:

$ gcloud auth login

and try again. Once gsutil works, you can run the report generation.

Generate code coverage reports

Full project report

To generate a code coverage report using the corpus aggregated on OSS-Fuzz, run:

$ python infra/helper.py coverage $PROJECT_NAME

If you want to generate a code coverage report using a corpus you have locally, copy the corpus into the build/corpus/$PROJECT_NAME/<fuzz_target_name>/ directory for each fuzz target, then run:

$ python infra/helper.py coverage --no-corpus-download $PROJECT_NAME

Single fuzz target

You can generate a code coverage report for a particular fuzz target with the --fuzz-target argument:

$ python infra/helper.py coverage --fuzz-target=<fuzz_target_name> $PROJECT_NAME

In this mode, you can use --corpus-dir to specify an arbitrary corpus location for the fuzz target, which is used instead of the corpus downloaded from OSS-Fuzz:

$ python infra/helper.py coverage --fuzz-target=<fuzz_target_name> \
    --corpus-dir=<my_local_corpus_dir> $PROJECT_NAME

Additional arguments for llvm-cov

You may want to use some of the options of the llvm-cov tool, for example, -ignore-filename-regex=. You can pass those to the helper script after --:

$ python infra/helper.py coverage $PROJECT_NAME -- \
    -ignore-filename-regex=.*code/to/be/ignored/.* <other_extra_args>

To specify particular source files or directories to show in the report, list their paths at the end of the extra arguments sequence, for example:

$ python infra/helper.py coverage zlib -- \
    <other_extra_args> /src/zlib/inftrees.c /src/zlib_uncompress_fuzzer.cc /src/zlib/zutil.c

If you want OSS-Fuzz to use some extra arguments when generating code coverage reports for your project, add the arguments to the project.yaml file as follows:

coverage_extra_args: -ignore-filename-regex=.*crc.* -ignore-filename-regex=.*adler.* <other_extra_args>
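
Before committing ignore patterns, it helps to check which source files they would drop from the report, since an over-broad regex also hides files you want measured. The following Python sketch is an added example, not part of OSS-Fuzz or llvm-cov; the function names and the source paths are constructed for illustration. It assumes the value is split on whitespace and that a pattern matches anywhere in a path, and it uses Python's re module as a stand-in for the regex engine llvm-cov uses.

```python
import re

FLAG = "-ignore-filename-regex="

# Constructed sample data: the value shown above without its placeholder,
# and an illustrative list of source paths (not a real file listing).
EXTRA_ARGS = "-ignore-filename-regex=.*crc.* -ignore-filename-regex=.*adler.*"
SOURCE_PATHS = [
    "/src/zlib/crc32.c",
    "/src/zlib/adler32.c",
    "/src/zlib/inftrees.c",
    "/src/zlib/zutil.c",
    "/src/zlib_uncompress_fuzzer.cc",
    "/src/zlib/contrib/example/crc_input_parser.c",  # constructed
]


def ignore_patterns(extra_args):
    """Return the regexes given as -ignore-filename-regex=... arguments."""
    # Assumption: arguments are separated by whitespace.
    return [a[len(FLAG):] for a in extra_args.split() if a.startswith(FLAG)]


def preview(extra_args, source_paths):
    """Map each path to the first pattern that hides it, or None if it stays."""
    compiled = [(p, re.compile(p)) for p in ignore_patterns(extra_args)]
    result = {}
    for path in source_paths:
        # Assumption: a pattern matches anywhere in the path (unanchored).
        result[path] = next((p for p, rx in compiled if rx.search(path)), None)
    return result


def hidden_paths(extra_args, source_paths):
    """Return the paths that would be missing from the report, sorted."""
    return sorted(p for p, hit in preview(extra_args, source_paths).items() if hit)


if __name__ == "__main__":
    for path, pattern in preview(EXTRA_ARGS, SOURCE_PATHS).items():
        print(f"{'IGNORED' if pattern else 'kept':8} {path}  {pattern or ''}")
```

A file listed as ignored that you still want measured means the pattern needs narrowing, for example by including a directory component.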