Number of individual test runs (-1 for infinite runs).
Maximum length of the test input. If 0, libFuzzer tries to guess a good value based on the corpus and reports it.
Try generating small inputs first, then try larger inputs over time. Specifies the rate at which the length limit is increased (smaller == faster). If 0, immediately try inputs with size up to max_len. Default value is 0, if LLVMFuzzerCustomMutator is used.
A comma-separated list of input files to use as an additional seed corpus. Alternatively, an "@" followed by the name of a file containing the comma-seperated list.
If 1, cross over inputs.
Apply this number of consecutive mutations to each input.
Experimental/internal. Reduce depth if mutations lose unique features
Shuffle inputs at startup
If 1, always prefer smaller inputs during the corpus shuffle.
Timeout in seconds (if positive). If one unit runs more than this number of seconds the process will abort.
When libFuzzer itself reports a bug this exit code will be used.
When libFuzzer reports a timeout this exit code will be used.
If positive, indicates the maximal total time in seconds to run the fuzzer.
Experimental mode where fuzzing happens in a subprocess
Ignore timeouts in fork mode
Ignore OOMs in fork mode
Ignore crashes in fork mode
If 1, the 2-nd, 3-rd, etc corpora will be merged into the 1-st corpus. Only interesting units will be taken. This flag can be used to minimize a corpus.
Stop fuzzing ASAP if this file exists
Specify a control file used for the merge process. If a merge process gets killed it tries to leave this file in a state suitable for resuming the merge. By default a temporary file will be used.
If 1, minimizes the provided crash input. Use with -runs=N or -max_total_time=N to limit the number attempts. Use with -exact_artifact_path to specify the output. Combine with ASAN_OPTIONS=dedup_token_length=3 (or similar) to ensure that the minimized input triggers the same crash.
If 1, tries to cleanse the provided crash input to make it contain fewer original bytes. Use with -exact_artifact_path to specify the output.
Use coverage counters
Use hints from intercepting memmem, strstr, etc
Experimental. Use value profile to guide fuzzing.
Use CMP traces to guide mutations
Experimental. Try to shrink corpus inputs.
Try to reduce the size of inputs while preserving their full feature sets
Number of jobs to run. If jobs >= 1 we spawn this number of jobs in separate worker processes with stdout/stderr redirected to fuzz-JOB.log.
Number of simultaneous worker processes to run the jobs. If zero, "min(jobs,NumberOfCpuCores()/2)" is used.
Reload the main corpus every <N> seconds to get new units discovered by other processes. If 0, disabled
Report slowest units if they run for more than this number of seconds.
If 1, generate only ASCII (isprint+isspace) inputs.
Experimental. Use the dictionary file.
Write fuzzing artifacts (crash, timeout, or slow inputs) as $(artifact_prefix)file
Write the single artifact on failure (crash, timeout) as $(exact_artifact_path). This overrides -artifact_prefix and will not use checksum in the file name. Do not use the same path for several parallel processes.
If 1, print out newly covered PCs.
If >=1, print out at most this number of newly covered functions.
If 1, print statistics at exit.
If 1, print statistics on corpus elements at exit.
If 1, print coverage information as text at exit.
If 1, try to intercept SIGSEGV.
If 1, try to intercept SIGBUS.
If 1, try to intercept SIGABRT.
If 1, try to intercept SIGILL.
If 1, try to intercept SIGFPE.
If 1, try to intercept SIGINT.
If 1, try to intercept SIGTERM.
If 1, try to intercept SIGXFSZ.
If 1, try to intercept SIGUSR1.
If 1, try to intercept SIGUSR2.
If 1, a performance optimization isenabled for the 8bit inline counters. Requires that libFuzzer successfully installs its SEGV handler
If 1, close stdout at startup; if 2, close stderr; if 3, close both. Be careful, this will also close e.g. stderr of asan.
If 1, and if LeakSanitizer is enabled try to detect memory leaks during fuzzing (i.e. not only at shut down).
Purge allocator caches and quarantines every <N> seconds. When rss_limit_mb is specified (>0), purging starts when RSS exceeds 50% of rss_limit_mb. Pass purge_allocator_interval=-1 to disable this functionality.
If >= 1 will print all mallocs/frees. If >= 2 will also print stack traces.
If non-zero, the fuzzer will exit uponreaching this limit of RSS memory usage.
If non-zero, the fuzzer will exit if the target tries to allocate this number of Mb with one malloc call. If zero (default) same limit as rss_limit_mb is applied.
Exit if a newly found PC originates from the given source location. Example: -exit_on_src_pos=foo.cc:123. Used primarily for testing libFuzzer itself.
Exit if an item with a given sha1 sum was added to the corpus. Used primarily for testing libFuzzer itself.
If 1, ignore all arguments passed after this one. Useful for fuzzers that need to do their own argument parsing.
Experimental. Fuzzing will focus on inputs that trigger calls to this function. If -focus_function=auto and -data_flow_trace is used, libFuzzer will choose the focus functions automatically.