Dr. Memory's behavior can be controlled through options passed to drmemory prior to the "--" delimiter. Boolean options can be disabled using a "-no_" prefix. Here is a list of options along with their default values and descriptions:
- -version
default: false
Display Dr. Memory version
- -help
default: false
Display the full option list
- -dr <string>
default: ""
The path to the DynamoRIO installation to use. Not needed when using a released Dr. Memory package.
- -drmemory <string>
default: ""
The path to the base of the Dr. Memory installation. Not needed when invoking Dr. Memory from an unmodified installation tree.
- -follow_children
default: true
Monitor child processes by following across execve on Linux or CreateProcess on Windows. On Linux, monitoring always continues across a fork.
- -v
default: false
Display verbose information in the Dr. Memory front end
- -light
default: false
This option enables a lightweight mode that detects unaddressable accesses, free/delete/delete[] mismatches, and GDI API usage errors in Windows, but not uninitialized reads or memory leaks.
- -brief
default: false
Show simplified and easier-to-read error reports that hide STL and CRT source paths, remove executable path prefixes from source files, omit absolute addresses, omit instruction disassembly, and omit thread timestamps. Also enables -delay_frees_stack and disables -callstack_use_top_fp, trading off performance for better error reports.
- -logdir <string>
default: "<install>/logs"
Destination base directory for result files and the symbol cache (unless -symcache_dir is specified). A subdirectory inside this base directory is created for each process that is run, along with a single shared symbol cache directory. If you specify a separate base directory for every run, you will lose the benefits of symbol caching, unless you also specify a separate shared cache directory with the -symcache_dir option.
- -verbose <int>
default: 1 (minimum: 0, maximum: 32)
Verbosity level in log files: 0=none, 1=warnings, 2+=diagnostic. Primarily for debugging of Dr. Memory itself.
- -quiet
default: false
Suppress stderr messages and, on Windows, popup messages. Overrides -results_to_stderr and -summary.
- -results_to_stderr
default: true
Print error reports to stderr in addition to results.txt, interleaving them with the application output. The output will be prefixed by ~~Dr.M~~ for the main thread and by the thread id for other threads. This interleaving can make it easier to see which part of an application run raised an error.
- -prefix_style <int>
default: 0 (minimum: 0, maximum: 2)
For -results_to_stderr, controls the per-line prefix:
  - 0 = Default prefix: ~~Dr.M~~ for the main thread and the thread id for other threads.
  - 1 = No prefix.
  - 2 = Use blank spaces. This makes the output compatible with Visual Studio file and line number parsing.
- -log_suppressed_errors
default: false
Log suppressed error reports for postprocessing. Enabling this option will increase the logfile size, but will allow users to re-process suppressed reports with alternate suppressions or additional symbols.
- -ignore_asserts
default: false
Display, but do not abort, on asserts in debug build (in release build asserts are automatically disabled).
- -exit_code_if_errors <int>
default: 0 (minimum: INT_MIN, maximum: INT_MAX)
If non-zero, the app's exit code is changed to this code if any errors are found.
- -pause_at_error
default: false
Dr. Memory pauses at the point of each error that is identified. On Windows, this pause is a popup window. On Linux, the pause involves waiting for a keystroke, which may not work well if the application reads from stdin. In that case consider -pause_via_loop as an additional option.
- -pause_at_unaddressable
default: false
Dr. Memory pauses at the point of each unaddressable access error that is identified. On Windows, this pause is a popup window. On Linux, the pause involves waiting for a keystroke, which may not work well if the application reads from stdin. In that case consider -pause_via_loop as an additional option.
- -pause_at_uninitialized
default: false
Identical to -pause_at_unaddressable, but applies to uninitialized access errors.
- -pause_at_exit
default: false
Pauses at exit, using the same mechanism described in -pause_at_unaddressable. Meant for examining leaks in the debugger.
- -pause_at_assert
default: false
Dr. Memory pauses at the point of each debug-build assert. On Windows, this pause is a popup window. On Linux, the pause involves waiting for a keystroke, which may not work well if the application reads from stdin. In that case consider -pause_via_loop as an additional option.
- -pause_via_loop
default: false
Used in conjunction with -pause_at_unaddressable and -pause_at_uninitialized on Linux, this option causes Dr. Memory to pause via an infinite loop instead of waiting for stdin. Dr. Memory will not continue beyond the first such error found.
- -crash_at_unaddressable
default: false
Dr. Memory terminates the process in a crash at the point of the first unaddressable access error that is identified.
- -crash_at_error
default: false
Dr. Memory terminates the process in a crash at the point of the first error that is identified.
- -callstack_max_frames <int>
default: 20 (minimum: 0, maximum: 4096)
How many call stack frames to record for each non-leak error report. A larger maximum will ensure that no call stack is truncated, but can use more memory and slow down the tool if there are many error reports with large callstacks. This option must be larger than the largest suppression supplied to -suppress. The separate option -malloc_max_frames controls the callstack size for leak reports, while -free_max_frames controls the callstack size for freed memory overlap reports from -delay_frees_stack.
- -malloc_max_frames <int>
default: 12 (minimum: 0, maximum: 4096)
How many call stack frames to record on each malloc, for use in leak error reports as well as alloc/free mismatch error reports. A larger maximum will ensure that no call stack is truncated, but can use more memory and slow down the tool.
- -free_max_frames <int>
default: 6 (minimum: 0, maximum: 4096)
If -delay_frees_stack is enabled, this controls how many call stack frames to record for each use-after-free informational report. A larger maximum will ensure that no call stack is truncated, but can use more memory and slow down the tool.
- -callstack_style <int>
default: 0x0301 (minimum: 0, maximum: 0x1fff)
Set of flags that controls the callstack printing style:
  - 0x0001 = show frame numbers
  - 0x0002 = show absolute address
  - 0x0004 = show offset from library base
  - 0x0008 = show offset from symbol start: "library!symbol+offs"
  - 0x0010 = show offset from line start: "foo.c:44+0x8"
  - 0x0020 = "file:line" on separate line
  - 0x0040 = "file @ line" instead of "file:line"
  - 0x0080 = "symbol library" instead of "library!symbol"
  - 0x0100 = put fields in aligned columns
  - 0x0200 = show symbol and module offset when symbols are missing
  - 0x0400 = print unique module id
  - 0x0800 = show "file(line):" instead of "file:line"
  - 0x1000 = expand template parameters (from "<>") for PDB symbols
- -callstack_truncate_below <string>
default: "main,wmain,WinMain,wWinMain,*RtlUserThreadStart,_threadstartex,BaseThreadInitThunk"
Callstacks will be truncated at any frame that matches any of these ,-separated function names. The function names can contain * or ? wildcards.
- -callstack_modname_hide <string>
default: "*drmemory*"
Callstack frames will not list module names matching any of these ,-separated patterns. The names can contain * or ? wildcards. The module name will be displayed whenever the function name is unknown, however. The module name will only be hidden for error display purposes: it will still be included when considering suppressions, and it will be included in the generated suppression callstacks.
- -callstack_exe_hide
default: true
Callstack frames will not list the executable name. The executable name will be displayed whenever the function name is unknown, however. The executable name will only be hidden for error display purposes: it will still be included when considering suppressions, and it will be included in the generated suppression callstacks.
- -callstack_srcfile_hide <string>
default: ""
Callstack frames will not list source file paths matching any of these ,-separated patterns. The paths can contain * or ? wildcards.
- -callstack_srcfile_prefix <string>
default: ""
Callstack frame source paths that match any of these ,-separated prefixes will be printed without the leading portion up to and including the match.
- -lib_blacklist <string>
default: ""
Error reports whose top N frames' module paths match any of these ,-separated patterns will be separated by default as merely potential errors, where N is -lib_blacklist_frames. These errors are reported to potential_errors.txt rather than results.txt. This feature is disabled if -lib_blacklist_frames is 0. The -lib_whitelist takes priority over this blacklist: i.e., if any top frame matches the whitelist, the error will be reported normally, even if all frames also match the blacklist. Each pattern can use * and ? wildcards (which have the same semantics as in suppression files) and is matched against the full path of each module. The default on Windows is set to $SYSTEMROOT*.d?? if not otherwise specified.
- -lib_blacklist_frames <int>
default: 4 (minimum: 0, maximum: 4096)
The number of frames, starting from the top, that must match -lib_blacklist in a callstack in order for an error report to be separated from the regularly reported errors. Setting this value to 0 disables blacklist-based error separation. If the top frame is a system call or a replace_* Dr. Memory routine, it is ignored and matching starts from the second frame.
- -lib_whitelist <string>
default: ""
Error reports where not a single one of the top N frames' module paths match any of these ,-separated patterns will be separated by default as merely potential errors, where N is -lib_whitelist_frames. These errors are reported to potential_errors.txt rather than results.txt. This feature is disabled if -lib_whitelist_frames is 0 or if -lib_whitelist is empty. This whitelist takes priority over -lib_blacklist: i.e., if any top frame matches the whitelist, the error will be reported normally, even if all frames also match the blacklist. Each pattern can use * and ? wildcards (which have the same semantics as in suppression files) and is matched against the full path of each module.
- -lib_whitelist_frames <int>
default: 4 (minimum: 0, maximum: 4096)
The number of frames, starting from the top, that must not match -lib_whitelist in a callstack in order for an error report to be separated from the regularly reported errors. Setting this value to 0 disables -lib_whitelist-based error separation. If the top frame is a system call or a replace_* Dr. Memory routine, it is ignored and matching starts from the second frame.
- -src_whitelist <string>
default: ""
Error reports where not a single one of the top N frames' source file paths match any of these ,-separated patterns will be separated by default as merely potential errors, where N is -src_whitelist_frames. These errors are reported to potential_errors.txt rather than results.txt. This feature is disabled if -src_whitelist_frames is 0 or if -src_whitelist is empty. This whitelist takes priority over -lib_blacklist: i.e., if any top frame matches the whitelist, the error will be reported normally, even if all frames also match the blacklist. If combined with -lib_whitelist, the -lib_whitelist will perform its check first, followed by -src_whitelist. Each pattern can use * and ? wildcards (which have the same semantics as in suppression files) and is matched against the full path of each source file.
- -src_whitelist_frames <int>
default: 4 (minimum: 0, maximum: 4096)
The number of frames, starting from the top, that must not match -src_whitelist in a callstack in order for an error report to be separated from the regularly reported errors. Setting this value to 0 disables -src_whitelist-based error separation. If the top frame is a system call or a replace_* Dr. Memory routine, it is ignored and matching starts from the second frame.
- -check_uninit_blacklist <string>
default: ""
For each library or executable basename on this list, Dr. Memory suspends checking of uninitialized reads. Instead Dr. Memory marks all memory written by such modules as defined. This is a more efficient way to ignore all errors from a module than suppressing them or adding to the lib_blacklist option. Dr. Memory does automatically turn a whole-module suppression consisting of a single frame of the form 'modulename!*' into an entry on this list. The entries on this list can contain wildcards.
- -callstack_use_top_fp
default: true
Whether to trust the top-level ebp/rbp register to hold the next frame pointer. If enabled, overridden when -callstack_use_top_fp_selectively is enabled. Normally trusting the register is correct. However, if a frameless function is on top of the stack, using the ebp register can cause a callstack to skip the next function. If this option is set to false, the callstack walk will perform a stack scan at the top of every callstack. This adds additional overhead in exchange for more accuracy, although in -light mode the additional accuracy has some tradeoffs and can result in incorrect frames. It should not be necessary to disable this option normally, unless an application or one of its static libraries is built with optimizations that omit frame pointers.
- -callstack_use_top_fp_selectively
default: true
Whether to trust the top-level ebp/rbp register to hold the next frame pointer in certain situations. When enabled, this overrides -callstack_use_top_fp if it is enabled; but if -callstack_use_top_fp is disabled then the top fp is never used. When this option is enabled in full or -leaks_only modes, the top fp is not used for any non-leak errors, while in -light mode the top fp is not used only for non-leak errors where the top frame is in an application module. See the -callstack_use_top_fp option for further information about the top frame pointer.
- -callstack_use_fp
default: true
Whether to use frame pointers at all. The -callstack_use_top_fp and -callstack_use_top_fp_selectively options control whether to use the top frame pointer. This option controls whether to continue walking the frame pointer chain. Turning this off may be necessary if a mixture of frame pointer optimized code and un-optimized code is in use in the application, to avoid skipping interior callstack frames.
- -callstack_conservative
default: false
By default, callstack walking is tuned for performance. It is possible to miss some frames when application code is optimized. Enabling this option causes extra checks to be performed to attempt to create more accurate callstacks. These checks add extra overhead.
- -callstack_max_scan <int>
default: 2048 (minimum: 0, maximum: 16384)
How far to scan to locate the first stack frame when starting in a frameless function, or to locate the next stack frame when crossing loader or glue stub thunks or a signal or exception frame. Increasing this can produce better callstacks but may incur noticeable overhead for applications that make many allocation calls.
- -callstack_bad_fp_list <string>
default: "libstdc++*"
When walking frame pointers and transitioning from any module on this list to a frame not in the same module, the frame pointer chain is assumed to be suspect and a stack scan is performed. Use this option to avoid missing frames in your application's code that are skipped due to frame pointer optimizations in other libraries.
- -check_leaks
default: true
Whether to list details of each individual memory leak. If this option is disabled and -count_leaks is enabled, leaks will still be detected, but only the count of leaks will be shown.
- -count_leaks
default: true
Whether to detect memory leaks. Whether details on each leak are shown is controlled by the -check_leaks option. Disabling this option can reduce execution overhead as less information must be kept internally, while disabling -check_leaks will not affect execution overhead.
- -symbol_offsets
default: false
Deprecated: use -callstack_style flag 0x4
- -ignore_early_leaks
default: true
Whether to ignore leaks from memory allocated by system code prior to Dr. Memory taking over.
- -check_leaks_on_destroy
default: true
If enabled, when a heap is destroyed (HeapDestroy on Windows), report any live allocations inside it as possible leaks.
- -possible_leaks
default: true
Whether to list possibly-reachable allocations when leak checking. Requires -check_leaks.
- -midchunk_size_ok
default: true
Consider allocations reached by a mid-allocation pointer that points past a size field at the head of the allocation to be reachable instead of possibly leaked. Currently this option looks for a very specific pattern. If your application's header is slightly different please contact the authors about generalizing this check.
- -midchunk_new_ok
default: true
Consider allocations reached by a mid-allocation pointer that points past a size field at the head of the allocation that looks like a new[] header to be reachable instead of possibly leaked. A heuristic is used for this identification that is not perfect.
- -midchunk_inheritance_ok
default: true
Consider allocations reached by a mid-allocation pointer that points to a parent class instantiation to be reachable instead of possibly leaked. A heuristic is used for this identification that is not perfect.
- -midchunk_string_ok
default: true
Consider allocations reached by a mid-allocation pointer that points to a char array inside an instance of a std::string representation to be reachable instead of possibly leaked. A heuristic is used for this identification that is not perfect.
- -scan_read_only_files
default: false
Whether the leak scan should scan read-only file-mapped memory when looking for pointers to the heap. The leak scan does not track whether pages have been read-only since they were mapped, so it's possible for the application to store heap pointers in a file-mapped region and then mark it read-only. If your application does so, you may want to turn on this option.
- -strings_vs_pointers
default: true
Use heuristics to rule out sub-strings as leak scan pointers, preventing strings from anchoring heap objects and resulting in false negatives.
- -show_reachable
default: false
Whether to list reachable allocations when leak checking. Requires -check_leaks.
- -suppress <string>
default: ""
File containing errors to suppress. May be repeated. See Suppressing Errors.
- -default_suppress
default: true
Use the set of default suppressions that come with Dr. Memory. See Suppressing Errors.
- -gen_suppress_offs
default: true
Generate mod+offs suppressions in addition to mod!sym suppressions in the output suppress file
- -gen_suppress_syms
default: true
Generate mod!syms suppressions in addition to mod+offs suppressions in the output suppress file
- -show_threads
default: true
Whether to print the callstack of each thread creation point referenced in an error report to the global logfile, which can be useful to identify which thread was involved in the error report. Look for 'NEW THREAD' in the global.pid.log file in the log directory where the results.txt file is found.
- -show_all_threads
default: false
Whether to print the callstack of each thread creation point (whether referenced in an error report or not) to the global logfile. This can be useful to identify which thread was involved in error reports, as well as general diagnostics for what threads were present during a run. Look for 'NEW THREAD' in the global.pid.log file in the log directory where the results.txt file is found.
- -conservative
default: false
Be conservative whenever reading application memory. When this option is disabled, Dr. Memory may read return addresses and arguments passed to functions without fault-handling code, which gains performance but can sacrifice robustness when running hand-crafted assembly code
- -check_uninit_cmps
default: true
Report definedness errors on compares instead of waiting for conditional jmps.
- -check_uninit_non_moves
default: false
Report definedness errors on any instruction that is not a move. Note: turning this option on may result in false positives, but can also help diagnose errors through earlier error reporting.
- -check_uninit_all
default: false
Report definedness errors on any instruction, rather than the default of waiting until something meaningful is done, which reduces false positives. Note: turning this option on may result in false positives, but can also help diagnose errors through earlier error reporting.
- -strict_bitops
default: false
Currently, Dr. Memory's definedness granularity is per-byte. This can lead to false positives on code that uses bitfields. By default, Dr. Memory relaxes its uninitialized checking on certain bit operations that are typically only used with bitfields, to avoid these false positives. However, this can lead to false negatives. Turning this option on will eliminate all false negatives (at the cost of potential false positives). Eventually Dr. Memory will have bit-level granularity and this option will go away.
- -stack_swap_threshold <int>
default: 0x9000 (minimum: 256, maximum: INT_MAX)
Stack change amount to consider a swap instead of an allocation or de-allocation on the same stack. Dr. Memory attempts to dynamically tune this value unless it is changed from its default.
- -redzone_size <int>
default: 16 (minimum: 0, maximum: 32*1024)
Buffer on either side of each malloc. This should be a multiple of 8.
- -report_max <int>
default: 20000 (minimum: -1, maximum: INT_MAX)
Maximum non-leak errors to report (-1=no limit). This includes 'potential' errors listed separately.
- -report_leak_max <int>
default: 10000 (minimum: -1, maximum: INT_MAX)
Maximum leaks to report (-1=no limit). This includes 'potential' leaks listed separately.
- -report_write_to_read_only
default: true
Report writes to read-only memory as unaddressable errors.
- -show_duplicates
default: false
Print details on each duplicate error rather than only showing unique error details
- -batch
default: false
Do not launch notepad with the results file at application exit.
- -summary
default: true
Display process startup information and a summary of errors to stderr at app exit.
- -use_symcache
default: true
Cache results of symbol lookups to speed up future runs
- -symcache_dir <string>
default: "<install>/logs/symcache"
Destination for symbol cache files. When using a unique log directory for each run, symbols will not be shared across runs because the default cache location is inside the log directory. Use this option to set a shared directory.
- -symcache_minsize <int>
default: 1000 (minimum: 0, maximum: UINT_MAX)
Minimum module size to cache symbols for. Note that there's little downside to caching and it is pretty much always better to cache.
- -use_symcache_postcall
default: true
Cache post-call sites to speed up future runs. Requires -use_symcache to be true.
- -warn_null_ptr
default: false
Whether to warn when NULL is passed to free() or realloc().
- -delay_frees <int>
default: 2000 (minimum: 0, maximum: UINT_MAX)
Frees to delay before committing. The larger this number, the greater the likelihood that Dr. Memory will identify use-after-free errors. However, the larger this number, the more memory will be used. This value is separate for each set of allocation routines and each Windows Heap.
- -delay_frees_maxsz <int>
default: 20000000 (minimum: 0, maximum: UINT_MAX)
Maximum size of frees to delay before committing. The larger this number, the greater the likelihood that Dr. Memory will identify use-after-free errors. However, the larger this number, the more memory will be used. This value is separate for each set of allocation routines and each Windows Heap.
- -delay_frees_stack
default: true
Record callstacks on free to use when reporting use-after-free or other errors that overlap with freed objects. There is a slight performance hit incurred by this feature for malloc-intensive applications. The callstack size is controlled by -free_max_frames.
- -leaks_only
default: false
Puts Dr. Memory into a leak-check-only mode that has lower overhead but does not detect types of errors other than invalid frees.
- -check_uninitialized
default: IF_X64_ELSE(false, true)
Check for uninitialized read errors. When disabled, puts Dr. Memory into a mode that has lower overhead but does not detect definedness errors. Furthermore, the lack of definedness information reduces accuracy of leak identification, resulting in potentially failing to identify some leaks.
- -check_stack_bounds
default: false
Only applies for -no_check_uninitialized. Determines whether to check for beyond-top-of-stack accesses.
- -check_stack_access
default: false
Only applies for -no_check_uninitialized. Determines whether to check for errors on memory references that use esp or ebp as a base. These are normally local variable and function parameter references only, but for optimized or unusual code they could point elsewhere in memory. Checking these incurs additional overhead.
- -check_alignment
default: false
Only applies for -no_check_uninitialized. Determines whether to incur additional overhead in order to handle memory accesses that are not aligned to their size. With this option off, the tool may miss bounds overflows that involve unaligned memory references.
- -fault_to_slowpath
default: true
Only applies for -no_check_uninitialized. Determines whether to use faulting instructions rather than explicit jump-and-link to exit from fastpath to slowpath.
- -check_delete_mismatch
default: true
Whether to check for free/delete/delete[] mismatches
- -check_prefetch
default: true
Whether to report unaddressable prefetches as warnings
- -prctl_whitelist <string>
default: ""
If this list is non-empty, when Dr. Memory sees prctl(PR_SET_NAME) and the name is not on the list, then Dr. Memory will disable its instrumentation for the rest of the process and for all of its child processes. The list is ,-separated.
- -auxlib <string>
default: ""
This option should specify the basename of an auxiliary system call handling library found in the same directory as the Dr. Memory client library.
- -analyze_unknown_syscalls
default: true
For unknown syscalls use memory comparison to find output params
- -syscall_dword_granularity
default: true
For unknown syscall comparisons (-analyze_unknown_syscalls), when changes are detected, consider the containing dword to have changed
- -syscall_sentinels
default: false
Use sentinels to detect writes on unknown syscalls and reduce false positives, in particular for uninitialized reads. Can potentially result in incorrect behavior if definedness information is incorrect or application threads read syscall parameter info simultaneously. This option requires -analyze_unknown_syscalls to be enabled.
- -prefer_msize
default: false
Prefer _msize to malloc_usable_size when both are present
- -perturb
default: false
Adds random delays to thread synchronization and other operations to try and increase the chances of catching race conditions.
- -perturb_only
default: false
Adds random delays to thread synchronization and other operations to try and increase the chances of catching race conditions, but disables all memory checking to create a low-overhead tool that executes significantly faster. However, without memory checking race conditions will only be detected if they result in an actual crash or other externally visible change in behavior. When this option is enabled, Dr. Memory will not produce an error summary or results.txt.
- -perturb_max <int>
default: 50 (minimum: 0, maximum: UINT_MAX)
This option sets the maximum delay added by -perturb, in milliseconds for thread operations and in custom units for instruction-level operations. Delays added will be randomly selected from 0 up to -perturb_max.
- -perturb_seed <int>
default: 0 (minimum: 0, maximum: UINT_MAX)
To reproduce the random delays added by -perturb, pass the seed from the logfile from the target run to this option. There may still be non-determinism in the rest of the system, however.
- -unaddr_only
default: false
This option enables a lightweight mode that only detects critical errors of unaddressable accesses on heap data. This option cannot be used with 'light' or 'check_uninitialized'.
- -pattern <int>
default: 0 (minimum: 0, maximum: USHRT_MAX)
Use sentinels to detect accesses on unaddressable regions around allocated heap objects. When this option is enabled, checks for uninitialized read errors will be disabled.
- -persist_code
default: false
Cache instrumented code to speed up future runs. For short-running applications, this can provide a performance boost. It may not be worth enabling for long-running applications. Currently, this option is only supported with -light or -no_check_uninitialized. It also currently fails to re-use randomized libraries on Windows, resulting in less of a performance boost for applications that use many libraries with ASLR enabled.
- -persist_dir <string>
default: "<install>/logs/codecache"
Destination for code cache files. When using a unique log directory for each run, symbols will not be shared across runs because the default cache location is inside the log directory. Use this option to set a shared directory.
- -soft_kills
default: true
Ensure external processes terminated by this one exit cleanly. Often applications forcibly terminate child processes, which can prevent proper leak checking and error and suppression summarization as well as generation of symbol and code cache files needed for performance. When this option is enabled, every termination call to another process will be replaced with a directive to the Dr. Memory running in that process to perform a clean shutdown. If there is no DynamoRIO-based tool in the target process, the regular termination call will be carried out.
- -fuzz_target <string>
default: ""
Fuzz test the target program according to the specified descriptor, which should have the format:
<target>|<arg-count>|<buffer-index>|<size-index>|<repeat-count>[|<calling-convention>]
where <target> has one of two formats:
  - <module>!<symbol>
  - <module>+<offset>
Here, <module> refers to a single binary image file such as a library (.so or .dll) or an application executable (.exe on Windows). The <offset> specifies the entry point of the target function as a hexadecimal offset (e.g. '0xf7d4') from the start of the module that contains it (i.e., the library or executable image). The <symbol> may be a plain C function name, a mangled C++ symbol, or (Windows only) a de-mangled C++ symbol of the form returned by the Symbol Query Tool. The option -fuzz_mangled_names is required for using mangled names in Windows, and the mangled name must have every '@' character escaped by substituting a '-' in its place. The module alias <main> may be used to refer to the main module of the process, which is the program executable.
The <arg-count> specifies the number of arguments to the function (for vararg functions this must match the actual number of arguments passed by the app). The <*-index> arguments specify the index of the corresponding parameter in the target function. The <repeat-count> indicates the number of times to repeat the target function (use 0 to repeat until the mutator is exhausted). The optional <calling-convention> can be specified using one of the following codes:
  - 1 = AMD64
  - 2 = Microsoft x64 (Visual Studio)
  - 3 = ARM
  - 4 = cdecl or stdcall
  - 5 = fastcall
  - 6 = thiscall
- -fuzz_mutator <string>
default: ""
Configure the input mutator of the fuzz tester according to the specified descriptor, which should have the format:
<algorithm>|<unit>|<flags>|<sparsity>[|<random_seed>]
where <algorithm> is one of the drfuzz_mutator_algorithm_t:
  - r = random selection of bits or numbers (MUTATOR_ALG_RANDOM)
  - o = ordered sequence of bits or numbers (MUTATOR_ALG_ORDERED)
and <unit> is one of the drfuzz_mutator_unit_t:
  - b = mutation by bit flipping (MUTATOR_UNIT_BITS)
  - n = mutation by random number generation (MUTATOR_UNIT_NUM)
and <flags> are any combination of:
  - r = reset to the original buffer value passed by the app before each mutation
  - t = seed the mutator's random number generator with the current clock time (drfuzz_mutator_options_t.random_seed)
and the <sparsity> is an integer specifying a number of values to skip between mutations (drfuzz_mutator_options_t.sparsity). See Fuzz Testing Mode for more detailed information.
- -fuzz_one_input <string>
default: ""
Specify one fuzz input value to test. The value is a hexadecimal byte sequence using the printed byte order (i.e., non-endian), for example '7f392a' represents byte array { 0x7f, 0x39, 0x2a }.
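
A validator for the -fuzz_target descriptor and the -fuzz_one_input value described above, useful for rejecting a malformed descriptor before a long instrumented run. This is an added example, not part of Dr. Memory or its documentation; it assumes the parameter indexes are zero-based, and the module and symbol names in the demo are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Calling-convention codes as listed for -fuzz_target.
CALLING_CONVENTIONS = {
    1: "AMD64",
    2: "Microsoft x64 (Visual Studio)",
    3: "ARM",
    4: "cdecl or stdcall",
    5: "fastcall",
    6: "thiscall",
}


@dataclass(frozen=True)
class FuzzTarget:
    module: str
    symbol: Optional[str]   # set for the <module>!<symbol> form
    offset: Optional[int]   # set for the <module>+<offset> form
    arg_count: int
    buffer_index: int
    size_index: int
    repeat_count: int       # 0 = repeat until the mutator is exhausted
    calling_convention: Optional[int]


def escape_mangled_symbol(symbol: str) -> str:
    """Escape a mangled Windows name for the descriptor: every '@' becomes '-'."""
    return symbol.replace("@", "-")


def _parse_target(target: str) -> Tuple[str, Optional[str], Optional[int]]:
    # Try '!' first and split at its first occurrence: a de-mangled C++
    # symbol can itself contain '+' (operator+) or '!' (operator!=).
    if "!" in target:
        module, _, symbol = target.partition("!")
        if not module or not symbol:
            raise ValueError(f"empty module or symbol in {target!r}")
        if "@" in symbol:
            raise ValueError("unescaped '@' in symbol; replace each '@' with '-'")
        return module, symbol, None
    # Offset form: split at the LAST '+', because module names such as
    # libstdc++.so contain '+' themselves.
    module, sep, off = target.rpartition("+")
    if not sep or not module or not re.fullmatch(r"(?:0[xX])?[0-9a-fA-F]+", off):
        raise ValueError(f"{target!r} is neither module!symbol nor module+hexoffset")
    return module, None, int(off, 16)


def parse_fuzz_target(descriptor: str) -> FuzzTarget:
    """Parse <target>|<arg-count>|<buffer-index>|<size-index>|<repeat-count>[|<cc>]."""
    fields = descriptor.split("|")
    if len(fields) not in (5, 6):
        raise ValueError(f"expected 5 or 6 '|'-separated fields, got {len(fields)}")
    module, symbol, offset = _parse_target(fields[0])
    names = ("arg-count", "buffer-index", "size-index", "repeat-count",
             "calling-convention")
    for name, text in zip(names, fields[1:]):
        if not re.fullmatch(r"[0-9]+", text):
            raise ValueError(f"<{name}> must be a non-negative integer, got {text!r}")
    nums = [int(text) for text in fields[1:]]
    arg_count, buf_idx, size_idx, repeat = nums[:4]
    conv = nums[4] if len(nums) == 5 else None
    # Assumption (not stated on the page): indexes are zero-based, so a valid
    # index is strictly below <arg-count>.
    for name, idx in (("buffer-index", buf_idx), ("size-index", size_idx)):
        if idx >= arg_count:
            raise ValueError(f"<{name}> {idx} is out of range for {arg_count} argument(s)")
    if conv is not None and conv not in CALLING_CONVENTIONS:
        raise ValueError(f"unknown calling-convention code {conv}")
    return FuzzTarget(module, symbol, offset, arg_count, buf_idx, size_idx, repeat, conv)


def parse_fuzz_one_input(value: str) -> bytes:
    """Decode a -fuzz_one_input value: hex digits in printed byte order."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", value):
        raise ValueError("expected an even number of hex digits with no prefix")
    return bytes.fromhex(value)


if __name__ == "__main__":
    # Constructed descriptors for illustration only.
    for desc in ("libexample.so!parse_packet|2|0|1|100",
                 "libstdc++.so+0xf7d4|3|1|2|0|1"):
        print(desc, "->", parse_fuzz_target(desc))
    print(parse_fuzz_one_input("7f392a"))
```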