From f6d63ccc901f73ea6a345f59464f3f60525f9179 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Thu, 17 Nov 2016 17:31:54 +0000 Subject: [PATCH] [libFuzzer] better documentation for -fsanitize-coverage=trace-cmp git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@287240 91177308-0d34-0410-b5e6-96231b3b80d8 --- docs/LibFuzzer.rst | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/docs/LibFuzzer.rst b/docs/LibFuzzer.rst index a46c23ac281..a8530f95285 100644 --- a/docs/LibFuzzer.rst +++ b/docs/LibFuzzer.rst @@ -451,12 +451,22 @@ The dictionary syntax is similar to that used by AFL_ for its ``-x`` option:: # the name of the keyword followed by '=' may be omitted: "foo\x0Abar" -Value Profile ---------------- -*EXPERIMENTAL*. + +Tracing CMP instructions +------------------------ + With an additional compiler flag ``-fsanitize-coverage=trace-cmp`` (see SanitizerCoverageTraceDataFlow_) +libFuzzer will intercept CMP instructions and guide mutations based +on the arguments of intercepted CMP instructions. This may slow down +the fuzzing but is very likely to improve the results. + +Value Profile +------------- + +*EXPERIMENTAL*. +With ``-fsanitize-coverage=trace-cmp`` and extra run-time flag ``-use_value_profile=1`` the fuzzer will collect value profiles for the parameters of compare instructions and treat some new values as new coverage. -- 2.40.0
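Review bot: the new "Tracing CMP instructions" section and the rewritten "Value Profile" paragraph each spell out ``-fsanitize-coverage=trace-cmp`` without stating how the two relate; in the Value Profile hunk, "With ``-fsanitize-coverage=trace-cmp`` and extra run-time flag ``-use_value_profile=1``" could read "With the compiler flag described above and the extra run-time flag ``-use_value_profile=1``" so the reader sees that value profiling is built on the CMP tracing instrumentation and is not a second, independent compile option. In the added paragraph, the parenthetical "(see SanitizerCoverageTraceDataFlow_)" sits between the subject and the verb of a sentence that spans three lines; moving it to the end of the sentence ("... based on the arguments of intercepted CMP instructions (see SanitizerCoverageTraceDataFlow_).") keeps "With an additional compiler flag ``-fsanitize-coverage=trace-cmp`` libFuzzer will intercept CMP instructions" intact. Finally, "This may slow down the fuzzing but is very likely to improve the results" gives no indication of the cost; a phrase such as "slows down execution somewhat" or a pointer to where the overhead is measured would help users decide whether to enable it by default.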