//===- FuzzerFlags.def - Run-time flags -------------------------*- C++ -* ===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
// Flags. FUZZER_FLAG_INT/FUZZER_FLAG_STRING macros should be defined at the
// point of inclusion. We are not using any flag parsing library for better
// portability and independence.
//===----------------------------------------------------------------------===//
// Core run control: logging level, RNG determinism and the iteration budget.
FUZZER_FLAG_INT(verbosity, 1, "Verbosity level.")
FUZZER_FLAG_UNSIGNED(seed, 0, "Random seed. If 0, seed is generated.")
FUZZER_FLAG_INT(runs, -1, "Number of individual test runs (-1 for infinite runs).")
// 0 means "derive from the corpus"; the chosen value is reported at startup.
FUZZER_FLAG_INT(max_len, 0,
                "Maximum length of the test input. If 0, libFuzzer tries to "
                "guess a good value based on the corpus and reports it. ")
// Input-length schedule: start small and raise the limit towards max_len.
FUZZER_FLAG_INT(len_control, 1000,
                "Try generating small inputs first, then try larger inputs "
                "over time. Specifies the rate at which the length limit is "
                "increased (smaller == faster). If 0, immediately try inputs "
                "with size up to max_len.")
// Mutation strategy knobs.
FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.")
FUZZER_FLAG_INT(mutate_depth, 5, "Apply this number of consecutive mutations to each input.")
// Internal experiment; off by default.
FUZZER_FLAG_INT(reduce_depth, 0,
                "Experimental/internal. Reduce depth if mutations lose unique "
                "features")
// Corpus ordering at startup.
FUZZER_FLAG_INT(shuffle, 1, "Shuffle inputs at startup")
FUZZER_FLAG_INT(prefer_small, 1, "If 1, always prefer smaller inputs during the corpus shuffle.")
// Per-unit and whole-session time limits, plus the exit codes used to report them.
FUZZER_FLAG_INT(timeout, 1200,
                "Timeout in seconds (if positive). If one unit runs more than "
                "this number of seconds the process will abort.")
FUZZER_FLAG_INT(error_exitcode, 77,
                "When libFuzzer itself reports a bug this exit code will be used.")
FUZZER_FLAG_INT(timeout_exitcode, 77,
                "When libFuzzer reports a timeout this exit code will be used.")
FUZZER_FLAG_INT(max_total_time, 0,
                "If positive, indicates the maximal total time in seconds to "
                "run the fuzzer.")
FUZZER_FLAG_INT(help, 0, "Print help.")
// Corpus merging, also the documented way to minimize a corpus.
FUZZER_FLAG_INT(merge, 0,
                "If 1, the 2-nd, 3-rd, etc corpora will be merged into the "
                "1-st corpus. Only interesting units will be taken. This flag "
                "can be used to minimize a corpus.")
// Merge-process plumbing: merge_inner is internal, merge_control_file lets an
// interrupted merge be resumed from the state it left behind.
FUZZER_FLAG_STRING(merge_inner, "internal flag")
FUZZER_FLAG_STRING(merge_control_file,
                   "Specify a control file used for the merge process. If a "
                   "merge process gets killed it tries to leave this file in "
                   "a state suitable for resuming the merge. By default a "
                   "temporary file will be used.")
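// Coverage summaries exchanged between merge runs (both only meaningful with -merge=1).
FUZZER_FLAG_STRING(save_coverage_summary,
                   "Experimental: save coverage summary to a given file. "
                   "Used with -merge=1")
FUZZER_FLAG_STRING(load_coverage_summary,
                   "Experimental: load coverage summary from a given file. "
                   "Treat this coverage as belonging to the first corpus. "
                   "Used with -merge=1")
// Crash minimization. Help text fixed: "the number attempts" -> "the number of attempts".
FUZZER_FLAG_INT(minimize_crash, 0,
                "If 1, minimizes the provided crash input. Use with -runs=N or "
                "-max_total_time=N to limit the number of attempts. Use with "
                "-exact_artifact_path to specify the output. Combine with "
                "ASAN_OPTIONS=dedup_token_length=3 (or similar) to ensure that "
                "the minimized input triggers the same crash.")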
// Crash cleansing, and the internal step counter used by the minimizer.
FUZZER_FLAG_INT(cleanse_crash, 0,
                "If 1, tries to cleanse the provided crash input to make it "
                "contain fewer original bytes. Use with -exact_artifact_path "
                "to specify the output.")
FUZZER_FLAG_INT(minimize_crash_internal_step, 0, "internal flag")
// Feedback sources that guide mutation.
FUZZER_FLAG_INT(use_counters, 1, "Use coverage counters")
FUZZER_FLAG_INT(use_memmem, 1, "Use hints from intercepting memmem, strstr, etc")
FUZZER_FLAG_INT(use_value_profile, 0, "Experimental. Use value profile to guide fuzzing.")
FUZZER_FLAG_INT(use_cmp, 1, "Use CMP traces to guide mutations")
FUZZER_FLAG_INT(shrink, 0, "Experimental. Try to shrink corpus inputs.")
FUZZER_FLAG_INT(reduce_inputs, 1,
                "Try to reduce the size of inputs while preserving their full "
                "feature sets")
// Parallel execution and corpus sharing between processes.
FUZZER_FLAG_UNSIGNED(jobs, 0,
                     "Number of jobs to run. If jobs >= 1 we spawn this number "
                     "of jobs in separate worker processes with stdout/stderr "
                     "redirected to fuzz-JOB.log.")
FUZZER_FLAG_UNSIGNED(workers, 0,
                     "Number of simultaneous worker processes to run the "
                     "jobs. If zero, \"min(jobs,NumberOfCpuCores()/2)\" is "
                     "used.")
FUZZER_FLAG_INT(reload, 1,
                "Reload the main corpus every <N> seconds to get new units "
                "discovered by other processes. If 0, disabled")
FUZZER_FLAG_INT(report_slow_units, 10,
                "Report slowest units if they run for more than this number "
                "of seconds.")
// Input shaping.
FUZZER_FLAG_INT(only_ascii, 0, "If 1, generate only ASCII (isprint+isspace) inputs.")
FUZZER_FLAG_STRING(dict, "Experimental. Use the dictionary file.")
// Where crash/timeout/slow artifacts are written. exact_artifact_path is a
// fixed path, so parallel processes must not share it.
FUZZER_FLAG_STRING(artifact_prefix,
                   "Write fuzzing artifacts (crash, timeout, or slow inputs) "
                   "as $(artifact_prefix)file")
FUZZER_FLAG_STRING(exact_artifact_path,
                   "Write the single artifact on failure (crash, timeout) as "
                   "$(exact_artifact_path). This overrides -artifact_prefix and "
                   "will not use checksum in the file name. Do not use the "
                   "same path for several parallel processes.")
FUZZER_FLAG_INT(print_pcs, 0, "If 1, print out newly covered PCs.")
// Cap on how many newly covered functions are printed.
FUZZER_FLAG_INT(print_funcs, 2,
                "If >=1, print out at most this number of newly covered "
                "functions.")
// Exit-time reporting.
FUZZER_FLAG_INT(print_final_stats, 0, "If 1, print statistics at exit.")
FUZZER_FLAG_INT(print_corpus_stats, 0, "If 1, print statistics on corpus elements at exit.")
FUZZER_FLAG_INT(print_coverage, 0, "If 1, print coverage information as text at exit.")
// Kept for compatibility; the help text itself marks it deprecated.
FUZZER_FLAG_INT(dump_coverage, 0,
                "Deprecated. If 1, dump coverage information as a .sancov "
                "file at exit.")
[libFuzzer] Handle unstable edges by using minimum hit counts
Summary:
Created unstable_handle flag that takes 1 or 2, depending on the handling type.
Modified RunOne to accommodate the following heuristic:
Use the first CollectFeatures to count how many features there are.
If no new features, CollectFeatures like before.
If there is new feature, we run CB 2 more times,
Check which edges are unstable per input and we store the least amount of hit counts for each edge.
Apply these hit counts back to inline8bitcounters so that CollectFeatures can work as intended.
Modified UnstableCounters to 8int_t and created a bitset UnstableSet to tell which edges are unstable.
Patch by Kyungtak Woo (@kevinwkt).
Reviewers: Dor1s, metzman, morehouse
Reviewed By: Dor1s, morehouse
Subscribers: delcypher, #sanitizers, llvm-commits, kcc
Differential Revision: https://reviews.llvm.org/D49525
llvm-svn: 337696
// Unstable-edge handling: re-executes an input that produced a new feature so
// that nondeterministic edges do not pollute feature collection.
FUZZER_FLAG_INT(handle_unstable, 0,
                "Experimental. Executes every input 3 times in total if a "
                "unique feature is found during the first execution. If 1, we "
                "only use the minimum hit count from the 3 runs to determine "
                "whether an input is interesting. If 2, we disregard edges "
                "that are found unstable for feature collection.")
[libFuzzer] Implement stat::stability_rate based on the percentage of unstable edges.
Summary:
Created a -print_unstable_stats flag.
When -print_unstable_stats=1, we run it 2 more times on interesting inputs poisoning unstable edges in an array.
On program termination, we run PrintUnstableStats() which will print a line with a stability percentage like AFL does.
Patch by Kyungtak Woo (@kevinwkt).
Reviewers: metzman, Dor1s, kcc, morehouse
Reviewed By: metzman, Dor1s, morehouse
Subscribers: delcypher, llvm-commits, #sanitizers, kcc, morehouse, Dor1s
Differential Revision: https://reviews.llvm.org/D49212
llvm-svn: 337187
// Companion to handle_unstable: report edge stability at exit.
FUZZER_FLAG_INT(print_unstable_stats, 0,
                "Experimental. If 1, print unstable statistics at exit.")
// Signal interception. Each flag independently controls one handler; per the
// help text only the value 1 requests interception.
FUZZER_FLAG_INT(handle_segv, 1, "If 1, try to intercept SIGSEGV.")
FUZZER_FLAG_INT(handle_bus, 1, "If 1, try to intercept SIGBUS.")
FUZZER_FLAG_INT(handle_abrt, 1, "If 1, try to intercept SIGABRT.")
FUZZER_FLAG_INT(handle_ill, 1, "If 1, try to intercept SIGILL.")
FUZZER_FLAG_INT(handle_fpe, 1, "If 1, try to intercept SIGFPE.")
FUZZER_FLAG_INT(handle_int, 1, "If 1, try to intercept SIGINT.")
FUZZER_FLAG_INT(handle_term, 1, "If 1, try to intercept SIGTERM.")
FUZZER_FLAG_INT(handle_xfsz, 1, "If 1, try to intercept SIGXFSZ.")
// User-defined signals, handled like the other handle_* flags above.
FUZZER_FLAG_INT(handle_usr1, 1, "If 1, try to intercept SIGUSR1.")
FUZZER_FLAG_INT(handle_usr2, 1, "If 1, try to intercept SIGUSR2.")
// Bitmask: 1 = stdout, 2 = stderr, 3 = both. Closing stderr also silences any
// sanitizer report that would have gone there.
FUZZER_FLAG_INT(close_fd_mask, 0,
                "If 1, close stdout at startup; if 2, close stderr; if 3, "
                "close both. Be careful, this will also close e.g. stderr of "
                "asan.")
// Only has an effect when LeakSanitizer is linked in.
FUZZER_FLAG_INT(detect_leaks, 1,
                "If 1, and if LeakSanitizer is enabled try to detect memory "
                "leaks during fuzzing (i.e. not only at shut down).")
// Periodic allocator purge; -1 disables it entirely.
FUZZER_FLAG_INT(purge_allocator_interval, 1,
                "Purge allocator caches and quarantines every <N> seconds. "
                "When rss_limit_mb is specified (>0), purging starts when RSS "
                "exceeds 50% of rss_limit_mb. Pass purge_allocator_interval=-1 "
                "to disable this functionality.")
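// Allocation tracing and the RSS ceiling that ends the run.
FUZZER_FLAG_INT(trace_malloc, 0,
                "If >= 1 will print all mallocs/frees. If >= 2 will also "
                "print stack traces.")
// Help text fixed: the two literals used to concatenate to "uponreaching".
FUZZER_FLAG_INT(rss_limit_mb, 2048,
                "If non-zero, the fuzzer will exit upon reaching this limit "
                "of RSS memory usage.")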
// Single-allocation ceiling; defaults to the rss_limit_mb value when 0.
FUZZER_FLAG_INT(malloc_limit_mb, 0,
                "If non-zero, the fuzzer will exit if the target tries to "
                "allocate this number of Mb with one malloc call. If zero "
                "(default) same limit as rss_limit_mb is applied.")
// Early-exit hooks used by libFuzzer's own test suite.
FUZZER_FLAG_STRING(exit_on_src_pos,
                   "Exit if a newly found PC originates from the given source "
                   "location. Example: -exit_on_src_pos=foo.cc:123. Used "
                   "primarily for testing libFuzzer itself.")
FUZZER_FLAG_STRING(exit_on_item,
                   "Exit if an item with a given sha1 sum was added to the "
                   "corpus. Used primarily for testing libFuzzer itself.")
// Lets the target consume the rest of argv itself.
FUZZER_FLAG_INT(ignore_remaining_args, 0,
                "If 1, ignore all arguments passed after this one. Useful for "
                "fuzzers that need to do their own argument parsing.")
// Steers fuzzing towards inputs that reach one named function.
FUZZER_FLAG_STRING(focus_function,
                   "Experimental. Fuzzing will focus on inputs that trigger "
                   "calls to this function")
// Retired flags. FUZZER_DEPRECATED_FLAG is presumably defined by the includer
// alongside FUZZER_FLAG_INT/STRING (the file header only names those two) -- confirm.
FUZZER_DEPRECATED_FLAG(run_equivalence_server)
FUZZER_DEPRECATED_FLAG(use_equivalence_server)
// Experimental; the help text gives no further detail.
FUZZER_FLAG_INT(analyze_dict, 0, "Experimental")
// Retired flag; see the FUZZER_DEPRECATED_FLAG entries above.
FUZZER_DEPRECATED_FLAG(use_clang_coverage)
// Experimental data-flow-trace input; the help text does not say what format is expected.
FUZZER_FLAG_STRING(data_flow_trace, "Experimental: use the data flow trace")