Commit Graph

451 Commits

Author SHA1 Message Date
Kostya Serebryany 8a56917492 [libFuzzer] fix -error_exitcode=N, now with a test
llvm-svn: 285958
2016-11-03 19:31:18 +00:00
Kostya Serebryany bcfb0802e2 [libFuzzer] enable use_cmp by default
llvm-svn: 285353
2016-10-27 21:44:37 +00:00
Kostya Serebryany 94c427c23e [libFuzzer] speculatively trying to fix the Mac build; second attempt
llvm-svn: 285262
2016-10-27 00:36:38 +00:00
Kostya Serebryany 3d945f6247 [libFuzzer] revert 285259 -- hit commit too soon
llvm-svn: 285260
2016-10-27 00:24:34 +00:00
Kostya Serebryany 15cd6b4b10 [libFuzzer] speculatively trying to fix the Mac build
llvm-svn: 285259
2016-10-27 00:22:39 +00:00
Kostya Serebryany 2fabecaee3 [libFuzzer] simplify TracePC::HandleTrace even further. Also, when dealing with -exit_on_src_pos, symbolize every PC only once
llvm-svn: 285223
2016-10-26 18:52:04 +00:00
Kostya Serebryany 06b8757b57 [libFuzzer] simplify the code in TracePC::HandleTrace a bit more
llvm-svn: 285147
2016-10-26 00:42:52 +00:00
Kostya Serebryany a5b2e54fcb [libFuzzer] simplify the code to print new PCs
llvm-svn: 285145
2016-10-26 00:20:51 +00:00
Kostya Serebryany 275e260258 [libFuzzer] simplify the code in TracePC::HandleTrace
llvm-svn: 285142
2016-10-25 23:52:25 +00:00
Kostya Serebryany 117976818e [libFuzzer] add StandaloneFuzzTargetMain.c and a test for it
llvm-svn: 285135
2016-10-25 22:30:34 +00:00
Kostya Serebryany c48c93184a [libFuzzer] when mutating based on CMP traces also try adding +/- 1 to the desired bytes. Add another test for use_cmp
llvm-svn: 285109
2016-10-25 20:15:15 +00:00
Kostya Serebryany 3364f90783 [libFuzzer] simplify the code for use_cmp, also use the position hint when available, add a test
llvm-svn: 285049
2016-10-25 02:04:43 +00:00
Kostya Serebryany 65f102d4d2 [libFuzzer] mutation: insert the size of the input in bytes as one of the ways to mutate a binary integer
llvm-svn: 284909
2016-10-22 03:48:53 +00:00
Kostya Serebryany 10ae9e23a3 [libFuzzer] typo in a test
llvm-svn: 284903
2016-10-22 01:07:38 +00:00
Kostya Serebryany 2bfff021ad [libFuzzer] add a test for asan's strict_string_checks=1
llvm-svn: 284902
2016-10-22 00:05:44 +00:00
Reid Kleckner ac2a2a86e4 Fix -Wunused-variable warning in libFuzzer
llvm-svn: 284838
2016-10-21 16:26:27 +00:00
Kostya Serebryany 95b1a434d2 [libFuzzer] extend -print_coverage to also print uncovered lines, functions, and files.
Example of output:
COVERAGE:
COVERED: in DSO2(int) /pathto/DSO2.cpp:6
COVERED: in DSO2(int) /pathto/DSO2.cpp:8
COVERED: in DSO1(int) /pathto/DSO1.cpp:6
COVERED: in DSO1(int) /pathto/DSO1.cpp:8
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:16
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:19
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:25
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:26
MODULE_WITH_COVERAGE: /pathto/libLLVMFuzzer-DSO1.so
UNCOVERED_LINE: in DSO1(int) /pathto/DSO1.cpp:9
UNCOVERED_FUNC: in Uncovered1()
MODULE_WITH_COVERAGE: /pathto/libLLVMFuzzer-DSO2.so
UNCOVERED_LINE: in DSO2(int) /pathto/DSO2.cpp:9
UNCOVERED_FUNC: in Uncovered2()
MODULE_WITH_COVERAGE: /pathto/LLVMFuzzer-DSOTest
UNCOVERED_LINE: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:21
UNCOVERED_LINE: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:27
UNCOVERED_FILE: /pathto/DSOTestExtra.cpp

Several things are not perfect here:
* we are using objdump+awk instead of sancov because sancov does not support DSOs yet.
* this breaks in the presence of ASAN_OPTIONS=strip_path_prefix=...
  (need to implement another API to get the module name by PC)

llvm-svn: 284554
2016-10-19 00:12:03 +00:00
Kostya Serebryany bb59ef77ca [libFuzzer] detect leaks after every run when executing fixed inputs (./fuzzer -runs=1000000 my-file)
llvm-svn: 284514
2016-10-18 18:38:08 +00:00
Kostya Serebryany 8dfed45cd4 [libFuzzer] reshuffle the code for -exit_on_src_pos and -exit_on_item
llvm-svn: 284508
2016-10-18 18:06:05 +00:00
Kostya Serebryany 9a4b10a56f [libFuzzer] swap bytes in integers when handling CMP traces
llvm-svn: 284301
2016-10-15 04:00:07 +00:00
Kostya Serebryany f9b8e8b117 [libFuzzer] better algorithm for -minimize_crash
llvm-svn: 284299
2016-10-15 01:00:24 +00:00
Kostya Serebryany e450e40741 [libFuzzer] remove subdir fuzzer-test-suite as it is now superseded with https://github.com/google/fuzzer-test-suite
llvm-svn: 284275
2016-10-14 20:26:40 +00:00
Kostya Serebryany a5f94fb6c9 [libFuzzer] add -trace_cmp=1 (guiding mutations based on the observed CMP instructions). This is a reincarnation of the previously deleted -use_traces, but using a different approach for collecting traces. Still a toy, but at least it scales well. Also fix -merge in trace-pc-guard mode
llvm-svn: 284273
2016-10-14 20:20:33 +00:00
Kostya Serebryany 0381374f96 [libFuzzer] more detailed message for disabled leak detection
llvm-svn: 284169
2016-10-13 22:24:10 +00:00
Kostya Serebryany a17d23eaa7 [libFuzzer] add -trace_malloc= flag
llvm-svn: 284149
2016-10-13 19:06:46 +00:00
Kostya Serebryany 17d176e16b [libFuzzer] reapply r283946: refactoring to speed things up, NFC. Now with a fix for gcc build
llvm-svn: 284132
2016-10-13 16:19:09 +00:00
Daniel Jasper 90d990e034 Revert "[libFuzzer] refactoring to speed things up, NFC"
This reverts commit r283946.

This breaks when build with GCC:
lib/Fuzzer/FuzzerTracePC.cpp:169:6: error: always_inline function might not be inlinable [-Werror=attributes]
lib/Fuzzer/FuzzerTracePC.cpp:169:6: error: inlining failed in call to always_inline 'void fuzzer::TracePC::HandleCmp(void*, T, T) [with T = long unsigned int]': target specific option mismatch
lib/Fuzzer/FuzzerTracePC.cpp:198:65: error: called from here

llvm-svn: 283979
2016-10-12 07:26:46 +00:00
Kostya Serebryany a09d11e108 [libFuzzer] refactoring to speed things up, NFC
llvm-svn: 283946
2016-10-11 21:27:37 +00:00
Kostya Serebryany d19919a80e [libFuzzer] implement value profile for switch, increase the size of the PCs array, make sure we don't overflow it
llvm-svn: 283841
2016-10-11 01:14:41 +00:00
Kostya Serebryany 3e0e901a18 [libFuzzer] add switch tests
llvm-svn: 283840
2016-10-11 01:13:32 +00:00
Kostya Serebryany 7abb95d3b3 [libFuzzer] make a test less flaky
llvm-svn: 283686
2016-10-09 03:45:38 +00:00
Kostya Serebryany c5325ed29d [libFuzzer] when shrinking the corpus, delete evicted files previously created by the current process
llvm-svn: 283682
2016-10-08 23:24:45 +00:00
Kostya Serebryany 9adc7c8b4a [libFuzzer] control the reload interval by a flag, make it 10 seconds by default
llvm-svn: 283676
2016-10-08 22:12:14 +00:00
Kostya Serebryany cd04ec25dd [libFuzzer] fix use-after-free in libFuzzer found by ... fuzzing.
llvm-svn: 283675
2016-10-08 21:57:48 +00:00
Kostya Serebryany 936b1e774f [libFuzzer] be more careful with memory usage, print peak rss in status lines
llvm-svn: 283418
2016-10-06 05:14:00 +00:00
Kostya Serebryany 3b564e9765 [libFuzzer] when re-running for lsan, don't look at the coverage
llvm-svn: 283411
2016-10-05 23:31:01 +00:00
Kostya Serebryany 1c73f1bf27 [libFuzzer] refactoring to make -shrink=1 work for value profile, added a test.
llvm-svn: 283409
2016-10-05 22:56:21 +00:00
Kostya Serebryany 379359c53a [libFuzzer] add ShrinkValueProfileTest, move code around, NFC
llvm-svn: 283286
2016-10-05 01:09:40 +00:00
Kostya Serebryany 2455f0d013 [libFuzzer] clear the corpus elements if they are evicted (i.e. smaller elements with proper coverage are found). Make sure we never try to mutate empty element. Print the corpus size in bytes in the status lines
llvm-svn: 283279
2016-10-05 00:25:17 +00:00
Kostya Serebryany 4820cc988f [libFuzzer] remove dfsan support and some related stale code. This is not being used and as is is pretty weak anyway
llvm-svn: 283187
2016-10-04 06:08:46 +00:00
Kostya Serebryany 5a52a11ce4 [libFuzzer] change the probabilities so that we choose only the inputs that are known to be minimal inputs for at least one coverage feature (works only with -shrink=1 for now)
llvm-svn: 283178
2016-10-04 01:51:44 +00:00
Kostya Serebryany a5f1adab56 [libFuzzer] add fuzzer test for libxml2, finds https://bugzilla.gnome.org/show_bug.cgi?id=751631
llvm-svn: 283024
2016-10-01 07:37:40 +00:00
Kostya Serebryany d1f31d0a49 [libFuzzer] fix a recent bugs (buffer overflow)
llvm-svn: 283021
2016-10-01 07:13:25 +00:00
Kostya Serebryany d216922a80 [libFuzzer] implement the -shrink=1 option that tires to make elements of the corpus smaller, off by default
llvm-svn: 282995
2016-10-01 01:04:29 +00:00
Kostya Serebryany 90f8f36bca [libFuzzer] remove some experimental code
llvm-svn: 282983
2016-09-30 23:29:27 +00:00
Kostya Serebryany 7022b94687 [libFuzzer] fix openssl fuzzer tests when running on a machine w/o openssl installed
llvm-svn: 282972
2016-09-30 22:35:08 +00:00
Kostya Serebryany e7e790bad6 [libFuzzer] remove unused option
llvm-svn: 282971
2016-09-30 22:29:57 +00:00
Kostya Serebryany b7e7a5473d [libFuzzer] move common parts of shell scripts into a separate file
llvm-svn: 282954
2016-09-30 21:12:30 +00:00
Kostya Serebryany cfa31b6307 [libFuzzer] add a fuzzer test that finds CVE-2015-3193
llvm-svn: 282892
2016-09-30 18:16:16 +00:00
Kostya Serebryany cad612a472 [libfuzzer] test for c-ares CVE-2016-5180
llvm-svn: 282839
2016-09-30 05:15:45 +00:00