maxjhandsome
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity
242,583 Commits 23 Branches 0 Tags 2.2 GiB
Commit Graph

143 Commits

Author SHA1 Message Date
Kostya Serebryany 468ed78434 [libFuzzer] remove -iterations as redundant (there is also -num_runs) 
llvm-svn: 247030
 2015-09-08 17:30:35 +00:00
Kostya Serebryany 9838b2be87 [libFuzzer] adding a parser for AFL-style dictionaries + tests. 
llvm-svn: 246800
 2015-09-03 20:23:46 +00:00
Kostya Serebryany a9346c2e65 [libFuzzer] honour -only_ascii=1 when reading the initial corpus. Also, remove ugly #ifdef 
llvm-svn: 246689
 2015-09-02 19:08:08 +00:00
Kostya Serebryany 12c7837381 [libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied 
llvm-svn: 244712
 2015-08-12 01:55:37 +00:00
Kostya Serebryany bc7c0ad24d [libFuzzer] add -only_ascii flag 
llvm-svn: 244559
 2015-08-11 01:44:42 +00:00
Yaron Keren 347663b214 Add missing include guard to FuzzerInternal.h, NFC. 
llvm-svn: 244457
 2015-08-10 16:37:40 +00:00
Kostya Serebryany 242ca930e8 [libFuzzer] move the mutators to public interface so that custom mutators may reuse these functions directly 
llvm-svn: 244250
 2015-08-06 19:19:55 +00:00
Kostya Serebryany bf29ff2fa5 [libFuzzer] add one more mutation strategy: byte shuffling 
llvm-svn: 244188
 2015-08-06 01:29:13 +00:00
Kostya Serebryany 70926aed6b [libFuzzer] add option -report_slow_units=Nsec to control when slow units are printed 
llvm-svn: 244152
 2015-08-05 21:43:48 +00:00
Kostya Serebryany 86a5fba71d [libFuzzer] more refactoring of the Mutator and adding tests to it 
llvm-svn: 243818
 2015-08-01 02:23:06 +00:00
Kostya Serebryany 8ce7424e9c [libFuzzer] start refactoring the Mutator and adding tests to it 
llvm-svn: 243817
 2015-08-01 01:42:51 +00:00
Kostya Serebryany 404c69f2c8 [libFuzzer] allow users to supply their own implementation of rand 
llvm-svn: 243078
 2015-07-24 01:06:40 +00:00
Kostya Serebryany 2b7d2e91cc [libFuzzer] dump long running units to disk 
llvm-svn: 243031
 2015-07-23 18:37:22 +00:00
Kostya Serebryany 20e9bcbfc8 [lib/Fuzzer] start getting rid of std::cerr. Sadly, these parts of C++ library used in libFuzzer badly interract with the same code used in the target function and also with dfsan. It's easier to just not use std::cerr than to defeat these issues. 
llvm-svn: 238078
 2015-05-23 01:07:46 +00:00
Kostya Serebryany f3c7cb464e [lib/Fuzzer] remove -use_coverage_pairs=1, an experimental feature that is unlikely to ever scale 
llvm-svn: 238063
 2015-05-22 22:47:03 +00:00
Kostya Serebryany f342459aa4 [lib/Fuzzer] extend the fuzzer interface to allow user-supplied mutators 
llvm-svn: 238059
 2015-05-22 22:35:31 +00:00
Kostya Serebryany 490bbd6fa4 [lib/Fuzzer] change the meaning of -timeout flag: now timeout is applied to every unit of work separately 
llvm-svn: 237735
 2015-05-19 22:12:57 +00:00
Kostya Serebryany cbb2334b7a [lib/Fuzzer] more efficient reload logic; also don't spam git too much 
llvm-svn: 237649
 2015-05-19 01:06:07 +00:00
Kostya Serebryany 2da7b84852 [lib/Fuzzer] when -sync_command=<CMD> is given, periodically execute 'CMD CORPUS' to synchronize with other processes 
llvm-svn: 237617
 2015-05-18 21:34:20 +00:00
Kostya Serebryany 96eab65d81 [lib/Fuzzer] Add SHA1 implementation from public domain. 
Summary:
This adds a SHA1 implementation taken from public domain code.
The change is trivial, but as it involves third-party code I'd like
a second pair of eyes before commit.

LibFuzzer can not use SHA1 from openssl because openssl may not be available
and because we may be fuzzing openssl itself.
Using sha1sum via a pipe is too slow.

Test Plan: n/a

Reviewers: chandlerc

Reviewed By: chandlerc

Subscribers: majnemer, llvm-commits

Differential Revision: http://reviews.llvm.org/D9733

llvm-svn: 237400
 2015-05-14 22:41:49 +00:00
Kostya Serebryany 9690fcf12e [lib/Fuzzer] guess the right number of workers if -jobs=N is given but -workers=M is not. Update the docs. 
llvm-svn: 237163
 2015-05-12 18:51:57 +00:00
Kostya Serebryany d8c54724a8 [lib/Fuzzer] remove the -dfsan=1 flag, just use -use_traces=1 (w/ or w/o dfsan) 
llvm-svn: 237083
 2015-05-12 01:58:34 +00:00
Kostya Serebryany 225262562f [lib/Fuzzer] rename FuzzerDFSan.cpp to FuzzerTraceState.cpp; update comments. NFC expected 
llvm-svn: 237050
 2015-05-11 21:16:27 +00:00
Kostya Serebryany 5a99ecbbb3 [lib/Fuzzer] add a trace-based mutatation logic. Same idea as with DFSan-based mutator, but instead of relying on taint tracking, try to find the data directly in the input. More (logic and comments) to go. 
llvm-svn: 237043
 2015-05-11 20:51:19 +00:00
Kostya Serebryany 1ac8055bc7 [lib/Fuzzer] use -fsanitize-coverage=trace-cmp when building LLVM with LLVM_USE_SANITIZE_COVERAGE; in lib/Fuzzer try to reload the corpus to pick up new units from other processes 
llvm-svn: 236906
 2015-05-08 21:30:55 +00:00
Kostya Serebryany beb24c38e7 [lib/Fuzzer] change the way we use taint information for fuzzing. Now, we run a single unit and collect suggested mutations based on tracing+taint data, then apply the suggested mutations one by one. The previous scheme was slower and more complex. 
llvm-svn: 236772
 2015-05-07 21:02:11 +00:00
Kostya Serebryany 7d470cfb0c [lib/Fuzzer] minor refactoring/simplification, NFC 
llvm-svn: 236757
 2015-05-07 18:32:29 +00:00
Kostya Serebryany ca6a2a2f1c [lib/Fuzzer] on crash print the contents of the crashy input as base64 
llvm-svn: 236548
 2015-05-05 21:59:51 +00:00
Kostya Serebryany 52a788e503 [fuzzer] Add support for token-based fuzzing (e.g. for C++). Allow string flags. 
llvm-svn: 233745
 2015-03-31 20:13:20 +00:00
Kostya Serebryany 16901a901d [fuzzer] when a single unit takes over 1 second to run and it is the slowest one so far, print it. 
llvm-svn: 233637
 2015-03-30 23:04:35 +00:00
Kostya Serebryany 03db8b9225 [fuzzer] print various stats in a unified way 
llvm-svn: 233624
 2015-03-30 22:44:03 +00:00
Kostya Serebryany 16d03bd051 DFSan-based fuzzer (proof of concept). 
Summary:
This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.

Test Plan: a test added

Reviewers: samsonov, pcc

Reviewed By: samsonov, pcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D8669

llvm-svn: 233613
 2015-03-30 22:09:51 +00:00
Kostya Serebryany be5e0ed919 [sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing). 
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.

The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.

These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.

Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).

Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.

llvm-svn: 231166
 2015-03-03 23:27:02 +00:00
Kostya Serebryany 2e3622bddd [fuzzer] one more experimental search mode: -use_coverage_pairs=1 
llvm-svn: 229957
 2015-02-20 03:02:37 +00:00
Kostya Serebryany 016852c396 [fuzzer] split main() into FuzzerDriver() that takes a callback as a parameter and a tiny main() in a separate file 
llvm-svn: 229882
 2015-02-19 18:45:37 +00:00
Kostya Serebryany 92e0476c67 [fuzzer] add flag prefer_small_during_initial_shuffle, be a bit more verbose 
llvm-svn: 228235
 2015-02-04 23:42:42 +00:00
Kostya Serebryany 33f866922a [fuzzer] add -runs=N to limit the number of runs per session. Also, make sure we do some mutations w/o cross over. 
llvm-svn: 228214
 2015-02-04 22:20:09 +00:00
Kostya Serebryany 5b266a8a23 [fuzzer] make multi-process execution more verbose; fix mutation to actually respect mutation depth and to never produce empty units 
llvm-svn: 228170
 2015-02-04 19:10:20 +00:00
Kostya Serebryany 2c1b33b897 [fuzzer] add -use_full_coverage_set=1 which solves FullCoverageSetTest. This does not scale very well yet, but might be a good start. 
llvm-svn: 227507
 2015-01-29 23:01:07 +00:00
Aaron Ballman ef11698cac Reverting r227452, which adds back the fuzzer library. Now excluding the fuzzer library based on LLVM_USE_SANITIZE_COVERAGE being set or unset. 
llvm-svn: 227464
 2015-01-29 16:58:29 +00:00
Aaron Ballman 7b54ed221a Temporarily reverting the fuzzer library as it causes too many build issues for MSVC users. This reverts: 227445, 227395, 227389, 227357, 227254, 227252 
llvm-svn: 227452
 2015-01-29 15:49:22 +00:00
Kostya Serebryany 265cf04f9c [fuzzer] add option -save_minimized_corpus 
llvm-svn: 227395
 2015-01-28 23:48:39 +00:00
Kostya Serebryany d53b43fe11 Add a Fuzzer library 
Summary:
A simple genetic in-process coverage-guided fuzz testing library.

I've used this fuzzer to test clang-format
(it found 12+ bugs, thanks djasper@ for the fixes!)
and it may also help us test other parts of LLVM.
So why not keep it in the LLVM repository?

I plan to add the cmake build rules later (in a separate patch, if that's ok)
and also add a clang-format-fuzzer target.

See README.txt for details.

Test Plan: Tests will follow separately.

Reviewers: djasper, chandlerc, rnk

Reviewed By: rnk

Subscribers: majnemer, ygribov, dblaikie, llvm-commits

Differential Revision: http://reviews.llvm.org/D7184

llvm-svn: 227252
 2015-01-27 22:08:41 +00:00