b7e7a5473d
[libFuzzer] move common parts of shell scripts into a separate file
...
llvm-svn: 282954
2016-09-30 21:12:30 +00:00
cfa31b6307
[libFuzzer] add a fuzzer test that finds CVE-2015-3193
...
llvm-svn: 282892
2016-09-30 18:16:16 +00:00
cad612a472
[libfuzzer] test for c-ares CVE-2016-5180
...
llvm-svn: 282839
2016-09-30 05:15:45 +00:00
b3949ef885
[libFuzzer] remove the code for -print_pcs=1 with the old coverage. It still works with the new one (trace-pc-guard)
...
llvm-svn: 282831
2016-09-30 01:24:57 +00:00
2c55613a08
[libFuzzer] more the feature set to InputCorpus; on feature update, change the feature counter of the old best input
...
llvm-svn: 282829
2016-09-30 01:19:56 +00:00
a9b0dd0e51
[sanitizer-coverage/libFuzzer] make the guards for trace-pc 32-bit; create one array of guards per function, instead of one guard per BB. reorganize the code so that trace-pc-guard does not create unneeded globals
...
llvm-svn: 282735
2016-09-29 17:43:24 +00:00
a9a135b4f5
[libFuzzer] initialize ValueBitMap::NumBits
...
llvm-svn: 282721
2016-09-29 15:51:28 +00:00
3ee6c213d6
[libFuzzer] speedup TracePC::FinalizeTrace
...
llvm-svn: 282562
2016-09-28 01:16:24 +00:00
7d6935c184
[libFuzzer] run re2 test in 8 threads by default
...
llvm-svn: 282469
2016-09-27 03:33:57 +00:00
45c144754b
[sanitizer-coverage] fix a bug in trace-gep
...
llvm-svn: 282467
2016-09-27 01:55:08 +00:00
53543af036
[libFuzzer] add a test based on openssl-1.0.1f (finds heartbleed)
...
llvm-svn: 282460
2016-09-27 00:27:40 +00:00
5ff481fd9e
[libFuzzer] add -exit_on_src_pos to test libFuzzer itself, add a test script for RE2 that uses this flag
...
llvm-svn: 282458
2016-09-27 00:10:20 +00:00
273d767215
[libFuzzer] add a standalone build script
...
llvm-svn: 282321
2016-09-24 04:00:00 +00:00
0800b81a21
[libFuzzer] simplify HandleTrace again, start re-running interesting units and collecting their features.
...
llvm-svn: 282316
2016-09-23 23:51:58 +00:00
2d1d944f7e
[libFuzzer] first steps in adding a proper automated test suite based on real-life code: add a script to build RE2 at a revision that has known bugs
...
llvm-svn: 282292
2016-09-23 20:43:22 +00:00
0d26de3922
[libFuzzer] reset Counters (trace-pc-guard) before every run
...
llvm-svn: 282284
2016-09-23 20:04:13 +00:00
ce1cab169f
[libFuzzer] be more precise about what we reset in TracePC
...
llvm-svn: 282225
2016-09-23 02:18:59 +00:00
16a145fd0f
[libFuzzer] fix merging with trace-pc-guard
...
llvm-svn: 282224
2016-09-23 01:58:51 +00:00
87a598e19f
[libFuzzer] simplify the TracePC logic
...
llvm-svn: 282222
2016-09-23 01:20:07 +00:00
ab73c6924f
[libFuzzer] move value profiling logic into TracePC
...
llvm-svn: 282219
2016-09-23 00:46:18 +00:00
d28099de5d
[libFuzzer] change ValueBitMap to remember the number of bits in it
...
llvm-svn: 282216
2016-09-23 00:22:46 +00:00
be0ed59cdc
[libFuzzer] simplify the crash minimizer; split MaxLen into two: MaxInputLen and MaxMutationLen, allow MaxMutationLen to be less than MaxInputLen
...
llvm-svn: 282211
2016-09-22 23:16:36 +00:00
624f59f4d8
[libFuzzer] add 'features' to the corpus elements, allow mutations with Size > MaxSize, fix sha1 in corpus stats; various refactorings
...
llvm-svn: 282129
2016-09-22 01:34:58 +00:00
c9e3de35ed
[libFuzzer] one more test
...
llvm-svn: 282127
2016-09-22 00:57:29 +00:00
29bb664075
[libFuzzer] add stats to the corpus; more refactoring
...
llvm-svn: 282121
2016-09-21 22:42:17 +00:00
20801e1b8a
[libFuzzer] more refactoring; don't compute sha1sum every time we mutate a unit from the corpus, use the stored one.
...
llvm-svn: 282115
2016-09-21 21:41:48 +00:00
8658618ea0
[libFuzzer] more refactoring
...
llvm-svn: 282113
2016-09-21 21:17:23 +00:00
225d8e45d4
[libFuzzer] fix libc++ build
...
llvm-svn: 282050
2016-09-21 03:50:37 +00:00
556894fb10
[libFuzzer] more refactoring; NFC
...
llvm-svn: 282047
2016-09-21 02:05:39 +00:00
6f5a804cdb
[libFuzzer] refactoring: split the large header into many; NFC
...
llvm-svn: 282044
2016-09-21 01:50:50 +00:00
09aa01a6f8
[libFuzzer] refactoring: move the Corpus into a separate class; delete two unused experimental features
...
llvm-svn: 282042
2016-09-21 01:04:43 +00:00
3750c04f7e
[libFuzzer] use sleep() instead of std::this_thread::sleep_for to avoid coverage from instrumented libc++
...
llvm-svn: 281933
2016-09-19 20:32:34 +00:00
b706b481ba
[libFuzzer] add -print_coverage=1 flag to print coverage directly from libFuzzer
...
llvm-svn: 281866
2016-09-18 21:47:08 +00:00
8e781a888a
[libFuzzer] use 'if guard' instead of 'if guard >= 0' with trace-pc; change the guard type to intptr_t; use separate array for 8-bit counters
...
llvm-svn: 281845
2016-09-18 04:52:23 +00:00
bc3789a919
[libFuzzer] properly reset the guards when reseting the coverage. Also try to fix check-fuzzer on the bot
...
llvm-svn: 281814
2016-09-17 06:01:55 +00:00
3e36ec1d18
[libFuzzer] change trace-pc to use 8-byte guards
...
llvm-svn: 281810
2016-09-17 05:04:47 +00:00
0984517021
[libFuzzer] make caller-callee feedback work with trace-pc-guard
...
llvm-svn: 281667
2016-09-15 22:16:15 +00:00
21c3573733
[libFuzzer] fix the build for AFLDriverTest
...
llvm-svn: 281633
2016-09-15 18:10:38 +00:00
09e416615e
[libFuzzer] disable test that requires debug info -- it fails on the bot
...
llvm-svn: 281584
2016-09-15 05:46:58 +00:00
0b47fbcb30
[libFuzzer] move the AFL driver build rule test into the uninstrumented dir
...
llvm-svn: 281583
2016-09-15 05:17:39 +00:00
33a497abf4
[libFuzzer] fix print_pcs test
...
llvm-svn: 281580
2016-09-15 04:43:06 +00:00
5350178487
[libFuzzer] implement print_pcs with trace-pc-guard. Change the trace-pc-guard heuristic for 8-bit counters to look more like in AFL (not that it's provable better, but the existin test preferes this heuristic)
...
llvm-svn: 281577
2016-09-15 04:36:45 +00:00
a5277d59d0
[libFuzzer] add 8-bit counters to trace-pc-guard handler
...
llvm-svn: 281568
2016-09-15 01:30:18 +00:00
a00b243c75
[libFuzzer] start using trace-pc-guard as an alternative source of coverage
...
llvm-svn: 281435
2016-09-14 02:13:06 +00:00
8c537c556a
[libFuzzer] print a failed-merge warning only in the merge mode
...
llvm-svn: 281130
2016-09-10 02:17:22 +00:00
4529960a3b
[libFuzzer] don't print help for internal flags
...
llvm-svn: 281124
2016-09-10 00:35:30 +00:00
b991cc1f0e
[libFuzzer] print a visible message if merge fails due to a crash
...
llvm-svn: 281122
2016-09-10 00:15:41 +00:00
1837152a34
[libFuzzer] use sizeof() in tests instead of 4 and 8
...
llvm-svn: 281111
2016-09-09 22:21:16 +00:00
4b17a331ae
[libFuzzer] one more puzzle for value profile
...
llvm-svn: 281106
2016-09-09 21:58:42 +00:00
00ef27112e
[libFuzzer] one more puzzle, value_profile cracks it in a second
...
llvm-svn: 281066
2016-09-09 18:00:04 +00:00
b76a2a5503
[libFuzzer] improve -print_pcs to not print new PCs coming from libFuzzer itself
...
llvm-svn: 281016
2016-09-09 02:38:28 +00:00
8ea4f9873b
[libFuzzer] remove unneeded call
...
llvm-svn: 281014
2016-09-09 01:57:38 +00:00
5c04bd250e
[libFuzzer] remove use_traces=1 since use_value_profile seems to be strictly better
...
llvm-svn: 281007
2016-09-09 01:17:03 +00:00
e2d0f63654
[libFuzzer] add -minimize_crash flag (to minimize crashers). also add two tests that I failed to commit last time
...
llvm-svn: 280332
2016-09-01 01:22:27 +00:00
b077d3fef2
[libfuzzer] simplified unit truncation; do not write trunc items to disc
...
Differential Revision: https://reviews.llvm.org/D24049
llvm-svn: 280153
2016-08-30 20:49:07 +00:00
a016a45d60
[libFuzzer] fix a bug when running a single unit of N bytes with -max_len=M, M<N, caused a buffer overflow
...
llvm-svn: 280098
2016-08-30 14:52:05 +00:00
248d11519a
[libFuzzer] stop using bits for memcmp's value profile -- seems to blow up the corpus too much
...
llvm-svn: 280096
2016-08-30 14:39:33 +00:00
d4492f8101
[libFuzzer] use bits instead of bytes for memcmp/strcmp value profile -- the fuzzer reaches the goal much faster, at least on the simple puzzles
...
llvm-svn: 280054
2016-08-30 03:05:50 +00:00
4d22e4fcb9
[libFuzzer] use trace-div and trace-gep for guided fuzzing, add tests
...
llvm-svn: 280046
2016-08-30 01:30:14 +00:00
3e5991e540
[libFuzzer] simplify a test to make it pass on the bot
...
llvm-svn: 279796
2016-08-26 00:18:16 +00:00
1426f59a76
[libFuzzer] make sure we have symbols on fuzzer tests
...
llvm-svn: 279792
2016-08-25 23:30:02 +00:00
0f0fa4faf2
[libFizzer] rename -print_new_cov_pcs=1 into -print_pcs=1 and make it more useful: print PCs only after the initial corpus has been read and symbolize them
...
llvm-svn: 279787
2016-08-25 22:35:08 +00:00
f67357c671
[libFuzzer] simplify the code, NFC
...
llvm-svn: 279697
2016-08-25 01:25:03 +00:00
41bcb830af
[libFuzzer] make a test more deterministic
...
llvm-svn: 279686
2016-08-24 23:10:17 +00:00
bceadcf1cd
[libFuzzer] use __attribute__((target("popcnt"))) only on x86_64
...
llvm-svn: 279601
2016-08-24 01:38:42 +00:00
ac524cfcce
[libFuzzer] collect 64 states for value profile, not 65
...
llvm-svn: 279588
2016-08-23 23:37:37 +00:00
a533e514b8
[libFuzzer] fix the non-debug build warnings
...
llvm-svn: 279321
2016-08-19 20:57:09 +00:00
32661f9d66
[libFuzzer] add more __attribute__((visibility("default")))
...
llvm-svn: 279143
2016-08-18 20:52:52 +00:00
524c3f32e7
[sanitizer-coverage/libFuzzer] instrument comparisons with __sanitizer_cov_trace_cmp[1248] instead of __sanitizer_cov_trace_cmp, don't pass the comparison type to save a bit performance. Use these new callbacks in libFuzzer
...
llvm-svn: 279027
2016-08-18 01:25:28 +00:00
5a5d5548f0
[libFuzzer] force proper popcnt instruction
...
llvm-svn: 279002
2016-08-17 23:09:57 +00:00
e72774dd69
[libFuzzer] given 0 and 255 more preference when inserting repeated bytes
...
llvm-svn: 278986
2016-08-17 21:50:54 +00:00
0c537b124c
[libFuzzer] one more mutation: ChangeBinaryInteger; also fix the breakage from r278970
...
llvm-svn: 278982
2016-08-17 21:30:30 +00:00
a9a548049a
[libFuzzer] when printing the reproducer input, also print the base input and the mutation sequence
...
llvm-svn: 278975
2016-08-17 20:45:23 +00:00
cd1d5aaf2e
Replace a few more "fall through" comments with LLVM_FALLTHROUGH
...
Follow up to r278902. I had missed "fall through", with a space.
llvm-svn: 278970
2016-08-17 20:30:52 +00:00
a7398ba024
[libFuzzer] more mutations
...
llvm-svn: 278950
2016-08-17 18:10:42 +00:00
3044390af1
[libFuzzer] minor speed improvement
...
llvm-svn: 278856
2016-08-16 21:28:05 +00:00
d46a59fac4
[libFuzzer] new experimental feature: value profiling. Profiles values that affect control flow and treats new values as new coverage.
...
llvm-svn: 278839
2016-08-16 19:33:51 +00:00
c98ef718ea
[libFuzzer] refactoring around PCMap, NFC
...
llvm-svn: 278825
2016-08-16 17:37:13 +00:00
bdb220c7a0
[libFuzzer] print a verbose message after executing inputs in non-fuzzing mode
...
llvm-svn: 278724
2016-08-15 19:44:04 +00:00
a0d40a21e7
[libFuzzer] fix the bot
...
llvm-svn: 278721
2016-08-15 19:36:13 +00:00
dfbe59b03d
[libFuzzer] add InsertRepeatedBytes and EraseBytes.
...
New mutation: InsertRepeatedBytes.
Updated mutation: EraseByte => EraseBytes.
This helps https://github.com/google/sanitizers/issues/710
where libFuzzer was not able to find a known bug.
Now it finds it in minutes.
Hopefully, the change is general enough to help other targets.
llvm-svn: 278687
2016-08-15 17:48:28 +00:00
ed3c9cae49
[LibFuzzer] Fix `-jobs=<N>` where <N> > 1 and the number of workers is > 1 on macOS.
...
The original `ExecuteCommand()` called `system()` from the C library.
The C library implementation of this on macOS contains a mutex which
serializes calls to `system()`. This prevented the `-jobs=` flag
from running copies of the fuzzing binary in parallel which is
the opposite of what is intended.
To fix this on macOS an alternative implementation of `ExecuteCommand()`
is provided that can be used concurrently. This is provided in
`FuzzerUtilDarwin.cpp` which is guarded to only compile code on Apple
platforms. The existing implementation has been moved to a new file
`FuzzerUtilLinux.cpp` which is guarded to only compile code on Linux.
This commit includes a simple test to check that LibFuzzer is being
executed in parallel when requested.
Differential Revision: https://reviews.llvm.org/D22742
llvm-svn: 278544
2016-08-12 18:29:36 +00:00
728447bd3b
[libFuzzer] make libFuzzer work with a bit older clang versions
...
llvm-svn: 277941
2016-08-06 21:28:56 +00:00
ff1f2107ec
[libFuzzer] don't print bogus error message
...
llvm-svn: 277940
2016-08-06 21:23:29 +00:00
a8e84b9b37
[libfuzzer] do not warn about missing pcbuffer functions: they are new.
...
llvm-svn: 277927
2016-08-06 17:03:22 +00:00
b4bbc3bb7a
[sanitizers] trace buffer API to use user-allocated buffer.
...
Differential Revision: https://reviews.llvm.org/D23185
llvm-svn: 277859
2016-08-05 20:09:53 +00:00
0ccf06f467
[libFuzzer] extend the messages printed by afl_driver
...
llvm-svn: 276052
2016-07-19 23:18:28 +00:00
6b08be9279
[libFuzzer] properly intercept memmem
...
llvm-svn: 276006
2016-07-19 18:29:06 +00:00
c135b55ae0
[libFuzzer] add hooks for strstr, strcasestr, strcasecmp, strncasecmp
...
llvm-svn: 275648
2016-07-15 23:27:19 +00:00
5d9a17742e
[libFuzzer] add ThreadedLeakTest
...
llvm-svn: 275582
2016-07-15 17:19:43 +00:00
30ca81f1f7
[LibFuzzer] Unbreak the build on macOS which was broken by r272858.
...
``afl_driver.cpp`` currently relies on weak symbols which doesn't
work properly under macOS. For now fix the build by providing a
dummy implementation of ``LLVMFuzzerInitialize(...)``. This is just
a temporary measure until we fix ``afl_driver.cpp`` for macOS.
llvm-svn: 274778
2016-07-07 18:14:11 +00:00
8ba86a5a48
[libFuzzer] Let user specify extra stats file.
...
Summary: If AFL_DRIVER_EXTRA_STATS_FILENAME is set and valid, write to it peak_rss_mb and slowest_unit_time_sec. These are both stats that libFuzzer can print but afl cannot.
Reviewers: kcc, aizatsky, metzman
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D21742
llvm-svn: 274273
2016-06-30 20:43:06 +00:00
f0b3e85f4e
[libfuzzer] moving is_ascii handler inside mutation dispatcher.
...
Summary: It also fixes a bug, when first random might not be ascii.
Differential Revision: http://reviews.llvm.org/D21573
llvm-svn: 273611
2016-06-23 20:44:48 +00:00
0618cbacb6
[libFuzzer] Add standard license info and comment header to AFLDriverTest.cpp
...
Summary: Add license info and brief description of file to AFLDriverTest.cpp.
Reviewers: kcc, aizatsky
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D21487
llvm-svn: 273527
2016-06-23 02:19:36 +00:00
042d1a7b04
[libFuzzer] make the single-run output more reliable
...
llvm-svn: 272998
2016-06-17 13:07:06 +00:00
fd6ad5bba9
[libFuzzer] use the new chainable malloc hooks instead of the old un-chainable ones, use atomic for malloc/free counters instead of a thread local counter in the main thread. This should make on-the-spot leak detection in libFuzzer more reliable
...
llvm-svn: 272948
2016-06-16 20:17:41 +00:00
7bd4720e6b
Fix test from D21194
...
Bot sets ASAN_OPTIONS=handle_abort=1 which prevents expected crash.
llvm-svn: 272866
2016-06-16 01:52:48 +00:00
d6da8f6612
Debugging D21194 issues on bot
...
llvm-svn: 272863
2016-06-16 01:26:46 +00:00
d01720d46d
Enable libFuzzer's afl_driver to append stderr to a file.
...
Summary:
[libFuzzer] Enable afl_driver to append stderr to a user specified file.
Append stderr of afl_driver to the file specified by the environmental variable
AFL_DRIVER_STDERR_DUPLICATE_FILENAME if it is set. This lets users see outputs
on crashes without rerunning crashing test cases (which won't work for crashes
that are difficult to reproduce). Before this patch, stderr would only be sent to afl-fuzz
and users would have no way of seeing it.
Reviewers: llvm-commits, aizatsky, kcc, vitalybuka
Subscribers: vitalybuka
Differential Revision: http://reviews.llvm.org/D21194
llvm-svn: 272858
2016-06-16 00:14:42 +00:00
c4989d27b5
[LibFuzzer] Fix ``FuzzerMutate.ShuffleBytes2`` unit test on OSX.
...
The ``FuzzerMutate.ShuffleBytes2`` unit test was failing on
OSX due to the implementation of ``std::random_shuffle()``
being different between libcxx and libstdc++.
@kcc has decided (see http://reviews.llvm.org/D21218 ) it is acceptable
for there to be different mutation behavior on different platforms so
this commit just adjusts the test to perform the minimum number of
iterations (that is a power of 2) to see all the mutations the unit test
is looking for.
Differential Revision: http://reviews.llvm.org/D21359
llvm-svn: 272743
2016-06-15 01:40:02 +00:00
dca553d021
Revert "Enable libFuzzer's afl_driver to append stderr to a file."
...
Crashes with AddressSanitizer: SEGV on unknown address
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer/builds/9924/steps/annotate/logs/stdio
This reverts commit r272706.
llvm-svn: 272726
2016-06-14 22:09:00 +00:00
4b73cc88bf
Enable libFuzzer's afl_driver to append stderr to a file.
...
Summary:
[libFuzzer] Enable afl_driver to append stderr to a user specified file.
Append stderr of afl_driver to the file specified by the environmental variable
AFL_DRIVER_STDERR_DUPLICATE_FILENAME if it is set. This lets users see outputs
on crashes without rerunning crashing test cases (which won't work for crashes
that are difficult to reproduce). Before this patch, stderr would only be sent to afl-fuzz
and users would have no way of seeing it.
Reviewers: llvm-commits, aizatsky, kcc, vitalybuka
Subscribers: vitalybuka
Differential Revision: http://reviews.llvm.org/D21194
llvm-svn: 272706
2016-06-14 20:42:05 +00:00
916bc2b024
[LibFuzzer] Disable the ``fuzzer-trace-pc.test`` test on non-linux platforms.
...
On OSX this test sometimes fails due to the
``LLVMFuzzer-FullCoverageSetTest-TracePC`` program going over the
default 2GiB memory limit. This shouldn't be happening and needs
investigating. For now just disable the test so we can set up an
OSX buildbot.
Differential Revision: http://reviews.llvm.org/D21319
llvm-svn: 272696
2016-06-14 19:15:13 +00:00
02432480c7
[LibFuzzer] Move tests in ``fuzzer-traces.test`` that require hooks to their own test.
...
The tests in ``fuzzer-traces-hooks.test`` only work on Linux because calls to hooks
(e.g. ``__sanitizer_weak_hook_memcmp()``) from inside the sanitizer
runtime are only implemented on Linux. Therefore these tests are set to
only run on Linux.
Differential Revision: http://reviews.llvm.org/D21253
llvm-svn: 272600
2016-06-14 00:11:34 +00:00
0617f15897
[LibFuzzer] Fix some unit test crashes on OSX.
...
This fixes the following unit tests:
FuzzerDictionary.ParseOneDictionaryEntry
FuzzerDictionary.ParseDictionaryFile
The issue appears to be mixing non-ASan-ified code (LibFuzzer) and
ASan-ified code (the unittest) as the tests would pass fine if
everything was built with ASan enabled.
I believe the issue is that different implementations of std::vector<>
are being used in LibFuzzer and outside LibFuzzer (in the unittests).
For Libcxx (I've not seen the issue manifest for libstdc++) we can disable
the ASanified std::vector<> by definining the ``_LIBCPP_HAS_NO_ASAN`` macro.
Doing this fixes the tests on OSX.
Differential Revision: http://reviews.llvm.org/D21049
llvm-svn: 272374
2016-06-10 05:33:07 +00:00
f7798526b9
[libFuzzer] add one more OOM test, which we currently don't handle very well
...
llvm-svn: 272240
2016-06-09 01:20:35 +00:00
53b7b3ca5f
[libFuzzer] add 'weak' back to __sanitizer_malloc_hook and __sanitizer_free_hook
...
llvm-svn: 272116
2016-06-08 04:49:29 +00:00
76f425211e
[libFuzzer] add a test that is built w/o coverage instrumentation but has the coverage rt (it should now fail with a descriptive message)
...
llvm-svn: 272090
2016-06-08 01:46:13 +00:00
1873a496e2
[LibFuzzer] Declare and use sanitizer functions in ``fuzzer::ExternalFunctions``
...
This fixes linking problems on OSX.
Unfortunately it turns out we need to use an instance of the
``fuzzer::ExternalFunctions`` object in several places so this
commit also replaces all instances with a single global instance.
It also turns out initializing a global ``fuzzer::ExternalFunctions``
before main is entered (i.e. letting the object be initialised by the
global initializers) is not safe (on OSX the call to ``Printf()`` in the
CTOR crashes if it is called from a global initializer) so we instead
have a global ``fuzzer::ExternalFunctions*`` and initialize it inside
``FuzzerDriver()``.
Multiple unit tests depend also depend on the
``fuzzer::ExternalFunctions*`` global so a ``main()`` function has been
added that initializes it before running any tests.
Differential Revision: http://reviews.llvm.org/D20943
llvm-svn: 272072
2016-06-07 23:32:50 +00:00
1d0a9fd089
[LibFuzzer] Split the fuzzer-oom.test into two tests.
...
This is necessary because the existing fuzzer-oom.test was Linux
specific due to its use of __sanitizer_print_memory_profile() which
is only available on Linux right now and so the test would fail on OSX.
Differential Revision: http://reviews.llvm.org/D20977
llvm-svn: 272061
2016-06-07 21:23:30 +00:00
41d6683c39
[libfuzzer] custom crossover interface function.
...
Differential Revision: http://reviews.llvm.org/D21089
llvm-svn: 272054
2016-06-07 20:22:15 +00:00
1f88b12272
[libfuzzer] prune_corpus option for disabling pruning during the load.
...
Summary:
The option is very useful for testing, plus I intend to measure
its effect on fuzzer effectiveness.
Differential Revision: http://reviews.llvm.org/D21084
llvm-svn: 272035
2016-06-07 18:16:32 +00:00
d15c106c9b
[LibFuzzer] s/dataflow sanitizer/DataflowSanitizer/
...
llvm-svn: 271980
2016-06-07 04:44:49 +00:00
0d09f14554
[LibFuzzer] Disable building and running LSan tests on Apple platforms because LSan is not currently supported.
...
Differential Revision: http://reviews.llvm.org/D20947
llvm-svn: 271979
2016-06-07 04:44:39 +00:00
5914407185
[LibFuzzer] Provide stub implementation of __sanitizer_cov_trace_pc_indir
...
Calls to this function are currently injected by the
``SanitizerCoverageModule`` pass when the both the ``indirect-calls``
and ``trace-pc`` sanitizer coverage options are enabled and the code
being instrumented has indirect calls. Previously because LibFuzzer did
not define this function this would lead to link errors when building
some of the tests on OSX.
Differential Revision: http://reviews.llvm.org/D20946
llvm-svn: 271938
2016-06-06 20:27:09 +00:00
70fd3e412a
[libfuzzer] hiding custom mutator handling in MutationDispatcher.
...
Summary: Refactoring, no functional changes.
Differential Revision: http://reviews.llvm.org/D20975
llvm-svn: 271740
2016-06-03 21:34:29 +00:00
3c1782f23b
[libfuzzer] splitting fuzzer.test
...
llvm-svn: 271697
2016-06-03 18:05:22 +00:00
fba4a67a32
[LibFuzzer] Disable compiling and running the LibFuzzer dataflow sanitizer tests on Apple platforms.
...
This fixes a broken part of the build on OSX as the dataflow sanitizer is not supported
on OSX yet.
Differential Revision: http://reviews.llvm.org/D20894
llvm-svn: 271492
2016-06-02 05:48:09 +00:00
d3c33116fd
[LibFuzzer] Reimplement how the optional user functions are called.
...
The motivation for this change is to fix linking issues on OSX.
However this only partially fixes linking issues (the uninstrumented
tests and a few others won't succesfully link yet).
This change introduces a struct of function pointers
(``fuzzer::ExternalFuntions``) which when initialised will point to the
optional functions if they are available. Currently these
``LLVMFuzzerInitialize`` and ``LLVMFuzzerCustomMutator`` functions.
Two implementations of ``fuzzer::ExternalFunctions`` constructor are
provided one for Linux and one for OSX.
The OSX implementation uses ``dlsym()`` because the prior implementation
using weak symbols does not work unless the additional flags are passed
to the linker.
The Linux implementation continues to use weak symbols because the
``dlsym()`` approach does not work unless additional flags are passed
to the linker.
Differential Revision: http://reviews.llvm.org/D20741
llvm-svn: 271491
2016-06-02 05:48:02 +00:00
f6414426f2
[libFuzzer] use __sanitizer_print_memory_profile to print the memory profile on OOM
...
llvm-svn: 271465
2016-06-02 01:33:11 +00:00
f817731a19
[libFuzzer] when an invalid flag is given, warn, but don't crash
...
llvm-svn: 271404
2016-06-01 16:41:12 +00:00
4795210f9c
[libFuzzer] fix a use-after-free (!) in libFuzzer caused by r270905: that CL caused a push_back in the main corpus invalidating the vector<> iterators in rare cases.
...
llvm-svn: 271186
2016-05-29 15:58:57 +00:00
311cc8378e
[libFuzzer] fix a failure that occurs when running individual inputs
...
llvm-svn: 271095
2016-05-28 04:19:46 +00:00
470d04400e
[libFuzzer] use __sanitizer_set_report_fd with -close_fd_mask. This allows us to keep asan reports when closing target's stderr
...
llvm-svn: 271053
2016-05-27 21:46:22 +00:00
b62e7e31f7
Fix compilation with GCC, which treats this as a constructor name not a type
...
name. (GCC is correct here per the latest language DRs.)
llvm-svn: 271044
2016-05-27 21:05:35 +00:00
8c11fce707
[LibFuzzer] Refactor declaration of tests in CMake.
...
Add a new CMake function (``add_libfuzzer_test()``) to simplify
declaration of executables for testing LibFuzzer and use it to
reorganise how tests are declared.
Note that configuration of the lit configuration files has been moved
as late as possible because we are going to need to disable some tests
for some platforms and we will need to propagate this information into
the lit configuration.
Note the code for custom mains was removed because no tests are
currently written for this and Kostya seems happy to remove this.
Differential Revision: http://reviews.llvm.org/D20706
llvm-svn: 270958
2016-05-27 03:14:40 +00:00
76dacb4ba9
[libFuzzer] make check-fuzzer a bit faster
...
llvm-svn: 270947
2016-05-27 01:12:21 +00:00
0edb563f27
[libFuzzer] make OOM-handling more portable. Instead of sending a signal to the main fuzzing thread, print the message in the getrusage thread and exit.
...
llvm-svn: 270945
2016-05-27 00:54:15 +00:00
8fc3a27c5c
[libFuzzer] more refactoring: make sure CurrentUnitData is awlays a valid pointer to read from
...
llvm-svn: 270942
2016-05-27 00:21:33 +00:00
d8384122a3
[libFuzzer] more refactoring around CurrentUnit. Also add a threading test on which we currently have a race (when reporting bugs from multiple threads)
...
llvm-svn: 270929
2016-05-26 22:17:32 +00:00
9551fdd517
[LibFuzzer] Add missing #include<string>
...
This partially fixes the compilation of the LibFuzzer unit test
on OSX using AppleClang.
llvm-svn: 270926
2016-05-26 21:54:25 +00:00
f26017baf9
[libFuzzer] refactor: hide CurrentUnitData inside an interface function. NFC
...
llvm-svn: 270922
2016-05-26 21:32:30 +00:00
c752a26428
[LibFuzzer] Emit error if LLVM_USE_SANITIZER is not correctly set.
...
Previously CMake would successfully configure and compile (with warnings
about ``-fsanitize-coverage=...`` being unused) but the tests LibFuzzer
tests would fail.
Differential Revision: http://reviews.llvm.org/D20662
llvm-svn: 270913
2016-05-26 20:55:09 +00:00
676892a5d5
[LibFuzzer] Allow LibFuzzer to be built in modes other than RELEASE.
...
Previously the flags were only being set correctly when the
build type was "Release". Now the build should work properly
for all the supported build types. When building libFuzzer
the optimization level respects whatever is used for the
rest of LLVM but for the LibFuzzer tests we force -O0.
Differential Revision: http://reviews.llvm.org/D20558
llvm-svn: 270912
2016-05-26 20:55:05 +00:00
4b92326b17
[libFuzzer] when there is a leak in the existing corpus report the reproducer properly
...
llvm-svn: 270905
2016-05-26 20:25:49 +00:00
f1f3f93c9e
[libFuzzer] reimplement the way we do -only_ascii to allow more 'const' in function declarations. Add a test for -only_ascii. NFC intended
...
llvm-svn: 270900
2016-05-26 20:03:02 +00:00
e66846ab32
[libfuzzer] replacing unittest for truncate_units with functional test.
...
Differential Revision: http://reviews.llvm.org/D20641
llvm-svn: 270755
2016-05-25 21:00:17 +00:00
ff2e6badbd
[libFuzzer] print stats if we crash on empty input
...
llvm-svn: 270639
2016-05-25 00:15:36 +00:00
af432a45e3
[libfuzzer] Trying random unit prefixes during corpus load.
...
Differential Revision: http://reviews.llvm.org/D20301
llvm-svn: 270632
2016-05-24 23:14:29 +00:00
c8bc8821cb
[libFuzzer] add a license header to afl/afl_driver.cpp
...
llvm-svn: 270598
2016-05-24 19:05:25 +00:00
11565444ca
[LibFuzzer] Fix implementation of ``GetPeakRSSMb()`` on Mac OSX.
...
On Linux ``rusage.ru_maxrss`` is in KiB but on Mac OSX it is in bytes.
Differential Revision: http://reviews.llvm.org/D20410
llvm-svn: 270173
2016-05-20 01:37:54 +00:00
e6ac1fd089
[LibFuzzer] Fix ``NumberOfCpuCores()`` on Mac OSX.
...
The ``nprocs`` command does not exist under Mac OSX so use
``sysctl`` instead on that platform.
Whilst I'm here
* Use ``pclose()`` instead of ``fclose()`` which the ``popen()``
documentation says should be used.
* Check for errors that were previously unhandled.
Differential Revision: http://reviews.llvm.org/D20409
llvm-svn: 270172
2016-05-20 01:30:36 +00:00
3868e468fe
[LibFuzzer]
...
Work around crashes in ``__sanitizer_malloc_hook()`` under Mac OSX.
Under Mac OSX we intercept calls to malloc before thread local
storage is initialised leading to a crash when accessing
``AllocTracer``. To workaround this ``AllocTracer`` is only accessed
in the hook under Linux. For symmetry ``__sanitizer_free_hook()``
is also modified in the same way.
To support this change a set of new macros
LIBFUZZER_LINUX and LIBFUZZER_APPLE has been defined which can be
used to check the target being compiled for.
Differential Revision: http://reviews.llvm.org/D20402
llvm-svn: 270145
2016-05-19 22:00:33 +00:00
a0788e7dd4
[libFuzzer] do the merge faster and a bit less precise
...
llvm-svn: 269497
2016-05-13 22:11:23 +00:00
6289536922
[libFuzzer] print the file name before executing the input so that if there is a crash we know which files has caused it
...
llvm-svn: 269450
2016-05-13 18:10:33 +00:00
8b0d90a6d4
[libFuzzer] simplify FuzzerInterface.h
...
llvm-svn: 269448
2016-05-13 18:04:35 +00:00
781e8da888
[libFuzzer] add a driver file to use AFL on LLVMFuzzerTestOneInput
...
llvm-svn: 269141
2016-05-10 23:46:50 +00:00
1aa501e7e8
[libfuzzer] Refactoring coverage state-management code.
...
It is now less state-dependent and will allow easier comparing of
coverages of different units.
Differential Revision: http://reviews.llvm.org/D20085
llvm-svn: 269140
2016-05-10 23:43:15 +00:00
ca9694ba2c
[libFuzzer] add a test for libFuzzer+ubsan, extend the docs on using libFuzzer+ubsan
...
llvm-svn: 268968
2016-05-09 21:02:36 +00:00
61b07ac75b
[libFuzzer] better document the -merge=1 flag
...
llvm-svn: 268957
2016-05-09 19:11:36 +00:00
8b8f7a3cda
[libFuzzer] enhance -rss_limit_mb and enable by default. Now it will print the OOM reproducer.
...
llvm-svn: 268821
2016-05-06 23:38:07 +00:00
52b394e981
[libFuzzer] add exeprimental -rss_limit_mb flag to fight against OOMs
...
llvm-svn: 268807
2016-05-06 21:58:35 +00:00
baf7fd0b16
[libFuzzer] print stats after running individual inputs
...
llvm-svn: 268547
2016-05-04 20:44:50 +00:00
2fe9304d62
[libFuzzer] enable detect_leaks=1, add proper docs
...
llvm-svn: 268088
2016-04-29 18:49:55 +00:00
0e0bcc4bdb
[libFuzzer] disable leak detection if we have tried it for 1000 times w/o finding a leak [part 2]
...
llvm-svn: 267771
2016-04-27 19:52:56 +00:00
7018a1aaa4
[libFuzzer] disable leak detection if we have tried it for 1000 times w/o finding a leak
...
llvm-svn: 267770
2016-04-27 19:52:34 +00:00
9ba19182be
[libFuzzer] remove dead code
...
llvm-svn: 267455
2016-04-25 19:41:45 +00:00
1bfd583d82
[libFuzzer] added -detect_leaks flag (0 by default for now). When enabled, it will help finding leaks while fuzzing
...
llvm-svn: 266838
2016-04-20 00:24:21 +00:00
ebb932d060
[libFuzzer] try to print correct time in seconds when reporting a timeout. Don't report timeouts while still loading the corpus.
...
llvm-svn: 266693
2016-04-18 22:50:39 +00:00
09087bba4d
[libFuzzer] warn if the corpus is empty
...
llvm-svn: 266670
2016-04-18 21:14:11 +00:00
b550cb1750
[NFC] Header cleanup
...
Removed some unused headers, replaced some headers with forward class declarations.
Found using simple scripts like this one:
clear && ack --cpp -l '#include "llvm/ADT/IndexedMap.h"' | xargs grep -L 'IndexedMap[<]' | xargs grep -n --color=auto 'IndexedMap'
Patch by Eugene Kosov <claprix@yandex.ru>
Differential Revision: http://reviews.llvm.org/D19219
From: Mehdi Amini <mehdi.amini@apple.com>
llvm-svn: 266595
2016-04-18 09:17:29 +00:00
b60397f54c
[libFuzzer] add a better warning for command line flags with -- (two dashes)
...
llvm-svn: 266480
2016-04-15 21:56:29 +00:00
e631996350
Remove redundant .c_str(), as suggested by PR25633
...
llvm-svn: 265988
2016-04-11 20:35:17 +00:00
94e29668b0
[libfuzzer] defensive assert
...
llvm-svn: 265866
2016-04-08 23:32:24 +00:00
f13cbee12e
[libfuzzer] adding license headers to cpp files
...
Differential Revision: http://reviews.llvm.org/D18705
llvm-svn: 265174
2016-04-01 18:38:58 +00:00
9e1a238357
[libFuzzer] more docs
...
llvm-svn: 264803
2016-03-29 23:07:36 +00:00
f3ab6d9e10
[libFuzzer] use fflush after every Printf
...
llvm-svn: 264459
2016-03-25 20:31:26 +00:00
f389ae12c1
[libFuzzer] handle SIGTERM
...
llvm-svn: 264338
2016-03-24 21:03:58 +00:00
315167339e
[libFuzzer] don't report memory leaks if we are dying due to a timeout (just use _Exit instead of exit in the timeout callback)
...
llvm-svn: 264237
2016-03-24 01:32:08 +00:00
6278f933a8
[libFuzzer] use fdopen+vfprintf instead of fsnprintf+write
...
llvm-svn: 264230
2016-03-24 00:57:32 +00:00
49e409068a
[libFuzzer] add a flag close_fd_mask so that we can silence spammy targets by closing stderr/stdout
...
llvm-svn: 263831
2016-03-18 20:58:29 +00:00
d96b0c14fb
[Fuzzer] Guard no_sanitize_memory attributes behind __has_feature.
...
Otherwise GCC fails to build it because it doesn't know the attribute.
llvm-svn: 263787
2016-03-18 14:19:19 +00:00
c43b584c1c
[libFuzzer] read corpus dirs recursively
...
llvm-svn: 263773
2016-03-18 01:36:00 +00:00
945761b8c2
[libFuzzer] improve -merge functionality
...
llvm-svn: 263769
2016-03-18 00:23:29 +00:00
c5575aabd6
[libFuzzer] deprecate several flags
...
llvm-svn: 263739
2016-03-17 19:59:39 +00:00
23dbc390af
[libFuzzer] add __attribute__((no_sanitize_memory)) to two functions that may be called from signal handler(s) or from msan. This will hopefully avoid msan false reports which I can't reproduce
...
llvm-svn: 263737
2016-03-17 19:42:35 +00:00
298516ffa9
[libfuzzer] speeding up corpus load
...
llvm-svn: 263591
2016-03-15 21:47:21 +00:00
0c5e3af862
[libFuzzer] use max_len exactly equal to the max size of input. Fix 32-bit build
...
llvm-svn: 263518
2016-03-15 01:28:00 +00:00
64d24578d8
[libFuzzer] try to use max_len based on the items of the corpus instead of blindly defaulting to 64 bytes.
...
llvm-svn: 263323
2016-03-12 01:57:04 +00:00
243fe2b3a0
[libfuzzer] adding std:string to allowed adaptable argument.
...
llvm-svn: 262757
2016-03-04 23:18:01 +00:00
5c3701c621
[libFuzzer] log less when re-loading files; fix a silly bug: when running single files actually run all of them, not just the first one
...
llvm-svn: 262754
2016-03-04 22:35:40 +00:00
b8627a89a6
[libfuzzer] arbitrary function adapter.
...
The adapter automates converting sequence of bytes into arbitrary
arguments.
Differential Revision: http://reviews.llvm.org/D17829
llvm-svn: 262673
2016-03-03 23:45:29 +00:00
e483ed2825
[libFuzzer] when interrupted, call _Exit() instead of exit()
...
llvm-svn: 262667
2016-03-03 22:36:37 +00:00
4394b31e1d
[libFuzzer] add -Werror for libFuzzer build rule
...
llvm-svn: 262517
2016-03-02 21:08:16 +00:00
2eed1218e5
libfuzzer: fix compiler warnings
...
- unused sigaction/setitimer result (used in assert)
- unchecked fscanf return value
- signed/unsigned comparison
llvm-svn: 262472
2016-03-02 09:54:40 +00:00
3d95dd9149
[libFuzzer] deprecate exit_on_first flag
...
llvm-svn: 262417
2016-03-01 22:33:14 +00:00
228d5b1ce4
[libFuzzer] add generic signal handlers so that libFuzzer can report at least something if ASan is not handlig the signals for us. Remove abort_on_timeout flag.
...
llvm-svn: 262415
2016-03-01 22:19:21 +00:00
f84df30e4f
[libFuzzer] remove FuzzerSanitizerOptions.cpp
...
llvm-svn: 262354
2016-03-01 17:46:32 +00:00
5cd721ae12
Refactor duplicated code for linking with pthread.
...
llvm-svn: 262344
2016-03-01 15:54:40 +00:00
bf821db932
[libFuzzer] fixing the bot
...
llvm-svn: 262106
2016-02-27 03:14:23 +00:00
2d4f8f168b
[libFuzzer] speedup path coverage handling
...
llvm-svn: 262102
2016-02-27 01:50:16 +00:00
66ff0756e4
[libFuzzer] add -print_final_stats=1 flag
...
llvm-svn: 262084
2016-02-26 22:42:23 +00:00
da63c1d09a
[libFuzzer] initial implementation of path coverage based on -fsanitize-coverage=trace-pc. This does not scale well yet, but already cracks FullCoverageSetTest in seconds
...
llvm-svn: 262073
2016-02-26 21:33:56 +00:00
a35f7d383f
[libFuzzer] only read MaxLen bytes from every file in the corpus to speedup loading the corpus
...
llvm-svn: 261267
2016-02-18 21:49:10 +00:00
90bcdb512b
[libFuzzer] fix the libFuzzer bot
...
llvm-svn: 261184
2016-02-18 02:02:40 +00:00
cfbcf9097d
[libFuzzer] don't timeout when loading the corpus. Be a bit more verbose when loading large corpus.
...
llvm-svn: 261143
2016-02-17 19:42:34 +00:00
8a5bef0fcf
[libFuzzer] remove std::vector operations from hot paths, NFC
...
llvm-svn: 260829
2016-02-13 17:56:51 +00:00
1deb0498f5
[libFuzzer] don't require seed in fuzzer::Mutate, instead use the global Fuzzer object for fuzzer::Mutate. This makes custom mutators fast
...
llvm-svn: 260810
2016-02-13 06:24:18 +00:00
29bcb9f54e
[libFuzzer] remove the C++-ish variant of FuzzerDriver from the interface
...
llvm-svn: 260801
2016-02-13 03:59:26 +00:00
23194963f7
[libFuzzer] simplify CTOR of MutationDispatcher
...
llvm-svn: 260800
2016-02-13 03:46:26 +00:00
292cf0379c
[libFuzzer] get rid of MutationDispatcher::Impl (simplify the code; NFC)
...
llvm-svn: 260799
2016-02-13 03:37:24 +00:00
7ec0c56e07
[libFuzzer] get rid of UserSuppliedFuzzer; NFC
...
llvm-svn: 260798
2016-02-13 03:25:16 +00:00
a399221c32
[libFuzzer] simplify the code around Random. NFC
...
llvm-svn: 260797
2016-02-13 03:00:53 +00:00
ecab57b3ce
[libFuzzer] remove UserSuppliedFuzzer from the interface (it was a bad idea).
...
llvm-svn: 260796
2016-02-13 02:39:30 +00:00
22cc5e2375
[libFuzzer] provide a plain C interface for custom mutators (experimental)
...
llvm-svn: 260794
2016-02-13 02:29:38 +00:00
9d14e4bb15
[libFuzzer] make -runs=N flag also affect the simple runner (will execute every input N times)
...
llvm-svn: 260649
2016-02-12 02:32:03 +00:00
fcb06b4aa5
[libfuzzer] Removing coverage-related flags from asan options.
...
Summary:
Reasons to remove are twofold:
- we don't really need coverage=1 for libfuzzer operation
- makes controlling coverage for fuzzer processes non-trivial.
Differential Revision: http://reviews.llvm.org/D17168
llvm-svn: 260611
2016-02-11 22:20:34 +00:00
ce925c580e
[libFuzzer] hot fix a test
...
llvm-svn: 259732
2016-02-04 00:12:28 +00:00
b92602ada0
[libFuzzer] don't write the test unit when a leak is detected (since we don't know which unit causes the leak)
...
llvm-svn: 259731
2016-02-04 00:02:17 +00:00
d88d1305c4
[libFuzzer] don't create too many trace-based mutations as it may be too slow
...
llvm-svn: 259600
2016-02-02 23:17:45 +00:00
bfbe7fc404
[libFuzzer] allow passing 1 or more files as individual inputs
...
llvm-svn: 259459
2016-02-02 03:03:47 +00:00
078e984d8d
[libFuzzer] fail if the corpus dir does not exist
...
llvm-svn: 259454
2016-02-02 02:07:26 +00:00
54a6363a8f
[libFuzzer] add -timeout_exitcode option
...
llvm-svn: 259265
2016-01-29 23:30:07 +00:00
085ca4131f
[libFuzzer] re-enable test for -abort_on_timeout=1, this time protecting from ASAN_OPTIONS set outside
...
llvm-svn: 259263
2016-01-29 23:19:00 +00:00
d7785e75f3
Temporary disable broken fuzzer/timeout tests.
...
Reviewers: kcc
Differential Revision: http://reviews.llvm.org/D16543
llvm-svn: 258702
2016-01-25 19:05:45 +00:00
9768e7f06b
[libFuzzer] add -abort_on_timeout option
...
llvm-svn: 258631
2016-01-23 19:34:19 +00:00
160dcba81f
[libFuzzer] add more fields to DictionaryEntry to count the number of uses and successes
...
llvm-svn: 258589
2016-01-22 23:55:14 +00:00
df91910bd4
Use std::piecewise_constant_distribution instead of ad-hoc binary search.
...
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.
Note: this is the second attempt (prev: r258473). Now, libc++ build is fixed.
Reviewers: aizatsky, kcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D16487
llvm-svn: 258571
2016-01-22 22:28:27 +00:00
d84f74cab7
Revert r258473 as it's breaking the build with libc++
...
Reviewers: kcc
Differential Revision: http://reviews.llvm.org/D16441
llvm-svn: 258479
2016-01-22 03:21:52 +00:00
b008fd4d89
Use std::piecewise_constant_distribution instead of ad-hoc binary search.
...
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.
Note: I had to change the seed for one test to make it pass. Alternatively,
the number of runs could be increased. I believe that the average time of
'foo' discovery is not increased, just seed=1 was particularly convenient
for the previous PRNG scheme used.
Reviewers: aizatsky, kcc
Subscribers: llvm-commits, kcc
Differential Revision: http://reviews.llvm.org/D16419
llvm-svn: 258473
2016-01-22 01:32:34 +00:00
b5e984992a
[libFuzzer] don't do expensive memmem if the result will not be used
...
llvm-svn: 258462
2016-01-22 01:04:58 +00:00
2f13f223c7
[libFuzzer] don't use std::vector in one more hot path
...
llvm-svn: 258380
2016-01-21 01:52:14 +00:00
e313f8f8ff
[libfuzzer] use %p for printing addresses
...
llvm-svn: 258370
2016-01-21 00:02:09 +00:00
311f27c0a8
[libFuzzer] use std::mt19937 for generating random numbers by default. Fix MyStoll to handle negative values. Use std::any_of instead of std::find_if
...
llvm-svn: 258178
2016-01-19 20:33:57 +00:00
476f0ce31a
[libFuzzer] replace vector with a simpler data structure in the Dictionaries to avoid memory allocations on hot path
...
llvm-svn: 257985
2016-01-16 03:53:32 +00:00
aca7696f4d
[libFuzzer] introduce LLVMFuzzerInitialize
...
llvm-svn: 257980
2016-01-16 01:23:12 +00:00
628bc3ec00
[libFuzzer] move some code from public interface header to a non-public header. NFC
...
llvm-svn: 257963
2016-01-16 00:04:36 +00:00
ae5b9567bc
[libFuzzer] do mutations based on memcmp/strcmp interceptors under a separate flag (-use_memcmp, default=1)
...
llvm-svn: 257873
2016-01-15 06:24:05 +00:00
4282d30516
[libFuzzer] use custom stol; also introduce __libfuzzer_is_present so that users can check for its presence.
...
llvm-svn: 257848
2016-01-15 00:17:37 +00:00
4b35874b2a
[libFuzzer] suggest a dictionary to the user of some of the trace-based dictionary entries were successful
...
llvm-svn: 257736
2016-01-14 02:36:44 +00:00
98abb2c90a
[libFuzzer] make CurrentUnit a POD object instead of vector to avoid extra allocations
...
llvm-svn: 257713
2016-01-13 23:46:01 +00:00
d50a3eedb4
[libFuzzer] make sure we find buffer overflow in the input buffer. Previously, re-using the same vector object was hiding buffer overflows (unless we used annotated vector)
...
llvm-svn: 257701
2016-01-13 23:02:30 +00:00
72fdb32dac
[libFuzzer] make sure to update CurrentUnit when drilling
...
llvm-svn: 257560
2016-01-13 01:58:27 +00:00
4b83a4f6fe
[libFuzzer] add a macro LLVM_FUZZER_DEFINES_SANITIZER_WEAK_HOOOKS
...
llvm-svn: 257482
2016-01-12 16:50:18 +00:00
4174005622
[libFuzzer] when a new unit is discovered using a dictionary, print all used dictionary entries
...
llvm-svn: 257435
2016-01-12 02:36:59 +00:00
859e86d962
[libFuzzer] add various debug prints. Also don't mutate based on a cmp trace like (a eq a) or (a neq a)
...
llvm-svn: 257434
2016-01-12 02:08:37 +00:00
e3580956ea
[libFuzzer] extend the weak memcmp/strcmp/strncmp interceptors to receive the result of the computations. With that, don't do any mutations if memcmp/etc returned 0
...
llvm-svn: 257423
2016-01-12 00:43:42 +00:00
1f9c40db1d
[libFuzzer] debug prints in tracing
...
llvm-svn: 257249
2016-01-09 03:46:08 +00:00
b65805a939
[libFuzzer] change the way trace-based mutations are applied. Instead of a custom code just rely on the automatically created dictionary
...
llvm-svn: 257248
2016-01-09 03:08:58 +00:00
c573316eee
[libFuzzer] don't limit memcmp tracing with 8 bytes
...
llvm-svn: 257245
2016-01-09 01:39:55 +00:00
e7583d21e3
[libFuzzer] refactor the way we collect cmp traces (don't use std::vector, don't limit with 8 bytes)
...
llvm-svn: 257239
2016-01-09 00:38:40 +00:00
152ac7ad70
[libFuzzer] add a position hint to the dictionary-based mutator
...
llvm-svn: 257013
2016-01-07 01:49:35 +00:00
80eb76abf4
[libFuzzer] extend the dictionary mutator to optionally overwrite data with the dict entry
...
llvm-svn: 256900
2016-01-06 02:13:04 +00:00
8b11f877e4
[libfuzzer] print_new_cov_pcs experimental option.
...
Differential Revision: http://reviews.llvm.org/D15901
llvm-svn: 256882
2016-01-06 00:21:22 +00:00
226b734d73
[libFuzzer] make trace-based fuzzing not crash in presence of threads
...
llvm-svn: 256876
2016-01-06 00:03:35 +00:00
b0fb6e8508
[libFuzzer] add AFL-style dictionary for C++, remove the old file with tokens
...
llvm-svn: 256229
2015-12-22 01:50:51 +00:00
550e9c80a6
[libFuzzer] deprecate -save_minimized_corpus, -merge can be used instead
...
llvm-svn: 256086
2015-12-19 03:42:16 +00:00
bf65644c97
[libFuzzer] split the tests to run them in parallel, remove one redundant test
...
llvm-svn: 256085
2015-12-19 03:35:30 +00:00
27ab2d759f
[libFuzzer] make CrossOver just one of the other mutations
...
llvm-svn: 256081
2015-12-19 02:49:09 +00:00
14c50288cc
[libFuzzer] print successfull mutations sequences
...
llvm-svn: 256071
2015-12-19 01:09:49 +00:00
16c1978760
Fuzzer: Fix library dependencies.
...
Newer versions of libstdc++ (4.9+), as well as libc++, depend directly on
libpthread from the standard library headers, so libfuzzer needs to declare
a standard library dependency.
llvm-svn: 255745
2015-12-16 02:14:57 +00:00
a1a5c69b57
[LibFuzzer] Introducing FUZZER_FLAG_UNSIGNED and using it for seeding.
...
Differential Revision: http://reviews.llvm.org/D15339
done
llvm-svn: 255296
2015-12-10 20:41:53 +00:00
8617aaaac2
[libFuzzer] don't reload the corpus more than once every second
...
llvm-svn: 254824
2015-12-05 02:09:22 +00:00
9e48cda9bc
[libFuzzer] compute base64 in-process instead of using an external lib. Since libFuzzer should not depend on anything, just re-implement base64 encoder. PR25746
...
llvm-svn: 254784
2015-12-04 22:29:39 +00:00
71552ce64b
Libfuzzer: do not pass null into user function
...
Differential Revision: http://reviews.llvm.org/D15098
llvm-svn: 254558
2015-12-02 22:43:53 +00:00
fba04273b7
[libFuzzer] add a test that is built with -fsanitize-coverage=trace-bb
...
llvm-svn: 254484
2015-12-02 02:49:37 +00:00
2d0ef14f5d
[libFuzzer] add a flag -exact_artifact_path
...
llvm-svn: 254100
2015-11-25 21:40:46 +00:00
b569368a5a
[libFuzzer] don't crash when reporting a leak in test_single_input mode
...
llvm-svn: 253761
2015-11-21 03:46:43 +00:00
4d62322213
[libFuzzer] remove default initializer as a workaround for https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68399 . Don't need it anyway.
...
llvm-svn: 253419
2015-11-18 01:08:30 +00:00
2a48c24d77
[libFuzzer] make libFuzzer build even with a compiler that does not have sanitizer headers
...
llvm-svn: 253003
2015-11-13 01:54:40 +00:00
a9c2387192
output_csv libfuzzer option
...
Summary:
The option outputs statistics in CSV format preceded by 1 header line.
This is intended for machine processing of the output.
-verbosity=0 should likely be set.
Differential Revision: http://reviews.llvm.org/D14600
llvm-svn: 252856
2015-11-12 04:38:40 +00:00
dc3135db05
[libFuzzer] experimental flag -drill (another search heuristic; Mike Aizatsky's idea)
...
llvm-svn: 252838
2015-11-12 01:02:01 +00:00
b7e286bed7
[libFuzzer] add UninstrumentedTest.cpp (missing from a previous commit)
...
llvm-svn: 252658
2015-11-10 22:02:56 +00:00
5eab74e9bc
[libFuzzer] make libFuzzer link if there is no sanitizer coverage instrumentation (it will fail at start-up time)
...
llvm-svn: 252533
2015-11-09 23:17:45 +00:00
b8d0da1386
[libFuzzer] print a bit fewer lines
...
llvm-svn: 252123
2015-11-05 01:19:42 +00:00
e692621a9d
[libFuzzer] when choosing the next unit to mutate, give some preference to the most recent units (they are more likely to be interesting)
...
llvm-svn: 252097
2015-11-04 23:22:25 +00:00
856b7afe60
[libFuzzer] make -test_single_input more reliable: make sure the input's size is equal to it's capacity
...
llvm-svn: 251961
2015-11-03 18:57:25 +00:00
9cc3b0ddb6
[libFuzzer] add -merge flag to merge corpora
...
llvm-svn: 251168
2015-10-24 01:16:40 +00:00
94660b3c36
[libFuzzer] remove some old code; also make __sanitizer_get_total_unique_caller_callee_pairs weak so that newer libFuzzer works with older asan
...
llvm-svn: 251133
2015-10-23 18:37:58 +00:00
2e9fca9f88
[libFuzzer] use the indirect caller-callee counter as an independent search heuristic
...
llvm-svn: 251078
2015-10-22 23:55:39 +00:00
09d2a5f6e1
[libFuzzer] more refactoring the code that checks the coverage. NFC
...
llvm-svn: 251075
2015-10-22 22:56:45 +00:00
007c9b25f4
[libFuzzer] refactoring the code that checks the coverage. NFC
...
llvm-svn: 251074
2015-10-22 22:50:47 +00:00
b36025619c
[libFuzzer] remove the deprecated 'tokens' feature
...
llvm-svn: 251069
2015-10-22 21:48:09 +00:00
2626094fa1
Make a bunch of static arrays const.
...
llvm-svn: 250642
2015-10-18 05:15:34 +00:00
fed509e73d
[libFuzzer] add -shuffle flag
...
llvm-svn: 250603
2015-10-17 04:38:26 +00:00
d6edce97fb
[libFuzzer] print a stack trace on timeout
...
llvm-svn: 250571
2015-10-16 23:04:31 +00:00
a9da9b48ef
[libFuzzer] reduce the size of artifacts printed on the screen
...
llvm-svn: 250565
2015-10-16 22:47:20 +00:00
b91c62b1f3
[libFuzzer] When -test_single_input crashes the test it is not necessary to write crash-file because input is already known to the user. Patch by Mike Aizatsky
...
llvm-svn: 250564
2015-10-16 22:41:47 +00:00
e95022ac14
[libFuzzer] don't print large artifacts to stderr
...
llvm-svn: 249808
2015-10-09 04:03:14 +00:00
bd5d1cdbb9
[libFuzzer] add -artifact_prefix flag
...
llvm-svn: 249807
2015-10-09 03:57:59 +00:00
3b804877fd
[libFuzzer] fix 32-bit build
...
llvm-svn: 249646
2015-10-08 00:59:25 +00:00
c8cd29fb7e
[libFuzzer] trying to fix at-exit hang
...
llvm-svn: 249231
2015-10-03 07:02:05 +00:00
20bb5e71b2
[libFuzzer] make LLVMFuzzerTestOneInput (the fuzzer target function) return int instead of void. The actual return value is not *yet* used (and expected to be 0). This change is API breaking, so the fuzzers will need to be updated.
...
llvm-svn: 249214
2015-10-02 23:34:06 +00:00
65d0a1458f
[libFuzzer] remove experimental flag and functionality
...
llvm-svn: 249194
2015-10-02 22:00:32 +00:00
b85db178a0
[libFuzzer] add a flag -max_total_time
...
llvm-svn: 249181
2015-10-02 20:47:55 +00:00
95e82d5b48
[LibFuzzer] test_single_input option to run a single test case.
...
-test_single_input flag specifies a file name with test data.
Review URL: http://reviews.llvm.org/D13359
Patch by Mike Aizatsky!
llvm-svn: 249096
2015-10-01 23:23:06 +00:00
3287d7a6ed
[libFuzzer] Marking exported symbols as visible. Patch by Mike Aizatsky
...
llvm-svn: 248954
2015-09-30 22:22:37 +00:00
dd02f1f8ab
[libFuzzer] perform fewer crossover operations compared to plain mutations
...
llvm-svn: 247364
2015-09-11 00:20:58 +00:00
65f50868e5
[libFuzzer] refactor the code to allow building libFuzzer on platforms that don't have dfsan and don't support weak functions
...
llvm-svn: 247321
2015-09-10 18:48:38 +00:00
a938bcb89a
[libFuzzer] add two more variants of FuzzerDriver for convenience
...
llvm-svn: 247300
2015-09-10 16:57:57 +00:00
a610cb5ba0
[libFuzzer]Add a test for defeating a hash sum.
...
Summary:
Add a test for a data followed by 4-byte hash value.
I use a slightly modified Jenkins hash function,
as described in https://en.wikipedia.org/wiki/Jenkins_hash_function
The modification is to ensure that hash(zeros) != 0.
Reviewers: kcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D12648
llvm-svn: 247076
2015-09-08 21:22:52 +00:00
4b82de2e47
[libFuzzer] remove a piece of stale code
...
llvm-svn: 247067
2015-09-08 20:40:10 +00:00
9cdea94f66
[libFuzzer] be more robust when dealing with files on disk (e.g. don't crash if a file was there but disappeared)
...
llvm-svn: 247066
2015-09-08 20:36:33 +00:00
b06fae5ede
[libFuzzer] better documentatio for -save_minimized_corpus=1
...
llvm-svn: 247033
2015-09-08 17:43:51 +00:00
468ed78434
[libFuzzer] remove -iterations as redundant (there is also -num_runs)
...
llvm-svn: 247030
2015-09-08 17:30:35 +00:00
25425ad920
[libFuzzer] add one more mutator: Mutate_ChangeASCIIInteger
...
llvm-svn: 247027
2015-09-08 17:19:31 +00:00
e641dd6479
[libFuzzer] more accurate logic for traces, 80-char fix
...
llvm-svn: 246888
2015-09-04 22:32:25 +00:00
b2e9897644
[libFuzzer] when a single mutation fails try a few more times with other mutations before returning un-mutated data
...
llvm-svn: 246828
2015-09-04 00:40:29 +00:00
7d21166218
[libFuzzer] actually make the dictionaries work (+docs)
...
llvm-svn: 246825
2015-09-04 00:12:11 +00:00
ec2dcb1d91
[libFuzzer] refactor the mutation functions so that they are now methods of a class. NFC
...
llvm-svn: 246808
2015-09-03 21:24:19 +00:00
9838b2be87
[libFuzzer] adding a parser for AFL-style dictionaries + tests.
...
llvm-svn: 246800
2015-09-03 20:23:46 +00:00
6ea1b69fcf
[libFuzzer] deprecate the -tokens flag. This was a bad idea because the corpus with this flag contains encrypted inputs, not the real inputs, which complicates interoperation with other fuzzers. Instead we'll need to implement AFL dictionary support
...
llvm-svn: 246734
2015-09-02 23:27:39 +00:00
a9346c2e65
[libFuzzer] honour -only_ascii=1 when reading the initial corpus. Also, remove ugly #ifdef
...
llvm-svn: 246689
2015-09-02 19:08:08 +00:00
06c199ac9d
[libFuzzer] fix minor inefficiency, PR24584
...
llvm-svn: 246087
2015-08-26 21:55:19 +00:00
1230a54970
Fix missing space in libfuzzer's help text.
...
llvm-svn: 244800
2015-08-12 20:00:10 +00:00
12c7837381
[libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied
...
llvm-svn: 244712
2015-08-12 01:55:37 +00:00
1688098cb5
[libFuzzer] add colons to the stats output to avoid confusion
...
llvm-svn: 244708
2015-08-12 01:04:27 +00:00
ac25eeba76
[libFuzzer] use raw C IO to reduce the risk of a deadlock in a signal handler.
...
llvm-svn: 244707
2015-08-12 00:55:09 +00:00
69ab31a3fa
Fix unused variable 'X' in release builds.
...
llvm-svn: 244571
2015-08-11 05:57:10 +00:00
bc7c0ad24d
[libFuzzer] add -only_ascii flag
...
llvm-svn: 244559
2015-08-11 01:44:42 +00:00
347663b214
Add missing include guard to FuzzerInternal.h, NFC.
...
llvm-svn: 244457
2015-08-10 16:37:40 +00:00
242ca930e8
[libFuzzer] move the mutators to public interface so that custom mutators may reuse these functions directly
...
llvm-svn: 244250
2015-08-06 19:19:55 +00:00
bf29ff2fa5
[libFuzzer] add one more mutation strategy: byte shuffling
...
llvm-svn: 244188
2015-08-06 01:29:13 +00:00
d46369d8b3
[libFuzzer] avoid build warnings in non-assert build (useful warning in this case)
...
llvm-svn: 244177
2015-08-05 23:44:42 +00:00
4cc10d432a
[libFuzzer] in dfsan mode, set labels every time we start recording traces as opposed to doing it at process startup. This ensures that the labels are fresh.
...
llvm-svn: 244165
2015-08-05 23:02:57 +00:00
70926aed6b
[libFuzzer] add option -report_slow_units=Nsec to control when slow units are printed
...
llvm-svn: 244152
2015-08-05 21:43:48 +00:00
1ce0035bf0
[libFuzzer] add a missing test file
...
llvm-svn: 244151
2015-08-05 21:32:13 +00:00
7f4227d59a
[libFuzzer] use data-flow feedback from strcmp
...
llvm-svn: 244084
2015-08-05 18:23:01 +00:00
86a5fba71d
[libFuzzer] more refactoring of the Mutator and adding tests to it
...
llvm-svn: 243818
2015-08-01 02:23:06 +00:00
8ce7424e9c
[libFuzzer] start refactoring the Mutator and adding tests to it
...
llvm-svn: 243817
2015-08-01 01:42:51 +00:00
1165efdbf9
[libFuzzer] limit the size of the inputs printed to stderr
...
llvm-svn: 243795
2015-07-31 22:07:17 +00:00
fe7e41e8f5
[libFuzzer] make sure that 2-byte arguments of switch() are handled properly
...
llvm-svn: 243781
2015-07-31 20:58:55 +00:00
73932e5fe3
[libFuzzer] record traces from the switch statements only when told to do so
...
llvm-svn: 243768
2015-07-31 18:09:08 +00:00
cd6a4665e0
[libFuzzer] support switch interception in dfsan mode
...
llvm-svn: 243760
2015-07-31 17:05:05 +00:00
fb7d8d9d06
[libFuzzer] trace switch statements and apply mutations based on the expected case values
...
llvm-svn: 243726
2015-07-31 01:33:06 +00:00
c9dc96bfc6
[libFuzzer] fix the strncmp interceptor -- it should respect short strings.
...
llvm-svn: 243691
2015-07-30 21:22:22 +00:00
b74ba421fc
[libFuzzer] implement strncmp hook for data-flow-guided fuzzing (w/ and w/o dfsan), add a test
...
llvm-svn: 243611
2015-07-30 02:33:45 +00:00
0e776a2250
[libFuzzer] implement memcmp hook for data-flow-guided fuzzing (w/o dfsan), extend the memcmp fuzzer test
...
llvm-svn: 243603
2015-07-30 01:34:58 +00:00
ae7df1ca4d
[libFuzzer] ensure that the dfsan tracing hooks actually run (using -verbosity=3 in tests)
...
llvm-svn: 243365
2015-07-28 01:25:00 +00:00
35959592a3
[libFuzzer] when using cmp traces, first check that the CMP is evaluated to one value much more frequently than to the other value (heuristic)
...
llvm-svn: 243363
2015-07-28 00:59:53 +00:00
404c69f2c8
[libFuzzer] allow users to supply their own implementation of rand
...
llvm-svn: 243078
2015-07-24 01:06:40 +00:00
2b7d2e91cc
[libFuzzer] dump long running units to disk
...
llvm-svn: 243031
2015-07-23 18:37:22 +00:00
4800c2de28
[Fuzzer] Rely on $PATH expansion instead of hardcoding paths in tests. NFC.
...
llvm-svn: 242851
2015-07-21 22:51:55 +00:00
dc324e1644
[Fuzzer] Clearly separate regular and DFSan tests. NFC.
...
llvm-svn: 242850
2015-07-21 22:51:49 +00:00
86e4a3e0a3
[libFuzzer] require the files and directories passed to the fuzzer to exist
...
llvm-svn: 242596
2015-07-18 00:03:37 +00:00
2ea204e645
[lib/Fuzzer] make assertions more informative and update comments for the user-supplied mutator
...
llvm-svn: 238658
2015-05-30 17:33:13 +00:00
3fe7682fb0
[lib/Fuzzer] relax an assertion
...
llvm-svn: 238608
2015-05-29 20:31:17 +00:00
316b571007
[lib/Fuzzer] make the fuzzing timeout 1200 seconds by default (was: infinity)
...
llvm-svn: 238251
2015-05-26 20:57:47 +00:00
c5f905cceb
[lib/Fuzzer] fix docs
...
llvm-svn: 238236
2015-05-26 19:32:52 +00:00
c8228dd9fb
[lib/Fuzzer] fix build with assertions
...
llvm-svn: 238235
2015-05-26 19:29:33 +00:00
e0d60ba876
[lib/Fuzzer] doxygen-ify the comments for the user interface
...
llvm-svn: 238086
2015-05-23 02:12:05 +00:00
7c180eafc1
[lib/Fuzzer] fully get rid of std::cerr in libFuzzer
...
llvm-svn: 238081
2015-05-23 01:22:35 +00:00
20e9bcbfc8
[lib/Fuzzer] start getting rid of std::cerr. Sadly, these parts of C++ library used in libFuzzer badly interract with the same code used in the target function and also with dfsan. It's easier to just not use std::cerr than to defeat these issues.
...
llvm-svn: 238078
2015-05-23 01:07:46 +00:00
f3c7cb464e
[lib/Fuzzer] remove -use_coverage_pairs=1, an experimental feature that is unlikely to ever scale
...
llvm-svn: 238063
2015-05-22 22:47:03 +00:00
f342459aa4
[lib/Fuzzer] extend the fuzzer interface to allow user-supplied mutators
...
llvm-svn: 238059
2015-05-22 22:35:31 +00:00
71e0feb1ac
[lib/Fuzzer] ignore flags that start with --; use git pull --rebase instead of just git pull
...
llvm-svn: 237950
2015-05-21 20:39:13 +00:00
490bbd6fa4
[lib/Fuzzer] change the meaning of -timeout flag: now timeout is applied to every unit of work separately
...
llvm-svn: 237735
2015-05-19 22:12:57 +00:00
cbb2334b7a
[lib/Fuzzer] more efficient reload logic; also don't spam git too much
...
llvm-svn: 237649
2015-05-19 01:06:07 +00:00
2da7b84852
[lib/Fuzzer] when -sync_command=<CMD> is given, periodically execute 'CMD CORPUS' to synchronize with other processes
...
llvm-svn: 237617
2015-05-18 21:34:20 +00:00
a8f01bc8e1
Code cleanup: Reindent Fuzzer::MutateAndTestOne.
...
llvm-svn: 237533
2015-05-17 02:44:31 +00:00
96eab65d81
[lib/Fuzzer] Add SHA1 implementation from public domain.
...
Summary:
This adds a SHA1 implementation taken from public domain code.
The change is trivial, but as it involves third-party code I'd like
a second pair of eyes before commit.
LibFuzzer can not use SHA1 from openssl because openssl may not be available
and because we may be fuzzing openssl itself.
Using sha1sum via a pipe is too slow.
Test Plan: n/a
Reviewers: chandlerc
Reviewed By: chandlerc
Subscribers: majnemer, llvm-commits
Differential Revision: http://reviews.llvm.org/D9733
llvm-svn: 237400
2015-05-14 22:41:49 +00:00
1ce4ebf7d6
[lib/Fuzzer] enable -use_counters=1 by default
...
llvm-svn: 237272
2015-05-13 18:31:46 +00:00
80ec5a11b5
[lib/Fuzzer] A simple script to synchronise a fuzz test corpus with an external git repository.
...
llvm-svn: 237208
2015-05-12 23:19:12 +00:00
f47198aa36
[lib/Fuzzer] use sha1sum for the file hash
...
llvm-svn: 237198
2015-05-12 22:03:34 +00:00
9690fcf12e
[lib/Fuzzer] guess the right number of workers if -jobs=N is given but -workers=M is not. Update the docs.
...
llvm-svn: 237163
2015-05-12 18:51:57 +00:00
d8c54724a8
[lib/Fuzzer] remove the -dfsan=1 flag, just use -use_traces=1 (w/ or w/o dfsan)
...
llvm-svn: 237083
2015-05-12 01:58:34 +00:00
cd7629caec
[lib/Fuzzer] detach the pulse thread instad of joining it
...
llvm-svn: 237082
2015-05-12 01:43:20 +00:00
8817e86efd
[lib/Fuzzer] don't record traces when trace collection is off
...
llvm-svn: 237067
2015-05-11 23:25:28 +00:00
83fd486ff4
[lib/Fuzzer] when running multiple fuzzing processes, print something every 10 minutes to avoid buildbot timeouts
...
llvm-svn: 237054
2015-05-11 21:31:51 +00:00
225262562f
[lib/Fuzzer] rename FuzzerDFSan.cpp to FuzzerTraceState.cpp; update comments. NFC expected
...
llvm-svn: 237050
2015-05-11 21:16:27 +00:00
5a99ecbbb3
[lib/Fuzzer] add a trace-based mutatation logic. Same idea as with DFSan-based mutator, but instead of relying on taint tracking, try to find the data directly in the input. More (logic and comments) to go.
...
llvm-svn: 237043
2015-05-11 20:51:19 +00:00
f3f3ed323a
[lib/Fuzzer] build tests that work well with dfsan also w/o dfsan
...
llvm-svn: 236909
2015-05-08 21:45:19 +00:00
1ac8055bc7
[lib/Fuzzer] use -fsanitize-coverage=trace-cmp when building LLVM with LLVM_USE_SANITIZE_COVERAGE; in lib/Fuzzer try to reload the corpus to pick up new units from other processes
...
llvm-svn: 236906
2015-05-08 21:30:55 +00:00
21a3381a38
Update CMake flags, LibFuzzer comments and docs for new -fsanitize-coverage= flags.
...
llvm-svn: 236797
2015-05-07 23:33:24 +00:00
beb24c38e7
[lib/Fuzzer] change the way we use taint information for fuzzing. Now, we run a single unit and collect suggested mutations based on tracing+taint data, then apply the suggested mutations one by one. The previous scheme was slower and more complex.
...
llvm-svn: 236772
2015-05-07 21:02:11 +00:00
7d470cfb0c
[lib/Fuzzer] minor refactoring/simplification, NFC
...
llvm-svn: 236757
2015-05-07 18:32:29 +00:00
a407ddef27
[lib/Fuzzer] add dfsan_weak_hook_memcmp, enable the test that uses it, simplify the test runner
...
llvm-svn: 236683
2015-05-07 00:11:33 +00:00
3befe94acb
[lib/Fuzzer] remove dfsan_fuzzer_abi.list -- its contents are now moved to dfsan proper
...
llvm-svn: 236659
2015-05-06 22:47:24 +00:00
754f55d6f5
[lib/Fuzzer] add a fuzzer test for memcmp (does not work yet)
...
llvm-svn: 236656
2015-05-06 22:36:00 +00:00
566bc5aa8a
[lib/Fuzzer] rename TestOneInput to LLVMFuzzerTestOneInput to make it more unique
...
llvm-svn: 236652
2015-05-06 22:19:00 +00:00
ca6a2a2f1c
[lib/Fuzzer] on crash print the contents of the crashy input as base64
...
llvm-svn: 236548
2015-05-05 21:59:51 +00:00
177582c90f
[lib/Fuzzer] use handle_abort=1 by default so that when assert() fires we save the test case
...
llvm-svn: 236476
2015-05-05 01:42:55 +00:00
f77031f99d
Removing a spurious space; NFC.
...
llvm-svn: 234168
2015-04-06 16:09:13 +00:00
043ab1c8a7
[fuzzer] document the -tokens flag. Also change the diagnostic output
...
llvm-svn: 233842
2015-04-01 21:33:20 +00:00
52a788e503
[fuzzer] Add support for token-based fuzzing (e.g. for C++). Allow string flags.
...
llvm-svn: 233745
2015-03-31 20:13:20 +00:00
35ce8630f3
Move lib/Fuzzer docs from a README.txt to a proper .rst file.
...
Summary:
Move lib/Fuzzer docs from a README.txt to a proper .rst file.
This change does not add any content, just formatting.
Test Plan: n/a
Reviewers: samsonov
Reviewed By: samsonov
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D8710
llvm-svn: 233638
2015-03-30 23:05:30 +00:00
16901a901d
[fuzzer] when a single unit takes over 1 second to run and it is the slowest one so far, print it.
...
llvm-svn: 233637
2015-03-30 23:04:35 +00:00
03db8b9225
[fuzzer] print various stats in a unified way
...
llvm-svn: 233624
2015-03-30 22:44:03 +00:00
16d03bd051
DFSan-based fuzzer (proof of concept).
...
Summary:
This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.
Test Plan: a test added
Reviewers: samsonov, pcc
Reviewed By: samsonov, pcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D8669
llvm-svn: 233613
2015-03-30 22:09:51 +00:00
be5e0ed919
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
...
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt ) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-03 23:27:02 +00:00
2e3622bddd
[fuzzer] one more experimental search mode: -use_coverage_pairs=1
...
llvm-svn: 229957
2015-02-20 03:02:37 +00:00
016852c396
[fuzzer] split main() into FuzzerDriver() that takes a callback as a parameter and a tiny main() in a separate file
...
llvm-svn: 229882
2015-02-19 18:45:37 +00:00
2117269dd1
[fuzzer] properly annotate fallthrough, add one more entry to FAQ
...
llvm-svn: 229880
2015-02-19 18:21:12 +00:00
db4d645714
[fuzzer] move default sanitizer options to a separate file
...
llvm-svn: 228429
2015-02-06 19:52:07 +00:00
92e0476c67
[fuzzer] add flag prefer_small_during_initial_shuffle, be a bit more verbose
...
llvm-svn: 228235
2015-02-04 23:42:42 +00:00
33f866922a
[fuzzer] add -runs=N to limit the number of runs per session. Also, make sure we do some mutations w/o cross over.
...
llvm-svn: 228214
2015-02-04 22:20:09 +00:00
5b266a8a23
[fuzzer] make multi-process execution more verbose; fix mutation to actually respect mutation depth and to never produce empty units
...
llvm-svn: 228170
2015-02-04 19:10:20 +00:00
fe43aa8d19
[fuzzer]: fix exit code, add more diagnostics
...
llvm-svn: 228103
2015-02-04 01:22:57 +00:00
cf9fdd5876
[fuzzer] Add proper dependensices to the fuzzer tests
...
Summary: Make sure that FileCheck is built when running check-fuzzer
Test Plan:
run on bot:
lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer
Reviewers: samsonov
Reviewed By: samsonov
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D7387
llvm-svn: 228045
2015-02-03 21:57:32 +00:00
4b96ce96c6
[fuzzer] update the include line to use the new header name
...
llvm-svn: 228018
2015-02-03 19:42:05 +00:00
e8cee11570
[fuzzer] add flags to run fuzzer in multiple parallel processes
...
llvm-svn: 227664
2015-01-31 01:14:40 +00:00
71672552db
[fuzzer] Add a gtest-style test
...
Summary: Add one gtest-style test.
Test Plan: run on bot
Reviewers: samsonov
Reviewed By: samsonov
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D7287
llvm-svn: 227639
2015-01-30 23:26:57 +00:00
2c1b33b897
[fuzzer] add -use_full_coverage_set=1 which solves FullCoverageSetTest. This does not scale very well yet, but might be a good start.
...
llvm-svn: 227507
2015-01-29 23:01:07 +00:00
0ff86c79b4
[fuzzer] fix warning in a test
...
llvm-svn: 227478
2015-01-29 18:13:36 +00:00
6d768fcc18
[fuzzer] minor cleanup based on reviews: remove redundant includes, fix a copy-pasto in tests
...
llvm-svn: 227468
2015-01-29 17:16:23 +00:00
a1849af4a9
[fuzzer] add FAQ section to the README.txt
...
llvm-svn: 227466
2015-01-29 17:11:30 +00:00
ef11698cac
Reverting r227452, which adds back the fuzzer library. Now excluding the fuzzer library based on LLVM_USE_SANITIZE_COVERAGE being set or unset.
...
llvm-svn: 227464
2015-01-29 16:58:29 +00:00
7b54ed221a
Temporarily reverting the fuzzer library as it causes too many build issues for MSVC users. This reverts: 227445, 227395, 227389, 227357, 227254, 227252
...
llvm-svn: 227452
2015-01-29 15:49:22 +00:00
d39df1e24d
Adding missing #includes to try to get this to compile on Windows with Visual Studio.
...
llvm-svn: 227445
2015-01-29 15:19:13 +00:00
265cf04f9c
[fuzzer] add option -save_minimized_corpus
...
llvm-svn: 227395
2015-01-28 23:48:39 +00:00
Kostya Serebryany