Commit Graph

49 Commits

Author SHA1 Message Date
Kostya Serebryany 54a6363a8f [libFuzzer] add -timeout_exitcode option
llvm-svn: 259265
2016-01-29 23:30:07 +00:00
Kostya Serebryany 9768e7f06b [libFuzzer] add -abort_on_timeout option
llvm-svn: 258631
2016-01-23 19:34:19 +00:00
Kostya Serebryany ae5b9567bc [libFuzzer] do mutations based on memcmp/strcmp interceptors under a separate flag (-use_memcmp, default=1)
llvm-svn: 257873
2016-01-15 06:24:05 +00:00
Kostya Serebryany b65805a939 [libFuzzer] change the way trace-based mutations are applied. Instead of a custom code just rely on the automatically created dictionary
llvm-svn: 257248
2016-01-09 03:08:58 +00:00
Mike Aizatsky 8b11f877e4 [libfuzzer] print_new_cov_pcs experimental option.
Differential Revision: http://reviews.llvm.org/D15901

llvm-svn: 256882
2016-01-06 00:21:22 +00:00
Kostya Serebryany 550e9c80a6 [libFuzzer] deprecate -save_minimized_corpus, -merge can be used instead
llvm-svn: 256086
2015-12-19 03:42:16 +00:00
Mike Aizatsky a1a5c69b57 [LibFuzzer] Introducing FUZZER_FLAG_UNSIGNED and using it for seeding.
Differential Revision: http://reviews.llvm.org/D15339

done

llvm-svn: 255296
2015-12-10 20:41:53 +00:00
Kostya Serebryany 2d0ef14f5d [libFuzzer] add a flag -exact_artifact_path
llvm-svn: 254100
2015-11-25 21:40:46 +00:00
Mike Aizatsky a9c2387192 output_csv libfuzzer option
Summary:
The option outputs statistics in CSV format preceded by 1 header line.
This is intended for machine processing of the output.
-verbosity=0 should likely be set.

Differential Revision: http://reviews.llvm.org/D14600

llvm-svn: 252856
2015-11-12 04:38:40 +00:00
Kostya Serebryany dc3135db05 [libFuzzer] experimental flag -drill (another search heuristic; Mike Aizatsky's idea)
llvm-svn: 252838
2015-11-12 01:02:01 +00:00
Kostya Serebryany 9cc3b0ddb6 [libFuzzer] add -merge flag to merge corpora
llvm-svn: 251168
2015-10-24 01:16:40 +00:00
Kostya Serebryany 2e9fca9f88 [libFuzzer] use the indirect caller-callee counter as an independent search heuristic
llvm-svn: 251078
2015-10-22 23:55:39 +00:00
Kostya Serebryany b36025619c [libFuzzer] remove the deprecated 'tokens' feature
llvm-svn: 251069
2015-10-22 21:48:09 +00:00
Kostya Serebryany fed509e73d [libFuzzer] add -shuffle flag
llvm-svn: 250603
2015-10-17 04:38:26 +00:00
Kostya Serebryany bd5d1cdbb9 [libFuzzer] add -artifact_prefix flag
llvm-svn: 249807
2015-10-09 03:57:59 +00:00
Kostya Serebryany 65d0a1458f [libFuzzer] remove experimental flag and functionality
llvm-svn: 249194
2015-10-02 22:00:32 +00:00
Kostya Serebryany b85db178a0 [libFuzzer] add a flag -max_total_time
llvm-svn: 249181
2015-10-02 20:47:55 +00:00
Ivan Krasin 95e82d5b48 [LibFuzzer] test_single_input option to run a single test case.
-test_single_input flag specifies a file name with test data.

Review URL: http://reviews.llvm.org/D13359

Patch by Mike Aizatsky!

llvm-svn: 249096
2015-10-01 23:23:06 +00:00
Kostya Serebryany b06fae5ede [libFuzzer] better documentatio for -save_minimized_corpus=1
llvm-svn: 247033
2015-09-08 17:43:51 +00:00
Kostya Serebryany 468ed78434 [libFuzzer] remove -iterations as redundant (there is also -num_runs)
llvm-svn: 247030
2015-09-08 17:30:35 +00:00
Kostya Serebryany 9838b2be87 [libFuzzer] adding a parser for AFL-style dictionaries + tests.
llvm-svn: 246800
2015-09-03 20:23:46 +00:00
Kostya Serebryany 6ea1b69fcf [libFuzzer] deprecate the -tokens flag. This was a bad idea because the corpus with this flag contains encrypted inputs, not the real inputs, which complicates interoperation with other fuzzers. Instead we'll need to implement AFL dictionary support
llvm-svn: 246734
2015-09-02 23:27:39 +00:00
Lenny Maiorani 1230a54970 Fix missing space in libfuzzer's help text.
llvm-svn: 244800
2015-08-12 20:00:10 +00:00
Kostya Serebryany 12c7837381 [libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied
llvm-svn: 244712
2015-08-12 01:55:37 +00:00
Kostya Serebryany bc7c0ad24d [libFuzzer] add -only_ascii flag
llvm-svn: 244559
2015-08-11 01:44:42 +00:00
Kostya Serebryany 70926aed6b [libFuzzer] add option -report_slow_units=Nsec to control when slow units are printed
llvm-svn: 244152
2015-08-05 21:43:48 +00:00
Kostya Serebryany 316b571007 [lib/Fuzzer] make the fuzzing timeout 1200 seconds by default (was: infinity)
llvm-svn: 238251
2015-05-26 20:57:47 +00:00
Kostya Serebryany c5f905cceb [lib/Fuzzer] fix docs
llvm-svn: 238236
2015-05-26 19:32:52 +00:00
Kostya Serebryany f3c7cb464e [lib/Fuzzer] remove -use_coverage_pairs=1, an experimental feature that is unlikely to ever scale
llvm-svn: 238063
2015-05-22 22:47:03 +00:00
Kostya Serebryany 490bbd6fa4 [lib/Fuzzer] change the meaning of -timeout flag: now timeout is applied to every unit of work separately
llvm-svn: 237735
2015-05-19 22:12:57 +00:00
Kostya Serebryany 2da7b84852 [lib/Fuzzer] when -sync_command=<CMD> is given, periodically execute 'CMD CORPUS' to synchronize with other processes
llvm-svn: 237617
2015-05-18 21:34:20 +00:00
Kostya Serebryany 1ce4ebf7d6 [lib/Fuzzer] enable -use_counters=1 by default
llvm-svn: 237272
2015-05-13 18:31:46 +00:00
Kostya Serebryany 9690fcf12e [lib/Fuzzer] guess the right number of workers if -jobs=N is given but -workers=M is not. Update the docs.
llvm-svn: 237163
2015-05-12 18:51:57 +00:00
Kostya Serebryany d8c54724a8 [lib/Fuzzer] remove the -dfsan=1 flag, just use -use_traces=1 (w/ or w/o dfsan)
llvm-svn: 237083
2015-05-12 01:58:34 +00:00
Kostya Serebryany 5a99ecbbb3 [lib/Fuzzer] add a trace-based mutatation logic. Same idea as with DFSan-based mutator, but instead of relying on taint tracking, try to find the data directly in the input. More (logic and comments) to go.
llvm-svn: 237043
2015-05-11 20:51:19 +00:00
Kostya Serebryany 1ac8055bc7 [lib/Fuzzer] use -fsanitize-coverage=trace-cmp when building LLVM with LLVM_USE_SANITIZE_COVERAGE; in lib/Fuzzer try to reload the corpus to pick up new units from other processes
llvm-svn: 236906
2015-05-08 21:30:55 +00:00
Kostya Serebryany 52a788e503 [fuzzer] Add support for token-based fuzzing (e.g. for C++). Allow string flags.
llvm-svn: 233745
2015-03-31 20:13:20 +00:00
Kostya Serebryany 16d03bd051 DFSan-based fuzzer (proof of concept).
Summary:
This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.

Test Plan: a test added

Reviewers: samsonov, pcc

Reviewed By: samsonov, pcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D8669

llvm-svn: 233613
2015-03-30 22:09:51 +00:00
Kostya Serebryany be5e0ed919 [sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.

The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.

These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.

Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).

Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.

llvm-svn: 231166
2015-03-03 23:27:02 +00:00
Kostya Serebryany 2e3622bddd [fuzzer] one more experimental search mode: -use_coverage_pairs=1
llvm-svn: 229957
2015-02-20 03:02:37 +00:00
Kostya Serebryany 92e0476c67 [fuzzer] add flag prefer_small_during_initial_shuffle, be a bit more verbose
llvm-svn: 228235
2015-02-04 23:42:42 +00:00
Kostya Serebryany 33f866922a [fuzzer] add -runs=N to limit the number of runs per session. Also, make sure we do some mutations w/o cross over.
llvm-svn: 228214
2015-02-04 22:20:09 +00:00
Kostya Serebryany 5b266a8a23 [fuzzer] make multi-process execution more verbose; fix mutation to actually respect mutation depth and to never produce empty units
llvm-svn: 228170
2015-02-04 19:10:20 +00:00
Kostya Serebryany e8cee11570 [fuzzer] add flags to run fuzzer in multiple parallel processes
llvm-svn: 227664
2015-01-31 01:14:40 +00:00
Kostya Serebryany 2c1b33b897 [fuzzer] add -use_full_coverage_set=1 which solves FullCoverageSetTest. This does not scale very well yet, but might be a good start.
llvm-svn: 227507
2015-01-29 23:01:07 +00:00
Aaron Ballman ef11698cac Reverting r227452, which adds back the fuzzer library. Now excluding the fuzzer library based on LLVM_USE_SANITIZE_COVERAGE being set or unset.
llvm-svn: 227464
2015-01-29 16:58:29 +00:00
Aaron Ballman 7b54ed221a Temporarily reverting the fuzzer library as it causes too many build issues for MSVC users. This reverts: 227445, 227395, 227389, 227357, 227254, 227252
llvm-svn: 227452
2015-01-29 15:49:22 +00:00
Kostya Serebryany 265cf04f9c [fuzzer] add option -save_minimized_corpus
llvm-svn: 227395
2015-01-28 23:48:39 +00:00
Kostya Serebryany d53b43fe11 Add a Fuzzer library
Summary:
A simple genetic in-process coverage-guided fuzz testing library.

I've used this fuzzer to test clang-format
(it found 12+ bugs, thanks djasper@ for the fixes!)
and it may also help us test other parts of LLVM.
So why not keep it in the LLVM repository?

I plan to add the cmake build rules later (in a separate patch, if that's ok)
and also add a clang-format-fuzzer target.

See README.txt for details.

Test Plan: Tests will follow separately.

Reviewers: djasper, chandlerc, rnk

Reviewed By: rnk

Subscribers: majnemer, ygribov, dblaikie, llvm-commits

Differential Revision: http://reviews.llvm.org/D7184

llvm-svn: 227252
2015-01-27 22:08:41 +00:00