Kostya Serebryany
54a6363a8f
[libFuzzer] add -timeout_exitcode option
...
llvm-svn: 259265
2016-01-29 23:30:07 +00:00
Kostya Serebryany
9768e7f06b
[libFuzzer] add -abort_on_timeout option
...
llvm-svn: 258631
2016-01-23 19:34:19 +00:00
Kostya Serebryany
ae5b9567bc
[libFuzzer] do mutations based on memcmp/strcmp interceptors under a separate flag (-use_memcmp, default=1)
...
llvm-svn: 257873
2016-01-15 06:24:05 +00:00
Kostya Serebryany
b65805a939
[libFuzzer] change the way trace-based mutations are applied. Instead of a custom code just rely on the automatically created dictionary
...
llvm-svn: 257248
2016-01-09 03:08:58 +00:00
Mike Aizatsky
8b11f877e4
[libfuzzer] print_new_cov_pcs experimental option.
...
Differential Revision: http://reviews.llvm.org/D15901
llvm-svn: 256882
2016-01-06 00:21:22 +00:00
Kostya Serebryany
550e9c80a6
[libFuzzer] deprecate -save_minimized_corpus, -merge can be used instead
...
llvm-svn: 256086
2015-12-19 03:42:16 +00:00
Mike Aizatsky
a1a5c69b57
[LibFuzzer] Introducing FUZZER_FLAG_UNSIGNED and using it for seeding.
...
Differential Revision: http://reviews.llvm.org/D15339
done
llvm-svn: 255296
2015-12-10 20:41:53 +00:00
Kostya Serebryany
2d0ef14f5d
[libFuzzer] add a flag -exact_artifact_path
...
llvm-svn: 254100
2015-11-25 21:40:46 +00:00
Mike Aizatsky
a9c2387192
output_csv libfuzzer option
...
Summary:
The option outputs statistics in CSV format preceded by 1 header line.
This is intended for machine processing of the output.
-verbosity=0 should likely be set.
Differential Revision: http://reviews.llvm.org/D14600
llvm-svn: 252856
2015-11-12 04:38:40 +00:00
Kostya Serebryany
dc3135db05
[libFuzzer] experimental flag -drill (another search heuristic; Mike Aizatsky's idea)
...
llvm-svn: 252838
2015-11-12 01:02:01 +00:00
Kostya Serebryany
9cc3b0ddb6
[libFuzzer] add -merge flag to merge corpora
...
llvm-svn: 251168
2015-10-24 01:16:40 +00:00
Kostya Serebryany
2e9fca9f88
[libFuzzer] use the indirect caller-callee counter as an independent search heuristic
...
llvm-svn: 251078
2015-10-22 23:55:39 +00:00
Kostya Serebryany
b36025619c
[libFuzzer] remove the deprecated 'tokens' feature
...
llvm-svn: 251069
2015-10-22 21:48:09 +00:00
Kostya Serebryany
fed509e73d
[libFuzzer] add -shuffle flag
...
llvm-svn: 250603
2015-10-17 04:38:26 +00:00
Kostya Serebryany
bd5d1cdbb9
[libFuzzer] add -artifact_prefix flag
...
llvm-svn: 249807
2015-10-09 03:57:59 +00:00
Kostya Serebryany
65d0a1458f
[libFuzzer] remove experimental flag and functionality
...
llvm-svn: 249194
2015-10-02 22:00:32 +00:00
Kostya Serebryany
b85db178a0
[libFuzzer] add a flag -max_total_time
...
llvm-svn: 249181
2015-10-02 20:47:55 +00:00
Ivan Krasin
95e82d5b48
[LibFuzzer] test_single_input option to run a single test case.
...
-test_single_input flag specifies a file name with test data.
Review URL: http://reviews.llvm.org/D13359
Patch by Mike Aizatsky!
llvm-svn: 249096
2015-10-01 23:23:06 +00:00
Kostya Serebryany
b06fae5ede
[libFuzzer] better documentation for -save_minimized_corpus=1
...
llvm-svn: 247033
2015-09-08 17:43:51 +00:00
Kostya Serebryany
468ed78434
[libFuzzer] remove -iterations as redundant (there is also -num_runs)
...
llvm-svn: 247030
2015-09-08 17:30:35 +00:00
Kostya Serebryany
9838b2be87
[libFuzzer] adding a parser for AFL-style dictionaries + tests.
...
llvm-svn: 246800
2015-09-03 20:23:46 +00:00
Kostya Serebryany
6ea1b69fcf
[libFuzzer] deprecate the -tokens flag. This was a bad idea because the corpus with this flag contains encrypted inputs, not the real inputs, which complicates interoperation with other fuzzers. Instead we'll need to implement AFL dictionary support
...
llvm-svn: 246734
2015-09-02 23:27:39 +00:00
Lenny Maiorani
1230a54970
Fix missing space in libfuzzer's help text.
...
llvm-svn: 244800
2015-08-12 20:00:10 +00:00
Kostya Serebryany
12c7837381
[libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied
...
llvm-svn: 244712
2015-08-12 01:55:37 +00:00
Kostya Serebryany
bc7c0ad24d
[libFuzzer] add -only_ascii flag
...
llvm-svn: 244559
2015-08-11 01:44:42 +00:00
Kostya Serebryany
70926aed6b
[libFuzzer] add option -report_slow_units=Nsec to control when slow units are printed
...
llvm-svn: 244152
2015-08-05 21:43:48 +00:00
Kostya Serebryany
316b571007
[lib/Fuzzer] make the fuzzing timeout 1200 seconds by default (was: infinity)
...
llvm-svn: 238251
2015-05-26 20:57:47 +00:00
Kostya Serebryany
c5f905cceb
[lib/Fuzzer] fix docs
...
llvm-svn: 238236
2015-05-26 19:32:52 +00:00
Kostya Serebryany
f3c7cb464e
[lib/Fuzzer] remove -use_coverage_pairs=1, an experimental feature that is unlikely to ever scale
...
llvm-svn: 238063
2015-05-22 22:47:03 +00:00
Kostya Serebryany
490bbd6fa4
[lib/Fuzzer] change the meaning of -timeout flag: now timeout is applied to every unit of work separately
...
llvm-svn: 237735
2015-05-19 22:12:57 +00:00
Kostya Serebryany
2da7b84852
[lib/Fuzzer] when -sync_command=<CMD> is given, periodically execute 'CMD CORPUS' to synchronize with other processes
...
llvm-svn: 237617
2015-05-18 21:34:20 +00:00
Kostya Serebryany
1ce4ebf7d6
[lib/Fuzzer] enable -use_counters=1 by default
...
llvm-svn: 237272
2015-05-13 18:31:46 +00:00
Kostya Serebryany
9690fcf12e
[lib/Fuzzer] guess the right number of workers if -jobs=N is given but -workers=M is not. Update the docs.
...
llvm-svn: 237163
2015-05-12 18:51:57 +00:00
Kostya Serebryany
d8c54724a8
[lib/Fuzzer] remove the -dfsan=1 flag, just use -use_traces=1 (w/ or w/o dfsan)
...
llvm-svn: 237083
2015-05-12 01:58:34 +00:00
Kostya Serebryany
5a99ecbbb3
[lib/Fuzzer] add a trace-based mutation logic. Same idea as with DFSan-based mutator, but instead of relying on taint tracking, try to find the data directly in the input. More (logic and comments) to go.
...
llvm-svn: 237043
2015-05-11 20:51:19 +00:00
Kostya Serebryany
1ac8055bc7
[lib/Fuzzer] use -fsanitize-coverage=trace-cmp when building LLVM with LLVM_USE_SANITIZE_COVERAGE; in lib/Fuzzer try to reload the corpus to pick up new units from other processes
...
llvm-svn: 236906
2015-05-08 21:30:55 +00:00
Kostya Serebryany
52a788e503
[fuzzer] Add support for token-based fuzzing (e.g. for C++). Allow string flags.
...
llvm-svn: 233745
2015-03-31 20:13:20 +00:00
Kostya Serebryany
16d03bd051
DFSan-based fuzzer (proof of concept).
...
Summary:
This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.
Test Plan: a test added
Reviewers: samsonov, pcc
Reviewed By: samsonov, pcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D8669
llvm-svn: 233613
2015-03-30 22:09:51 +00:00
Kostya Serebryany
be5e0ed919
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
...
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers; we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-03 23:27:02 +00:00
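The counter-to-bitset mapping described in the commit above, as an added example that is not the sanitizer runtime's or libFuzzer's own code; the helper names, the three-block counter arrays and the runs are constructed for illustration:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Map an 8-bit execution counter to one bit of an 8-bit bitset using the
 * AFL ranges quoted in the commit: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
 * A counter of 0 (block never executed) sets no bit. Hypothetical helper
 * written for this example, not the sanitizer runtime's implementation. */
uint8_t counter_to_bitset(uint8_t counter) {
    if (counter == 0) return 0;
    if (counter == 1) return 1u << 0;
    if (counter == 2) return 1u << 1;
    if (counter == 3) return 1u << 2;
    if (counter < 8) return 1u << 3;    /* 4-7 */
    if (counter < 16) return 1u << 4;   /* 8-15 */
    if (counter < 32) return 1u << 5;   /* 16-31 */
    if (counter < 128) return 1u << 6;  /* 32-127 */
    return 1u << 7;                     /* 128+ */
}

/* Fold one run's counters into the cumulative per-block bitsets and return
 * how many previously unseen (block, range) features the run produced.
 * This is the search heuristic: an input that drives a loop into a new
 * count range is worth keeping even when it reaches no new code. */
size_t merge_counters(const uint8_t *counters, uint8_t *seen, size_t n) {
    size_t new_features = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t bits = counter_to_bitset(counters[i]);
        if (bits & (uint8_t)~seen[i]) {
            new_features++;
            seen[i] |= bits;
        }
    }
    return new_features;
}

int main(void) {
    /* Constructed sample: counters for three instrumented blocks. */
    uint8_t seen[3] = {0, 0, 0};
    uint8_t run1[3] = {1, 5, 0};    /* block 1 hit 5 times -> range 4-7 */
    uint8_t run2[3] = {1, 6, 0};    /* 6 is still range 4-7: nothing new */
    uint8_t run3[3] = {1, 200, 1};  /* block 1 enters 128+, block 2 first hit */
    printf("run1: %zu new features\n", merge_counters(run1, seen, 3)); /* 2 */
    printf("run2: %zu new features\n", merge_counters(run2, seen, 3)); /* 0 */
    printf("run3: %zu new features\n", merge_counters(run3, seen, 3)); /* 2 */
    return 0;
}
```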
Kostya Serebryany
2e3622bddd
[fuzzer] one more experimental search mode: -use_coverage_pairs=1
...
llvm-svn: 229957
2015-02-20 03:02:37 +00:00
Kostya Serebryany
92e0476c67
[fuzzer] add flag prefer_small_during_initial_shuffle, be a bit more verbose
...
llvm-svn: 228235
2015-02-04 23:42:42 +00:00
Kostya Serebryany
33f866922a
[fuzzer] add -runs=N to limit the number of runs per session. Also, make sure we do some mutations w/o cross over.
...
llvm-svn: 228214
2015-02-04 22:20:09 +00:00
Kostya Serebryany
5b266a8a23
[fuzzer] make multi-process execution more verbose; fix mutation to actually respect mutation depth and to never produce empty units
...
llvm-svn: 228170
2015-02-04 19:10:20 +00:00
Kostya Serebryany
e8cee11570
[fuzzer] add flags to run fuzzer in multiple parallel processes
...
llvm-svn: 227664
2015-01-31 01:14:40 +00:00
Kostya Serebryany
2c1b33b897
[fuzzer] add -use_full_coverage_set=1 which solves FullCoverageSetTest. This does not scale very well yet, but might be a good start.
...
llvm-svn: 227507
2015-01-29 23:01:07 +00:00
Aaron Ballman
ef11698cac
Reverting r227452, which adds back the fuzzer library. Now excluding the fuzzer library based on LLVM_USE_SANITIZE_COVERAGE being set or unset.
...
llvm-svn: 227464
2015-01-29 16:58:29 +00:00
Aaron Ballman
7b54ed221a
Temporarily reverting the fuzzer library as it causes too many build issues for MSVC users. This reverts: 227445, 227395, 227389, 227357, 227254, 227252
...
llvm-svn: 227452
2015-01-29 15:49:22 +00:00
Kostya Serebryany
265cf04f9c
[fuzzer] add option -save_minimized_corpus
...
llvm-svn: 227395
2015-01-28 23:48:39 +00:00
Kostya Serebryany
d53b43fe11
Add a Fuzzer library
...
Summary:
A simple genetic in-process coverage-guided fuzz testing library.
I've used this fuzzer to test clang-format
(it found 12+ bugs, thanks djasper@ for the fixes!)
and it may also help us test other parts of LLVM.
So why not keep it in the LLVM repository?
I plan to add the cmake build rules later (in a separate patch, if that's ok)
and also add a clang-format-fuzzer target.
See README.txt for details.
Test Plan: Tests will follow separately.
Reviewers: djasper, chandlerc, rnk
Reviewed By: rnk
Subscribers: majnemer, ygribov, dblaikie, llvm-commits
Differential Revision: http://reviews.llvm.org/D7184
llvm-svn: 227252
2015-01-27 22:08:41 +00:00