a35f7d383f
[libFuzzer] only read MaxLen bytes from every file in the corpus to speedup loading the corpus
...
llvm-svn: 261267
2016-02-18 21:49:10 +00:00
8a5bef0fcf
[libFuzzer] remove std::vector operations from hot paths, NFC
...
llvm-svn: 260829
2016-02-13 17:56:51 +00:00
1deb0498f5
[libFuzzer] don't require seed in fuzzer::Mutate, instead use the global Fuzzer object for fuzzer::Mutate. This makes custom mutators fast
...
llvm-svn: 260810
2016-02-13 06:24:18 +00:00
23194963f7
[libFuzzer] simplify CTOR of MutationDispatcher
...
llvm-svn: 260800
2016-02-13 03:46:26 +00:00
292cf0379c
[libFuzzer] get rid of MutationDispatcher::Impl (simplify the code; NFC)
...
llvm-svn: 260799
2016-02-13 03:37:24 +00:00
7ec0c56e07
[libFuzzer] get rid of UserSuppliedFuzzer; NFC
...
llvm-svn: 260798
2016-02-13 03:25:16 +00:00
a399221c32
[libFuzzer] simplify the code around Random. NFC
...
llvm-svn: 260797
2016-02-13 03:00:53 +00:00
ecab57b3ce
[libFuzzer] remove UserSuppliedFuzzer from the interface (it was a bad idea).
...
llvm-svn: 260796
2016-02-13 02:39:30 +00:00
bfbe7fc404
[libFuzzer] allow passing 1 or more files as individual inputs
...
llvm-svn: 259459
2016-02-02 03:03:47 +00:00
54a6363a8f
[libFuzzer] add -timeout_exitcode option
...
llvm-svn: 259265
2016-01-29 23:30:07 +00:00
9768e7f06b
[libFuzzer] add -abort_on_timeout option
...
llvm-svn: 258631
2016-01-23 19:34:19 +00:00
160dcba81f
[libFuzzer] add more fields to DictionaryEntry to count the number of uses and successes
...
llvm-svn: 258589
2016-01-22 23:55:14 +00:00
df91910bd4
Use std::piecewise_constant_distribution instead of ad-hoc binary search.
...
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.
Note: this is the second attempt (prev: r258473). Now, libc++ build is fixed.
Reviewers: aizatsky, kcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D16487
llvm-svn: 258571
2016-01-22 22:28:27 +00:00
d84f74cab7
Revert r258473 as it's breaking the build with libc++
...
Reviewers: kcc
Differential Revision: http://reviews.llvm.org/D16441
llvm-svn: 258479
2016-01-22 03:21:52 +00:00
b008fd4d89
Use std::piecewise_constant_distribution instead of ad-hoc binary search.
...
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.
Note: I had to change the seed for one test to make it pass. Alternatively,
the number of runs could be increased. I believe that the average time of
'foo' discovery is not increased, just seed=1 was particularly convenient
for the previous PRNG scheme used.
Reviewers: aizatsky, kcc
Subscribers: llvm-commits, kcc
Differential Revision: http://reviews.llvm.org/D16419
llvm-svn: 258473
2016-01-22 01:32:34 +00:00
476f0ce31a
[libFuzzer] replace vector with a simpler data structure in the Dictionaries to avoid memory allocations on hot path
...
llvm-svn: 257985
2016-01-16 03:53:32 +00:00
aca7696f4d
[libFuzzer] introduce LLVMFuzzerInitialize
...
llvm-svn: 257980
2016-01-16 01:23:12 +00:00
628bc3ec00
[libFuzzer] move some code from public interface header to a non-public header. NFC
...
llvm-svn: 257963
2016-01-16 00:04:36 +00:00
ae5b9567bc
[libFuzzer] do mutations based on memcmp/strcmp interceptors under a separate flag (-use_memcmp, default=1)
...
llvm-svn: 257873
2016-01-15 06:24:05 +00:00
98abb2c90a
[libFuzzer] make CurrentUnit a POD object instead of vector to avoid extra allocations
...
llvm-svn: 257713
2016-01-13 23:46:01 +00:00
d50a3eedb4
[libFuzzer] make sure we find buffer overflow in the input buffer. Previously, re-using the same vector object was hiding buffer overflows (unless we used annotated vector)
...
llvm-svn: 257701
2016-01-13 23:02:30 +00:00
4174005622
[libFuzzer] when a new unit is discovered using a dictionary, print all used dictionary entries
...
llvm-svn: 257435
2016-01-12 02:36:59 +00:00
b65805a939
[libFuzzer] change the way trace-based mutations are applied. Instead of a custom code just rely on the automatically created dictionary
...
llvm-svn: 257248
2016-01-09 03:08:58 +00:00
8b11f877e4
[libfuzzer] print_new_cov_pcs experimental option.
...
Differential Revision: http://reviews.llvm.org/D15901
llvm-svn: 256882
2016-01-06 00:21:22 +00:00
27ab2d759f
[libFuzzer] make CrossOver just one of the other mutations
...
llvm-svn: 256081
2015-12-19 02:49:09 +00:00
9e48cda9bc
[libFuzzer] compute base64 in-process instead of using an external lib. Since libFuzzer should not depend on anything, just re-implement base64 encoder. PR25746
...
llvm-svn: 254784
2015-12-04 22:29:39 +00:00
2d0ef14f5d
[libFuzzer] add a flag -exact_artifact_path
...
llvm-svn: 254100
2015-11-25 21:40:46 +00:00
a9c2387192
output_csv libfuzzer option
...
Summary:
The option outputs statistics in CSV format preceded by 1 header line.
This is intended for machine processing of the output.
-verbosity=0 should likely be set.
Differential Revision: http://reviews.llvm.org/D14600
llvm-svn: 252856
2015-11-12 04:38:40 +00:00
dc3135db05
[libFuzzer] experimental flag -drill (another search heuristic; Mike Aizatsky's idea)
...
llvm-svn: 252838
2015-11-12 01:02:01 +00:00
e692621a9d
[libFuzzer] when choosing the next unit to mutate, give some preference to the most recent units (they are more likely to be interesting)
...
llvm-svn: 252097
2015-11-04 23:22:25 +00:00
9cc3b0ddb6
[libFuzzer] add -merge flag to merge corpora
...
llvm-svn: 251168
2015-10-24 01:16:40 +00:00
94660b3c36
[libFuzzer] remove some old code; also make __sanitizer_get_total_unique_caller_callee_pairs weak so that newer libFuzzer works with older asan
...
llvm-svn: 251133
2015-10-23 18:37:58 +00:00
2e9fca9f88
[libFuzzer] use the indirect caller-callee counter as an independent search heuristic
...
llvm-svn: 251078
2015-10-22 23:55:39 +00:00
09d2a5f6e1
[libFuzzer] more refactoring the code that checks the coverage. NFC
...
llvm-svn: 251075
2015-10-22 22:56:45 +00:00
007c9b25f4
[libFuzzer] refactoring the code that checks the coverage. NFC
...
llvm-svn: 251074
2015-10-22 22:50:47 +00:00
b36025619c
[libFuzzer] remove the deprecated 'tokens' feature
...
llvm-svn: 251069
2015-10-22 21:48:09 +00:00
fed509e73d
[libFuzzer] add -shuffle flag
...
llvm-svn: 250603
2015-10-17 04:38:26 +00:00
d6edce97fb
[libFuzzer] print a stack trace on timeout
...
llvm-svn: 250571
2015-10-16 23:04:31 +00:00
b91c62b1f3
[libFuzzer] When -test_single_input crashes the test it is not necessary to write crash-file because input is already known to the user. Patch by Mike Aizatsky
...
llvm-svn: 250564
2015-10-16 22:41:47 +00:00
bd5d1cdbb9
[libFuzzer] add -artifact_prefix flag
...
llvm-svn: 249807
2015-10-09 03:57:59 +00:00
20bb5e71b2
[libFuzzer] make LLVMFuzzerTestOneInput (the fuzzer target function) return int instead of void. The actual return value is not *yet* used (and expected to be 0). This change is API breaking, so the fuzzers will need to be updated.
...
llvm-svn: 249214
2015-10-02 23:34:06 +00:00
65d0a1458f
[libFuzzer] remove experimental flag and functionality
...
llvm-svn: 249194
2015-10-02 22:00:32 +00:00
b85db178a0
[libFuzzer] add a flag -max_total_time
...
llvm-svn: 249181
2015-10-02 20:47:55 +00:00
95e82d5b48
[LibFuzzer] test_single_input option to run a single test case.
...
-test_single_input flag specifies a file name with test data.
Review URL: http://reviews.llvm.org/D13359
Patch by Mike Aizatsky!
llvm-svn: 249096
2015-10-01 23:23:06 +00:00
468ed78434
[libFuzzer] remove -iterations as redundant (there is also -num_runs)
...
llvm-svn: 247030
2015-09-08 17:30:35 +00:00
9838b2be87
[libFuzzer] adding a parser for AFL-style dictionaries + tests.
...
llvm-svn: 246800
2015-09-03 20:23:46 +00:00
a9346c2e65
[libFuzzer] honour -only_ascii=1 when reading the initial corpus. Also, remove ugly #ifdef
...
llvm-svn: 246689
2015-09-02 19:08:08 +00:00
12c7837381
[libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied
...
llvm-svn: 244712
2015-08-12 01:55:37 +00:00
bc7c0ad24d
[libFuzzer] add -only_ascii flag
...
llvm-svn: 244559
2015-08-11 01:44:42 +00:00
347663b214
Add missing include guard to FuzzerInternal.h, NFC.
...
llvm-svn: 244457
2015-08-10 16:37:40 +00:00
242ca930e8
[libFuzzer] move the mutators to public interface so that custom mutators may reuse these functions directly
...
llvm-svn: 244250
2015-08-06 19:19:55 +00:00
bf29ff2fa5
[libFuzzer] add one more mutation strategy: byte shuffling
...
llvm-svn: 244188
2015-08-06 01:29:13 +00:00
70926aed6b
[libFuzzer] add option -report_slow_units=Nsec to control when slow units are printed
...
llvm-svn: 244152
2015-08-05 21:43:48 +00:00
86a5fba71d
[libFuzzer] more refactoring of the Mutator and adding tests to it
...
llvm-svn: 243818
2015-08-01 02:23:06 +00:00
8ce7424e9c
[libFuzzer] start refactoring the Mutator and adding tests to it
...
llvm-svn: 243817
2015-08-01 01:42:51 +00:00
404c69f2c8
[libFuzzer] allow users to supply their own implementation of rand
...
llvm-svn: 243078
2015-07-24 01:06:40 +00:00
2b7d2e91cc
[libFuzzer] dump long running units to disk
...
llvm-svn: 243031
2015-07-23 18:37:22 +00:00
20e9bcbfc8
[lib/Fuzzer] start getting rid of std::cerr. Sadly, these parts of C++ library used in libFuzzer badly interract with the same code used in the target function and also with dfsan. It's easier to just not use std::cerr than to defeat these issues.
...
llvm-svn: 238078
2015-05-23 01:07:46 +00:00
f3c7cb464e
[lib/Fuzzer] remove -use_coverage_pairs=1, an experimental feature that is unlikely to ever scale
...
llvm-svn: 238063
2015-05-22 22:47:03 +00:00
f342459aa4
[lib/Fuzzer] extend the fuzzer interface to allow user-supplied mutators
...
llvm-svn: 238059
2015-05-22 22:35:31 +00:00
490bbd6fa4
[lib/Fuzzer] change the meaning of -timeout flag: now timeout is applied to every unit of work separately
...
llvm-svn: 237735
2015-05-19 22:12:57 +00:00
cbb2334b7a
[lib/Fuzzer] more efficient reload logic; also don't spam git too much
...
llvm-svn: 237649
2015-05-19 01:06:07 +00:00
2da7b84852
[lib/Fuzzer] when -sync_command=<CMD> is given, periodically execute 'CMD CORPUS' to synchronize with other processes
...
llvm-svn: 237617
2015-05-18 21:34:20 +00:00
96eab65d81
[lib/Fuzzer] Add SHA1 implementation from public domain.
...
Summary:
This adds a SHA1 implementation taken from public domain code.
The change is trivial, but as it involves third-party code I'd like
a second pair of eyes before commit.
LibFuzzer can not use SHA1 from openssl because openssl may not be available
and because we may be fuzzing openssl itself.
Using sha1sum via a pipe is too slow.
Test Plan: n/a
Reviewers: chandlerc
Reviewed By: chandlerc
Subscribers: majnemer, llvm-commits
Differential Revision: http://reviews.llvm.org/D9733
llvm-svn: 237400
2015-05-14 22:41:49 +00:00
9690fcf12e
[lib/Fuzzer] guess the right number of workers if -jobs=N is given but -workers=M is not. Update the docs.
...
llvm-svn: 237163
2015-05-12 18:51:57 +00:00
d8c54724a8
[lib/Fuzzer] remove the -dfsan=1 flag, just use -use_traces=1 (w/ or w/o dfsan)
...
llvm-svn: 237083
2015-05-12 01:58:34 +00:00
225262562f
[lib/Fuzzer] rename FuzzerDFSan.cpp to FuzzerTraceState.cpp; update comments. NFC expected
...
llvm-svn: 237050
2015-05-11 21:16:27 +00:00
5a99ecbbb3
[lib/Fuzzer] add a trace-based mutatation logic. Same idea as with DFSan-based mutator, but instead of relying on taint tracking, try to find the data directly in the input. More (logic and comments) to go.
...
llvm-svn: 237043
2015-05-11 20:51:19 +00:00
1ac8055bc7
[lib/Fuzzer] use -fsanitize-coverage=trace-cmp when building LLVM with LLVM_USE_SANITIZE_COVERAGE; in lib/Fuzzer try to reload the corpus to pick up new units from other processes
...
llvm-svn: 236906
2015-05-08 21:30:55 +00:00
beb24c38e7
[lib/Fuzzer] change the way we use taint information for fuzzing. Now, we run a single unit and collect suggested mutations based on tracing+taint data, then apply the suggested mutations one by one. The previous scheme was slower and more complex.
...
llvm-svn: 236772
2015-05-07 21:02:11 +00:00
7d470cfb0c
[lib/Fuzzer] minor refactoring/simplification, NFC
...
llvm-svn: 236757
2015-05-07 18:32:29 +00:00
ca6a2a2f1c
[lib/Fuzzer] on crash print the contents of the crashy input as base64
...
llvm-svn: 236548
2015-05-05 21:59:51 +00:00
52a788e503
[fuzzer] Add support for token-based fuzzing (e.g. for C++). Allow string flags.
...
llvm-svn: 233745
2015-03-31 20:13:20 +00:00
16901a901d
[fuzzer] when a single unit takes over 1 second to run and it is the slowest one so far, print it.
...
llvm-svn: 233637
2015-03-30 23:04:35 +00:00
03db8b9225
[fuzzer] print various stats in a unified way
...
llvm-svn: 233624
2015-03-30 22:44:03 +00:00
16d03bd051
DFSan-based fuzzer (proof of concept).
...
Summary:
This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.
Test Plan: a test added
Reviewers: samsonov, pcc
Reviewed By: samsonov, pcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D8669
llvm-svn: 233613
2015-03-30 22:09:51 +00:00
be5e0ed919
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
...
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt ) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-03 23:27:02 +00:00
2e3622bddd
[fuzzer] one more experimental search mode: -use_coverage_pairs=1
...
llvm-svn: 229957
2015-02-20 03:02:37 +00:00
016852c396
[fuzzer] split main() into FuzzerDriver() that takes a callback as a parameter and a tiny main() in a separate file
...
llvm-svn: 229882
2015-02-19 18:45:37 +00:00
92e0476c67
[fuzzer] add flag prefer_small_during_initial_shuffle, be a bit more verbose
...
llvm-svn: 228235
2015-02-04 23:42:42 +00:00
33f866922a
[fuzzer] add -runs=N to limit the number of runs per session. Also, make sure we do some mutations w/o cross over.
...
llvm-svn: 228214
2015-02-04 22:20:09 +00:00
5b266a8a23
[fuzzer] make multi-process execution more verbose; fix mutation to actually respect mutation depth and to never produce empty units
...
llvm-svn: 228170
2015-02-04 19:10:20 +00:00
2c1b33b897
[fuzzer] add -use_full_coverage_set=1 which solves FullCoverageSetTest. This does not scale very well yet, but might be a good start.
...
llvm-svn: 227507
2015-01-29 23:01:07 +00:00
ef11698cac
Reverting r227452, which adds back the fuzzer library. Now excluding the fuzzer library based on LLVM_USE_SANITIZE_COVERAGE being set or unset.
...
llvm-svn: 227464
2015-01-29 16:58:29 +00:00
7b54ed221a
Temporarily reverting the fuzzer library as it causes too many build issues for MSVC users. This reverts: 227445, 227395, 227389, 227357, 227254, 227252
...
llvm-svn: 227452
2015-01-29 15:49:22 +00:00
265cf04f9c
[fuzzer] add option -save_minimized_corpus
...
llvm-svn: 227395
2015-01-28 23:48:39 +00:00
d53b43fe11
Add a Fuzzer library
...
Summary:
A simple genetic in-process coverage-guided fuzz testing library.
I've used this fuzzer to test clang-format
(it found 12+ bugs, thanks djasper@ for the fixes!)
and it may also help us test other parts of LLVM.
So why not keep it in the LLVM repository?
I plan to add the cmake build rules later (in a separate patch, if that's ok)
and also add a clang-format-fuzzer target.
See README.txt for details.
Test Plan: Tests will follow separately.
Reviewers: djasper, chandlerc, rnk
Reviewed By: rnk
Subscribers: majnemer, ygribov, dblaikie, llvm-commits
Differential Revision: http://reviews.llvm.org/D7184
llvm-svn: 227252
2015-01-27 22:08:41 +00:00
Kostya Serebryany