Commit Graph

131 Commits

Author SHA1 Message Date
Kostya Serebryany 0f0fa4faf2 [libFizzer] rename -print_new_cov_pcs=1 into -print_pcs=1 and make it more useful: print PCs only after the initial corpus has been read and symbolize them
llvm-svn: 279787
2016-08-25 22:35:08 +00:00
Kostya Serebryany f67357c671 [libFuzzer] simplify the code, NFC
llvm-svn: 279697
2016-08-25 01:25:03 +00:00
Kostya Serebryany bceadcf1cd [libFuzzer] use __attribute__((target("popcnt"))) only on x86_64
llvm-svn: 279601
2016-08-24 01:38:42 +00:00
Kostya Serebryany 0c537b124c [libFuzzer] one more mutation: ChangeBinaryInteger; also fix the breakage from r278970
llvm-svn: 278982
2016-08-17 21:30:30 +00:00
Kostya Serebryany a9a548049a [libFuzzer] when printing the reproducer input, also print the base input and the mutation sequence
llvm-svn: 278975
2016-08-17 20:45:23 +00:00
Kostya Serebryany a7398ba024 [libFuzzer] more mutations
llvm-svn: 278950
2016-08-17 18:10:42 +00:00
Kostya Serebryany d46a59fac4 [libFuzzer] new experimental feature: value profiling. Profiles values that affect control flow and treats new values as new coverage.
llvm-svn: 278839
2016-08-16 19:33:51 +00:00
Kostya Serebryany c98ef718ea [libFuzzer] refactoring around PCMap, NFC
llvm-svn: 278825
2016-08-16 17:37:13 +00:00
Kostya Serebryany dfbe59b03d [libFuzzer] add InsertRepeatedBytes and EraseBytes.
New mutation: InsertRepeatedBytes.
Updated mutation: EraseByte => EraseBytes.

This helps https://github.com/google/sanitizers/issues/710
where libFuzzer was not able to find a known bug.
Now it finds it in minutes.

Hopefully, the change is general enough to help other targets.

llvm-svn: 278687
2016-08-15 17:48:28 +00:00
Mike Aizatsky b4bbc3bb7a [sanitizers] trace buffer API to use user-allocated buffer.
Differential Revision: https://reviews.llvm.org/D23185

llvm-svn: 277859
2016-08-05 20:09:53 +00:00
Kostya Serebryany c135b55ae0 [libFuzzer] add hooks for strstr, strcasestr, strcasecmp, strncasecmp
llvm-svn: 275648
2016-07-15 23:27:19 +00:00
Mike Aizatsky f0b3e85f4e [libfuzzer] moving is_ascii handler inside mutation dispatcher.
Summary: It also fixes a bug, when first random might not be ascii.

Differential Revision: http://reviews.llvm.org/D21573

llvm-svn: 273611
2016-06-23 20:44:48 +00:00
Dan Liew 1873a496e2 [LibFuzzer] Declare and use sanitizer functions in ``fuzzer::ExternalFunctions``
This fixes linking problems on OSX.

Unfortunately it turns out we need to use an instance of the
``fuzzer::ExternalFunctions`` object in several places so this
commit also replaces all instances with a single global instance.

It also turns out initializing a global ``fuzzer::ExternalFunctions``
before main is entered (i.e. letting the object be initialised by the
global initializers) is not safe (on OSX the call to ``Printf()`` in the
CTOR crashes if it is called from a global initializer) so we instead
have a global ``fuzzer::ExternalFunctions*`` and initialize it inside
``FuzzerDriver()``.

Multiple unit tests depend also depend on the
``fuzzer::ExternalFunctions*`` global so a ``main()`` function has been
added that initializes it before running any tests.

Differential Revision: http://reviews.llvm.org/D20943

llvm-svn: 272072
2016-06-07 23:32:50 +00:00
Mike Aizatsky 41d6683c39 [libfuzzer] custom crossover interface function.
Differential Revision: http://reviews.llvm.org/D21089

llvm-svn: 272054
2016-06-07 20:22:15 +00:00
Mike Aizatsky 1f88b12272 [libfuzzer] prune_corpus option for disabling pruning during the load.
Summary:
The option is very useful for testing, plus I intend to measure
its effect on fuzzer effectiveness.

Differential Revision: http://reviews.llvm.org/D21084

llvm-svn: 272035
2016-06-07 18:16:32 +00:00
Mike Aizatsky 70fd3e412a [libfuzzer] hiding custom mutator handling in MutationDispatcher.
Summary: Refactoring, no functional changes.

Differential Revision: http://reviews.llvm.org/D20975

llvm-svn: 271740
2016-06-03 21:34:29 +00:00
Dan Liew d3c33116fd [LibFuzzer] Reimplement how the optional user functions are called.
The motivation for this change is to fix linking issues on OSX.
However this only partially fixes linking issues (the uninstrumented
tests and a few others  won't succesfully link yet).

This change introduces a struct of function pointers
(``fuzzer::ExternalFuntions``) which when initialised will point to the
optional functions if they are available.  Currently these
``LLVMFuzzerInitialize`` and ``LLVMFuzzerCustomMutator`` functions.

Two implementations of ``fuzzer::ExternalFunctions`` constructor are
provided one for Linux and one for OSX.

The OSX implementation uses ``dlsym()`` because the prior implementation
using weak symbols does not work unless the additional flags are passed
to the linker.

The Linux implementation continues to use weak symbols because the
``dlsym()`` approach does not work unless additional flags are passed
to the linker.

Differential Revision: http://reviews.llvm.org/D20741

llvm-svn: 271491
2016-06-02 05:48:02 +00:00
Kostya Serebryany 0edb563f27 [libFuzzer] make OOM-handling more portable. Instead of sending a signal to the main fuzzing thread, print the message in the getrusage thread and exit.
llvm-svn: 270945
2016-05-27 00:54:15 +00:00
Kostya Serebryany 8fc3a27c5c [libFuzzer] more refactoring: make sure CurrentUnitData is awlays a valid pointer to read from
llvm-svn: 270942
2016-05-27 00:21:33 +00:00
Kostya Serebryany d8384122a3 [libFuzzer] more refactoring around CurrentUnit. Also add a threading test on which we currently have a race (when reporting bugs from multiple threads)
llvm-svn: 270929
2016-05-26 22:17:32 +00:00
Kostya Serebryany f26017baf9 [libFuzzer] refactor: hide CurrentUnitData inside an interface function. NFC
llvm-svn: 270922
2016-05-26 21:32:30 +00:00
Kostya Serebryany 4b92326b17 [libFuzzer] when there is a leak in the existing corpus report the reproducer properly
llvm-svn: 270905
2016-05-26 20:25:49 +00:00
Kostya Serebryany f1f3f93c9e [libFuzzer] reimplement the way we do -only_ascii to allow more 'const' in function declarations. Add a test for -only_ascii. NFC intended
llvm-svn: 270900
2016-05-26 20:03:02 +00:00
Mike Aizatsky af432a45e3 [libfuzzer] Trying random unit prefixes during corpus load.
Differential Revision: http://reviews.llvm.org/D20301

llvm-svn: 270632
2016-05-24 23:14:29 +00:00
Dan Liew 3868e468fe [LibFuzzer]
Work around crashes in ``__sanitizer_malloc_hook()`` under Mac OSX.

Under Mac OSX we intercept calls to malloc before thread local
storage is initialised leading to a crash when accessing
``AllocTracer``. To workaround this ``AllocTracer`` is only accessed
in the hook under Linux. For symmetry ``__sanitizer_free_hook()``
is also modified in the same way.

To support this change a set of new macros
LIBFUZZER_LINUX and LIBFUZZER_APPLE has been defined which can be
used to check the target being compiled for.

Differential Revision: http://reviews.llvm.org/D20402

llvm-svn: 270145
2016-05-19 22:00:33 +00:00
Kostya Serebryany 8b0d90a6d4 [libFuzzer] simplify FuzzerInterface.h
llvm-svn: 269448
2016-05-13 18:04:35 +00:00
Mike Aizatsky 1aa501e7e8 [libfuzzer] Refactoring coverage state-management code.
It is now less state-dependent and will allow easier comparing of
coverages of different units.

Differential Revision: http://reviews.llvm.org/D20085

llvm-svn: 269140
2016-05-10 23:43:15 +00:00
Kostya Serebryany 8b8f7a3cda [libFuzzer] enhance -rss_limit_mb and enable by default. Now it will print the OOM reproducer.
llvm-svn: 268821
2016-05-06 23:38:07 +00:00
Kostya Serebryany 52b394e981 [libFuzzer] add exeprimental -rss_limit_mb flag to fight against OOMs
llvm-svn: 268807
2016-05-06 21:58:35 +00:00
Kostya Serebryany baf7fd0b16 [libFuzzer] print stats after running individual inputs
llvm-svn: 268547
2016-05-04 20:44:50 +00:00
Kostya Serebryany 2fe9304d62 [libFuzzer] enable detect_leaks=1, add proper docs
llvm-svn: 268088
2016-04-29 18:49:55 +00:00
Kostya Serebryany 7018a1aaa4 [libFuzzer] disable leak detection if we have tried it for 1000 times w/o finding a leak
llvm-svn: 267770
2016-04-27 19:52:34 +00:00
Kostya Serebryany 9ba19182be [libFuzzer] remove dead code
llvm-svn: 267455
2016-04-25 19:41:45 +00:00
Kostya Serebryany 1bfd583d82 [libFuzzer] added -detect_leaks flag (0 by default for now). When enabled, it will help finding leaks while fuzzing
llvm-svn: 266838
2016-04-20 00:24:21 +00:00
Kostya Serebryany ebb932d060 [libFuzzer] try to print correct time in seconds when reporting a timeout. Don't report timeouts while still loading the corpus.
llvm-svn: 266693
2016-04-18 22:50:39 +00:00
Kostya Serebryany f389ae12c1 [libFuzzer] handle SIGTERM
llvm-svn: 264338
2016-03-24 21:03:58 +00:00
Kostya Serebryany 49e409068a [libFuzzer] add a flag close_fd_mask so that we can silence spammy targets by closing stderr/stdout
llvm-svn: 263831
2016-03-18 20:58:29 +00:00
Kostya Serebryany 945761b8c2 [libFuzzer] improve -merge functionality
llvm-svn: 263769
2016-03-18 00:23:29 +00:00
Kostya Serebryany c5575aabd6 [libFuzzer] deprecate several flags
llvm-svn: 263739
2016-03-17 19:59:39 +00:00
Kostya Serebryany 64d24578d8 [libFuzzer] try to use max_len based on the items of the corpus instead of blindly defaulting to 64 bytes.
llvm-svn: 263323
2016-03-12 01:57:04 +00:00
Kostya Serebryany 3d95dd9149 [libFuzzer] deprecate exit_on_first flag
llvm-svn: 262417
2016-03-01 22:33:14 +00:00
Kostya Serebryany 228d5b1ce4 [libFuzzer] add generic signal handlers so that libFuzzer can report at least something if ASan is not handlig the signals for us. Remove abort_on_timeout flag.
llvm-svn: 262415
2016-03-01 22:19:21 +00:00
Kostya Serebryany 66ff0756e4 [libFuzzer] add -print_final_stats=1 flag
llvm-svn: 262084
2016-02-26 22:42:23 +00:00
Kostya Serebryany da63c1d09a [libFuzzer] initial implementation of path coverage based on -fsanitize-coverage=trace-pc. This does not scale well yet, but already cracks FullCoverageSetTest in seconds
llvm-svn: 262073
2016-02-26 21:33:56 +00:00
Kostya Serebryany a35f7d383f [libFuzzer] only read MaxLen bytes from every file in the corpus to speedup loading the corpus
llvm-svn: 261267
2016-02-18 21:49:10 +00:00
Kostya Serebryany 8a5bef0fcf [libFuzzer] remove std::vector operations from hot paths, NFC
llvm-svn: 260829
2016-02-13 17:56:51 +00:00
Kostya Serebryany 1deb0498f5 [libFuzzer] don't require seed in fuzzer::Mutate, instead use the global Fuzzer object for fuzzer::Mutate. This makes custom mutators fast
llvm-svn: 260810
2016-02-13 06:24:18 +00:00
Kostya Serebryany 23194963f7 [libFuzzer] simplify CTOR of MutationDispatcher
llvm-svn: 260800
2016-02-13 03:46:26 +00:00
Kostya Serebryany 292cf0379c [libFuzzer] get rid of MutationDispatcher::Impl (simplify the code; NFC)
llvm-svn: 260799
2016-02-13 03:37:24 +00:00
Kostya Serebryany 7ec0c56e07 [libFuzzer] get rid of UserSuppliedFuzzer; NFC
llvm-svn: 260798
2016-02-13 03:25:16 +00:00