Kostya Serebryany
468ed78434
[libFuzzer] remove -iterations as redundant (there is also -num_runs)
...
llvm-svn: 247030
2015-09-08 17:30:35 +00:00
Kostya Serebryany
7d21166218
[libFuzzer] actually make the dictionaries work (+docs)
...
llvm-svn: 246825
2015-09-04 00:12:11 +00:00
Kostya Serebryany
a9346c2e65
[libFuzzer] honour -only_ascii=1 when reading the initial corpus. Also, remove ugly #ifdef
...
llvm-svn: 246689
2015-09-02 19:08:08 +00:00
Kostya Serebryany
12c7837381
[libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied
...
llvm-svn: 244712
2015-08-12 01:55:37 +00:00
Kostya Serebryany
1688098cb5
[libFuzzer] add colons to the stats output to avoid confusion
...
llvm-svn: 244708
2015-08-12 01:04:27 +00:00
Nick Lewycky
69ab31a3fa
Fix unused variable 'X' in release builds.
...
llvm-svn: 244571
2015-08-11 05:57:10 +00:00
Kostya Serebryany
bc7c0ad24d
[libFuzzer] add -only_ascii flag
...
llvm-svn: 244559
2015-08-11 01:44:42 +00:00
Kostya Serebryany
70926aed6b
[libFuzzer] add option -report_slow_units=Nsec to control when slow units are printed
...
llvm-svn: 244152
2015-08-05 21:43:48 +00:00
Kostya Serebryany
1165efdbf9
[libFuzzer] limit the size of the inputs printed to stderr
...
llvm-svn: 243795
2015-07-31 22:07:17 +00:00
Kostya Serebryany
404c69f2c8
[libFuzzer] allow users to supply their own implementation of rand
...
llvm-svn: 243078
2015-07-24 01:06:40 +00:00
Kostya Serebryany
2b7d2e91cc
[libFuzzer] dump long running units to disk
...
llvm-svn: 243031
2015-07-23 18:37:22 +00:00
Kostya Serebryany
2ea204e645
[lib/Fuzzer] make assertions more informative and update comments for the user-supplied mutator
...
llvm-svn: 238658
2015-05-30 17:33:13 +00:00
Kostya Serebryany
316b571007
[lib/Fuzzer] make the fuzzing timeout 1200 seconds by default (was: infinity)
...
llvm-svn: 238251
2015-05-26 20:57:47 +00:00
Kostya Serebryany
c8228dd9fb
[lib/Fuzzer] fix build with assertions
...
llvm-svn: 238235
2015-05-26 19:29:33 +00:00
Kostya Serebryany
7c180eafc1
[lib/Fuzzer] fully get rid of std::cerr in libFuzzer
...
llvm-svn: 238081
2015-05-23 01:22:35 +00:00
Kostya Serebryany
f3c7cb464e
[lib/Fuzzer] remove -use_coverage_pairs=1, an experimental feature that is unlikely to ever scale
...
llvm-svn: 238063
2015-05-22 22:47:03 +00:00
Kostya Serebryany
f342459aa4
[lib/Fuzzer] extend the fuzzer interface to allow user-supplied mutators
...
llvm-svn: 238059
2015-05-22 22:35:31 +00:00
Kostya Serebryany
490bbd6fa4
[lib/Fuzzer] change the meaning of -timeout flag: now timeout is applied to every unit of work separately
...
llvm-svn: 237735
2015-05-19 22:12:57 +00:00
Kostya Serebryany
cbb2334b7a
[lib/Fuzzer] more efficient reload logic; also don't spam git too much
...
llvm-svn: 237649
2015-05-19 01:06:07 +00:00
Kostya Serebryany
2da7b84852
[lib/Fuzzer] when -sync_command=<CMD> is given, periodically execute 'CMD CORPUS' to synchronize with other processes
...
llvm-svn: 237617
2015-05-18 21:34:20 +00:00
Logan Chien
a8f01bc8e1
Code cleanup: Reindent Fuzzer::MutateAndTestOne.
...
llvm-svn: 237533
2015-05-17 02:44:31 +00:00
Kostya Serebryany
225262562f
[lib/Fuzzer] rename FuzzerDFSan.cpp to FuzzerTraceState.cpp; update comments. NFC expected
...
llvm-svn: 237050
2015-05-11 21:16:27 +00:00
Kostya Serebryany
1ac8055bc7
[lib/Fuzzer] use -fsanitize-coverage=trace-cmp when building LLVM with LLVM_USE_SANITIZE_COVERAGE; in lib/Fuzzer try to reload the corpus to pick up new units from other processes
...
llvm-svn: 236906
2015-05-08 21:30:55 +00:00
Kostya Serebryany
beb24c38e7
[lib/Fuzzer] change the way we use taint information for fuzzing. Now, we run a single unit and collect suggested mutations based on tracing+taint data, then apply the suggested mutations one by one. The previous scheme was slower and more complex.
...
llvm-svn: 236772
2015-05-07 21:02:11 +00:00
Kostya Serebryany
7d470cfb0c
[lib/Fuzzer] minor refactoring/simplification, NFC
...
llvm-svn: 236757
2015-05-07 18:32:29 +00:00
Kostya Serebryany
ca6a2a2f1c
[lib/Fuzzer] on crash print the contents of the crashy input as base64
...
llvm-svn: 236548
2015-05-05 21:59:51 +00:00
Kostya Serebryany
52a788e503
[fuzzer] Add support for token-based fuzzing (e.g. for C++). Allow string flags.
...
llvm-svn: 233745
2015-03-31 20:13:20 +00:00
Kostya Serebryany
16901a901d
[fuzzer] when a single unit takes over 1 second to run and it is the slowest one so far, print it.
...
llvm-svn: 233637
2015-03-30 23:04:35 +00:00
Kostya Serebryany
03db8b9225
[fuzzer] print various stats in a unified way
...
llvm-svn: 233624
2015-03-30 22:44:03 +00:00
Kostya Serebryany
16d03bd051
DFSan-based fuzzer (proof of concept).
...
Summary:
This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.
Test Plan: a test added
Reviewers: samsonov, pcc
Reviewed By: samsonov, pcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D8669
llvm-svn: 233613
2015-03-30 22:09:51 +00:00
Kostya Serebryany
be5e0ed919
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
...
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt ) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-03 23:27:02 +00:00
Kostya Serebryany
2e3622bddd
[fuzzer] one more experimental search mode: -use_coverage_pairs=1
...
llvm-svn: 229957
2015-02-20 03:02:37 +00:00
Kostya Serebryany
016852c396
[fuzzer] split main() into FuzzerDriver() that takes a callback as a parameter and a tiny main() in a separate file
...
llvm-svn: 229882
2015-02-19 18:45:37 +00:00
Kostya Serebryany
92e0476c67
[fuzzer] add flag prefer_small_during_initial_shuffle, be a bit more verbose
...
llvm-svn: 228235
2015-02-04 23:42:42 +00:00
Kostya Serebryany
33f866922a
[fuzzer] add -runs=N to limit the number of runs per session. Also, make sure we do some mutations w/o cross over.
...
llvm-svn: 228214
2015-02-04 22:20:09 +00:00
Kostya Serebryany
5b266a8a23
[fuzzer] make multi-process execution more verbose; fix mutation to actually respect mutation depth and to never produce empty units
...
llvm-svn: 228170
2015-02-04 19:10:20 +00:00
Kostya Serebryany
fe43aa8d19
[fuzzer]: fix exit code, add more diagnostics
...
llvm-svn: 228103
2015-02-04 01:22:57 +00:00
Kostya Serebryany
4b96ce96c6
[fuzzer] update the include line to use the new header name
...
llvm-svn: 228018
2015-02-03 19:42:05 +00:00
Kostya Serebryany
2c1b33b897
[fuzzer] add -use_full_coverage_set=1 which solves FullCoverageSetTest. This does not scale very well yet, but might be a good start.
...
llvm-svn: 227507
2015-01-29 23:01:07 +00:00
Kostya Serebryany
6d768fcc18
[fuzzer] minor cleanup based on reviews: remove redundant includes, fix a copy-pasto in tests
...
llvm-svn: 227468
2015-01-29 17:16:23 +00:00
Aaron Ballman
ef11698cac
Reverting r227452, which adds back the fuzzer library. Now excluding the fuzzer library based on LLVM_USE_SANITIZE_COVERAGE being set or unset.
...
llvm-svn: 227464
2015-01-29 16:58:29 +00:00
Aaron Ballman
7b54ed221a
Temporarily reverting the fuzzer library as it causes too many build issues for MSVC users. This reverts: 227445, 227395, 227389, 227357, 227254, 227252
...
llvm-svn: 227452
2015-01-29 15:49:22 +00:00
Kostya Serebryany
265cf04f9c
[fuzzer] add option -save_minimized_corpus
...
llvm-svn: 227395
2015-01-28 23:48:39 +00:00
Kostya Serebryany
a8fbcf0c1f
Add lit-style tests for the Fuzzer library
...
Summary: Add test targets and the lit-style runner.
Test Plan: Run the tests on bot.
Reviewers: samsonov
Reviewed By: samsonov
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D7217
llvm-svn: 227389
2015-01-28 22:49:25 +00:00
Kostya Serebryany
d53b43fe11
Add a Fuzzer library
...
Summary:
A simple genetic in-process coverage-guided fuzz testing library.
I've used this fuzzer to test clang-format
(it found 12+ bugs, thanks djasper@ for the fixes!)
and it may also help us test other parts of LLVM.
So why not keep it in the LLVM repository?
I plan to add the cmake build rules later (in a separate patch, if that's ok)
and also add a clang-format-fuzzer target.
See README.txt for details.
Test Plan: Tests will follow separately.
Reviewers: djasper, chandlerc, rnk
Reviewed By: rnk
Subscribers: majnemer, ygribov, dblaikie, llvm-commits
Differential Revision: http://reviews.llvm.org/D7184
llvm-svn: 227252
2015-01-27 22:08:41 +00:00