Commit Graph

104 Commits

Author SHA1 Message Date
Kostya Serebryany 4a27b70ed5 [libFuzzer] enable reduce_inputs=1 by default (seems to be a big win usually)
llvm-svn: 308541
2017-07-19 22:10:30 +00:00
Justin Bogner c27a70d048 [libFuzzer] Allow non-fuzzer args after -ignore_remaining_args=1
With this change, libFuzzer will ignore any arguments after a sigil
argument, but it will preserve these arguments at the end of the
command line when launching subprocesses. Using this, its possible to
handle positional and single-dash arguments to the program under test
by discarding everything up to -ignore_remaining_args=1 in
LLVMFuzzerInitialize.

llvm-svn: 308069
2017-07-14 23:33:04 +00:00
Kostya Serebryany 1e99d543d2 [libFuzzer] refactoring in preparation for -reduce_inputs; NFC intended
llvm-svn: 307857
2017-07-12 22:20:04 +00:00
Kostya Serebryany b068087bd8 [libFuzzer] update docs on -print_coverage/-dump_coverage
llvm-svn: 302498
2017-05-09 01:34:27 +00:00
Kostya Serebryany f60f61d0b3 [libFuzzer] extend help for -minimize_crash to cover ASAN_OPTIONS=dedup_token_length=3
llvm-svn: 300800
2017-04-19 23:58:05 +00:00
Kostya Serebryany a9e6cb8633 [libFuzzer] remove -output_csv option. It duplicates the default output and got out of sync
llvm-svn: 300768
2017-04-19 21:34:58 +00:00
Kostya Serebryany 1f231e7cc7 [libFuzzer] update -help: mention -exact_artifact_path in help for -minimize_crash and -cleanse_crash
llvm-svn: 300642
2017-04-19 01:22:04 +00:00
Kostya Serebryany ac7a9eae0b [libFuzzer] experimental option -cleanse_crash: tries to replace all bytes in a crash reproducer with garbage, while still preserving the crash
llvm-svn: 300498
2017-04-17 20:58:21 +00:00
Vitaly Buka ea997e10cb [libFuzzer] fix type in signal name.
Fixes PR32576.

Patch by Jakub Zawadzki.

llvm-svn: 299968
2017-04-11 18:20:05 +00:00
Kostya Serebryany 4fc6dd7f8f [libFuzzer] add two experimental flags to make corpus merging more scalable: -save_coverage_summary/-load_coverage_summary. This is still WIP, the documentation will come later if these flags survive
llvm-svn: 298548
2017-03-22 20:32:44 +00:00
Kostya Serebryany f7e610eda1 [libFuzzer] Experimenting with dictionary minimization.
Summary:
Tracking issue: https://github.com/google/oss-fuzz/issues/331


Reviewers: kcc

Reviewed By: kcc

Differential Revision: https://reviews.llvm.org/D30940

llvm-svn: 298031
2017-03-17 01:40:09 +00:00
Kostya Serebryany 98d592cc91 [libFuzzer] experimental support for 'equivalance fuzzing'
llvm-svn: 292646
2017-01-20 20:57:07 +00:00
Kostya Serebryany bb91170cb5 [libFuzzer] remove stale code
llvm-svn: 292325
2017-01-18 01:10:18 +00:00
Kostya Serebryany 1d8c2ce97e [libFuzzer] use table of recent compares for memcmp/strcmp (to unify the code between cmp and memcmp handling)
llvm-svn: 292287
2017-01-17 23:09:05 +00:00
Kostya Serebryany 4aa0590e33 [libFuzzer] improve error handling during the merge (handle various IO failures)
llvm-svn: 291182
2017-01-05 22:05:47 +00:00
Kostya Serebryany 2a8440df70 [libFuzzer] add an experimental flag -experimental_len_control=1 that sets max_len to 1M and tries to increases the actual max sizes of mutations very gradually (second attempt)
llvm-svn: 290637
2016-12-27 23:24:55 +00:00
Mike Aizatsky 9b415be1bf [libfuzzer] dump_coverage command line flag
Reviewers: kcc, vitalybuka

Differential Revision: https://reviews.llvm.org/D27942

llvm-svn: 290138
2016-12-19 22:18:08 +00:00
Daniel Jasper fa1030e40b Revert "[libFuzzer] add an experimental flag -experimental_len_control=1 that sets max_len to 1M and tries to increases the actual max sizes of mutations very gradually. Also remove a bit of dead code"
This reverts commit r289998.

See comment:
https://reviews.llvm.org/rL289998

llvm-svn: 290043
2016-12-17 12:27:49 +00:00
Kostya Serebryany be7003f99c [libFuzzer] add an experimental flag -experimental_len_control=1 that sets max_len to 1M and tries to increases the actual max sizes of mutations very gradually. Also remove a bit of dead code
llvm-svn: 289998
2016-12-16 22:42:05 +00:00
Kostya Serebryany 628b43aab6 [libFuzzer] enable the failure-resistant merge by default (with trace-pc-guard only)
llvm-svn: 289772
2016-12-15 06:21:21 +00:00
Marcos Pividori 6e3d885c79 [libFuzzer] Properly use unsigned for workers, jobs and NumberOfCpuCores.
std:🧵:hardware_concurrency() returns an unsigned, so I modify
NumberOfCpuCores() to return unsigned too.
The number of cpus is used to define the number of workers, so I decided
to update the worker and jobs flags to be declared as unsigned too.

Differential Revision: https://reviews.llvm.org/D27685

llvm-svn: 289559
2016-12-13 17:45:53 +00:00
Kostya Serebryany 111e1d69e3 [libFuzzer] implement crash-resistant merge (https://github.com/google/sanitizers/issues/722). This is a first experimental variant that needs some more testing, thus not yet adding a lit test (but there are unit tests).
llvm-svn: 289166
2016-12-09 01:17:24 +00:00
Kostya Serebryany 8a56917492 [libFuzzer] fix -error_exitcode=N, now with a test
llvm-svn: 285958
2016-11-03 19:31:18 +00:00
Kostya Serebryany bcfb0802e2 [libFuzzer] enable use_cmp by default
llvm-svn: 285353
2016-10-27 21:44:37 +00:00
Kostya Serebryany a5f94fb6c9 [libFuzzer] add -trace_cmp=1 (guiding mutations based on the observed CMP instructions). This is a reincarnation of the previously deleted -use_traces, but using a different approach for collecting traces. Still a toy, but at least it scales well. Also fix -merge in trace-pc-guard mode
llvm-svn: 284273
2016-10-14 20:20:33 +00:00
Kostya Serebryany a17d23eaa7 [libFuzzer] add -trace_malloc= flag
llvm-svn: 284149
2016-10-13 19:06:46 +00:00
Kostya Serebryany c5325ed29d [libFuzzer] when shrinking the corpus, delete evicted files previously created by the current process
llvm-svn: 283682
2016-10-08 23:24:45 +00:00
Kostya Serebryany 9adc7c8b4a [libFuzzer] control the reload interval by a flag, make it 10 seconds by default
llvm-svn: 283676
2016-10-08 22:12:14 +00:00
Kostya Serebryany d216922a80 [libFuzzer] implement the -shrink=1 option that tires to make elements of the corpus smaller, off by default
llvm-svn: 282995
2016-10-01 01:04:29 +00:00
Kostya Serebryany e7e790bad6 [libFuzzer] remove unused option
llvm-svn: 282971
2016-09-30 22:29:57 +00:00
Kostya Serebryany 5ff481fd9e [libFuzzer] add -exit_on_src_pos to test libFuzzer itself, add a test script for RE2 that uses this flag
llvm-svn: 282458
2016-09-27 00:10:20 +00:00
Kostya Serebryany 29bb664075 [libFuzzer] add stats to the corpus; more refactoring
llvm-svn: 282121
2016-09-21 22:42:17 +00:00
Kostya Serebryany 09aa01a6f8 [libFuzzer] refactoring: move the Corpus into a separate class; delete two unused experimental features
llvm-svn: 282042
2016-09-21 01:04:43 +00:00
Kostya Serebryany b706b481ba [libFuzzer] add -print_coverage=1 flag to print coverage directly from libFuzzer
llvm-svn: 281866
2016-09-18 21:47:08 +00:00
Kostya Serebryany 5c04bd250e [libFuzzer] remove use_traces=1 since use_value_profile seems to be strictly better
llvm-svn: 281007
2016-09-09 01:17:03 +00:00
Kostya Serebryany e2d0f63654 [libFuzzer] add -minimize_crash flag (to minimize crashers). also add two tests that I failed to commit last time
llvm-svn: 280332
2016-09-01 01:22:27 +00:00
Kostya Serebryany 0f0fa4faf2 [libFizzer] rename -print_new_cov_pcs=1 into -print_pcs=1 and make it more useful: print PCs only after the initial corpus has been read and symbolize them
llvm-svn: 279787
2016-08-25 22:35:08 +00:00
Kostya Serebryany d46a59fac4 [libFuzzer] new experimental feature: value profiling. Profiles values that affect control flow and treats new values as new coverage.
llvm-svn: 278839
2016-08-16 19:33:51 +00:00
Kostya Serebryany c135b55ae0 [libFuzzer] add hooks for strstr, strcasestr, strcasecmp, strncasecmp
llvm-svn: 275648
2016-07-15 23:27:19 +00:00
Mike Aizatsky 1f88b12272 [libfuzzer] prune_corpus option for disabling pruning during the load.
Summary:
The option is very useful for testing, plus I intend to measure
its effect on fuzzer effectiveness.

Differential Revision: http://reviews.llvm.org/D21084

llvm-svn: 272035
2016-06-07 18:16:32 +00:00
Mike Aizatsky af432a45e3 [libfuzzer] Trying random unit prefixes during corpus load.
Differential Revision: http://reviews.llvm.org/D20301

llvm-svn: 270632
2016-05-24 23:14:29 +00:00
Kostya Serebryany 61b07ac75b [libFuzzer] better document the -merge=1 flag
llvm-svn: 268957
2016-05-09 19:11:36 +00:00
Kostya Serebryany 8b8f7a3cda [libFuzzer] enhance -rss_limit_mb and enable by default. Now it will print the OOM reproducer.
llvm-svn: 268821
2016-05-06 23:38:07 +00:00
Kostya Serebryany 52b394e981 [libFuzzer] add exeprimental -rss_limit_mb flag to fight against OOMs
llvm-svn: 268807
2016-05-06 21:58:35 +00:00
Kostya Serebryany 2fe9304d62 [libFuzzer] enable detect_leaks=1, add proper docs
llvm-svn: 268088
2016-04-29 18:49:55 +00:00
Kostya Serebryany 1bfd583d82 [libFuzzer] added -detect_leaks flag (0 by default for now). When enabled, it will help finding leaks while fuzzing
llvm-svn: 266838
2016-04-20 00:24:21 +00:00
Kostya Serebryany 9e1a238357 [libFuzzer] more docs
llvm-svn: 264803
2016-03-29 23:07:36 +00:00
Kostya Serebryany f389ae12c1 [libFuzzer] handle SIGTERM
llvm-svn: 264338
2016-03-24 21:03:58 +00:00
Kostya Serebryany 49e409068a [libFuzzer] add a flag close_fd_mask so that we can silence spammy targets by closing stderr/stdout
llvm-svn: 263831
2016-03-18 20:58:29 +00:00
Kostya Serebryany 945761b8c2 [libFuzzer] improve -merge functionality
llvm-svn: 263769
2016-03-18 00:23:29 +00:00