Commit Graph

262 Commits

Author SHA1 Message Date
Kostya Serebryany 4aa0590e33 [libFuzzer] improve error handling during the merge (handle various IO failures)
llvm-svn: 291182
2017-01-05 22:05:47 +00:00
Kostya Serebryany d723804fa2 [libFuzzer] make __sanitizer_cov_trace_switch more predictable
llvm-svn: 290703
2016-12-29 02:50:35 +00:00
Mike Aizatsky 9b415be1bf [libfuzzer] dump_coverage command line flag
Reviewers: kcc, vitalybuka

Differential Revision: https://reviews.llvm.org/D27942

llvm-svn: 290138
2016-12-19 22:18:08 +00:00
Kostya Serebryany 1e438a1dba [libFuzzer] use less memory for merge
llvm-svn: 290039
2016-12-17 08:20:24 +00:00
Kostya Serebryany 2c36a30770 [libFuzzer] remove stale test
llvm-svn: 290033
2016-12-17 02:18:59 +00:00
Kostya Serebryany 00e638e642 [libFuzzer] when tracing switch statements, handle only one case at a time (to make things faster). Also ensure that the signals from value profile do not intersect with the regular coverage
llvm-svn: 290031
2016-12-17 02:03:34 +00:00
Mike Aizatsky a5c7efc6d4 [libfuzzer] removing experimental FuzzerFnAdapter
Summary: This is superceded by protobuf mutation work.

Reviewers: kcc

Subscribers: mgorny

Differential Revision: https://reviews.llvm.org/D27865

llvm-svn: 290018
2016-12-17 00:12:13 +00:00
Marcos Pividori 3b04af2420 [libFuzzer] Remove unnecessary includes of posix headers.
Remove includes of "unistd.h" header, which is missing in non posix
systems.

Differential Revision: https://reviews.llvm.org/D277300

llvm-svn: 289965
2016-12-16 17:35:21 +00:00
Marcos Pividori 6a7e4c2e20 [libFuzzer] Update tests to use more general functions instead of posix specific.
Replace sleep() posix function by a more portable sleep_for() function
from std. Also, ignore memmem() and strcasestr() on Windows.

Differential Revision: https://reviews.llvm.org/D27729

llvm-svn: 289964
2016-12-16 17:35:13 +00:00
Kostya Serebryany 628b43aab6 [libFuzzer] enable the failure-resistant merge by default (with trace-pc-guard only)
llvm-svn: 289772
2016-12-15 06:21:21 +00:00
Marcos Pividori 64d4147396 [libFuzzer] Fix bug in detecting timeouts when input string is empty.
I added a new flag RunningCB to know if the Fuzzer's main thread is
running the CB function, instead of using (!CurrentUnitSize).
(!CurrentUnitSize) doesn't work properly. For example, in FuzzerLoop.cpp,
inside ShuffleAndMinimize() function, we execute the callback with an
empty string (size=0). Previous implementation failed to detect timeouts
in that execution.
Also, I add a regression test for that case.

Differential Revision: https://reviews.llvm.org/D27433

llvm-svn: 289561
2016-12-13 17:46:25 +00:00
Kostya Serebryany a31300e789 [libFuzzer] don't require extra flags with -minimize_crash=1 (default to -max_total_time=600). Also respect exact_artifact_path when outputting the end result
llvm-svn: 289506
2016-12-13 00:40:47 +00:00
Kostya Serebryany 092d5764a1 [libFuzzer] split one slow test into several, for more parallel testing
llvm-svn: 289481
2016-12-12 22:55:25 +00:00
Kostya Serebryany a4b43bf8e8 [libFuzzer] make SimpleCmpTest a bit simpler to crack and more verbose
llvm-svn: 289477
2016-12-12 22:39:33 +00:00
Kostya Serebryany 035af9b346 [libFuzzer] build libFuzzer itself with asan
llvm-svn: 289469
2016-12-12 20:58:10 +00:00
Kostya Serebryany d4be88913e [libFuzzer] respect -max_len during merge
llvm-svn: 289467
2016-12-12 20:39:35 +00:00
Kostya Serebryany 441e6310ae [libFuzzer] don't depend on time in a test
llvm-svn: 289368
2016-12-11 06:28:09 +00:00
Kostya Serebryany c05cb60369 [libFuzzer] test cleanup (3)
llvm-svn: 289314
2016-12-10 02:48:42 +00:00
Kostya Serebryany 832d39e9cc [libFuzzer] test cleanup (2)
llvm-svn: 289313
2016-12-10 02:47:00 +00:00
Kostya Serebryany 2f962fe5f7 [libFuzzer] test cleanup
llvm-svn: 289312
2016-12-10 02:45:56 +00:00
Kostya Serebryany 61be0f947d [libFuzzer] switch all libFuzzer tests to use -fsanitize-coverage=trace-pc-guard. Support for the previosly used instrumentation will be removed in the following changes
llvm-svn: 289311
2016-12-10 02:26:23 +00:00
Kostya Serebryany 111e1d69e3 [libFuzzer] implement crash-resistant merge (https://github.com/google/sanitizers/issues/722). This is a first experimental variant that needs some more testing, thus not yet adding a lit test (but there are unit tests).
llvm-svn: 289166
2016-12-09 01:17:24 +00:00
Kostya Serebryany 09f4fa5200 [libFuzzer] add a test for r288389 (-rss_limit_mb=0 means no limit).
llvm-svn: 288392
2016-12-01 18:02:07 +00:00
Kostya Serebryany b66cb88c2e revert r288283 as it causes debug info (line numbers) to be lost in instrumented code. also revert r288299 which was a workaround for the problem.
llvm-svn: 288300
2016-12-01 02:06:56 +00:00
Kostya Serebryany 73f438ef9a [libFuzzer] temporary disable a part of the test broken by r288283
llvm-svn: 288299
2016-12-01 01:33:44 +00:00
Kostya Serebryany 05f7791fbf [libFuzzer] extend -rss_limit_mb to crash instantly on a single malloc that exceeds the limit
llvm-svn: 288281
2016-11-30 22:39:35 +00:00
Kostya Serebryany 1cba0a96e7 [libFuzzer] extend -print_coverage to print the comma-separated list of covered dirs. Note: the Windows stub for DirName is left unimplemented
llvm-svn: 288276
2016-11-30 21:53:32 +00:00
Kostya Serebryany fc1c405f98 [libFuzzer] use less stack
llvm-svn: 286689
2016-11-12 00:24:35 +00:00
Kostya Serebryany 8a56917492 [libFuzzer] fix -error_exitcode=N, now with a test
llvm-svn: 285958
2016-11-03 19:31:18 +00:00
Kostya Serebryany bcfb0802e2 [libFuzzer] enable use_cmp by default
llvm-svn: 285353
2016-10-27 21:44:37 +00:00
Kostya Serebryany 117976818e [libFuzzer] add StandaloneFuzzTargetMain.c and a test for it
llvm-svn: 285135
2016-10-25 22:30:34 +00:00
Kostya Serebryany c48c93184a [libFuzzer] when mutating based on CMP traces also try adding +/- 1 to the desired bytes. Add another test for use_cmp
llvm-svn: 285109
2016-10-25 20:15:15 +00:00
Kostya Serebryany 3364f90783 [libFuzzer] simplify the code for use_cmp, also use the position hint when available, add a test
llvm-svn: 285049
2016-10-25 02:04:43 +00:00
Kostya Serebryany 65f102d4d2 [libFuzzer] mutation: insert the size of the input in bytes as one of the ways to mutate a binary integer
llvm-svn: 284909
2016-10-22 03:48:53 +00:00
Kostya Serebryany 10ae9e23a3 [libFuzzer] typo in a test
llvm-svn: 284903
2016-10-22 01:07:38 +00:00
Kostya Serebryany 2bfff021ad [libFuzzer] add a test for asan's strict_string_checks=1
llvm-svn: 284902
2016-10-22 00:05:44 +00:00
Kostya Serebryany 95b1a434d2 [libFuzzer] extend -print_coverage to also print uncovered lines, functions, and files.
Example of output:
COVERAGE:
COVERED: in DSO2(int) /pathto/DSO2.cpp:6
COVERED: in DSO2(int) /pathto/DSO2.cpp:8
COVERED: in DSO1(int) /pathto/DSO1.cpp:6
COVERED: in DSO1(int) /pathto/DSO1.cpp:8
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:16
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:19
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:25
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:26
MODULE_WITH_COVERAGE: /pathto/libLLVMFuzzer-DSO1.so
UNCOVERED_LINE: in DSO1(int) /pathto/DSO1.cpp:9
UNCOVERED_FUNC: in Uncovered1()
MODULE_WITH_COVERAGE: /pathto/libLLVMFuzzer-DSO2.so
UNCOVERED_LINE: in DSO2(int) /pathto/DSO2.cpp:9
UNCOVERED_FUNC: in Uncovered2()
MODULE_WITH_COVERAGE: /pathto/LLVMFuzzer-DSOTest
UNCOVERED_LINE: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:21
UNCOVERED_LINE: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:27
UNCOVERED_FILE: /pathto/DSOTestExtra.cpp

Several things are not perfect here:
* we are using objdump+awk instead of sancov because sancov does not support DSOs yet.
* this breaks in the presence of ASAN_OPTIONS=strip_path_prefix=...
  (need to implement another API to get the module name by PC)

llvm-svn: 284554
2016-10-19 00:12:03 +00:00
Kostya Serebryany bb59ef77ca [libFuzzer] detect leaks after every run when executing fixed inputs (./fuzzer -runs=1000000 my-file)
llvm-svn: 284514
2016-10-18 18:38:08 +00:00
Kostya Serebryany 9a4b10a56f [libFuzzer] swap bytes in integers when handling CMP traces
llvm-svn: 284301
2016-10-15 04:00:07 +00:00
Kostya Serebryany a5f94fb6c9 [libFuzzer] add -trace_cmp=1 (guiding mutations based on the observed CMP instructions). This is a reincarnation of the previously deleted -use_traces, but using a different approach for collecting traces. Still a toy, but at least it scales well. Also fix -merge in trace-pc-guard mode
llvm-svn: 284273
2016-10-14 20:20:33 +00:00
Kostya Serebryany a17d23eaa7 [libFuzzer] add -trace_malloc= flag
llvm-svn: 284149
2016-10-13 19:06:46 +00:00
Kostya Serebryany d19919a80e [libFuzzer] implement value profile for switch, increase the size of the PCs array, make sure we don't overflow it
llvm-svn: 283841
2016-10-11 01:14:41 +00:00
Kostya Serebryany 3e0e901a18 [libFuzzer] add switch tests
llvm-svn: 283840
2016-10-11 01:13:32 +00:00
Kostya Serebryany 7abb95d3b3 [libFuzzer] make a test less flaky
llvm-svn: 283686
2016-10-09 03:45:38 +00:00
Kostya Serebryany c5325ed29d [libFuzzer] when shrinking the corpus, delete evicted files previously created by the current process
llvm-svn: 283682
2016-10-08 23:24:45 +00:00
Kostya Serebryany 1c73f1bf27 [libFuzzer] refactoring to make -shrink=1 work for value profile, added a test.
llvm-svn: 283409
2016-10-05 22:56:21 +00:00
Kostya Serebryany 379359c53a [libFuzzer] add ShrinkValueProfileTest, move code around, NFC
llvm-svn: 283286
2016-10-05 01:09:40 +00:00
Kostya Serebryany 4820cc988f [libFuzzer] remove dfsan support and some related stale code. This is not being used and as is is pretty weak anyway
llvm-svn: 283187
2016-10-04 06:08:46 +00:00
Kostya Serebryany e7e790bad6 [libFuzzer] remove unused option
llvm-svn: 282971
2016-09-30 22:29:57 +00:00
Kostya Serebryany b3949ef885 [libFuzzer] remove the code for -print_pcs=1 with the old coverage. It still works with the new one (trace-pc-guard)
llvm-svn: 282831
2016-09-30 01:24:57 +00:00