d755e4f587
[LibFuzzer] Introduce a portable WeakAlias implementation.
...
Windows doesn't really support weak aliases, but with some
linker magic we can get something that's pretty close on
Windows. This introduces an interface to accessing weakly
aliased symbols that will work on any platform. Linker
magic changes to come in a separate patch.
Patch by Marcos Pividori
Differential Revision: https://reviews.llvm.org/D27235
llvm-svn: 288530
2016-12-02 19:41:17 +00:00
34dcfb9294
[LibFuzzer] Split FuzzerUtil for Posix and Windows.
...
Pave the way for separating out platform specific
utility functions into separate files.
Patch by Marcos Pividori
Differential Revision: https://reviews.llvm.org/D27234
llvm-svn: 288529
2016-12-02 19:38:19 +00:00
09f4fa5200
[libFuzzer] add a test for r288389 (-rss_limit_mb=0 means no limit).
...
llvm-svn: 288392
2016-12-01 18:02:07 +00:00
dc6b8ca879
[libFuzzer] treat -rss_limit_mb=0 as no limit
...
llvm-svn: 288389
2016-12-01 17:56:15 +00:00
b66cb88c2e
revert r288283 as it causes debug info (line numbers) to be lost in instrumented code. also revert r288299 which was a workaround for the problem.
...
llvm-svn: 288300
2016-12-01 02:06:56 +00:00
73f438ef9a
[libFuzzer] temporary disable a part of the test broken by r288283
...
llvm-svn: 288299
2016-12-01 01:33:44 +00:00
05f7791fbf
[libFuzzer] extend -rss_limit_mb to crash instantly on a single malloc that exceeds the limit
...
llvm-svn: 288281
2016-11-30 22:39:35 +00:00
1cba0a96e7
[libFuzzer] extend -print_coverage to print the comma-separated list of covered dirs. Note: the Windows stub for DirName is left unimplemented
...
llvm-svn: 288276
2016-11-30 21:53:32 +00:00
5abac1769f
[LibFuzzer] Add Windows implementations of some IO functions.
...
This patch moves some posix specific file i/o code into a new
file, FuzzerIOPosix.cpp, and provides implementations for these
functions on Windows in FuzzerIOWindows.cpp. This is another
incremental step towards getting libfuzzer working on Windows,
although it still should not be expected to be fully working.
Patch by Marcos Pividori
Differential Revision: https://reviews.llvm.org/D27233
llvm-svn: 288275
2016-11-30 21:44:26 +00:00
24a148b1d4
[LibFuzzer] Split up some functions among different headers.
...
In an effort to get libfuzzer working on Windows, we need to make
a distinction between what functions require platform specific
code (e.g. different code on Windows vs Linux) and what code
doesn't. IO functions, for example, tend to be platform
specific.
This patch separates out some of the functions which will need
to have platform specific implementations into different headers,
so that we can then provide different implementations for each
platform.
Aside from that, this patch contains no functional change. It
is purely a re-organization.
Patch by Marcos Pividori
Differential Revision: https://reviews.llvm.org/D27230
llvm-svn: 288264
2016-11-30 19:06:14 +00:00
c6d8b4c044
[LibFuzzer] Add macro flags for Posix and Windows.
...
This is the beginning of an effort to get libfuzzer working on
Windows. This is a NFC to just add some macros for platform
detection on Windows.
Patch by Marcos Pividori
Differential Revision: https://reviews.llvm.org/D27229
llvm-svn: 288249
2016-11-30 16:32:54 +00:00
6c77811a29
[libFuzzer] replace 'auto' with 'auto *' to better follow the LLVM style
...
llvm-svn: 286870
2016-11-14 19:21:38 +00:00
53c894d257
[libFuzzer] use a valid ASCII string for a dummy seed corpus
...
llvm-svn: 286702
2016-11-12 02:27:21 +00:00
fc1c405f98
[libFuzzer] use less stack
...
llvm-svn: 286689
2016-11-12 00:24:35 +00:00
235679181b
[libFuzzer] do not initialize parts of TracePC -- let them be initialized by the linker. Add no-msan attribute to the memcmp hook.
...
llvm-svn: 286665
2016-11-11 23:06:53 +00:00
8a56917492
[libFuzzer] fix -error_exitcode=N, now with a test
...
llvm-svn: 285958
2016-11-03 19:31:18 +00:00
bcfb0802e2
[libFuzzer] enable use_cmp by default
...
llvm-svn: 285353
2016-10-27 21:44:37 +00:00
94c427c23e
[libFuzzer] speculatively trying to fix the Mac build; second attempt
...
llvm-svn: 285262
2016-10-27 00:36:38 +00:00
3d945f6247
[libFuzzer] revert 285259 -- hit commit too soon
...
llvm-svn: 285260
2016-10-27 00:24:34 +00:00
15cd6b4b10
[libFuzzer] speculatively trying to fix the Mac build
...
llvm-svn: 285259
2016-10-27 00:22:39 +00:00
2fabecaee3
[libFuzzer] simplify TracePC::HandleTrace even further. Also, when dealing with -exit_on_src_pos, symbolize every PC only once
...
llvm-svn: 285223
2016-10-26 18:52:04 +00:00
06b8757b57
[libFuzzer] simplify the code in TracePC::HandleTrace a bit more
...
llvm-svn: 285147
2016-10-26 00:42:52 +00:00
a5b2e54fcb
[libFuzzer] simplify the code to print new PCs
...
llvm-svn: 285145
2016-10-26 00:20:51 +00:00
275e260258
[libFuzzer] simplify the code in TracePC::HandleTrace
...
llvm-svn: 285142
2016-10-25 23:52:25 +00:00
117976818e
[libFuzzer] add StandaloneFuzzTargetMain.c and a test for it
...
llvm-svn: 285135
2016-10-25 22:30:34 +00:00
c48c93184a
[libFuzzer] when mutating based on CMP traces also try adding +/- 1 to the desired bytes. Add another test for use_cmp
...
llvm-svn: 285109
2016-10-25 20:15:15 +00:00
3364f90783
[libFuzzer] simplify the code for use_cmp, also use the position hint when available, add a test
...
llvm-svn: 285049
2016-10-25 02:04:43 +00:00
65f102d4d2
[libFuzzer] mutation: insert the size of the input in bytes as one of the ways to mutate a binary integer
...
llvm-svn: 284909
2016-10-22 03:48:53 +00:00
10ae9e23a3
[libFuzzer] typo in a test
...
llvm-svn: 284903
2016-10-22 01:07:38 +00:00
2bfff021ad
[libFuzzer] add a test for asan's strict_string_checks=1
...
llvm-svn: 284902
2016-10-22 00:05:44 +00:00
ac2a2a86e4
Fix -Wunused-variable warning in libFuzzer
...
llvm-svn: 284838
2016-10-21 16:26:27 +00:00
95b1a434d2
[libFuzzer] extend -print_coverage to also print uncovered lines, functions, and files.
...
Example of output:
COVERAGE:
COVERED: in DSO2(int) /pathto/DSO2.cpp:6
COVERED: in DSO2(int) /pathto/DSO2.cpp:8
COVERED: in DSO1(int) /pathto/DSO1.cpp:6
COVERED: in DSO1(int) /pathto/DSO1.cpp:8
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:16
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:19
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:25
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:26
MODULE_WITH_COVERAGE: /pathto/libLLVMFuzzer-DSO1.so
UNCOVERED_LINE: in DSO1(int) /pathto/DSO1.cpp:9
UNCOVERED_FUNC: in Uncovered1()
MODULE_WITH_COVERAGE: /pathto/libLLVMFuzzer-DSO2.so
UNCOVERED_LINE: in DSO2(int) /pathto/DSO2.cpp:9
UNCOVERED_FUNC: in Uncovered2()
MODULE_WITH_COVERAGE: /pathto/LLVMFuzzer-DSOTest
UNCOVERED_LINE: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:21
UNCOVERED_LINE: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:27
UNCOVERED_FILE: /pathto/DSOTestExtra.cpp
Several things are not perfect here:
* we are using objdump+awk instead of sancov because sancov does not support DSOs yet.
* this breaks in the presence of ASAN_OPTIONS=strip_path_prefix=...
(need to implement another API to get the module name by PC)
llvm-svn: 284554
2016-10-19 00:12:03 +00:00
bb59ef77ca
[libFuzzer] detect leaks after every run when executing fixed inputs (./fuzzer -runs=1000000 my-file)
...
llvm-svn: 284514
2016-10-18 18:38:08 +00:00
8dfed45cd4
[libFuzzer] reshuffle the code for -exit_on_src_pos and -exit_on_item
...
llvm-svn: 284508
2016-10-18 18:06:05 +00:00
9a4b10a56f
[libFuzzer] swap bytes in integers when handling CMP traces
...
llvm-svn: 284301
2016-10-15 04:00:07 +00:00
f9b8e8b117
[libFuzzer] better algorithm for -minimize_crash
...
llvm-svn: 284299
2016-10-15 01:00:24 +00:00
e450e40741
[libFuzzer] remove subdir fuzzer-test-suite as it is now superseded with https://github.com/google/fuzzer-test-suite
...
llvm-svn: 284275
2016-10-14 20:26:40 +00:00
a5f94fb6c9
[libFuzzer] add -trace_cmp=1 (guiding mutations based on the observed CMP instructions). This is a reincarnation of the previously deleted -use_traces, but using a different approach for collecting traces. Still a toy, but at least it scales well. Also fix -merge in trace-pc-guard mode
...
llvm-svn: 284273
2016-10-14 20:20:33 +00:00
0381374f96
[libFuzzer] more detailed message for disabled leak detection
...
llvm-svn: 284169
2016-10-13 22:24:10 +00:00
a17d23eaa7
[libFuzzer] add -trace_malloc= flag
...
llvm-svn: 284149
2016-10-13 19:06:46 +00:00
17d176e16b
[libFuzzer] reapply r283946: refactoring to speed things up, NFC. Now with a fix for gcc build
...
llvm-svn: 284132
2016-10-13 16:19:09 +00:00
90d990e034
Revert "[libFuzzer] refactoring to speed things up, NFC"
...
This reverts commit r283946.
This breaks when build with GCC:
lib/Fuzzer/FuzzerTracePC.cpp:169:6: error: always_inline function might not be inlinable [-Werror=attributes]
lib/Fuzzer/FuzzerTracePC.cpp:169:6: error: inlining failed in call to always_inline 'void fuzzer::TracePC::HandleCmp(void*, T, T) [with T = long unsigned int]': target specific option mismatch
lib/Fuzzer/FuzzerTracePC.cpp:198:65: error: called from here
llvm-svn: 283979
2016-10-12 07:26:46 +00:00
a09d11e108
[libFuzzer] refactoring to speed things up, NFC
...
llvm-svn: 283946
2016-10-11 21:27:37 +00:00
d19919a80e
[libFuzzer] implement value profile for switch, increase the size of the PCs array, make sure we don't overflow it
...
llvm-svn: 283841
2016-10-11 01:14:41 +00:00
3e0e901a18
[libFuzzer] add switch tests
...
llvm-svn: 283840
2016-10-11 01:13:32 +00:00
7abb95d3b3
[libFuzzer] make a test less flaky
...
llvm-svn: 283686
2016-10-09 03:45:38 +00:00
c5325ed29d
[libFuzzer] when shrinking the corpus, delete evicted files previously created by the current process
...
llvm-svn: 283682
2016-10-08 23:24:45 +00:00
9adc7c8b4a
[libFuzzer] control the reload interval by a flag, make it 10 seconds by default
...
llvm-svn: 283676
2016-10-08 22:12:14 +00:00
cd04ec25dd
[libFuzzer] fix use-after-free in libFuzzer found by ... fuzzing.
...
llvm-svn: 283675
2016-10-08 21:57:48 +00:00
936b1e774f
[libFuzzer] be more careful with memory usage, print peak rss in status lines
...
llvm-svn: 283418
2016-10-06 05:14:00 +00:00
3b564e9765
[libFuzzer] when re-running for lsan, don't look at the coverage
...
llvm-svn: 283411
2016-10-05 23:31:01 +00:00
1c73f1bf27
[libFuzzer] refactoring to make -shrink=1 work for value profile, added a test.
...
llvm-svn: 283409
2016-10-05 22:56:21 +00:00
379359c53a
[libFuzzer] add ShrinkValueProfileTest, move code around, NFC
...
llvm-svn: 283286
2016-10-05 01:09:40 +00:00
2455f0d013
[libFuzzer] clear the corpus elements if they are evicted (i.e. smaller elements with proper coverage are found). Make sure we never try to mutate empty element. Print the corpus size in bytes in the status lines
...
llvm-svn: 283279
2016-10-05 00:25:17 +00:00
4820cc988f
[libFuzzer] remove dfsan support and some related stale code. This is not being used and as is is pretty weak anyway
...
llvm-svn: 283187
2016-10-04 06:08:46 +00:00
5a52a11ce4
[libFuzzer] change the probabilities so that we choose only the inputs that are known to be minimal inputs for at least one coverage feature (works only with -shrink=1 for now)
...
llvm-svn: 283178
2016-10-04 01:51:44 +00:00
a5f1adab56
[libFuzzer] add fuzzer test for libxml2, finds https://bugzilla.gnome.org/show_bug.cgi?id=751631
...
llvm-svn: 283024
2016-10-01 07:37:40 +00:00
d1f31d0a49
[libFuzzer] fix a recent bugs (buffer overflow)
...
llvm-svn: 283021
2016-10-01 07:13:25 +00:00
d216922a80
[libFuzzer] implement the -shrink=1 option that tires to make elements of the corpus smaller, off by default
...
llvm-svn: 282995
2016-10-01 01:04:29 +00:00
90f8f36bca
[libFuzzer] remove some experimental code
...
llvm-svn: 282983
2016-09-30 23:29:27 +00:00
7022b94687
[libFuzzer] fix openssl fuzzer tests when running on a machine w/o openssl installed
...
llvm-svn: 282972
2016-09-30 22:35:08 +00:00
e7e790bad6
[libFuzzer] remove unused option
...
llvm-svn: 282971
2016-09-30 22:29:57 +00:00
b7e7a5473d
[libFuzzer] move common parts of shell scripts into a separate file
...
llvm-svn: 282954
2016-09-30 21:12:30 +00:00
cfa31b6307
[libFuzzer] add a fuzzer test that finds CVE-2015-3193
...
llvm-svn: 282892
2016-09-30 18:16:16 +00:00
cad612a472
[libfuzzer] test for c-ares CVE-2016-5180
...
llvm-svn: 282839
2016-09-30 05:15:45 +00:00
b3949ef885
[libFuzzer] remove the code for -print_pcs=1 with the old coverage. It still works with the new one (trace-pc-guard)
...
llvm-svn: 282831
2016-09-30 01:24:57 +00:00
2c55613a08
[libFuzzer] more the feature set to InputCorpus; on feature update, change the feature counter of the old best input
...
llvm-svn: 282829
2016-09-30 01:19:56 +00:00
a9b0dd0e51
[sanitizer-coverage/libFuzzer] make the guards for trace-pc 32-bit; create one array of guards per function, instead of one guard per BB. reorganize the code so that trace-pc-guard does not create unneeded globals
...
llvm-svn: 282735
2016-09-29 17:43:24 +00:00
a9a135b4f5
[libFuzzer] initialize ValueBitMap::NumBits
...
llvm-svn: 282721
2016-09-29 15:51:28 +00:00
3ee6c213d6
[libFuzzer] speedup TracePC::FinalizeTrace
...
llvm-svn: 282562
2016-09-28 01:16:24 +00:00
7d6935c184
[libFuzzer] run re2 test in 8 threads by default
...
llvm-svn: 282469
2016-09-27 03:33:57 +00:00
45c144754b
[sanitizer-coverage] fix a bug in trace-gep
...
llvm-svn: 282467
2016-09-27 01:55:08 +00:00
53543af036
[libFuzzer] add a test based on openssl-1.0.1f (finds heartbleed)
...
llvm-svn: 282460
2016-09-27 00:27:40 +00:00
5ff481fd9e
[libFuzzer] add -exit_on_src_pos to test libFuzzer itself, add a test script for RE2 that uses this flag
...
llvm-svn: 282458
2016-09-27 00:10:20 +00:00
273d767215
[libFuzzer] add a standalone build script
...
llvm-svn: 282321
2016-09-24 04:00:00 +00:00
0800b81a21
[libFuzzer] simplify HandleTrace again, start re-running interesting units and collecting their features.
...
llvm-svn: 282316
2016-09-23 23:51:58 +00:00
2d1d944f7e
[libFuzzer] first steps in adding a proper automated test suite based on real-life code: add a script to build RE2 at a revision that has known bugs
...
llvm-svn: 282292
2016-09-23 20:43:22 +00:00
0d26de3922
[libFuzzer] reset Counters (trace-pc-guard) before every run
...
llvm-svn: 282284
2016-09-23 20:04:13 +00:00
ce1cab169f
[libFuzzer] be more precise about what we reset in TracePC
...
llvm-svn: 282225
2016-09-23 02:18:59 +00:00
16a145fd0f
[libFuzzer] fix merging with trace-pc-guard
...
llvm-svn: 282224
2016-09-23 01:58:51 +00:00
87a598e19f
[libFuzzer] simplify the TracePC logic
...
llvm-svn: 282222
2016-09-23 01:20:07 +00:00
ab73c6924f
[libFuzzer] move value profiling logic into TracePC
...
llvm-svn: 282219
2016-09-23 00:46:18 +00:00
d28099de5d
[libFuzzer] change ValueBitMap to remember the number of bits in it
...
llvm-svn: 282216
2016-09-23 00:22:46 +00:00
be0ed59cdc
[libFuzzer] simplify the crash minimizer; split MaxLen into two: MaxInputLen and MaxMutationLen, allow MaxMutationLen to be less than MaxInputLen
...
llvm-svn: 282211
2016-09-22 23:16:36 +00:00
624f59f4d8
[libFuzzer] add 'features' to the corpus elements, allow mutations with Size > MaxSize, fix sha1 in corpus stats; various refactorings
...
llvm-svn: 282129
2016-09-22 01:34:58 +00:00
c9e3de35ed
[libFuzzer] one more test
...
llvm-svn: 282127
2016-09-22 00:57:29 +00:00
29bb664075
[libFuzzer] add stats to the corpus; more refactoring
...
llvm-svn: 282121
2016-09-21 22:42:17 +00:00
20801e1b8a
[libFuzzer] more refactoring; don't compute sha1sum every time we mutate a unit from the corpus, use the stored one.
...
llvm-svn: 282115
2016-09-21 21:41:48 +00:00
8658618ea0
[libFuzzer] more refactoring
...
llvm-svn: 282113
2016-09-21 21:17:23 +00:00
225d8e45d4
[libFuzzer] fix libc++ build
...
llvm-svn: 282050
2016-09-21 03:50:37 +00:00
556894fb10
[libFuzzer] more refactoring; NFC
...
llvm-svn: 282047
2016-09-21 02:05:39 +00:00
6f5a804cdb
[libFuzzer] refactoring: split the large header into many; NFC
...
llvm-svn: 282044
2016-09-21 01:50:50 +00:00
09aa01a6f8
[libFuzzer] refactoring: move the Corpus into a separate class; delete two unused experimental features
...
llvm-svn: 282042
2016-09-21 01:04:43 +00:00
3750c04f7e
[libFuzzer] use sleep() instead of std::this_thread::sleep_for to avoid coverage from instrumented libc++
...
llvm-svn: 281933
2016-09-19 20:32:34 +00:00
b706b481ba
[libFuzzer] add -print_coverage=1 flag to print coverage directly from libFuzzer
...
llvm-svn: 281866
2016-09-18 21:47:08 +00:00
8e781a888a
[libFuzzer] use 'if guard' instead of 'if guard >= 0' with trace-pc; change the guard type to intptr_t; use separate array for 8-bit counters
...
llvm-svn: 281845
2016-09-18 04:52:23 +00:00
bc3789a919
[libFuzzer] properly reset the guards when reseting the coverage. Also try to fix check-fuzzer on the bot
...
llvm-svn: 281814
2016-09-17 06:01:55 +00:00
3e36ec1d18
[libFuzzer] change trace-pc to use 8-byte guards
...
llvm-svn: 281810
2016-09-17 05:04:47 +00:00
0984517021
[libFuzzer] make caller-callee feedback work with trace-pc-guard
...
llvm-svn: 281667
2016-09-15 22:16:15 +00:00
21c3573733
[libFuzzer] fix the build for AFLDriverTest
...
llvm-svn: 281633
2016-09-15 18:10:38 +00:00
Zachary Turner