OSchip
/
llvm-project
mirror of https://github.com/THU-DSP-LAB/llvm-project.git
13
0
Fork 6
Code Issues Packages Projects Releases Wiki Activity
221,948 Commits 32 Branches 0 Tags 2.2 GiB
Commit Graph

51 Commits

Author SHA1 Message Date
Kostya Serebryany ce925c580e [libFuzzer] hot fix a test 
llvm-svn: 259732
 2016-02-04 00:12:28 +00:00
Kostya Serebryany b92602ada0 [libFuzzer] don't write the test unit when a leak is detected (since we don't know which unit causes the leak) 
llvm-svn: 259731
 2016-02-04 00:02:17 +00:00
Kostya Serebryany bfbe7fc404 [libFuzzer] allow passing 1 or more files as individual inputs 
llvm-svn: 259459
 2016-02-02 03:03:47 +00:00
Kostya Serebryany 078e984d8d [libFuzzer] fail if the corpus dir does not exist 
llvm-svn: 259454
 2016-02-02 02:07:26 +00:00
Kostya Serebryany 311f27c0a8 [libFuzzer] use std::mt19937 for generating random numbers by default. Fix MyStoll to handle negative values. Use std::any_of instead of std::find_if 
llvm-svn: 258178
 2016-01-19 20:33:57 +00:00
Kostya Serebryany aca7696f4d [libFuzzer] introduce LLVMFuzzerInitialize 
llvm-svn: 257980
 2016-01-16 01:23:12 +00:00
Kostya Serebryany d50a3eedb4 [libFuzzer] make sure we find buffer overflow in the input buffer. Previously, re-using the same vector object was hiding buffer overflows (unless we used annotated vector) 
llvm-svn: 257701
 2016-01-13 23:02:30 +00:00
Kostya Serebryany 152ac7ad70 [libFuzzer] add a position hint to the dictionary-based mutator 
llvm-svn: 257013
 2016-01-07 01:49:35 +00:00
Mike Aizatsky 8b11f877e4 [libfuzzer] print_new_cov_pcs experimental option. 
Differential Revision: http://reviews.llvm.org/D15901

llvm-svn: 256882
 2016-01-06 00:21:22 +00:00
Kostya Serebryany bf65644c97 [libFuzzer] split the tests to run them in parallel, remove one redundant test 
llvm-svn: 256085
 2015-12-19 03:35:30 +00:00
Kostya Serebryany 27ab2d759f [libFuzzer] make CrossOver just one of the other mutations 
llvm-svn: 256081
 2015-12-19 02:49:09 +00:00
Mike Aizatsky a1a5c69b57 [LibFuzzer] Introducing FUZZER_FLAG_UNSIGNED and using it for seeding. 
Differential Revision: http://reviews.llvm.org/D15339

done

llvm-svn: 255296
 2015-12-10 20:41:53 +00:00
Kostya Serebryany 2d0ef14f5d [libFuzzer] add a flag -exact_artifact_path 
llvm-svn: 254100
 2015-11-25 21:40:46 +00:00
Kostya Serebryany dc3135db05 [libFuzzer] experimental flag -drill (another search heuristic; Mike Aizatsky's idea) 
llvm-svn: 252838
 2015-11-12 01:02:01 +00:00
Kostya Serebryany 5eab74e9bc [libFuzzer] make libFuzzer link if there is no sanitizer coverage instrumentation (it will fail at start-up time) 
llvm-svn: 252533
 2015-11-09 23:17:45 +00:00
Kostya Serebryany 2e9fca9f88 [libFuzzer] use the indirect caller-callee counter as an independent search heuristic 
llvm-svn: 251078
 2015-10-22 23:55:39 +00:00
Kostya Serebryany b36025619c [libFuzzer] remove the deprecated 'tokens' feature 
llvm-svn: 251069
 2015-10-22 21:48:09 +00:00
Kostya Serebryany d6edce97fb [libFuzzer] print a stack trace on timeout 
llvm-svn: 250571
 2015-10-16 23:04:31 +00:00
Kostya Serebryany b91c62b1f3 [libFuzzer] When -test_single_input crashes the test it is not necessary to write crash-file because input is already known to the user. Patch by Mike Aizatsky 
llvm-svn: 250564
 2015-10-16 22:41:47 +00:00
Kostya Serebryany bd5d1cdbb9 [libFuzzer] add -artifact_prefix flag 
llvm-svn: 249807
 2015-10-09 03:57:59 +00:00
Kostya Serebryany 65d0a1458f [libFuzzer] remove experimental flag and functionality 
llvm-svn: 249194
 2015-10-02 22:00:32 +00:00
Kostya Serebryany b85db178a0 [libFuzzer] add a flag -max_total_time 
llvm-svn: 249181
 2015-10-02 20:47:55 +00:00
Ivan Krasin 95e82d5b48 [LibFuzzer] test_single_input option to run a single test case. 
-test_single_input flag specifies a file name with test data.

Review URL: http://reviews.llvm.org/D13359

Patch by Mike Aizatsky!

llvm-svn: 249096
 2015-10-01 23:23:06 +00:00
Ivan Krasin a610cb5ba0 [libFuzzer]Add a test for defeating a hash sum. 
Summary:
Add a test for a data followed by 4-byte hash value.
I use a slightly modified Jenkins hash function,
as described in https://en.wikipedia.org/wiki/Jenkins_hash_function

The modification is to ensure that hash(zeros) != 0.

Reviewers: kcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D12648

llvm-svn: 247076
 2015-09-08 21:22:52 +00:00
Kostya Serebryany 7d21166218 [libFuzzer] actually make the dictionaries work (+docs) 
llvm-svn: 246825
 2015-09-04 00:12:11 +00:00
Kostya Serebryany 6ea1b69fcf [libFuzzer] deprecate the -tokens flag. This was a bad idea because the corpus with this flag contains encrypted inputs, not the real inputs, which complicates interoperation with other fuzzers. Instead we'll need to implement AFL dictionary support 
llvm-svn: 246734
 2015-09-02 23:27:39 +00:00
Kostya Serebryany 12c7837381 [libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied 
llvm-svn: 244712
 2015-08-12 01:55:37 +00:00
Kostya Serebryany 7f4227d59a [libFuzzer] use data-flow feedback from strcmp 
llvm-svn: 244084
 2015-08-05 18:23:01 +00:00
Kostya Serebryany fe7e41e8f5 [libFuzzer] make sure that 2-byte arguments of switch() are handled properly 
llvm-svn: 243781
 2015-07-31 20:58:55 +00:00
Kostya Serebryany fb7d8d9d06 [libFuzzer] trace switch statements and apply mutations based on the expected case values 
llvm-svn: 243726
 2015-07-31 01:33:06 +00:00
Kostya Serebryany b74ba421fc [libFuzzer] implement strncmp hook for data-flow-guided fuzzing (w/ and w/o dfsan), add a test 
llvm-svn: 243611
 2015-07-30 02:33:45 +00:00
Kostya Serebryany 0e776a2250 [libFuzzer] implement memcmp hook for data-flow-guided fuzzing (w/o dfsan), extend the memcmp fuzzer test 
llvm-svn: 243603
 2015-07-30 01:34:58 +00:00
Kostya Serebryany 2b7d2e91cc [libFuzzer] dump long running units to disk 
llvm-svn: 243031
 2015-07-23 18:37:22 +00:00
Alexey Samsonov 4800c2de28 [Fuzzer] Rely on $PATH expansion instead of hardcoding paths in tests. NFC. 
llvm-svn: 242851
 2015-07-21 22:51:55 +00:00
Alexey Samsonov dc324e1644 [Fuzzer] Clearly separate regular and DFSan tests. NFC. 
llvm-svn: 242850
 2015-07-21 22:51:49 +00:00
Kostya Serebryany f3c7cb464e [lib/Fuzzer] remove -use_coverage_pairs=1, an experimental feature that is unlikely to ever scale 
llvm-svn: 238063
 2015-05-22 22:47:03 +00:00
Kostya Serebryany f342459aa4 [lib/Fuzzer] extend the fuzzer interface to allow user-supplied mutators 
llvm-svn: 238059
 2015-05-22 22:35:31 +00:00
Kostya Serebryany 490bbd6fa4 [lib/Fuzzer] change the meaning of -timeout flag: now timeout is applied to every unit of work separately 
llvm-svn: 237735
 2015-05-19 22:12:57 +00:00
Kostya Serebryany d8c54724a8 [lib/Fuzzer] remove the -dfsan=1 flag, just use -use_traces=1 (w/ or w/o dfsan) 
llvm-svn: 237083
 2015-05-12 01:58:34 +00:00
Kostya Serebryany 5a99ecbbb3 [lib/Fuzzer] add a trace-based mutatation logic. Same idea as with DFSan-based mutator, but instead of relying on taint tracking, try to find the data directly in the input. More (logic and comments) to go. 
llvm-svn: 237043
 2015-05-11 20:51:19 +00:00
Kostya Serebryany f3f3ed323a [lib/Fuzzer] build tests that work well with dfsan also w/o dfsan 
llvm-svn: 236909
 2015-05-08 21:45:19 +00:00
Kostya Serebryany beb24c38e7 [lib/Fuzzer] change the way we use taint information for fuzzing. Now, we run a single unit and collect suggested mutations based on tracing+taint data, then apply the suggested mutations one by one. The previous scheme was slower and more complex. 
llvm-svn: 236772
 2015-05-07 21:02:11 +00:00
Kostya Serebryany a407ddef27 [lib/Fuzzer] add dfsan_weak_hook_memcmp, enable the test that uses it, simplify the test runner 
llvm-svn: 236683
 2015-05-07 00:11:33 +00:00
Kostya Serebryany 52a788e503 [fuzzer] Add support for token-based fuzzing (e.g. for C++). Allow string flags. 
llvm-svn: 233745
 2015-03-31 20:13:20 +00:00
Kostya Serebryany 16d03bd051 DFSan-based fuzzer (proof of concept). 
Summary:
This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.

Test Plan: a test added

Reviewers: samsonov, pcc

Reviewed By: samsonov, pcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D8669

llvm-svn: 233613
 2015-03-30 22:09:51 +00:00
Kostya Serebryany be5e0ed919 [sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing). 
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.

The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.

These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.

Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).

Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.

llvm-svn: 231166
 2015-03-03 23:27:02 +00:00
Kostya Serebryany 2e3622bddd [fuzzer] one more experimental search mode: -use_coverage_pairs=1 
llvm-svn: 229957
 2015-02-20 03:02:37 +00:00
Kostya Serebryany 2c1b33b897 [fuzzer] add -use_full_coverage_set=1 which solves FullCoverageSetTest. This does not scale very well yet, but might be a good start. 
llvm-svn: 227507
 2015-01-29 23:01:07 +00:00
Aaron Ballman ef11698cac Reverting r227452, which adds back the fuzzer library. Now excluding the fuzzer library based on LLVM_USE_SANITIZE_COVERAGE being set or unset. 
llvm-svn: 227464
 2015-01-29 16:58:29 +00:00
Aaron Ballman 7b54ed221a Temporarily reverting the fuzzer library as it causes too many build issues for MSVC users. This reverts: 227445, 227395, 227389, 227357, 227254, 227252 
llvm-svn: 227452
 2015-01-29 15:49:22 +00:00