4820cc988f
[libFuzzer] remove dfsan support and some related stale code. This is not being used and as is is pretty weak anyway
...
llvm-svn: 283187
2016-10-04 06:08:46 +00:00
d216922a80
[libFuzzer] implement the -shrink=1 option that tires to make elements of the corpus smaller, off by default
...
llvm-svn: 282995
2016-10-01 01:04:29 +00:00
90f8f36bca
[libFuzzer] remove some experimental code
...
llvm-svn: 282983
2016-09-30 23:29:27 +00:00
e7e790bad6
[libFuzzer] remove unused option
...
llvm-svn: 282971
2016-09-30 22:29:57 +00:00
b3949ef885
[libFuzzer] remove the code for -print_pcs=1 with the old coverage. It still works with the new one (trace-pc-guard)
...
llvm-svn: 282831
2016-09-30 01:24:57 +00:00
2c55613a08
[libFuzzer] more the feature set to InputCorpus; on feature update, change the feature counter of the old best input
...
llvm-svn: 282829
2016-09-30 01:19:56 +00:00
a9b0dd0e51
[sanitizer-coverage/libFuzzer] make the guards for trace-pc 32-bit; create one array of guards per function, instead of one guard per BB. reorganize the code so that trace-pc-guard does not create unneeded globals
...
llvm-svn: 282735
2016-09-29 17:43:24 +00:00
5ff481fd9e
[libFuzzer] add -exit_on_src_pos to test libFuzzer itself, add a test script for RE2 that uses this flag
...
llvm-svn: 282458
2016-09-27 00:10:20 +00:00
0800b81a21
[libFuzzer] simplify HandleTrace again, start re-running interesting units and collecting their features.
...
llvm-svn: 282316
2016-09-23 23:51:58 +00:00
ce1cab169f
[libFuzzer] be more precise about what we reset in TracePC
...
llvm-svn: 282225
2016-09-23 02:18:59 +00:00
16a145fd0f
[libFuzzer] fix merging with trace-pc-guard
...
llvm-svn: 282224
2016-09-23 01:58:51 +00:00
87a598e19f
[libFuzzer] simplify the TracePC logic
...
llvm-svn: 282222
2016-09-23 01:20:07 +00:00
ab73c6924f
[libFuzzer] move value profiling logic into TracePC
...
llvm-svn: 282219
2016-09-23 00:46:18 +00:00
d28099de5d
[libFuzzer] change ValueBitMap to remember the number of bits in it
...
llvm-svn: 282216
2016-09-23 00:22:46 +00:00
be0ed59cdc
[libFuzzer] simplify the crash minimizer; split MaxLen into two: MaxInputLen and MaxMutationLen, allow MaxMutationLen to be less than MaxInputLen
...
llvm-svn: 282211
2016-09-22 23:16:36 +00:00
624f59f4d8
[libFuzzer] add 'features' to the corpus elements, allow mutations with Size > MaxSize, fix sha1 in corpus stats; various refactorings
...
llvm-svn: 282129
2016-09-22 01:34:58 +00:00
29bb664075
[libFuzzer] add stats to the corpus; more refactoring
...
llvm-svn: 282121
2016-09-21 22:42:17 +00:00
20801e1b8a
[libFuzzer] more refactoring; don't compute sha1sum every time we mutate a unit from the corpus, use the stored one.
...
llvm-svn: 282115
2016-09-21 21:41:48 +00:00
6f5a804cdb
[libFuzzer] refactoring: split the large header into many; NFC
...
llvm-svn: 282044
2016-09-21 01:50:50 +00:00
09aa01a6f8
[libFuzzer] refactoring: move the Corpus into a separate class; delete two unused experimental features
...
llvm-svn: 282042
2016-09-21 01:04:43 +00:00
b706b481ba
[libFuzzer] add -print_coverage=1 flag to print coverage directly from libFuzzer
...
llvm-svn: 281866
2016-09-18 21:47:08 +00:00
3e36ec1d18
[libFuzzer] change trace-pc to use 8-byte guards
...
llvm-svn: 281810
2016-09-17 05:04:47 +00:00
5350178487
[libFuzzer] implement print_pcs with trace-pc-guard. Change the trace-pc-guard heuristic for 8-bit counters to look more like in AFL (not that it's provable better, but the existin test preferes this heuristic)
...
llvm-svn: 281577
2016-09-15 04:36:45 +00:00
a5277d59d0
[libFuzzer] add 8-bit counters to trace-pc-guard handler
...
llvm-svn: 281568
2016-09-15 01:30:18 +00:00
a00b243c75
[libFuzzer] start using trace-pc-guard as an alternative source of coverage
...
llvm-svn: 281435
2016-09-14 02:13:06 +00:00
8c537c556a
[libFuzzer] print a failed-merge warning only in the merge mode
...
llvm-svn: 281130
2016-09-10 02:17:22 +00:00
b991cc1f0e
[libFuzzer] print a visible message if merge fails due to a crash
...
llvm-svn: 281122
2016-09-10 00:15:41 +00:00
b76a2a5503
[libFuzzer] improve -print_pcs to not print new PCs coming from libFuzzer itself
...
llvm-svn: 281016
2016-09-09 02:38:28 +00:00
8ea4f9873b
[libFuzzer] remove unneeded call
...
llvm-svn: 281014
2016-09-09 01:57:38 +00:00
b077d3fef2
[libfuzzer] simplified unit truncation; do not write trunc items to disc
...
Differential Revision: https://reviews.llvm.org/D24049
llvm-svn: 280153
2016-08-30 20:49:07 +00:00
0f0fa4faf2
[libFizzer] rename -print_new_cov_pcs=1 into -print_pcs=1 and make it more useful: print PCs only after the initial corpus has been read and symbolize them
...
llvm-svn: 279787
2016-08-25 22:35:08 +00:00
f67357c671
[libFuzzer] simplify the code, NFC
...
llvm-svn: 279697
2016-08-25 01:25:03 +00:00
a9a548049a
[libFuzzer] when printing the reproducer input, also print the base input and the mutation sequence
...
llvm-svn: 278975
2016-08-17 20:45:23 +00:00
d46a59fac4
[libFuzzer] new experimental feature: value profiling. Profiles values that affect control flow and treats new values as new coverage.
...
llvm-svn: 278839
2016-08-16 19:33:51 +00:00
c98ef718ea
[libFuzzer] refactoring around PCMap, NFC
...
llvm-svn: 278825
2016-08-16 17:37:13 +00:00
728447bd3b
[libFuzzer] make libFuzzer work with a bit older clang versions
...
llvm-svn: 277941
2016-08-06 21:28:56 +00:00
ff1f2107ec
[libFuzzer] don't print bogus error message
...
llvm-svn: 277940
2016-08-06 21:23:29 +00:00
b4bbc3bb7a
[sanitizers] trace buffer API to use user-allocated buffer.
...
Differential Revision: https://reviews.llvm.org/D23185
llvm-svn: 277859
2016-08-05 20:09:53 +00:00
f0b3e85f4e
[libfuzzer] moving is_ascii handler inside mutation dispatcher.
...
Summary: It also fixes a bug, when first random might not be ascii.
Differential Revision: http://reviews.llvm.org/D21573
llvm-svn: 273611
2016-06-23 20:44:48 +00:00
fd6ad5bba9
[libFuzzer] use the new chainable malloc hooks instead of the old un-chainable ones, use atomic for malloc/free counters instead of a thread local counter in the main thread. This should make on-the-spot leak detection in libFuzzer more reliable
...
llvm-svn: 272948
2016-06-16 20:17:41 +00:00
53b7b3ca5f
[libFuzzer] add 'weak' back to __sanitizer_malloc_hook and __sanitizer_free_hook
...
llvm-svn: 272116
2016-06-08 04:49:29 +00:00
76f425211e
[libFuzzer] add a test that is built w/o coverage instrumentation but has the coverage rt (it should now fail with a descriptive message)
...
llvm-svn: 272090
2016-06-08 01:46:13 +00:00
1873a496e2
[LibFuzzer] Declare and use sanitizer functions in ``fuzzer::ExternalFunctions``
...
This fixes linking problems on OSX.
Unfortunately it turns out we need to use an instance of the
``fuzzer::ExternalFunctions`` object in several places so this
commit also replaces all instances with a single global instance.
It also turns out initializing a global ``fuzzer::ExternalFunctions``
before main is entered (i.e. letting the object be initialised by the
global initializers) is not safe (on OSX the call to ``Printf()`` in the
CTOR crashes if it is called from a global initializer) so we instead
have a global ``fuzzer::ExternalFunctions*`` and initialize it inside
``FuzzerDriver()``.
Multiple unit tests depend also depend on the
``fuzzer::ExternalFunctions*`` global so a ``main()`` function has been
added that initializes it before running any tests.
Differential Revision: http://reviews.llvm.org/D20943
llvm-svn: 272072
2016-06-07 23:32:50 +00:00
1f88b12272
[libfuzzer] prune_corpus option for disabling pruning during the load.
...
Summary:
The option is very useful for testing, plus I intend to measure
its effect on fuzzer effectiveness.
Differential Revision: http://reviews.llvm.org/D21084
llvm-svn: 272035
2016-06-07 18:16:32 +00:00
70fd3e412a
[libfuzzer] hiding custom mutator handling in MutationDispatcher.
...
Summary: Refactoring, no functional changes.
Differential Revision: http://reviews.llvm.org/D20975
llvm-svn: 271740
2016-06-03 21:34:29 +00:00
d3c33116fd
[LibFuzzer] Reimplement how the optional user functions are called.
...
The motivation for this change is to fix linking issues on OSX.
However this only partially fixes linking issues (the uninstrumented
tests and a few others won't succesfully link yet).
This change introduces a struct of function pointers
(``fuzzer::ExternalFuntions``) which when initialised will point to the
optional functions if they are available. Currently these
``LLVMFuzzerInitialize`` and ``LLVMFuzzerCustomMutator`` functions.
Two implementations of ``fuzzer::ExternalFunctions`` constructor are
provided one for Linux and one for OSX.
The OSX implementation uses ``dlsym()`` because the prior implementation
using weak symbols does not work unless the additional flags are passed
to the linker.
The Linux implementation continues to use weak symbols because the
``dlsym()`` approach does not work unless additional flags are passed
to the linker.
Differential Revision: http://reviews.llvm.org/D20741
llvm-svn: 271491
2016-06-02 05:48:02 +00:00
f6414426f2
[libFuzzer] use __sanitizer_print_memory_profile to print the memory profile on OOM
...
llvm-svn: 271465
2016-06-02 01:33:11 +00:00
4795210f9c
[libFuzzer] fix a use-after-free (!) in libFuzzer caused by r270905: that CL caused a push_back in the main corpus invalidating the vector<> iterators in rare cases.
...
llvm-svn: 271186
2016-05-29 15:58:57 +00:00
311cc8378e
[libFuzzer] fix a failure that occurs when running individual inputs
...
llvm-svn: 271095
2016-05-28 04:19:46 +00:00
0edb563f27
[libFuzzer] make OOM-handling more portable. Instead of sending a signal to the main fuzzing thread, print the message in the getrusage thread and exit.
...
llvm-svn: 270945
2016-05-27 00:54:15 +00:00
8fc3a27c5c
[libFuzzer] more refactoring: make sure CurrentUnitData is awlays a valid pointer to read from
...
llvm-svn: 270942
2016-05-27 00:21:33 +00:00
d8384122a3
[libFuzzer] more refactoring around CurrentUnit. Also add a threading test on which we currently have a race (when reporting bugs from multiple threads)
...
llvm-svn: 270929
2016-05-26 22:17:32 +00:00
f26017baf9
[libFuzzer] refactor: hide CurrentUnitData inside an interface function. NFC
...
llvm-svn: 270922
2016-05-26 21:32:30 +00:00
4b92326b17
[libFuzzer] when there is a leak in the existing corpus report the reproducer properly
...
llvm-svn: 270905
2016-05-26 20:25:49 +00:00
f1f3f93c9e
[libFuzzer] reimplement the way we do -only_ascii to allow more 'const' in function declarations. Add a test for -only_ascii. NFC intended
...
llvm-svn: 270900
2016-05-26 20:03:02 +00:00
ff2e6badbd
[libFuzzer] print stats if we crash on empty input
...
llvm-svn: 270639
2016-05-25 00:15:36 +00:00
af432a45e3
[libfuzzer] Trying random unit prefixes during corpus load.
...
Differential Revision: http://reviews.llvm.org/D20301
llvm-svn: 270632
2016-05-24 23:14:29 +00:00
3868e468fe
[LibFuzzer]
...
Work around crashes in ``__sanitizer_malloc_hook()`` under Mac OSX.
Under Mac OSX we intercept calls to malloc before thread local
storage is initialised leading to a crash when accessing
``AllocTracer``. To workaround this ``AllocTracer`` is only accessed
in the hook under Linux. For symmetry ``__sanitizer_free_hook()``
is also modified in the same way.
To support this change a set of new macros
LIBFUZZER_LINUX and LIBFUZZER_APPLE has been defined which can be
used to check the target being compiled for.
Differential Revision: http://reviews.llvm.org/D20402
llvm-svn: 270145
2016-05-19 22:00:33 +00:00
a0788e7dd4
[libFuzzer] do the merge faster and a bit less precise
...
llvm-svn: 269497
2016-05-13 22:11:23 +00:00
8b0d90a6d4
[libFuzzer] simplify FuzzerInterface.h
...
llvm-svn: 269448
2016-05-13 18:04:35 +00:00
1aa501e7e8
[libfuzzer] Refactoring coverage state-management code.
...
It is now less state-dependent and will allow easier comparing of
coverages of different units.
Differential Revision: http://reviews.llvm.org/D20085
llvm-svn: 269140
2016-05-10 23:43:15 +00:00
8b8f7a3cda
[libFuzzer] enhance -rss_limit_mb and enable by default. Now it will print the OOM reproducer.
...
llvm-svn: 268821
2016-05-06 23:38:07 +00:00
52b394e981
[libFuzzer] add exeprimental -rss_limit_mb flag to fight against OOMs
...
llvm-svn: 268807
2016-05-06 21:58:35 +00:00
7018a1aaa4
[libFuzzer] disable leak detection if we have tried it for 1000 times w/o finding a leak
...
llvm-svn: 267770
2016-04-27 19:52:34 +00:00
9ba19182be
[libFuzzer] remove dead code
...
llvm-svn: 267455
2016-04-25 19:41:45 +00:00
1bfd583d82
[libFuzzer] added -detect_leaks flag (0 by default for now). When enabled, it will help finding leaks while fuzzing
...
llvm-svn: 266838
2016-04-20 00:24:21 +00:00
ebb932d060
[libFuzzer] try to print correct time in seconds when reporting a timeout. Don't report timeouts while still loading the corpus.
...
llvm-svn: 266693
2016-04-18 22:50:39 +00:00
94e29668b0
[libfuzzer] defensive assert
...
llvm-svn: 265866
2016-04-08 23:32:24 +00:00
315167339e
[libFuzzer] don't report memory leaks if we are dying due to a timeout (just use _Exit instead of exit in the timeout callback)
...
llvm-svn: 264237
2016-03-24 01:32:08 +00:00
d96b0c14fb
[Fuzzer] Guard no_sanitize_memory attributes behind __has_feature.
...
Otherwise GCC fails to build it because it doesn't know the attribute.
llvm-svn: 263787
2016-03-18 14:19:19 +00:00
945761b8c2
[libFuzzer] improve -merge functionality
...
llvm-svn: 263769
2016-03-18 00:23:29 +00:00
c5575aabd6
[libFuzzer] deprecate several flags
...
llvm-svn: 263739
2016-03-17 19:59:39 +00:00
23dbc390af
[libFuzzer] add __attribute__((no_sanitize_memory)) to two functions that may be called from signal handler(s) or from msan. This will hopefully avoid msan false reports which I can't reproduce
...
llvm-svn: 263737
2016-03-17 19:42:35 +00:00
64d24578d8
[libFuzzer] try to use max_len based on the items of the corpus instead of blindly defaulting to 64 bytes.
...
llvm-svn: 263323
2016-03-12 01:57:04 +00:00
e483ed2825
[libFuzzer] when interrupted, call _Exit() instead of exit()
...
llvm-svn: 262667
2016-03-03 22:36:37 +00:00
3d95dd9149
[libFuzzer] deprecate exit_on_first flag
...
llvm-svn: 262417
2016-03-01 22:33:14 +00:00
228d5b1ce4
[libFuzzer] add generic signal handlers so that libFuzzer can report at least something if ASan is not handlig the signals for us. Remove abort_on_timeout flag.
...
llvm-svn: 262415
2016-03-01 22:19:21 +00:00
66ff0756e4
[libFuzzer] add -print_final_stats=1 flag
...
llvm-svn: 262084
2016-02-26 22:42:23 +00:00
da63c1d09a
[libFuzzer] initial implementation of path coverage based on -fsanitize-coverage=trace-pc. This does not scale well yet, but already cracks FullCoverageSetTest in seconds
...
llvm-svn: 262073
2016-02-26 21:33:56 +00:00
a35f7d383f
[libFuzzer] only read MaxLen bytes from every file in the corpus to speedup loading the corpus
...
llvm-svn: 261267
2016-02-18 21:49:10 +00:00
cfbcf9097d
[libFuzzer] don't timeout when loading the corpus. Be a bit more verbose when loading large corpus.
...
llvm-svn: 261143
2016-02-17 19:42:34 +00:00
8a5bef0fcf
[libFuzzer] remove std::vector operations from hot paths, NFC
...
llvm-svn: 260829
2016-02-13 17:56:51 +00:00
1deb0498f5
[libFuzzer] don't require seed in fuzzer::Mutate, instead use the global Fuzzer object for fuzzer::Mutate. This makes custom mutators fast
...
llvm-svn: 260810
2016-02-13 06:24:18 +00:00
7ec0c56e07
[libFuzzer] get rid of UserSuppliedFuzzer; NFC
...
llvm-svn: 260798
2016-02-13 03:25:16 +00:00
22cc5e2375
[libFuzzer] provide a plain C interface for custom mutators (experimental)
...
llvm-svn: 260794
2016-02-13 02:29:38 +00:00
b92602ada0
[libFuzzer] don't write the test unit when a leak is detected (since we don't know which unit causes the leak)
...
llvm-svn: 259731
2016-02-04 00:02:17 +00:00
54a6363a8f
[libFuzzer] add -timeout_exitcode option
...
llvm-svn: 259265
2016-01-29 23:30:07 +00:00
9768e7f06b
[libFuzzer] add -abort_on_timeout option
...
llvm-svn: 258631
2016-01-23 19:34:19 +00:00
df91910bd4
Use std::piecewise_constant_distribution instead of ad-hoc binary search.
...
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.
Note: this is the second attempt (prev: r258473). Now, libc++ build is fixed.
Reviewers: aizatsky, kcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D16487
llvm-svn: 258571
2016-01-22 22:28:27 +00:00
d84f74cab7
Revert r258473 as it's breaking the build with libc++
...
Reviewers: kcc
Differential Revision: http://reviews.llvm.org/D16441
llvm-svn: 258479
2016-01-22 03:21:52 +00:00
b008fd4d89
Use std::piecewise_constant_distribution instead of ad-hoc binary search.
...
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.
Note: I had to change the seed for one test to make it pass. Alternatively,
the number of runs could be increased. I believe that the average time of
'foo' discovery is not increased, just seed=1 was particularly convenient
for the previous PRNG scheme used.
Reviewers: aizatsky, kcc
Subscribers: llvm-commits, kcc
Differential Revision: http://reviews.llvm.org/D16419
llvm-svn: 258473
2016-01-22 01:32:34 +00:00
e313f8f8ff
[libfuzzer] use %p for printing addresses
...
llvm-svn: 258370
2016-01-21 00:02:09 +00:00
628bc3ec00
[libFuzzer] move some code from public interface header to a non-public header. NFC
...
llvm-svn: 257963
2016-01-16 00:04:36 +00:00
4b35874b2a
[libFuzzer] suggest a dictionary to the user of some of the trace-based dictionary entries were successful
...
llvm-svn: 257736
2016-01-14 02:36:44 +00:00
98abb2c90a
[libFuzzer] make CurrentUnit a POD object instead of vector to avoid extra allocations
...
llvm-svn: 257713
2016-01-13 23:46:01 +00:00
d50a3eedb4
[libFuzzer] make sure we find buffer overflow in the input buffer. Previously, re-using the same vector object was hiding buffer overflows (unless we used annotated vector)
...
llvm-svn: 257701
2016-01-13 23:02:30 +00:00
72fdb32dac
[libFuzzer] make sure to update CurrentUnit when drilling
...
llvm-svn: 257560
2016-01-13 01:58:27 +00:00
b65805a939
[libFuzzer] change the way trace-based mutations are applied. Instead of a custom code just rely on the automatically created dictionary
...
llvm-svn: 257248
2016-01-09 03:08:58 +00:00
8b11f877e4
[libfuzzer] print_new_cov_pcs experimental option.
...
Differential Revision: http://reviews.llvm.org/D15901
llvm-svn: 256882
2016-01-06 00:21:22 +00:00
27ab2d759f
[libFuzzer] make CrossOver just one of the other mutations
...
llvm-svn: 256081
2015-12-19 02:49:09 +00:00
Kostya Serebryany