b706b481ba
[libFuzzer] add -print_coverage=1 flag to print coverage directly from libFuzzer
...
llvm-svn: 281866
2016-09-18 21:47:08 +00:00
bc3789a919
[libFuzzer] properly reset the guards when reseting the coverage. Also try to fix check-fuzzer on the bot
...
llvm-svn: 281814
2016-09-17 06:01:55 +00:00
3e36ec1d18
[libFuzzer] change trace-pc to use 8-byte guards
...
llvm-svn: 281810
2016-09-17 05:04:47 +00:00
0984517021
[libFuzzer] make caller-callee feedback work with trace-pc-guard
...
llvm-svn: 281667
2016-09-15 22:16:15 +00:00
21c3573733
[libFuzzer] fix the build for AFLDriverTest
...
llvm-svn: 281633
2016-09-15 18:10:38 +00:00
09e416615e
[libFuzzer] disable test that requires debug info -- it fails on the bot
...
llvm-svn: 281584
2016-09-15 05:46:58 +00:00
0b47fbcb30
[libFuzzer] move the AFL driver build rule test into the uninstrumented dir
...
llvm-svn: 281583
2016-09-15 05:17:39 +00:00
33a497abf4
[libFuzzer] fix print_pcs test
...
llvm-svn: 281580
2016-09-15 04:43:06 +00:00
5350178487
[libFuzzer] implement print_pcs with trace-pc-guard. Change the trace-pc-guard heuristic for 8-bit counters to look more like in AFL (not that it's provable better, but the existin test preferes this heuristic)
...
llvm-svn: 281577
2016-09-15 04:36:45 +00:00
a5277d59d0
[libFuzzer] add 8-bit counters to trace-pc-guard handler
...
llvm-svn: 281568
2016-09-15 01:30:18 +00:00
a00b243c75
[libFuzzer] start using trace-pc-guard as an alternative source of coverage
...
llvm-svn: 281435
2016-09-14 02:13:06 +00:00
4529960a3b
[libFuzzer] don't print help for internal flags
...
llvm-svn: 281124
2016-09-10 00:35:30 +00:00
b991cc1f0e
[libFuzzer] print a visible message if merge fails due to a crash
...
llvm-svn: 281122
2016-09-10 00:15:41 +00:00
1837152a34
[libFuzzer] use sizeof() in tests instead of 4 and 8
...
llvm-svn: 281111
2016-09-09 22:21:16 +00:00
4b17a331ae
[libFuzzer] one more puzzle for value profile
...
llvm-svn: 281106
2016-09-09 21:58:42 +00:00
00ef27112e
[libFuzzer] one more puzzle, value_profile cracks it in a second
...
llvm-svn: 281066
2016-09-09 18:00:04 +00:00
5c04bd250e
[libFuzzer] remove use_traces=1 since use_value_profile seems to be strictly better
...
llvm-svn: 281007
2016-09-09 01:17:03 +00:00
e2d0f63654
[libFuzzer] add -minimize_crash flag (to minimize crashers). also add two tests that I failed to commit last time
...
llvm-svn: 280332
2016-09-01 01:22:27 +00:00
b077d3fef2
[libfuzzer] simplified unit truncation; do not write trunc items to disc
...
Differential Revision: https://reviews.llvm.org/D24049
llvm-svn: 280153
2016-08-30 20:49:07 +00:00
a016a45d60
[libFuzzer] fix a bug when running a single unit of N bytes with -max_len=M, M<N, caused a buffer overflow
...
llvm-svn: 280098
2016-08-30 14:52:05 +00:00
248d11519a
[libFuzzer] stop using bits for memcmp's value profile -- seems to blow up the corpus too much
...
llvm-svn: 280096
2016-08-30 14:39:33 +00:00
d4492f8101
[libFuzzer] use bits instead of bytes for memcmp/strcmp value profile -- the fuzzer reaches the goal much faster, at least on the simple puzzles
...
llvm-svn: 280054
2016-08-30 03:05:50 +00:00
4d22e4fcb9
[libFuzzer] use trace-div and trace-gep for guided fuzzing, add tests
...
llvm-svn: 280046
2016-08-30 01:30:14 +00:00
3e5991e540
[libFuzzer] simplify a test to make it pass on the bot
...
llvm-svn: 279796
2016-08-26 00:18:16 +00:00
1426f59a76
[libFuzzer] make sure we have symbols on fuzzer tests
...
llvm-svn: 279792
2016-08-25 23:30:02 +00:00
0f0fa4faf2
[libFizzer] rename -print_new_cov_pcs=1 into -print_pcs=1 and make it more useful: print PCs only after the initial corpus has been read and symbolize them
...
llvm-svn: 279787
2016-08-25 22:35:08 +00:00
41bcb830af
[libFuzzer] make a test more deterministic
...
llvm-svn: 279686
2016-08-24 23:10:17 +00:00
524c3f32e7
[sanitizer-coverage/libFuzzer] instrument comparisons with __sanitizer_cov_trace_cmp[1248] instead of __sanitizer_cov_trace_cmp, don't pass the comparison type to save a bit performance. Use these new callbacks in libFuzzer
...
llvm-svn: 279027
2016-08-18 01:25:28 +00:00
0c537b124c
[libFuzzer] one more mutation: ChangeBinaryInteger; also fix the breakage from r278970
...
llvm-svn: 278982
2016-08-17 21:30:30 +00:00
a7398ba024
[libFuzzer] more mutations
...
llvm-svn: 278950
2016-08-17 18:10:42 +00:00
d46a59fac4
[libFuzzer] new experimental feature: value profiling. Profiles values that affect control flow and treats new values as new coverage.
...
llvm-svn: 278839
2016-08-16 19:33:51 +00:00
bdb220c7a0
[libFuzzer] print a verbose message after executing inputs in non-fuzzing mode
...
llvm-svn: 278724
2016-08-15 19:44:04 +00:00
a0d40a21e7
[libFuzzer] fix the bot
...
llvm-svn: 278721
2016-08-15 19:36:13 +00:00
dfbe59b03d
[libFuzzer] add InsertRepeatedBytes and EraseBytes.
...
New mutation: InsertRepeatedBytes.
Updated mutation: EraseByte => EraseBytes.
This helps https://github.com/google/sanitizers/issues/710
where libFuzzer was not able to find a known bug.
Now it finds it in minutes.
Hopefully, the change is general enough to help other targets.
llvm-svn: 278687
2016-08-15 17:48:28 +00:00
ed3c9cae49
[LibFuzzer] Fix `-jobs=<N>` where <N> > 1 and the number of workers is > 1 on macOS.
...
The original `ExecuteCommand()` called `system()` from the C library.
The C library implementation of this on macOS contains a mutex which
serializes calls to `system()`. This prevented the `-jobs=` flag
from running copies of the fuzzing binary in parallel which is
the opposite of what is intended.
To fix this on macOS an alternative implementation of `ExecuteCommand()`
is provided that can be used concurrently. This is provided in
`FuzzerUtilDarwin.cpp` which is guarded to only compile code on Apple
platforms. The existing implementation has been moved to a new file
`FuzzerUtilLinux.cpp` which is guarded to only compile code on Linux.
This commit includes a simple test to check that LibFuzzer is being
executed in parallel when requested.
Differential Revision: https://reviews.llvm.org/D22742
llvm-svn: 278544
2016-08-12 18:29:36 +00:00
6b08be9279
[libFuzzer] properly intercept memmem
...
llvm-svn: 276006
2016-07-19 18:29:06 +00:00
c135b55ae0
[libFuzzer] add hooks for strstr, strcasestr, strcasecmp, strncasecmp
...
llvm-svn: 275648
2016-07-15 23:27:19 +00:00
5d9a17742e
[libFuzzer] add ThreadedLeakTest
...
llvm-svn: 275582
2016-07-15 17:19:43 +00:00
30ca81f1f7
[LibFuzzer] Unbreak the build on macOS which was broken by r272858.
...
``afl_driver.cpp`` currently relies on weak symbols which doesn't
work properly under macOS. For now fix the build by providing a
dummy implementation of ``LLVMFuzzerInitialize(...)``. This is just
a temporary measure until we fix ``afl_driver.cpp`` for macOS.
llvm-svn: 274778
2016-07-07 18:14:11 +00:00
8ba86a5a48
[libFuzzer] Let user specify extra stats file.
...
Summary: If AFL_DRIVER_EXTRA_STATS_FILENAME is set and valid, write to it peak_rss_mb and slowest_unit_time_sec. These are both stats that libFuzzer can print but afl cannot.
Reviewers: kcc, aizatsky, metzman
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D21742
llvm-svn: 274273
2016-06-30 20:43:06 +00:00
f0b3e85f4e
[libfuzzer] moving is_ascii handler inside mutation dispatcher.
...
Summary: It also fixes a bug, when first random might not be ascii.
Differential Revision: http://reviews.llvm.org/D21573
llvm-svn: 273611
2016-06-23 20:44:48 +00:00
0618cbacb6
[libFuzzer] Add standard license info and comment header to AFLDriverTest.cpp
...
Summary: Add license info and brief description of file to AFLDriverTest.cpp.
Reviewers: kcc, aizatsky
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D21487
llvm-svn: 273527
2016-06-23 02:19:36 +00:00
042d1a7b04
[libFuzzer] make the single-run output more reliable
...
llvm-svn: 272998
2016-06-17 13:07:06 +00:00
fd6ad5bba9
[libFuzzer] use the new chainable malloc hooks instead of the old un-chainable ones, use atomic for malloc/free counters instead of a thread local counter in the main thread. This should make on-the-spot leak detection in libFuzzer more reliable
...
llvm-svn: 272948
2016-06-16 20:17:41 +00:00
7bd4720e6b
Fix test from D21194
...
Bot sets ASAN_OPTIONS=handle_abort=1 which prevents expected crash.
llvm-svn: 272866
2016-06-16 01:52:48 +00:00
d6da8f6612
Debugging D21194 issues on bot
...
llvm-svn: 272863
2016-06-16 01:26:46 +00:00
d01720d46d
Enable libFuzzer's afl_driver to append stderr to a file.
...
Summary:
[libFuzzer] Enable afl_driver to append stderr to a user specified file.
Append stderr of afl_driver to the file specified by the environmental variable
AFL_DRIVER_STDERR_DUPLICATE_FILENAME if it is set. This lets users see outputs
on crashes without rerunning crashing test cases (which won't work for crashes
that are difficult to reproduce). Before this patch, stderr would only be sent to afl-fuzz
and users would have no way of seeing it.
Reviewers: llvm-commits, aizatsky, kcc, vitalybuka
Subscribers: vitalybuka
Differential Revision: http://reviews.llvm.org/D21194
llvm-svn: 272858
2016-06-16 00:14:42 +00:00
c4989d27b5
[LibFuzzer] Fix ``FuzzerMutate.ShuffleBytes2`` unit test on OSX.
...
The ``FuzzerMutate.ShuffleBytes2`` unit test was failing on
OSX due to the implementation of ``std::random_shuffle()``
being different between libcxx and libstdc++.
@kcc has decided (see http://reviews.llvm.org/D21218 ) it is acceptable
for there to be different mutation behavior on different platforms so
this commit just adjusts the test to perform the minimum number of
iterations (that is a power of 2) to see all the mutations the unit test
is looking for.
Differential Revision: http://reviews.llvm.org/D21359
llvm-svn: 272743
2016-06-15 01:40:02 +00:00
dca553d021
Revert "Enable libFuzzer's afl_driver to append stderr to a file."
...
Crashes with AddressSanitizer: SEGV on unknown address
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer/builds/9924/steps/annotate/logs/stdio
This reverts commit r272706.
llvm-svn: 272726
2016-06-14 22:09:00 +00:00
4b73cc88bf
Enable libFuzzer's afl_driver to append stderr to a file.
...
Summary:
[libFuzzer] Enable afl_driver to append stderr to a user specified file.
Append stderr of afl_driver to the file specified by the environmental variable
AFL_DRIVER_STDERR_DUPLICATE_FILENAME if it is set. This lets users see outputs
on crashes without rerunning crashing test cases (which won't work for crashes
that are difficult to reproduce). Before this patch, stderr would only be sent to afl-fuzz
and users would have no way of seeing it.
Reviewers: llvm-commits, aizatsky, kcc, vitalybuka
Subscribers: vitalybuka
Differential Revision: http://reviews.llvm.org/D21194
llvm-svn: 272706
2016-06-14 20:42:05 +00:00
916bc2b024
[LibFuzzer] Disable the ``fuzzer-trace-pc.test`` test on non-linux platforms.
...
On OSX this test sometimes fails due to the
``LLVMFuzzer-FullCoverageSetTest-TracePC`` program going over the
default 2GiB memory limit. This shouldn't be happening and needs
investigating. For now just disable the test so we can set up an
OSX buildbot.
Differential Revision: http://reviews.llvm.org/D21319
llvm-svn: 272696
2016-06-14 19:15:13 +00:00
02432480c7
[LibFuzzer] Move tests in ``fuzzer-traces.test`` that require hooks to their own test.
...
The tests in ``fuzzer-traces-hooks.test`` only work on Linux because calls to hooks
(e.g. ``__sanitizer_weak_hook_memcmp()``) from inside the sanitizer
runtime are only implemented on Linux. Therefore these tests are set to
only run on Linux.
Differential Revision: http://reviews.llvm.org/D21253
llvm-svn: 272600
2016-06-14 00:11:34 +00:00
0617f15897
[LibFuzzer] Fix some unit test crashes on OSX.
...
This fixes the following unit tests:
FuzzerDictionary.ParseOneDictionaryEntry
FuzzerDictionary.ParseDictionaryFile
The issue appears to be mixing non-ASan-ified code (LibFuzzer) and
ASan-ified code (the unittest) as the tests would pass fine if
everything was built with ASan enabled.
I believe the issue is that different implementations of std::vector<>
are being used in LibFuzzer and outside LibFuzzer (in the unittests).
For Libcxx (I've not seen the issue manifest for libstdc++) we can disable
the ASanified std::vector<> by definining the ``_LIBCPP_HAS_NO_ASAN`` macro.
Doing this fixes the tests on OSX.
Differential Revision: http://reviews.llvm.org/D21049
llvm-svn: 272374
2016-06-10 05:33:07 +00:00
f7798526b9
[libFuzzer] add one more OOM test, which we currently don't handle very well
...
llvm-svn: 272240
2016-06-09 01:20:35 +00:00
76f425211e
[libFuzzer] add a test that is built w/o coverage instrumentation but has the coverage rt (it should now fail with a descriptive message)
...
llvm-svn: 272090
2016-06-08 01:46:13 +00:00
1873a496e2
[LibFuzzer] Declare and use sanitizer functions in ``fuzzer::ExternalFunctions``
...
This fixes linking problems on OSX.
Unfortunately it turns out we need to use an instance of the
``fuzzer::ExternalFunctions`` object in several places so this
commit also replaces all instances with a single global instance.
It also turns out initializing a global ``fuzzer::ExternalFunctions``
before main is entered (i.e. letting the object be initialised by the
global initializers) is not safe (on OSX the call to ``Printf()`` in the
CTOR crashes if it is called from a global initializer) so we instead
have a global ``fuzzer::ExternalFunctions*`` and initialize it inside
``FuzzerDriver()``.
Multiple unit tests depend also depend on the
``fuzzer::ExternalFunctions*`` global so a ``main()`` function has been
added that initializes it before running any tests.
Differential Revision: http://reviews.llvm.org/D20943
llvm-svn: 272072
2016-06-07 23:32:50 +00:00
1d0a9fd089
[LibFuzzer] Split the fuzzer-oom.test into two tests.
...
This is necessary because the existing fuzzer-oom.test was Linux
specific due to its use of __sanitizer_print_memory_profile() which
is only available on Linux right now and so the test would fail on OSX.
Differential Revision: http://reviews.llvm.org/D20977
llvm-svn: 272061
2016-06-07 21:23:30 +00:00
41d6683c39
[libfuzzer] custom crossover interface function.
...
Differential Revision: http://reviews.llvm.org/D21089
llvm-svn: 272054
2016-06-07 20:22:15 +00:00
1f88b12272
[libfuzzer] prune_corpus option for disabling pruning during the load.
...
Summary:
The option is very useful for testing, plus I intend to measure
its effect on fuzzer effectiveness.
Differential Revision: http://reviews.llvm.org/D21084
llvm-svn: 272035
2016-06-07 18:16:32 +00:00
d15c106c9b
[LibFuzzer] s/dataflow sanitizer/DataflowSanitizer/
...
llvm-svn: 271980
2016-06-07 04:44:49 +00:00
0d09f14554
[LibFuzzer] Disable building and running LSan tests on Apple platforms because LSan is not currently supported.
...
Differential Revision: http://reviews.llvm.org/D20947
llvm-svn: 271979
2016-06-07 04:44:39 +00:00
3c1782f23b
[libfuzzer] splitting fuzzer.test
...
llvm-svn: 271697
2016-06-03 18:05:22 +00:00
fba4a67a32
[LibFuzzer] Disable compiling and running the LibFuzzer dataflow sanitizer tests on Apple platforms.
...
This fixes a broken part of the build on OSX as the dataflow sanitizer is not supported
on OSX yet.
Differential Revision: http://reviews.llvm.org/D20894
llvm-svn: 271492
2016-06-02 05:48:09 +00:00
f6414426f2
[libFuzzer] use __sanitizer_print_memory_profile to print the memory profile on OOM
...
llvm-svn: 271465
2016-06-02 01:33:11 +00:00
f817731a19
[libFuzzer] when an invalid flag is given, warn, but don't crash
...
llvm-svn: 271404
2016-06-01 16:41:12 +00:00
4795210f9c
[libFuzzer] fix a use-after-free (!) in libFuzzer caused by r270905: that CL caused a push_back in the main corpus invalidating the vector<> iterators in rare cases.
...
llvm-svn: 271186
2016-05-29 15:58:57 +00:00
470d04400e
[libFuzzer] use __sanitizer_set_report_fd with -close_fd_mask. This allows us to keep asan reports when closing target's stderr
...
llvm-svn: 271053
2016-05-27 21:46:22 +00:00
8c11fce707
[LibFuzzer] Refactor declaration of tests in CMake.
...
Add a new CMake function (``add_libfuzzer_test()``) to simplify
declaration of executables for testing LibFuzzer and use it to
reorganise how tests are declared.
Note that configuration of the lit configuration files has been moved
as late as possible because we are going to need to disable some tests
for some platforms and we will need to propagate this information into
the lit configuration.
Note the code for custom mains was removed because no tests are
currently written for this and Kostya seems happy to remove this.
Differential Revision: http://reviews.llvm.org/D20706
llvm-svn: 270958
2016-05-27 03:14:40 +00:00
76dacb4ba9
[libFuzzer] make check-fuzzer a bit faster
...
llvm-svn: 270947
2016-05-27 01:12:21 +00:00
8fc3a27c5c
[libFuzzer] more refactoring: make sure CurrentUnitData is awlays a valid pointer to read from
...
llvm-svn: 270942
2016-05-27 00:21:33 +00:00
d8384122a3
[libFuzzer] more refactoring around CurrentUnit. Also add a threading test on which we currently have a race (when reporting bugs from multiple threads)
...
llvm-svn: 270929
2016-05-26 22:17:32 +00:00
676892a5d5
[LibFuzzer] Allow LibFuzzer to be built in modes other than RELEASE.
...
Previously the flags were only being set correctly when the
build type was "Release". Now the build should work properly
for all the supported build types. When building libFuzzer
the optimization level respects whatever is used for the
rest of LLVM but for the LibFuzzer tests we force -O0.
Differential Revision: http://reviews.llvm.org/D20558
llvm-svn: 270912
2016-05-26 20:55:05 +00:00
4b92326b17
[libFuzzer] when there is a leak in the existing corpus report the reproducer properly
...
llvm-svn: 270905
2016-05-26 20:25:49 +00:00
f1f3f93c9e
[libFuzzer] reimplement the way we do -only_ascii to allow more 'const' in function declarations. Add a test for -only_ascii. NFC intended
...
llvm-svn: 270900
2016-05-26 20:03:02 +00:00
e66846ab32
[libfuzzer] replacing unittest for truncate_units with functional test.
...
Differential Revision: http://reviews.llvm.org/D20641
llvm-svn: 270755
2016-05-25 21:00:17 +00:00
ff2e6badbd
[libFuzzer] print stats if we crash on empty input
...
llvm-svn: 270639
2016-05-25 00:15:36 +00:00
af432a45e3
[libfuzzer] Trying random unit prefixes during corpus load.
...
Differential Revision: http://reviews.llvm.org/D20301
llvm-svn: 270632
2016-05-24 23:14:29 +00:00
6289536922
[libFuzzer] print the file name before executing the input so that if there is a crash we know which files has caused it
...
llvm-svn: 269450
2016-05-13 18:10:33 +00:00
8b0d90a6d4
[libFuzzer] simplify FuzzerInterface.h
...
llvm-svn: 269448
2016-05-13 18:04:35 +00:00
ca9694ba2c
[libFuzzer] add a test for libFuzzer+ubsan, extend the docs on using libFuzzer+ubsan
...
llvm-svn: 268968
2016-05-09 21:02:36 +00:00
8b8f7a3cda
[libFuzzer] enhance -rss_limit_mb and enable by default. Now it will print the OOM reproducer.
...
llvm-svn: 268821
2016-05-06 23:38:07 +00:00
baf7fd0b16
[libFuzzer] print stats after running individual inputs
...
llvm-svn: 268547
2016-05-04 20:44:50 +00:00
2fe9304d62
[libFuzzer] enable detect_leaks=1, add proper docs
...
llvm-svn: 268088
2016-04-29 18:49:55 +00:00
0e0bcc4bdb
[libFuzzer] disable leak detection if we have tried it for 1000 times w/o finding a leak [part 2]
...
llvm-svn: 267771
2016-04-27 19:52:56 +00:00
7018a1aaa4
[libFuzzer] disable leak detection if we have tried it for 1000 times w/o finding a leak
...
llvm-svn: 267770
2016-04-27 19:52:34 +00:00
1bfd583d82
[libFuzzer] added -detect_leaks flag (0 by default for now). When enabled, it will help finding leaks while fuzzing
...
llvm-svn: 266838
2016-04-20 00:24:21 +00:00
ebb932d060
[libFuzzer] try to print correct time in seconds when reporting a timeout. Don't report timeouts while still loading the corpus.
...
llvm-svn: 266693
2016-04-18 22:50:39 +00:00
09087bba4d
[libFuzzer] warn if the corpus is empty
...
llvm-svn: 266670
2016-04-18 21:14:11 +00:00
b60397f54c
[libFuzzer] add a better warning for command line flags with -- (two dashes)
...
llvm-svn: 266480
2016-04-15 21:56:29 +00:00
f13cbee12e
[libfuzzer] adding license headers to cpp files
...
Differential Revision: http://reviews.llvm.org/D18705
llvm-svn: 265174
2016-04-01 18:38:58 +00:00
315167339e
[libFuzzer] don't report memory leaks if we are dying due to a timeout (just use _Exit instead of exit in the timeout callback)
...
llvm-svn: 264237
2016-03-24 01:32:08 +00:00
49e409068a
[libFuzzer] add a flag close_fd_mask so that we can silence spammy targets by closing stderr/stdout
...
llvm-svn: 263831
2016-03-18 20:58:29 +00:00
c43b584c1c
[libFuzzer] read corpus dirs recursively
...
llvm-svn: 263773
2016-03-18 01:36:00 +00:00
945761b8c2
[libFuzzer] improve -merge functionality
...
llvm-svn: 263769
2016-03-18 00:23:29 +00:00
c5575aabd6
[libFuzzer] deprecate several flags
...
llvm-svn: 263739
2016-03-17 19:59:39 +00:00
243fe2b3a0
[libfuzzer] adding std:string to allowed adaptable argument.
...
llvm-svn: 262757
2016-03-04 23:18:01 +00:00
b8627a89a6
[libfuzzer] arbitrary function adapter.
...
The adapter automates converting sequence of bytes into arbitrary
arguments.
Differential Revision: http://reviews.llvm.org/D17829
llvm-svn: 262673
2016-03-03 23:45:29 +00:00
228d5b1ce4
[libFuzzer] add generic signal handlers so that libFuzzer can report at least something if ASan is not handlig the signals for us. Remove abort_on_timeout flag.
...
llvm-svn: 262415
2016-03-01 22:19:21 +00:00
bf821db932
[libFuzzer] fixing the bot
...
llvm-svn: 262106
2016-02-27 03:14:23 +00:00
2d4f8f168b
[libFuzzer] speedup path coverage handling
...
llvm-svn: 262102
2016-02-27 01:50:16 +00:00
66ff0756e4
[libFuzzer] add -print_final_stats=1 flag
...
llvm-svn: 262084
2016-02-26 22:42:23 +00:00
da63c1d09a
[libFuzzer] initial implementation of path coverage based on -fsanitize-coverage=trace-pc. This does not scale well yet, but already cracks FullCoverageSetTest in seconds
...
llvm-svn: 262073
2016-02-26 21:33:56 +00:00
90bcdb512b
[libFuzzer] fix the libFuzzer bot
...
llvm-svn: 261184
2016-02-18 02:02:40 +00:00
1deb0498f5
[libFuzzer] don't require seed in fuzzer::Mutate, instead use the global Fuzzer object for fuzzer::Mutate. This makes custom mutators fast
...
llvm-svn: 260810
2016-02-13 06:24:18 +00:00
7ec0c56e07
[libFuzzer] get rid of UserSuppliedFuzzer; NFC
...
llvm-svn: 260798
2016-02-13 03:25:16 +00:00
a399221c32
[libFuzzer] simplify the code around Random. NFC
...
llvm-svn: 260797
2016-02-13 03:00:53 +00:00
ecab57b3ce
[libFuzzer] remove UserSuppliedFuzzer from the interface (it was a bad idea).
...
llvm-svn: 260796
2016-02-13 02:39:30 +00:00
22cc5e2375
[libFuzzer] provide a plain C interface for custom mutators (experimental)
...
llvm-svn: 260794
2016-02-13 02:29:38 +00:00
9d14e4bb15
[libFuzzer] make -runs=N flag also affect the simple runner (will execute every input N times)
...
llvm-svn: 260649
2016-02-12 02:32:03 +00:00
ce925c580e
[libFuzzer] hot fix a test
...
llvm-svn: 259732
2016-02-04 00:12:28 +00:00
b92602ada0
[libFuzzer] don't write the test unit when a leak is detected (since we don't know which unit causes the leak)
...
llvm-svn: 259731
2016-02-04 00:02:17 +00:00
bfbe7fc404
[libFuzzer] allow passing 1 or more files as individual inputs
...
llvm-svn: 259459
2016-02-02 03:03:47 +00:00
078e984d8d
[libFuzzer] fail if the corpus dir does not exist
...
llvm-svn: 259454
2016-02-02 02:07:26 +00:00
54a6363a8f
[libFuzzer] add -timeout_exitcode option
...
llvm-svn: 259265
2016-01-29 23:30:07 +00:00
085ca4131f
[libFuzzer] re-enable test for -abort_on_timeout=1, this time protecting from ASAN_OPTIONS set outside
...
llvm-svn: 259263
2016-01-29 23:19:00 +00:00
d7785e75f3
Temporary disable broken fuzzer/timeout tests.
...
Reviewers: kcc
Differential Revision: http://reviews.llvm.org/D16543
llvm-svn: 258702
2016-01-25 19:05:45 +00:00
9768e7f06b
[libFuzzer] add -abort_on_timeout option
...
llvm-svn: 258631
2016-01-23 19:34:19 +00:00
df91910bd4
Use std::piecewise_constant_distribution instead of ad-hoc binary search.
...
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.
Note: this is the second attempt (prev: r258473). Now, libc++ build is fixed.
Reviewers: aizatsky, kcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D16487
llvm-svn: 258571
2016-01-22 22:28:27 +00:00
d84f74cab7
Revert r258473 as it's breaking the build with libc++
...
Reviewers: kcc
Differential Revision: http://reviews.llvm.org/D16441
llvm-svn: 258479
2016-01-22 03:21:52 +00:00
b008fd4d89
Use std::piecewise_constant_distribution instead of ad-hoc binary search.
...
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.
Note: I had to change the seed for one test to make it pass. Alternatively,
the number of runs could be increased. I believe that the average time of
'foo' discovery is not increased, just seed=1 was particularly convenient
for the previous PRNG scheme used.
Reviewers: aizatsky, kcc
Subscribers: llvm-commits, kcc
Differential Revision: http://reviews.llvm.org/D16419
llvm-svn: 258473
2016-01-22 01:32:34 +00:00
311f27c0a8
[libFuzzer] use std::mt19937 for generating random numbers by default. Fix MyStoll to handle negative values. Use std::any_of instead of std::find_if
...
llvm-svn: 258178
2016-01-19 20:33:57 +00:00
476f0ce31a
[libFuzzer] replace vector with a simpler data structure in the Dictionaries to avoid memory allocations on hot path
...
llvm-svn: 257985
2016-01-16 03:53:32 +00:00
aca7696f4d
[libFuzzer] introduce LLVMFuzzerInitialize
...
llvm-svn: 257980
2016-01-16 01:23:12 +00:00
ae5b9567bc
[libFuzzer] do mutations based on memcmp/strcmp interceptors under a separate flag (-use_memcmp, default=1)
...
llvm-svn: 257873
2016-01-15 06:24:05 +00:00
4b35874b2a
[libFuzzer] suggest a dictionary to the user of some of the trace-based dictionary entries were successful
...
llvm-svn: 257736
2016-01-14 02:36:44 +00:00
d50a3eedb4
[libFuzzer] make sure we find buffer overflow in the input buffer. Previously, re-using the same vector object was hiding buffer overflows (unless we used annotated vector)
...
llvm-svn: 257701
2016-01-13 23:02:30 +00:00
b65805a939
[libFuzzer] change the way trace-based mutations are applied. Instead of a custom code just rely on the automatically created dictionary
...
llvm-svn: 257248
2016-01-09 03:08:58 +00:00
c573316eee
[libFuzzer] don't limit memcmp tracing with 8 bytes
...
llvm-svn: 257245
2016-01-09 01:39:55 +00:00
152ac7ad70
[libFuzzer] add a position hint to the dictionary-based mutator
...
llvm-svn: 257013
2016-01-07 01:49:35 +00:00
8b11f877e4
[libfuzzer] print_new_cov_pcs experimental option.
...
Differential Revision: http://reviews.llvm.org/D15901
llvm-svn: 256882
2016-01-06 00:21:22 +00:00
226b734d73
[libFuzzer] make trace-based fuzzing not crash in presence of threads
...
llvm-svn: 256876
2016-01-06 00:03:35 +00:00
bf65644c97
[libFuzzer] split the tests to run them in parallel, remove one redundant test
...
llvm-svn: 256085
2015-12-19 03:35:30 +00:00
27ab2d759f
[libFuzzer] make CrossOver just one of the other mutations
...
llvm-svn: 256081
2015-12-19 02:49:09 +00:00
a1a5c69b57
[LibFuzzer] Introducing FUZZER_FLAG_UNSIGNED and using it for seeding.
...
Differential Revision: http://reviews.llvm.org/D15339
done
llvm-svn: 255296
2015-12-10 20:41:53 +00:00
9e48cda9bc
[libFuzzer] compute base64 in-process instead of using an external lib. Since libFuzzer should not depend on anything, just re-implement base64 encoder. PR25746
...
llvm-svn: 254784
2015-12-04 22:29:39 +00:00
71552ce64b
Libfuzzer: do not pass null into user function
...
Differential Revision: http://reviews.llvm.org/D15098
llvm-svn: 254558
2015-12-02 22:43:53 +00:00
fba04273b7
[libFuzzer] add a test that is built with -fsanitize-coverage=trace-bb
...
llvm-svn: 254484
2015-12-02 02:49:37 +00:00
2d0ef14f5d
[libFuzzer] add a flag -exact_artifact_path
...
llvm-svn: 254100
2015-11-25 21:40:46 +00:00
dc3135db05
[libFuzzer] experimental flag -drill (another search heuristic; Mike Aizatsky's idea)
...
llvm-svn: 252838
2015-11-12 01:02:01 +00:00
b7e286bed7
[libFuzzer] add UninstrumentedTest.cpp (missing from a previous commit)
...
llvm-svn: 252658
2015-11-10 22:02:56 +00:00
5eab74e9bc
[libFuzzer] make libFuzzer link if there is no sanitizer coverage instrumentation (it will fail at start-up time)
...
llvm-svn: 252533
2015-11-09 23:17:45 +00:00
9cc3b0ddb6
[libFuzzer] add -merge flag to merge corpora
...
llvm-svn: 251168
2015-10-24 01:16:40 +00:00
2e9fca9f88
[libFuzzer] use the indirect caller-callee counter as an independent search heuristic
...
llvm-svn: 251078
2015-10-22 23:55:39 +00:00
b36025619c
[libFuzzer] remove the deprecated 'tokens' feature
...
llvm-svn: 251069
2015-10-22 21:48:09 +00:00
d6edce97fb
[libFuzzer] print a stack trace on timeout
...
llvm-svn: 250571
2015-10-16 23:04:31 +00:00
b91c62b1f3
[libFuzzer] When -test_single_input crashes the test it is not necessary to write crash-file because input is already known to the user. Patch by Mike Aizatsky
...
llvm-svn: 250564
2015-10-16 22:41:47 +00:00
bd5d1cdbb9
[libFuzzer] add -artifact_prefix flag
...
llvm-svn: 249807
2015-10-09 03:57:59 +00:00
20bb5e71b2
[libFuzzer] make LLVMFuzzerTestOneInput (the fuzzer target function) return int instead of void. The actual return value is not *yet* used (and expected to be 0). This change is API breaking, so the fuzzers will need to be updated.
...
llvm-svn: 249214
2015-10-02 23:34:06 +00:00
65d0a1458f
[libFuzzer] remove experimental flag and functionality
...
llvm-svn: 249194
2015-10-02 22:00:32 +00:00
b85db178a0
[libFuzzer] add a flag -max_total_time
...
llvm-svn: 249181
2015-10-02 20:47:55 +00:00
95e82d5b48
[LibFuzzer] test_single_input option to run a single test case.
...
-test_single_input flag specifies a file name with test data.
Review URL: http://reviews.llvm.org/D13359
Patch by Mike Aizatsky!
llvm-svn: 249096
2015-10-01 23:23:06 +00:00
a610cb5ba0
[libFuzzer]Add a test for defeating a hash sum.
...
Summary:
Add a test for a data followed by 4-byte hash value.
I use a slightly modified Jenkins hash function,
as described in https://en.wikipedia.org/wiki/Jenkins_hash_function
The modification is to ensure that hash(zeros) != 0.
Reviewers: kcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D12648
llvm-svn: 247076
2015-09-08 21:22:52 +00:00
25425ad920
[libFuzzer] add one more mutator: Mutate_ChangeASCIIInteger
...
llvm-svn: 247027
2015-09-08 17:19:31 +00:00
7d21166218
[libFuzzer] actually make the dictionaries work (+docs)
...
llvm-svn: 246825
2015-09-04 00:12:11 +00:00
ec2dcb1d91
[libFuzzer] refactor the mutation functions so that they are now methods of a class. NFC
...
llvm-svn: 246808
2015-09-03 21:24:19 +00:00
9838b2be87
[libFuzzer] adding a parser for AFL-style dictionaries + tests.
...
llvm-svn: 246800
2015-09-03 20:23:46 +00:00
6ea1b69fcf
[libFuzzer] deprecate the -tokens flag. This was a bad idea because the corpus with this flag contains encrypted inputs, not the real inputs, which complicates interoperation with other fuzzers. Instead we'll need to implement AFL dictionary support
...
llvm-svn: 246734
2015-09-02 23:27:39 +00:00
12c7837381
[libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied
...
llvm-svn: 244712
2015-08-12 01:55:37 +00:00
242ca930e8
[libFuzzer] move the mutators to public interface so that custom mutators may reuse these functions directly
...
llvm-svn: 244250
2015-08-06 19:19:55 +00:00
bf29ff2fa5
[libFuzzer] add one more mutation strategy: byte shuffling
...
llvm-svn: 244188
2015-08-06 01:29:13 +00:00
1ce0035bf0
[libFuzzer] add a missing test file
...
llvm-svn: 244151
2015-08-05 21:32:13 +00:00
7f4227d59a
[libFuzzer] use data-flow feedback from strcmp
...
llvm-svn: 244084
2015-08-05 18:23:01 +00:00
86a5fba71d
[libFuzzer] more refactoring of the Mutator and adding tests to it
...
llvm-svn: 243818
2015-08-01 02:23:06 +00:00
8ce7424e9c
[libFuzzer] start refactoring the Mutator and adding tests to it
...
llvm-svn: 243817
2015-08-01 01:42:51 +00:00
fe7e41e8f5
[libFuzzer] make sure that 2-byte arguments of switch() are handled properly
...
llvm-svn: 243781
2015-07-31 20:58:55 +00:00
cd6a4665e0
[libFuzzer] support switch interception in dfsan mode
...
llvm-svn: 243760
2015-07-31 17:05:05 +00:00
fb7d8d9d06
[libFuzzer] trace switch statements and apply mutations based on the expected case values
...
llvm-svn: 243726
2015-07-31 01:33:06 +00:00
c9dc96bfc6
[libFuzzer] fix the strncmp interceptor -- it should respect short strings.
...
llvm-svn: 243691
2015-07-30 21:22:22 +00:00
b74ba421fc
[libFuzzer] implement strncmp hook for data-flow-guided fuzzing (w/ and w/o dfsan), add a test
...
llvm-svn: 243611
2015-07-30 02:33:45 +00:00
0e776a2250
[libFuzzer] implement memcmp hook for data-flow-guided fuzzing (w/o dfsan), extend the memcmp fuzzer test
...
llvm-svn: 243603
2015-07-30 01:34:58 +00:00
ae7df1ca4d
[libFuzzer] ensure that the dfsan tracing hooks actually run (using -verbosity=3 in tests)
...
llvm-svn: 243365
2015-07-28 01:25:00 +00:00
404c69f2c8
[libFuzzer] allow users to supply their own implementation of rand
...
llvm-svn: 243078
2015-07-24 01:06:40 +00:00
2b7d2e91cc
[libFuzzer] dump long running units to disk
...
llvm-svn: 243031
2015-07-23 18:37:22 +00:00
4800c2de28
[Fuzzer] Rely on $PATH expansion instead of hardcoding paths in tests. NFC.
...
llvm-svn: 242851
2015-07-21 22:51:55 +00:00
dc324e1644
[Fuzzer] Clearly separate regular and DFSan tests. NFC.
...
llvm-svn: 242850
2015-07-21 22:51:49 +00:00
f3c7cb464e
[lib/Fuzzer] remove -use_coverage_pairs=1, an experimental feature that is unlikely to ever scale
...
llvm-svn: 238063
2015-05-22 22:47:03 +00:00
f342459aa4
[lib/Fuzzer] extend the fuzzer interface to allow user-supplied mutators
...
llvm-svn: 238059
2015-05-22 22:35:31 +00:00
490bbd6fa4
[lib/Fuzzer] change the meaning of -timeout flag: now timeout is applied to every unit of work separately
...
llvm-svn: 237735
2015-05-19 22:12:57 +00:00
96eab65d81
[lib/Fuzzer] Add SHA1 implementation from public domain.
...
Summary:
This adds a SHA1 implementation taken from public domain code.
The change is trivial, but as it involves third-party code I'd like
a second pair of eyes before commit.
LibFuzzer can not use SHA1 from openssl because openssl may not be available
and because we may be fuzzing openssl itself.
Using sha1sum via a pipe is too slow.
Test Plan: n/a
Reviewers: chandlerc
Reviewed By: chandlerc
Subscribers: majnemer, llvm-commits
Differential Revision: http://reviews.llvm.org/D9733
llvm-svn: 237400
2015-05-14 22:41:49 +00:00
d8c54724a8
[lib/Fuzzer] remove the -dfsan=1 flag, just use -use_traces=1 (w/ or w/o dfsan)
...
llvm-svn: 237083
2015-05-12 01:58:34 +00:00
5a99ecbbb3
[lib/Fuzzer] add a trace-based mutatation logic. Same idea as with DFSan-based mutator, but instead of relying on taint tracking, try to find the data directly in the input. More (logic and comments) to go.
...
llvm-svn: 237043
2015-05-11 20:51:19 +00:00
f3f3ed323a
[lib/Fuzzer] build tests that work well with dfsan also w/o dfsan
...
llvm-svn: 236909
2015-05-08 21:45:19 +00:00
1ac8055bc7
[lib/Fuzzer] use -fsanitize-coverage=trace-cmp when building LLVM with LLVM_USE_SANITIZE_COVERAGE; in lib/Fuzzer try to reload the corpus to pick up new units from other processes
...
llvm-svn: 236906
2015-05-08 21:30:55 +00:00
21a3381a38
Update CMake flags, LibFuzzer comments and docs for new -fsanitize-coverage= flags.
...
llvm-svn: 236797
2015-05-07 23:33:24 +00:00
beb24c38e7
[lib/Fuzzer] change the way we use taint information for fuzzing. Now, we run a single unit and collect suggested mutations based on tracing+taint data, then apply the suggested mutations one by one. The previous scheme was slower and more complex.
...
llvm-svn: 236772
2015-05-07 21:02:11 +00:00
a407ddef27
[lib/Fuzzer] add dfsan_weak_hook_memcmp, enable the test that uses it, simplify the test runner
...
llvm-svn: 236683
2015-05-07 00:11:33 +00:00
3befe94acb
[lib/Fuzzer] remove dfsan_fuzzer_abi.list -- its contents are now moved to dfsan proper
...
llvm-svn: 236659
2015-05-06 22:47:24 +00:00
754f55d6f5
[lib/Fuzzer] add a fuzzer test for memcmp (does not work yet)
...
llvm-svn: 236656
2015-05-06 22:36:00 +00:00
566bc5aa8a
[lib/Fuzzer] rename TestOneInput to LLVMFuzzerTestOneInput to make it more unique
...
llvm-svn: 236652
2015-05-06 22:19:00 +00:00
52a788e503
[fuzzer] Add support for token-based fuzzing (e.g. for C++). Allow string flags.
...
llvm-svn: 233745
2015-03-31 20:13:20 +00:00
16d03bd051
DFSan-based fuzzer (proof of concept).
...
Summary:
This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.
Test Plan: a test added
Reviewers: samsonov, pcc
Reviewed By: samsonov, pcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D8669
llvm-svn: 233613
2015-03-30 22:09:51 +00:00
be5e0ed919
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
...
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt ) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-03 23:27:02 +00:00
2e3622bddd
[fuzzer] one more experimental search mode: -use_coverage_pairs=1
...
llvm-svn: 229957
2015-02-20 03:02:37 +00:00
cf9fdd5876
[fuzzer] Add proper dependensices to the fuzzer tests
...
Summary: Make sure that FileCheck is built when running check-fuzzer
Test Plan:
run on bot:
lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer
Reviewers: samsonov
Reviewed By: samsonov
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D7387
llvm-svn: 228045
2015-02-03 21:57:32 +00:00
71672552db
[fuzzer] Add a gtest-style test
...
Summary: Add one gtest-style test.
Test Plan: run on bot
Reviewers: samsonov
Reviewed By: samsonov
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D7287
llvm-svn: 227639
2015-01-30 23:26:57 +00:00
2c1b33b897
[fuzzer] add -use_full_coverage_set=1 which solves FullCoverageSetTest. This does not scale very well yet, but might be a good start.
...
llvm-svn: 227507
2015-01-29 23:01:07 +00:00
0ff86c79b4
[fuzzer] fix warning in a test
...
llvm-svn: 227478
2015-01-29 18:13:36 +00:00
6d768fcc18
[fuzzer] minor cleanup based on reviews: remove redundant includes, fix a copy-pasto in tests
...
llvm-svn: 227468
2015-01-29 17:16:23 +00:00
ef11698cac
Reverting r227452, which adds back the fuzzer library. Now excluding the fuzzer library based on LLVM_USE_SANITIZE_COVERAGE being set or unset.
...
llvm-svn: 227464
2015-01-29 16:58:29 +00:00
7b54ed221a
Temporarily reverting the fuzzer library as it causes too many build issues for MSVC users. This reverts: 227445, 227395, 227389, 227357, 227254, 227252
...
llvm-svn: 227452
2015-01-29 15:49:22 +00:00
Kostya Serebryany