OSchip
/
llvm-project
mirror of https://github.com/THU-DSP-LAB/llvm-project.git
13
0
Fork 6
Code Issues Packages Projects Releases Wiki Activity
257,842 Commits 32 Branches 0 Tags 2.2 GiB
Commit Graph

216 Commits

Author SHA1 Message Date
Kostya Serebryany a9b0dd0e51 [sanitizer-coverage/libFuzzer] make the guards for trace-pc 32-bit; create one array of guards per function, instead of one guard per BB. reorganize the code so that trace-pc-guard does not create unneeded globals 
llvm-svn: 282735
 2016-09-29 17:43:24 +00:00
Kostya Serebryany 5ff481fd9e [libFuzzer] add -exit_on_src_pos to test libFuzzer itself, add a test script for RE2 that uses this flag 
llvm-svn: 282458
 2016-09-27 00:10:20 +00:00
Kostya Serebryany 0800b81a21 [libFuzzer] simplify HandleTrace again, start re-running interesting units and collecting their features. 
llvm-svn: 282316
 2016-09-23 23:51:58 +00:00
Kostya Serebryany ce1cab169f [libFuzzer] be more precise about what we reset in TracePC 
llvm-svn: 282225
 2016-09-23 02:18:59 +00:00
Kostya Serebryany 16a145fd0f [libFuzzer] fix merging with trace-pc-guard 
llvm-svn: 282224
 2016-09-23 01:58:51 +00:00
Kostya Serebryany 87a598e19f [libFuzzer] simplify the TracePC logic 
llvm-svn: 282222
 2016-09-23 01:20:07 +00:00
Kostya Serebryany ab73c6924f [libFuzzer] move value profiling logic into TracePC 
llvm-svn: 282219
 2016-09-23 00:46:18 +00:00
Kostya Serebryany d28099de5d [libFuzzer] change ValueBitMap to remember the number of bits in it 
llvm-svn: 282216
 2016-09-23 00:22:46 +00:00
Kostya Serebryany be0ed59cdc [libFuzzer] simplify the crash minimizer; split MaxLen into two: MaxInputLen and MaxMutationLen, allow MaxMutationLen to be less than MaxInputLen 
llvm-svn: 282211
 2016-09-22 23:16:36 +00:00
Kostya Serebryany 624f59f4d8 [libFuzzer] add 'features' to the corpus elements, allow mutations with Size > MaxSize, fix sha1 in corpus stats; various refactorings 
llvm-svn: 282129
 2016-09-22 01:34:58 +00:00
Kostya Serebryany 29bb664075 [libFuzzer] add stats to the corpus; more refactoring 
llvm-svn: 282121
 2016-09-21 22:42:17 +00:00
Kostya Serebryany 20801e1b8a [libFuzzer] more refactoring; don't compute sha1sum every time we mutate a unit from the corpus, use the stored one. 
llvm-svn: 282115
 2016-09-21 21:41:48 +00:00
Kostya Serebryany 6f5a804cdb [libFuzzer] refactoring: split the large header into many; NFC 
llvm-svn: 282044
 2016-09-21 01:50:50 +00:00
Kostya Serebryany 09aa01a6f8 [libFuzzer] refactoring: move the Corpus into a separate class; delete two unused experimental features 
llvm-svn: 282042
 2016-09-21 01:04:43 +00:00
Kostya Serebryany b706b481ba [libFuzzer] add -print_coverage=1 flag to print coverage directly from libFuzzer 
llvm-svn: 281866
 2016-09-18 21:47:08 +00:00
Kostya Serebryany 3e36ec1d18 [libFuzzer] change trace-pc to use 8-byte guards 
llvm-svn: 281810
 2016-09-17 05:04:47 +00:00
Kostya Serebryany 5350178487 [libFuzzer] implement print_pcs with trace-pc-guard. Change the trace-pc-guard heuristic for 8-bit counters to look more like in AFL (not that it's provable better, but the existin test preferes this heuristic) 
llvm-svn: 281577
 2016-09-15 04:36:45 +00:00
Kostya Serebryany a5277d59d0 [libFuzzer] add 8-bit counters to trace-pc-guard handler 
llvm-svn: 281568
 2016-09-15 01:30:18 +00:00
Kostya Serebryany a00b243c75 [libFuzzer] start using trace-pc-guard as an alternative source of coverage 
llvm-svn: 281435
 2016-09-14 02:13:06 +00:00
Kostya Serebryany 8c537c556a [libFuzzer] print a failed-merge warning only in the merge mode 
llvm-svn: 281130
 2016-09-10 02:17:22 +00:00
Kostya Serebryany b991cc1f0e [libFuzzer] print a visible message if merge fails due to a crash 
llvm-svn: 281122
 2016-09-10 00:15:41 +00:00
Kostya Serebryany b76a2a5503 [libFuzzer] improve -print_pcs to not print new PCs coming from libFuzzer itself 
llvm-svn: 281016
 2016-09-09 02:38:28 +00:00
Kostya Serebryany 8ea4f9873b [libFuzzer] remove unneeded call 
llvm-svn: 281014
 2016-09-09 01:57:38 +00:00
Mike Aizatsky b077d3fef2 [libfuzzer] simplified unit truncation; do not write trunc items to disc 
Differential Revision: https://reviews.llvm.org/D24049

llvm-svn: 280153
 2016-08-30 20:49:07 +00:00
Kostya Serebryany 0f0fa4faf2 [libFizzer] rename -print_new_cov_pcs=1 into -print_pcs=1 and make it more useful: print PCs only after the initial corpus has been read and symbolize them 
llvm-svn: 279787
 2016-08-25 22:35:08 +00:00
Kostya Serebryany f67357c671 [libFuzzer] simplify the code, NFC 
llvm-svn: 279697
 2016-08-25 01:25:03 +00:00
Kostya Serebryany a9a548049a [libFuzzer] when printing the reproducer input, also print the base input and the mutation sequence 
llvm-svn: 278975
 2016-08-17 20:45:23 +00:00
Kostya Serebryany d46a59fac4 [libFuzzer] new experimental feature: value profiling. Profiles values that affect control flow and treats new values as new coverage. 
llvm-svn: 278839
 2016-08-16 19:33:51 +00:00
Kostya Serebryany c98ef718ea [libFuzzer] refactoring around PCMap, NFC 
llvm-svn: 278825
 2016-08-16 17:37:13 +00:00
Kostya Serebryany 728447bd3b [libFuzzer] make libFuzzer work with a bit older clang versions 
llvm-svn: 277941
 2016-08-06 21:28:56 +00:00
Kostya Serebryany ff1f2107ec [libFuzzer] don't print bogus error message 
llvm-svn: 277940
 2016-08-06 21:23:29 +00:00
Mike Aizatsky b4bbc3bb7a [sanitizers] trace buffer API to use user-allocated buffer. 
Differential Revision: https://reviews.llvm.org/D23185

llvm-svn: 277859
 2016-08-05 20:09:53 +00:00
Mike Aizatsky f0b3e85f4e [libfuzzer] moving is_ascii handler inside mutation dispatcher. 
Summary: It also fixes a bug, when first random might not be ascii.

Differential Revision: http://reviews.llvm.org/D21573

llvm-svn: 273611
 2016-06-23 20:44:48 +00:00
Kostya Serebryany fd6ad5bba9 [libFuzzer] use the new chainable malloc hooks instead of the old un-chainable ones, use atomic for malloc/free counters instead of a thread local counter in the main thread. This should make on-the-spot leak detection in libFuzzer more reliable 
llvm-svn: 272948
 2016-06-16 20:17:41 +00:00
Kostya Serebryany 53b7b3ca5f [libFuzzer] add 'weak' back to __sanitizer_malloc_hook and __sanitizer_free_hook 
llvm-svn: 272116
 2016-06-08 04:49:29 +00:00
Kostya Serebryany 76f425211e [libFuzzer] add a test that is built w/o coverage instrumentation but has the coverage rt (it should now fail with a descriptive message) 
llvm-svn: 272090
 2016-06-08 01:46:13 +00:00
Dan Liew 1873a496e2 [LibFuzzer] Declare and use sanitizer functions in ``fuzzer::ExternalFunctions`` 
This fixes linking problems on OSX.

Unfortunately it turns out we need to use an instance of the
``fuzzer::ExternalFunctions`` object in several places so this
commit also replaces all instances with a single global instance.

It also turns out initializing a global ``fuzzer::ExternalFunctions``
before main is entered (i.e. letting the object be initialised by the
global initializers) is not safe (on OSX the call to ``Printf()`` in the
CTOR crashes if it is called from a global initializer) so we instead
have a global ``fuzzer::ExternalFunctions*`` and initialize it inside
``FuzzerDriver()``.

Multiple unit tests depend also depend on the
``fuzzer::ExternalFunctions*`` global so a ``main()`` function has been
added that initializes it before running any tests.

Differential Revision: http://reviews.llvm.org/D20943

llvm-svn: 272072
 2016-06-07 23:32:50 +00:00
Mike Aizatsky 1f88b12272 [libfuzzer] prune_corpus option for disabling pruning during the load. 
Summary:
The option is very useful for testing, plus I intend to measure
its effect on fuzzer effectiveness.

Differential Revision: http://reviews.llvm.org/D21084

llvm-svn: 272035
 2016-06-07 18:16:32 +00:00
Mike Aizatsky 70fd3e412a [libfuzzer] hiding custom mutator handling in MutationDispatcher. 
Summary: Refactoring, no functional changes.

Differential Revision: http://reviews.llvm.org/D20975

llvm-svn: 271740
 2016-06-03 21:34:29 +00:00
Dan Liew d3c33116fd [LibFuzzer] Reimplement how the optional user functions are called. 
The motivation for this change is to fix linking issues on OSX.
However this only partially fixes linking issues (the uninstrumented
tests and a few others  won't succesfully link yet).

This change introduces a struct of function pointers
(``fuzzer::ExternalFuntions``) which when initialised will point to the
optional functions if they are available.  Currently these
``LLVMFuzzerInitialize`` and ``LLVMFuzzerCustomMutator`` functions.

Two implementations of ``fuzzer::ExternalFunctions`` constructor are
provided one for Linux and one for OSX.

The OSX implementation uses ``dlsym()`` because the prior implementation
using weak symbols does not work unless the additional flags are passed
to the linker.

The Linux implementation continues to use weak symbols because the
``dlsym()`` approach does not work unless additional flags are passed
to the linker.

Differential Revision: http://reviews.llvm.org/D20741

llvm-svn: 271491
 2016-06-02 05:48:02 +00:00
Kostya Serebryany f6414426f2 [libFuzzer] use __sanitizer_print_memory_profile to print the memory profile on OOM 
llvm-svn: 271465
 2016-06-02 01:33:11 +00:00
Kostya Serebryany 4795210f9c [libFuzzer] fix a use-after-free (!) in libFuzzer caused by r270905: that CL caused a push_back in the main corpus invalidating the vector<> iterators in rare cases. 
llvm-svn: 271186
 2016-05-29 15:58:57 +00:00
Kostya Serebryany 311cc8378e [libFuzzer] fix a failure that occurs when running individual inputs 
llvm-svn: 271095
 2016-05-28 04:19:46 +00:00
Kostya Serebryany 0edb563f27 [libFuzzer] make OOM-handling more portable. Instead of sending a signal to the main fuzzing thread, print the message in the getrusage thread and exit. 
llvm-svn: 270945
 2016-05-27 00:54:15 +00:00
Kostya Serebryany 8fc3a27c5c [libFuzzer] more refactoring: make sure CurrentUnitData is awlays a valid pointer to read from 
llvm-svn: 270942
 2016-05-27 00:21:33 +00:00
Kostya Serebryany d8384122a3 [libFuzzer] more refactoring around CurrentUnit. Also add a threading test on which we currently have a race (when reporting bugs from multiple threads) 
llvm-svn: 270929
 2016-05-26 22:17:32 +00:00
Kostya Serebryany f26017baf9 [libFuzzer] refactor: hide CurrentUnitData inside an interface function. NFC 
llvm-svn: 270922
 2016-05-26 21:32:30 +00:00
Kostya Serebryany 4b92326b17 [libFuzzer] when there is a leak in the existing corpus report the reproducer properly 
llvm-svn: 270905
 2016-05-26 20:25:49 +00:00
Kostya Serebryany f1f3f93c9e [libFuzzer] reimplement the way we do -only_ascii to allow more 'const' in function declarations. Add a test for -only_ascii. NFC intended 
llvm-svn: 270900
 2016-05-26 20:03:02 +00:00
Kostya Serebryany ff2e6badbd [libFuzzer] print stats if we crash on empty input 
llvm-svn: 270639
 2016-05-25 00:15:36 +00:00
Mike Aizatsky af432a45e3 [libfuzzer] Trying random unit prefixes during corpus load. 
Differential Revision: http://reviews.llvm.org/D20301

llvm-svn: 270632
 2016-05-24 23:14:29 +00:00
Dan Liew 3868e468fe [LibFuzzer] 
Work around crashes in ``__sanitizer_malloc_hook()`` under Mac OSX.

Under Mac OSX we intercept calls to malloc before thread local
storage is initialised leading to a crash when accessing
``AllocTracer``. To workaround this ``AllocTracer`` is only accessed
in the hook under Linux. For symmetry ``__sanitizer_free_hook()``
is also modified in the same way.

To support this change a set of new macros
LIBFUZZER_LINUX and LIBFUZZER_APPLE has been defined which can be
used to check the target being compiled for.

Differential Revision: http://reviews.llvm.org/D20402

llvm-svn: 270145
 2016-05-19 22:00:33 +00:00
Kostya Serebryany a0788e7dd4 [libFuzzer] do the merge faster and a bit less precise 
llvm-svn: 269497
 2016-05-13 22:11:23 +00:00
Kostya Serebryany 8b0d90a6d4 [libFuzzer] simplify FuzzerInterface.h 
llvm-svn: 269448
 2016-05-13 18:04:35 +00:00
Mike Aizatsky 1aa501e7e8 [libfuzzer] Refactoring coverage state-management code. 
It is now less state-dependent and will allow easier comparing of
coverages of different units.

Differential Revision: http://reviews.llvm.org/D20085

llvm-svn: 269140
 2016-05-10 23:43:15 +00:00
Kostya Serebryany 8b8f7a3cda [libFuzzer] enhance -rss_limit_mb and enable by default. Now it will print the OOM reproducer. 
llvm-svn: 268821
 2016-05-06 23:38:07 +00:00
Kostya Serebryany 52b394e981 [libFuzzer] add exeprimental -rss_limit_mb flag to fight against OOMs 
llvm-svn: 268807
 2016-05-06 21:58:35 +00:00
Kostya Serebryany 7018a1aaa4 [libFuzzer] disable leak detection if we have tried it for 1000 times w/o finding a leak 
llvm-svn: 267770
 2016-04-27 19:52:34 +00:00
Kostya Serebryany 9ba19182be [libFuzzer] remove dead code 
llvm-svn: 267455
 2016-04-25 19:41:45 +00:00
Kostya Serebryany 1bfd583d82 [libFuzzer] added -detect_leaks flag (0 by default for now). When enabled, it will help finding leaks while fuzzing 
llvm-svn: 266838
 2016-04-20 00:24:21 +00:00
Kostya Serebryany ebb932d060 [libFuzzer] try to print correct time in seconds when reporting a timeout. Don't report timeouts while still loading the corpus. 
llvm-svn: 266693
 2016-04-18 22:50:39 +00:00
Mike Aizatsky 94e29668b0 [libfuzzer] defensive assert 
llvm-svn: 265866
 2016-04-08 23:32:24 +00:00
Kostya Serebryany 315167339e [libFuzzer] don't report memory leaks if we are dying due to a timeout (just use _Exit instead of exit in the timeout callback) 
llvm-svn: 264237
 2016-03-24 01:32:08 +00:00
Benjamin Kramer d96b0c14fb [Fuzzer] Guard no_sanitize_memory attributes behind __has_feature. 
Otherwise GCC fails to build it because it doesn't know the attribute.

llvm-svn: 263787
 2016-03-18 14:19:19 +00:00
Kostya Serebryany 945761b8c2 [libFuzzer] improve -merge functionality 
llvm-svn: 263769
 2016-03-18 00:23:29 +00:00
Kostya Serebryany c5575aabd6 [libFuzzer] deprecate several flags 
llvm-svn: 263739
 2016-03-17 19:59:39 +00:00
Kostya Serebryany 23dbc390af [libFuzzer] add __attribute__((no_sanitize_memory)) to two functions that may be called from signal handler(s) or from msan. This will hopefully avoid msan false reports which I can't reproduce 
llvm-svn: 263737
 2016-03-17 19:42:35 +00:00
Kostya Serebryany 64d24578d8 [libFuzzer] try to use max_len based on the items of the corpus instead of blindly defaulting to 64 bytes. 
llvm-svn: 263323
 2016-03-12 01:57:04 +00:00
Kostya Serebryany e483ed2825 [libFuzzer] when interrupted, call _Exit() instead of exit() 
llvm-svn: 262667
 2016-03-03 22:36:37 +00:00
Kostya Serebryany 3d95dd9149 [libFuzzer] deprecate exit_on_first flag 
llvm-svn: 262417
 2016-03-01 22:33:14 +00:00
Kostya Serebryany 228d5b1ce4 [libFuzzer] add generic signal handlers so that libFuzzer can report at least something if ASan is not handlig the signals for us. Remove abort_on_timeout flag. 
llvm-svn: 262415
 2016-03-01 22:19:21 +00:00
Kostya Serebryany 66ff0756e4 [libFuzzer] add -print_final_stats=1 flag 
llvm-svn: 262084
 2016-02-26 22:42:23 +00:00
Kostya Serebryany da63c1d09a [libFuzzer] initial implementation of path coverage based on -fsanitize-coverage=trace-pc. This does not scale well yet, but already cracks FullCoverageSetTest in seconds 
llvm-svn: 262073
 2016-02-26 21:33:56 +00:00
Kostya Serebryany a35f7d383f [libFuzzer] only read MaxLen bytes from every file in the corpus to speedup loading the corpus 
llvm-svn: 261267
 2016-02-18 21:49:10 +00:00
Kostya Serebryany cfbcf9097d [libFuzzer] don't timeout when loading the corpus. Be a bit more verbose when loading large corpus. 
llvm-svn: 261143
 2016-02-17 19:42:34 +00:00
Kostya Serebryany 8a5bef0fcf [libFuzzer] remove std::vector operations from hot paths, NFC 
llvm-svn: 260829
 2016-02-13 17:56:51 +00:00
Kostya Serebryany 1deb0498f5 [libFuzzer] don't require seed in fuzzer::Mutate, instead use the global Fuzzer object for fuzzer::Mutate. This makes custom mutators fast 
llvm-svn: 260810
 2016-02-13 06:24:18 +00:00
Kostya Serebryany 7ec0c56e07 [libFuzzer] get rid of UserSuppliedFuzzer; NFC 
llvm-svn: 260798
 2016-02-13 03:25:16 +00:00
Kostya Serebryany 22cc5e2375 [libFuzzer] provide a plain C interface for custom mutators (experimental) 
llvm-svn: 260794
 2016-02-13 02:29:38 +00:00
Kostya Serebryany b92602ada0 [libFuzzer] don't write the test unit when a leak is detected (since we don't know which unit causes the leak) 
llvm-svn: 259731
 2016-02-04 00:02:17 +00:00
Kostya Serebryany 54a6363a8f [libFuzzer] add -timeout_exitcode option 
llvm-svn: 259265
 2016-01-29 23:30:07 +00:00
Kostya Serebryany 9768e7f06b [libFuzzer] add -abort_on_timeout option 
llvm-svn: 258631
 2016-01-23 19:34:19 +00:00
Ivan Krasin df91910bd4 Use std::piecewise_constant_distribution instead of ad-hoc binary search. 
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.

Note: this is the second attempt (prev: r258473). Now, libc++ build is fixed.

Reviewers: aizatsky, kcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D16487

llvm-svn: 258571
 2016-01-22 22:28:27 +00:00
Ivan Krasin d84f74cab7 Revert r258473 as it's breaking the build with libc++ 
Reviewers: kcc

Differential Revision: http://reviews.llvm.org/D16441

llvm-svn: 258479
 2016-01-22 03:21:52 +00:00
Ivan Krasin b008fd4d89 Use std::piecewise_constant_distribution instead of ad-hoc binary search. 
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.

Note: I had to change the seed for one test to make it pass. Alternatively,
the number of runs could be increased. I believe that the average time of
'foo' discovery is not increased, just seed=1 was particularly convenient
for the previous PRNG scheme used.

Reviewers: aizatsky, kcc

Subscribers: llvm-commits, kcc

Differential Revision: http://reviews.llvm.org/D16419

llvm-svn: 258473
 2016-01-22 01:32:34 +00:00
Mike Aizatsky e313f8f8ff [libfuzzer] use %p for printing addresses 
llvm-svn: 258370
 2016-01-21 00:02:09 +00:00
Kostya Serebryany 628bc3ec00 [libFuzzer] move some code from public interface header to a non-public header. NFC 
llvm-svn: 257963
 2016-01-16 00:04:36 +00:00
Kostya Serebryany 4b35874b2a [libFuzzer] suggest a dictionary to the user of some of the trace-based dictionary entries were successful 
llvm-svn: 257736
 2016-01-14 02:36:44 +00:00
Kostya Serebryany 98abb2c90a [libFuzzer] make CurrentUnit a POD object instead of vector to avoid extra allocations 
llvm-svn: 257713
 2016-01-13 23:46:01 +00:00
Kostya Serebryany d50a3eedb4 [libFuzzer] make sure we find buffer overflow in the input buffer. Previously, re-using the same vector object was hiding buffer overflows (unless we used annotated vector) 
llvm-svn: 257701
 2016-01-13 23:02:30 +00:00
Kostya Serebryany 72fdb32dac [libFuzzer] make sure to update CurrentUnit when drilling 
llvm-svn: 257560
 2016-01-13 01:58:27 +00:00
Kostya Serebryany b65805a939 [libFuzzer] change the way trace-based mutations are applied. Instead of a custom code just rely on the automatically created dictionary 
llvm-svn: 257248
 2016-01-09 03:08:58 +00:00
Mike Aizatsky 8b11f877e4 [libfuzzer] print_new_cov_pcs experimental option. 
Differential Revision: http://reviews.llvm.org/D15901

llvm-svn: 256882
 2016-01-06 00:21:22 +00:00
Kostya Serebryany 27ab2d759f [libFuzzer] make CrossOver just one of the other mutations 
llvm-svn: 256081
 2015-12-19 02:49:09 +00:00
Kostya Serebryany 14c50288cc [libFuzzer] print successfull mutations sequences 
llvm-svn: 256071
 2015-12-19 01:09:49 +00:00
Kostya Serebryany 8617aaaac2 [libFuzzer] don't reload the corpus more than once every second 
llvm-svn: 254824
 2015-12-05 02:09:22 +00:00
Kostya Serebryany 9e48cda9bc [libFuzzer] compute base64 in-process instead of using an external lib. Since libFuzzer should not depend on anything, just re-implement base64 encoder. PR25746 
llvm-svn: 254784
 2015-12-04 22:29:39 +00:00
Mike Aizatsky 71552ce64b Libfuzzer: do not pass null into user function 
Differential Revision: http://reviews.llvm.org/D15098

llvm-svn: 254558
 2015-12-02 22:43:53 +00:00
Kostya Serebryany 2d0ef14f5d [libFuzzer] add a flag -exact_artifact_path 
llvm-svn: 254100
 2015-11-25 21:40:46 +00:00
Kostya Serebryany 2a48c24d77 [libFuzzer] make libFuzzer build even with a compiler that does not have sanitizer headers 
llvm-svn: 253003
 2015-11-13 01:54:40 +00:00