commit 1873a496e2  Dan Liew  2016-06-07 23:32:50 +00:00
[LibFuzzer] Declare and use sanitizer functions in ``fuzzer::ExternalFunctions``

This fixes linking problems on OSX.
Unfortunately it turns out we need to use an instance of the
``fuzzer::ExternalFunctions`` object in several places so this
commit also replaces all instances with a single global instance.
It also turns out initializing a global ``fuzzer::ExternalFunctions``
before main is entered (i.e. letting the object be initialised by the
global initializers) is not safe (on OSX the call to ``Printf()`` in the
CTOR crashes if it is called from a global initializer) so we instead
have a global ``fuzzer::ExternalFunctions*`` and initialize it inside
``FuzzerDriver()``.
Multiple unit tests also depend on the
``fuzzer::ExternalFunctions*`` global so a ``main()`` function has been
added that initializes it before running any tests.
Differential Revision: http://reviews.llvm.org/D20943
llvm-svn: 272072

commit 1d0a9fd089  Dan Liew  2016-06-07 21:23:30 +00:00
[LibFuzzer] Split the fuzzer-oom.test into two tests.

This is necessary because the existing fuzzer-oom.test was Linux
specific due to its use of __sanitizer_print_memory_profile() which
is only available on Linux right now and so the test would fail on OSX.
Differential Revision: http://reviews.llvm.org/D20977
llvm-svn: 272061

commit 41d6683c39  Mike Aizatsky  2016-06-07 20:22:15 +00:00
[libfuzzer] custom crossover interface function.

Differential Revision: http://reviews.llvm.org/D21089
llvm-svn: 272054

commit 1f88b12272  Mike Aizatsky  2016-06-07 18:16:32 +00:00
[libfuzzer] prune_corpus option for disabling pruning during the load.

Summary:
The option is very useful for testing, plus I intend to measure
its effect on fuzzer effectiveness.
Differential Revision: http://reviews.llvm.org/D21084
llvm-svn: 272035

commit d15c106c9b  Dan Liew  2016-06-07 04:44:49 +00:00
[LibFuzzer] s/dataflow sanitizer/DataflowSanitizer/

llvm-svn: 271980

commit 0d09f14554  Dan Liew  2016-06-07 04:44:39 +00:00
[LibFuzzer] Disable building and running LSan tests on Apple platforms because LSan is not currently supported.

Differential Revision: http://reviews.llvm.org/D20947
llvm-svn: 271979

commit 3c1782f23b  Mike Aizatsky  2016-06-03 18:05:22 +00:00
[libfuzzer] splitting fuzzer.test

llvm-svn: 271697

commit fba4a67a32  Dan Liew  2016-06-02 05:48:09 +00:00
[LibFuzzer] Disable compiling and running the LibFuzzer dataflow sanitizer tests on Apple platforms.

This fixes a broken part of the build on OSX as the dataflow sanitizer is not supported
on OSX yet.
Differential Revision: http://reviews.llvm.org/D20894
llvm-svn: 271492

commit f6414426f2  Kostya Serebryany  2016-06-02 01:33:11 +00:00
[libFuzzer] use __sanitizer_print_memory_profile to print the memory profile on OOM

llvm-svn: 271465

commit f817731a19  Kostya Serebryany  2016-06-01 16:41:12 +00:00
[libFuzzer] when an invalid flag is given, warn, but don't crash

llvm-svn: 271404

commit 4795210f9c  Kostya Serebryany  2016-05-29 15:58:57 +00:00
[libFuzzer] fix a use-after-free (!) in libFuzzer caused by r270905: that CL caused a push_back in the main corpus invalidating the vector<> iterators in rare cases.

llvm-svn: 271186

commit 470d04400e  Kostya Serebryany  2016-05-27 21:46:22 +00:00
[libFuzzer] use __sanitizer_set_report_fd with -close_fd_mask. This allows us to keep asan reports when closing target's stderr

llvm-svn: 271053

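The mechanism behind this commit and the earlier ``-close_fd_mask`` flag (r263831, further down this page), shown as an added example rather than libFuzzer's own code: duplicate stderr before closing it, hand the copy to the sanitizer runtime with ``__sanitizer_set_report_fd``, then point the noisy descriptors at ``/dev/null``. The mask bits (1 = stdout, 2 = stderr) follow libFuzzer's documented flag semantics; the helper names, the weak-symbol lookup (null when no sanitizer runtime is linked, so the program also runs in a plain build) and the constructed ``main`` are this example's own.

```cpp
#include <cstdint>
#include <cstdio>
#include <fcntl.h>
#include <unistd.h>

// Weak reference: resolves to null when the binary is not linked against a
// sanitizer runtime, so the helper below also works in a plain build.
// Signature as in sanitizer/common_interface_defs.h.
extern "C" __attribute__((weak)) void __sanitizer_set_report_fd(void *fd);

// Mirror of the documented -close_fd_mask bits (assumption for this example:
// bit 0 = stdout, bit 1 = stderr), as a stand-alone helper.
enum { kCloseStdout = 1, kCloseStderr = 2 };

// Redirects the masked descriptors to /dev/null, but first duplicates stderr
// and hands the copy to the sanitizer so crash reports survive the close.
// Returns the duplicated descriptor (-1 if nothing was closed) so the caller
// can keep writing its own diagnostics there.
int SilenceTargetOutput(unsigned Mask) {
  if (!(Mask & (kCloseStdout | kCloseStderr))) return -1;
  int SavedStderr = dup(STDERR_FILENO);
  if (SavedStderr < 0) return -1;
  // Close-on-exec so subprocesses spawned by the target cannot inherit it.
  fcntl(SavedStderr, F_SETFD, FD_CLOEXEC);
  if (__sanitizer_set_report_fd != nullptr)
    __sanitizer_set_report_fd(reinterpret_cast<void *>(static_cast<intptr_t>(SavedStderr)));
  int DevNull = open("/dev/null", O_WRONLY);
  if (DevNull < 0) { close(SavedStderr); return -1; }
  if (Mask & kCloseStdout) dup2(DevNull, STDOUT_FILENO);
  if (Mask & kCloseStderr) dup2(DevNull, STDERR_FILENO);
  close(DevNull);
  return SavedStderr;
}

// Puts the original stderr back. The saved copy is deliberately left open:
// the sanitizer runtime may still hold it as its report descriptor.
bool RestoreStderr(int SavedStderr) {
  if (SavedStderr < 0) return false;
  return dup2(SavedStderr, STDERR_FILENO) >= 0;
}

// True if Fd is an open descriptor.
bool IsOpenFd(int Fd) { return Fd >= 0 && fcntl(Fd, F_GETFD) != -1; }

// Self-check: the report channel is open while stderr is silenced, and the
// original stderr can be restored afterwards.
bool RoundTrip() {
  int Saved = SilenceTargetOutput(kCloseStderr);
  bool Ok = Saved > STDERR_FILENO && IsOpenFd(Saved);
  return RestoreStderr(Saved) && Ok;
}

int main() {
  int Saved = SilenceTargetOutput(kCloseStderr);
  // This line disappears into /dev/null...
  dprintf(STDERR_FILENO, "noisy target output\n");
  // ...but the report channel still reaches the user.
  dprintf(Saved, "report channel still open (fd %d)\n", Saved);
  RestoreStderr(Saved);
  return 0;
}
```

In a fuzzer the saved descriptor is never closed for the life of the process; the restore step exists only so the demo leaves the process as it found it.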
commit 8c11fce707  Dan Liew  2016-05-27 03:14:40 +00:00
[LibFuzzer] Refactor declaration of tests in CMake.

Add a new CMake function (``add_libfuzzer_test()``) to simplify
declaration of executables for testing LibFuzzer and use it to
reorganise how tests are declared.
Note that configuration of the lit configuration files has been moved
as late as possible because we are going to need to disable some tests
for some platforms and we will need to propagate this information into
the lit configuration.
Note the code for custom mains was removed because no tests are
currently written for this and Kostya seems happy to remove this.
Differential Revision: http://reviews.llvm.org/D20706
llvm-svn: 270958

commit 76dacb4ba9  Kostya Serebryany  2016-05-27 01:12:21 +00:00
[libFuzzer] make check-fuzzer a bit faster

llvm-svn: 270947

commit 8fc3a27c5c  Kostya Serebryany  2016-05-27 00:21:33 +00:00
[libFuzzer] more refactoring: make sure CurrentUnitData is always a valid pointer to read from

llvm-svn: 270942

commit d8384122a3  Kostya Serebryany  2016-05-26 22:17:32 +00:00
[libFuzzer] more refactoring around CurrentUnit. Also add a threading test on which we currently have a race (when reporting bugs from multiple threads)

llvm-svn: 270929

commit 676892a5d5  Dan Liew  2016-05-26 20:55:05 +00:00
[LibFuzzer] Allow LibFuzzer to be built in modes other than RELEASE.

Previously the flags were only being set correctly when the
build type was "Release". Now the build should work properly
for all the supported build types. When building libFuzzer
the optimization level respects whatever is used for the
rest of LLVM but for the LibFuzzer tests we force -O0.
Differential Revision: http://reviews.llvm.org/D20558
llvm-svn: 270912

commit 4b92326b17  Kostya Serebryany  2016-05-26 20:25:49 +00:00
[libFuzzer] when there is a leak in the existing corpus report the reproducer properly

llvm-svn: 270905

commit f1f3f93c9e  Kostya Serebryany  2016-05-26 20:03:02 +00:00
[libFuzzer] reimplement the way we do -only_ascii to allow more 'const' in function declarations. Add a test for -only_ascii. NFC intended

llvm-svn: 270900

commit e66846ab32  Mike Aizatsky  2016-05-25 21:00:17 +00:00
[libfuzzer] replacing unittest for truncate_units with functional test.

Differential Revision: http://reviews.llvm.org/D20641
llvm-svn: 270755

commit ff2e6badbd  Kostya Serebryany  2016-05-25 00:15:36 +00:00
[libFuzzer] print stats if we crash on empty input

llvm-svn: 270639

commit af432a45e3  Mike Aizatsky  2016-05-24 23:14:29 +00:00
[libfuzzer] Trying random unit prefixes during corpus load.

Differential Revision: http://reviews.llvm.org/D20301
llvm-svn: 270632

commit 6289536922  Kostya Serebryany  2016-05-13 18:10:33 +00:00
[libFuzzer] print the file name before executing the input so that if there is a crash we know which file has caused it

llvm-svn: 269450

commit 8b0d90a6d4  Kostya Serebryany  2016-05-13 18:04:35 +00:00
[libFuzzer] simplify FuzzerInterface.h

llvm-svn: 269448

commit ca9694ba2c  Kostya Serebryany  2016-05-09 21:02:36 +00:00
[libFuzzer] add a test for libFuzzer+ubsan, extend the docs on using libFuzzer+ubsan

llvm-svn: 268968

commit 8b8f7a3cda  Kostya Serebryany  2016-05-06 23:38:07 +00:00
[libFuzzer] enhance -rss_limit_mb and enable by default. Now it will print the OOM reproducer.

llvm-svn: 268821

commit baf7fd0b16  Kostya Serebryany  2016-05-04 20:44:50 +00:00
[libFuzzer] print stats after running individual inputs

llvm-svn: 268547

commit 2fe9304d62  Kostya Serebryany  2016-04-29 18:49:55 +00:00
[libFuzzer] enable detect_leaks=1, add proper docs

llvm-svn: 268088

commit 0e0bcc4bdb  Kostya Serebryany  2016-04-27 19:52:56 +00:00
[libFuzzer] disable leak detection if we have tried it for 1000 times w/o finding a leak [part 2]

llvm-svn: 267771

commit 7018a1aaa4  Kostya Serebryany  2016-04-27 19:52:34 +00:00
[libFuzzer] disable leak detection if we have tried it for 1000 times w/o finding a leak

llvm-svn: 267770

commit 1bfd583d82  Kostya Serebryany  2016-04-20 00:24:21 +00:00
[libFuzzer] added -detect_leaks flag (0 by default for now). When enabled, it will help finding leaks while fuzzing

llvm-svn: 266838

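The policy described by this ``-detect_leaks`` commit and the two "disable leak detection after 1000 attempts" commits above it, as an added example that is not libFuzzer's code: run a recoverable LeakSanitizer check after an input, and stop paying for checks once a run of checks has found nothing. Only the 1000-attempt limit comes from the commit titles; the counter reset on a real leak, the ``LeakCheckPolicy`` type and the fake checkers used for the self-check are this example's assumptions. The ``__lsan_do_recoverable_leak_check`` prototype is the one in ``sanitizer/lsan_interface.h`` (nonzero return means a leak was found); it is referenced weakly so the example also runs without LSan linked in.

```cpp
#include <cstddef>
#include <functional>

// Weak reference to the LSan entry point; null when LSan is not linked in,
// which the code treats as "leak checking unavailable".
extern "C" __attribute__((weak)) int __lsan_do_recoverable_leak_check(void);

// Leak checking stays on until kMaxAttempts consecutive checks found nothing.
// kMaxAttempts is the 1000 from the commit title; the bookkeeping is ours.
struct LeakCheckPolicy {
  enum { kMaxAttempts = 1000 };
  int AttemptsWithoutLeak = 0;
  bool Enabled = true;
};

// Runs one leak check through `Check` (nonzero return = leak found) and
// updates the policy. Returns true if a leak was reported.
bool TryLeakCheck(LeakCheckPolicy &P, const std::function<int()> &Check) {
  if (!P.Enabled) return false;
  if (Check() != 0) {
    P.AttemptsWithoutLeak = 0;  // leaks are real in this target; keep checking
    return true;
  }
  if (++P.AttemptsWithoutLeak >= LeakCheckPolicy::kMaxAttempts)
    P.Enabled = false;          // the checks buy nothing here; stop paying
  return false;
}

// Production wrapper: same policy, backed by the real LSan check when present.
bool TryLsanLeakCheck(LeakCheckPolicy &P) {
  if (__lsan_do_recoverable_leak_check == nullptr) { P.Enabled = false; return false; }
  return TryLeakCheck(P, [] { return __lsan_do_recoverable_leak_check(); });
}

// Target loop: run the callback on each input, then maybe pay for a check.
// `RunOne` stands in for LLVMFuzzerTestOneInput on the i-th corpus unit.
int RunCorpusWithLeakChecks(const std::function<void(size_t)> &RunOne,
                            size_t NumInputs, LeakCheckPolicy &P) {
  int LeaksFound = 0;
  for (size_t i = 0; i < NumInputs; i++) {
    RunOne(i);
    if (TryLsanLeakCheck(P)) LeaksFound++;
  }
  return LeaksFound;
}

// Self-check with a fake checker that never finds a leak: how many checks
// does the policy run before giving up?
int CallsBeforeGivingUp() {
  LeakCheckPolicy P;
  int Calls = 0;
  for (int i = 0; i < 5000; i++) TryLeakCheck(P, [&] { Calls++; return 0; });
  return Calls;  // exactly kMaxAttempts
}

// A found leak resets the counter, so checking never gets disabled while
// leaks keep showing up (here: one every 500 inputs).
bool LeakKeepsCheckingEnabled() {
  LeakCheckPolicy P;
  for (int i = 0; i < 5000; i++) TryLeakCheck(P, [&] { return i % 500 == 0 ? 1 : 0; });
  return P.Enabled;
}

int main() {
  LeakCheckPolicy P;
  // Without LSan the wrapper reports nothing and disables itself; with it,
  // leaks found by the real check are counted.
  return RunCorpusWithLeakChecks([](size_t) {}, 10, P) == 0 ? 0 : 1;
}
```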
commit ebb932d060  Kostya Serebryany  2016-04-18 22:50:39 +00:00
[libFuzzer] try to print correct time in seconds when reporting a timeout. Don't report timeouts while still loading the corpus.

llvm-svn: 266693

commit 09087bba4d  Kostya Serebryany  2016-04-18 21:14:11 +00:00
[libFuzzer] warn if the corpus is empty

llvm-svn: 266670

commit b60397f54c  Kostya Serebryany  2016-04-15 21:56:29 +00:00
[libFuzzer] add a better warning for command line flags with -- (two dashes)

llvm-svn: 266480

commit f13cbee12e  Mike Aizatsky  2016-04-01 18:38:58 +00:00
[libfuzzer] adding license headers to cpp files

Differential Revision: http://reviews.llvm.org/D18705
llvm-svn: 265174

commit 315167339e  Kostya Serebryany  2016-03-24 01:32:08 +00:00
[libFuzzer] don't report memory leaks if we are dying due to a timeout (just use _Exit instead of exit in the timeout callback)

llvm-svn: 264237

commit 49e409068a  Kostya Serebryany  2016-03-18 20:58:29 +00:00
[libFuzzer] add a flag close_fd_mask so that we can silence spammy targets by closing stderr/stdout

llvm-svn: 263831

commit c43b584c1c  Kostya Serebryany  2016-03-18 01:36:00 +00:00
[libFuzzer] read corpus dirs recursively

llvm-svn: 263773

commit 945761b8c2  Kostya Serebryany  2016-03-18 00:23:29 +00:00
[libFuzzer] improve -merge functionality

llvm-svn: 263769

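The core of a coverage-based ``-merge``, as an added example and not libFuzzer's implementation: every candidate unit is kept only if it exercises at least one coverage feature the already-kept set does not. The feature IDs, the ``Unit`` type, the smallest-first ordering and the constructed corpora are this example's assumptions; a real merge first runs each file under the target to collect its features, which this block skips.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <set>
#include <string>
#include <vector>

// A corpus unit plus the set of coverage features it exercised.
// Features are opaque IDs here (edge or counter IDs in a real run).
struct Unit {
  std::string Name;
  size_t Size;
  std::set<uint32_t> Features;
};

// Greedy merge: walk the incoming units smallest-first and keep a unit only
// if it adds a feature not already covered. Returns the names of the units
// that should be copied into the main corpus.
std::vector<std::string> MergeCorpora(const std::vector<Unit> &Main, std::vector<Unit> Extra) {
  std::set<uint32_t> Covered;
  for (const Unit &U : Main) Covered.insert(U.Features.begin(), U.Features.end());
  // Smaller units first so that, among inputs covering the same features,
  // the cheapest one wins.
  std::stable_sort(Extra.begin(), Extra.end(),
                   [](const Unit &A, const Unit &B) { return A.Size < B.Size; });
  std::vector<std::string> Keep;
  for (const Unit &U : Extra) {
    bool New = false;
    for (uint32_t F : U.Features)
      if (Covered.insert(F).second) New = true;  // insert() reports unseen features
    if (New) Keep.push_back(U.Name);
  }
  return Keep;
}

// Constructed example: the main corpus already covers features 1 and 2.
std::vector<std::string> MergeSample() {
  std::vector<Unit> Main = {{"seed", 10, {1, 2}}};
  std::vector<Unit> Extra = {
      {"big",   40, {1, 2, 3}},  // adds 3, but "small" below adds it cheaper
      {"small",  5, {3}},        // adds 3: kept
      {"dup",    7, {1}},        // nothing new: dropped
      {"edge",  12, {4, 5}},     // adds 4 and 5: kept
  };
  return MergeCorpora(Main, Extra);  // {"small", "edge"}
}

int main() { return MergeSample().size() == 2 ? 0 : 1; }
```

Because the kept set grows as the walk proceeds, the result depends on the visiting order; sorting by size is what makes the merged corpus prefer small reproducers of the same coverage.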
commit c5575aabd6  Kostya Serebryany  2016-03-17 19:59:39 +00:00
[libFuzzer] deprecate several flags

llvm-svn: 263739

commit 243fe2b3a0  Mike Aizatsky  2016-03-04 23:18:01 +00:00
[libfuzzer] adding std::string to allowed adaptable argument.

llvm-svn: 262757

commit b8627a89a6  Mike Aizatsky  2016-03-03 23:45:29 +00:00
[libfuzzer] arbitrary function adapter.

The adapter automates converting sequence of bytes into arbitrary
arguments.
Differential Revision: http://reviews.llvm.org/D17829
llvm-svn: 262673

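What "converting a sequence of bytes into arbitrary arguments" looks like in practice, covering this commit and the ``std::string`` argument added in the commit above it, as an added example that is not libFuzzer's adapter: a reader consumes the input front-to-back, one parameter at a time, and a variadic template feeds the decoded values to the target function. The byte layout (host-order integers, a one-byte length prefix for strings), the truncation behaviour on short inputs, ``ArgReader``, ``ParseRequest`` and the constructed inputs are all this example's own choices.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <tuple>

// Consumes bytes from the front of the fuzzer input and turns them into typed
// arguments. Running out of bytes yields zero-valued / empty arguments rather
// than reading past the end of the buffer.
class ArgReader {
 public:
  ArgReader(const uint8_t *Data, size_t Size) : Data_(Data), Size_(Size) {}

  // Trivially copyable arguments are taken as raw bytes in host byte order.
  template <typename T> T Read() {
    T V{};
    size_t N = Size_ < sizeof(T) ? Size_ : sizeof(T);
    memcpy(&V, Data_, N);
    Data_ += N; Size_ -= N;
    return V;
  }
  // Strings: one length byte (capped to what remains), then that many bytes.
  std::string ReadString() {
    size_t Len = Read<uint8_t>();
    if (Len > Size_) Len = Size_;
    std::string S(reinterpret_cast<const char *>(Data_), Len);
    Data_ += Len; Size_ -= Len;
    return S;
  }
  size_t Remaining() const { return Size_; }

 private:
  const uint8_t *Data_;
  size_t Size_;
};

// Per-type decoding hook; specialised for the types that need more than a memcpy.
template <typename T> struct Arg { static T Get(ArgReader &R) { return R.Read<T>(); } };
template <> struct Arg<std::string> { static std::string Get(ArgReader &R) { return R.ReadString(); } };

// The adapter: decode the function's parameters, in declaration order, from
// the input and call it. Braced init of the tuple guarantees left-to-right
// evaluation, so the decoding order is fixed for a given input.
template <typename Ret, typename... Args>
Ret CallWithFuzzedArgs(Ret (*Fn)(Args...), const uint8_t *Data, size_t Size) {
  ArgReader R(Data, Size);
  std::tuple<Args...> T{Arg<Args>::Get(R)...};
  return std::apply(Fn, T);
}

// Example target with a mixed signature (constructed for this example).
static int ParseRequest(uint32_t Id, std::string Path, uint8_t Flags) {
  if (Path.empty()) return -1;
  return static_cast<int>(Id % 100) + (Flags & 1) + static_cast<int>(Path.size());
}

// Fuzz entry point: drop `main` below when linking with libFuzzer.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  CallWithFuzzedArgs(ParseRequest, Data, Size);
  return 0;
}

// Constructed input: 4-byte Id (42), length 3 + "abc", Flags = 1.
int DecodeSample() {
  static const uint8_t In[] = {0x2A, 0, 0, 0, 3, 'a', 'b', 'c', 0x01};
  return CallWithFuzzedArgs(ParseRequest, In, sizeof In);  // 42 + 1 + 3 = 46
}

// Constructed short input: Id reads the single byte, the string and Flags
// come out empty / zero instead of reading past the end.
int DecodeShort() {
  static const uint8_t In[] = {0x05};
  return CallWithFuzzedArgs(ParseRequest, In, sizeof In);  // Path empty: -1
}

int main() { return DecodeSample() == 46 ? 0 : 1; }
```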
commit 228d5b1ce4  Kostya Serebryany  2016-03-01 22:19:21 +00:00
[libFuzzer] add generic signal handlers so that libFuzzer can report at least something if ASan is not handling the signals for us. Remove abort_on_timeout flag.

llvm-svn: 262415

commit bf821db932  Kostya Serebryany  2016-02-27 03:14:23 +00:00
[libFuzzer] fixing the bot

llvm-svn: 262106

commit 2d4f8f168b  Kostya Serebryany  2016-02-27 01:50:16 +00:00
[libFuzzer] speedup path coverage handling

llvm-svn: 262102

commit 66ff0756e4  Kostya Serebryany  2016-02-26 22:42:23 +00:00
[libFuzzer] add -print_final_stats=1 flag

llvm-svn: 262084

commit da63c1d09a  Kostya Serebryany  2016-02-26 21:33:56 +00:00
[libFuzzer] initial implementation of path coverage based on -fsanitize-coverage=trace-pc. This does not scale well yet, but already cracks FullCoverageSetTest in seconds

llvm-svn: 262073

commit 90bcdb512b  Kostya Serebryany  2016-02-18 02:02:40 +00:00
[libFuzzer] fix the libFuzzer bot

llvm-svn: 261184

commit 1deb0498f5  Kostya Serebryany  2016-02-13 06:24:18 +00:00
[libFuzzer] don't require seed in fuzzer::Mutate, instead use the global Fuzzer object for fuzzer::Mutate. This makes custom mutators fast

llvm-svn: 260810

commit 7ec0c56e07  Kostya Serebryany  2016-02-13 03:25:16 +00:00
[libFuzzer] get rid of UserSuppliedFuzzer; NFC

llvm-svn: 260798

commit a399221c32  Kostya Serebryany  2016-02-13 03:00:53 +00:00
[libFuzzer] simplify the code around Random. NFC

llvm-svn: 260797

commit ecab57b3ce  Kostya Serebryany  2016-02-13 02:39:30 +00:00
[libFuzzer] remove UserSuppliedFuzzer from the interface (it was a bad idea).

llvm-svn: 260796

commit 22cc5e2375  Kostya Serebryany  2016-02-13 02:29:38 +00:00
[libFuzzer] provide a plain C interface for custom mutators (experimental)

llvm-svn: 260794

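A structure-aware mutator and crossover pair for a toy input format, as an added example serving both this plain-C custom-mutator commit and the custom crossover interface commit near the top of the page (D21089); it is not libFuzzer's code. The prototypes are the ones libFuzzer documents for ``LLVMFuzzerCustomMutator`` and ``LLVMFuzzerCustomCrossOver`` today; whether the 2016 revisions used exactly these prototypes is not shown on this page, so treat that as an assumption. The ``key=value;`` record format, the mutation operators and the constructed inputs in the self-checks are this example's own. Both hooks keep the output a well-formed record stream and never exceed the size limit they are handed, which is the property a structure-aware mutator must guarantee.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <random>
#include <string>
#include <vector>

// Toy input format for the example: a sequence of "key=value;" records.
static std::vector<std::string> SplitRecords(const uint8_t *Data, size_t Size) {
  std::vector<std::string> Recs;
  std::string Cur;
  for (size_t i = 0; i < Size; i++) {
    if (Data[i] == ';') { Recs.push_back(Cur); Cur.clear(); }
    else Cur.push_back(static_cast<char>(Data[i]));
  }
  if (!Cur.empty()) Recs.push_back(Cur);  // keep a trailing unterminated record
  return Recs;
}

// Serialises records back, dropping any that would not fit in MaxOut.
static size_t JoinRecords(const std::vector<std::string> &Recs, uint8_t *Out, size_t MaxOut) {
  size_t N = 0;
  for (const std::string &R : Recs) {
    if (N + R.size() + 1 > MaxOut) break;
    memcpy(Out + N, R.data(), R.size());
    N += R.size();
    Out[N++] = ';';
  }
  return N;
}

// Structure-aware mutator: edits whole records instead of random bytes.
// Mutates Data in place and returns the new size (<= MaxSize).
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) {
  std::minstd_rand Rng(Seed);
  std::vector<std::string> Recs = SplitRecords(Data, Size);
  static const char *const Keys[] = {"user", "mode", "len", "flag"};
  unsigned Op = Recs.empty() ? 0 : Rng() % 3;
  if (Op == 0) {         // add a record with a key the parser knows
    Recs.push_back(std::string(Keys[Rng() % 4]) + "=" + std::to_string(Rng() % 1000));
  } else if (Op == 1) {  // delete a record
    Recs.erase(Recs.begin() + Rng() % Recs.size());
  } else {               // rewrite one record's value, keep its key
    std::string &R = Recs[Rng() % Recs.size()];
    size_t Eq = R.find('=');
    R = R.substr(0, Eq == std::string::npos ? R.size() : Eq + 1) + std::to_string(Rng() % 1000);
  }
  return JoinRecords(Recs, Data, MaxSize);
}

// Structure-aware crossover: interleave whole records from both parents so
// the child is always a well-formed record stream.
extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1,
                                            const uint8_t *Data2, size_t Size2,
                                            uint8_t *Out, size_t MaxOutSize, unsigned int Seed) {
  std::minstd_rand Rng(Seed);
  std::vector<std::string> A = SplitRecords(Data1, Size1), B = SplitRecords(Data2, Size2), Child;
  size_t i = 0, j = 0;
  while (i < A.size() || j < B.size()) {
    bool TakeA = j >= B.size() || (i < A.size() && (Rng() & 1));
    Child.push_back(TakeA ? A[i++] : B[j++]);
  }
  return JoinRecords(Child, Out, MaxOutSize);
}

// Self-check on constructed parents: every child record comes from a parent,
// and since all five records fit, the child is exactly 34 bytes.
bool CrossOverPreservesRecords() {
  const char *P1 = "user=1;mode=2;len=3;", *P2 = "flag=9;user=7;";
  const uint8_t *D1 = reinterpret_cast<const uint8_t *>(P1), *D2 = reinterpret_cast<const uint8_t *>(P2);
  uint8_t Out[64];
  size_t N = LLVMFuzzerCustomCrossOver(D1, strlen(P1), D2, strlen(P2), Out, sizeof Out, 42);
  if (N != 34) return false;
  std::vector<std::string> Parents = SplitRecords(D1, strlen(P1));
  for (const std::string &R : SplitRecords(D2, strlen(P2))) Parents.push_back(R);
  for (const std::string &R : SplitRecords(Out, N))
    if (std::find(Parents.begin(), Parents.end(), R) == Parents.end()) return false;
  return true;
}

// Self-check on a constructed input: the mutated stream still consists of
// "key=value" records and stays within the buffer.
bool MutatorKeepsStructure() {
  uint8_t Buf[32] = "user=1;mode=2;";
  size_t N = LLVMFuzzerCustomMutator(Buf, 14, sizeof Buf, 7);
  if (N == 0 || N > sizeof Buf) return false;
  for (const std::string &R : SplitRecords(Buf, N))
    if (R.find('=') == std::string::npos) return false;
  return true;
}

int main() { return CrossOverPreservesRecords() && MutatorKeepsStructure() ? 0 : 1; }
```

Link this next to a target that parses the same record format and libFuzzer picks up both hooks by symbol name; without ``LLVMFuzzerCustomCrossOver`` defined it falls back to its byte-level crossover, which would regularly splice mid-record.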
commit 9d14e4bb15  Kostya Serebryany  2016-02-12 02:32:03 +00:00
[libFuzzer] make -runs=N flag also affect the simple runner (will execute every input N times)

llvm-svn: 260649

commit ce925c580e  Kostya Serebryany  2016-02-04 00:12:28 +00:00
[libFuzzer] hot fix a test

llvm-svn: 259732

commit b92602ada0  Kostya Serebryany  2016-02-04 00:02:17 +00:00
[libFuzzer] don't write the test unit when a leak is detected (since we don't know which unit causes the leak)

llvm-svn: 259731

commit bfbe7fc404  Kostya Serebryany  2016-02-02 03:03:47 +00:00
[libFuzzer] allow passing 1 or more files as individual inputs

llvm-svn: 259459

commit 078e984d8d  Kostya Serebryany  2016-02-02 02:07:26 +00:00
[libFuzzer] fail if the corpus dir does not exist

llvm-svn: 259454

commit 54a6363a8f  Kostya Serebryany  2016-01-29 23:30:07 +00:00
[libFuzzer] add -timeout_exitcode option

llvm-svn: 259265

commit 085ca4131f  Kostya Serebryany  2016-01-29 23:19:00 +00:00
[libFuzzer] re-enable test for -abort_on_timeout=1, this time protecting from ASAN_OPTIONS set outside

llvm-svn: 259263

commit d7785e75f3  Ivan Krasin  2016-01-25 19:05:45 +00:00
Temporarily disable broken fuzzer/timeout tests.

Reviewers: kcc
Differential Revision: http://reviews.llvm.org/D16543
llvm-svn: 258702

						
					 
				
					
						
							
							
								 
Kostya Serebryany
9768e7f06b
[libFuzzer] add -abort_on_timeout option
llvm-svn: 258631
2016-01-23 19:34:19 +00:00

Ivan Krasin
df91910bd4
Use std::piecewise_constant_distribution instead of ad-hoc binary search.
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.
Note: this is the second attempt (prev: r258473). Now, libc++ build is fixed.
Reviewers: aizatsky, kcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D16487
llvm-svn: 258571
2016-01-22 22:28:27 +00:00

Ivan Krasin
d84f74cab7
Revert r258473 as it's breaking the build with libc++
Reviewers: kcc
Differential Revision: http://reviews.llvm.org/D16441
llvm-svn: 258479
2016-01-22 03:21:52 +00:00

Ivan Krasin
b008fd4d89
Use std::piecewise_constant_distribution instead of ad-hoc binary search.
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.
Note: I had to change the seed for one test to make it pass. Alternatively,
the number of runs could be increased. I believe that the average time of
'foo' discovery is not increased, just seed=1 was particularly convenient
for the previous PRNG scheme used.
Reviewers: aizatsky, kcc
Subscribers: llvm-commits, kcc
Differential Revision: http://reviews.llvm.org/D16419
llvm-svn: 258473
2016-01-22 01:32:34 +00:00

Kostya Serebryany
311f27c0a8
[libFuzzer] use std::mt19937 for generating random numbers by default. Fix MyStoll to handle negative values. Use std::any_of instead of std::find_if
llvm-svn: 258178
2016-01-19 20:33:57 +00:00

Kostya Serebryany
476f0ce31a
[libFuzzer] replace vector with a simpler data structure in the Dictionaries to avoid memory allocations on hot path
llvm-svn: 257985
2016-01-16 03:53:32 +00:00

Kostya Serebryany
aca7696f4d
[libFuzzer] introduce LLVMFuzzerInitialize
llvm-svn: 257980
2016-01-16 01:23:12 +00:00

Kostya Serebryany
ae5b9567bc
[libFuzzer] do mutations based on memcmp/strcmp interceptors under a separate flag (-use_memcmp, default=1)
llvm-svn: 257873
2016-01-15 06:24:05 +00:00

Kostya Serebryany
4b35874b2a
[libFuzzer] suggest a dictionary to the user if some of the trace-based dictionary entries were successful
llvm-svn: 257736
2016-01-14 02:36:44 +00:00

Kostya Serebryany
d50a3eedb4
[libFuzzer] make sure we find buffer overflow in the input buffer. Previously, re-using the same vector object was hiding buffer overflows (unless we used annotated vector)
llvm-svn: 257701
2016-01-13 23:02:30 +00:00

Kostya Serebryany
b65805a939
[libFuzzer] change the way trace-based mutations are applied. Instead of a custom code just rely on the automatically created dictionary
llvm-svn: 257248
2016-01-09 03:08:58 +00:00

Kostya Serebryany
c573316eee
[libFuzzer] don't limit memcmp tracing with 8 bytes
llvm-svn: 257245
2016-01-09 01:39:55 +00:00

Kostya Serebryany
152ac7ad70
[libFuzzer] add a position hint to the dictionary-based mutator
llvm-svn: 257013
2016-01-07 01:49:35 +00:00

Mike Aizatsky
8b11f877e4
[libfuzzer] print_new_cov_pcs experimental option.
Differential Revision: http://reviews.llvm.org/D15901
llvm-svn: 256882
2016-01-06 00:21:22 +00:00

Kostya Serebryany
226b734d73
[libFuzzer] make trace-based fuzzing not crash in presence of threads
llvm-svn: 256876
2016-01-06 00:03:35 +00:00

Kostya Serebryany
bf65644c97
[libFuzzer] split the tests to run them in parallel, remove one redundant test
llvm-svn: 256085
2015-12-19 03:35:30 +00:00

Kostya Serebryany
27ab2d759f
[libFuzzer] make CrossOver just one of the other mutations
llvm-svn: 256081
2015-12-19 02:49:09 +00:00

Mike Aizatsky
a1a5c69b57
[LibFuzzer] Introducing FUZZER_FLAG_UNSIGNED and using it for seeding.
Differential Revision: http://reviews.llvm.org/D15339
done
llvm-svn: 255296
2015-12-10 20:41:53 +00:00

Kostya Serebryany
9e48cda9bc
[libFuzzer] compute base64 in-process instead of using an external lib. Since libFuzzer should not depend on anything, just re-implement base64 encoder. PR25746
llvm-svn: 254784
2015-12-04 22:29:39 +00:00

Mike Aizatsky
71552ce64b
Libfuzzer: do not pass null into user function
Differential Revision: http://reviews.llvm.org/D15098
llvm-svn: 254558
2015-12-02 22:43:53 +00:00

Kostya Serebryany
fba04273b7
[libFuzzer] add a test that is built with -fsanitize-coverage=trace-bb
llvm-svn: 254484
2015-12-02 02:49:37 +00:00

Kostya Serebryany
2d0ef14f5d
[libFuzzer] add a flag -exact_artifact_path
llvm-svn: 254100
2015-11-25 21:40:46 +00:00

Kostya Serebryany
dc3135db05
[libFuzzer] experimental flag -drill (another search heuristic; Mike Aizatsky's idea)
llvm-svn: 252838
2015-11-12 01:02:01 +00:00

Kostya Serebryany
b7e286bed7
[libFuzzer] add UninstrumentedTest.cpp (missing from a previous commit)
llvm-svn: 252658
2015-11-10 22:02:56 +00:00

Kostya Serebryany
5eab74e9bc
[libFuzzer] make libFuzzer link if there is no sanitizer coverage instrumentation (it will fail at start-up time)
llvm-svn: 252533
2015-11-09 23:17:45 +00:00

Kostya Serebryany
9cc3b0ddb6
[libFuzzer] add -merge flag to merge corpora
llvm-svn: 251168
2015-10-24 01:16:40 +00:00

Kostya Serebryany
2e9fca9f88
[libFuzzer] use the indirect caller-callee counter as an independent search heuristic
llvm-svn: 251078
2015-10-22 23:55:39 +00:00

Kostya Serebryany
b36025619c
[libFuzzer] remove the deprecated 'tokens' feature
llvm-svn: 251069
2015-10-22 21:48:09 +00:00

Kostya Serebryany
d6edce97fb
[libFuzzer] print a stack trace on timeout
llvm-svn: 250571
2015-10-16 23:04:31 +00:00

Kostya Serebryany
b91c62b1f3
[libFuzzer] When -test_single_input crashes the test it is not necessary to write crash-file because input is already known to the user. Patch by Mike Aizatsky
llvm-svn: 250564
2015-10-16 22:41:47 +00:00

Kostya Serebryany
bd5d1cdbb9
[libFuzzer] add -artifact_prefix flag
llvm-svn: 249807
2015-10-09 03:57:59 +00:00

Kostya Serebryany
20bb5e71b2
[libFuzzer] make LLVMFuzzerTestOneInput (the fuzzer target function) return int instead of void. The actual return value is not *yet* used (and expected to be 0). This change is API breaking, so the fuzzers will need to be updated.
llvm-svn: 249214
2015-10-02 23:34:06 +00:00

Kostya Serebryany
65d0a1458f
[libFuzzer] remove experimental flag and functionality
llvm-svn: 249194
2015-10-02 22:00:32 +00:00

Kostya Serebryany
b85db178a0
[libFuzzer] add a flag -max_total_time
llvm-svn: 249181
2015-10-02 20:47:55 +00:00

Ivan Krasin
95e82d5b48
[LibFuzzer] test_single_input option to run a single test case.
-test_single_input flag specifies a file name with test data.
Review URL: http://reviews.llvm.org/D13359
Patch by Mike Aizatsky!
llvm-svn: 249096
2015-10-01 23:23:06 +00:00

Ivan Krasin
a610cb5ba0
[libFuzzer] Add a test for defeating a hash sum.
Summary:
Add a test for a data followed by 4-byte hash value.
I use a slightly modified Jenkins hash function,
as described in https://en.wikipedia.org/wiki/Jenkins_hash_function
The modification is to ensure that hash(zeros) != 0.
Reviewers: kcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D12648
llvm-svn: 247076
2015-09-08 21:22:52 +00:00

Kostya Serebryany
25425ad920
[libFuzzer] add one more mutator: Mutate_ChangeASCIIInteger
llvm-svn: 247027
2015-09-08 17:19:31 +00:00

Kostya Serebryany
7d21166218
[libFuzzer] actually make the dictionaries work (+docs)
llvm-svn: 246825
2015-09-04 00:12:11 +00:00

Kostya Serebryany
ec2dcb1d91
[libFuzzer] refactor the mutation functions so that they are now methods of a class. NFC
llvm-svn: 246808
2015-09-03 21:24:19 +00:00

Kostya Serebryany
9838b2be87
[libFuzzer] adding a parser for AFL-style dictionaries + tests.
llvm-svn: 246800
2015-09-03 20:23:46 +00:00

Kostya Serebryany
6ea1b69fcf
[libFuzzer] deprecate the -tokens flag. This was a bad idea because the corpus with this flag contains encrypted inputs, not the real inputs, which complicates interoperation with other fuzzers. Instead we'll need to implement AFL dictionary support
llvm-svn: 246734
2015-09-02 23:27:39 +00:00

Kostya Serebryany
12c7837381
[libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied
llvm-svn: 244712
2015-08-12 01:55:37 +00:00

Kostya Serebryany
242ca930e8
[libFuzzer] move the mutators to public interface so that custom mutators may reuse these functions directly
llvm-svn: 244250
2015-08-06 19:19:55 +00:00

Kostya Serebryany
bf29ff2fa5
[libFuzzer] add one more mutation strategy: byte shuffling
llvm-svn: 244188
2015-08-06 01:29:13 +00:00

Kostya Serebryany
1ce0035bf0
[libFuzzer] add a missing test file
llvm-svn: 244151
2015-08-05 21:32:13 +00:00

Kostya Serebryany
7f4227d59a
[libFuzzer] use data-flow feedback from strcmp
llvm-svn: 244084
2015-08-05 18:23:01 +00:00

Kostya Serebryany
86a5fba71d
[libFuzzer] more refactoring of the Mutator and adding tests to it
llvm-svn: 243818
2015-08-01 02:23:06 +00:00

Kostya Serebryany
8ce7424e9c
[libFuzzer] start refactoring the Mutator and adding tests to it
llvm-svn: 243817
2015-08-01 01:42:51 +00:00

Kostya Serebryany
fe7e41e8f5
[libFuzzer] make sure that 2-byte arguments of switch() are handled properly
llvm-svn: 243781
2015-07-31 20:58:55 +00:00

Kostya Serebryany
cd6a4665e0
[libFuzzer] support switch interception in dfsan mode
llvm-svn: 243760
2015-07-31 17:05:05 +00:00

Kostya Serebryany
fb7d8d9d06
[libFuzzer] trace switch statements and apply mutations based on the expected case values
llvm-svn: 243726
2015-07-31 01:33:06 +00:00

Kostya Serebryany
c9dc96bfc6
[libFuzzer] fix the strncmp interceptor -- it should respect short strings.
llvm-svn: 243691
2015-07-30 21:22:22 +00:00

Kostya Serebryany
b74ba421fc
[libFuzzer] implement strncmp hook for data-flow-guided fuzzing (w/ and w/o dfsan), add a test
llvm-svn: 243611
2015-07-30 02:33:45 +00:00

Kostya Serebryany
0e776a2250
[libFuzzer] implement memcmp hook for data-flow-guided fuzzing (w/o dfsan), extend the memcmp fuzzer test
llvm-svn: 243603
2015-07-30 01:34:58 +00:00

Kostya Serebryany
ae7df1ca4d
[libFuzzer] ensure that the dfsan tracing hooks actually run (using -verbosity=3 in tests)
llvm-svn: 243365
2015-07-28 01:25:00 +00:00

Kostya Serebryany
404c69f2c8
[libFuzzer] allow users to supply their own implementation of rand
llvm-svn: 243078
2015-07-24 01:06:40 +00:00

Kostya Serebryany
2b7d2e91cc
[libFuzzer] dump long running units to disk
llvm-svn: 243031
2015-07-23 18:37:22 +00:00

Alexey Samsonov
4800c2de28
[Fuzzer] Rely on $PATH expansion instead of hardcoding paths in tests. NFC.
llvm-svn: 242851
2015-07-21 22:51:55 +00:00

Alexey Samsonov
dc324e1644
[Fuzzer] Clearly separate regular and DFSan tests. NFC.
llvm-svn: 242850
2015-07-21 22:51:49 +00:00

Kostya Serebryany
f3c7cb464e
[lib/Fuzzer] remove -use_coverage_pairs=1, an experimental feature that is unlikely to ever scale
llvm-svn: 238063
2015-05-22 22:47:03 +00:00

Kostya Serebryany
f342459aa4
[lib/Fuzzer] extend the fuzzer interface to allow user-supplied mutators
llvm-svn: 238059
2015-05-22 22:35:31 +00:00

Kostya Serebryany
490bbd6fa4
[lib/Fuzzer] change the meaning of -timeout flag: now timeout is applied to every unit of work separately
llvm-svn: 237735
2015-05-19 22:12:57 +00:00

Kostya Serebryany
96eab65d81
[lib/Fuzzer] Add SHA1 implementation from public domain.
Summary:
This adds a SHA1 implementation taken from public domain code.
The change is trivial, but as it involves third-party code I'd like
a second pair of eyes before commit.
LibFuzzer can not use SHA1 from openssl because openssl may not be available
and because we may be fuzzing openssl itself.
Using sha1sum via a pipe is too slow.
Test Plan: n/a
Reviewers: chandlerc
Reviewed By: chandlerc
Subscribers: majnemer, llvm-commits
Differential Revision: http://reviews.llvm.org/D9733
llvm-svn: 237400
2015-05-14 22:41:49 +00:00

Kostya Serebryany
d8c54724a8
[lib/Fuzzer] remove the -dfsan=1 flag, just use -use_traces=1 (w/ or w/o dfsan)
llvm-svn: 237083
2015-05-12 01:58:34 +00:00

Kostya Serebryany
5a99ecbbb3
[lib/Fuzzer] add a trace-based mutation logic. Same idea as with DFSan-based mutator, but instead of relying on taint tracking, try to find the data directly in the input. More (logic and comments) to go.
llvm-svn: 237043
2015-05-11 20:51:19 +00:00

Kostya Serebryany
f3f3ed323a
[lib/Fuzzer] build tests that work well with dfsan also w/o dfsan
llvm-svn: 236909
2015-05-08 21:45:19 +00:00

Kostya Serebryany
1ac8055bc7
[lib/Fuzzer] use -fsanitize-coverage=trace-cmp when building LLVM with LLVM_USE_SANITIZE_COVERAGE; in lib/Fuzzer try to reload the corpus to pick up new units from other processes
llvm-svn: 236906
2015-05-08 21:30:55 +00:00

Alexey Samsonov
21a3381a38
Update CMake flags, LibFuzzer comments and docs for new -fsanitize-coverage= flags.
llvm-svn: 236797
2015-05-07 23:33:24 +00:00

Kostya Serebryany
beb24c38e7
[lib/Fuzzer] change the way we use taint information for fuzzing. Now, we run a single unit and collect suggested mutations based on tracing+taint data, then apply the suggested mutations one by one. The previous scheme was slower and more complex.
llvm-svn: 236772
2015-05-07 21:02:11 +00:00

Kostya Serebryany
a407ddef27
[lib/Fuzzer] add dfsan_weak_hook_memcmp, enable the test that uses it, simplify the test runner
llvm-svn: 236683
2015-05-07 00:11:33 +00:00

Kostya Serebryany
3befe94acb
[lib/Fuzzer] remove dfsan_fuzzer_abi.list -- its contents are now moved to dfsan proper
llvm-svn: 236659
2015-05-06 22:47:24 +00:00

Kostya Serebryany
754f55d6f5
[lib/Fuzzer] add a fuzzer test for memcmp (does not work yet)
llvm-svn: 236656
2015-05-06 22:36:00 +00:00

Kostya Serebryany
566bc5aa8a
[lib/Fuzzer] rename TestOneInput to LLVMFuzzerTestOneInput to make it more unique
llvm-svn: 236652
2015-05-06 22:19:00 +00:00

Kostya Serebryany
52a788e503
[fuzzer] Add support for token-based fuzzing (e.g. for C++). Allow string flags.
llvm-svn: 233745
2015-03-31 20:13:20 +00:00

Kostya Serebryany
16d03bd051
DFSan-based fuzzer (proof of concept).
Summary:
This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.
Test Plan: a test added
Reviewers: samsonov, pcc
Reviewed By: samsonov, pcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D8669
llvm-svn: 233613
2015-03-30 22:09:51 +00:00

Kostya Serebryany
be5e0ed919
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers; we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-03 23:27:02 +00:00
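As an added illustration of the counter-to-bitset mapping described in this commit message (example code written here, not the compiler-rt or libFuzzer implementation; the function names are mine), each 8-bit hit counter is bucketed into one of the eight AFL ranges and the matching bit is set, so a fuzzer can treat a newly set bit at any location as new coverage worth keeping:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Map an 8-bit hit counter to a single bit in an 8-bit bitset using the
 * AFL-style ranges quoted in the commit message:
 *   bit 0: 1    bit 1: 2     bit 2: 3      bit 3: 4-7
 *   bit 4: 8-15 bit 5: 16-31 bit 6: 32-127 bit 7: 128+
 * A counter of 0 (block never executed) maps to an empty bitset.
 * Illustrative code, not the libFuzzer/compiler-rt implementation. */
static uint8_t CounterToBitset(uint8_t counter) {
  if (counter == 0) return 0;
  if (counter == 1) return 1 << 0;
  if (counter == 2) return 1 << 1;
  if (counter == 3) return 1 << 2;
  if (counter < 8) return 1 << 3;
  if (counter < 16) return 1 << 4;
  if (counter < 32) return 1 << 5;
  if (counter < 128) return 1 << 6;
  return 1 << 7;
}

/* Fold one run's counters into the accumulated bitsets. Returns how many
 * locations gained a bit not seen before, i.e. the "new coverage" signal a
 * fuzzer uses to decide whether to keep the input. Counters are zeroed so
 * the next run starts clean (they are per-run, the bitsets are cumulative). */
static size_t UpdateBitsets(uint8_t *counters, uint8_t *bitsets, size_t n) {
  size_t new_features = 0;
  for (size_t i = 0; i < n; i++) {
    uint8_t bit = CounterToBitset(counters[i]);
    if (bit && !(bitsets[i] & bit)) {
      bitsets[i] |= bit;
      new_features++;
    }
    counters[i] = 0;
  }
  return new_features;
}

int main(void) {
  /* Constructed sample: 4 instrumented blocks, two runs of the target. */
  uint8_t bitsets[4] = {0};
  uint8_t run1[4] = {1, 5, 0, 200};
  uint8_t run2[4] = {1, 6, 3, 255};
  printf("run1 new features: %zu\n", UpdateBitsets(run1, bitsets, 4)); /* 3 */
  printf("run2 new features: %zu\n", UpdateBitsets(run2, bitsets, 4)); /* 1 */
  return 0;
}
```

Note that run2 hits block 1 six times instead of five, which lands in the same 4-7 bucket and therefore counts as nothing new; only block 2, executed for the first time, adds a feature.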
						
					 
				
					
						
							
							
								 
Kostya Serebryany
2e3622bddd
[fuzzer] one more experimental search mode: -use_coverage_pairs=1
llvm-svn: 229957
2015-02-20 03:02:37 +00:00

Kostya Serebryany
cf9fdd5876
[fuzzer] Add proper dependencies to the fuzzer tests
Summary: Make sure that FileCheck is built when running check-fuzzer
Test Plan:
run on bot:
lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer
Reviewers: samsonov
Reviewed By: samsonov
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D7387
llvm-svn: 228045
2015-02-03 21:57:32 +00:00

Kostya Serebryany
71672552db
[fuzzer] Add a gtest-style test
Summary: Add one gtest-style test.
Test Plan: run on bot
Reviewers: samsonov
Reviewed By: samsonov
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D7287
llvm-svn: 227639
2015-01-30 23:26:57 +00:00

Kostya Serebryany
2c1b33b897
[fuzzer] add -use_full_coverage_set=1 which solves FullCoverageSetTest. This does not scale very well yet, but might be a good start.
llvm-svn: 227507
2015-01-29 23:01:07 +00:00

Kostya Serebryany
0ff86c79b4
[fuzzer] fix warning in a test
llvm-svn: 227478
2015-01-29 18:13:36 +00:00

Kostya Serebryany
6d768fcc18
[fuzzer] minor cleanup based on reviews: remove redundant includes, fix a copy-pasto in tests
llvm-svn: 227468
2015-01-29 17:16:23 +00:00

Aaron Ballman
ef11698cac
Reverting r227452, which adds back the fuzzer library. Now excluding the fuzzer library based on LLVM_USE_SANITIZE_COVERAGE being set or unset.
llvm-svn: 227464
2015-01-29 16:58:29 +00:00

Aaron Ballman
7b54ed221a
Temporarily reverting the fuzzer library as it causes too many build issues for MSVC users. This reverts: 227445, 227395, 227389, 227357, 227254, 227252
llvm-svn: 227452
2015-01-29 15:49:22 +00:00

Aaron Ballman
d39df1e24d
Adding missing #includes to try to get this to compile on Windows with Visual Studio.
llvm-svn: 227445
2015-01-29 15:19:13 +00:00

Kostya Serebryany
a8fbcf0c1f
Add lit-style tests for the Fuzzer library
Summary: Add test targets and the lit-style runner.
Test Plan: Run the tests on bot.
Reviewers: samsonov
Reviewed By: samsonov
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D7217
llvm-svn: 227389
2015-01-28 22:49:25 +00:00

Kostya Serebryany
d53b43fe11
Add a Fuzzer library
Summary:
A simple genetic in-process coverage-guided fuzz testing library.
I've used this fuzzer to test clang-format
(it found 12+ bugs, thanks djasper@ for the fixes!)
and it may also help us test other parts of LLVM.
So why not keep it in the LLVM repository?
I plan to add the cmake build rules later (in a separate patch, if that's ok)
and also add a clang-format-fuzzer target.
See README.txt for details.
Test Plan: Tests will follow separately.
Reviewers: djasper, chandlerc, rnk
Reviewed By: rnk
Subscribers: majnemer, ygribov, dblaikie, llvm-commits
Differential Revision: http://reviews.llvm.org/D7184
llvm-svn: 227252
2015-01-27 22:08:41 +00:00