wangtao
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
248,994 Commits 29 Branches 0 Tags 2.2 GiB
Commit Graph

469 Commits

Author SHA1 Message Date
Kostya Serebryany 9adc7c8b4a [libFuzzer] control the reload interval by a flag, make it 10 seconds by default 
llvm-svn: 283676
 2016-10-08 22:12:14 +00:00
Kostya Serebryany cd04ec25dd [libFuzzer] fix use-after-free in libFuzzer found by ... fuzzing. 
llvm-svn: 283675
 2016-10-08 21:57:48 +00:00
Kostya Serebryany 936b1e774f [libFuzzer] be more careful with memory usage, print peak rss in status lines 
llvm-svn: 283418
 2016-10-06 05:14:00 +00:00
Kostya Serebryany 3b564e9765 [libFuzzer] when re-running for lsan, don't look at the coverage 
llvm-svn: 283411
 2016-10-05 23:31:01 +00:00
Kostya Serebryany 1c73f1bf27 [libFuzzer] refactoring to make -shrink=1 work for value profile, added a test. 
llvm-svn: 283409
 2016-10-05 22:56:21 +00:00
Kostya Serebryany 379359c53a [libFuzzer] add ShrinkValueProfileTest, move code around, NFC 
llvm-svn: 283286
 2016-10-05 01:09:40 +00:00
Kostya Serebryany 2455f0d013 [libFuzzer] clear the corpus elements if they are evicted (i.e. smaller elements with proper coverage are found). Make sure we never try to mutate empty element. Print the corpus size in bytes in the status lines 
llvm-svn: 283279
 2016-10-05 00:25:17 +00:00
Kostya Serebryany 4820cc988f [libFuzzer] remove dfsan support and some related stale code. This is not being used and as is is pretty weak anyway 
llvm-svn: 283187
 2016-10-04 06:08:46 +00:00
Kostya Serebryany 5a52a11ce4 [libFuzzer] change the probabilities so that we choose only the inputs that are known to be minimal inputs for at least one coverage feature (works only with -shrink=1 for now) 
llvm-svn: 283178
 2016-10-04 01:51:44 +00:00
Kostya Serebryany a5f1adab56 [libFuzzer] add fuzzer test for libxml2, finds https://bugzilla.gnome.org/show_bug.cgi?id=751631 
llvm-svn: 283024
 2016-10-01 07:37:40 +00:00
Kostya Serebryany d1f31d0a49 [libFuzzer] fix a recent bugs (buffer overflow) 
llvm-svn: 283021
 2016-10-01 07:13:25 +00:00
Kostya Serebryany d216922a80 [libFuzzer] implement the -shrink=1 option that tires to make elements of the corpus smaller, off by default 
llvm-svn: 282995
 2016-10-01 01:04:29 +00:00
Kostya Serebryany 90f8f36bca [libFuzzer] remove some experimental code 
llvm-svn: 282983
 2016-09-30 23:29:27 +00:00
Kostya Serebryany 7022b94687 [libFuzzer] fix openssl fuzzer tests when running on a machine w/o openssl installed 
llvm-svn: 282972
 2016-09-30 22:35:08 +00:00
Kostya Serebryany e7e790bad6 [libFuzzer] remove unused option 
llvm-svn: 282971
 2016-09-30 22:29:57 +00:00
Kostya Serebryany b7e7a5473d [libFuzzer] move common parts of shell scripts into a separate file 
llvm-svn: 282954
 2016-09-30 21:12:30 +00:00
Kostya Serebryany cfa31b6307 [libFuzzer] add a fuzzer test that finds CVE-2015-3193 
llvm-svn: 282892
 2016-09-30 18:16:16 +00:00
Kostya Serebryany cad612a472 [libfuzzer] test for c-ares CVE-2016-5180 
llvm-svn: 282839
 2016-09-30 05:15:45 +00:00
Kostya Serebryany b3949ef885 [libFuzzer] remove the code for -print_pcs=1 with the old coverage. It still works with the new one (trace-pc-guard) 
llvm-svn: 282831
 2016-09-30 01:24:57 +00:00
Kostya Serebryany 2c55613a08 [libFuzzer] more the feature set to InputCorpus; on feature update, change the feature counter of the old best input 
llvm-svn: 282829
 2016-09-30 01:19:56 +00:00
Kostya Serebryany a9b0dd0e51 [sanitizer-coverage/libFuzzer] make the guards for trace-pc 32-bit; create one array of guards per function, instead of one guard per BB. reorganize the code so that trace-pc-guard does not create unneeded globals 
llvm-svn: 282735
 2016-09-29 17:43:24 +00:00
Kostya Serebryany a9a135b4f5 [libFuzzer] initialize ValueBitMap::NumBits 
llvm-svn: 282721
 2016-09-29 15:51:28 +00:00
Kostya Serebryany 3ee6c213d6 [libFuzzer] speedup TracePC::FinalizeTrace 
llvm-svn: 282562
 2016-09-28 01:16:24 +00:00
Kostya Serebryany 7d6935c184 [libFuzzer] run re2 test in 8 threads by default 
llvm-svn: 282469
 2016-09-27 03:33:57 +00:00
Kostya Serebryany 45c144754b [sanitizer-coverage] fix a bug in trace-gep 
llvm-svn: 282467
 2016-09-27 01:55:08 +00:00
Kostya Serebryany 53543af036 [libFuzzer] add a test based on openssl-1.0.1f (finds heartbleed) 
llvm-svn: 282460
 2016-09-27 00:27:40 +00:00
Kostya Serebryany 5ff481fd9e [libFuzzer] add -exit_on_src_pos to test libFuzzer itself, add a test script for RE2 that uses this flag 
llvm-svn: 282458
 2016-09-27 00:10:20 +00:00
Kostya Serebryany 273d767215 [libFuzzer] add a standalone build script 
llvm-svn: 282321
 2016-09-24 04:00:00 +00:00
Kostya Serebryany 0800b81a21 [libFuzzer] simplify HandleTrace again, start re-running interesting units and collecting their features. 
llvm-svn: 282316
 2016-09-23 23:51:58 +00:00
Kostya Serebryany 2d1d944f7e [libFuzzer] first steps in adding a proper automated test suite based on real-life code: add a script to build RE2 at a revision that has known bugs 
llvm-svn: 282292
 2016-09-23 20:43:22 +00:00
Kostya Serebryany 0d26de3922 [libFuzzer] reset Counters (trace-pc-guard) before every run 
llvm-svn: 282284
 2016-09-23 20:04:13 +00:00
Kostya Serebryany ce1cab169f [libFuzzer] be more precise about what we reset in TracePC 
llvm-svn: 282225
 2016-09-23 02:18:59 +00:00
Kostya Serebryany 16a145fd0f [libFuzzer] fix merging with trace-pc-guard 
llvm-svn: 282224
 2016-09-23 01:58:51 +00:00
Kostya Serebryany 87a598e19f [libFuzzer] simplify the TracePC logic 
llvm-svn: 282222
 2016-09-23 01:20:07 +00:00
Kostya Serebryany ab73c6924f [libFuzzer] move value profiling logic into TracePC 
llvm-svn: 282219
 2016-09-23 00:46:18 +00:00
Kostya Serebryany d28099de5d [libFuzzer] change ValueBitMap to remember the number of bits in it 
llvm-svn: 282216
 2016-09-23 00:22:46 +00:00
Kostya Serebryany be0ed59cdc [libFuzzer] simplify the crash minimizer; split MaxLen into two: MaxInputLen and MaxMutationLen, allow MaxMutationLen to be less than MaxInputLen 
llvm-svn: 282211
 2016-09-22 23:16:36 +00:00
Kostya Serebryany 624f59f4d8 [libFuzzer] add 'features' to the corpus elements, allow mutations with Size > MaxSize, fix sha1 in corpus stats; various refactorings 
llvm-svn: 282129
 2016-09-22 01:34:58 +00:00
Kostya Serebryany c9e3de35ed [libFuzzer] one more test 
llvm-svn: 282127
 2016-09-22 00:57:29 +00:00
Kostya Serebryany 29bb664075 [libFuzzer] add stats to the corpus; more refactoring 
llvm-svn: 282121
 2016-09-21 22:42:17 +00:00
Kostya Serebryany 20801e1b8a [libFuzzer] more refactoring; don't compute sha1sum every time we mutate a unit from the corpus, use the stored one. 
llvm-svn: 282115
 2016-09-21 21:41:48 +00:00
Kostya Serebryany 8658618ea0 [libFuzzer] more refactoring 
llvm-svn: 282113
 2016-09-21 21:17:23 +00:00
Kostya Serebryany 225d8e45d4 [libFuzzer] fix libc++ build 
llvm-svn: 282050
 2016-09-21 03:50:37 +00:00
Kostya Serebryany 556894fb10 [libFuzzer] more refactoring; NFC 
llvm-svn: 282047
 2016-09-21 02:05:39 +00:00
Kostya Serebryany 6f5a804cdb [libFuzzer] refactoring: split the large header into many; NFC 
llvm-svn: 282044
 2016-09-21 01:50:50 +00:00
Kostya Serebryany 09aa01a6f8 [libFuzzer] refactoring: move the Corpus into a separate class; delete two unused experimental features 
llvm-svn: 282042
 2016-09-21 01:04:43 +00:00
Kostya Serebryany 3750c04f7e [libFuzzer] use sleep() instead of std::this_thread::sleep_for to avoid coverage from instrumented libc++ 
llvm-svn: 281933
 2016-09-19 20:32:34 +00:00
Kostya Serebryany b706b481ba [libFuzzer] add -print_coverage=1 flag to print coverage directly from libFuzzer 
llvm-svn: 281866
 2016-09-18 21:47:08 +00:00
Kostya Serebryany 8e781a888a [libFuzzer] use 'if guard' instead of 'if guard >= 0' with trace-pc; change the guard type to intptr_t; use separate array for 8-bit counters 
llvm-svn: 281845
 2016-09-18 04:52:23 +00:00
Kostya Serebryany bc3789a919 [libFuzzer] properly reset the guards when reseting the coverage. Also try to fix check-fuzzer on the bot 
llvm-svn: 281814
 2016-09-17 06:01:55 +00:00
Kostya Serebryany 3e36ec1d18 [libFuzzer] change trace-pc to use 8-byte guards 
llvm-svn: 281810
 2016-09-17 05:04:47 +00:00
Kostya Serebryany 0984517021 [libFuzzer] make caller-callee feedback work with trace-pc-guard 
llvm-svn: 281667
 2016-09-15 22:16:15 +00:00
Kostya Serebryany 21c3573733 [libFuzzer] fix the build for AFLDriverTest 
llvm-svn: 281633
 2016-09-15 18:10:38 +00:00
Kostya Serebryany 09e416615e [libFuzzer] disable test that requires debug info -- it fails on the bot 
llvm-svn: 281584
 2016-09-15 05:46:58 +00:00
Kostya Serebryany 0b47fbcb30 [libFuzzer] move the AFL driver build rule test into the uninstrumented dir 
llvm-svn: 281583
 2016-09-15 05:17:39 +00:00
Kostya Serebryany 33a497abf4 [libFuzzer] fix print_pcs test 
llvm-svn: 281580
 2016-09-15 04:43:06 +00:00
Kostya Serebryany 5350178487 [libFuzzer] implement print_pcs with trace-pc-guard. Change the trace-pc-guard heuristic for 8-bit counters to look more like in AFL (not that it's provable better, but the existin test preferes this heuristic) 
llvm-svn: 281577
 2016-09-15 04:36:45 +00:00
Kostya Serebryany a5277d59d0 [libFuzzer] add 8-bit counters to trace-pc-guard handler 
llvm-svn: 281568
 2016-09-15 01:30:18 +00:00
Kostya Serebryany a00b243c75 [libFuzzer] start using trace-pc-guard as an alternative source of coverage 
llvm-svn: 281435
 2016-09-14 02:13:06 +00:00
Kostya Serebryany 8c537c556a [libFuzzer] print a failed-merge warning only in the merge mode 
llvm-svn: 281130
 2016-09-10 02:17:22 +00:00
Kostya Serebryany 4529960a3b [libFuzzer] don't print help for internal flags 
llvm-svn: 281124
 2016-09-10 00:35:30 +00:00
Kostya Serebryany b991cc1f0e [libFuzzer] print a visible message if merge fails due to a crash 
llvm-svn: 281122
 2016-09-10 00:15:41 +00:00
Kostya Serebryany 1837152a34 [libFuzzer] use sizeof() in tests instead of 4 and 8 
llvm-svn: 281111
 2016-09-09 22:21:16 +00:00
Kostya Serebryany 4b17a331ae [libFuzzer] one more puzzle for value profile 
llvm-svn: 281106
 2016-09-09 21:58:42 +00:00
Kostya Serebryany 00ef27112e [libFuzzer] one more puzzle, value_profile cracks it in a second 
llvm-svn: 281066
 2016-09-09 18:00:04 +00:00
Kostya Serebryany b76a2a5503 [libFuzzer] improve -print_pcs to not print new PCs coming from libFuzzer itself 
llvm-svn: 281016
 2016-09-09 02:38:28 +00:00
Kostya Serebryany 8ea4f9873b [libFuzzer] remove unneeded call 
llvm-svn: 281014
 2016-09-09 01:57:38 +00:00
Kostya Serebryany 5c04bd250e [libFuzzer] remove use_traces=1 since use_value_profile seems to be strictly better 
llvm-svn: 281007
 2016-09-09 01:17:03 +00:00
Kostya Serebryany e2d0f63654 [libFuzzer] add -minimize_crash flag (to minimize crashers). also add two tests that I failed to commit last time 
llvm-svn: 280332
 2016-09-01 01:22:27 +00:00
Mike Aizatsky b077d3fef2 [libfuzzer] simplified unit truncation; do not write trunc items to disc 
Differential Revision: https://reviews.llvm.org/D24049

llvm-svn: 280153
 2016-08-30 20:49:07 +00:00
Kostya Serebryany a016a45d60 [libFuzzer] fix a bug when running a single unit of N bytes with -max_len=M, M<N, caused a buffer overflow 
llvm-svn: 280098
 2016-08-30 14:52:05 +00:00
Kostya Serebryany 248d11519a [libFuzzer] stop using bits for memcmp's value profile -- seems to blow up the corpus too much 
llvm-svn: 280096
 2016-08-30 14:39:33 +00:00
Kostya Serebryany d4492f8101 [libFuzzer] use bits instead of bytes for memcmp/strcmp value profile -- the fuzzer reaches the goal much faster, at least on the simple puzzles 
llvm-svn: 280054
 2016-08-30 03:05:50 +00:00
Kostya Serebryany 4d22e4fcb9 [libFuzzer] use trace-div and trace-gep for guided fuzzing, add tests 
llvm-svn: 280046
 2016-08-30 01:30:14 +00:00
Kostya Serebryany 3e5991e540 [libFuzzer] simplify a test to make it pass on the bot 
llvm-svn: 279796
 2016-08-26 00:18:16 +00:00
Kostya Serebryany 1426f59a76 [libFuzzer] make sure we have symbols on fuzzer tests 
llvm-svn: 279792
 2016-08-25 23:30:02 +00:00
Kostya Serebryany 0f0fa4faf2 [libFizzer] rename -print_new_cov_pcs=1 into -print_pcs=1 and make it more useful: print PCs only after the initial corpus has been read and symbolize them 
llvm-svn: 279787
 2016-08-25 22:35:08 +00:00
Kostya Serebryany f67357c671 [libFuzzer] simplify the code, NFC 
llvm-svn: 279697
 2016-08-25 01:25:03 +00:00
Kostya Serebryany 41bcb830af [libFuzzer] make a test more deterministic 
llvm-svn: 279686
 2016-08-24 23:10:17 +00:00
Kostya Serebryany bceadcf1cd [libFuzzer] use __attribute__((target("popcnt"))) only on x86_64 
llvm-svn: 279601
 2016-08-24 01:38:42 +00:00
Kostya Serebryany ac524cfcce [libFuzzer] collect 64 states for value profile, not 65 
llvm-svn: 279588
 2016-08-23 23:37:37 +00:00
Kostya Serebryany a533e514b8 [libFuzzer] fix the non-debug build warnings 
llvm-svn: 279321
 2016-08-19 20:57:09 +00:00
Kostya Serebryany 32661f9d66 [libFuzzer] add more __attribute__((visibility("default"))) 
llvm-svn: 279143
 2016-08-18 20:52:52 +00:00
Kostya Serebryany 524c3f32e7 [sanitizer-coverage/libFuzzer] instrument comparisons with __sanitizer_cov_trace_cmp[1248] instead of __sanitizer_cov_trace_cmp, don't pass the comparison type to save a bit performance. Use these new callbacks in libFuzzer 
llvm-svn: 279027
 2016-08-18 01:25:28 +00:00
Kostya Serebryany 5a5d5548f0 [libFuzzer] force proper popcnt instruction 
llvm-svn: 279002
 2016-08-17 23:09:57 +00:00
Kostya Serebryany e72774dd69 [libFuzzer] given 0 and 255 more preference when inserting repeated bytes 
llvm-svn: 278986
 2016-08-17 21:50:54 +00:00
Kostya Serebryany 0c537b124c [libFuzzer] one more mutation: ChangeBinaryInteger; also fix the breakage from r278970 
llvm-svn: 278982
 2016-08-17 21:30:30 +00:00
Kostya Serebryany a9a548049a [libFuzzer] when printing the reproducer input, also print the base input and the mutation sequence 
llvm-svn: 278975
 2016-08-17 20:45:23 +00:00
Justin Bogner cd1d5aaf2e Replace a few more "fall through" comments with LLVM_FALLTHROUGH 
Follow up to r278902. I had missed "fall through", with a space.

llvm-svn: 278970
 2016-08-17 20:30:52 +00:00
Kostya Serebryany a7398ba024 [libFuzzer] more mutations 
llvm-svn: 278950
 2016-08-17 18:10:42 +00:00
Kostya Serebryany 3044390af1 [libFuzzer] minor speed improvement 
llvm-svn: 278856
 2016-08-16 21:28:05 +00:00
Kostya Serebryany d46a59fac4 [libFuzzer] new experimental feature: value profiling. Profiles values that affect control flow and treats new values as new coverage. 
llvm-svn: 278839
 2016-08-16 19:33:51 +00:00
Kostya Serebryany c98ef718ea [libFuzzer] refactoring around PCMap, NFC 
llvm-svn: 278825
 2016-08-16 17:37:13 +00:00
Kostya Serebryany bdb220c7a0 [libFuzzer] print a verbose message after executing inputs in non-fuzzing mode 
llvm-svn: 278724
 2016-08-15 19:44:04 +00:00
Kostya Serebryany a0d40a21e7 [libFuzzer] fix the bot 
llvm-svn: 278721
 2016-08-15 19:36:13 +00:00
Kostya Serebryany dfbe59b03d [libFuzzer] add InsertRepeatedBytes and EraseBytes. 
New mutation: InsertRepeatedBytes.
Updated mutation: EraseByte => EraseBytes.

This helps https://github.com/google/sanitizers/issues/710
where libFuzzer was not able to find a known bug.
Now it finds it in minutes.

Hopefully, the change is general enough to help other targets.

llvm-svn: 278687
 2016-08-15 17:48:28 +00:00
Dan Liew ed3c9cae49 [LibFuzzer] Fix `-jobs=<N>` where <N> > 1 and the number of workers is > 1 on macOS. 
The original `ExecuteCommand()` called `system()` from the C library.
The C library implementation of this on macOS contains a mutex which
serializes calls to `system()`. This prevented the `-jobs=` flag
from running copies of the fuzzing binary in parallel which is
the opposite of what is intended.

To fix this on macOS an alternative implementation of `ExecuteCommand()`
is provided that can be used concurrently. This is provided in
`FuzzerUtilDarwin.cpp` which is guarded to only compile code on Apple
platforms. The existing implementation has been moved to a new file
`FuzzerUtilLinux.cpp` which is guarded to only compile code on Linux.

This commit includes a simple test to check that LibFuzzer is being
executed in parallel when requested.

Differential Revision: https://reviews.llvm.org/D22742

llvm-svn: 278544
 2016-08-12 18:29:36 +00:00
Kostya Serebryany 728447bd3b [libFuzzer] make libFuzzer work with a bit older clang versions 
llvm-svn: 277941
 2016-08-06 21:28:56 +00:00
Kostya Serebryany ff1f2107ec [libFuzzer] don't print bogus error message 
llvm-svn: 277940
 2016-08-06 21:23:29 +00:00
Mike Aizatsky a8e84b9b37 [libfuzzer] do not warn about missing pcbuffer functions: they are new. 
llvm-svn: 277927
 2016-08-06 17:03:22 +00:00