RPCS3/llvm-mirror
1
0
Fork 0
mirror of https://github.com/RPCS3/llvm-mirror.git synced 2024-11-26 04:32:44 +01:00
Code Issues Projects Releases Wiki Activity
137,813 Commits 4 Branches 5 Tags 704 MiB
a73451f514
Commit Graph

355 Commits

Author SHA1 Message Date
Kostya Serebryany
abf7df0972 [libFuzzer] simplify CTOR of MutationDispatcher 
llvm-svn: 260800
 2016-02-13 03:46:26 +00:00
Kostya Serebryany
cca951bf4c [libFuzzer] get rid of MutationDispatcher::Impl (simplify the code; NFC) 
llvm-svn: 260799
 2016-02-13 03:37:24 +00:00
Kostya Serebryany
b9687a1cc3 [libFuzzer] get rid of UserSuppliedFuzzer; NFC 
llvm-svn: 260798
 2016-02-13 03:25:16 +00:00
Kostya Serebryany
9bf814b9ec [libFuzzer] simplify the code around Random. NFC 
llvm-svn: 260797
 2016-02-13 03:00:53 +00:00
Kostya Serebryany
1bb500faf8 [libFuzzer] remove UserSuppliedFuzzer from the interface (it was a bad idea). 
llvm-svn: 260796
 2016-02-13 02:39:30 +00:00
Kostya Serebryany
b2451a8b09 [libFuzzer] provide a plain C interface for custom mutators (experimental) 
llvm-svn: 260794
 2016-02-13 02:29:38 +00:00
Kostya Serebryany
cf66bc968c [libFuzzer] make -runs=N flag also affect the simple runner (will execute every input N times) 
llvm-svn: 260649
 2016-02-12 02:32:03 +00:00
Mike Aizatsky
c1c7e55502 [libfuzzer] Removing coverage-related flags from asan options. 
Summary:
Reasons to remove are twofold:
 - we don't really need coverage=1 for libfuzzer operation
 - makes controlling coverage for fuzzer processes non-trivial.

Differential Revision: http://reviews.llvm.org/D17168

llvm-svn: 260611
 2016-02-11 22:20:34 +00:00
Kostya Serebryany
b6b4bc42cc [libFuzzer] hot fix a test 
llvm-svn: 259732
 2016-02-04 00:12:28 +00:00
Kostya Serebryany
036c2a2dea [libFuzzer] don't write the test unit when a leak is detected (since we don't know which unit causes the leak) 
llvm-svn: 259731
 2016-02-04 00:02:17 +00:00
Kostya Serebryany
aa6ade3737 [libFuzzer] don't create too many trace-based mutations as it may be too slow 
llvm-svn: 259600
 2016-02-02 23:17:45 +00:00
Kostya Serebryany
4b2ab57d9f [libFuzzer] allow passing 1 or more files as individual inputs 
llvm-svn: 259459
 2016-02-02 03:03:47 +00:00
Kostya Serebryany
dd149f22ae [libFuzzer] fail if the corpus dir does not exist 
llvm-svn: 259454
 2016-02-02 02:07:26 +00:00
Kostya Serebryany
e3ec64cf18 [libFuzzer] add -timeout_exitcode option 
llvm-svn: 259265
 2016-01-29 23:30:07 +00:00
Kostya Serebryany
ccb79d88ac [libFuzzer] re-enable test for -abort_on_timeout=1, this time protecting from ASAN_OPTIONS set outside 
llvm-svn: 259263
 2016-01-29 23:19:00 +00:00
Ivan Krasin
09873095d3 Temporary disable broken fuzzer/timeout tests. 
Reviewers: kcc

Differential Revision: http://reviews.llvm.org/D16543

llvm-svn: 258702
 2016-01-25 19:05:45 +00:00
Kostya Serebryany
0c11655f17 [libFuzzer] add -abort_on_timeout option 
llvm-svn: 258631
 2016-01-23 19:34:19 +00:00
Kostya Serebryany
548cef831b [libFuzzer] add more fields to DictionaryEntry to count the number of uses and successes 
llvm-svn: 258589
 2016-01-22 23:55:14 +00:00
Ivan Krasin
ce1bcd8c31 Use std::piecewise_constant_distribution instead of ad-hoc binary search. 
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.

Note: this is the second attempt (prev: r258473). Now, libc++ build is fixed.

Reviewers: aizatsky, kcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D16487

llvm-svn: 258571
 2016-01-22 22:28:27 +00:00
Ivan Krasin
7b4522dc59 Revert r258473 as it's breaking the build with libc++ 
Reviewers: kcc

Differential Revision: http://reviews.llvm.org/D16441

llvm-svn: 258479
 2016-01-22 03:21:52 +00:00
Ivan Krasin
db4009626d Use std::piecewise_constant_distribution instead of ad-hoc binary search. 
Summary:
Fix the issue with the most recently discovered unit receiving much less attention.

Note: I had to change the seed for one test to make it pass. Alternatively,
the number of runs could be increased. I believe that the average time of
'foo' discovery is not increased, just seed=1 was particularly convenient
for the previous PRNG scheme used.

Reviewers: aizatsky, kcc

Subscribers: llvm-commits, kcc

Differential Revision: http://reviews.llvm.org/D16419

llvm-svn: 258473
 2016-01-22 01:32:34 +00:00
Kostya Serebryany
f7155b3e82 [libFuzzer] don't do expensive memmem if the result will not be used 
llvm-svn: 258462
 2016-01-22 01:04:58 +00:00
Kostya Serebryany
0b3db26b9a [libFuzzer] don't use std::vector in one more hot path 
llvm-svn: 258380
 2016-01-21 01:52:14 +00:00
Mike Aizatsky
d01a744fd9 [libfuzzer] use %p for printing addresses 
llvm-svn: 258370
 2016-01-21 00:02:09 +00:00
Kostya Serebryany
8820217862 [libFuzzer] use std::mt19937 for generating random numbers by default. Fix MyStoll to handle negative values. Use std::any_of instead of std::find_if 
llvm-svn: 258178
 2016-01-19 20:33:57 +00:00
Kostya Serebryany
0ae292d42e [libFuzzer] replace vector with a simpler data structure in the Dictionaries to avoid memory allocations on hot path 
llvm-svn: 257985
 2016-01-16 03:53:32 +00:00
Kostya Serebryany
d65aa3494d [libFuzzer] introduce LLVMFuzzerInitialize 
llvm-svn: 257980
 2016-01-16 01:23:12 +00:00
Kostya Serebryany
87079ee20d [libFuzzer] move some code from public interface header to a non-public header. NFC 
llvm-svn: 257963
 2016-01-16 00:04:36 +00:00
Kostya Serebryany
b40c61f46c [libFuzzer] do mutations based on memcmp/strcmp interceptors under a separate flag (-use_memcmp, default=1) 
llvm-svn: 257873
 2016-01-15 06:24:05 +00:00
Kostya Serebryany
2afdf677ec [libFuzzer] use custom stol; also introduce __libfuzzer_is_present so that users can check for its presence. 
llvm-svn: 257848
 2016-01-15 00:17:37 +00:00
Kostya Serebryany
f77ffed10e [libFuzzer] suggest a dictionary to the user of some of the trace-based dictionary entries were successful 
llvm-svn: 257736
 2016-01-14 02:36:44 +00:00
Kostya Serebryany
f050542d8f [libFuzzer] make CurrentUnit a POD object instead of vector to avoid extra allocations 
llvm-svn: 257713
 2016-01-13 23:46:01 +00:00
Kostya Serebryany
89262beb8c [libFuzzer] make sure we find buffer overflow in the input buffer. Previously, re-using the same vector object was hiding buffer overflows (unless we used annotated vector) 
llvm-svn: 257701
 2016-01-13 23:02:30 +00:00
Kostya Serebryany
ec88d2d728 [libFuzzer] make sure to update CurrentUnit when drilling 
llvm-svn: 257560
 2016-01-13 01:58:27 +00:00
Kostya Serebryany
7902538e08 [libFuzzer] add a macro LLVM_FUZZER_DEFINES_SANITIZER_WEAK_HOOOKS 
llvm-svn: 257482
 2016-01-12 16:50:18 +00:00
Kostya Serebryany
df2508fcaf [libFuzzer] when a new unit is discovered using a dictionary, print all used dictionary entries 
llvm-svn: 257435
 2016-01-12 02:36:59 +00:00
Kostya Serebryany
929ac07474 [libFuzzer] add various debug prints. Also don't mutate based on a cmp trace like (a eq a) or (a neq a) 
llvm-svn: 257434
 2016-01-12 02:08:37 +00:00
Kostya Serebryany
dbfeeafbb3 [libFuzzer] extend the weak memcmp/strcmp/strncmp interceptors to receive the result of the computations. With that, don't do any mutations if memcmp/etc returned 0 
llvm-svn: 257423
 2016-01-12 00:43:42 +00:00
Kostya Serebryany
b57e7c0541 [libFuzzer] debug prints in tracing 
llvm-svn: 257249
 2016-01-09 03:46:08 +00:00
Kostya Serebryany
bdc66ac566 [libFuzzer] change the way trace-based mutations are applied. Instead of a custom code just rely on the automatically created dictionary 
llvm-svn: 257248
 2016-01-09 03:08:58 +00:00
Kostya Serebryany
591d2f9d2d [libFuzzer] don't limit memcmp tracing with 8 bytes 
llvm-svn: 257245
 2016-01-09 01:39:55 +00:00
Kostya Serebryany
71864fdc77 [libFuzzer] refactor the way we collect cmp traces (don't use std::vector, don't limit with 8 bytes) 
llvm-svn: 257239
 2016-01-09 00:38:40 +00:00
Kostya Serebryany
da719cf533 [libFuzzer] add a position hint to the dictionary-based mutator 
llvm-svn: 257013
 2016-01-07 01:49:35 +00:00
Kostya Serebryany
2c6246a7e6 [libFuzzer] extend the dictionary mutator to optionally overwrite data with the dict entry 
llvm-svn: 256900
 2016-01-06 02:13:04 +00:00
Mike Aizatsky
b1bf6550e4 [libfuzzer] print_new_cov_pcs experimental option. 
Differential Revision: http://reviews.llvm.org/D15901

llvm-svn: 256882
 2016-01-06 00:21:22 +00:00
Kostya Serebryany
7d302bb908 [libFuzzer] make trace-based fuzzing not crash in presence of threads 
llvm-svn: 256876
 2016-01-06 00:03:35 +00:00
Kostya Serebryany
066e99fd12 [libFuzzer] add AFL-style dictionary for C++, remove the old file with tokens 
llvm-svn: 256229
 2015-12-22 01:50:51 +00:00
Kostya Serebryany
4165eed18e [libFuzzer] deprecate -save_minimized_corpus, -merge can be used instead 
llvm-svn: 256086
 2015-12-19 03:42:16 +00:00
Kostya Serebryany
9332fb3411 [libFuzzer] split the tests to run them in parallel, remove one redundant test 
llvm-svn: 256085
 2015-12-19 03:35:30 +00:00
Kostya Serebryany
ab36ca708c [libFuzzer] make CrossOver just one of the other mutations 
llvm-svn: 256081
 2015-12-19 02:49:09 +00:00
Kostya Serebryany
e4adf51693 [libFuzzer] print successfull mutations sequences 
llvm-svn: 256071
 2015-12-19 01:09:49 +00:00
Peter Collingbourne
f8ab9e45d0 Fuzzer: Fix library dependencies. 
Newer versions of libstdc++ (4.9+), as well as libc++, depend directly on
libpthread from the standard library headers, so libfuzzer needs to declare
a standard library dependency.

llvm-svn: 255745
 2015-12-16 02:14:57 +00:00
Mike Aizatsky
ea27e92765 [LibFuzzer] Introducing FUZZER_FLAG_UNSIGNED and using it for seeding. 
Differential Revision: http://reviews.llvm.org/D15339

done

llvm-svn: 255296
 2015-12-10 20:41:53 +00:00
Kostya Serebryany
d2117b7607 [libFuzzer] don't reload the corpus more than once every second 
llvm-svn: 254824
 2015-12-05 02:09:22 +00:00
Kostya Serebryany
a69b412cc5 [libFuzzer] compute base64 in-process instead of using an external lib. Since libFuzzer should not depend on anything, just re-implement base64 encoder. PR25746 
llvm-svn: 254784
 2015-12-04 22:29:39 +00:00
Mike Aizatsky
2444b7e49b Libfuzzer: do not pass null into user function 
Differential Revision: http://reviews.llvm.org/D15098

llvm-svn: 254558
 2015-12-02 22:43:53 +00:00
Kostya Serebryany
6b2a558b5e [libFuzzer] add a test that is built with -fsanitize-coverage=trace-bb 
llvm-svn: 254484
 2015-12-02 02:49:37 +00:00
Kostya Serebryany
4b6eeeca4b [libFuzzer] add a flag -exact_artifact_path 
llvm-svn: 254100
 2015-11-25 21:40:46 +00:00
Kostya Serebryany
41c09f4dbc [libFuzzer] don't crash when reporting a leak in test_single_input mode 
llvm-svn: 253761
 2015-11-21 03:46:43 +00:00
Kostya Serebryany
3250d874fb [libFuzzer] remove default initializer as a workaround for https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68399. Don't need it anyway. 
llvm-svn: 253419
 2015-11-18 01:08:30 +00:00
Kostya Serebryany
2f218614e9 [libFuzzer] make libFuzzer build even with a compiler that does not have sanitizer headers 
llvm-svn: 253003
 2015-11-13 01:54:40 +00:00
Mike Aizatsky
4afb4aff05 output_csv libfuzzer option 
Summary:
The option outputs statistics in CSV format preceded by 1 header line.
This is intended for machine processing of the output.
-verbosity=0 should likely be set.

Differential Revision: http://reviews.llvm.org/D14600

llvm-svn: 252856
 2015-11-12 04:38:40 +00:00
Kostya Serebryany
745d4188ac [libFuzzer] experimental flag -drill (another search heuristic; Mike Aizatsky's idea) 
llvm-svn: 252838
 2015-11-12 01:02:01 +00:00
Kostya Serebryany
53bfef8ad6 [libFuzzer] add UninstrumentedTest.cpp (missing from a previous commit) 
llvm-svn: 252658
 2015-11-10 22:02:56 +00:00
Kostya Serebryany
548bb85f31 [libFuzzer] make libFuzzer link if there is no sanitizer coverage instrumentation (it will fail at start-up time) 
llvm-svn: 252533
 2015-11-09 23:17:45 +00:00
Kostya Serebryany
23d6a0a60f [libFuzzer] print a bit fewer lines 
llvm-svn: 252123
 2015-11-05 01:19:42 +00:00
Kostya Serebryany
9d859680b2 [libFuzzer] when choosing the next unit to mutate, give some preference to the most recent units (they are more likely to be interesting) 
llvm-svn: 252097
 2015-11-04 23:22:25 +00:00
Kostya Serebryany
6ba411ce7a [libFuzzer] make -test_single_input more reliable: make sure the input's size is equal to it's capacity 
llvm-svn: 251961
 2015-11-03 18:57:25 +00:00
Kostya Serebryany
c171514e30 [libFuzzer] add -merge flag to merge corpora 
llvm-svn: 251168
 2015-10-24 01:16:40 +00:00
Kostya Serebryany
f03686178a [libFuzzer] remove some old code; also make __sanitizer_get_total_unique_caller_callee_pairs weak so that newer libFuzzer works with older asan 
llvm-svn: 251133
 2015-10-23 18:37:58 +00:00
Kostya Serebryany
829e28a729 [libFuzzer] use the indirect caller-callee counter as an independent search heuristic 
llvm-svn: 251078
 2015-10-22 23:55:39 +00:00
Kostya Serebryany
8c8cba5fa8 [libFuzzer] more refactoring the code that checks the coverage. NFC 
llvm-svn: 251075
 2015-10-22 22:56:45 +00:00
Kostya Serebryany
e6c24f1866 [libFuzzer] refactoring the code that checks the coverage. NFC 
llvm-svn: 251074
 2015-10-22 22:50:47 +00:00
Kostya Serebryany
99fe4b430c [libFuzzer] remove the deprecated 'tokens' feature 
llvm-svn: 251069
 2015-10-22 21:48:09 +00:00
Craig Topper
c8409f4435 Make a bunch of static arrays const. 
llvm-svn: 250642
 2015-10-18 05:15:34 +00:00
Kostya Serebryany
b30ba817ce [libFuzzer] add -shuffle flag 
llvm-svn: 250603
 2015-10-17 04:38:26 +00:00
Kostya Serebryany
a51be6eaa4 [libFuzzer] print a stack trace on timeout 
llvm-svn: 250571
 2015-10-16 23:04:31 +00:00
Kostya Serebryany
c1fcef367b [libFuzzer] reduce the size of artifacts printed on the screen 
llvm-svn: 250565
 2015-10-16 22:47:20 +00:00
Kostya Serebryany
47e5e62e71 [libFuzzer] When -test_single_input crashes the test it is not necessary to write crash-file because input is already known to the user. Patch by Mike Aizatsky 
llvm-svn: 250564
 2015-10-16 22:41:47 +00:00
Kostya Serebryany
98ed53705f [libFuzzer] don't print large artifacts to stderr 
llvm-svn: 249808
 2015-10-09 04:03:14 +00:00
Kostya Serebryany
e3d637a4af [libFuzzer] add -artifact_prefix flag 
llvm-svn: 249807
 2015-10-09 03:57:59 +00:00
Kostya Serebryany
6e1f94e9cd [libFuzzer] fix 32-bit build 
llvm-svn: 249646
 2015-10-08 00:59:25 +00:00
Kostya Serebryany
d0d9f0b833 [libFuzzer] trying to fix at-exit hang 
llvm-svn: 249231
 2015-10-03 07:02:05 +00:00
Kostya Serebryany
4487114c63 [libFuzzer] make LLVMFuzzerTestOneInput (the fuzzer target function) return int instead of void. The actual return value is not *yet* used (and expected to be 0). This change is API breaking, so the fuzzers will need to be updated. 
llvm-svn: 249214
 2015-10-02 23:34:06 +00:00
Kostya Serebryany
20a00e008b [libFuzzer] remove experimental flag and functionality 
llvm-svn: 249194
 2015-10-02 22:00:32 +00:00
Kostya Serebryany
70f0401f05 [libFuzzer] add a flag -max_total_time 
llvm-svn: 249181
 2015-10-02 20:47:55 +00:00
Ivan Krasin
b941371206 [LibFuzzer] test_single_input option to run a single test case. 
-test_single_input flag specifies a file name with test data.

Review URL: http://reviews.llvm.org/D13359

Patch by Mike Aizatsky!

llvm-svn: 249096
 2015-10-01 23:23:06 +00:00
Kostya Serebryany
8474784569 [libFuzzer] Marking exported symbols as visible. Patch by Mike Aizatsky 
llvm-svn: 248954
 2015-09-30 22:22:37 +00:00
Kostya Serebryany
6c4e275248 [libFuzzer] perform fewer crossover operations compared to plain mutations 
llvm-svn: 247364
 2015-09-11 00:20:58 +00:00
Kostya Serebryany
19cfb70c6a [libFuzzer] refactor the code to allow building libFuzzer on platforms that don't have dfsan and don't support weak functions 
llvm-svn: 247321
 2015-09-10 18:48:38 +00:00
Kostya Serebryany
0001c18d8c [libFuzzer] add two more variants of FuzzerDriver for convenience 
llvm-svn: 247300
 2015-09-10 16:57:57 +00:00
Ivan Krasin
cc79d453f1 [libFuzzer]Add a test for defeating a hash sum. 
Summary:
Add a test for a data followed by 4-byte hash value.
I use a slightly modified Jenkins hash function,
as described in https://en.wikipedia.org/wiki/Jenkins_hash_function

The modification is to ensure that hash(zeros) != 0.

Reviewers: kcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D12648

llvm-svn: 247076
 2015-09-08 21:22:52 +00:00
Kostya Serebryany
a2e2e93ba1 [libFuzzer] remove a piece of stale code 
llvm-svn: 247067
 2015-09-08 20:40:10 +00:00
Kostya Serebryany
04cc0059e2 [libFuzzer] be more robust when dealing with files on disk (e.g. don't crash if a file was there but disappeared) 
llvm-svn: 247066
 2015-09-08 20:36:33 +00:00
Kostya Serebryany
2d2cfbe976 [libFuzzer] better documentatio for -save_minimized_corpus=1 
llvm-svn: 247033
 2015-09-08 17:43:51 +00:00
Kostya Serebryany
28b0d0ab37 [libFuzzer] remove -iterations as redundant (there is also -num_runs) 
llvm-svn: 247030
 2015-09-08 17:30:35 +00:00
Kostya Serebryany
a575372f59 [libFuzzer] add one more mutator: Mutate_ChangeASCIIInteger 
llvm-svn: 247027
 2015-09-08 17:19:31 +00:00
Kostya Serebryany
22e4458e65 [libFuzzer] more accurate logic for traces, 80-char fix 
llvm-svn: 246888
 2015-09-04 22:32:25 +00:00
Kostya Serebryany
2c51ca12e7 [libFuzzer] when a single mutation fails try a few more times with other mutations before returning un-mutated data 
llvm-svn: 246828
 2015-09-04 00:40:29 +00:00
Kostya Serebryany
28a699d9b8 [libFuzzer] actually make the dictionaries work (+docs) 
llvm-svn: 246825
 2015-09-04 00:12:11 +00:00
Kostya Serebryany
3eaa9123bf [libFuzzer] refactor the mutation functions so that they are now methods of a class. NFC 
llvm-svn: 246808
 2015-09-03 21:24:19 +00:00
Kostya Serebryany
3b60fc1204 [libFuzzer] adding a parser for AFL-style dictionaries + tests. 
llvm-svn: 246800
 2015-09-03 20:23:46 +00:00
Kostya Serebryany
d4b7d4667f [libFuzzer] deprecate the -tokens flag. This was a bad idea because the corpus with this flag contains encrypted inputs, not the real inputs, which complicates interoperation with other fuzzers. Instead we'll need to implement AFL dictionary support 
llvm-svn: 246734
 2015-09-02 23:27:39 +00:00
Kostya Serebryany
9c0479fa99 [libFuzzer] honour -only_ascii=1 when reading the initial corpus. Also, remove ugly #ifdef 
llvm-svn: 246689
 2015-09-02 19:08:08 +00:00
Kostya Serebryany
0e83baec1a [libFuzzer] fix minor inefficiency, PR24584 
llvm-svn: 246087
 2015-08-26 21:55:19 +00:00
Lenny Maiorani
1850ddfeb6 Fix missing space in libfuzzer's help text. 
llvm-svn: 244800
 2015-08-12 20:00:10 +00:00
Kostya Serebryany
a9d3e6b2dc [libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied 
llvm-svn: 244712
 2015-08-12 01:55:37 +00:00
Kostya Serebryany
2bdb9ad059 [libFuzzer] add colons to the stats output to avoid confusion 
llvm-svn: 244708
 2015-08-12 01:04:27 +00:00
Kostya Serebryany
5a4f36556e [libFuzzer] use raw C IO to reduce the risk of a deadlock in a signal handler. 
llvm-svn: 244707
 2015-08-12 00:55:09 +00:00
Nick Lewycky
1bff8578d4 Fix unused variable 'X' in release builds. 
llvm-svn: 244571
 2015-08-11 05:57:10 +00:00
Kostya Serebryany
1c2b96fda9 [libFuzzer] add -only_ascii flag 
llvm-svn: 244559
 2015-08-11 01:44:42 +00:00
Yaron Keren
b598ba7c7c Add missing include guard to FuzzerInternal.h, NFC. 
llvm-svn: 244457
 2015-08-10 16:37:40 +00:00
Kostya Serebryany
90b784ccc2 [libFuzzer] move the mutators to public interface so that custom mutators may reuse these functions directly 
llvm-svn: 244250
 2015-08-06 19:19:55 +00:00
Kostya Serebryany
acf2228ee8 [libFuzzer] add one more mutation strategy: byte shuffling 
llvm-svn: 244188
 2015-08-06 01:29:13 +00:00
Kostya Serebryany
c721977710 [libFuzzer] avoid build warnings in non-assert build (useful warning in this case) 
llvm-svn: 244177
 2015-08-05 23:44:42 +00:00
Kostya Serebryany
4338e69a99 [libFuzzer] in dfsan mode, set labels every time we start recording traces as opposed to doing it at process startup. This ensures that the labels are fresh. 
llvm-svn: 244165
 2015-08-05 23:02:57 +00:00
Kostya Serebryany
80051e17c0 [libFuzzer] add option -report_slow_units=Nsec to control when slow units are printed 
llvm-svn: 244152
 2015-08-05 21:43:48 +00:00
Kostya Serebryany
5be4cb583e [libFuzzer] add a missing test file 
llvm-svn: 244151
 2015-08-05 21:32:13 +00:00
Kostya Serebryany
897a5553b1 [libFuzzer] use data-flow feedback from strcmp 
llvm-svn: 244084
 2015-08-05 18:23:01 +00:00
Kostya Serebryany
7ee2b779f7 [libFuzzer] more refactoring of the Mutator and adding tests to it 
llvm-svn: 243818
 2015-08-01 02:23:06 +00:00
Kostya Serebryany
82464edd32 [libFuzzer] start refactoring the Mutator and adding tests to it 
llvm-svn: 243817
 2015-08-01 01:42:51 +00:00
Kostya Serebryany
7a9f5ff70b [libFuzzer] limit the size of the inputs printed to stderr 
llvm-svn: 243795
 2015-07-31 22:07:17 +00:00
Kostya Serebryany
a9e61b09d8 [libFuzzer] make sure that 2-byte arguments of switch() are handled properly 
llvm-svn: 243781
 2015-07-31 20:58:55 +00:00
Kostya Serebryany
ccad0c6979 [libFuzzer] record traces from the switch statements only when told to do so 
llvm-svn: 243768
 2015-07-31 18:09:08 +00:00
Kostya Serebryany
fead0c3ca4 [libFuzzer] support switch interception in dfsan mode 
llvm-svn: 243760
 2015-07-31 17:05:05 +00:00
Kostya Serebryany
71a4e8ccbf [libFuzzer] trace switch statements and apply mutations based on the expected case values 
llvm-svn: 243726
 2015-07-31 01:33:06 +00:00
Kostya Serebryany
e76cb85ac7 [libFuzzer] fix the strncmp interceptor -- it should respect short strings. 
llvm-svn: 243691
 2015-07-30 21:22:22 +00:00
Kostya Serebryany
433c6e8b4b [libFuzzer] implement strncmp hook for data-flow-guided fuzzing (w/ and w/o dfsan), add a test 
llvm-svn: 243611
 2015-07-30 02:33:45 +00:00
Kostya Serebryany
d6ac2f5889 [libFuzzer] implement memcmp hook for data-flow-guided fuzzing (w/o dfsan), extend the memcmp fuzzer test 
llvm-svn: 243603
 2015-07-30 01:34:58 +00:00
Kostya Serebryany
fc26c8ec1c [libFuzzer] ensure that the dfsan tracing hooks actually run (using -verbosity=3 in tests) 
llvm-svn: 243365
 2015-07-28 01:25:00 +00:00
Kostya Serebryany
afb5a6f493 [libFuzzer] when using cmp traces, first check that the CMP is evaluated to one value much more frequently than to the other value (heuristic) 
llvm-svn: 243363
 2015-07-28 00:59:53 +00:00
Kostya Serebryany
02e05d0662 [libFuzzer] allow users to supply their own implementation of rand 
llvm-svn: 243078
 2015-07-24 01:06:40 +00:00
Kostya Serebryany
35d1f9b1f6 [libFuzzer] dump long running units to disk 
llvm-svn: 243031
 2015-07-23 18:37:22 +00:00
Alexey Samsonov
84ab5e6b2a [Fuzzer] Rely on $PATH expansion instead of hardcoding paths in tests. NFC. 
llvm-svn: 242851
 2015-07-21 22:51:55 +00:00
Alexey Samsonov
4a6c6512bc [Fuzzer] Clearly separate regular and DFSan tests. NFC. 
llvm-svn: 242850
 2015-07-21 22:51:49 +00:00
Kostya Serebryany
7c2874be12 [libFuzzer] require the files and directories passed to the fuzzer to exist 
llvm-svn: 242596
 2015-07-18 00:03:37 +00:00
Kostya Serebryany
444683ece7 [lib/Fuzzer] make assertions more informative and update comments for the user-supplied mutator 
llvm-svn: 238658
 2015-05-30 17:33:13 +00:00
Kostya Serebryany
74916b0deb [lib/Fuzzer] relax an assertion 
llvm-svn: 238608
 2015-05-29 20:31:17 +00:00
Kostya Serebryany
dd85a5b4fc [lib/Fuzzer] make the fuzzing timeout 1200 seconds by default (was: infinity) 
llvm-svn: 238251
 2015-05-26 20:57:47 +00:00
Kostya Serebryany
6903bb7921 [lib/Fuzzer] fix docs 
llvm-svn: 238236
 2015-05-26 19:32:52 +00:00
Kostya Serebryany
9de53cc3c2 [lib/Fuzzer] fix build with assertions 
llvm-svn: 238235
 2015-05-26 19:29:33 +00:00
Kostya Serebryany
e460252e97 [lib/Fuzzer] doxygen-ify the comments for the user interface 
llvm-svn: 238086
 2015-05-23 02:12:05 +00:00
Kostya Serebryany
6fa7ac36da [lib/Fuzzer] fully get rid of std::cerr in libFuzzer 
llvm-svn: 238081
 2015-05-23 01:22:35 +00:00
Kostya Serebryany
c28d1607f2 [lib/Fuzzer] start getting rid of std::cerr. Sadly, these parts of C++ library used in libFuzzer badly interract with the same code used in the target function and also with dfsan. It's easier to just not use std::cerr than to defeat these issues. 
llvm-svn: 238078
 2015-05-23 01:07:46 +00:00
Kostya Serebryany
3afd2456cd [lib/Fuzzer] remove -use_coverage_pairs=1, an experimental feature that is unlikely to ever scale 
llvm-svn: 238063
 2015-05-22 22:47:03 +00:00
Kostya Serebryany
2ee531c66a [lib/Fuzzer] extend the fuzzer interface to allow user-supplied mutators 
llvm-svn: 238059
 2015-05-22 22:35:31 +00:00
Kostya Serebryany
a05448768c [lib/Fuzzer] ignore flags that start with --; use git pull --rebase instead of just git pull 
llvm-svn: 237950
 2015-05-21 20:39:13 +00:00
Kostya Serebryany
46c887ece3 [lib/Fuzzer] change the meaning of -timeout flag: now timeout is applied to every unit of work separately 
llvm-svn: 237735
 2015-05-19 22:12:57 +00:00
Kostya Serebryany
33a7c23155 [lib/Fuzzer] more efficient reload logic; also don't spam git too much 
llvm-svn: 237649
 2015-05-19 01:06:07 +00:00
Kostya Serebryany
a98902fdfc [lib/Fuzzer] when -sync_command=<CMD> is given, periodically execute 'CMD CORPUS' to synchronize with other processes 
llvm-svn: 237617
 2015-05-18 21:34:20 +00:00
Logan Chien
5bf41f4c70 Code cleanup: Reindent Fuzzer::MutateAndTestOne. 
llvm-svn: 237533
 2015-05-17 02:44:31 +00:00
Kostya Serebryany
72ed46ef80 [lib/Fuzzer] Add SHA1 implementation from public domain. 
Summary:
This adds a SHA1 implementation taken from public domain code.
The change is trivial, but as it involves third-party code I'd like
a second pair of eyes before commit.

LibFuzzer can not use SHA1 from openssl because openssl may not be available
and because we may be fuzzing openssl itself.
Using sha1sum via a pipe is too slow.

Test Plan: n/a

Reviewers: chandlerc

Reviewed By: chandlerc

Subscribers: majnemer, llvm-commits

Differential Revision: http://reviews.llvm.org/D9733

llvm-svn: 237400
 2015-05-14 22:41:49 +00:00
Kostya Serebryany
31389337e7 [lib/Fuzzer] enable -use_counters=1 by default 
llvm-svn: 237272
 2015-05-13 18:31:46 +00:00
Kostya Serebryany
4abd8e053b [lib/Fuzzer] A simple script to synchronise a fuzz test corpus with an external git repository. 
llvm-svn: 237208
 2015-05-12 23:19:12 +00:00
Kostya Serebryany
35ac844218 [lib/Fuzzer] use sha1sum for the file hash 
llvm-svn: 237198
 2015-05-12 22:03:34 +00:00
Kostya Serebryany
354905a212 [lib/Fuzzer] guess the right number of workers if -jobs=N is given but -workers=M is not. Update the docs. 
llvm-svn: 237163
 2015-05-12 18:51:57 +00:00
Kostya Serebryany
933c6b41dd [lib/Fuzzer] remove the -dfsan=1 flag, just use -use_traces=1 (w/ or w/o dfsan) 
llvm-svn: 237083
 2015-05-12 01:58:34 +00:00
Kostya Serebryany
e0f5e9012d [lib/Fuzzer] detach the pulse thread instad of joining it 
llvm-svn: 237082
 2015-05-12 01:43:20 +00:00
Kostya Serebryany
56ab38ba4f [lib/Fuzzer] don't record traces when trace collection is off 
llvm-svn: 237067
 2015-05-11 23:25:28 +00:00
Kostya Serebryany
c901470416 [lib/Fuzzer] when running multiple fuzzing processes, print something every 10 minutes to avoid buildbot timeouts 
llvm-svn: 237054
 2015-05-11 21:31:51 +00:00
Kostya Serebryany
a4fe522adc [lib/Fuzzer] rename FuzzerDFSan.cpp to FuzzerTraceState.cpp; update comments. NFC expected 
llvm-svn: 237050
 2015-05-11 21:16:27 +00:00
Kostya Serebryany
528387038e [lib/Fuzzer] add a trace-based mutatation logic. Same idea as with DFSan-based mutator, but instead of relying on taint tracking, try to find the data directly in the input. More (logic and comments) to go. 
llvm-svn: 237043
 2015-05-11 20:51:19 +00:00
Kostya Serebryany
9843ef6423 [lib/Fuzzer] build tests that work well with dfsan also w/o dfsan 
llvm-svn: 236909
 2015-05-08 21:45:19 +00:00
Kostya Serebryany
9387837867 [lib/Fuzzer] use -fsanitize-coverage=trace-cmp when building LLVM with LLVM_USE_SANITIZE_COVERAGE; in lib/Fuzzer try to reload the corpus to pick up new units from other processes 
llvm-svn: 236906
 2015-05-08 21:30:55 +00:00
Alexey Samsonov
9792622ab9 Update CMake flags, LibFuzzer comments and docs for new -fsanitize-coverage= flags. 
llvm-svn: 236797
 2015-05-07 23:33:24 +00:00
Kostya Serebryany
037e4b3475 [lib/Fuzzer] change the way we use taint information for fuzzing. Now, we run a single unit and collect suggested mutations based on tracing+taint data, then apply the suggested mutations one by one. The previous scheme was slower and more complex. 
llvm-svn: 236772
 2015-05-07 21:02:11 +00:00
Kostya Serebryany
f4f653e078 [lib/Fuzzer] minor refactoring/simplification, NFC 
llvm-svn: 236757
 2015-05-07 18:32:29 +00:00
Kostya Serebryany
0d43299c46 [lib/Fuzzer] add dfsan_weak_hook_memcmp, enable the test that uses it, simplify the test runner 
llvm-svn: 236683
 2015-05-07 00:11:33 +00:00
Kostya Serebryany
6569a73cd5 [lib/Fuzzer] remove dfsan_fuzzer_abi.list -- its contents are now moved to dfsan proper 
llvm-svn: 236659
 2015-05-06 22:47:24 +00:00
Kostya Serebryany
35e9a98a9d [lib/Fuzzer] add a fuzzer test for memcmp (does not work yet) 
llvm-svn: 236656
 2015-05-06 22:36:00 +00:00
Kostya Serebryany
e33452df30 [lib/Fuzzer] rename TestOneInput to LLVMFuzzerTestOneInput to make it more unique 
llvm-svn: 236652
 2015-05-06 22:19:00 +00:00
Kostya Serebryany
177467fad4 [lib/Fuzzer] on crash print the contents of the crashy input as base64 
llvm-svn: 236548
 2015-05-05 21:59:51 +00:00
Kostya Serebryany
15a12f25e5 [lib/Fuzzer] use handle_abort=1 by default so that when assert() fires we save the test case 
llvm-svn: 236476
 2015-05-05 01:42:55 +00:00
Aaron Ballman
9419d88907 Removing a spurious space; NFC. 
llvm-svn: 234168
 2015-04-06 16:09:13 +00:00
Kostya Serebryany
af347bcc4a [fuzzer] document the -tokens flag. Also change the diagnostic output 
llvm-svn: 233842
 2015-04-01 21:33:20 +00:00
Kostya Serebryany
c69c3a7d4e [fuzzer] Add support for token-based fuzzing (e.g. for C++). Allow string flags. 
llvm-svn: 233745
 2015-03-31 20:13:20 +00:00
Kostya Serebryany
2fe2ed32ac Move lib/Fuzzer docs from a README.txt to a proper .rst file. 
Summary:
Move lib/Fuzzer docs from a README.txt to a proper .rst file.
This change does not add any content, just formatting.

Test Plan: n/a

Reviewers: samsonov

Reviewed By: samsonov

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D8710

llvm-svn: 233638
 2015-03-30 23:05:30 +00:00
Kostya Serebryany
e11d81541d [fuzzer] when a single unit takes over 1 second to run and it is the slowest one so far, print it. 
llvm-svn: 233637
 2015-03-30 23:04:35 +00:00
Kostya Serebryany
84554a2713 [fuzzer] print various stats in a unified way 
llvm-svn: 233624
 2015-03-30 22:44:03 +00:00
Kostya Serebryany
bf919ef6ab DFSan-based fuzzer (proof of concept). 
Summary:
This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.

Test Plan: a test added

Reviewers: samsonov, pcc

Reviewed By: samsonov, pcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D8669

llvm-svn: 233613
 2015-03-30 22:09:51 +00:00
Kostya Serebryany
285f1f0e41 [sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing). 
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.

The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.

These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.

Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).

Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.

llvm-svn: 231166
 2015-03-03 23:27:02 +00:00
Kostya Serebryany
543d4cfda0 [fuzzer] one more experimental search mode: -use_coverage_pairs=1 
llvm-svn: 229957
 2015-02-20 03:02:37 +00:00
Kostya Serebryany
af6cf1face [fuzzer] split main() into FuzzerDriver() that takes a callback as a parameter and a tiny main() in a separate file 
llvm-svn: 229882
 2015-02-19 18:45:37 +00:00
Kostya Serebryany
1b890a52e0 [fuzzer] properly annotate fallthrough, add one more entry to FAQ 
llvm-svn: 229880
 2015-02-19 18:21:12 +00:00
Kostya Serebryany
afe59b6588 [fuzzer] move default sanitizer options to a separate file 
llvm-svn: 228429
 2015-02-06 19:52:07 +00:00
Kostya Serebryany
64c4d4b6ad [fuzzer] add flag prefer_small_during_initial_shuffle, be a bit more verbose 
llvm-svn: 228235
 2015-02-04 23:42:42 +00:00
Kostya Serebryany
bef8a9c563 [fuzzer] add -runs=N to limit the number of runs per session. Also, make sure we do some mutations w/o cross over. 
llvm-svn: 228214
 2015-02-04 22:20:09 +00:00
Kostya Serebryany
31b6858756 [fuzzer] make multi-process execution more verbose; fix mutation to actually respect mutation depth and to never produce empty units 
llvm-svn: 228170
 2015-02-04 19:10:20 +00:00
Kostya Serebryany
c850679d3c [fuzzer]: fix exit code, add more diagnostics 
llvm-svn: 228103
 2015-02-04 01:22:57 +00:00
Kostya Serebryany
65c9f7dd34 [fuzzer] Add proper dependensices to the fuzzer tests 
Summary: Make sure that FileCheck is built when running check-fuzzer

Test Plan:
run on bot:
lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer

Reviewers: samsonov

Reviewed By: samsonov

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D7387

llvm-svn: 228045
 2015-02-03 21:57:32 +00:00
Kostya Serebryany
6dd23ca926 [fuzzer] update the include line to use the new header name 
llvm-svn: 228018
 2015-02-03 19:42:05 +00:00
Kostya Serebryany
e1dd7778a1 [fuzzer] add flags to run fuzzer in multiple parallel processes 
llvm-svn: 227664
 2015-01-31 01:14:40 +00:00
Kostya Serebryany
5ac8bf3c74 [fuzzer] Add a gtest-style test 
Summary: Add one gtest-style test.

Test Plan: run on bot

Reviewers: samsonov

Reviewed By: samsonov

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D7287

llvm-svn: 227639
 2015-01-30 23:26:57 +00:00
Kostya Serebryany
9658f61dfd [fuzzer] add -use_full_coverage_set=1 which solves FullCoverageSetTest. This does not scale very well yet, but might be a good start. 
llvm-svn: 227507
 2015-01-29 23:01:07 +00:00
Kostya Serebryany
39fec2f9bb [fuzzer] fix warning in a test 
llvm-svn: 227478
 2015-01-29 18:13:36 +00:00
Kostya Serebryany
51955d2781 [fuzzer] minor cleanup based on reviews: remove redundant includes, fix a copy-pasto in tests 
llvm-svn: 227468
 2015-01-29 17:16:23 +00:00
Kostya Serebryany
f609f98508 [fuzzer] add FAQ section to the README.txt 
llvm-svn: 227466
 2015-01-29 17:11:30 +00:00
Aaron Ballman
ea7bb26fdf Reverting r227452, which adds back the fuzzer library. Now excluding the fuzzer library based on LLVM_USE_SANITIZE_COVERAGE being set or unset. 
llvm-svn: 227464
 2015-01-29 16:58:29 +00:00
Aaron Ballman
28eea44386 Temporarily reverting the fuzzer library as it causes too many build issues for MSVC users. This reverts: 227445, 227395, 227389, 227357, 227254, 227252 
llvm-svn: 227452
 2015-01-29 15:49:22 +00:00
Aaron Ballman
0ec3c657a3 Adding missing #includes to try to get this to compile on Windows with Visual Studio. 
llvm-svn: 227445
 2015-01-29 15:19:13 +00:00