RPCS3/llvm-mirror
1
0
Fork 0
mirror of https://github.com/RPCS3/llvm-mirror.git synced 2024-10-21 12:02:58 +02:00
Code Issues Projects Releases Wiki Activity
122,340 Commits 4 Branches 5 Tags 704 MiB
e3d637a4af
Commit Graph

57 Commits

Author SHA1 Message Date
Kostya Serebryany
e3d637a4af [libFuzzer] add -artifact_prefix flag 
llvm-svn: 249807
 2015-10-09 03:57:59 +00:00
Kostya Serebryany
4487114c63 [libFuzzer] make LLVMFuzzerTestOneInput (the fuzzer target function) return int instead of void. The actual return value is not *yet* used (and expected to be 0). This change is API breaking, so the fuzzers will need to be updated. 
llvm-svn: 249214
 2015-10-02 23:34:06 +00:00
Kostya Serebryany
20a00e008b [libFuzzer] remove experimental flag and functionality 
llvm-svn: 249194
 2015-10-02 22:00:32 +00:00
Kostya Serebryany
70f0401f05 [libFuzzer] add a flag -max_total_time 
llvm-svn: 249181
 2015-10-02 20:47:55 +00:00
Ivan Krasin
b941371206 [LibFuzzer] test_single_input option to run a single test case. 
-test_single_input flag specifies a file name with test data.

Review URL: http://reviews.llvm.org/D13359

Patch by Mike Aizatsky!

llvm-svn: 249096
 2015-10-01 23:23:06 +00:00
Ivan Krasin
cc79d453f1 [libFuzzer]Add a test for defeating a hash sum. 
Summary:
Add a test for a data followed by 4-byte hash value.
I use a slightly modified Jenkins hash function,
as described in https://en.wikipedia.org/wiki/Jenkins_hash_function

The modification is to ensure that hash(zeros) != 0.

Reviewers: kcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D12648

llvm-svn: 247076
 2015-09-08 21:22:52 +00:00
Kostya Serebryany
a575372f59 [libFuzzer] add one more mutator: Mutate_ChangeASCIIInteger 
llvm-svn: 247027
 2015-09-08 17:19:31 +00:00
Kostya Serebryany
28a699d9b8 [libFuzzer] actually make the dictionaries work (+docs) 
llvm-svn: 246825
 2015-09-04 00:12:11 +00:00
Kostya Serebryany
3eaa9123bf [libFuzzer] refactor the mutation functions so that they are now methods of a class. NFC 
llvm-svn: 246808
 2015-09-03 21:24:19 +00:00
Kostya Serebryany
3b60fc1204 [libFuzzer] adding a parser for AFL-style dictionaries + tests. 
llvm-svn: 246800
 2015-09-03 20:23:46 +00:00
Kostya Serebryany
d4b7d4667f [libFuzzer] deprecate the -tokens flag. This was a bad idea because the corpus with this flag contains encrypted inputs, not the real inputs, which complicates interoperation with other fuzzers. Instead we'll need to implement AFL dictionary support 
llvm-svn: 246734
 2015-09-02 23:27:39 +00:00
Kostya Serebryany
a9d3e6b2dc [libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied 
llvm-svn: 244712
 2015-08-12 01:55:37 +00:00
Kostya Serebryany
90b784ccc2 [libFuzzer] move the mutators to public interface so that custom mutators may reuse these functions directly 
llvm-svn: 244250
 2015-08-06 19:19:55 +00:00
Kostya Serebryany
acf2228ee8 [libFuzzer] add one more mutation strategy: byte shuffling 
llvm-svn: 244188
 2015-08-06 01:29:13 +00:00
Kostya Serebryany
5be4cb583e [libFuzzer] add a missing test file 
llvm-svn: 244151
 2015-08-05 21:32:13 +00:00
Kostya Serebryany
897a5553b1 [libFuzzer] use data-flow feedback from strcmp 
llvm-svn: 244084
 2015-08-05 18:23:01 +00:00
Kostya Serebryany
7ee2b779f7 [libFuzzer] more refactoring of the Mutator and adding tests to it 
llvm-svn: 243818
 2015-08-01 02:23:06 +00:00
Kostya Serebryany
82464edd32 [libFuzzer] start refactoring the Mutator and adding tests to it 
llvm-svn: 243817
 2015-08-01 01:42:51 +00:00
Kostya Serebryany
a9e61b09d8 [libFuzzer] make sure that 2-byte arguments of switch() are handled properly 
llvm-svn: 243781
 2015-07-31 20:58:55 +00:00
Kostya Serebryany
fead0c3ca4 [libFuzzer] support switch interception in dfsan mode 
llvm-svn: 243760
 2015-07-31 17:05:05 +00:00
Kostya Serebryany
71a4e8ccbf [libFuzzer] trace switch statements and apply mutations based on the expected case values 
llvm-svn: 243726
 2015-07-31 01:33:06 +00:00
Kostya Serebryany
e76cb85ac7 [libFuzzer] fix the strncmp interceptor -- it should respect short strings. 
llvm-svn: 243691
 2015-07-30 21:22:22 +00:00
Kostya Serebryany
433c6e8b4b [libFuzzer] implement strncmp hook for data-flow-guided fuzzing (w/ and w/o dfsan), add a test 
llvm-svn: 243611
 2015-07-30 02:33:45 +00:00
Kostya Serebryany
d6ac2f5889 [libFuzzer] implement memcmp hook for data-flow-guided fuzzing (w/o dfsan), extend the memcmp fuzzer test 
llvm-svn: 243603
 2015-07-30 01:34:58 +00:00
Kostya Serebryany
fc26c8ec1c [libFuzzer] ensure that the dfsan tracing hooks actually run (using -verbosity=3 in tests) 
llvm-svn: 243365
 2015-07-28 01:25:00 +00:00
Kostya Serebryany
02e05d0662 [libFuzzer] allow users to supply their own implementation of rand 
llvm-svn: 243078
 2015-07-24 01:06:40 +00:00
Kostya Serebryany
35d1f9b1f6 [libFuzzer] dump long running units to disk 
llvm-svn: 243031
 2015-07-23 18:37:22 +00:00
Alexey Samsonov
84ab5e6b2a [Fuzzer] Rely on $PATH expansion instead of hardcoding paths in tests. NFC. 
llvm-svn: 242851
 2015-07-21 22:51:55 +00:00
Alexey Samsonov
4a6c6512bc [Fuzzer] Clearly separate regular and DFSan tests. NFC. 
llvm-svn: 242850
 2015-07-21 22:51:49 +00:00
Kostya Serebryany
3afd2456cd [lib/Fuzzer] remove -use_coverage_pairs=1, an experimental feature that is unlikely to ever scale 
llvm-svn: 238063
 2015-05-22 22:47:03 +00:00
Kostya Serebryany
2ee531c66a [lib/Fuzzer] extend the fuzzer interface to allow user-supplied mutators 
llvm-svn: 238059
 2015-05-22 22:35:31 +00:00
Kostya Serebryany
46c887ece3 [lib/Fuzzer] change the meaning of -timeout flag: now timeout is applied to every unit of work separately 
llvm-svn: 237735
 2015-05-19 22:12:57 +00:00
Kostya Serebryany
72ed46ef80 [lib/Fuzzer] Add SHA1 implementation from public domain. 
Summary:
This adds a SHA1 implementation taken from public domain code.
The change is trivial, but as it involves third-party code I'd like
a second pair of eyes before commit.

LibFuzzer can not use SHA1 from openssl because openssl may not be available
and because we may be fuzzing openssl itself.
Using sha1sum via a pipe is too slow.

Test Plan: n/a

Reviewers: chandlerc

Reviewed By: chandlerc

Subscribers: majnemer, llvm-commits

Differential Revision: http://reviews.llvm.org/D9733

llvm-svn: 237400
 2015-05-14 22:41:49 +00:00
Kostya Serebryany
933c6b41dd [lib/Fuzzer] remove the -dfsan=1 flag, just use -use_traces=1 (w/ or w/o dfsan) 
llvm-svn: 237083
 2015-05-12 01:58:34 +00:00
Kostya Serebryany
528387038e [lib/Fuzzer] add a trace-based mutatation logic. Same idea as with DFSan-based mutator, but instead of relying on taint tracking, try to find the data directly in the input. More (logic and comments) to go. 
llvm-svn: 237043
 2015-05-11 20:51:19 +00:00
Kostya Serebryany
9843ef6423 [lib/Fuzzer] build tests that work well with dfsan also w/o dfsan 
llvm-svn: 236909
 2015-05-08 21:45:19 +00:00
Kostya Serebryany
9387837867 [lib/Fuzzer] use -fsanitize-coverage=trace-cmp when building LLVM with LLVM_USE_SANITIZE_COVERAGE; in lib/Fuzzer try to reload the corpus to pick up new units from other processes 
llvm-svn: 236906
 2015-05-08 21:30:55 +00:00
Alexey Samsonov
9792622ab9 Update CMake flags, LibFuzzer comments and docs for new -fsanitize-coverage= flags. 
llvm-svn: 236797
 2015-05-07 23:33:24 +00:00
Kostya Serebryany
037e4b3475 [lib/Fuzzer] change the way we use taint information for fuzzing. Now, we run a single unit and collect suggested mutations based on tracing+taint data, then apply the suggested mutations one by one. The previous scheme was slower and more complex. 
llvm-svn: 236772
 2015-05-07 21:02:11 +00:00
Kostya Serebryany
0d43299c46 [lib/Fuzzer] add dfsan_weak_hook_memcmp, enable the test that uses it, simplify the test runner 
llvm-svn: 236683
 2015-05-07 00:11:33 +00:00
Kostya Serebryany
6569a73cd5 [lib/Fuzzer] remove dfsan_fuzzer_abi.list -- its contents are now moved to dfsan proper 
llvm-svn: 236659
 2015-05-06 22:47:24 +00:00
Kostya Serebryany
35e9a98a9d [lib/Fuzzer] add a fuzzer test for memcmp (does not work yet) 
llvm-svn: 236656
 2015-05-06 22:36:00 +00:00
Kostya Serebryany
e33452df30 [lib/Fuzzer] rename TestOneInput to LLVMFuzzerTestOneInput to make it more unique 
llvm-svn: 236652
 2015-05-06 22:19:00 +00:00
Kostya Serebryany
c69c3a7d4e [fuzzer] Add support for token-based fuzzing (e.g. for C++). Allow string flags. 
llvm-svn: 233745
 2015-03-31 20:13:20 +00:00
Kostya Serebryany
bf919ef6ab DFSan-based fuzzer (proof of concept). 
Summary:
This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.

Test Plan: a test added

Reviewers: samsonov, pcc

Reviewed By: samsonov, pcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D8669

llvm-svn: 233613
 2015-03-30 22:09:51 +00:00
Kostya Serebryany
285f1f0e41 [sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing). 
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.

The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.

These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.

Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).

Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.

llvm-svn: 231166
 2015-03-03 23:27:02 +00:00
Kostya Serebryany
543d4cfda0 [fuzzer] one more experimental search mode: -use_coverage_pairs=1 
llvm-svn: 229957
 2015-02-20 03:02:37 +00:00
Kostya Serebryany
65c9f7dd34 [fuzzer] Add proper dependensices to the fuzzer tests 
Summary: Make sure that FileCheck is built when running check-fuzzer

Test Plan:
run on bot:
lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer

Reviewers: samsonov

Reviewed By: samsonov

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D7387

llvm-svn: 228045
 2015-02-03 21:57:32 +00:00
Kostya Serebryany
5ac8bf3c74 [fuzzer] Add a gtest-style test 
Summary: Add one gtest-style test.

Test Plan: run on bot

Reviewers: samsonov

Reviewed By: samsonov

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D7287

llvm-svn: 227639
 2015-01-30 23:26:57 +00:00
Kostya Serebryany
9658f61dfd [fuzzer] add -use_full_coverage_set=1 which solves FullCoverageSetTest. This does not scale very well yet, but might be a good start. 
llvm-svn: 227507
 2015-01-29 23:01:07 +00:00