RPCS3/llvm
1
0
Fork 0
mirror of https://github.com/RPCS3/llvm.git synced 2025-04-03 13:51:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
123,795 Commits 39 Branches 10 Tags
Commit Graph

64 Commits

Author SHA1 Message Date
Kostya Serebryany
f41e3780b3 [libFuzzer] make libFuzzer link if there is no sanitizer coverage instrumentation (it will fail at start-up time) 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@252533 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-11-09 23:17:45 +00:00
Kostya Serebryany
331a8c8a87 [libFuzzer] print a bit fewer lines 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@252123 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-11-05 01:19:42 +00:00
Kostya Serebryany
d022e94463 [libFuzzer] when choosing the next unit to mutate, give some preference to the most recent units (they are more likely to be interesting) 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@252097 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-11-04 23:22:25 +00:00
Kostya Serebryany
242325ad98 [libFuzzer] add -merge flag to merge corpora 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@251168 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-24 01:16:40 +00:00
Kostya Serebryany
b33343ddb1 [libFuzzer] remove some old code; also make __sanitizer_get_total_unique_caller_callee_pairs weak so that newer libFuzzer works with older asan 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@251133 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-23 18:37:58 +00:00
Kostya Serebryany
7bcc4cdbdd [libFuzzer] use the indirect caller-callee counter as an independent search heuristic 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@251078 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-22 23:55:39 +00:00
Kostya Serebryany
41180c6eba [libFuzzer] more refactoring the code that checks the coverage. NFC 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@251075 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-22 22:56:45 +00:00
Kostya Serebryany
1969ec112d [libFuzzer] refactoring the code that checks the coverage. NFC 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@251074 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-22 22:50:47 +00:00
Kostya Serebryany
a3619c6b43 [libFuzzer] remove the deprecated 'tokens' feature 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@251069 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-22 21:48:09 +00:00
Kostya Serebryany
2a50aa48db [libFuzzer] add -shuffle flag 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@250603 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-17 04:38:26 +00:00
Kostya Serebryany
9b24e29d72 [libFuzzer] print a stack trace on timeout 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@250571 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-16 23:04:31 +00:00
Kostya Serebryany
5792846506 [libFuzzer] reduce the size of artifacts printed on the screen 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@250565 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-16 22:47:20 +00:00
Kostya Serebryany
17062e257e [libFuzzer] When -test_single_input crashes the test it is not necessary to write crash-file because input is already known to the user. Patch by Mike Aizatsky 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@250564 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-16 22:41:47 +00:00
Kostya Serebryany
002f1b00d6 [libFuzzer] don't print large artifacts to stderr 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@249808 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-09 04:03:14 +00:00
Kostya Serebryany
22d6013f13 [libFuzzer] add -artifact_prefix flag 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@249807 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-09 03:57:59 +00:00
Kostya Serebryany
9906eefc84 [libFuzzer] make LLVMFuzzerTestOneInput (the fuzzer target function) return int instead of void. The actual return value is not *yet* used (and expected to be 0). This change is API breaking, so the fuzzers will need to be updated. 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@249214 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-02 23:34:06 +00:00
Kostya Serebryany
f351bce7bd [libFuzzer] remove experimental flag and functionality 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@249194 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-02 22:00:32 +00:00
Kostya Serebryany
cd0d243e72 [libFuzzer] add a flag -max_total_time 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@249181 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-10-02 20:47:55 +00:00
Kostya Serebryany
8a15ef599e [libFuzzer] perform fewer crossover operations compared to plain mutations 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@247364 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-09-11 00:20:58 +00:00
Kostya Serebryany
06465a68cc [libFuzzer] remove -iterations as redundant (there is also -num_runs) 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@247030 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-09-08 17:30:35 +00:00
Kostya Serebryany
6cc3ed7cdd [libFuzzer] actually make the dictionaries work (+docs) 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@246825 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-09-04 00:12:11 +00:00
Kostya Serebryany
580504f120 [libFuzzer] honour -only_ascii=1 when reading the initial corpus. Also, remove ugly #ifdef 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@246689 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-09-02 19:08:08 +00:00
Kostya Serebryany
234cfada18 [libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@244712 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-08-12 01:55:37 +00:00
Kostya Serebryany
e0b167c66c [libFuzzer] add colons to the stats output to avoid confusion 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@244708 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-08-12 01:04:27 +00:00
Nick Lewycky
eacc53d67e Fix unused variable 'X' in release builds. 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@244571 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-08-11 05:57:10 +00:00
Kostya Serebryany
89f52ac188 [libFuzzer] add -only_ascii flag 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@244559 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-08-11 01:44:42 +00:00
Kostya Serebryany
7141424447 [libFuzzer] add option -report_slow_units=Nsec to control when slow units are printed 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@244152 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-08-05 21:43:48 +00:00
Kostya Serebryany
427b5a50cf [libFuzzer] limit the size of the inputs printed to stderr 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@243795 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-07-31 22:07:17 +00:00
Kostya Serebryany
33a9a09cd7 [libFuzzer] allow users to supply their own implementation of rand 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@243078 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-07-24 01:06:40 +00:00
Kostya Serebryany
6cbc095f13 [libFuzzer] dump long running units to disk 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@243031 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-07-23 18:37:22 +00:00
Kostya Serebryany
63da212749 [lib/Fuzzer] make assertions more informative and update comments for the user-supplied mutator 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@238658 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-30 17:33:13 +00:00
Kostya Serebryany
ea8a3963b4 [lib/Fuzzer] make the fuzzing timeout 1200 seconds by default (was: infinity) 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@238251 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-26 20:57:47 +00:00
Kostya Serebryany
f580f3683c [lib/Fuzzer] fix build with assertions 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@238235 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-26 19:29:33 +00:00
Kostya Serebryany
d434a0a1b2 [lib/Fuzzer] fully get rid of std::cerr in libFuzzer 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@238081 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-23 01:22:35 +00:00
Kostya Serebryany
464deacf05 [lib/Fuzzer] remove -use_coverage_pairs=1, an experimental feature that is unlikely to ever scale 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@238063 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-22 22:47:03 +00:00
Kostya Serebryany
ebada2c2bc [lib/Fuzzer] extend the fuzzer interface to allow user-supplied mutators 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@238059 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-22 22:35:31 +00:00
Kostya Serebryany
556425f9a9 [lib/Fuzzer] change the meaning of -timeout flag: now timeout is applied to every unit of work separately 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@237735 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-19 22:12:57 +00:00
Kostya Serebryany
3b3cbed1b0 [lib/Fuzzer] more efficient reload logic; also don't spam git too much 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@237649 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-19 01:06:07 +00:00
Kostya Serebryany
05ef67b6b9 [lib/Fuzzer] when -sync_command=<CMD> is given, periodically execute 'CMD CORPUS' to synchronize with other processes 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@237617 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-18 21:34:20 +00:00
Logan Chien
9380329c4e Code cleanup: Reindent Fuzzer::MutateAndTestOne. 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@237533 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-17 02:44:31 +00:00
Kostya Serebryany
051ef86497 [lib/Fuzzer] rename FuzzerDFSan.cpp to FuzzerTraceState.cpp; update comments. NFC expected 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@237050 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-11 21:16:27 +00:00
Kostya Serebryany
8ae273d380 [lib/Fuzzer] use -fsanitize-coverage=trace-cmp when building LLVM with LLVM_USE_SANITIZE_COVERAGE; in lib/Fuzzer try to reload the corpus to pick up new units from other processes 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@236906 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-08 21:30:55 +00:00
Kostya Serebryany
6564ee8933 [lib/Fuzzer] change the way we use taint information for fuzzing. Now, we run a single unit and collect suggested mutations based on tracing+taint data, then apply the suggested mutations one by one. The previous scheme was slower and more complex. 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@236772 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-07 21:02:11 +00:00
Kostya Serebryany
46fa0aabcb [lib/Fuzzer] minor refactoring/simplification, NFC 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@236757 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-07 18:32:29 +00:00
Kostya Serebryany
605f316258 [lib/Fuzzer] on crash print the contents of the crashy input as base64 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@236548 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-05-05 21:59:51 +00:00
Kostya Serebryany
3399e1fd73 [fuzzer] Add support for token-based fuzzing (e.g. for C++). Allow string flags. 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@233745 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-03-31 20:13:20 +00:00
Kostya Serebryany
e6d25ad0e0 [fuzzer] when a single unit takes over 1 second to run and it is the slowest one so far, print it. 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@233637 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-03-30 23:04:35 +00:00
Kostya Serebryany
b0b7c53ee4 [fuzzer] print various stats in a unified way 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@233624 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-03-30 22:44:03 +00:00
Kostya Serebryany
29c6bd6e4f DFSan-based fuzzer (proof of concept). 
Summary:
This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.

Test Plan: a test added

Reviewers: samsonov, pcc

Reviewed By: samsonov, pcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D8669

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@233613 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-03-30 22:09:51 +00:00
Kostya Serebryany
ae0620c4e9 [sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing). 
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.

The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.

These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.

Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).

Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.


git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@231166 91177308-0d34-0410-b5e6-96231b3b80d8
 2015-03-03 23:27:02 +00:00