Commit Graph

85 Commits

Author SHA1 Message Date
Dan Liew
1a1c8bea2d [LibFuzzer] Declare and use sanitizer functions in `fuzzer::ExternalFunctions`
This fixes linking problems on OSX.

Unfortunately it turns out we need to use an instance of the
``fuzzer::ExternalFunctions`` object in several places so this
commit also replaces all instances with a single global instance.

It also turns out initializing a global ``fuzzer::ExternalFunctions``
before main is entered (i.e. letting the object be initialised by the
global initializers) is not safe (on OSX the call to ``Printf()`` in the
CTOR crashes if it is called from a global initializer) so we instead
have a global ``fuzzer::ExternalFunctions*`` and initialize it inside
``FuzzerDriver()``.

Multiple unit tests depend also depend on the
``fuzzer::ExternalFunctions*`` global so a ``main()`` function has been
added that initializes it before running any tests.

Differential Revision: http://reviews.llvm.org/D20943

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@272072 91177308-0d34-0410-b5e6-96231b3b80d8
2016-06-07 23:32:50 +00:00
Mike Aizatsky
c7f790d744 [libfuzzer] prune_corpus option for disabling pruning during the load.
Summary:
The option is very useful for testing, plus I intend to measure
its effect on fuzzer effectiveness.

Differential Revision: http://reviews.llvm.org/D21084

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@272035 91177308-0d34-0410-b5e6-96231b3b80d8
2016-06-07 18:16:32 +00:00
Dan Liew
8bb56ccbc0 [LibFuzzer] Reimplement how the optional user functions are called.
The motivation for this change is to fix linking issues on OSX.
However this only partially fixes linking issues (the uninstrumented
tests and a few others  won't succesfully link yet).

This change introduces a struct of function pointers
(``fuzzer::ExternalFuntions``) which when initialised will point to the
optional functions if they are available.  Currently these
``LLVMFuzzerInitialize`` and ``LLVMFuzzerCustomMutator`` functions.

Two implementations of ``fuzzer::ExternalFunctions`` constructor are
provided one for Linux and one for OSX.

The OSX implementation uses ``dlsym()`` because the prior implementation
using weak symbols does not work unless the additional flags are passed
to the linker.

The Linux implementation continues to use weak symbols because the
``dlsym()`` approach does not work unless additional flags are passed
to the linker.

Differential Revision: http://reviews.llvm.org/D20741

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@271491 91177308-0d34-0410-b5e6-96231b3b80d8
2016-06-02 05:48:02 +00:00
Kostya Serebryany
3886b25c4a [libFuzzer] when an invalid flag is given, warn, but don't crash
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@271404 91177308-0d34-0410-b5e6-96231b3b80d8
2016-06-01 16:41:12 +00:00
Mike Aizatsky
b0d0618635 [libfuzzer] Trying random unit prefixes during corpus load.
Differential Revision: http://reviews.llvm.org/D20301

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@270632 91177308-0d34-0410-b5e6-96231b3b80d8
2016-05-24 23:14:29 +00:00
Kostya Serebryany
909ee84abf [libFuzzer] print the file name before executing the input so that if there is a crash we know which files has caused it
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@269450 91177308-0d34-0410-b5e6-96231b3b80d8
2016-05-13 18:10:33 +00:00
Kostya Serebryany
f01dfdd8aa [libFuzzer] enhance -rss_limit_mb and enable by default. Now it will print the OOM reproducer.
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@268821 91177308-0d34-0410-b5e6-96231b3b80d8
2016-05-06 23:38:07 +00:00
Kostya Serebryany
815a884f59 [libFuzzer] add exeprimental -rss_limit_mb flag to fight against OOMs
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@268807 91177308-0d34-0410-b5e6-96231b3b80d8
2016-05-06 21:58:35 +00:00
Kostya Serebryany
18c0216842 [libFuzzer] print stats after running individual inputs
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@268547 91177308-0d34-0410-b5e6-96231b3b80d8
2016-05-04 20:44:50 +00:00
Kostya Serebryany
a0a13e0ee1 [libFuzzer] added -detect_leaks flag (0 by default for now). When enabled, it will help finding leaks while fuzzing
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@266838 91177308-0d34-0410-b5e6-96231b3b80d8
2016-04-20 00:24:21 +00:00
Kostya Serebryany
37e715dc57 [libFuzzer] warn if the corpus is empty
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@266670 91177308-0d34-0410-b5e6-96231b3b80d8
2016-04-18 21:14:11 +00:00
Mehdi Amini
f6071e14c5 [NFC] Header cleanup
Removed some unused headers, replaced some headers with forward class declarations.

Found using simple scripts like this one:
clear && ack --cpp -l '#include "llvm/ADT/IndexedMap.h"' | xargs grep -L 'IndexedMap[<]' | xargs grep -n --color=auto 'IndexedMap'

Patch by Eugene Kosov <claprix@yandex.ru>

Differential Revision: http://reviews.llvm.org/D19219

From: Mehdi Amini <mehdi.amini@apple.com>

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@266595 91177308-0d34-0410-b5e6-96231b3b80d8
2016-04-18 09:17:29 +00:00
Kostya Serebryany
ac6d266478 [libFuzzer] add a better warning for command line flags with -- (two dashes)
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@266480 91177308-0d34-0410-b5e6-96231b3b80d8
2016-04-15 21:56:29 +00:00
Hans Wennborg
f721b994c5 Remove redundant .c_str(), as suggested by PR25633
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@265988 91177308-0d34-0410-b5e6-96231b3b80d8
2016-04-11 20:35:17 +00:00
Kostya Serebryany
d32f138d30 [libFuzzer] handle SIGTERM
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@264338 91177308-0d34-0410-b5e6-96231b3b80d8
2016-03-24 21:03:58 +00:00
Kostya Serebryany
4aa62c5d17 [libFuzzer] add a flag close_fd_mask so that we can silence spammy targets by closing stderr/stdout
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@263831 91177308-0d34-0410-b5e6-96231b3b80d8
2016-03-18 20:58:29 +00:00
Kostya Serebryany
ab641c1abd [libFuzzer] improve -merge functionality
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@263769 91177308-0d34-0410-b5e6-96231b3b80d8
2016-03-18 00:23:29 +00:00
Kostya Serebryany
bcace10c40 [libFuzzer] deprecate several flags
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@263739 91177308-0d34-0410-b5e6-96231b3b80d8
2016-03-17 19:59:39 +00:00
Kostya Serebryany
2f2c2e3539 [libFuzzer] use max_len exactly equal to the max size of input. Fix 32-bit build
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@263518 91177308-0d34-0410-b5e6-96231b3b80d8
2016-03-15 01:28:00 +00:00
Kostya Serebryany
b30f32650e [libFuzzer] try to use max_len based on the items of the corpus instead of blindly defaulting to 64 bytes.
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@263323 91177308-0d34-0410-b5e6-96231b3b80d8
2016-03-12 01:57:04 +00:00
Kostya Serebryany
2c1ecb8c48 [libFuzzer] log less when re-loading files; fix a silly bug: when running single files actually run all of them, not just the first one
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@262754 91177308-0d34-0410-b5e6-96231b3b80d8
2016-03-04 22:35:40 +00:00
Kostya Serebryany
66bb64fd43 [libFuzzer] deprecate exit_on_first flag
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@262417 91177308-0d34-0410-b5e6-96231b3b80d8
2016-03-01 22:33:14 +00:00
Kostya Serebryany
7a1dcf9965 [libFuzzer] add generic signal handlers so that libFuzzer can report at least something if ASan is not handlig the signals for us. Remove abort_on_timeout flag.
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@262415 91177308-0d34-0410-b5e6-96231b3b80d8
2016-03-01 22:19:21 +00:00
Kostya Serebryany
86b1b67565 [libFuzzer] add -print_final_stats=1 flag
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@262084 91177308-0d34-0410-b5e6-96231b3b80d8
2016-02-26 22:42:23 +00:00
Kostya Serebryany
a755f1bd65 [libFuzzer] only read MaxLen bytes from every file in the corpus to speedup loading the corpus
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@261267 91177308-0d34-0410-b5e6-96231b3b80d8
2016-02-18 21:49:10 +00:00
Kostya Serebryany
2d7392fe48 [libFuzzer] remove std::vector operations from hot paths, NFC
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@260829 91177308-0d34-0410-b5e6-96231b3b80d8
2016-02-13 17:56:51 +00:00
Kostya Serebryany
5a08f1b013 [libFuzzer] remove the C++-ish variant of FuzzerDriver from the interface
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@260801 91177308-0d34-0410-b5e6-96231b3b80d8
2016-02-13 03:59:26 +00:00
Kostya Serebryany
efb0cc7640 [libFuzzer] get rid of UserSuppliedFuzzer; NFC
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@260798 91177308-0d34-0410-b5e6-96231b3b80d8
2016-02-13 03:25:16 +00:00
Kostya Serebryany
728ca1266f [libFuzzer] simplify the code around Random. NFC
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@260797 91177308-0d34-0410-b5e6-96231b3b80d8
2016-02-13 03:00:53 +00:00
Kostya Serebryany
f71ac00d01 [libFuzzer] remove UserSuppliedFuzzer from the interface (it was a bad idea).
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@260796 91177308-0d34-0410-b5e6-96231b3b80d8
2016-02-13 02:39:30 +00:00
Kostya Serebryany
14c6007ab2 [libFuzzer] make -runs=N flag also affect the simple runner (will execute every input N times)
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@260649 91177308-0d34-0410-b5e6-96231b3b80d8
2016-02-12 02:32:03 +00:00
Kostya Serebryany
485551ecaf [libFuzzer] allow passing 1 or more files as individual inputs
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@259459 91177308-0d34-0410-b5e6-96231b3b80d8
2016-02-02 03:03:47 +00:00
Kostya Serebryany
58b3c64b6b [libFuzzer] add -timeout_exitcode option
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@259265 91177308-0d34-0410-b5e6-96231b3b80d8
2016-01-29 23:30:07 +00:00
Kostya Serebryany
d75ddafc2f [libFuzzer] add -abort_on_timeout option
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@258631 91177308-0d34-0410-b5e6-96231b3b80d8
2016-01-23 19:34:19 +00:00
Kostya Serebryany
429a7edf9b [libFuzzer] use std::mt19937 for generating random numbers by default. Fix MyStoll to handle negative values. Use std::any_of instead of std::find_if
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@258178 91177308-0d34-0410-b5e6-96231b3b80d8
2016-01-19 20:33:57 +00:00
Kostya Serebryany
baa00e52a5 [libFuzzer] replace vector with a simpler data structure in the Dictionaries to avoid memory allocations on hot path
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@257985 91177308-0d34-0410-b5e6-96231b3b80d8
2016-01-16 03:53:32 +00:00
Kostya Serebryany
f1af856009 [libFuzzer] do mutations based on memcmp/strcmp interceptors under a separate flag (-use_memcmp, default=1)
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@257873 91177308-0d34-0410-b5e6-96231b3b80d8
2016-01-15 06:24:05 +00:00
Kostya Serebryany
9039b1ff4e [libFuzzer] use custom stol; also introduce __libfuzzer_is_present so that users can check for its presence.
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@257848 91177308-0d34-0410-b5e6-96231b3b80d8
2016-01-15 00:17:37 +00:00
Kostya Serebryany
7fddde9543 [libFuzzer] change the way trace-based mutations are applied. Instead of a custom code just rely on the automatically created dictionary
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@257248 91177308-0d34-0410-b5e6-96231b3b80d8
2016-01-09 03:08:58 +00:00
Kostya Serebryany
ab240104f0 [libFuzzer] add a position hint to the dictionary-based mutator
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@257013 91177308-0d34-0410-b5e6-96231b3b80d8
2016-01-07 01:49:35 +00:00
Mike Aizatsky
1cea7723fa [libfuzzer] print_new_cov_pcs experimental option.
Differential Revision: http://reviews.llvm.org/D15901

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@256882 91177308-0d34-0410-b5e6-96231b3b80d8
2016-01-06 00:21:22 +00:00
Kostya Serebryany
62663ee66e [libFuzzer] deprecate -save_minimized_corpus, -merge can be used instead
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@256086 91177308-0d34-0410-b5e6-96231b3b80d8
2015-12-19 03:42:16 +00:00
Mike Aizatsky
6d5ee5a800 [LibFuzzer] Introducing FUZZER_FLAG_UNSIGNED and using it for seeding.
Differential Revision: http://reviews.llvm.org/D15339

done

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@255296 91177308-0d34-0410-b5e6-96231b3b80d8
2015-12-10 20:41:53 +00:00
Kostya Serebryany
e8d7ae6209 [libFuzzer] add a flag -exact_artifact_path
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@254100 91177308-0d34-0410-b5e6-96231b3b80d8
2015-11-25 21:40:46 +00:00
Kostya Serebryany
45ac8bc6fc [libFuzzer] don't crash when reporting a leak in test_single_input mode
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@253761 91177308-0d34-0410-b5e6-96231b3b80d8
2015-11-21 03:46:43 +00:00
Mike Aizatsky
c1a030fd64 output_csv libfuzzer option
Summary:
The option outputs statistics in CSV format preceded by 1 header line.
This is intended for machine processing of the output.
-verbosity=0 should likely be set.

Differential Revision: http://reviews.llvm.org/D14600

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@252856 91177308-0d34-0410-b5e6-96231b3b80d8
2015-11-12 04:38:40 +00:00
Kostya Serebryany
1a42a60ebc [libFuzzer] experimental flag -drill (another search heuristic; Mike Aizatsky's idea)
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@252838 91177308-0d34-0410-b5e6-96231b3b80d8
2015-11-12 01:02:01 +00:00
Kostya Serebryany
af639be62f [libFuzzer] make -test_single_input more reliable: make sure the input's size is equal to it's capacity
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@251961 91177308-0d34-0410-b5e6-96231b3b80d8
2015-11-03 18:57:25 +00:00
Kostya Serebryany
242325ad98 [libFuzzer] add -merge flag to merge corpora
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@251168 91177308-0d34-0410-b5e6-96231b3b80d8
2015-10-24 01:16:40 +00:00
Kostya Serebryany
7bcc4cdbdd [libFuzzer] use the indirect caller-callee counter as an independent search heuristic
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@251078 91177308-0d34-0410-b5e6-96231b3b80d8
2015-10-22 23:55:39 +00:00