Commit Graph

455 Commits

Author SHA1 Message Date
Kostya Serebryany
43aeb78cb8 [libFuzzer] replace 'auto' with 'auto *' to better follow the LLVM style
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@286870 91177308-0d34-0410-b5e6-96231b3b80d8
2016-11-14 19:21:38 +00:00
Kostya Serebryany
8f3d5a342b [libFuzzer] use a valid ASCII string for a dummy seed corpus
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@286702 91177308-0d34-0410-b5e6-96231b3b80d8
2016-11-12 02:27:21 +00:00
Kostya Serebryany
22480ffc37 [libFuzzer] use less stack
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@286689 91177308-0d34-0410-b5e6-96231b3b80d8
2016-11-12 00:24:35 +00:00
Kostya Serebryany
04777c43f9 [libFuzzer] do not initialize parts of TracePC -- let them be initialized by the linker. Add no-msan attribute to the memcmp hook.
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@286665 91177308-0d34-0410-b5e6-96231b3b80d8
2016-11-11 23:06:53 +00:00
Kostya Serebryany
2d1f4f5e9e [libFuzzer] fix -error_exitcode=N, now with a test
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285958 91177308-0d34-0410-b5e6-96231b3b80d8
2016-11-03 19:31:18 +00:00
Kostya Serebryany
302a19a141 [libFuzzer] enable use_cmp by default
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285353 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-27 21:44:37 +00:00
Kostya Serebryany
56a90b623f [libFuzzer] speculatively trying to fix the Mac build; second attempt
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285262 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-27 00:36:38 +00:00
Kostya Serebryany
9df8914246 [libFuzzer] revert 285259 -- hit commit too soon
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285260 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-27 00:24:34 +00:00
Kostya Serebryany
06289376f7 [libFuzzer] speculatively trying to fix the Mac build
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285259 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-27 00:22:39 +00:00
Kostya Serebryany
3c0deb17ec [libFuzzer] simplify TracePC::HandleTrace even further. Also, when dealing with -exit_on_src_pos, symbolize every PC only once
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285223 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-26 18:52:04 +00:00
Kostya Serebryany
7f59a4b62d [libFuzzer] simplify the code in TracePC::HandleTrace a bit more
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285147 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-26 00:42:52 +00:00
Kostya Serebryany
9c904557f1 [libFuzzer] simplify the code to print new PCs
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285145 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-26 00:20:51 +00:00
Kostya Serebryany
cbe5db8703 [libFuzzer] simplify the code in TracePC::HandleTrace
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285142 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-25 23:52:25 +00:00
Kostya Serebryany
98711e2ac8 [libFuzzer] add StandaloneFuzzTargetMain.c and a test for it
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285135 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-25 22:30:34 +00:00
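The entry above introduces a standalone driver so that a libFuzzer target can be replayed without the fuzzing engine (useful for reproducing a crash under a plain ASan/UBSan build). The following is an added example written for this page, not the project's StandaloneFuzzTargetMain.c: it links against a toy target that counts inputs starting with the constructed tag "FUZZ" (an assumption for the demo), runs each file named on the command line through LLVMFuzzerTestOneInput once, and treats an unreadable file as a hard error rather than silently running an empty input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy fuzz target, assumed for this example: it counts inputs that begin
 * with the constructed 4-byte tag "FUZZ" and always returns 0, as
 * libFuzzer targets are expected to. */
static int g_magic_hits = 0;

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  if (Size >= 4 && memcmp(Data, "FUZZ", 4) == 0)
    g_magic_hits++;
  return 0;
}

/* Accessor so the demo's effect can be observed from outside. */
int MagicHits(void) { return g_magic_hits; }

/* Read an entire file into a malloc'd buffer. Returns NULL on any error
 * (open, seek, short read); the caller decides how loud to be. */
static uint8_t *ReadWholeFile(const char *Path, size_t *OutSize) {
  FILE *F = fopen(Path, "rb");
  if (!F) return NULL;
  if (fseek(F, 0, SEEK_END) != 0) { fclose(F); return NULL; }
  long Len = ftell(F);
  if (Len < 0) { fclose(F); return NULL; }
  rewind(F);
  uint8_t *Buf = malloc(Len ? (size_t)Len : 1);  /* malloc(0) may be NULL */
  if (!Buf) { fclose(F); return NULL; }
  if (fread(Buf, 1, (size_t)Len, F) != (size_t)Len) {
    free(Buf);
    fclose(F);
    return NULL;
  }
  fclose(F);
  *OutSize = (size_t)Len;
  return Buf;
}

/* Run one file through the target. Returns the target's return value, or
 * -1 if the file could not be read: a missing reproducer must not be
 * mistaken for a passing empty input. */
int RunFile(const char *Path) {
  size_t Size = 0;
  uint8_t *Data = ReadWholeFile(Path, &Size);
  if (!Data) {
    fprintf(stderr, "cannot read %s\n", Path);
    return -1;
  }
  int Rc = LLVMFuzzerTestOneInput(Data, Size);
  free(Data);
  return Rc;
}

/* Standalone driver: no mutation, no coverage, no corpus management; just
 * replay each file given on the command line exactly once. */
int main(int argc, char **argv) {
  int Failures = 0;
  for (int I = 1; I < argc; I++) {
    if (RunFile(argv[I]) != 0)
      Failures++;
    else
      printf("executed %s\n", argv[I]);
  }
  return Failures ? 1 : 0;
}
```

Build it with the same sanitizer flags as the fuzzing build, minus the libFuzzer runtime, and pass the crash file as the argument; a sanitizer report then comes from exactly the bytes in that file.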
Kostya Serebryany
0895ad474e [libFuzzer] when mutating based on CMP traces also try adding +/- 1 to the desired bytes. Add another test for use_cmp
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285109 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-25 20:15:15 +00:00
Kostya Serebryany
d2c91bff2f [libFuzzer] simplify the code for use_cmp, also use the position hint when available, add a test
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285049 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-25 02:04:43 +00:00
Kostya Serebryany
9b71256a5b [libFuzzer] mutation: insert the size of the input in bytes as one of the ways to mutate a binary integer
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284909 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-22 03:48:53 +00:00
Kostya Serebryany
76857efb50 [libFuzzer] typo in a test
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284903 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-22 01:07:38 +00:00
Kostya Serebryany
7430a26dd8 [libFuzzer] add a test for asan's strict_string_checks=1
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284902 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-22 00:05:44 +00:00
Reid Kleckner
57a3dc5d8b Fix -Wunused-variable warning in libFuzzer
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284838 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-21 16:26:27 +00:00
Kostya Serebryany
b3960e87ec [libFuzzer] extend -print_coverage to also print uncovered lines, functions, and files.
Example of output:
COVERAGE:
COVERED: in DSO2(int) /pathto/DSO2.cpp:6
COVERED: in DSO2(int) /pathto/DSO2.cpp:8
COVERED: in DSO1(int) /pathto/DSO1.cpp:6
COVERED: in DSO1(int) /pathto/DSO1.cpp:8
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:16
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:19
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:25
COVERED: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:26
MODULE_WITH_COVERAGE: /pathto/libLLVMFuzzer-DSO1.so
UNCOVERED_LINE: in DSO1(int) /pathto/DSO1.cpp:9
UNCOVERED_FUNC: in Uncovered1()
MODULE_WITH_COVERAGE: /pathto/libLLVMFuzzer-DSO2.so
UNCOVERED_LINE: in DSO2(int) /pathto/DSO2.cpp:9
UNCOVERED_FUNC: in Uncovered2()
MODULE_WITH_COVERAGE: /pathto/LLVMFuzzer-DSOTest
UNCOVERED_LINE: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:21
UNCOVERED_LINE: in LLVMFuzzerTestOneInput /pathto/DSOTestMain.cpp:27
UNCOVERED_FILE: /pathto/DSOTestExtra.cpp

Several things are not perfect here:
* we are using objdump+awk instead of sancov because sancov does not support DSOs yet.
* this breaks in the presence of ASAN_OPTIONS=strip_path_prefix=...
  (need to implement another API to get the module name by PC)
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284554 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-19 00:12:03 +00:00
Kostya Serebryany
761c1ffc64 [libFuzzer] detect leaks after every run when executing fixed inputs (./fuzzer -runs=1000000 my-file)
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284514 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-18 18:38:08 +00:00
Kostya Serebryany
db740ff84a [libFuzzer] reshuffle the code for -exit_on_src_pos and -exit_on_item
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284508 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-18 18:06:05 +00:00
Kostya Serebryany
ce6100541e [libFuzzer] swap bytes in integers when handling CMP traces
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284301 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-15 04:00:07 +00:00
Kostya Serebryany
75281e6436 [libFuzzer] better algorithm for -minimize_crash
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284299 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-15 01:00:24 +00:00
Kostya Serebryany
58313a9d67 [libFuzzer] remove subdir fuzzer-test-suite as it is now superseded with https://github.com/google/fuzzer-test-suite
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284275 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-14 20:26:40 +00:00
Kostya Serebryany
3af68729f8 [libFuzzer] add -trace_cmp=1 (guiding mutations based on the observed CMP instructions). This is a reincarnation of the previously deleted -use_traces, but using a different approach for collecting traces. Still a toy, but at least it scales well. Also fix -merge in trace-pc-guard mode
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284273 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-14 20:20:33 +00:00
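Several entries in this log describe the same mechanism: the -trace_cmp / use_cmp work above, the later byte-swap handling when searching for a compared value, and the +/- 1 variants tried on the desired bytes. The code below is an added example for this page, not libFuzzer's implementation: it records a 4-byte comparison by hand (where the real engine gets it from a compiler-inserted trace-cmp hook), looks for the observed operand in the input in either byte order, and overwrites it with the wanted operand plus a delta in {-1, 0, +1}. The toy target, its magic value 0xDEADBEEF and the seed bytes are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A recorded 4-byte comparison: what the program saw (Arg1) and what it
 * compared that against (Arg2). */
typedef struct { uint32_t Arg1, Arg2; } CmpRecord;

/* Last comparison seen by the toy target. The real engine fills this from
 * compiler-inserted hooks; the target below calls RecordCmp explicitly so
 * the example runs without instrumentation. */
static CmpRecord g_last_cmp;
static void RecordCmp(uint32_t A, uint32_t B) {
  g_last_cmp.Arg1 = A;
  g_last_cmp.Arg2 = B;
}

static uint32_t Bswap32(uint32_t V) {
  return (V >> 24) | ((V >> 8) & 0xff00u) | ((V << 8) & 0xff0000u) | (V << 24);
}

/* Search Data for Needle in native byte order, then byte-swapped (the
 * program may have parsed a big-endian field). Returns the offset and sets
 * *Swapped on success, -1 if the value is not present at all. */
long FindValue(const uint8_t *Data, size_t Size, uint32_t Needle, int *Swapped) {
  uint32_t Cands[2] = { Needle, Bswap32(Needle) };
  for (int S = 0; S < 2; S++)
    for (size_t I = 0; I + sizeof(uint32_t) <= Size; I++)
      if (memcmp(Data + I, &Cands[S], sizeof(uint32_t)) == 0) {
        *Swapped = S;
        return (long)I;
      }
  return -1;
}

/* One CMP-guided mutation: find where Arg1 came from and overwrite it with
 * Arg2 + Delta, in the same byte order Arg1 was found in. Unsigned wrap
 * makes Delta = -1 behave as Arg2 - 1. Returns 1 if a mutation was applied. */
int MutateFromCmp(uint8_t *Data, size_t Size, const CmpRecord *R, int Delta) {
  int Swapped = 0;
  long Off = FindValue(Data, Size, R->Arg1, &Swapped);
  if (Off < 0) return 0;
  uint32_t Want = R->Arg2 + (uint32_t)Delta;
  if (Swapped) Want = Bswap32(Want);
  memcpy(Data + Off, &Want, sizeof(Want));
  return 1;
}

/* Toy target (constructed): reads a big-endian tag and checks it against a
 * magic value. Returns 1 when the magic is hit. */
int ToyTarget(const uint8_t *Data, size_t Size) {
  if (Size < 4) return 0;
  uint32_t Tag = ((uint32_t)Data[0] << 24) | ((uint32_t)Data[1] << 16) |
                 ((uint32_t)Data[2] << 8) | (uint32_t)Data[3];
  RecordCmp(Tag, 0xDEADBEEFu);
  return Tag == 0xDEADBEEFu;
}

/* Run the seed, snapshot the compare it triggered, then try Arg2-1, Arg2,
 * Arg2+1 on fresh copies. Returns the delta that satisfied the target
 * (0 also if the seed already passed), or 99 if none did. */
int SolveMagic(const uint8_t *Seed, size_t Size, uint8_t *Out) {
  memcpy(Out, Seed, Size);
  if (ToyTarget(Out, Size)) return 0;
  CmpRecord R = g_last_cmp;
  static const int Deltas[3] = { -1, 0, 1 };
  for (int K = 0; K < 3; K++) {
    memcpy(Out, Seed, Size);
    if (MutateFromCmp(Out, Size, &R, Deltas[K]) && ToyTarget(Out, Size))
      return Deltas[K];
  }
  return 99;
}

/* Constructed seed: tag 0x01020304 (asymmetric, so the byte-order search is
 * unambiguous) followed by padding. */
static const uint8_t kSeed[8] = { 1, 2, 3, 4, 'p', 'a', 'd', 0 };

int DemoSolve(void) {
  uint8_t Out[sizeof kSeed];
  return SolveMagic(kSeed, sizeof kSeed, Out);
}

int DemoHitsMagic(void) {
  uint8_t Out[sizeof kSeed];
  SolveMagic(kSeed, sizeof kSeed, Out);
  return ToyTarget(Out, sizeof kSeed);
}
```

The byte-order search is what makes this work for the big-endian tag: on a little-endian host the native bytes of the observed operand are absent from the input, the swapped candidate is found instead, and the replacement is written back in that same order. The -1 attempt fails as it should, and the exact value succeeds on the second try.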
Kostya Serebryany
76edd8d153 [libFuzzer] more detailed message for disabled leak detection
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284169 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-13 22:24:10 +00:00
Kostya Serebryany
f980fc0b37 [libFuzzer] add -trace_malloc= flag
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284149 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-13 19:06:46 +00:00
Kostya Serebryany
53176d2749 [libFuzzer] reapply r283946: refactoring to speed things up, NFC. Now with a fix for gcc build
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284132 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-13 16:19:09 +00:00
Daniel Jasper
6f0cfa7ab9 Revert "[libFuzzer] refactoring to speed things up, NFC"
This reverts commit r283946.

This breaks when build with GCC:
lib/Fuzzer/FuzzerTracePC.cpp:169:6: error: always_inline function might not be inlinable [-Werror=attributes]
lib/Fuzzer/FuzzerTracePC.cpp:169:6: error: inlining failed in call to always_inline 'void fuzzer::TracePC::HandleCmp(void*, T, T) [with T = long unsigned int]': target specific option mismatch
lib/Fuzzer/FuzzerTracePC.cpp:198:65: error: called from here

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283979 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-12 07:26:46 +00:00
Kostya Serebryany
61ec54d21d [libFuzzer] refactoring to speed things up, NFC
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283946 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-11 21:27:37 +00:00
Kostya Serebryany
bb0318af25 [libFuzzer] implement value profile for switch, increase the size of the PCs array, make sure we don't overflow it
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283841 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-11 01:14:41 +00:00
Kostya Serebryany
a0151b6ab1 [libFuzzer] add switch tests
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283840 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-11 01:13:32 +00:00
Kostya Serebryany
0600ead4b7 [libFuzzer] make a test less flaky
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283686 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-09 03:45:38 +00:00
Kostya Serebryany
1a60ba886d [libFuzzer] when shrinking the corpus, delete evicted files previously created by the current process
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283682 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-08 23:24:45 +00:00
Kostya Serebryany
19e25ecdf5 [libFuzzer] control the reload interval by a flag, make it 10 seconds by default
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283676 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-08 22:12:14 +00:00
Kostya Serebryany
c628031047 [libFuzzer] fix use-after-free in libFuzzer found by ... fuzzing.
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283675 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-08 21:57:48 +00:00
Kostya Serebryany
89268017c2 [libFuzzer] be more careful with memory usage, print peak rss in status lines
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283418 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-06 05:14:00 +00:00
Kostya Serebryany
aca34111f6 [libFuzzer] when re-running for lsan, don't look at the coverage
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283411 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-05 23:31:01 +00:00
Kostya Serebryany
cc6cbfdebc [libFuzzer] refactoring to make -shrink=1 work for value profile, added a test.
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283409 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-05 22:56:21 +00:00
Kostya Serebryany
d4d50f6f47 [libFuzzer] add ShrinkValueProfileTest, move code around, NFC
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283286 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-05 01:09:40 +00:00
Kostya Serebryany
d277734b71 [libFuzzer] clear the corpus elements if they are evicted (i.e. smaller elements with proper coverage are found). Make sure we never try to mutate an empty element. Print the corpus size in bytes in the status lines
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283279 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-05 00:25:17 +00:00
Kostya Serebryany
eedfbe0313 [libFuzzer] remove dfsan support and some related stale code. This is not being used and, as is, is pretty weak anyway
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283187 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-04 06:08:46 +00:00
Kostya Serebryany
bd79a5935d [libFuzzer] change the probabilities so that we choose only the inputs that are known to be minimal inputs for at least one coverage feature (works only with -shrink=1 for now)
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283178 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-04 01:51:44 +00:00
Kostya Serebryany
120924c695 [libFuzzer] add fuzzer test for libxml2, finds https://bugzilla.gnome.org/show_bug.cgi?id=751631
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283024 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-01 07:37:40 +00:00
Kostya Serebryany
1acd70c658 [libFuzzer] fix a recent bug (buffer overflow)
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283021 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-01 07:13:25 +00:00
Kostya Serebryany
f46303af79 [libFuzzer] implement the -shrink=1 option that tries to make elements of the corpus smaller, off by default
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@282995 91177308-0d34-0410-b5e6-96231b3b80d8
2016-10-01 01:04:29 +00:00
Kostya Serebryany
b6b3db73a6 [libFuzzer] remove some experimental code
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@282983 91177308-0d34-0410-b5e6-96231b3b80d8
2016-09-30 23:29:27 +00:00
Kostya Serebryany
7faa446ffd [libFuzzer] fix openssl fuzzer tests when running on a machine w/o openssl installed
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@282972 91177308-0d34-0410-b5e6-96231b3b80d8
2016-09-30 22:35:08 +00:00