authorMike Aizatsky <aizatsky@chromium.org>2016-01-06 00:21:22 +0000
committerMike Aizatsky <aizatsky@chromium.org>2016-01-06 00:21:22 +0000
commit8b11f877e45f0231990b0db4bd2a31710fdcc881 (patch)
treea977ce225656a4c1e993ee568f6a77035141e162 /llvm/lib/Fuzzer
parentf5c2d129d8dad8306f6cbd299b3a2714ce6c620a (diff)
[libfuzzer] print_new_cov_pcs experimental option.
Differential Revision: http://reviews.llvm.org/D15901 llvm-svn: 256882
Diffstat (limited to 'llvm/lib/Fuzzer')
-rw-r--r--llvm/lib/Fuzzer/FuzzerDriver.cpp1
-rw-r--r--llvm/lib/Fuzzer/FuzzerFlags.def2
-rw-r--r--llvm/lib/Fuzzer/FuzzerInternal.h2
-rw-r--r--llvm/lib/Fuzzer/FuzzerLoop.cpp18
-rw-r--r--llvm/lib/Fuzzer/test/fuzzer.test6
5 files changed, 28 insertions, 1 deletions
diff --git a/llvm/lib/Fuzzer/FuzzerDriver.cpp b/llvm/lib/Fuzzer/FuzzerDriver.cpp
index dc5f8babbfe..e8c117ef608 100644
--- a/llvm/lib/Fuzzer/FuzzerDriver.cpp
+++ b/llvm/lib/Fuzzer/FuzzerDriver.cpp
@@ -281,6 +281,7 @@ int FuzzerDriver(const std::vector<std::string> &Args,
if (Flags.verbosity > 0 && !Dictionary.empty())
Printf("Dictionary: %zd entries\n", Dictionary.size());
Options.SaveArtifacts = !Flags.test_single_input;
+ Options.PrintNewCovPcs = Flags.print_new_cov_pcs;
Fuzzer F(USF, Options);
diff --git a/llvm/lib/Fuzzer/FuzzerFlags.def b/llvm/lib/Fuzzer/FuzzerFlags.def
index c2b506c3c8a..6d98f66ef9c 100644
--- a/llvm/lib/Fuzzer/FuzzerFlags.def
+++ b/llvm/lib/Fuzzer/FuzzerFlags.def
@@ -72,3 +72,5 @@ FUZZER_FLAG_STRING(exact_artifact_path,
FUZZER_FLAG_INT(drill, 0, "Experimental: fuzz using a single unit as the seed "
"corpus, then merge with the initial corpus")
FUZZER_FLAG_INT(output_csv, 0, "Enable pulse output in CSV format.")
+FUZZER_FLAG_INT(print_new_cov_pcs, 0, "If 1, print out new covered pcs.")
+
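Review bot: The help text for `print_new_cov_pcs` does not mark the flag as experimental, although the commit title calls it an experimental option and the neighbouring `drill` flag carries an `Experimental:` prefix for exactly that purpose. Suggest `FUZZER_FLAG_INT(print_new_cov_pcs, 0, "Experimental: if 1, print newly covered PCs.")`. The extra blank line added after it at the end of the file could be dropped.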
diff --git a/llvm/lib/Fuzzer/FuzzerInternal.h b/llvm/lib/Fuzzer/FuzzerInternal.h
index e96a4bc35fe..17a2cae94a5 100644
--- a/llvm/lib/Fuzzer/FuzzerInternal.h
+++ b/llvm/lib/Fuzzer/FuzzerInternal.h
@@ -97,6 +97,7 @@ class Fuzzer {
bool SaveArtifacts = true;
bool PrintNEW = true; // Print a status line when new units are found;
bool OutputCSV = false;
+ bool PrintNewCovPcs = false;
};
Fuzzer(UserSuppliedFuzzer &USF, FuzzingOptions Options);
void AddToCorpus(const Unit &U) { Corpus.push_back(U); }
@@ -188,6 +189,7 @@ class Fuzzer {
long EpochOfLastReadOfOutputCorpus = 0;
size_t LastRecordedBlockCoverage = 0;
size_t LastRecordedCallerCalleeCoverage = 0;
+ size_t LastCoveragePcBufferLen = 0;
};
class SimpleUserSuppliedFuzzer: public UserSuppliedFuzzer {
diff --git a/llvm/lib/Fuzzer/FuzzerLoop.cpp b/llvm/lib/Fuzzer/FuzzerLoop.cpp
index 7ea82f4f15d..0b1d9d9686a 100644
--- a/llvm/lib/Fuzzer/FuzzerLoop.cpp
+++ b/llvm/lib/Fuzzer/FuzzerLoop.cpp
@@ -31,6 +31,8 @@ void __sanitizer_set_death_callback(void (*callback)(void));
__attribute__((weak)) size_t __sanitizer_get_number_of_counters();
__attribute__((weak))
uintptr_t __sanitizer_update_counter_bitset_and_clear_counters(uint8_t *bitset);
+__attribute__((weak)) uintptr_t
+__sanitizer_get_coverage_pc_buffer(uintptr_t **data);
}
namespace fuzzer {
@@ -249,7 +251,21 @@ void Fuzzer::ExecuteCallback(const Unit &U) {
size_t Fuzzer::RecordBlockCoverage() {
CHECK_WEAK_API_FUNCTION(__sanitizer_get_total_unique_coverage);
- return LastRecordedBlockCoverage = __sanitizer_get_total_unique_coverage();
+ uintptr_t PrevCoverage = LastRecordedBlockCoverage;
+ LastRecordedBlockCoverage = __sanitizer_get_total_unique_coverage();
+
+ if (PrevCoverage == LastRecordedBlockCoverage || !Options.PrintNewCovPcs)
+ return LastRecordedBlockCoverage;
+
+ uintptr_t PrevBufferLen = LastCoveragePcBufferLen;
+ uintptr_t *CoverageBuf;
+ LastCoveragePcBufferLen = __sanitizer_get_coverage_pc_buffer(&CoverageBuf);
+ assert(CoverageBuf);
+ for (size_t i = PrevBufferLen; i < LastCoveragePcBufferLen; ++i) {
+ Printf("0x%x\n", CoverageBuf[i]);
+ }
+
+ return LastRecordedBlockCoverage;
}
size_t Fuzzer::RecordCallerCalleeCoverage() {
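Review bot: `__sanitizer_get_coverage_pc_buffer` is declared weak in this file's first hunk but, unlike `__sanitizer_get_total_unique_coverage`, is called in `RecordBlockCoverage` without a `CHECK_WEAK_API_FUNCTION` guard, so `-print_new_cov_pcs=1` against a runtime that lacks the symbol would presumably call through a null address; add `CHECK_WEAK_API_FUNCTION(__sanitizer_get_coverage_pc_buffer);` before the call. `Printf("0x%x\n", CoverageBuf[i])` passes a `uintptr_t` to `%x`, a format/argument mismatch that truncates PCs on 64-bit targets; `Printf("0x%zx\n", CoverageBuf[i]);` would match the `%zd` already used in FuzzerDriver.cpp, or use `PRIxPTR`. `CoverageBuf` is also left uninitialized and validated only by `assert`, which is compiled out under NDEBUG; `uintptr_t *CoverageBuf = nullptr;` followed by an explicit null check that returns early keeps the guard in release builds.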
diff --git a/llvm/lib/Fuzzer/test/fuzzer.test b/llvm/lib/Fuzzer/test/fuzzer.test
index 810410df6fc..150fc7202b0 100644
--- a/llvm/lib/Fuzzer/test/fuzzer.test
+++ b/llvm/lib/Fuzzer/test/fuzzer.test
@@ -30,3 +30,9 @@ RUN: LLVMFuzzer-SimpleDictionaryTest -seed=1 -runs=100000
RUN: not LLVMFuzzer-UninstrumentedTest-Uninstrumented 2>&1 | FileCheck %s --check-prefix=UNINSTRUMENTED
UNINSTRUMENTED: ERROR: __sanitizer_set_death_callback is not defined. Exiting.
+
+RUN: LLVMFuzzer-SimpleTest -print_new_cov_pcs=1 2>&1 | FileCheck %s --check-prefix=PCS
+PCS:{{^0x[a-f0-9]+}}
+PCS:NEW
+PCS:BINGO
+