path: root/compiler-rt/lib/fuzzer/FuzzerDriver.cpp

Commit message | Author | Age | Files | Lines

* [fuzzer] Add basic support for emscripten.
  Jonathan Metzman | 2019-12-12 | 1 file | -1/+6

  Summary:
  Add basic support for emscripten. This enables libFuzzer to build (using build.sh) for emscripten and fuzz a target compiled with -fsanitize-coverage=inline-8bit-counters. Basic fuzzing and bug finding work with this commit. RSS limit and timeouts will not work because they depend on system functions that are not implemented/widely supported in emscripten.

  Reviewers: kcc, vitalybuka, hctim
  Reviewed By: hctim
  Subscribers: #sanitizers, llvm-commits
  Tags: #sanitizers, #llvm
  Differential Revision: https://reviews.llvm.org/D71285

* [libFuzzer] Remove lazy counters.
  Matt Morehouse | 2019-10-01 | 1 file | -1/+0

  Summary: Lazy counters haven't improved performance for large fuzz targets.

  Reviewers: kcc
  Reviewed By: kcc
  Subscribers: llvm-commits
  Tags: #llvm
  Differential Revision: https://reviews.llvm.org/D67476
  llvm-svn: 373403

* [libFuzzer] implement a better queue for the fork mode. Add an internal flag -stop_file to allow graceful shutdown of fuzzing. Enhance the logging in the fork mode
  Kostya Serebryany | 2019-06-14 | 1 file | -0/+2

  llvm-svn: 363470

* [libFuzzer] Disable len_control by default if LLVMFuzzerCustomMutator is used.
  Max Moroz | 2019-06-14 | 1 file | -2/+8

  Summary:
  Some custom mutators may not perform well when size restriction is enforced by len_control. Because of that, it's safer to disable len_control by default in such cases, but still allow users to enable it manually.

  Bug example: https://bugs.chromium.org/p/chromium/issues/detail?id=919530.

  Tested manually with LPM-based and regular fuzz targets.

  Reviewers: kcc, vitalybuka, metzman
  Reviewed By: kcc, metzman
  Subscribers: delcypher, #sanitizers, llvm-commits
  Tags: #llvm, #sanitizers
  Differential Revision: https://reviews.llvm.org/D63334
  llvm-svn: 363443
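The len_control change above rests on the LLVMFuzzerCustomMutator contract: the callback receives MaxSize and must return a new size no larger than it, so once the driver stops shrinking MaxSize for you, the mutator is the only thing keeping inputs inside the limit. The following is an added example, not code from libFuzzer or from this commit: a structure-aware custom mutator for a hypothetical tag/length/value record format that enforces MaxSize itself, with the matching LLVMFuzzerTestOneInput. The record format, the four mutation kinds, the payload-length cap and the sample buffers are assumptions made for the example; it deliberately does not call libFuzzer's LLVMFuzzerMutate so that it compiles and runs without linking libFuzzer.

```cpp
// Added example (not libFuzzer's own code). Hypothetical record format:
// a sequence of [tag:u8][len:u8][len payload bytes].
#include <cstddef>
#include <cstdint>
#include <random>
#include <vector>

struct Record {
  uint8_t Tag;
  std::vector<uint8_t> Payload;
};

// Parse as many records as the buffer holds. A record whose declared length
// runs past the end of the buffer is clamped to the bytes that remain, so a
// truncated input is still structurally meaningful to the mutator.
static std::vector<Record> ParseRecords(const uint8_t *Data, size_t Size) {
  std::vector<Record> Recs;
  size_t Pos = 0;
  while (Pos + 2 <= Size) {
    Record R;
    R.Tag = Data[Pos];
    size_t Len = Data[Pos + 1];
    Pos += 2;
    if (Len > Size - Pos) Len = Size - Pos;
    R.Payload.assign(Data + Pos, Data + Pos + Len);
    Pos += Len;
    Recs.push_back(R);
  }
  return Recs;
}

// Write records back into Out, skipping any record that would not fit in
// MaxSize. This is where the mutator honours the limit libFuzzer handed it.
static size_t SerializeRecords(const std::vector<Record> &Recs, uint8_t *Out,
                               size_t MaxSize) {
  size_t Written = 0;
  for (const Record &R : Recs) {
    size_t Need = 2 + R.Payload.size();
    if (Written + Need > MaxSize) continue;
    Out[Written++] = R.Tag;
    Out[Written++] = static_cast<uint8_t>(R.Payload.size());
    for (uint8_t B : R.Payload) Out[Written++] = B;
  }
  return Written;
}

// libFuzzer calls this instead of its built-in mutations. Data has room for
// MaxSize bytes; the return value is the new input size and must be <= MaxSize.
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
                                          size_t MaxSize, unsigned int Seed) {
  std::minstd_rand Rng(Seed);
  std::vector<Record> Recs = ParseRecords(Data, Size);
  switch (Rng() % 4) {
  case 0: { // append a fresh record with a short random payload (cap: assumption)
    Record R;
    R.Tag = static_cast<uint8_t>(Rng());
    size_t Len = Rng() % 17;
    for (size_t I = 0; I < Len; ++I)
      R.Payload.push_back(static_cast<uint8_t>(Rng()));
    Recs.push_back(R);
    break;
  }
  case 1: // drop one record
    if (!Recs.empty()) Recs.erase(Recs.begin() + Rng() % Recs.size());
    break;
  case 2: { // flip one bit of one payload byte
    if (!Recs.empty()) {
      Record &R = Recs[Rng() % Recs.size()];
      if (!R.Payload.empty())
        R.Payload[Rng() % R.Payload.size()] ^=
            static_cast<uint8_t>(1u << (Rng() % 8));
    }
    break;
  }
  default: // retag one record
    if (!Recs.empty())
      Recs[Rng() % Recs.size()].Tag = static_cast<uint8_t>(Rng());
    break;
  }
  return SerializeRecords(Recs, Data, MaxSize);
}

// The fuzz target: parse, then touch every payload byte so the coverage and
// sanitizer instrumentation observe the whole input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  std::vector<Record> Recs = ParseRecords(Data, Size);
  unsigned Sum = 0;
  for (const Record &R : Recs)
    for (uint8_t B : R.Payload) Sum += B ^ R.Tag;
  (void)Sum;
  return 0;
}
```

Build with `clang++ -fsanitize=fuzzer,address example.cpp`; libFuzzer supplies main and invokes LLVMFuzzerCustomMutator whenever it would otherwise mutate an input. Because the commit above turns len_control off as soon as this symbol is defined, SerializeRecords is the only check keeping the output within MaxSize; pass -len_control explicitly if you want the driver's size schedule back.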
* [libFuzzer] automatically collect the data flow trace (DFT) in the fork mode if -collect_data_flow= is given
  Kostya Serebryany | 2019-05-23 | 1 file | -1/+3

  llvm-svn: 361448

* [libFuzzer] code refactoring; NFC
  Kostya Serebryany | 2019-05-10 | 1 file | -9/+29

  llvm-svn: 360400

* [libFuzzer] small refactoring in the driver; dummy implementation of collect_data_flow; attempt to fix the windows bot
  Kostya Serebryany | 2019-05-10 | 1 file | -21/+29

  llvm-svn: 360399

* [libFuzzer] Replace -seed_corpus to better support fork mode on Win
  Jonathan Metzman | 2019-04-30 | 1 file | -7/+16

  Summary:
  Pass seed corpus list in a file to get around argument length limits on Windows. This limit was preventing many uses of fork mode on Windows.

  Reviewers: kcc, morehouse
  Reviewed By: kcc
  Subscribers: #sanitizers, llvm-commits
  Tags: #sanitizers, #llvm
  Differential Revision: https://reviews.llvm.org/D60980
  llvm-svn: 359610

* [libFuzzer] add -features_dir= flag to dump unique input features on disk
  Kostya Serebryany | 2019-04-13 | 1 file | -0/+2

  llvm-svn: 358317

* [libFuzzer] fork mode: add -ignore_crashes flag, honor the max_total_time flag, print the number of ooms/timeouts/crashes, fix a typo
  Kostya Serebryany | 2019-02-15 | 1 file | -0/+1

  llvm-svn: 354175

* [libFuzzer] when doing the merge, keep track of the covered edges, not just features
  Kostya Serebryany | 2019-02-15 | 1 file | -2/+2

  llvm-svn: 354087

* [libFuzzer] add threads to the fork mode: now you can pass -fork=N to run N concurrent workers. Fork mode is still work-in-progress.
  Kostya Serebryany | 2019-02-14 | 1 file | -1/+1

  llvm-svn: 353997

* [libFuzzer] move the implementation of the fork mode into a separate file
  Kostya Serebryany | 2019-02-12 | 1 file | -92/+3

  llvm-svn: 353891

* [libFuzzer] make the fork mode less verbose
  Kostya Serebryany | 2019-02-12 | 1 file | -8/+14

  llvm-svn: 353794

* [libFuzzer] teach the fork mode to ignore OOMs and timeouts
  Kostya Serebryany | 2019-02-12 | 1 file | -0/+8

  llvm-svn: 353792

* [libFuzzer] extend the -fork=1 functionality. Still not fully usable, but good enough for the first unit test
  Kostya Serebryany | 2019-02-12 | 1 file | -18/+48

  llvm-svn: 353775

* [libFuzzer] more refactoring; change some of the exit codes (timeout, OOM, interrupt) so that the parent process can distinguish those
  Kostya Serebryany | 2019-02-09 | 1 file | -9/+19

  llvm-svn: 353584

* [libFuzzer] refactor the merging code, NFC
  Kostya Serebryany | 2019-02-08 | 1 file | -18/+36

  llvm-svn: 353576

* [libFuzzer] remove two unused experimental flags
  Kostya Serebryany | 2019-02-08 | 1 file | -5/+2

  llvm-svn: 353573

* [libFuzzer] introduce an experimental mode -fork=1, where fuzzing happens in a subprocess (still running multiple inputs per process), thus making the fuzzing more resilient to timeouts and OOMs. This is just a skeleton of the code, and some associated refactoring, not a fully working feature yet.
  Kostya Serebryany | 2019-02-08 | 1 file | -10/+58

  llvm-svn: 353570

* [libFuzzer] refactor the way we choose the element to cross-over with, NFC (expected1); add a flag -seed_inputs= to pass extra seed inputs as file paths, not dirs
  Kostya Serebryany | 2019-02-08 | 1 file | -1/+13

  llvm-svn: 353494

* [libFuzzer] set libFuzzer's own SEGV handler even if one is already present, but call that handler from ours (unless we are unprotecting lazy counters). Call ProtectLazyCounters later, so that it runs after the initialization code in the target.
  Kostya Serebryany | 2019-01-31 | 1 file | -3/+1

  llvm-svn: 352713

* [libFuzzer] experimental performance optimization -lazy_counters, off by default. Posix-only for now, tested on Linux
  Kostya Serebryany | 2019-01-31 | 1 file | -0/+3

  llvm-svn: 352700

* [libFuzzer] remove stale code, NFC
  Kostya Serebryany | 2019-01-30 | 1 file | -29/+0

  llvm-svn: 352604

* [libFuzzer] remove stale code
  Kostya Serebryany | 2019-01-29 | 1 file | -1/+0

  llvm-svn: 352571

* Update the file headers across all of the LLVM projects in the monorepo
  Chandler Carruth | 2019-01-19 | 1 file | -4/+3

  to reflect the new license.

  We understand that people may be surprised that we're moving the header entirely to discuss the new license. We checked this carefully with the Foundation's lawyer and we believe this is the correct approach.

  Essentially, all code in the project is now made available by the LLVM project under our new license, so you will see that the license headers include that license only. Some of our contributors have contributed code under our old license, and accordingly, we have retained a copy of our old license notice in the top-level files in each project and repository.

  llvm-svn: 351636

* [libFuzzer][MSVC] Make attribute-use compatible with MSVC
  Jonathan Metzman | 2019-01-17 | 1 file | -0/+5

  Summary:
  Replace attributes with macros that use equivalent declspecs for MSVC.

  Reviewers: vitalybuka
  Reviewed By: vitalybuka
  Differential Revision: https://reviews.llvm.org/D56512
  llvm-svn: 351456

* [libFuzzer] Remove unstable edge handling
  Jonathan Metzman | 2019-01-15 | 1 file | -4/+0

  Summary:
  Remove code for handling unstable edges from libFuzzer since it has not been found useful.

  Differential Revision: https://reviews.llvm.org/D56730
  llvm-svn: 351262

* [libFuzzer] Remove mutation stats and weighted mutation selection.
  Max Moroz | 2018-08-29 | 1 file | -2/+0

  Summary:
  This was an experimental feature. After evaluating it with:
  1) https://github.com/google/fuzzer-test-suite/tree/master/engine-comparison
  2) enabling on real world fuzz targets running at ClusterFuzz and OSS-Fuzz

  The following conclusions were made:
  1) With fuzz targets that have reached a code coverage plateau, the feature does not improve libFuzzer's ability to discover new coverage and may actually negatively impact it.
  2) With fuzz targets that have not yet reached a code coverage plateau, the feature might speed up new units discovery in some cases, but it is quite rare and hard to confirm with a high level of confidence.

  Revert of https://reviews.llvm.org/D48054 and https://reviews.llvm.org/D49621.

  Reviewers: metzman, morehouse
  Reviewed By: metzman, morehouse
  Subscribers: delcypher, #sanitizers, llvm-commits, kcc
  Differential Revision: https://reviews.llvm.org/D51455
  llvm-svn: 340976

* [libFuzzer] Initial implementation of weighted mutation leveraging during runtime.
  Max Moroz | 2018-08-02 | 1 file | -0/+1

  Summary:
  Added functions that calculate stats while fuzz targets are running and give mutations weight based on how much new coverage they provide, and choose better performing mutations more often.

  Patch by Kodé Williams (@kodewilliams).

  Reviewers: Dor1s, metzman, morehouse
  Reviewed By: Dor1s, morehouse
  Subscribers: delcypher, kcc, llvm-commits, #sanitizers
  Differential Revision: https://reviews.llvm.org/D49621
  llvm-svn: 338776

* [libFuzzer] Handle unstable edges by disregarding unstable edges
  Max Moroz | 2018-07-24 | 1 file | -1/+2

  Summary:
  Added a new mode within flag -handle_unstable for new unstable handling algorithm that does the following: When an edge is shown as unstable, copy to UnstableCounters the value 0. During ApplyUnstableCounters we copy back the value 0 to ModuleInline8bitCounters if the edge was unstable. This way we would be ignoring completely features that were collected through non-determinism. Unstable hits would be counted as if it never hit.

  Reviewers: metzman, Dor1s, kcc, morehouse
  Reviewed By: metzman, morehouse
  Subscribers: delcypher, llvm-commits, #sanitizers
  Differential Revision: https://reviews.llvm.org/D49684
  llvm-svn: 337853

* [libFuzzer] Handle unstable edges by using minimum hit counts
  Max Moroz | 2018-07-23 | 1 file | -0/+2

  Summary:
  Created unstable_handle flag that takes 1 or 2, depending on the handling type. Modified RunOne to accommodate the following heuristic: Use the first CollectFeatures to count how many features there are. If no new features, CollectFeatures like before. If there is new feature, we run CB 2 more times, Check which edges are unstable per input and we store the least amount of hit counts for each edge. Apply these hit counts back to inline8bitcounters so that CollectFeatures can work as intended. Modified UnstableCounters to int8_t and created a bitset UnstableSet to tell which edges are unstable.

  Patch by Kyungtak Woo (@kevinwkt).

  Reviewers: Dor1s, metzman, morehouse
  Reviewed By: Dor1s, morehouse
  Subscribers: delcypher, #sanitizers, llvm-commits, kcc
  Differential Revision: https://reviews.llvm.org/D49525
  llvm-svn: 337696

* [libFuzzer] Mutation tracking and logging implemented.
  Max Moroz | 2018-07-17 | 1 file | -0/+1

  Summary:
  Code now exists to track number of mutations that are used in fuzzing in total and ones that produce new coverage. The stats are currently being dumped to the command line.

  Patch by Kodé Williams (@kodewilliams).

  Reviewers: metzman, Dor1s, morehouse, kcc
  Reviewed By: Dor1s, morehouse, kcc
  Subscribers: delcypher, kubamracek, kcc, morehouse, llvm-commits, #sanitizers, mgorny
  Differential Revision: https://reviews.llvm.org/D48054
  llvm-svn: 337324

* Revert r337194 (https://reviews.llvm.org/D48891) due to compilation errors.
  Max Moroz | 2018-07-16 | 1 file | -1/+0

  llvm-svn: 337206

* [libFuzzer] Mutation tracking and logging implemented.
  Max Moroz | 2018-07-16 | 1 file | -0/+1

  Summary:
  Code now exists to track number of mutations that are used in fuzzing in total and ones that produce new coverage. The stats are currently being dumped to the command line.

  Patch by Kodé Williams (@kodewilliams).

  Reviewers: metzman, Dor1s, morehouse, kcc
  Reviewed By: Dor1s, morehouse, kcc
  Subscribers: delcypher, kubamracek, kcc, morehouse, llvm-commits, #sanitizers, mgorny
  Differential Revision: https://reviews.llvm.org/D48054
  llvm-svn: 337194

* [libFuzzer] Implement stat::stability_rate based on the percentage of unstable edges.
  Max Moroz | 2018-07-16 | 1 file | -0/+1

  Summary:
  Created a -print_unstable_stats flag. When -print_unstable_stats=1, we run it 2 more times on interesting inputs poisoning unstable edges in an array. On program termination, we run PrintUnstableStats() which will print a line with a stability percentage like AFL does.

  Patch by Kyungtak Woo (@kevinwkt).

  Reviewers: metzman, Dor1s, kcc, morehouse
  Reviewed By: metzman, Dor1s, morehouse
  Subscribers: delcypher, llvm-commits, #sanitizers, kcc, morehouse, Dor1s
  Differential Revision: https://reviews.llvm.org/D49212
  llvm-svn: 337187

* Revert r337175 (https://reviews.llvm.org/D49212) due to unintentional format changes.
  Max Moroz | 2018-07-16 | 1 file | -6/+5

  llvm-svn: 337180

* [libFuzzer] Implement stat::stability_rate based on the percentage of unstable edges.
  Max Moroz | 2018-07-16 | 1 file | -5/+6

  Summary:
  Created a -print_unstable_stats flag. When -print_unstable_stats=1, we run it 2 more times on interesting inputs poisoning unstable edges in an array. On program termination, we run PrintUnstableStats() which will print a line with a stability percentage like AFL does.

  Patch by Kyungtak Woo (@kevinwkt).

  Reviewers: metzman, Dor1s, kcc, morehouse
  Reviewed By: metzman, Dor1s, morehouse
  Subscribers: delcypher, llvm-commits, #sanitizers, kcc, morehouse, Dor1s
  Differential Revision: https://reviews.llvm.org/D49212
  llvm-svn: 337175

* [libFuzzer] Make -fsanitize=memory,fuzzer work.
  Matt Morehouse | 2018-07-09 | 1 file | -0/+2

  This patch allows libFuzzer to fuzz applications instrumented with MSan without recompiling libFuzzer with MSan instrumentation.

  Fixes https://github.com/google/sanitizers/issues/958.

  Differential Revision: https://reviews.llvm.org/D48891
  llvm-svn: 336619

* Revert "[libFuzzer] Mutation tracking and logging implemented"
  Matt Morehouse | 2018-07-09 | 1 file | -1/+0

  This reverts r336597 due to bot breakage.

  llvm-svn: 336616

* [libFuzzer] Mutation tracking and logging implemented
  Matt Morehouse | 2018-07-09 | 1 file | -0/+1

  Code now exists to track number of mutations that are used in fuzzing in total and ones that produce new coverage. The stats are currently being dumped to the command line.

  Patch By: Kode Williams

  Differential Revision: https://reviews.llvm.org/D48054
  llvm-svn: 336597

* [libFuzzer] remove an experimental flag -use_feature_frequency
  Kostya Serebryany | 2018-06-06 | 1 file | -1/+0

  llvm-svn: 334146

* [libFuzzer] initial implementation of -data_flow_trace. It parses the data flow trace and prints the summary, but doesn't use the information in any other way yet
  Kostya Serebryany | 2018-06-06 | 1 file | -0/+2

  llvm-svn: 334058

* [libFuzzer] reinstate -dump_coverage, which is still in use (reverts r332036)
  Kostya Serebryany | 2018-05-21 | 1 file | -0/+1

  llvm-svn: 332876

* [libFuzzer] add an experimental flag -focus_function: libFuzzer will try to focus on inputs that trigger that function
  Kostya Serebryany | 2018-05-16 | 1 file | -0/+2

  llvm-svn: 332554

* [libFuzzer] deprecate equivalence_server
  Kostya Serebryany | 2018-05-15 | 1 file | -0/+2

  llvm-svn: 332316

* [libFuzzer] remove the dump_coverage flag, it hasn't been working with the inline sanitizer coverage anyway
  Kostya Serebryany | 2018-05-10 | 1 file | -1/+0

  llvm-svn: 332036

* [libFuzzer] remove the experimental support for clang coverage instrumentation. This mode has not been used and our experiments with https://github.com/google/fuzzer-test-suite show that this signal is weaker than the SanitizerCoverage
  Kostya Serebryany | 2018-05-10 | 1 file | -1/+0

  llvm-svn: 332034

* fix some user facing typos / in the comments
  Sylvestre Ledru | 2018-03-13 | 1 file | -1/+1

  llvm-svn: 327402

* [libFuzzer] Set -experimental_len_control=1000 as default.
  Matt Morehouse | 2018-02-13 | 1 file | -1/+1

  Summary:
  Experiments using https://github.com/google/fuzzer-test-suite/tree/master/engine-comparison show a significant increase in coverage and reduction in corpus size with this option enabled.

  Addresses https://llvm.org/pr36371.

  Reviewers: kcc
  Reviewed By: kcc
  Subscribers: llvm-commits
  Differential Revision: https://reviews.llvm.org/D42932
  llvm-svn: 325050