path: root/compiler-rt/lib/fuzzer
...
* [libFuzzer] Port to Windows
  Author: Matt Morehouse   Date: 2018-08-28   Files: 9   Lines: -12/+48

  Summary: Port libFuzzer to windows-msvc. This patch allows libFuzzer targets to be built and run on Windows, using -fsanitize=fuzzer and/or -fsanitize=fuzzer-no-link. It allows these forms of coverage instrumentation to work on Windows as well. It does not fix all issues, such as those with -fsanitize-coverage=stack-depth, which is not usable on Windows as of this patch. It also does not fix any libFuzzer integration tests. Nearly all of them fail to compile; fixing them will come in a later patch, so libFuzzer tests are disabled on Windows until then.

  Patch By: metzman
  Reviewers: morehouse, rnk
  Reviewed By: morehouse, rnk
  Subscribers: morehouse, kcc, eraman
  Differential Revision: https://reviews.llvm.org/D51022
  llvm-svn: 340860
* [sanitizer][fuzzer] Transition back to ZX_TIME_INFINITE
  Author: Petr Hosek   Date: 2018-08-27   Files: 1   Lines: -7/+4

  Now that all Zircon calls have been transitioned to take time as signed value, we can transition back to ZX_TIME_INFINITE, undoing the change made in r337802.

  Differential Revision: https://reviews.llvm.org/D51266
  llvm-svn: 340764
* Revert "[libFuzzer] Use std::discrete_distribution for input selection."
  Author: Matt Morehouse   Date: 2018-08-17   Files: 1   Lines: -4/+7

  This reverts r339973 due to msan.test failing on sanitizer-x86_64-linux-fuzzer bot.

  llvm-svn: 339976
* [libFuzzer] Use std::discrete_distribution for input selection.
  Author: Matt Morehouse   Date: 2018-08-17   Files: 1   Lines: -7/+4

  Summary: Since we're casting from double to size_t during input selection, we really want a discrete distribution over size_t rather than a piecewise distribution over doubles.

  Reviewers: kcc
  Reviewed By: kcc
  Subscribers: llvm-commits
  Differential Revision: https://reviews.llvm.org/D50356
  llvm-svn: 339973
* [libFuzzer] Optimize handle unstable checks by reducing iterations
  Author: Max Moroz   Date: 2018-08-08   Files: 3   Lines: -16/+21

  Summary: We only run the 3rd check if 2nd check finds unstable edges. 3rd UpdateUnstableCounters is now merged with ApplyUnstableCounters to only run 1 iteration.

  Patch by Kyungtak Woo (@kevinwkt).

  Reviewers: Dor1s, metzman, morehouse
  Reviewed By: Dor1s, morehouse
  Subscribers: delcypher, #sanitizers, llvm-commits, kcc
  Differential Revision: https://reviews.llvm.org/D50411
  llvm-svn: 339249
* [libFuzzer] Add unstable function printing to print_unstable_stats flag
  Author: Max Moroz   Date: 2018-08-06   Files: 1   Lines: -2/+14

  Summary: There may be cases in which a user wants to know which part of their code is unstable. We use ObservedFuncs and UnstableCounters to print at exit which of the ObservedFunctions are unstable under the -print_unstable_stats flag.

  Patch by Kyungtak Woo (@kevinwkt).

  Reviewers: Dor1s, metzman, morehouse
  Reviewed By: Dor1s, metzman, morehouse
  Subscribers: delcypher, #sanitizers, llvm-commits, kcc
  Differential Revision: https://reviews.llvm.org/D50264
  llvm-svn: 339081
* [libFuzzer] Initial implementation of weighted mutation leveraging during runtime.
  Author: Max Moroz   Date: 2018-08-02   Files: 6   Lines: -27/+76

  Summary: Added functions that calculate stats while fuzz targets are running and give mutations weight based on how much new coverage they provide, and choose better performing mutations more often.

  Patch by Kodé Williams (@kodewilliams).

  Reviewers: Dor1s, metzman, morehouse
  Reviewed By: Dor1s, morehouse
  Subscribers: delcypher, kcc, llvm-commits, #sanitizers
  Differential Revision: https://reviews.llvm.org/D49621
  llvm-svn: 338776
* [libFuzzer] use absolute distance in addition to the hamming distance in value profiling; our A/B testing has (somewhat weak) indication that this provides an additional signal for corpus expansion
  Author: Kostya Serebryany   Date: 2018-08-02   Files: 1   Lines: -10/+5

  llvm-svn: 338661
* [libFuzzer] Handle unstable edges by disregarding unstable edges
  Author: Max Moroz   Date: 2018-07-24   Files: 5   Lines: -7/+19

  Summary: Added a new mode within flag -handle_unstable for new unstable handling algorithm that does the following: When an edge is shown as unstable, copy to UnstableCounters the value 0. During ApplyUnstableCounters we copy back the value 0 to ModuleInline8bitCounters if the edge was unstable. This way we would be ignoring completely features that were collected through non-determinism. Unstable hits would be counted as if it never hit.

  Reviewers: metzman, Dor1s, kcc, morehouse
  Reviewed By: metzman, morehouse
  Subscribers: delcypher, llvm-commits, #sanitizers
  Differential Revision: https://reviews.llvm.org/D49684
  llvm-svn: 337853
* [sanitizer][fuzzer] Temporarily transition to ZX_TIME_INFINITE_OLD
  Author: Petr Hosek   Date: 2018-07-24   Files: 1   Lines: -4/+7

  This is a preparation for breaking change when all Zircon calls that take time as an argument will start using signed values. We will transition back to ZX_TIME_INFINITE after all the changes to these symbols are done and become part of the Fuchsia SDK.

  Differential Revision: https://reviews.llvm.org/D49694
  llvm-svn: 337802
* Revert "[Fuzzer] Update path to libc++ headers"
  Author: Petr Hosek   Date: 2018-07-24   Files: 1   Lines: -2/+2

  This reverts commit r337775 since r337727 has been reverted in r337782.

  llvm-svn: 337784
* [Fuzzer] Update path to libc++ headers
  Author: Petr Hosek   Date: 2018-07-23   Files: 1   Lines: -2/+2

  The path to headers which are installed into libc++ build directory has changed in r337727 which broke the libFuzzer build.

  Differential Revision: https://reviews.llvm.org/D49705
  llvm-svn: 337775
* [libFuzzer] Handle unstable edges by using minimum hit counts
  Author: Max Moroz   Date: 2018-07-23   Files: 7   Lines: -19/+54

  Summary: Created unstable_handle flag that takes 1 or 2, depending on the handling type. Modified RunOne to accommodate the following heuristic: Use the first CollectFeatures to count how many features there are. If no new features, CollectFeatures like before. If there is new feature, we run CB 2 more times, check which edges are unstable per input and we store the least amount of hit counts for each edge. Apply these hit counts back to inline8bitcounters so that CollectFeatures can work as intended. Modified UnstableCounters to 8int_t and created a bitset UnstableSet to tell which edges are unstable.

  Patch by Kyungtak Woo (@kevinwkt).

  Reviewers: Dor1s, metzman, morehouse
  Reviewed By: Dor1s, morehouse
  Subscribers: delcypher, #sanitizers, llvm-commits, kcc
  Differential Revision: https://reviews.llvm.org/D49525
  llvm-svn: 337696
* [libFuzzer] when -print_coverage=1 is given, print more stats (the number of seeds that hit every given function)
  Author: Kostya Serebryany   Date: 2018-07-19   Files: 2   Lines: -14/+18

  llvm-svn: 337501
* [libFuzzer] fix the bot (the no-assert build)
  Author: Kostya Serebryany   Date: 2018-07-19   Files: 1   Lines: -0/+1

  llvm-svn: 337437
* [libFuzzer] first experimental attempt at DFT-based mutations (DFT=data-flow-trace)
  Author: Kostya Serebryany   Date: 2018-07-19   Files: 7   Lines: -9/+54

  llvm-svn: 337434
* [Fuzzer] Improve crash unwinding on Fuchsia
  Author: Petr Hosek   Date: 2018-07-18   Files: 1   Lines: -36/+237

  Fuchsia doesn't have signals; instead it expects processes to have a dedicated exception thread that binds to the process' exception port and waits for exception packets to be delivered. On the other hand, libFuzzer and sanitizer_common expect to collect crash information via libunwind from the same thread that caused the exception.

  The long term fix is to improve support for remote unwinding in libunwind, plumb this through sanitizer_common and libFuzzer, and handle the exception exclusively on the exception thread. In the meantime, this revision has the exception thread "resurrect" the crashing thread by:
  * saving its general purpose register state onto the crashing thread's stack,
  * setting the crashing thread's program counter to an assembly trampoline with the CFI information needed by libunwind, and
  * resuming the crashed thread.

  Patch By: aarongreen

  Differential Revision: https://reviews.llvm.org/D48509
  llvm-svn: 337418
* [libFuzzer] Create single template for visiting Inline8bitCounters
  Author: Max Moroz   Date: 2018-07-18   Files: 2   Lines: -27/+25

  Summary: Created IterateInline8bitCounters, a single template for visiting Inline8bitCounters (nested for loop). Made InitializeUnstableCounters and UpdateUnstableCounters both send a lambda to IterateInline8bitCounters.

  Patch by Kyungtak Woo (@kevinwkt).

  Reviewers: Dor1s, metzman, kcc, morehouse
  Reviewed By: metzman, morehouse
  Subscribers: delcypher, llvm-commits, #sanitizers
  Differential Revision: https://reviews.llvm.org/D49453
  llvm-svn: 337403
* [libFuzzer] Mutation tracking and logging implemented.
  Author: Max Moroz   Date: 2018-07-17   Files: 6   Lines: -21/+50

  Summary: Code now exists to track number of mutations that are used in fuzzing in total and ones that produce new coverage. The stats are currently being dumped to the command line.

  Patch by Kodé Williams (@kodewilliams).

  Reviewers: metzman, Dor1s, morehouse, kcc
  Reviewed By: Dor1s, morehouse, kcc
  Subscribers: delcypher, kubamracek, kcc, morehouse, llvm-commits, #sanitizers, mgorny
  Differential Revision: https://reviews.llvm.org/D48054
  llvm-svn: 337324
* libFuzzer: prevent irrelevant strings from leaking into auto-dictionary
  Author: Matt Morehouse   Date: 2018-07-17   Files: 7   Lines: -26/+18

  This is a fix for bug 37047. https://bugs.llvm.org/show_bug.cgi?id=37047

  Implemented by basically reversing the logic. Previously all strings were considered, with some operations excluded. Now strings are excluded by default, and only strings during the CB considered.

  Patch By: pdknsk

  Differential Revision: https://reviews.llvm.org/D48800
  llvm-svn: 337296
* Revert r337194 (https://reviews.llvm.org/D48891) due to compilation errors.
  Author: Max Moroz   Date: 2018-07-16   Files: 6   Lines: -36/+5

  llvm-svn: 337206
* [CMake] Use cxx-headers as a dependency for C++ headers
  Author: Petr Hosek   Date: 2018-07-16   Files: 1   Lines: -2/+2

  We no longer pass CLANG_DEFAULT_CXX_STDLIB to the runtimes build as it was causing issues so we can no longer use this variable. We instead use cxx-headers as a dependency whenever this is available since both XRay and libFuzzer are built as static libraries so this is sufficient.

  Differential Revision: https://reviews.llvm.org/D49346
  llvm-svn: 337199
* [libFuzzer] Mutation tracking and logging implemented.
  Author: Max Moroz   Date: 2018-07-16   Files: 6   Lines: -5/+36

  Summary: Code now exists to track number of mutations that are used in fuzzing in total and ones that produce new coverage. The stats are currently being dumped to the command line.

  Patch by Kodé Williams (@kodewilliams).

  Reviewers: metzman, Dor1s, morehouse, kcc
  Reviewed By: Dor1s, morehouse, kcc
  Subscribers: delcypher, kubamracek, kcc, morehouse, llvm-commits, #sanitizers, mgorny
  Differential Revision: https://reviews.llvm.org/D48054
  llvm-svn: 337194
* [libFuzzer] Implement stat::stability_rate based on the percentage of unstable edges.
  Author: Max Moroz   Date: 2018-07-16   Files: 7   Lines: -0/+87

  Summary: Created a -print_unstable_stats flag. When -print_unstable_stats=1, we run it 2 more times on interesting inputs poisoning unstable edges in an array. On program termination, we run PrintUnstableStats() which will print a line with a stability percentage like AFL does.

  Patch by Kyungtak Woo (@kevinwkt).

  Reviewers: metzman, Dor1s, kcc, morehouse
  Reviewed By: metzman, Dor1s, morehouse
  Subscribers: delcypher, llvm-commits, #sanitizers, kcc, morehouse, Dor1s
  Differential Revision: https://reviews.llvm.org/D49212
  llvm-svn: 337187
* Revert r337175 (https://reviews.llvm.org/D49212) due to unintentional format changes.
  Author: Max Moroz   Date: 2018-07-16   Files: 7   Lines: -118/+31

  llvm-svn: 337180
* [libFuzzer] Implement stat::stability_rate based on the percentage of unstable edges.
  Author: Max Moroz   Date: 2018-07-16   Files: 7   Lines: -31/+118

  Summary: Created a -print_unstable_stats flag. When -print_unstable_stats=1, we run it 2 more times on interesting inputs poisoning unstable edges in an array. On program termination, we run PrintUnstableStats() which will print a line with a stability percentage like AFL does.

  Patch by Kyungtak Woo (@kevinwkt).

  Reviewers: metzman, Dor1s, kcc, morehouse
  Reviewed By: metzman, Dor1s, morehouse
  Subscribers: delcypher, llvm-commits, #sanitizers, kcc, morehouse, Dor1s
  Differential Revision: https://reviews.llvm.org/D49212
  llvm-svn: 337175
* Revert "[Fuzzer] Afl driver changing iterations handling"
  Author: Matt Morehouse   Date: 2018-07-10   Files: 1   Lines: -19/+5

  This reverts rL334510 due to breakage of afl_driver's command line interface.

  Patch By: Jonathan Metzman

  Differential Revision: https://reviews.llvm.org/D49141
  llvm-svn: 336719
* [CMake] Add compiler-rt header files to the list of sources for targets when building with an IDE so that header files show up in the UI.
  Author: Dan Liew   Date: 2018-07-10   Files: 1   Lines: -2/+24

  This massively improves the development workflow in IDEs.

  To implement this a new function `compiler_rt_process_sources(...)` has been added that adds header files to the list of sources when the generator is an IDE. For non-IDE generators (e.g. Ninja/Makefile) no changes are made to the list of source files. The function can be passed a list of headers via the `ADDITIONAL_HEADERS` argument.

  For each runtime library a list of explicit header files has been added and passed via `ADDITIONAL_HEADERS`. For `tsan` and `sanitizer_common` a list of headers was already present but it was stale and has been updated to reflect the current state of the source tree.

  The original version of this patch used file globbing (`*.{h,inc,def}`) to find the headers but the approach was changed due to this being a CMake anti-pattern (if the list of headers changes CMake won't automatically re-generate if globbing is used).

  The LLVM repo contains a similar function named `llvm_process_sources()` but we don't use it here for several reasons:
  * It depends on the `LLVM_ENABLE_OPTION` cache variable which is not set in standalone compiler-rt builds.
  * We would have to `include(LLVMProcessSources)` which I'd like to avoid because it would include a bunch of stuff we don't need.

  Differential Revision: https://reviews.llvm.org/D48422
  llvm-svn: 336663
* [libFuzzer] Make -fsanitize=memory,fuzzer work.
  Author: Matt Morehouse   Date: 2018-07-09   Files: 4   Lines: -10/+43

  This patch allows libFuzzer to fuzz applications instrumented with MSan without recompiling libFuzzer with MSan instrumentation.

  Fixes https://github.com/google/sanitizers/issues/958.

  Differential Revision: https://reviews.llvm.org/D48891
  llvm-svn: 336619
* Revert "[libFuzzer] Mutation tracking and logging implemented"
  Author: Matt Morehouse   Date: 2018-07-09   Files: 6   Lines: -61/+22

  This reverts r336597 due to bot breakage.

  llvm-svn: 336616
* [libFuzzer] Mutation tracking and logging implemented
  Author: Matt Morehouse   Date: 2018-07-09   Files: 6   Lines: -22/+61

  Code now exists to track number of mutations that are used in fuzzing in total and ones that produce new coverage. The stats are currently being dumped to the command line.

  Patch By: Kode Williams

  Differential Revision: https://reviews.llvm.org/D48054
  llvm-svn: 336597
* libFuzzer: always print line-break for NEW_FUNC/PC output
  Author: Kostya Serebryany   Date: 2018-07-06   Files: 1   Lines: -3/+6

  Summary: This is a minor cosmetic change. When function/path exceed ~1000 characters, the output is truncated before the line-break. I noticed this for NEW_FUNC.

  Reviewers: kcc
  Reviewed By: kcc
  Subscribers: llvm-commits, #sanitizers
  Differential Revision: https://reviews.llvm.org/D48799
  llvm-svn: 336461
* [libFuzzer] [NFC] Inline static variable to avoid the linker warning.
  Author: George Karpenkov   Date: 2018-07-04   Files: 1   Lines: -2/+1

  Differential Revision: https://reviews.llvm.org/D48650
  llvm-svn: 336238
* [libFuzzer] add one more value profile metric, under a flag (experimental)
  Author: Kostya Serebryany   Date: 2018-07-03   Files: 4   Lines: -6/+13

  llvm-svn: 336234
* [libFuzzer] remove stale code, as suggested in https://reviews.llvm.org/D48800
  Author: Kostya Serebryany   Date: 2018-07-03   Files: 1   Lines: -7/+0

  llvm-svn: 336230
* [libFuzzer] Do not turn unittest warnings into errors.
  Author: Matt Morehouse   Date: 2018-06-26   Files: 1   Lines: -1/+0

  Some warnings originating from googletest were causing bots to fail while building unit tests. The sanitizers address this issue by not using -Werror. We adopt this approach for libFuzzer.

  llvm-svn: 335640
* [libFuzzer] Use Vector rather than std::vector.
  Author: Matt Morehouse   Date: 2018-06-25   Files: 1   Lines: -1/+1

  llvm-svn: 335487
* [Fuzzer] Set an explicit libc++ dependency when needed
  Author: Petr Hosek   Date: 2018-06-18   Files: 1   Lines: -2/+6

  On targets that don't link internal libc++ (Fuchsia and Linux) but use libc++ as their C++ library and libFuzzer is being built using the just built compiler together with libc++ as part of runtimes, we need an explicit dependency from libFuzzer object library to libc++ to make sure the headers are available by the time we start building libFuzzer.

  Differential Revision: https://reviews.llvm.org/D48261
  llvm-svn: 334928
* [fuzzer] Python 3 print fixes
  Author: Vitaly Buka   Date: 2018-06-17   Files: 2   Lines: -4/+4

  llvm-svn: 334902
* [fuzzer] Fix collect_data_flow.py for python 3
  Author: Vitaly Buka   Date: 2018-06-17   Files: 1   Lines: -1/+1

  llvm-svn: 334901
* [Fuzzer] Don't hardcode target architecture for Fuzzer tests
  Author: Petr Hosek   Date: 2018-06-15   Files: 1   Lines: -32/+34

  Don't hardcode the architecture for Fuzzer tests which breaks when compiler-rt is being compiled for architectures other than x86_64.

  Differential Revision: https://reviews.llvm.org/D48207
  llvm-svn: 334852
* [libFuzzer] [NFC] Support multi-arch and multi-OS building and testing
  Author: George Karpenkov   Date: 2018-06-14   Files: 2   Lines: -3/+5

  Differential Revision: https://reviews.llvm.org/D47296
  llvm-svn: 334768
* Reland "Passthrough additional flags to custom libcxx CMake build"
  Author: Petr Hosek   Date: 2018-06-13   Files: 1   Lines: -0/+1

  This is needed when we're cross-compiling compiler-rt.

  Differential Revision: https://reviews.llvm.org/D47834
  llvm-svn: 334570
* Revert r334458, r334220, r334212, r334139.
  Author: Matt Morehouse   Date: 2018-06-12   Files: 1   Lines: -1/+0

  Reverts changes to AddCompilerRT.cmake due to breakage of http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux/.

  llvm-svn: 334528
* [Fuzzer] Afl driver changing iterations handling
  Author: David Carlier   Date: 2018-06-12   Files: 1   Lines: -5/+19

  Handling differently the iterations with the type limit and eventually an error message.

  Reviewers: morehouse, kcc
  Reviewed By: morehouse
  Differential Revision: https://reviews.llvm.org/D47880
  llvm-svn: 334510
* [libFuzzer] When printing NEW_FUNC, use 1-base indexing.
  Author: Kostya Serebryany   Date: 2018-06-07   Files: 1   Lines: -1/+1

  Summary: Otherwise we print things like [0/1] which is visually confusing.

  Reviewers: kcc
  Reviewed By: kcc
  Subscribers: delcypher, llvm-commits, #sanitizers
  Differential Revision: https://reviews.llvm.org/D47837
  llvm-svn: 334234
* [Fuzzer] Update the header path for fdio/spawn.h on Fuchsia
  Author: Petr Hosek   Date: 2018-06-07   Files: 1   Lines: -1/+1

  The path now includes lib/ prefix.

  Differential Revision: https://reviews.llvm.org/D47866
  llvm-svn: 334213
* [libFuzzer] make the corpus elements aware of their data flow traces
  Author: Kostya Serebryany   Date: 2018-06-07   Files: 5   Lines: -5/+41

  llvm-svn: 334158
* [libFuzzer] remove an experimental flag -use_feature_frequency
  Author: Kostya Serebryany   Date: 2018-06-06   Files: 5   Lines: -30/+1

  llvm-svn: 334146
* [Fuzzer] Use private libc++ even for Fuchsia
  Author: Petr Hosek   Date: 2018-06-06   Files: 1   Lines: -7/+2

  On Fuchsia, we use libc++ compiled with ASan for our ASan built executable which means we cannot use the same libc++ for libFuzzer when building fuzz targets, instead we'll link a custom internal libc++ into Fuchsia's build of libFuzzer like we already do on Linux.

  Differential Revision: https://reviews.llvm.org/D47835
  llvm-svn: 334144