path: root/compiler-rt/lib/fuzzer
Commit message | Author | Age | Files | Lines
...
* [CMake] Passthrough additional flags to custom libcxx CMake build
  Petr Hosek, 2018-06-06, 1 file, -0/+1
  This is needed when we're cross-compiling compiler-rt.
  Differential Revision: https://reviews.llvm.org/D47834
  llvm-svn: 334139

* Fix compile error with libstdc++.
  Ilya Biryukov, 2018-06-06, 1 file, -0/+5
  By adding a ctor to create fuzzer_allocator<T> from fuzzer_allocator<U>. This mimics constructors of std::allocator<T>. Without the constructors, some versions of libstdc++ can't compile `vector<bool, fuzzer_allocator<bool>>`.
  llvm-svn: 334077

* [libFuzzer] initial implementation of -data_flow_trace. It parses the data flow trace and prints the summary, but doesn't use the information in any other way yet
  Kostya Serebryany, 2018-06-06, 13 files, -2/+188
  llvm-svn: 334058

* [Fuzzer] Migrate Fuchsia port from launchpad to fdio_spawn
  Petr Hosek, 2018-06-02, 1 file, -19/+36
  fdio_spawn is the new public API for launching processes in Fuchsia.
  Differential Revision: https://reviews.llvm.org/D47649
  llvm-svn: 333809

* [libFuzzer] add collect_data_flow.py that allows running the data-flow tracer several times on subsets of input bytes, to overcome DFSan out-of-label failures
  Kostya Serebryany, 2018-05-31, 1 file, -0/+56
  llvm-svn: 333616

* [Fuzzer] Update _zx_port_wait function use in Fuchsia port
  Petr Hosek, 2018-05-26, 1 file, -5/+5
  Fuchsia's _zx_port_wait no longer takes the count argument. This change also updates all symbol uses to use the underscored versions.
  Differential Revision: https://reviews.llvm.org/D47403
  llvm-svn: 333328

* [libFuzzer] Run libFuzzer unit tests only on host architecture.
  George Karpenkov, 2018-05-24, 1 file, -32/+33
  LIT tests are used to test other cross-compiled architectures; unit tests are only run on the host. NFC now as currently only a single architecture is supported.
  Differential Revision: https://reviews.llvm.org/D47286
  llvm-svn: 333241

* [libFuzzer] DataFlow tracer now tags a subset of the input. A separate script merges traces from the subsets
  Kostya Serebryany, 2018-05-24, 2 files, -6/+47
  llvm-svn: 333149

* [libFuzzer] fix two off-by-ones (!!) in the data flow tracer
  Kostya Serebryany, 2018-05-23, 1 file, -2/+3
  llvm-svn: 333142

* [libFuzzer] change the output format for the DataFlow tracer
  Kostya Serebryany, 2018-05-23, 1 file, -23/+25
  llvm-svn: 333122

* [libFuzzer] Don't complain about lack of interesting inputs when -runs=0.
  Max Moroz, 2018-05-23, 1 file, -1/+1
  Summary: The most common use case for -runs=0 is for generating code coverage over some corpus. Coverage reports based on sancov are about to be deprecated, which means some external coverage solution will be used, e.g. Clang source based code coverage, which does not use any sancov instrumentations and thus libFuzzer would consider any input to be not interesting in that case.
  Reviewers: kcc
  Reviewed By: kcc
  Subscribers: alex, delcypher, #sanitizers, llvm-commits
  Differential Revision: https://reviews.llvm.org/D47271
  llvm-svn: 333116

* [libFuzzer] modify -print_corpus_stats to print whether the input reaches the focus function
  Kostya Serebryany, 2018-05-23, 1 file, -2/+2
  llvm-svn: 333048

* [libFuzzer] reinstate -dump_coverage, which is still in use (reverts r332036)
  Kostya Serebryany, 2018-05-21, 6 files, -1/+17
  llvm-svn: 332876

* [libFuzzer] add an experimental flag -focus_function: libFuzzer will try to focus on inputs that trigger that function
  Kostya Serebryany, 2018-05-16, 8 files, -2/+64
  llvm-svn: 332554

* [libFuzzer] deprecate equivalence_server
  Kostya Serebryany, 2018-05-15, 2 files, -2/+4
  llvm-svn: 332316

* [libFuzzer] refactor the implementation of -print_coverage
  Kostya Serebryany, 2018-05-11, 2 files, -44/+43
  llvm-svn: 332073

* [libFuzzer] remove the dump_coverage flag, it hasn't been working with the inline sanitizer coverage anyway
  Kostya Serebryany, 2018-05-10, 6 files, -17/+1
  llvm-svn: 332036

* [libFuzzer] remove the experimental support for clang coverage instrumentation. This mode has not been used and our experiments with https://github.com/google/fuzzer-test-suite show that this signal is weaker than the SanitizerCoverage
  Kostya Serebryany, 2018-05-10, 9 files, -84/+1
  llvm-svn: 332034

* [libFuzzer] Experimental data flow tracer for fuzz targets.
  Kostya Serebryany, 2018-05-10, 1 file, -0/+203
  Summary: Experimental data flow tracer for fuzz targets. Allows telling which bytes of the input affect which functions of the fuzz target. We previously attempted to use DFSan directly in the libFuzzer process, and that didn't work nicely. Now we will try to collect the data flow information for the seed corpus in a separate process (using this tracer), and then use it in the regular libFuzzer runs.
  Reviewers: morehouse, pcc, Dor1s
  Reviewed By: morehouse, Dor1s
  Subscribers: delcypher, #sanitizers, llvm-commits
  Differential Revision: https://reviews.llvm.org/D46666
  llvm-svn: 332029

* wrong usages of sem_open in the libFuzzer
  Kamil Rytarowski, 2018-05-10, 1 file, -2/+7
  Summary: Fixed two non-standard usages of sem_open in the libFuzzer library and one NetBSD-related modification with test script.
  - The return value to indicate error should be SEM_FAILED instead of (void *)-1 (please refer to the "RETURN VALUE" section of http://pubs.opengroup.org/onlinepubs/9699919799/functions/sem_open.html). Actually, SEM_FAILED != (void *)-1 holds in NetBSD.
  - The SharedMemoryRegion::SemName function should return a name starting with a slash, because the behaviour of a name which does not start with a slash is unspecified, as the "DESCRIPTION" section of the same page specifies:
    > If name does not begin with the <slash> character, the effect is implementation-defined.
  - The length of the name is limited to 14 in NetBSD; it is suggested to reduce the length of the equivalence server name in the test script.
  Patch by: Yang Zheng
  Reviewers: vitalybuka, krytarowski, kcc
  Reviewed By: kcc
  Subscribers: kcc, #sanitizers, llvm-commits, joerg
  Differential Revision: https://reviews.llvm.org/D46622
  llvm-svn: 332003

* [libFuzzer] Guard symbolization with try-lock.
  Matt Morehouse, 2018-05-08, 3 files, -13/+29
  Summary: When out-of-memory or timeout occurs, threads can be stopped during symbolization, thereby causing a deadlock when the OOM/TO handlers attempt symbolization. We avoid this deadlock by skipping symbolization if another thread is symbolizing.
  Reviewers: kcc
  Reviewed By: kcc
  Subscribers: llvm-commits
  Differential Revision: https://reviews.llvm.org/D46605
  llvm-svn: 331825

* [libFuzzer] Don't short-circuit from CrashCallback.
  Matt Morehouse, 2018-05-02, 1 file, -3/+2
  Short-circuiting causes tests to fail on Mac since libFuzzer crashes rather than exiting with an error code when an unexpected signal happens.
  llvm-svn: 331324

* [libFuzzer] Report at most one crash per input.
  Matt Morehouse, 2018-05-01, 2 files, -0/+13
  Summary: Fixes https://github.com/google/sanitizers/issues/788/, a deadlock caused by multiple crashes happening at the same time. Before printing a crash report, we now test and set an atomic flag. If the flag was already set, the crash handler returns immediately.
  Reviewers: kcc
  Reviewed By: kcc
  Subscribers: llvm-commits, kubamracek
  Differential Revision: https://reviews.llvm.org/D46277
  llvm-svn: 331310
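The two guards described in the "Guard symbolization with try-lock" and "Report at most one crash per input" messages above, as an added example that is not libFuzzer's own code: an atomic test-and-set so that, when several threads crash at once, only the first one prints a report and the others return immediately, and a try-lock around symbolization so that a crash handler never blocks on a symbolizer lock held by a thread that was stopped mid-symbolization by the OOM/timeout handler. The function names, the report text and the stand-in symbolizer are assumptions; a real handler would call an external symbolizer and then terminate the process.

```cpp
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not libFuzzer's code. Names and report format are assumptions.
//
// gCrashReported: per-input "a report is already in flight" flag. Exactly one
// caller wins the false->true transition; everyone else drops out at once
// instead of racing on (and deadlocking in) the reporting code.
static std::atomic<bool> gCrashReported{false};

// gSymbolizerBusy: try-lock protecting the symbolizer. Never waited on, only
// tried, so a thread that died holding it cannot wedge the crash handler.
static std::atomic<bool> gSymbolizerBusy{false};

// Exposed so a caller (or a test) can simulate another thread holding the
// symbolizer lock without needing a second thread.
bool SymbolizerTryLock() { return !gSymbolizerBusy.exchange(true); }
void SymbolizerUnlock() { gSymbolizerBusy.store(false); }

// Stand-in for a real symbolizer (which would run llvm-symbolizer or similar).
static std::string SymbolizeFrame(uintptr_t pc) {
  char buf[64];
  std::snprintf(buf, sizeof(buf), "frame@0x%llx", (unsigned long long)pc);
  return buf;
}

// Renders a stack trace. Symbolizes only if the try-lock succeeds; otherwise
// prints raw addresses and says why, rather than blocking.
std::string RenderStack(const std::vector<uintptr_t> &pcs) {
  std::string out;
  if (!SymbolizerTryLock()) {
    for (uintptr_t pc : pcs) {
      char buf[32];
      std::snprintf(buf, sizeof(buf), "    #? 0x%llx\n", (unsigned long long)pc);
      out += buf;
    }
    out += "    (symbolization skipped: another thread is symbolizing)\n";
    return out;
  }
  for (size_t i = 0; i < pcs.size(); ++i)
    out += "    #" + std::to_string(i) + " " + SymbolizeFrame(pcs[i]) + "\n";
  SymbolizerUnlock();
  return out;
}

// Crash callback. Returns the report if this call produced it, or an empty
// string if a report was already in flight and this crash was dropped.
std::string CrashCallback(const std::vector<uintptr_t> &pcs) {
  bool expected = false;
  // Atomic test-and-set: only the caller that flips false->true reports.
  if (!gCrashReported.compare_exchange_strong(expected, true))
    return "";
  return "==ERROR: deadly signal\n" + RenderStack(pcs);
}

// Clears the per-input flag (the fuzzer would do this before the next input).
void ResetCrashState() { gCrashReported.store(false); }

int main() {
  std::vector<uintptr_t> pcs = {0x401000, 0x401234};
  std::printf("%s", CrashCallback(pcs).c_str());  // first crash: full report
  std::printf("second crash dropped: %d\n", (int)CrashCallback(pcs).empty());
  ResetCrashState();
  SymbolizerTryLock();  // pretend another thread is stuck in the symbolizer
  std::printf("%s", CrashCallback(pcs).c_str());  // raw addresses, no deadlock
  SymbolizerUnlock();
  return 0;
}
```

The ordering matters: the crash flag is tested before any reporting work, and the symbolizer lock is only ever tried, never acquired blocking, so neither guard can itself become the deadlock it is meant to prevent.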
* [LibFuzzer] Tweak `MutationDispatcher::Mutate_CopyPart` mutation.
  Dan Liew, 2018-04-24, 2 files, -1/+18
  It doesn't make sense to non-deterministically choose between `CopyPart(..)` and `InsertPart(..)` when it is known that `InsertPart(..)` will fail. This upstreams a change from JFS solver's fork of LibFuzzer.
  Differential Revision: https://reviews.llvm.org/D45693
  llvm-svn: 330687
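An added illustration of the `Mutate_CopyPart` point above, not libFuzzer's own code: a simplified `CopyPartOf` (overwrites bytes in place, size unchanged) and `InsertPartOf` (grows the input, so it cannot succeed once `Size == MaxSize`), the old coin-flip dispatch beside the fixed one, and a counter showing how many mutation attempts are wasted on a full-size input. The helper shapes, the RNG and the buffer size are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <random>
#include <vector>

// Added example, not libFuzzer's code; helper shapes are assumptions.
// Convention kept from the commit message: a mutator returns the new size,
// and 0 means "no mutation could be performed".

using Rng = std::mt19937;

// Uniform pick in [0, n); returns 0 for n == 0.
static size_t RandBelow(Rng &rng, size_t n) {
  return n == 0 ? 0 : std::uniform_int_distribution<size_t>(0, n - 1)(rng);
}

// Overwrites a random range of Data[0..Size) with another random range of
// itself. Size never changes, so this works even when Size == MaxSize.
size_t CopyPartOf(uint8_t *Data, size_t Size, size_t MaxSize, Rng &rng) {
  if (Size == 0 || Size > MaxSize) return 0;
  size_t ToBeg = RandBelow(rng, Size);
  size_t CopySize = RandBelow(rng, Size - ToBeg) + 1;
  size_t FromBeg = RandBelow(rng, Size - CopySize + 1);
  std::memmove(Data + ToBeg, Data + FromBeg, CopySize);  // ranges may overlap
  return Size;
}

// Inserts a copy of a random range of Data[0..Size) at a random offset,
// growing the input. Fails when there is no room to grow.
size_t InsertPartOf(uint8_t *Data, size_t Size, size_t MaxSize, Rng &rng) {
  if (Size == 0 || Size >= MaxSize) return 0;  // empty, or already full
  size_t InsertSize = RandBelow(rng, std::min(Size, MaxSize - Size)) + 1;
  size_t FromBeg = RandBelow(rng, Size - InsertSize + 1);
  size_t ToBeg = RandBelow(rng, Size + 1);
  std::vector<uint8_t> Part(Data + FromBeg, Data + FromBeg + InsertSize);
  std::memmove(Data + ToBeg + InsertSize, Data + ToBeg, Size - ToBeg);  // open a gap
  std::memcpy(Data + ToBeg, Part.data(), InsertSize);                   // fill it
  return Size + InsertSize;
}

// Before the tweak: a coin flip, so at Size == MaxSize half the calls go to
// InsertPartOf and are guaranteed to return 0.
size_t Mutate_CopyPartOld(uint8_t *Data, size_t Size, size_t MaxSize, Rng &rng) {
  if (Size == 0 || Size > MaxSize) return 0;
  if ((rng() & 1) == 0) return CopyPartOf(Data, Size, MaxSize, rng);
  return InsertPartOf(Data, Size, MaxSize, rng);
}

// After the tweak: take the insert path only when it can succeed.
size_t Mutate_CopyPart(uint8_t *Data, size_t Size, size_t MaxSize, Rng &rng) {
  if (Size == 0 || Size > MaxSize) return 0;
  if (Size == MaxSize || (rng() & 1) == 0)
    return CopyPartOf(Data, Size, MaxSize, rng);
  return InsertPartOf(Data, Size, MaxSize, rng);
}

using Mutator = size_t (*)(uint8_t *, size_t, size_t, Rng &);

// Runs `M` `iters` times on a full-size input (Size == MaxSize) from a fixed
// seed and returns how many calls produced no mutation.
size_t CountWastedAtMaxSize(Mutator M, size_t iters) {
  Rng rng(42);
  size_t wasted = 0;
  for (size_t i = 0; i < iters; ++i) {
    std::vector<uint8_t> buf(16);  // constructed input: 16 bytes, already at MaxSize
    for (size_t j = 0; j < buf.size(); ++j) buf[j] = static_cast<uint8_t>(j);
    if (M(buf.data(), buf.size(), buf.size(), rng) == 0) ++wasted;
  }
  return wasted;
}

// Checks that every InsertPartOf result on a non-full input stays within
// (Size, MaxSize]; returns false on the first violation.
bool InsertStaysWithinMax(size_t Size, size_t MaxSize, size_t iters) {
  Rng rng(7);
  for (size_t i = 0; i < iters; ++i) {
    std::vector<uint8_t> buf(MaxSize, 0xAA);  // constructed input
    size_t NewSize = InsertPartOf(buf.data(), Size, MaxSize, rng);
    if (NewSize <= Size || NewSize > MaxSize) return false;
  }
  return true;
}
```

The wasted-call count is the practical cost the commit removes: each 0 returned from the mutator is an iteration of the fuzz loop that executed no new input.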
* [libFuzzer] Add feature to not use AFL's deferred forkserver.
  Matt Morehouse, 2018-04-23, 1 file, -1/+13
  A small but substantial minority of libFuzzer-based fuzzers run code that does not play well with fork in global constructors or LLVMFuzzerInitialize. This patch allows these fuzzers to use afl_driver by allowing them to opt out of using AFL's deferred forkserver, which defers calling fork until after this code.
  Patch By: metzman
  Differential Revision: https://reviews.llvm.org/D45744
  llvm-svn: 330652

* [LibFuzzer] Report when custom counters are available.
  Dan Liew, 2018-04-20, 1 file, -0/+3
  This upstreams a feature from the JFS solver's fork of LibFuzzer.
  Differential Revision: https://reviews.llvm.org/D45675
  llvm-svn: 330391

* [LibFuzzer] Try to unbreak the `FuzzerMutate.ShuffleBytes1` unit test.
  Dan Liew, 2018-04-20, 1 file, -1/+1
  This test is failing on my Linux box. Just increasing the number of iterations works around this. The divergence is likely due to our reliance on `std::shuffle()` which is not guaranteed to have the same behaviour across platforms. This is a strong argument for us to implement our own shuffle function to avoid divergence in behaviour across platforms.
  Differential Revision: https://reviews.llvm.org/D45767
  llvm-svn: 330390

* [LibFuzzer] Unbreak the `trace-malloc-unbalanced.test` when using Python 3.
  Dan Liew, 2018-04-20, 1 file, -5/+5
  The `unbalanced_allocs.py` script uses the Python 2 print statement and `iteritems()`. Running `2to3` over the script fixes these.
  Differential Revision: https://reviews.llvm.org/D45765
  llvm-svn: 330389

* [Fuzzer] Add a missing header in Fuchsia implementation
  Petr Hosek, 2018-04-20, 1 file, -0/+1
  This is needed for fd_set.
  Differential Revision: https://reviews.llvm.org/D45852
  llvm-svn: 330383

* [Fuzzer] Make InterruptHandler non-blocking for Fuchsia
  Petr Hosek, 2018-04-19, 1 file, -1/+6
  The initial naive approach to simulate SIGINT on Fuchsia was to getchar and look for ETX. This caused the InterruptHandler thread to lock stdin, preventing musl's exit() from being able to close the stdio descriptors and complete. This change uses select() instead.
  Patch By: aarongreen
  Differential Revision: https://reviews.llvm.org/D45636
  llvm-svn: 330328

* [Fuzzer] Avoid C++ compiler checks for fuzzer C++ library
  Petr Hosek, 2018-04-13, 1 file, -1/+2
  When building libFuzzer as part of the toolchain, the C++ library may not have been fully built yet, so the C++ compiler checks will fail, but we don't care since we don't need the C++ library anyway as we're building our own.
  Differential Revision: https://reviews.llvm.org/D45638
  llvm-svn: 330075

* libFuzzer, OpenBSD support
  Vitaly Buka, 2018-04-09, 6 files, -8/+39
  Summary:
  - Enabling libfuzzer on OpenBSD
  - OpenBSD can't support asan, msan ... the tests can't be run.
  Patch by David CARLIER
  Reviewers: eugenis, phosek, vitalybuka
  Reviewed By: vitalybuka
  Subscribers: srhines, mgorny, krytarowski, llvm-commits, #sanitizers
  Differential Revision: https://reviews.llvm.org/D44877
  llvm-svn: 329631

* [libFuzzer] Print a correct error message when a directory can't be opened.
  Matt Morehouse, 2018-04-06, 1 file, -1/+1
  Summary: Currently, if the directory cannot be opened for a reason other than non-existence (e.g. too many open file descriptors), the error message printed is incredibly confusing.
  Patch By: Alex Gaynor
  Reviewers: kcc, morehouse
  Reviewed By: morehouse
  Subscribers: delcypher, llvm-commits, Sanitizers
  Differential Revision: https://reviews.llvm.org/D45322
  llvm-svn: 329438

* Revert "[compiler-rt] Change std::sort to llvm::sort in response to r327219"
  Mandeep Singh Grang, 2018-03-20, 2 files, -10/+10
  This reverts commit 2ee210e1963e03aacc0f71c50e4994bb5c66586e.
  llvm-svn: 327936

* [compiler-rt] Change std::sort to llvm::sort in response to r327219
  Mandeep Singh Grang, 2018-03-20, 2 files, -10/+10
  Summary: r327219 added wrappers to std::sort which randomly shuffle the container before sorting. This will help in uncovering non-determinism caused due to undefined sorting order of objects having the same key. To make use of that infrastructure we need to invoke llvm::sort instead of std::sort.
  Reviewers: kcc, rsmith, RKSimon, eugenis
  Reviewed By: RKSimon
  Subscribers: efriedma, kubamracek, dberris, #sanitizers, llvm-commits
  Differential Revision: https://reviews.llvm.org/D44360
  llvm-svn: 327929

* [Fuzzer] Build the shared memory hooks for Fuchsia
  Petr Hosek, 2018-03-16, 1 file, -0/+1
  This is needed; otherwise we'll get undefined references when trying to use the libFuzzer built for Fuchsia.
  Differential Revision: https://reviews.llvm.org/D44590
  llvm-svn: 327759

* fix some user facing typos / in the comments
  Sylvestre Ledru, 2018-03-13, 5 files, -8/+8
  llvm-svn: 327402

* [Fuzzer] When building for Fuchsia, add an explicit libc++ dependency
  Petr Hosek, 2018-03-10, 1 file, -0/+5
  libFuzzer depends on the C++ library; when building for Fuchsia, we need to ensure that libFuzzer is only being built after libc++ has been built, so we add an explicit dependency on it.
  Differential Revision: https://reviews.llvm.org/D44340
  llvm-svn: 327196

* [Fuzzer] Avoid the unnecessary rebuild of the custom libc++
  Petr Hosek, 2018-03-07, 2 files, -4/+4
  This changes the add_custom_libcxx macro to resemble the llvm_ExternalProject_Add. The primary motivation is to avoid unnecessary libFuzzer rebuilds that are being done on every Ninja/Make invocation. The libc++ should be only rebuilt whenever the libc++ source itself changes.
  Differential Revision: https://reviews.llvm.org/D43213
  llvm-svn: 326921

* [libFuzzer] Include TEMP_MAX_LEN in Fuzzer::PrintStats.
  Matt Morehouse, 2018-02-22, 1 file, -4/+2
  Reviewers: kcc
  Reviewed By: kcc
  Subscribers: llvm-commits
  Differential Revision: https://reviews.llvm.org/D43597
  llvm-svn: 325817

* [libFuzzer] Set -experimental_len_control=1000 as default.
  Matt Morehouse, 2018-02-13, 4 files, -6/+9
  Summary: Experiments using https://github.com/google/fuzzer-test-suite/tree/master/engine-comparison show a significant increase in coverage and reduction in corpus size with this option enabled. Addresses https://llvm.org/pr36371.
  Reviewers: kcc
  Reviewed By: kcc
  Subscribers: llvm-commits
  Differential Revision: https://reviews.llvm.org/D42932
  llvm-svn: 325050

* [Fuzzer] Use Zircon's public API on Fuchsia
  Petr Hosek, 2018-02-07, 1 file, -31/+43
  The original libFuzzer Fuchsia port relied on convenience libraries, but these are not exported as part of the Fuchsia sysroot. This change eliminates the use of these libraries and relies on the public API only.
  Differential Revision: https://reviews.llvm.org/D42996
  llvm-svn: 324454

* [CMake] Remove -stdlib= which is unused when passing -nostdinc++
  Jonas Hahnfeld, 2018-02-01, 1 file, -0/+2
  This avoids the warnings when building with LLVM_ENABLE_LIBCXX, which automatically adds -stdlib=libc++ to CMAKE_CXX_FLAGS.
  Differential Revision: https://reviews.llvm.org/D42238
  llvm-svn: 323969

* [fuzzer] Update and enable libFuzzer on Fuchsia
  Petr Hosek, 2018-01-30, 1 file, -3/+3
  This change updates the Fuchsia-specific code to use the C++ friendly duration expressions and flips on the building of libclang_rt.fuzzer-x86_64.a and similar for Fuchsia. Given that compiler-rt doesn't build on Fuchsia, tests have been run by explicitly building the library and linking it against lib/fuzzer/tests/FuzzerUnittest.cpp.
  Differential Revision: https://reviews.llvm.org/D42670
  llvm-svn: 323828

* [libFuzzer] Fix sizeof(ptr) bug.
  Matt Morehouse, 2018-01-30, 1 file, -1/+1
  sizeof(const char *) returns 4 or 8 when what we really want is the size of the array.
  llvm-svn: 323802

* Reland "[Fuzzer] Parametrize add_custom_libcxx"
  Petr Hosek, 2018-01-21, 2 files, -11/+11
  add_custom_libcxx uses the just-built compiler and installs the built libc++, e.g. for testing, neither of which is desirable in the case of Fuzzer, where the libc++ should be built using the host compiler and is only linked into libFuzzer and should never be installed. This change introduces additional arguments to add_custom_libcxx to allow parametrizing its behavior.
  Differential Revision: https://reviews.llvm.org/D42330
  llvm-svn: 323054

* Revert "[Fuzzer] Parametrize add_custom_libcxx"
  Petr Hosek, 2018-01-20, 2 files, -8/+7
  This reverts commit r323032: failing on the sanitizer-x86_64-linux-autoconf bot.
  llvm-svn: 323033

* [Fuzzer] Parametrize add_custom_libcxx
  Petr Hosek, 2018-01-20, 2 files, -7/+8
  add_custom_libcxx uses the just-built compiler and installs the built libc++, e.g. for testing, neither of which is desirable in the case of Fuzzer, where the libc++ should be built using the host compiler and is only linked into libFuzzer and should never be installed. This change introduces additional arguments to add_custom_libcxx to allow parametrizing its behavior.
  Differential Revision: https://reviews.llvm.org/D42330
  llvm-svn: 323032

* Reland "[libFuzzer] Support using libc++"
  Petr Hosek, 2018-01-17, 5 files, -15/+67
  This is needed in case the users of libFuzzer use libc++ in their code, which the fuzz target (libFuzzer) will be linked against. When libc++ source is available, we build a private version of it and link it against libFuzzer, which allows using the same static library against codebases which use both libc++ and libstdc++.
  Differential Revision: https://reviews.llvm.org/D37631
  llvm-svn: 322755

* Revert "[libFuzzer] Support using libc++"
  Petr Hosek, 2018-01-17, 5 files, -67/+15
  This reverts commit r322604: test is failing for standalone compiler-rt.
  llvm-svn: 322689