summaryrefslogtreecommitdiffstats
path: root/compiler-rt/lib/fuzzer
Commit message (Collapse)AuthorAgeFilesLines
...
* [libFuzzer] Support using libc++Petr Hosek2018-01-175-15/+67
| | | | | | | | | | | | This is needed in case the users of libFuzzer use libc++ in their code, which the fuzz target (libFuzzer) will be linked against. When libc++ source is available, we build a private version of it and link it against libFuzzer which allows using the same static library against codebases which use both libc++ and libstdc++. Differential Revision: https://reviews.llvm.org/D37631 llvm-svn: 322604
* Switch from Bourne shell to simply base shell to build libfuzzerKamil Rytarowski2018-01-121-1/+1
| | | | | | | | | | | | | | Summary: It is not necessary launching the build script with bash. Reviewers: krytarowski Reviewed By: krytarowski Subscribers: llvm-commits, #sanitizers Differential Revision: https://reviews.llvm.org/D42008 llvm-svn: 322422
* lib Fuzzer FreeBSD supportKamil Rytarowski2018-01-128-11/+31
| | | | | | | | | | | | | | Summary: Patch by David CARLIER Reviewers: vitalybuka, kcc, dim, emaste, davide, morehouse, george.karpenkov Reviewed By: morehouse Subscribers: george.karpenkov, kubamracek, srhines, mgorny, emaste, krytarowski Differential Revision: https://reviews.llvm.org/D41642 llvm-svn: 322380
* [libfuzzer] Fix UB when calculating Log(0) in StackDepthStepFunction().Max Moroz2017-12-201-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Summary: __builtin_clz used for Log calculation returns an undefined result when argument is 0. I noticed that issue when was testing some fuzzers: ``` /src/libfuzzer/FuzzerTracePC.h:282:33: runtime error: shift exponent 450349 is too large for 32-bit type 'uint32_t' (aka 'unsigned int') #0 0x43d83f in operator() /src/libfuzzer/FuzzerTracePC.h:283:33 #1 0x43d83f in void fuzzer::TracePC::CollectFeatures<fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*)::$_1>(fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*)::$_1) const /src/libfuzzer/FuzzerTracePC.h:290 #2 0x43cbd4 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:445:7 #3 0x43e5f1 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:706:5 #4 0x43e9e1 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:739:3 #5 0x432f8c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:754:6 #6 0x42ee18 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #7 0x7f17ffeb182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #8 0x407838 in _start (/out/rotate_fuzzer+0x407838) Reviewers: kcc Reviewed By: kcc Subscribers: llvm-commits, #sanitizers Differential Revision: https://reviews.llvm.org/D41457 llvm-svn: 321211
* [libFuzzer] Add dummy call of LLVMFuzzerTestOneInput to afl_driver.Matt Morehouse2017-12-131-1/+7
| | | | | | | | | | | | | | | | | | | | Summary: Add dummy call of LLVMFuzzerTestOneInput to afl_driver before it starts executing on actual inputs. Do this so that first time initialization performed by LLVMFuzzerTestOneInput is not considered code covered by a particular input. Patch By: metzman Reviewers: kcc, morehouse Reviewed By: kcc Subscribers: llvm-commits, Sanitizers Differential Revision: https://reviews.llvm.org/D41193 llvm-svn: 320643
* [libFuzzer] change the strategy for -experimental_len_control to grow ↵Kostya Serebryany2017-12-124-11/+7
| | | | | | max_len slower llvm-svn: 320531
* [libFuzzer] even less aggressive step function for stack depth. Also don't ↵Kostya Serebryany2017-12-091-1/+12
| | | | | | use asan in one test to speed it up llvm-svn: 320259
* [libFuzzer] make the stack depth signal less agressive, otherwise we are ↵Kostya Serebryany2017-12-091-1/+1
| | | | | | sometimes exploding the corpus size. This still needs more analysis and tuning llvm-svn: 320237
* [libFuzzer] Add support for Fuchsia OS.Matt Morehouse2017-12-086-2/+279
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Summary: This patch adds the initial support for Fuchsia. - LIBFUZZER_FUCHSIA is added as an OS type in FuzzerDefs.h - Fuchsia is, by design, not POSIX compliant. However, it does use ELF and supports common POSIX I/O functions. Thus, FuzzerExtFunctions.h and FuzzerIO.h are implemented by extending the header guards in FuzzerExtFunctionsWeak.cpp and FuzzerIOPosix.cpp to include LIBFUZZER_FUCHSIA. - The platform-specific portions of FuzzerUtil.h are implemented by FuzzerUtilFuchsia.cpp, which makes use of exception ports, syscalls, and the launchpad library. - The experimental equivalence server is not currently supported, so FuzzerShmem.h is implemented by stub methods in FuzzerShmemFuchsia.cpp. Any future implementation will likely involve VMOs. Tested with ASAN/SanCov on Fuchsia/x86-64 with the canonical toy fuzzer. Patch By: aarongreen Reviewers: kcc, morehouse, flowerhack, phosek Reviewed By: kcc, phosek, Eugene.Zelenko Subscribers: srhines, mgorny, Eugene.Zelenko Differential Revision: https://reviews.llvm.org/D40974 llvm-svn: 320210
* [libFuzzer] honor -use_counters, sligntly change the meaning of ↵Kostya Serebryany2017-12-083-8/+18
| | | | | | -experimental_len_control, call UpdateFeatureFrequency only if instructed by the flag llvm-svn: 320205
* [libFuzzer] Decrease stack usage in unit testsKostya Serebryany2017-12-061-26/+26
| | | | | | | | | | | | Summary: With 3 Dictionary objects, each containing space of ~16k DictionaryEntry objects, the MutationDispatcher object is fairly memory heavy. On platforms with a lower default stack size, this can cause panics in FuzzerUnittest as those tests stack-allocate the MutationDispatcher. This may be especially problematic for platforms that do not (yet) have a way to programmatically change their stack size, aside from link-time flags. In general, it seems more prudent to use the heap for an object of this size. Reviewers: kcc, morehouse Reviewed By: kcc Differential Revision: https://reviews.llvm.org/D40926 llvm-svn: 319988
* [libFuzzer] fix a minor regression in printingKostya Serebryany2017-12-061-1/+1
| | | | llvm-svn: 319975
* [libFuzzer] Make redirects happen in proper sequence.Matt Morehouse2017-12-052-3/+3
| | | | | | | "> file" must come before "2>&1" to have redirection occur correctly in all cases. Fixes a regression on minimize_two_crashes.test. llvm-svn: 319792
* [libFuzzer] Remove const from ignoreRemainingArgs return value.Matt Morehouse2017-12-041-2/+2
| | | | | | In this case const does nothing but trigger a warning. llvm-svn: 319685
* [libFuzzer] Remove FuzzerCommand.cpp from build sources.Matt Morehouse2017-12-041-1/+0
| | | | | | | FuzzerCommand.cpp was not introduced in r319680. Instead, it was implemented in the header file. llvm-svn: 319682
* [libFuzzer] Encapsulate commands in a class.Matt Morehouse2017-12-049-43/+400
| | | | | | | | | | | | | | | | | | | | | Summary: To be more portable (especially w.r.t. platforms without system()), commands should be managed programmatically rather than via string manipulation on the command line. This change introduces Fuzzer::Command, with methods to manage arguments and flags, set output options, and execute the command. Patch By: aarongreen Reviewers: kcc, morehouse Reviewed By: kcc, morehouse Subscribers: llvm-commits, mgorny Differential Revision: https://reviews.llvm.org/D40103 llvm-svn: 319680
* [libFuzzer] add a flag -malloc_limit_mbKostya Serebryany2017-12-014-1/+8
| | | | llvm-svn: 319590
* [libFuzzer] remove stale flags; NFCKostya Serebryany2017-12-014-13/+0
| | | | llvm-svn: 319572
* [libFuzzer] add an experimental search heuristic flag -reduce_depthKostya Serebryany2017-12-015-5/+18
| | | | llvm-svn: 319571
* [LibFuzzer] Improve comments on `CounterToFeature()` function.Dan Liew2017-11-281-1/+12
| | | | | | | | | | | | This is based on discussion in https://reviews.llvm.org/D40376 . The comments try to explain the reason for the current implementation and note that it might change in the future, so clients should not rely on this particular implementation. Differential Revision: https://reviews.llvm.org/D40565 llvm-svn: 319190
* [fuzzer] Initialize PcDescr buffer before calling __sanitizer_symbolize_pcVitaly Buka2017-11-171-1/+1
| | | | | | | __sanitizer_symbolize_pc is not instrumented so msan assumes that PcDescr was not initialized. llvm-svn: 318488
* libfuzzer: Fix file listing on some filesystemsKostya Serebryany2017-11-151-2/+12
| | | | | | | | | | | | | | | | | Summary: For some filesystems, readdir will not populate dirent::d_type with valuable information. This causes libfuzzer to proceed with an empty corpus, instead of the file it contains. This has been tested on a server using XFS. It should fix https://bugs.llvm.org//show_bug.cgi?id=25991 Reviewers: kcc Reviewed By: kcc Differential Revision: https://reviews.llvm.org/D40028 llvm-svn: 318303
* [libFuzzer] respect max_len during mergeKostya Serebryany2017-11-151-1/+1
| | | | llvm-svn: 318302
* [libFuzzer] make sure to flush IO when done merging one fileKostya Serebryany2017-11-091-0/+1
| | | | llvm-svn: 317835
* [libFuzzer] Don't add leaking inputs to corpus.Matt Morehouse2017-11-091-2/+3
| | | | | | | | | | | | Reviewers: kcc Reviewed By: kcc Subscribers: llvm-commits Differential Revision: https://reviews.llvm.org/D39850 llvm-svn: 317831
* [libFuzzer] handle SIGUSR1/SIGUSR2 and try to exit grafully on these signalsKostya Serebryany2017-11-097-0/+34
| | | | llvm-svn: 317829
* [libFuzzer] allow merge to resume after being preempted Kostya Serebryany2017-11-092-25/+61
| | | | llvm-svn: 317767
* [libFuzzer] allow user to specify the merge control fileKostya Serebryany2017-11-094-18/+30
| | | | llvm-svn: 317747
* [fuzzer] Fix nested mallocsVitaly Buka2017-11-021-3/+26
| | | | | | | | | | | | Summary: Nested mallocs are possible with internal symbolizer. Reviewers: kcc Subscribers: llvm-commits Differential Revision: https://reviews.llvm.org/D39397 llvm-svn: 317186
* [fuzzer] Script to detect unbalanced allocation in -trace_malloc outputVitaly Buka2017-11-011-0/+93
| | | | | | | | | | Reviewers: kcc Subscribers: llvm-commits Differential Revision: https://reviews.llvm.org/D39466 llvm-svn: 317119
* [fuzzer] Fix threaded stack printingVitaly Buka2017-11-011-0/+5
| | | | | | | | | | Reviewers: kcc Subscribers: llvm-commits Differential Revision: https://reviews.llvm.org/D39397 llvm-svn: 317071
* Revert "[fuzzer] Fix threaded stack printing and nested mallocs"Vitaly Buka2017-11-012-112/+0
| | | | | | | | | | | Fails on darwin Revert "[fuzzer] Script to detect unbalanced allocation in -trace_malloc output" Needs previous one. This reverts commit r317034, r317036. llvm-svn: 317061
* [fuzzer] Script to detect unbalanced allocation in -trace_malloc outputVitaly Buka2017-10-311-0/+93
| | | | | | | | | | Reviewers: kcc Subscribers: llvm-commits Differential Revision: https://reviews.llvm.org/D39466 llvm-svn: 317036
* [fuzzer] Fix threaded stack printing and nested mallocsVitaly Buka2017-10-311-0/+19
| | | | | | | | | | | | Summary: Nested mallocs are possible with internal symbolizer. Reviewers: kcc Subscribers: llvm-commits Differential Revision: https://reviews.llvm.org/D39397 llvm-svn: 317034
* [Sanitizers-libFuzzer] Addressing coding style issues.Alex Shlyapnikov2017-10-231-37/+44
| | | | | | | | | | | | Summary: The result of clang-format and few manual changes (as prompted on D39155). Reviewers: vitalybuka Subscribers: llvm-commits Differential Revision: https://reviews.llvm.org/D39211 llvm-svn: 316395
* [libFuzzer] Periodically purge allocator's quarantine to prolong fuzzing ↵Alex Shlyapnikov2017-10-236-1/+32
| | | | | | | | | | | | | | | | | | | | | sessions. Summary: Fuzzing targets that allocate/deallocate a lot of memory tend to consume a lot of RSS when ASan quarantine is enabled. Purging quarantine between iterations and returning memory to OS keeps RSS down and should not reduce the quarantine effectiveness provided the fuzz target does not preserve state between iterations (in this case this feature can be turned off). Based on D39153. Reviewers: vitalybuka Subscribers: llvm-commits Differential Revision: https://reviews.llvm.org/D39155 llvm-svn: 316382
* [libFuzzer] print a better warning if we hit the ld bugKostya Serebryany2017-10-141-3/+5
| | | | llvm-svn: 315778
* [Sanitizers] Always build libFuzzer with frame pointers.Alex Shlyapnikov2017-10-131-0/+2
| | | | | | | Lacking frame pointers, sanitized fuzzers collect bogus stack traces and the set of stack traces grows indefinitely, leading to OOMs. llvm-svn: 315770
* [libFuzzer] tweam use_feature_frequency to be less aggressive; run a dummy ↵Kostya Serebryany2017-10-132-6/+21
| | | | | | input before the seed corpus llvm-svn: 315657
* [libFuzzer] disable use_feature_frequency as it degrades some of the ↵Kostya Serebryany2017-10-111-1/+1
| | | | | | benchmarks too much :( llvm-svn: 315503
* [libFuzzer] make -use_feature_frequency less aggressive and enable by defaultKostya Serebryany2017-10-112-3/+2
| | | | llvm-svn: 315490
* [libFuzzer] experimental flag to tweak the corpus distribution. Seems to ↵Kostya Serebryany2017-10-115-9/+29
| | | | | | improve the situation dramatically on the png benchmark and make things worse on a number of micro-puzzles. Needs more A/B testing llvm-svn: 315407
* [libFuzzer] Disable experimental clang coverage support by default.Max Moroz2017-10-055-1/+8
| | | | | | | | | | | | | | | | | Summary: It can be enabled via "-use_clang_coverage=1" flag. Reason for disabling: libFuzzer resets Clang Counters and makes it impossible to generate coverage report for a regular fuzz target (i.e. not standalone build). Reviewers: kcc Reviewed By: kcc Subscribers: kcc Differential Revision: https://reviews.llvm.org/D38604 llvm-svn: 315029
* [libFuzzer] minor refactoring, NFCKostya Serebryany2017-09-153-7/+4
| | | | llvm-svn: 313406
* [libFuzzer] reduce the size of the merge control file by not dumping ↵Kostya Serebryany2017-09-151-9/+17
| | | | | | redundant features into it llvm-svn: 313403
* [libFuzzer] factor out some code into GetSizedFilesFromDir; NFCKostya Serebryany2017-09-123-19/+31
| | | | llvm-svn: 313081
* [libfuzzer] Compare TotalNumberOfRuns with MaxNumberOfRuns when testing a ↵Max Moroz2017-09-121-0/+2
| | | | | | | | | | | | | | | | | | | memory leak. Summary: Fuzzer::TryDetectingAMemoryLeak may call ExecuteCallback which would increment TotalNumberOfRuns, but it doesn't respect Options.MaxNumberOfRuns value specified by a user. Context: https://github.com/google/oss-fuzz/issues/822#issuecomment-328153970 Reviewers: kcc Reviewed By: kcc Differential Revision: https://reviews.llvm.org/D37632 llvm-svn: 312993
* [libFuzzer] remove a couple of reduntant includesKostya Serebryany2017-09-092-2/+0
| | | | llvm-svn: 312848
* [libFuzzer] tolerate missing files when loading the seed corpusKostya Serebryany2017-08-311-1/+1
| | | | llvm-svn: 312269
* Add preliminary NetBSD support in libfuzzerKamil Rytarowski2017-08-305-7/+21
| | | | | | | | | | | | | | | | | | | | | | | | | Summary: This code already works and passes some number of tests. There is need to finish remaining sanitizers to get better coverage. Many tests fail due to overly long file names of executables (>31). This is a current shortcoming of the NetBSD 8(beta) kernel, as certain functions can fail (like retrieving file name of executable). Sponsored by <The NetBSD Foundation> Reviewers: joerg, kcc, vitalybuka, george.karpenkov Reviewed By: kcc Subscribers: mgorny, llvm-commits, #sanitizers Tags: #sanitizers Differential Revision: https://reviews.llvm.org/D37304 llvm-svn: 312183
OpenPOWER on IntegriCloud