summaryrefslogtreecommitdiffstats
path: root/llvm/lib/Fuzzer
Commit message (Collapse)AuthorAgeFilesLines
* [lib/Fuzzer] make assertions more informative and update comments for the ↵Kostya Serebryany2015-05-302-4/+8
| | | | | | user-supplied mutator llvm-svn: 238658
* [lib/Fuzzer] relax an assertionKostya Serebryany2015-05-291-2/+2
| | | | llvm-svn: 238608
* [lib/Fuzzer] make the fuzzing timeout 1200 seconds by default (was: infinity)Kostya Serebryany2015-05-262-1/+3
| | | | llvm-svn: 238251
* [lib/Fuzzer] fix docsKostya Serebryany2015-05-261-2/+2
| | | | llvm-svn: 238236
* [lib/Fuzzer] fix build with assertionsKostya Serebryany2015-05-262-3/+4
| | | | llvm-svn: 238235
* [lib/Fuzzer] doxygen-ify the comments for the user interfaceKostya Serebryany2015-05-231-13/+22
| | | | llvm-svn: 238086
* [lib/Fuzzer] fully get rid of std::cerr in libFuzzerKostya Serebryany2015-05-233-38/+23
| | | | llvm-svn: 238081
* [lib/Fuzzer] start getting rid of std::cerr. Sadly, these parts of C++ ↵Kostya Serebryany2015-05-234-56/+47
| | | | | | library used in libFuzzer badly interract with the same code used in the target function and also with dfsan. It's easier to just not use std::cerr than to defeat these issues. llvm-svn: 238078
* [lib/Fuzzer] remove -use_coverage_pairs=1, an experimental feature that is ↵Kostya Serebryany2015-05-225-30/+1
| | | | | | unlikely to ever scale llvm-svn: 238063
* [lib/Fuzzer] extend the fuzzer interface to allow user-supplied mutatorsKostya Serebryany2015-05-2212-67/+258
| | | | llvm-svn: 238059
* [lib/Fuzzer] ignore flags that start with --; use git pull --rebase instead ↵Kostya Serebryany2015-05-212-2/+12
| | | | | | of just git pull llvm-svn: 237950
* [lib/Fuzzer] change the meaning of -timeout flag: now timeout is applied to ↵Kostya Serebryany2015-05-196-7/+22
| | | | | | every unit of work separately llvm-svn: 237735
* [lib/Fuzzer] more efficient reload logic; also don't spam git too muchKostya Serebryany2015-05-193-8/+11
| | | | llvm-svn: 237649
* [lib/Fuzzer] when -sync_command=<CMD> is given, periodically execute 'CMD ↵Kostya Serebryany2015-05-186-1/+29
| | | | | | CORPUS' to synchronize with other processes llvm-svn: 237617
* Code cleanup: Reindent Fuzzer::MutateAndTestOne.Logan Chien2015-05-171-2/+2
| | | | llvm-svn: 237533
* [lib/Fuzzer] Add SHA1 implementation from public domain.Kostya Serebryany2015-05-145-38/+225
| | | | | | | | | | | | | | | | | | | | | | | Summary: This adds a SHA1 implementation taken from public domain code. The change is trivial, but as it involves third-party code I'd like a second pair of eyes before commit. LibFuzzer can not use SHA1 from openssl because openssl may not be available and because we may be fuzzing openssl itself. Using sha1sum via a pipe is too slow. Test Plan: n/a Reviewers: chandlerc Reviewed By: chandlerc Subscribers: majnemer, llvm-commits Differential Revision: http://reviews.llvm.org/D9733 llvm-svn: 237400
* [lib/Fuzzer] enable -use_counters=1 by defaultKostya Serebryany2015-05-131-1/+1
| | | | llvm-svn: 237272
* [lib/Fuzzer] A simple script to synchronise a fuzz test corpus with an ↵Kostya Serebryany2015-05-121-0/+17
| | | | | | external git repository. llvm-svn: 237208
* [lib/Fuzzer] use sha1sum for the file hashKostya Serebryany2015-05-121-0/+30
| | | | llvm-svn: 237198
* [lib/Fuzzer] guess the right number of workers if -jobs=N is given but ↵Kostya Serebryany2015-05-124-1/+18
| | | | | | -workers=M is not. Update the docs. llvm-svn: 237163
* [lib/Fuzzer] remove the -dfsan=1 flag, just use -use_traces=1 (w/ or w/o dfsan)Kostya Serebryany2015-05-125-8/+4
| | | | llvm-svn: 237083
* [lib/Fuzzer] detach the pulse thread instad of joining itKostya Serebryany2015-05-121-1/+1
| | | | llvm-svn: 237082
* [lib/Fuzzer] don't record traces when trace collection is offKostya Serebryany2015-05-111-1/+2
| | | | llvm-svn: 237067
* [lib/Fuzzer] when running multiple fuzzing processes, print something every ↵Kostya Serebryany2015-05-111-2/+14
| | | | | | 10 minutes to avoid buildbot timeouts llvm-svn: 237054
* [lib/Fuzzer] rename FuzzerDFSan.cpp to FuzzerTraceState.cpp; update ↵Kostya Serebryany2015-05-114-44/+54
| | | | | | comments. NFC expected llvm-svn: 237050
* [lib/Fuzzer] add a trace-based mutatation logic. Same idea as with ↵Kostya Serebryany2015-05-115-12/+68
| | | | | | DFSan-based mutator, but instead of relying on taint tracking, try to find the data directly in the input. More (logic and comments) to go. llvm-svn: 237043
* [lib/Fuzzer] build tests that work well with dfsan also w/o dfsanKostya Serebryany2015-05-085-10/+12
| | | | llvm-svn: 236909
* [lib/Fuzzer] use -fsanitize-coverage=trace-cmp when building LLVM with ↵Kostya Serebryany2015-05-086-10/+68
| | | | | | LLVM_USE_SANITIZE_COVERAGE; in lib/Fuzzer try to reload the corpus to pick up new units from other processes llvm-svn: 236906
* Update CMake flags, LibFuzzer comments and docs for new -fsanitize-coverage= ↵Alexey Samsonov2015-05-072-3/+2
| | | | | | flags. llvm-svn: 236797
* [lib/Fuzzer] change the way we use taint information for fuzzing. Now, we ↵Kostya Serebryany2015-05-074-49/+84
| | | | | | run a single unit and collect suggested mutations based on tracing+taint data, then apply the suggested mutations one by one. The previous scheme was slower and more complex. llvm-svn: 236772
* [lib/Fuzzer] minor refactoring/simplification, NFCKostya Serebryany2015-05-073-31/+41
| | | | llvm-svn: 236757
* [lib/Fuzzer] add dfsan_weak_hook_memcmp, enable the test that uses it, ↵Kostya Serebryany2015-05-076-17/+35
| | | | | | simplify the test runner llvm-svn: 236683
* [lib/Fuzzer] remove dfsan_fuzzer_abi.list -- its contents are now moved to ↵Kostya Serebryany2015-05-063-17/+2
| | | | | | dfsan proper llvm-svn: 236659
* [lib/Fuzzer] add a fuzzer test for memcmp (does not work yet) Kostya Serebryany2015-05-062-0/+9
| | | | llvm-svn: 236656
* [lib/Fuzzer] rename TestOneInput to LLVMFuzzerTestOneInput to make it more ↵Kostya Serebryany2015-05-0612-15/+15
| | | | | | unique llvm-svn: 236652
* [lib/Fuzzer] on crash print the contents of the crashy input as base64Kostya Serebryany2015-05-053-0/+8
| | | | llvm-svn: 236548
* [lib/Fuzzer] use handle_abort=1 by default so that when assert() fires we ↵Kostya Serebryany2015-05-051-1/+2
| | | | | | save the test case llvm-svn: 236476
* Removing a spurious space; NFC.Aaron Ballman2015-04-061-1/+1
| | | | llvm-svn: 234168
* [fuzzer] document the -tokens flag. Also change the diagnostic outputKostya Serebryany2015-04-011-4/+7
| | | | llvm-svn: 233842
* [fuzzer] Add support for token-based fuzzing (e.g. for C++). Allow string ↵Kostya Serebryany2015-03-3110-58/+422
| | | | | | flags. llvm-svn: 233745
* Move lib/Fuzzer docs from a README.txt to a proper .rst file.Kostya Serebryany2015-03-301-111/+1
| | | | | | | | | | | | | | | | | | Summary: Move lib/Fuzzer docs from a README.txt to a proper .rst file. This change does not add any content, just formatting. Test Plan: n/a Reviewers: samsonov Reviewed By: samsonov Subscribers: llvm-commits Differential Revision: http://reviews.llvm.org/D8710 llvm-svn: 233638
* [fuzzer] when a single unit takes over 1 second to run and it is the slowest ↵Kostya Serebryany2015-03-302-4/+17
| | | | | | one so far, print it. llvm-svn: 233637
* [fuzzer] print various stats in a unified wayKostya Serebryany2015-03-302-21/+25
| | | | llvm-svn: 233624
* DFSan-based fuzzer (proof of concept).Kostya Serebryany2015-03-3011-4/+361
| | | | | | | | | | | | | | | | | | Summary: This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator, see the comments for details. Test Plan: a test added Reviewers: samsonov, pcc Reviewed By: samsonov, pcc Subscribers: llvm-commits Differential Revision: http://reviews.llvm.org/D8669 llvm-svn: 233613
* [sanitizer/coverage] Add AFL-style coverage counters (search heuristic for ↵Kostya Serebryany2015-03-037-1/+43
| | | | | | | | | | | | | | | | | | | | | | | | | fuzzing). Introduce -mllvm -sanitizer-coverage-8bit-counters=1 which adds imprecise thread-unfriendly 8-bit coverage counters. The run-time library maps these 8-bit counters to 8-bit bitsets in the same way AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does: counter values are divided into 8 ranges and based on the counter value one of the bits in the bitset is set. The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+. These counters provide a search heuristic for single-threaded coverage-guided fuzzers, we do not expect them to be useful for other purposes. Depending on the value of -fsanitize-coverage=[123] flag, these counters will be added to the function entry blocks (=1), every basic block (=2), or every edge (=3). Use these counters as an optional search heuristic in the Fuzzer library. Add a test where this heuristic is critical. llvm-svn: 231166
* [fuzzer] one more experimental search mode: -use_coverage_pairs=1 Kostya Serebryany2015-02-207-2/+55
| | | | llvm-svn: 229957
* [fuzzer] split main() into FuzzerDriver() that takes a callback as a ↵Kostya Serebryany2015-02-196-183/+235
| | | | | | parameter and a tiny main() in a separate file llvm-svn: 229882
* [fuzzer] properly annotate fallthrough, add one more entry to FAQKostya Serebryany2015-02-192-1/+7
| | | | llvm-svn: 229880
* [fuzzer] move default sanitizer options to a separate fileKostya Serebryany2015-02-063-7/+19
| | | | llvm-svn: 228429
* [fuzzer] add flag prefer_small_during_initial_shuffle, be a bit more verboseKostya Serebryany2015-02-044-6/+32
| | | | llvm-svn: 228235
OpenPOWER on IntegriCloud