summaryrefslogtreecommitdiff
path: root/lib/fuzzer/FuzzerDriver.cpp
Commit message (Collapse)AuthorAgeFilesLines
* [libFuzzer] Remove lazy counters.Matt Morehouse2019-10-011-1/+0
| | | | | | | | | | | | | | | | Summary: Lazy counters haven't improved performance for large fuzz targets. Reviewers: kcc Reviewed By: kcc Subscribers: llvm-commits Tags: #llvm Differential Revision: https://reviews.llvm.org/D67476 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@373403 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] implement a better queue for the fork mode. Add an internal flag ↵Kostya Serebryany2019-06-141-0/+2
| | | | | | -stop_file to allow graceful shutdown of fuzzing. Enhance the logging in the fork mode git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@363470 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Disable len_control by default if LLVMFuzzerCustomMutator is used.Max Moroz2019-06-141-2/+8
| | | | | | | | | | | | | | | | | | | | | | Summary: Some custom mutators may not peform well when size restriction is enforced by len_control. Because of that, it's safer to disable len_control by default in such cases, but still allow users to enable it manually. Bug example: https://bugs.chromium.org/p/chromium/issues/detail?id=919530. Tested manually with LPM-based and regular fuzz targets. Reviewers: kcc, vitalybuka, metzman Reviewed By: kcc, metzman Subscribers: delcypher, #sanitizers, llvm-commits Tags: #llvm, #sanitizers Differential Revision: https://reviews.llvm.org/D63334 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@363443 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] automatically collect the data flow trace (DFT) in the fork mode ↵Kostya Serebryany2019-05-231-1/+3
| | | | | | if -collect_data_flow= is given git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@361448 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] code refactoring; NFCKostya Serebryany2019-05-101-9/+29
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@360400 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] small refactoring in the driver; dummy implementation of ↵Kostya Serebryany2019-05-101-21/+29
| | | | | | collect_data_flow; attempt to fix the windows bot git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@360399 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Replace -seed_corpus to better support fork mode on WinJonathan Metzman2019-04-301-7/+16
| | | | | | | | | | | | | | | | | | Summary: Pass seed corpus list in a file to get around argument length limits on Windows. This limit was preventing many uses of fork mode on Windows. Reviewers: kcc, morehouse Reviewed By: kcc Subscribers: #sanitizers, llvm-commits Tags: #sanitizers, #llvm Differential Revision: https://reviews.llvm.org/D60980 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@359610 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] add -features_dir= flag to dump unique input features on diskKostya Serebryany2019-04-131-0/+2
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@358317 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] form mode: add -ignore_crashes flag, honor the max_total_time ↵Kostya Serebryany2019-02-151-0/+1
| | | | | | flag, print the number of ooms/timeouts/crashes, fix a typo git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@354175 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] when doing the merge, keep track of the coveraged edges, not ↵Kostya Serebryany2019-02-151-2/+2
| | | | | | just features git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@354087 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] add threads to the fork mode: now you can pass -fork=N to run N ↵Kostya Serebryany2019-02-141-1/+1
| | | | | | concurrent workers. Fork mode is still work-in-progress. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353997 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] move the implementation of the fork mode into a separate fileKostya Serebryany2019-02-121-92/+3
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353891 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] make the fork mode less verboseKostya Serebryany2019-02-121-8/+14
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353794 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] teach the fork mode to ignore OOMs and timeoutsKostya Serebryany2019-02-121-0/+8
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353792 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] extend the -fork=1 functionality. Still not fully usable, but ↵Kostya Serebryany2019-02-121-18/+48
| | | | | | good enough for the first unit test git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353775 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] more refactoring; change some of the exit codes (timeout, OOM, ↵Kostya Serebryany2019-02-091-9/+19
| | | | | | interrupt) so that the parent process can distinguish those git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353584 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] refactor the merging code, NFCKostya Serebryany2019-02-081-18/+36
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353576 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] remove two unused experimental flagsKostya Serebryany2019-02-081-5/+2
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353573 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] introduce an experimental mode -fork=1, where fuzzing happens in ↵Kostya Serebryany2019-02-081-10/+58
| | | | | | a subprocess (still running multiple inputs per process), thus making the fuzzing more resilient to timeouts and OOMs. This is just a skeleton of the code, and some associated refactoring, not a fully working feature yet. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353570 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] refactor the way we choose the element to cross-over with, NFC ↵Kostya Serebryany2019-02-081-1/+13
| | | | | | (expected1); add a flag -seed_inputs= to pass extra seed inputs as file paths, not dirs git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353494 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] set libFuzzer's own SEGV handler even one is already present, ↵Kostya Serebryany2019-01-311-3/+1
| | | | | | but call that handler from ours (unless we are unprotecting lazy counters). Call ProtectLazyCounters later, so that it runs after the initialization code in the target. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@352713 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] experimental performance optimization -lazy_counters, off by ↵Kostya Serebryany2019-01-311-0/+3
| | | | | | default. Posix-only for now, tested on Linux git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@352700 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] remove stale code, NFCKostya Serebryany2019-01-301-29/+0
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@352604 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] remove stale code Kostya Serebryany2019-01-291-1/+0
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@352571 91177308-0d34-0410-b5e6-96231b3b80d8
* Update the file headers across all of the LLVM projects in the monorepoChandler Carruth2019-01-191-4/+3
| | | | | | | | | | | | | | | | | to reflect the new license. We understand that people may be surprised that we're moving the header entirely to discuss the new license. We checked this carefully with the Foundation's lawyer and we believe this is the correct approach. Essentially, all code in the project is now made available by the LLVM project under our new license, so you will see that the license headers include that license only. Some of our contributors have contributed code under our old license, and accordingly, we have retained a copy of our old license notice in the top-level files in each project and repository. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@351636 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer][MSVC] Make attribute-use compatible with MSVCJonathan Metzman2019-01-171-0/+5
| | | | | | | | | | | | | | Summary: Replace attributes with macros that use equivalent declspecs for MSVC. Reviewers: vitalybuka Reviewed By: vitalybuka Differential Revision: https://reviews.llvm.org/D56512 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@351456 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Remove unstable edge handlingJonathan Metzman2019-01-151-4/+0
| | | | | | | | | | Summary: Remove code for handling unstable edges from libFuzzer since it has not been found useful. Differential Revision: https://reviews.llvm.org/D56730 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@351262 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Remove mutation stats and weighted mutation selection.Max Moroz2018-08-291-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Summary: This was an experimental feature. After evaluating it with: 1) https://github.com/google/fuzzer-test-suite/tree/master/engine-comparison 2) enabling on real world fuzz targets running at ClusterFuzz and OSS-Fuzz The following conclusions were made: 1) With fuzz targets that have reached a code coverage plateau, the feature does not improve libFuzzer's ability to discover new coverage and may actually negatively impact it. 2) With fuzz targets that have not yet reached a code coverage plateau, the feature might speed up new units discovery in some cases, but it is quite rare and hard to confirm with a high level on confidence. Revert of https://reviews.llvm.org/D48054 and https://reviews.llvm.org/D49621. Reviewers: metzman, morehouse Reviewed By: metzman, morehouse Subscribers: delcypher, #sanitizers, llvm-commits, kcc Differential Revision: https://reviews.llvm.org/D51455 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@340976 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Initial implementation of weighted mutation leveraging during ↵Max Moroz2018-08-021-0/+1
| | | | | | | | | | | | | | | | | | | | | runtime. Summary: Added functions that calculate stats while fuzz targets are running and give mutations weight based on how much new coverage they provide, and choose better performing mutations more often. Patch by Kodé Williams (@kodewilliams). Reviewers: Dor1s, metzman, morehouse Reviewed By: Dor1s, morehouse Subscribers: delcypher, kcc, llvm-commits, #sanitizers Differential Revision: https://reviews.llvm.org/D49621 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@338776 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Handle unstable edges by disregarding unstable edgesMax Moroz2018-07-241-1/+2
| | | | | | | | | | | | | | | | | | | | Summary: Added a new mode within flag -handle_unstable for new unstable handling algorithm that does the following: When an edge is shown as unstable, copy to UnstableCounters the value 0. During ApplyUnstableCounters we copy back the value 0 to ModuleInline8bitCounters if the edge was unstable. This way we would be ignoring completely features that were collected through non-determinism. Unstable hits would be counted as if it never hit. Reviewers: metzman, Dor1s, kcc, morehouse Reviewed By: metzman, morehouse Subscribers: delcypher, llvm-commits, #sanitizers Differential Revision: https://reviews.llvm.org/D49684 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@337853 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Handle unstable edges by using minimum hit countsMax Moroz2018-07-231-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | Summary: Created unstable_handle flag that takes 1 or 2, depending on the handling type. Modified RunOne to accommodate the following heuristic: Use the first CollectFeatures to count how many features there are. If no new features, CollectFeatures like before. If there is new feature, we run CB 2 more times, Check which edges are unstable per input and we store the least amount of hit counts for each edge. Apply these hit counts back to inline8bitcounters so that CollectFeatures can work as intended. Modified UnstableCounters to 8int_t and created a bitset UnstableSet to tell which edges are unstable. Patch by Kyungtak Woo (@kevinwkt). Reviewers: Dor1s, metzman, morehouse Reviewed By: Dor1s, morehouse Subscribers: delcypher, #sanitizers, llvm-commits, kcc Differential Revision: https://reviews.llvm.org/D49525 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@337696 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Mutation tracking and logging implemented.Max Moroz2018-07-171-0/+1
| | | | | | | | | | | | | | | | | | | Summary: Code now exists to track number of mutations that are used in fuzzing in total and ones that produce new coverage. The stats are currently being dumped to the command line. Patch by Kodé Williams (@kodewilliams). Reviewers: metzman, Dor1s, morehouse, kcc Reviewed By: Dor1s, morehouse, kcc Subscribers: delcypher, kubamracek, kcc, morehouse, llvm-commits, #sanitizers, mgorny Differential Revision: https://reviews.llvm.org/D48054 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@337324 91177308-0d34-0410-b5e6-96231b3b80d8
* Revert r337194 (https://reviews.llvm.org/D48891) due to compilation errors.Max Moroz2018-07-161-1/+0
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@337206 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Mutation tracking and logging implemented.Max Moroz2018-07-161-0/+1
| | | | | | | | | | | | | | | | | | | Summary: Code now exists to track number of mutations that are used in fuzzing in total and ones that produce new coverage. The stats are currently being dumped to the command line. Patch by Kodé Williams (@kodewilliams). Reviewers: metzman, Dor1s, morehouse, kcc Reviewed By: Dor1s, morehouse, kcc Subscribers: delcypher, kubamracek, kcc, morehouse, llvm-commits, #sanitizers, mgorny Differential Revision: https://reviews.llvm.org/D48054 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@337194 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Implement stat::stability_rate based on the percentage of ↵Max Moroz2018-07-161-0/+1
| | | | | | | | | | | | | | | | | | | | | unstable edges. Summary: Created a -print_unstable_stats flag. When -print_unstable_stats=1, we run it 2 more times on interesting inputs poisoning unstable edges in an array. On program termination, we run PrintUnstableStats() which will print a line with a stability percentage like AFL does. Patch by Kyungtak Woo (@kevinwkt). Reviewers: metzman, Dor1s, kcc, morehouse Reviewed By: metzman, Dor1s, morehouse Subscribers: delcypher, llvm-commits, #sanitizers, kcc, morehouse, Dor1s Differential Revision: https://reviews.llvm.org/D49212 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@337187 91177308-0d34-0410-b5e6-96231b3b80d8
* Revert r337175 (https://reviews.llvm.org/D49212) due to unintentional format ↵Max Moroz2018-07-161-6/+5
| | | | | | changes. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@337180 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Implement stat::stability_rate based on the percentage of ↵Max Moroz2018-07-161-5/+6
| | | | | | | | | | | | | | | | | | | | | unstable edges. Summary: Created a -print_unstable_stats flag. When -print_unstable_stats=1, we run it 2 more times on interesting inputs poisoning unstable edges in an array. On program termination, we run PrintUnstableStats() which will print a line with a stability percentage like AFL does. Patch by Kyungtak Woo (@kevinwkt). Reviewers: metzman, Dor1s, kcc, morehouse Reviewed By: metzman, Dor1s, morehouse Subscribers: delcypher, llvm-commits, #sanitizers, kcc, morehouse, Dor1s Differential Revision: https://reviews.llvm.org/D49212 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@337175 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Make -fsanitize=memory,fuzzer work.Matt Morehouse2018-07-091-0/+2
| | | | | | | | | | | This patch allows libFuzzer to fuzz applications instrumented with MSan without recompiling libFuzzer with MSan instrumentation. Fixes https://github.com/google/sanitizers/issues/958. Differential Revision: https://reviews.llvm.org/D48891 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@336619 91177308-0d34-0410-b5e6-96231b3b80d8
* Revert "[libFuzzer] Mutation tracking and logging implemented"Matt Morehouse2018-07-091-1/+0
| | | | | | This reverts r336597 due to bot breakage. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@336616 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Mutation tracking and logging implementedMatt Morehouse2018-07-091-0/+1
| | | | | | | | | | | | Code now exists to track number of mutations that are used in fuzzing in total and ones that produce new coverage. The stats are currently being dumped to the command line. Patch By: Kode Williams Differntial Revision: https://reviews.llvm.org/D48054 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@336597 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] remove an experimental flag -use_feature_frequencyKostya Serebryany2018-06-061-1/+0
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@334146 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] initial implementation of -data_flow_trace. It parses the data ↵Kostya Serebryany2018-06-061-0/+2
| | | | | | flow trace and prints the summary, but doesn't use the information in any other way yet git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@334058 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] reinstate -dump_coverage, which is still in use (reverts r332036)Kostya Serebryany2018-05-211-0/+1
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@332876 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] add an experimental flag -focus_function: libFuzzer will try to ↵Kostya Serebryany2018-05-161-0/+2
| | | | | | focus on inputs that trigger that function git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@332554 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] deprecate equivalence_serverKostya Serebryany2018-05-151-0/+2
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@332316 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] remove the dump_coverage flag, it hasn't been working with the ↵Kostya Serebryany2018-05-101-1/+0
| | | | | | inline sanitizer coverage anyway git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@332036 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] remove the experimental support for clang coverage ↵Kostya Serebryany2018-05-101-1/+0
| | | | | | instrumentation. This mode has not been used and our experiments with https://github.com/google/fuzzer-test-suite show that this signal is weaker than the SanitizerCoverage git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@332034 91177308-0d34-0410-b5e6-96231b3b80d8
* fix some user facing typos / in the commentsSylvestre Ledru2018-03-131-1/+1
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@327402 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Set -experimental_len_control=1000 as default.Matt Morehouse2018-02-131-1/+1
| | | | | | | | | | | | | | | | | | | | Summary: Experiments using https://github.com/google/fuzzer-test-suite/tree/master/engine-comparison show a significant increase in coverage and reduction in corpus size with this option enabled. Addresses https://llvm.org/pr36371. Reviewers: kcc Reviewed By: kcc Subscribers: llvm-commits Differential Revision: https://reviews.llvm.org/D42932 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@325050 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] fix a minor regression in printingKostya Serebryany2017-12-061-1/+1
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@319975 91177308-0d34-0410-b5e6-96231b3b80d8
View Lorry Controller Status