summaryrefslogtreecommitdiff
path: root/lib/fuzzer/FuzzerMerge.cpp
Commit message (Collapse)AuthorAgeFilesLines
* [libFuzzer] Make -merge=1 to reuse coverage information from the control file.Max Moroz2019-09-111-19/+54
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Summary: This change allows to perform corpus merging in two steps. This is useful when the user wants to address the following two points simultaneously: 1) Get trustworthy incremental stats for the coverage and corpus size changes when adding new corpus units. 2) Make sure the shorter units will be preferred when two or more units give the same unique signal (equivalent to the `REDUCE` logic). This solution was brainstormed together with @kcc, hopefully it looks good to the other people too. The proposed use case scenario: 1) We have a `fuzz_target` binary and `existing_corpus` directory. 2) We do fuzzing and write new units into the `new_corpus` directory. 3) We want to merge the new corpus into the existing corpus and satisfy the points mentioned above. 4) We create an empty directory `merged_corpus` and run the first merge step: ` ./fuzz_target -merge=1 -merge_control_file=MCF ./merged_corpus ./existing_corpus ` this provides the initial stats for `existing_corpus`, e.g. from the output: ` MERGE-OUTER: 3 new files with 11 new features added; 11 new coverage edges ` 5) We recreate `merged_corpus` directory and run the second merge step: ` ./fuzz_target -merge=1 -merge_control_file=MCF ./merged_corpus ./existing_corpus ./new_corpus ` this provides the final stats for the merged corpus, e.g. from the output: ` MERGE-OUTER: 6 new files with 14 new features added; 14 new coverage edges ` Alternative solutions to this approach are: A) Store precise coverage information for every unit (not only unique signal). B) Execute the same two steps without reusing the control file. Either of these would be suboptimal as it would impose an extra disk or CPU load respectively, which is bad given the quadratic complexity in the worst case. Tested on Linux, Mac, Windows. Reviewers: morehouse, metzman, hctim, kcc Reviewed By: morehouse Subscribers: JDevlieghere, delcypher, mgrang, #sanitizers, llvm-commits, kcc Tags: #llvm, #sanitizers Differential Revision: https://reviews.llvm.org/D66107 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@371620 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Merge: print feature coverage number as well.Max Moroz2019-08-121-3/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Summary: feature coverage is a useful signal that is available during the merge process, but was not printed previously. Output example: ``` $ ./fuzzer -use_value_profile=1 -merge=1 new_corpus/ seed_corpus/ INFO: Seed: 1676551929 INFO: Loaded 1 modules (2380 inline 8-bit counters): 2380 [0x90d180, 0x90dacc), INFO: Loaded 1 PC tables (2380 PCs): 2380 [0x684018,0x68d4d8), MERGE-OUTER: 180 files, 78 in the initial corpus MERGE-OUTER: attempt 1 INFO: Seed: 1676574577 INFO: Loaded 1 modules (2380 inline 8-bit counters): 2380 [0x90d180, 0x90dacc), INFO: Loaded 1 PC tables (2380 PCs): 2380 [0x684018,0x68d4d8), INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048576 bytes MERGE-INNER: using the control file '/tmp/libFuzzerTemp.111754.txt' MERGE-INNER: 180 total files; 0 processed earlier; will process 180 files now #1 pulse cov: 134 ft: 330 exec/s: 0 rss: 37Mb #2 pulse cov: 142 ft: 462 exec/s: 0 rss: 38Mb #4 pulse cov: 152 ft: 651 exec/s: 0 rss: 38Mb #8 pulse cov: 152 ft: 943 exec/s: 0 rss: 38Mb #16 pulse cov: 520 ft: 2783 exec/s: 0 rss: 39Mb #32 pulse cov: 552 ft: 3280 exec/s: 0 rss: 41Mb #64 pulse cov: 576 ft: 3641 exec/s: 0 rss: 50Mb #78 LOADED cov: 602 ft: 3936 exec/s: 0 rss: 88Mb #128 pulse cov: 611 ft: 3996 exec/s: 0 rss: 93Mb #180 DONE cov: 611 ft: 4016 exec/s: 0 rss: 155Mb MERGE-OUTER: succesfull in 1 attempt(s) MERGE-OUTER: the control file has 39741 bytes MERGE-OUTER: consumed 0Mb (37Mb rss) to parse the control file MERGE-OUTER: 9 new files with 80 new features added; 9 new coverage edges ``` Reviewers: hctim, morehouse Reviewed By: morehouse Subscribers: delcypher, #sanitizers, llvm-commits, kcc Tags: #llvm, #sanitizers Differential Revision: https://reviews.llvm.org/D66030 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@368617 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Merge: print stats after reading the output corpus dir.Max Moroz2019-08-091-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | Summary: The purpose is to be able to extract the number of new edges added to the original (i.e. output) corpus directory after doing the merge. Use case example: in ClusterFuzz, we do merge after every fuzzing session, to avoid uploading too many corpus files, and we also record coverage stats at that point. Having a separate line indicating stats after reading the initial output corpus directory would make the stats extraction easier for both humans and parsing scripts. Context: https://github.com/google/clusterfuzz/issues/802. Reviewers: morehouse, hctim Reviewed By: hctim Subscribers: delcypher, #sanitizers, llvm-commits, kcc Tags: #llvm, #sanitizers Differential Revision: https://reviews.llvm.org/D66020 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@368461 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] automatically collect the data flow trace (DFT) in the fork mode ↵Kostya Serebryany2019-05-231-0/+1
| | | | | | if -collect_data_flow= is given git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@361448 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer][Windows] Port fork mode to WindowsJonathan Metzman2019-02-271-1/+1
| | | | | | | | | | | | | | | | | | | | | Summary: Port libFuzzer's fork mode to Windows. Implement Windows versions of MkDir, RmDir, and IterateDirRecursive to do this. Don't print error messages under new normal uses of FileSize (on a non-existent file). Implement portable way of piping output to /dev/null. Fix test for Windows and comment fork-sigusr.test on why it won't be ported to Win. Reviewers: zturner Reviewed By: zturner Subscribers: kcc, zturner, jdoerfert, #sanitizers, llvm-commits Tags: #sanitizers, #llvm Differential Revision: https://reviews.llvm.org/D58513 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@355019 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] print new functions as they are discovered in the fork modeKostya Serebryany2019-02-151-5/+5
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@354092 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] fix the unit testsKostya Serebryany2019-02-151-3/+5
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@354088 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] when doing the merge, keep track of the coveraged edges, not ↵Kostya Serebryany2019-02-151-13/+18
| | | | | | just features git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@354087 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] when doing the merge, keep track of the coveraged edges, not ↵Kostya Serebryany2019-02-141-7/+24
| | | | | | just features git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@354076 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] a bit of refactoring of the fork modeKostya Serebryany2019-02-131-0/+1
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353910 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] make the fork mode less verboseKostya Serebryany2019-02-121-19/+26
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353794 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] teach the fork mode to ignore OOMs and timeoutsKostya Serebryany2019-02-121-6/+0
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353792 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] extend the -fork=1 functionality. Still not fully usable, but ↵Kostya Serebryany2019-02-121-11/+16
| | | | | | good enough for the first unit test git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353775 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] more refactoring; change some of the exit codes (timeout, OOM, ↵Kostya Serebryany2019-02-091-17/+17
| | | | | | interrupt) so that the parent process can distinguish those git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353584 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] refactor the merging code, NFCKostya Serebryany2019-02-081-18/+14
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353576 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] remove two unused experimental flagsKostya Serebryany2019-02-081-44/+1
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353573 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] introduce an experimental mode -fork=1, where fuzzing happens in ↵Kostya Serebryany2019-02-081-27/+15
| | | | | | a subprocess (still running multiple inputs per process), thus making the fuzzing more resilient to timeouts and OOMs. This is just a skeleton of the code, and some associated refactoring, not a fully working feature yet. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353570 91177308-0d34-0410-b5e6-96231b3b80d8
* Update the file headers across all of the LLVM projects in the monorepoChandler Carruth2019-01-191-4/+3
| | | | | | | | | | | | | | | | | to reflect the new license. We understand that people may be surprised that we're moving the header entirely to discuss the new license. We checked this carefully with the Foundation's lawyer and we believe this is the correct approach. Essentially, all code in the project is now made available by the LLVM project under our new license, so you will see that the license headers include that license only. Some of our contributors have contributed code under our old license, and accordingly, we have retained a copy of our old license notice in the top-level files in each project and repository. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@351636 91177308-0d34-0410-b5e6-96231b3b80d8
* Revert "[compiler-rt] Change std::sort to llvm::sort in response to r327219"Mandeep Singh Grang2018-03-201-9/+9
| | | | | | This reverts commit 2ee210e1963e03aacc0f71c50e4994bb5c66586e. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@327936 91177308-0d34-0410-b5e6-96231b3b80d8
* [compiler-rt] Change std::sort to llvm::sort in response to r327219Mandeep Singh Grang2018-03-201-9/+9
| | | | | | | | | | | | | | | | | | | Summary: r327219 added wrappers to std::sort which randomly shuffle the container before sorting. This will help in uncovering non-determinism caused due to undefined sorting order of objects having the same key. To make use of that infrastructure we need to invoke llvm::sort instead of std::sort. Reviewers: kcc, rsmith, RKSimon, eugenis Reviewed By: RKSimon Subscribers: efriedma, kubamracek, dberris, #sanitizers, llvm-commits Differential Revision: https://reviews.llvm.org/D44360 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@327929 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Encapsulate commands in a class.Matt Morehouse2017-12-041-6/+8
| | | | | | | | | | | | | | | | | | | | | Summary: To be more portable (especially w.r.t. platforms without system()), commands should be managed programmatically rather than via string manipulation on the command line. This change introduces Fuzzer::Command, with methods to manage arguments and flags, set output options, and execute the command. Patch By: aarongreen Reviewers: kcc, morehouse Reviewed By: kcc, morehouse Subscribers: llvm-commits, mgorny Differential Revision: https://reviews.llvm.org/D40103 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@319680 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] respect max_len during mergeKostya Serebryany2017-11-151-1/+1
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@318302 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] make sure to flush IO when done merging one fileKostya Serebryany2017-11-091-0/+1
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@317835 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] handle SIGUSR1/SIGUSR2 and try to exit grafully on these signalsKostya Serebryany2017-11-091-0/+2
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@317829 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] allow merge to resume after being preempted Kostya Serebryany2017-11-091-25/+59
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@317767 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] allow user to specify the merge control fileKostya Serebryany2017-11-091-8/+14
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@317747 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] minor refactoring, NFCKostya Serebryany2017-09-151-2/+1
| | | | git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@313406 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] reduce the size of the merge control file by not dumping ↵Kostya Serebryany2017-09-151-9/+17
| | | | | | redundant features into it git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@313403 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Use custom allocators for STL containers in libFuzzer.George Karpenkov2017-08-271-15/+15
| | | | | | | | Avoids ODR violations causing spurious ASAN warnings. Differential Revision: https://reviews.llvm.org/D37086 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@311866 91177308-0d34-0410-b5e6-96231b3b80d8
* Revert "[libFuzzer] Use custom allocators for STL containers in libFuzzer"George Karpenkov2017-08-261-7/+7
| | | | | | This reverts commit 3539efc2f2218dba2bcbd645d0fe276f2b5cf588. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@311831 91177308-0d34-0410-b5e6-96231b3b80d8
* [libFuzzer] Use custom allocators for STL containers in libFuzzerGeorge Karpenkov2017-08-261-7/+7
| | | | | | | | Avoids ODR violations causing spurious ASAN container overflow warnings. Differential Revision: https://reviews.llvm.org/D37086 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@311830 91177308-0d34-0410-b5e6-96231b3b80d8
* Move libFuzzer to compiler_rt.George Karpenkov2017-08-211-0/+338
Resulting library binaries will be named libclang_rt.fuzzer*, and will be placed in Clang toolchain, allowing redistribution. Differential Revision: https://reviews.llvm.org/D36908 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@311407 91177308-0d34-0410-b5e6-96231b3b80d8
View Lorry Controller Status