From 8e3825a8a650aeafc0d7be6c541524612c80d1d6 Mon Sep 17 00:00:00 2001 From: Jonathan Metzman Date: Thu, 17 Jan 2019 16:36:05 +0000 Subject: [libFuzzer][MSVC] Make attribute-use compatible with MSVC Summary: Replace attributes with macros that use equivalent declspecs for MSVC. Reviewers: vitalybuka Reviewed By: vitalybuka Differential Revision: https://reviews.llvm.org/D56512 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@351456 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index ff2a639ac..92d4489c6 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp @@ -29,7 +29,12 @@ // This function should be present in the libFuzzer so that the client // binary can test for its existence. +#if LIBFUZZER_MSVC +extern "C" void __libfuzzer_is_present() {} +#pragma comment(linker, "/include:__libfuzzer_is_present") +#else extern "C" __attribute__((used)) void __libfuzzer_is_present() {} +#endif // LIBFUZZER_MSVC namespace fuzzer { -- cgit v1.2.1 From 58d43607862096aeb32d72173911c9df244a30f1 Mon Sep 17 00:00:00 2001 
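Review bot: The `/include:__libfuzzer_is_present` pragma names the symbol as the x64/ARM64 linker sees it, but on 32-bit x86 MSVC an `extern "C"` cdecl function is decorated with a leading underscore (`___libfuzzer_is_present`), so if i386 is a supported target the link fails with an unresolved symbol instead of forcing the function into the binary. Select the decorated name by architecture; the GCC/Clang `__attribute__((used))` branch is unaffected. Whether i386 MSVC is actually built here is not visible in this hunk, so this may only be a latent issue today.
```cpp
#if LIBFUZZER_MSVC
extern "C" void __libfuzzer_is_present() {}
#if defined(_M_IX86) || defined(__i386__)
#pragma comment(linker, "/include:___libfuzzer_is_present")
#else
#pragma comment(linker, "/include:__libfuzzer_is_present")
#endif
#else
// … unchanged: __attribute__((used)) definition for non-MSVC …
#endif // LIBFUZZER_MSVC
```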
From: Chandler Carruth Date: Sat, 19 Jan 2019 08:50:56 +0000 Subject: Update the file headers across all of the LLVM projects in the monorepo to reflect the new license. We understand that people may be surprised that we're moving the header entirely to discuss the new license. We checked this carefully with the Foundation's lawyer and we believe this is the correct approach. Essentially, all code in the project is now made available by the LLVM project under our new license, so you will see that the license headers include that license only. Some of our contributors have contributed code under our old license, and accordingly, we have retained a copy of our old license notice in the top-level files in each project and repository. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@351636 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index 92d4489c6..306e64427 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp @@ -1,9 +1,8 @@ //===- FuzzerDriver.cpp - FuzzerDriver function and flags -----------------===// // -// The LLVM Compiler Infrastructure -// -// This file is distributed under the University of Illinois Open Source -// License. See LICENSE.TXT for details. +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // //===----------------------------------------------------------------------===// // FuzzerDriver and flag parsing. -- cgit v1.2.1 From 8babb8092dfae9db1bffd7427d7b87488f2ebe10 Mon Sep 17 00:00:00 2001 
From: Kostya Serebryany Date: Tue, 29 Jan 2019 23:53:28 +0000 Subject: [libFuzzer] remove stale code git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@352571 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 1 - 1 file changed, 1 deletion(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index 306e64427..8a74d3630 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp @@ -621,7 +621,6 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { Options.PrintFinalStats = Flags.print_final_stats; Options.PrintCorpusStats = Flags.print_corpus_stats; Options.PrintCoverage = Flags.print_coverage; - Options.DumpCoverage = Flags.dump_coverage; if (Flags.exit_on_src_pos) Options.ExitOnSrcPos = Flags.exit_on_src_pos; if (Flags.exit_on_item) -- cgit v1.2.1 From 3ba2b09f35cfb78b54ff1753c613023e84845d96 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Wed, 30 Jan 2019 06:21:20 +0000 Subject: [libFuzzer] remove stale code, NFC git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@352604 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 29 ----------------------------- 1 file changed, 29 deletions(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index 8a74d3630..6528d4d92 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp @@ -15,7 +15,6 @@ #include "FuzzerInternal.h" #include "FuzzerMutate.h" #include "FuzzerRandom.h" -#include "FuzzerShmem.h" #include "FuzzerTracePC.h" #include #include 
@@ -672,34 +671,6 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { if (Flags.cleanse_crash) return CleanseCrashInput(Args, Options); -#if 0 // deprecated, to be removed. - if (auto Name = Flags.run_equivalence_server) { - SMR.Destroy(Name); - if (!SMR.Create(Name)) { - Printf("ERROR: can't create shared memory region\n"); - return 1; - } - Printf("INFO: EQUIVALENCE SERVER UP\n"); - while (true) { - SMR.WaitClient(); - size_t Size = SMR.ReadByteArraySize(); - SMR.WriteByteArray(nullptr, 0); - const Unit tmp(SMR.GetByteArray(), SMR.GetByteArray() + Size); - F->ExecuteCallback(tmp.data(), tmp.size()); - SMR.PostServer(); - } - return 0; - } - - if (auto Name = Flags.use_equivalence_server) { - if (!SMR.Open(Name)) { - Printf("ERROR: can't open shared memory region\n"); - return 1; - } - Printf("INFO: EQUIVALENCE CLIENT UP\n"); - } -#endif - if (DoPlainRun) { Options.SaveArtifacts = false; int Runs = std::max(1, Flags.runs); -- cgit v1.2.1 From 11c441a4215bedd053fb1816b3b3094f53ccefbd Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Thu, 31 Jan 2019 00:09:43 +0000 Subject: [libFuzzer] experimental performance optimization -lazy_counters, off by default. Posix-only for now, tested on Linux git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@352700 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index 6528d4d92..acebd3a7b 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp 
@@ -658,7 +658,10 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { Options.HandleXfsz = Flags.handle_xfsz; Options.HandleUsr1 = Flags.handle_usr1; Options.HandleUsr2 = Flags.handle_usr2; + Options.LazyCounters = Flags.lazy_counters; SetSignalHandler(Options); + if (Options.LazyCounters) + TPC.ProtectLazyCounters(); std::atexit(Fuzzer::StaticExitCallback); -- cgit v1.2.1 From c2cbf86c51bb06d73f5673f288b15c26abe2cf6d Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Thu, 31 Jan 2019 01:40:14 +0000 Subject: [libFuzzer] set libFuzzer's own SEGV handler even one is already present, but call that handler from ours (unless we are unprotecting lazy counters). Call ProtectLazyCounters later, so that it runs after the initialization code in the target. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@352713 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index acebd3a7b..0f8389cb3 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp @@ -628,6 +628,7 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { Options.FocusFunction = Flags.focus_function; if (Flags.data_flow_trace) Options.DataFlowTrace = Flags.data_flow_trace; + Options.LazyCounters = Flags.lazy_counters; unsigned Seed = Flags.seed; // Initialize Seed. @@ -658,10 +659,7 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { Options.HandleXfsz = Flags.handle_xfsz; Options.HandleUsr1 = Flags.handle_usr1; Options.HandleUsr2 = Flags.handle_usr2; - Options.LazyCounters = Flags.lazy_counters; SetSignalHandler(Options); - if (Options.LazyCounters) - TPC.ProtectLazyCounters(); std::atexit(Fuzzer::StaticExitCallback); -- cgit v1.2.1 From 89ce99374691983d64bdbd008b151e7d356cee8d Mon Sep 17 00:00:00 2001 
From: Kostya Serebryany Date: Fri, 8 Feb 2019 01:20:54 +0000 Subject: [libFuzzer] refactor the way we choose the element to cross-over with, NFC (expected1); add a flag -seed_inputs= to pass extra seed inputs as file paths, not dirs git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353494 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index 0f8389cb3..2bc895d00 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp @@ -732,7 +732,19 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { exit(0); } - F->Loop(*Inputs); + // Parse -seed_inputs=file1,file2,... + Vector ExtraSeedFiles; + if (Flags.seed_inputs) { + std::string s = Flags.seed_inputs; + size_t comma_pos; + while ((comma_pos = s.find_last_of(',')) != std::string::npos) { + ExtraSeedFiles.push_back(s.substr(comma_pos + 1)); + s = s.substr(0, comma_pos); + } + ExtraSeedFiles.push_back(s); + } + + F->Loop(*Inputs, ExtraSeedFiles); if (Flags.verbosity) Printf("Done %zd runs in %zd second(s)\n", F->getTotalNumberOfRuns(), -- cgit v1.2.1 From 4bdfbe8883e81de78f806e2539c0718af49c02c7 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Fri, 8 Feb 2019 21:27:23 +0000 Subject: [libFuzzer] introduce an experimental mode -fork=1, where fuzzing happens in a subprocess (still running multiple inputs per process), thus making the fuzzing more resilient to timeouts and OOMs. This is just a skeleton of the code, and some associated refactoring, not a fully working feature yet. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353570 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 68 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 58 insertions(+), 10 deletions(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') 
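Review bot: The `-seed_inputs=` parser pushes empty entries: an empty value (`-seed_inputs=`) yields `{""}`, and a trailing or doubled comma (`a,` or `a,,b`) yields empty paths as well, all of which are handed to `F->Loop` as files to read; what Loop does with an empty path is outside this hunk. Skip empty tokens with `if (!s.empty()) ExtraSeedFiles.push_back(s);` at the final push and the same guard on the push inside the `while` loop. It is also worth a one-line comment that walking from the last comma leaves `ExtraSeedFiles` in reverse command-line order, in case a later caller assumes order is preserved.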
diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index 2bc895d00..418bebb93 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp @@ -16,6 +16,7 @@ #include "FuzzerMutate.h" #include "FuzzerRandom.h" #include "FuzzerTracePC.h" +#include "FuzzerMerge.h" #include #include #include @@ -24,6 +25,7 @@ #include #include #include +#include // This function should be present in the libFuzzer so that the client // binary can test for its existence. @@ -304,6 +306,11 @@ static std::string GetDedupTokenFromFile(const std::string &Path) { return S.substr(Beg, End - Beg); } +static std::string TempPath(const char *Extension) { + return DirPlusFile(TmpDir(), + "libFuzzerTemp." + std::to_string(GetPid()) + Extension); +} + int CleanseCrashInput(const Vector &Args, const FuzzingOptions &Options) { if (Inputs->size() != 1 || !Flags.exact_artifact_path) { @@ -319,10 +326,8 @@ int CleanseCrashInput(const Vector &Args, assert(Cmd.hasArgument(InputFilePath)); Cmd.removeArgument(InputFilePath); - auto LogFilePath = DirPlusFile( - TmpDir(), "libFuzzerTemp." + std::to_string(GetPid()) + ".txt"); - auto TmpFilePath = DirPlusFile( - TmpDir(), "libFuzzerTemp." + std::to_string(GetPid()) + ".repro"); + auto LogFilePath = TempPath(".txt"); + auto TmpFilePath = TempPath(".repro"); Cmd.addArgument(TmpFilePath); Cmd.setOutputFile(LogFilePath); Cmd.combineOutAndErr(); @@ -382,8 +387,7 @@ int MinimizeCrashInput(const Vector &Args, BaseCmd.addFlag("max_total_time", "600"); } - auto LogFilePath = DirPlusFile( - TmpDir(), "libFuzzerTemp." + std::to_string(GetPid()) + ".txt"); + auto LogFilePath = TempPath(".txt"); BaseCmd.setOutputFile(LogFilePath); BaseCmd.combineOutAndErr(); 
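Review bot: `TempPath` builds a predictable name, `libFuzzerTemp.<pid><ext>` under `TmpDir()`, and the callers in this hunk pass it straight to `setOutputFile`/`addArgument` without creating the file exclusively first; if `TmpDir()` resolves to a world-writable directory such as /tmp, another local user can pre-create or symlink that path and have the cleanse/minimize child write its log or repro through it (the classic temp-file race). The refactor only centralises what the removed lines already did, but it is now the single place to fix: add a random component, or create a private scratch directory once and put all temporaries under it. At minimum document the assumption on the helper: `// NOTE: predictable name; assumes TmpDir() is not shared with untrusted users.`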
@@ -467,6 +471,36 @@ int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) { return 0; } +// This is just a sceleton of an experimental -fork=1 feature. +void FuzzWithFork(const FuzzingOptions &Options, + const Vector &Args, + const Vector &Corpora) { + auto CFPath = TempPath(".fork"); + Printf("INFO: -fork=1: doing fuzzing in a separate process in order to " + "be more resistant to crashes, timeouts, and OOMs\n"); + auto Files = + CrashResistantMerge(Args, Corpora, CFPath, nullptr, nullptr); + Printf("INFO: -fork=1: seed corpus analyzed, %zd seeds chosen, starting to " + "fuzz in separate processes\n", Files.size()); + + Command Cmd(Args); + Cmd.removeFlag("fork"); + if (Files.size() >= 2) + Cmd.addFlag("seed_inputs", + Files.back() + "," + Files[Files.size() - 2]); + Cmd.addFlag("runs", "1000000"); + Cmd.addFlag("max_total_time", "30"); + for (size_t i = 0; i < 1000; i++) { + Printf("RUN %s\n", Cmd.toString().c_str()); + int ExitCode = ExecuteCommand(Cmd); + // TODO: sniff the crash, ignore OOMs and timeouts. + if (ExitCode != 0) break; + } + + RemoveFile(CFPath); + exit(0); +} + int AnalyzeDictionary(Fuzzer *F, const Vector& Dict, UnitVector& Corpus) { Printf("Started dictionary minimization (up to %d tests)\n", 
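Review bot: A crash in a child is swallowed by the parent: the loop breaks on `ExitCode != 0`, but `FuzzWithFork` then calls `exit(0)` unconditionally, so a script or CI job driving `-fork=1` sees success even when the inner process reported a crash. Hoist `int ExitCode` out of the loop and finish with `exit(ExitCode);`, or at least print the non-zero code before exiting. Separately, `seed_inputs` is comma-separated, so a corpus path containing a comma would be split apart by the child's parser; corpus file names are usually hashes, but the directory component is user-chosen, so a comment or an assertion on that would help. The `Options` parameter is currently unused in this skeleton.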
@@ -694,11 +728,25 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { exit(0); } + if (Flags.fork) + FuzzWithFork(Options, Args, *Inputs); + if (Flags.merge) { - F->CrashResistantMerge(Args, *Inputs, - Flags.load_coverage_summary, - Flags.save_coverage_summary, - Flags.merge_control_file); + if (Inputs->size() < 2) { + Printf("INFO: Merge requires two or more corpus dirs\n"); + exit(0); + } + std::string CFPath = + Flags.merge_control_file ? Flags.merge_control_file : TempPath(".txt"); + auto Files = + CrashResistantMerge(Args, *Inputs, CFPath, Flags.load_coverage_summary, + Flags.save_coverage_summary); + for (auto &Path : Files) + F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen)); + // We are done, delete the control file if it was a temporary one. + if (!Flags.merge_control_file) + RemoveFile(CFPath); + exit(0); } -- cgit v1.2.1 From 4c775333c188cc37182c72eb2a7261f7eaeb32a5 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Fri, 8 Feb 2019 22:02:37 +0000 Subject: [libFuzzer] remove two unused experimental flags git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353573 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index 418bebb93..a0c9f185f 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp @@ -478,8 +478,7 @@ void FuzzWithFork(const FuzzingOptions &Options, auto CFPath = TempPath(".fork"); Printf("INFO: -fork=1: doing fuzzing in a separate process in order to " "be more resistant to crashes, timeouts, and OOMs\n"); - auto Files = - CrashResistantMerge(Args, Corpora, CFPath, nullptr, nullptr); + auto Files = CrashResistantMerge(Args, Corpora, CFPath); Printf("INFO: -fork=1: seed corpus analyzed, %zd seeds chosen, starting to " "fuzz in separate processes\n", Files.size()); 
@@ -738,9 +737,7 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { } std::string CFPath = Flags.merge_control_file ? Flags.merge_control_file : TempPath(".txt"); - auto Files = - CrashResistantMerge(Args, *Inputs, CFPath, Flags.load_coverage_summary, - Flags.save_coverage_summary); + auto Files = CrashResistantMerge(Args, *Inputs, CFPath); for (auto &Path : Files) F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen)); // We are done, delete the control file if it was a temporary one. -- cgit v1.2.1 From 170fdb7696b9c114106a40c7c3a9b523e6341db0 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Fri, 8 Feb 2019 22:59:03 +0000 Subject: [libFuzzer] refactor the merging code, NFC git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353576 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 54 ++++++++++++++++++++++++++++++--------------- 1 file changed, 36 insertions(+), 18 deletions(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index a0c9f185f..f4e3c39bf 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp 
@@ -471,14 +471,21 @@ int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) { return 0; } -// This is just a sceleton of an experimental -fork=1 feature. +// This is just a skeleton of an experimental -fork=1 feature. void FuzzWithFork(const FuzzingOptions &Options, const Vector &Args, const Vector &Corpora) { auto CFPath = TempPath(".fork"); Printf("INFO: -fork=1: doing fuzzing in a separate process in order to " "be more resistant to crashes, timeouts, and OOMs\n"); - auto Files = CrashResistantMerge(Args, Corpora, CFPath); + + + Vector Corpus; + for (auto &Dir : Corpora) + GetSizedFilesFromDir(Dir, &Corpus); + std::sort(Corpus.begin(), Corpus.end()); + + auto Files = CrashResistantMerge(Args, {}, Corpus, CFPath); Printf("INFO: -fork=1: seed corpus analyzed, %zd seeds chosen, starting to " "fuzz in separate processes\n", Files.size()); @@ -500,6 +507,31 @@ void FuzzWithFork(const FuzzingOptions &Options, exit(0); } +void Merge(Fuzzer *F, FuzzingOptions &Options, const Vector &Args, + const Vector &Corpora, const char *CFPathOrNull) { + if (Corpora.size() < 2) { + Printf("INFO: Merge requires two or more corpus dirs\n"); + exit(0); + } + + Vector OldCorpus, NewCorpus; + GetSizedFilesFromDir(Corpora[0], &OldCorpus); + for (size_t i = 1; i < Corpora.size(); i++) + GetSizedFilesFromDir(Corpora[i], &NewCorpus); + std::sort(OldCorpus.begin(), OldCorpus.end()); + std::sort(NewCorpus.begin(), NewCorpus.end()); + + std::string CFPath = CFPathOrNull ? CFPathOrNull : TempPath(".txt"); + auto Files = CrashResistantMerge(Args, OldCorpus, NewCorpus, CFPath); + for (auto &Path : Files) + F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen)); + // We are done, delete the control file if it was a temporary one. + if (!Flags.merge_control_file) + RemoveFile(CFPath); + + exit(0); +} + int AnalyzeDictionary(Fuzzer *F, const Vector& Dict, UnitVector& Corpus) { Printf("Started dictionary minimization (up to %d tests)\n", 
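Review bot: `Merge` receives the control-file path as `CFPathOrNull` but decides whether to delete it by reading the global `Flags.merge_control_file`; the two agree only because the single caller passes that flag, and any future caller handing in its own path would have that file deleted. Use the parameter: `if (!CFPathOrNull) RemoveFile(CFPath);`. A short comment on the signature that `CFPathOrNull` may be a user-supplied file the merge children write to and the parent reads back would also help the reader, since that is the only state shared across the crash-resistant steps.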
@@ -730,22 +762,8 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { if (Flags.fork) FuzzWithFork(Options, Args, *Inputs); - if (Flags.merge) { - if (Inputs->size() < 2) { - Printf("INFO: Merge requires two or more corpus dirs\n"); - exit(0); - } - std::string CFPath = - Flags.merge_control_file ? Flags.merge_control_file : TempPath(".txt"); - auto Files = CrashResistantMerge(Args, *Inputs, CFPath); - for (auto &Path : Files) - F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen)); - // We are done, delete the control file if it was a temporary one. - if (!Flags.merge_control_file) - RemoveFile(CFPath); - - exit(0); - } + if (Flags.merge) + Merge(F, Options, Args, *Inputs, Flags.merge_control_file); if (Flags.merge_inner) { const size_t kDefaultMaxMergeLen = 1 << 20; -- cgit v1.2.1 From 00ab2236146c035d7cabab47c76d13596a4ea315 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Sat, 9 Feb 2019 00:16:21 +0000 Subject: [libFuzzer] more refactoring; change some of the exit codes (timeout, OOM, interrupt) so that the parent process can distinguish those git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353584 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index f4e3c39bf..c381fb844 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp 
@@ -475,22 +475,27 @@ int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) { void FuzzWithFork(const FuzzingOptions &Options, const Vector &Args, const Vector &Corpora) { - auto CFPath = TempPath(".fork"); Printf("INFO: -fork=1: doing fuzzing in a separate process in order to " "be more resistant to crashes, timeouts, and OOMs\n"); - Vector Corpus; for (auto &Dir : Corpora) GetSizedFilesFromDir(Dir, &Corpus); std::sort(Corpus.begin(), Corpus.end()); - auto Files = CrashResistantMerge(Args, {}, Corpus, CFPath); - Printf("INFO: -fork=1: seed corpus analyzed, %zd seeds chosen, starting to " - "fuzz in separate processes\n", Files.size()); + Vector Files; + Set Features; + if (!Corpus.empty()) { + auto CFPath = TempPath(".fork"); + CrashResistantMerge(Args, {}, Corpus, &Files, {}, &Features, CFPath); + RemoveFile(CFPath); + } + Printf("INFO: -fork=1: %zd seeds, starting to fuzz\n", Files.size()); Command Cmd(Args); Cmd.removeFlag("fork"); + for (auto &C : Corpora) // Remove all corpora from the args. + Cmd.removeArgument(C); if (Files.size() >= 2) Cmd.addFlag("seed_inputs", Files.back() + "," + Files[Files.size() - 2]); @@ -499,11 +504,13 @@ void FuzzWithFork(const FuzzingOptions &Options, for (size_t i = 0; i < 1000; i++) { Printf("RUN %s\n", Cmd.toString().c_str()); int ExitCode = ExecuteCommand(Cmd); - // TODO: sniff the crash, ignore OOMs and timeouts. + if (ExitCode == Options.InterruptExitCode) + exit(0); + if (ExitCode == Options.TimeoutExitCode || ExitCode == Options.OOMExitCode) + continue; if (ExitCode != 0) break; } - RemoveFile(CFPath); exit(0); } 
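Review bot: The comparisons against `Options.TimeoutExitCode` and `Options.OOMExitCode` only match when the child exited through libFuzzer's own handlers; a child killed by the kernel OOM killer or by an unhandled signal produces a signal status instead, and whether `ExecuteCommand` decodes the wait status into a plain exit code is not visible here — if it returns the raw status, none of these comparisons match on POSIX. That is the conservative outcome (it falls through to `ExitCode != 0` and breaks as a crash), but it deserves a comment so nobody assumes OOMs and timeouts are always skipped: `// Only libFuzzer-reported timeouts/OOMs carry these codes; a signal-killed child falls through to the crash path.` Removing the trailing `RemoveFile(CFPath)` is consistent with the file now being removed right after the initial merge.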
@@ -522,8 +529,11 @@ void Merge(Fuzzer *F, FuzzingOptions &Options, const Vector &Args, std::sort(NewCorpus.begin(), NewCorpus.end()); std::string CFPath = CFPathOrNull ? CFPathOrNull : TempPath(".txt"); - auto Files = CrashResistantMerge(Args, OldCorpus, NewCorpus, CFPath); - for (auto &Path : Files) + Vector NewFiles; + Set NewFeatures; + CrashResistantMerge(Args, OldCorpus, NewCorpus, &NewFiles, {}, &NewFeatures, + CFPath); + for (auto &Path : NewFiles) F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen)); // We are done, delete the control file if it was a temporary one. if (!Flags.merge_control_file) -- cgit v1.2.1 From c8bc1b3d9e088ca7fe256c9ee6a609f385b884b6 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Tue, 12 Feb 2019 00:12:33 +0000 Subject: [libFuzzer] extend the -fork=1 functionality. Still not fully usable, but good enough for the first unit test git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353775 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 66 ++++++++++++++++++++++++++++++++------------- 1 file changed, 48 insertions(+), 18 deletions(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index c381fb844..232b3a873 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp 
@@ -472,46 +472,76 @@ int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) { } // This is just a skeleton of an experimental -fork=1 feature. -void FuzzWithFork(const FuzzingOptions &Options, +void FuzzWithFork(Fuzzer *F, const FuzzingOptions &Options, const Vector &Args, const Vector &Corpora) { Printf("INFO: -fork=1: doing fuzzing in a separate process in order to " "be more resistant to crashes, timeouts, and OOMs\n"); + auto Rand = F->GetMD().GetRand(); Vector Corpus; for (auto &Dir : Corpora) GetSizedFilesFromDir(Dir, &Corpus); std::sort(Corpus.begin(), Corpus.end()); + auto CFPath = TempPath(".fork"); Vector Files; Set Features; if (!Corpus.empty()) { - auto CFPath = TempPath(".fork"); CrashResistantMerge(Args, {}, Corpus, &Files, {}, &Features, CFPath); RemoveFile(CFPath); } - Printf("INFO: -fork=1: %zd seeds, starting to fuzz\n", Files.size()); + auto TempDir = TempPath("Dir"); + MkDir(TempDir); + Printf("INFO: -fork=1: %zd seeds, starting to fuzz; scratch: %s\n", + Files.size(), TempDir.c_str()); - Command Cmd(Args); - Cmd.removeFlag("fork"); + Command BaseCmd(Args); + BaseCmd.removeFlag("fork"); for (auto &C : Corpora) // Remove all corpora from the args. - Cmd.removeArgument(C); - if (Files.size() >= 2) - Cmd.addFlag("seed_inputs", - Files.back() + "," + Files[Files.size() - 2]); - Cmd.addFlag("runs", "1000000"); - Cmd.addFlag("max_total_time", "30"); - for (size_t i = 0; i < 1000; i++) { + BaseCmd.removeArgument(C); + BaseCmd.addFlag("runs", "1000000"); + BaseCmd.addFlag("max_total_time", "30"); + BaseCmd.addArgument(TempDir); + int ExitCode = 0; + for (size_t i = 0; i < 1000000; i++) { + // TODO: take new files from disk e.g. those generated by another process. 
+ Command Cmd(BaseCmd); + if (Files.size() >= 2) + Cmd.addFlag("seed_inputs", + Files[Rand.SkewTowardsLast(Files.size())] + "," + + Files[Rand.SkewTowardsLast(Files.size())]); Printf("RUN %s\n", Cmd.toString().c_str()); - int ExitCode = ExecuteCommand(Cmd); + RmFilesInDir(TempDir); + ExitCode = ExecuteCommand(Cmd); + Printf("Exit code: %d\n", ExitCode); if (ExitCode == Options.InterruptExitCode) - exit(0); - if (ExitCode == Options.TimeoutExitCode || ExitCode == Options.OOMExitCode) - continue; + break; + Vector TempFiles; + VectorFilesToAdd; + Set NewFeatures; + GetSizedFilesFromDir(TempDir, &TempFiles); + CrashResistantMerge(Args, {}, TempFiles, &FilesToAdd, Features, + &NewFeatures, CFPath); + RemoveFile(CFPath); + for (auto &Path : FilesToAdd) { + auto NewPath = F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen)); + if (!NewPath.empty()) + Files.push_back(NewPath); + } + Features.insert(NewFeatures.begin(), NewFeatures.end()); + Printf("INFO: temp_files: %zd files_added: %zd newft: %zd ft: %zd\n", + TempFiles.size(), FilesToAdd.size(), NewFeatures.size(), + Features.size()); if (ExitCode != 0) break; } - exit(0); + RmFilesInDir(TempDir); + RmDir(TempDir); + + // Use the exit code from the last child process. + Printf("Fork: exiting: %d\n", ExitCode); + exit(ExitCode); } void Merge(Fuzzer *F, FuzzingOptions &Options, const Vector &Args, @@ -770,7 +800,7 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { } if (Flags.fork) - FuzzWithFork(Options, Args, *Inputs); + FuzzWithFork(F, Options, Args, *Inputs); if (Flags.merge) Merge(F, Options, Args, *Inputs, Flags.merge_control_file); -- cgit v1.2.1 From 57bf2400336b66c1c1fbc112228907474a451fc2 Mon Sep 17 00:00:00 2001 
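Review bot: `MkDir(TempDir)` is not checked and `TempDir` is the predictable `libFuzzerTemp.<pid>Dir` under `TmpDir()`; if the directory already exists — left over from an earlier run that reused the pid, or pre-created by another local user when tmp is shared — the loop proceeds to `RmFilesInDir` it, lets the child write into it, and then imports whatever is found there through `CrashResistantMerge` and `WriteToOutputCorpus`. Verify the directory was freshly created and fail loudly otherwise (MkDir's signature is outside the hunk; if it cannot report failure, check existence before calling it or use a uniquely named directory). Also `Files` only grows via `Files.push_back(NewPath)` across up to a million iterations with `SkewTowardsLast` sampling as the only bound; fine for a skeleton, but worth a TODO. This hunk's second part, the call-site change in `FuzzerDriver`, is a straightforward signature update.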
From: Kostya Serebryany Date: Tue, 12 Feb 2019 02:18:53 +0000 Subject: [libFuzzer] teach the fork mode to ignore OOMs and timeouts git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353792 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index 232b3a873..8ad99d0a3 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp @@ -533,6 +533,12 @@ void FuzzWithFork(Fuzzer *F, const FuzzingOptions &Options, Printf("INFO: temp_files: %zd files_added: %zd newft: %zd ft: %zd\n", TempFiles.size(), FilesToAdd.size(), NewFeatures.size(), Features.size()); + // Continue if our crash is one of the ignorred ones. + if (Options.IgnoreTimeouts && ExitCode == Options.TimeoutExitCode) + continue; + if (Options.IgnoreOOMs && ExitCode == Options.OOMExitCode) + continue; + // And exit if we don't ignore this crash. if (ExitCode != 0) break; } @@ -681,6 +687,8 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { Options.UnitTimeoutSec = Flags.timeout; Options.ErrorExitCode = Flags.error_exitcode; Options.TimeoutExitCode = Flags.timeout_exitcode; + Options.IgnoreTimeouts = Flags.ignore_timeouts; + Options.IgnoreOOMs = Flags.ignore_ooms; Options.MaxTotalTimeSec = Flags.max_total_time; Options.DoCrossOver = Flags.cross_over; Options.MutateDepth = Flags.mutate_depth; -- cgit v1.2.1 From a098df1569900e6c3498ce9e9002db7374a284e6 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Tue, 12 Feb 2019 03:12:40 +0000 Subject: [libFuzzer] make the fork mode less verbose git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353794 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') 
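Review bot: Comment typo on the first added line, `ignorred` → `ignored`; suggested wording `// Continue if the child's exit was a timeout or OOM we were told to ignore.` More substantively, an ignored timeout or OOM leaves no trace because the `continue` skips any message, so a run that silently ignores hundreds of OOMs looks identical to a healthy one; a counter folded into the per-iteration INFO line (or printed at exit) would make that visible. The `IgnoreTimeouts`/`IgnoreOOMs` plumbing in the second hunk looks fine.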
diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index 8ad99d0a3..dc67512b6 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp @@ -484,11 +484,12 @@ void FuzzWithFork(Fuzzer *F, const FuzzingOptions &Options, GetSizedFilesFromDir(Dir, &Corpus); std::sort(Corpus.begin(), Corpus.end()); auto CFPath = TempPath(".fork"); + auto LogPath = TempPath(".log"); Vector Files; Set Features; if (!Corpus.empty()) { - CrashResistantMerge(Args, {}, Corpus, &Files, {}, &Features, CFPath); + CrashResistantMerge(Args, {}, Corpus, &Files, {}, &Features, CFPath, false); RemoveFile(CFPath); } auto TempDir = TempPath("Dir"); @@ -500,8 +501,8 @@ void FuzzWithFork(Fuzzer *F, const FuzzingOptions &Options, BaseCmd.removeFlag("fork"); for (auto &C : Corpora) // Remove all corpora from the args. BaseCmd.removeArgument(C); - BaseCmd.addFlag("runs", "1000000"); - BaseCmd.addFlag("max_total_time", "30"); + if (!BaseCmd.hasFlag("max_total_time")) + BaseCmd.addFlag("max_total_time", "60"); BaseCmd.addArgument(TempDir); int ExitCode = 0; for (size_t i = 0; i < 1000000; i++) { @@ -511,10 +512,11 @@ void FuzzWithFork(Fuzzer *F, const FuzzingOptions &Options, Cmd.addFlag("seed_inputs", Files[Rand.SkewTowardsLast(Files.size())] + "," + Files[Rand.SkewTowardsLast(Files.size())]); - Printf("RUN %s\n", Cmd.toString().c_str()); + Cmd.setOutputFile(LogPath); + Cmd.combineOutAndErr(); RmFilesInDir(TempDir); ExitCode = ExecuteCommand(Cmd); - Printf("Exit code: %d\n", ExitCode); + // Printf("done [%d] %s\n", ExitCode, Cmd.toString().c_str()); if (ExitCode == Options.InterruptExitCode) break; Vector TempFiles; 
@@ -522,7 +524,7 @@ void FuzzWithFork(Fuzzer *F, const FuzzingOptions &Options, Set NewFeatures; GetSizedFilesFromDir(TempDir, &TempFiles); CrashResistantMerge(Args, {}, TempFiles, &FilesToAdd, Features, - &NewFeatures, CFPath); + &NewFeatures, CFPath, false); RemoveFile(CFPath); for (auto &Path : FilesToAdd) { auto NewPath = F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen)); @@ -539,7 +541,11 @@ void FuzzWithFork(Fuzzer *F, const FuzzingOptions &Options, if (Options.IgnoreOOMs && ExitCode == Options.OOMExitCode) continue; // And exit if we don't ignore this crash. - if (ExitCode != 0) break; + if (ExitCode != 0) { + Printf("INFO: log from the inner process:\n%s", + FileToString(LogPath).c_str()); + break; + } } RmFilesInDir(TempDir); @@ -568,7 +574,7 @@ void Merge(Fuzzer *F, FuzzingOptions &Options, const Vector &Args, Vector NewFiles; Set NewFeatures; CrashResistantMerge(Args, OldCorpus, NewCorpus, &NewFiles, {}, &NewFeatures, - CFPath); + CFPath, true); for (auto &Path : NewFiles) F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen)); // We are done, delete the control file if it was a temporary one. -- cgit v1.2.1 From 6e85a0356f6258e8653ddc3eecb78ded33498218 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Tue, 12 Feb 2019 22:48:55 +0000 Subject: [libFuzzer] move the implementation of the fork mode into a separate file git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353891 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 95 ++------------------------------------------- 1 file changed, 3 insertions(+), 92 deletions(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index dc67512b6..00dae3fda 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp 
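Review bot: `LogPath` is written by `Cmd.setOutputFile(LogPath)` on every iteration but never removed; the cleanup at the tail of `FuzzWithFork` (outside this hunk, visible in the previous commit's listing) only removes `TempDir`, so each `-fork=1` run leaves `libFuzzerTemp.<pid>.log` — the child's full combined stdout/stderr, which can include input bytes — behind in `TmpDir()`. Add `RemoveFile(LogPath);` next to `RmDir(TempDir);`, assuming that tail is unchanged. Also the new trailing bool on `CrashResistantMerge` is passed as a bare literal in three places; a named local such as `const bool Verbose = false;` would document what it controls.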
@@ -10,13 +10,14 @@ #include "FuzzerCommand.h" #include "FuzzerCorpus.h" +#include "FuzzerFork.h" #include "FuzzerIO.h" #include "FuzzerInterface.h" #include "FuzzerInternal.h" +#include "FuzzerMerge.h" #include "FuzzerMutate.h" #include "FuzzerRandom.h" #include "FuzzerTracePC.h" -#include "FuzzerMerge.h" #include #include #include @@ -306,11 +307,6 @@ static std::string GetDedupTokenFromFile(const std::string &Path) { return S.substr(Beg, End - Beg); } -static std::string TempPath(const char *Extension) { - return DirPlusFile(TmpDir(), - "libFuzzerTemp." + std::to_string(GetPid()) + Extension); -} - int CleanseCrashInput(const Vector &Args, const FuzzingOptions &Options) { if (Inputs->size() != 1 || !Flags.exact_artifact_path) { 
@@ -471,91 +467,6 @@ int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) { return 0; } -// This is just a skeleton of an experimental -fork=1 feature. -void FuzzWithFork(Fuzzer *F, const FuzzingOptions &Options, - const Vector &Args, - const Vector &Corpora) { - Printf("INFO: -fork=1: doing fuzzing in a separate process in order to " - "be more resistant to crashes, timeouts, and OOMs\n"); - auto Rand = F->GetMD().GetRand(); - - Vector Corpus; - for (auto &Dir : Corpora) - GetSizedFilesFromDir(Dir, &Corpus); - std::sort(Corpus.begin(), Corpus.end()); - auto CFPath = TempPath(".fork"); - auto LogPath = TempPath(".log"); - - Vector Files; - Set Features; - if (!Corpus.empty()) { - CrashResistantMerge(Args, {}, Corpus, &Files, {}, &Features, CFPath, false); - RemoveFile(CFPath); - } - auto TempDir = TempPath("Dir"); - MkDir(TempDir); - Printf("INFO: -fork=1: %zd seeds, starting to fuzz; scratch: %s\n", - Files.size(), TempDir.c_str()); - - Command BaseCmd(Args); - BaseCmd.removeFlag("fork"); - for (auto &C : Corpora) // Remove all corpora from the args. - BaseCmd.removeArgument(C); - if (!BaseCmd.hasFlag("max_total_time")) - BaseCmd.addFlag("max_total_time", "60"); - BaseCmd.addArgument(TempDir); - int ExitCode = 0; - for (size_t i = 0; i < 1000000; i++) { - // TODO: take new files from disk e.g. those generated by another process. 
- Command Cmd(BaseCmd); - if (Files.size() >= 2) - Cmd.addFlag("seed_inputs", - Files[Rand.SkewTowardsLast(Files.size())] + "," + - Files[Rand.SkewTowardsLast(Files.size())]); - Cmd.setOutputFile(LogPath); - Cmd.combineOutAndErr(); - RmFilesInDir(TempDir); - ExitCode = ExecuteCommand(Cmd); - // Printf("done [%d] %s\n", ExitCode, Cmd.toString().c_str()); - if (ExitCode == Options.InterruptExitCode) - break; - Vector TempFiles; - VectorFilesToAdd; - Set NewFeatures; - GetSizedFilesFromDir(TempDir, &TempFiles); - CrashResistantMerge(Args, {}, TempFiles, &FilesToAdd, Features, - &NewFeatures, CFPath, false); - RemoveFile(CFPath); - for (auto &Path : FilesToAdd) { - auto NewPath = F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen)); - if (!NewPath.empty()) - Files.push_back(NewPath); - } - Features.insert(NewFeatures.begin(), NewFeatures.end()); - Printf("INFO: temp_files: %zd files_added: %zd newft: %zd ft: %zd\n", - TempFiles.size(), FilesToAdd.size(), NewFeatures.size(), - Features.size()); - // Continue if our crash is one of the ignorred ones. - if (Options.IgnoreTimeouts && ExitCode == Options.TimeoutExitCode) - continue; - if (Options.IgnoreOOMs && ExitCode == Options.OOMExitCode) - continue; - // And exit if we don't ignore this crash. - if (ExitCode != 0) { - Printf("INFO: log from the inner process:\n%s", - FileToString(LogPath).c_str()); - break; - } - } - - RmFilesInDir(TempDir); - RmDir(TempDir); - - // Use the exit code from the last child process. - Printf("Fork: exiting: %d\n", ExitCode); - exit(ExitCode); -} - void Merge(Fuzzer *F, FuzzingOptions &Options, const Vector &Args, const Vector &Corpora, const char *CFPathOrNull) { if (Corpora.size() < 2) { 
@@ -814,7 +725,7 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { } if (Flags.fork) - FuzzWithFork(F, Options, Args, *Inputs); + FuzzWithFork(F->GetMD().GetRand(), Options, Args, *Inputs); if (Flags.merge) Merge(F, Options, Args, *Inputs, Flags.merge_control_file); -- cgit v1.2.1 From 858a4063683599382d77005e49e4a31bf2ca9501 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Thu, 14 Feb 2019 00:25:43 +0000 Subject: [libFuzzer] add threads to the fork mode: now you can pass -fork=N to run N concurrent workers. Fork mode is still work-in-progress. git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@353997 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index 00dae3fda..434c48128 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp @@ -725,7 +725,7 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { } if (Flags.fork) - FuzzWithFork(F->GetMD().GetRand(), Options, Args, *Inputs); + FuzzWithFork(F->GetMD().GetRand(), Options, Args, *Inputs, Flags.fork); if (Flags.merge) Merge(F, Options, Args, *Inputs, Flags.merge_control_file); -- cgit v1.2.1 From 8d70b932e3dbd7218d31d28c2c5ed277018de7e9 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Fri, 15 Feb 2019 00:08:16 +0000 Subject: [libFuzzer] when doing the merge, keep track of the coveraged edges, not just features git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@354087 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index 434c48128..9f1621fcd 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp 
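Review bot: In the second hunk (-725), `Flags.fork` is forwarded as the worker count with only the truthiness test `if (Flags.fork)` in front of it; since the same flag is used both as a boolean and as a count it is presumably a signed integer, in which case a negative value passes the guard and reaches FuzzWithFork as N. Reject it before the call, `if (Flags.fork < 0) { Printf("ERROR: -fork=N requires N >= 0\n"); exit(1); }`, or document in FuzzerFork.h that FuzzWithFork validates N itself. FuzzerDriver begins and ends outside the hunk.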
@@ -483,9 +483,9 @@ void Merge(Fuzzer *F, FuzzingOptions &Options, const Vector &Args, std::string CFPath = CFPathOrNull ? CFPathOrNull : TempPath(".txt"); Vector NewFiles; - Set NewFeatures; + Set NewFeatures, NewCov; CrashResistantMerge(Args, OldCorpus, NewCorpus, &NewFiles, {}, &NewFeatures, - CFPath, true); + {}, &NewCov, CFPath, true); for (auto &Path : NewFiles) F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen)); // We are done, delete the control file if it was a temporary one. -- cgit v1.2.1 From 0fd94f0eebbec71043d5111c0e419a55da6a4557 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Fri, 15 Feb 2019 21:51:15 +0000 Subject: [libFuzzer] form mode: add -ignore_crashes flag, honor the max_total_time flag, print the number of ooms/timeouts/crashes, fix a typo git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@354175 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index 9f1621fcd..9c99d5ffb 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp @@ -606,6 +606,7 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { Options.TimeoutExitCode = Flags.timeout_exitcode; Options.IgnoreTimeouts = Flags.ignore_timeouts; Options.IgnoreOOMs = Flags.ignore_ooms; + Options.IgnoreCrashes = Flags.ignore_crashes; Options.MaxTotalTimeSec = Flags.max_total_time; Options.DoCrossOver = Flags.cross_over; Options.MutateDepth = Flags.mutate_depth; -- cgit v1.2.1 From c438ef37dfc4b954ead9df6222fe0bb36987268e Mon Sep 17 00:00:00 2001 
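Review bot: `NewCov` in the first hunk (-483) is declared, handed to CrashResistantMerge as an output, and then never read, so the coverage result the commit title says is now tracked is computed and discarded on this path. If CrashResistantMerge accepts a null output pointer, pass `nullptr` instead of `&NewCov`; if it does not, add `// NewCov is required by the interface but not used by the merge path.` so the next reader does not go looking for a consumer. Merge's body continues outside the hunk.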
From: Kostya Serebryany Date: Sat, 13 Apr 2019 00:20:31 +0000 Subject: [libFuzzer] add -features_dir= flag to dump unique input features on disk git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@358317 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index 9c99d5ffb..a51ac9310 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp @@ -659,6 +659,8 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { Options.FocusFunction = Flags.focus_function; if (Flags.data_flow_trace) Options.DataFlowTrace = Flags.data_flow_trace; + if (Flags.features_dir) + Options.FeaturesDir = Flags.features_dir; Options.LazyCounters = Flags.lazy_counters; unsigned Seed = Flags.seed; -- cgit v1.2.1 From 0128c9bfa882ac8ca16929201352e3d8bea9aff8 Mon Sep 17 00:00:00 2001 From: Jonathan Metzman Date: Tue, 30 Apr 2019 20:56:18 +0000 Subject: [libFuzzer] Replace -seed_corpus to better support fork mode on Win Summary: Pass seed corpus list in a file to get around argument length limits on Windows. This limit was preventing many uses of fork mode on Windows. Reviewers: kcc, morehouse Reviewed By: kcc Subscribers: #sanitizers, llvm-commits Tags: #sanitizers, #llvm Differential Revision: https://reviews.llvm.org/D60980 git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@359610 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/fuzzer/FuzzerDriver.cpp | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) (limited to 'lib/fuzzer/FuzzerDriver.cpp') diff --git a/lib/fuzzer/FuzzerDriver.cpp b/lib/fuzzer/FuzzerDriver.cpp index a51ac9310..b9c892747 100644 --- a/lib/fuzzer/FuzzerDriver.cpp +++ b/lib/fuzzer/FuzzerDriver.cpp 
@@ -763,16 +763,25 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { exit(0); } - // Parse -seed_inputs=file1,file2,... + // Parse -seed_inputs=file1,file2,... or -seed_inputs=@seed_inputs_file Vector ExtraSeedFiles; if (Flags.seed_inputs) { - std::string s = Flags.seed_inputs; - size_t comma_pos; - while ((comma_pos = s.find_last_of(',')) != std::string::npos) { - ExtraSeedFiles.push_back(s.substr(comma_pos + 1)); - s = s.substr(0, comma_pos); + std::string SeedInputs; + if (Flags.seed_inputs[0] == '@') + SeedInputs = FileToString(Flags.seed_inputs + 1); // File contains list. + else + SeedInputs = Flags.seed_inputs; // seed_inputs contains the list. + if (SeedInputs.empty()) { + Printf("seed_inputs is empty or @file does not exist.\n"); + exit(1); + } + // Parse SeedInputs. + size_t comma_pos = 0; + while ((comma_pos = SeedInputs.find_last_of(',')) != std::string::npos) { + ExtraSeedFiles.push_back(SeedInputs.substr(comma_pos + 1)); + SeedInputs = SeedInputs.substr(0, comma_pos); } - ExtraSeedFiles.push_back(s); + ExtraSeedFiles.push_back(SeedInputs); } F->Loop(*Inputs, ExtraSeedFiles); -- cgit v1.2.1
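Review bot: The `@file` form reads the list with FileToString and then splits on commas only, so a file that ends with a newline leaves `\n` on the last entry and a newline-separated list is treated as one path, and both then name seed files that do not exist. Trim trailing whitespace before the parse loop, `while (!SeedInputs.empty() && isspace(static_cast<unsigned char>(SeedInputs.back()))) SeedInputs.pop_back();` (isspace from <cctype>), and either strip whitespace from each entry or state in the comment that the file must be a single comma-separated line with no trailing newline. A trailing comma (`a,b,`) likewise pushes an empty entry that should be skipped. FuzzerDriver begins and ends outside the hunk.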