Displaying 11 results from an estimated 11 matches for "fuzzerloop".
2015 May 17
2
[LLVMdev] Building the fuzzer library
...library and clang-fuzzer, but it doesn't
seem to build for me. From the cmake files, I was pretty sure all I need
to do is set -DLLVM_USE_SANITIZE_COVERAGE=ON, but with this I get a
number of link errors for "lib/Fuzzer/test/LLVMFuzzer-CounterTest", for
example:
lib/libLLVMFuzzer.a(FuzzerLoop.cpp.o): In function `SetDeathCallback':
/home/bogner/code/llvm/lib/Fuzzer/FuzzerLoop.cpp:31: undefined reference to `__sanitizer_set_death_callback'
lib/libLLVMFuzzer.a(FuzzerLoop.cpp.o): In function `fuzzer::Fuzzer::SetDeathCallback()':
/home/bogner/code/llvm/lib/Fuzzer/FuzzerLoo...
2015 Dec 02
2
fuzzer crash (but not the good kind)
...er::CoverageData::Update8bitCounterBitsetAndClearCounters(unsigned
char*)
/home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467:5
#3 0x1b7b53 in fuzzer::Fuzzer::PrepareCoverageBeforeRun()
/home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:264:5
#4 0x1b501b in fuzzer::Fuzzer::RunOne(std::vector<unsigned char,
std::allocator<unsigned char> > const&)
/home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:212:3
#5 0x1b6be3 in fuzzer::Fuzzer::ShuffleAndMinimize()
/home/brian/src/fuzzpy/llvm_src//llvm/...
2015 Dec 03
2
fuzzer crash (but not the good kind)
...itsetAndClearCounters(unsigned
>> char*)
>> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467:5
>> #3 0x1b7b53 in fuzzer::Fuzzer::PrepareCoverageBeforeRun()
>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:264:5
>> #4 0x1b501b in fuzzer::Fuzzer::RunOne(std::vector<unsigned char,
>> std::allocator<unsigned char> > const&)
>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:212:3
>> #5 0x1b6be3 in fuzzer::Fuzzer::ShuffleAndMinimize()
>...
2015 Dec 03
2
fuzzer crash (but not the good kind)
...>>>> char*)
>>>> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467:5
>>>> #3 0x1b7b53 in fuzzer::Fuzzer::PrepareCoverageBeforeRun()
>>>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:264:5
>>>> #4 0x1b501b in fuzzer::Fuzzer::RunOne(std::vector<unsigned char,
>>>> std::allocator<unsigned char> > const&)
>>>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:212:3
>>>> #5 0x1b6be3 in fuzzer:...
2015 Aug 11
3
libfuzzer questions
First off, thanks -- this is a pretty great library and it feels like I'm
learning a lot. I'm getting some more experience with libfuzzer and
finding that I have a couple of questions:
- How does libfuzzer decide to write a new test file? What distinguishes
this one from all the other cases for which new test inputs were not
written? Must be something about the path taken through the
2015 Aug 11
3
libfuzzer questions
...vm/lib/Fuzzer/FuzzerIO.cpp:69
#17 0x0000000000579636 in fuzzer::Fuzzer::WriteToCrash (this=0x7fffd956f440, U=..., Prefix=0x1435ec0 <.str.11> "timeout-")
#18 0x000000000057a89a in fuzzer::Fuzzer::AlarmCallback (this=0x7fffd956f440) at /home/brian/tmp/testing/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:73
#19 0x0000000000579b97 in fuzzer::Fuzzer::StaticAlarmCallback () at /home/brian/tmp/testing/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:57
#20 0x0000000000572355 in fuzzer::AlarmHandler () at /home/brian/tmp/testing/llvm_src//llvm/lib/Fuzzer/FuzzerUtil.cpp:49
#21 <signal handler called>
#...
2015 Sep 08
2
Some feedback on Libfuzzer
On Sat, Sep 5, 2015 at 11:50 AM, Greg Stark <stark at mit.edu> wrote:
> On Sat, Sep 5, 2015 at 6:38 PM, Kostya Serebryany <kcc at google.com> wrote:
> >
> > This is more like a limitation of asan, not libFuzzer.
> > By design, asan does not recover from the first crash.
> > This feature has been criticized quite a lot, but I am still convinced
> this
>
2015 Sep 03
2
Fuzzing complex programs
...roblem I'm stumped on. I'm not sure if it's
the dynamic linker or something in Postgres that's interfering with
the coverage feedback but it's exiting after one call thinking the
new coverage isn't increasing over the previous coverage.
The test that's causing it to exit is at FuzzerLoop.cpp:250
if (NewCoverage > OldCoverage || NumNewBits)
return NewCoverage;
250 if (NewCoverage > OldCoverage || NumNewBits)
(gdb) p NewCoverage
$3 = 14422
(gdb) p OldCoverage
$4 = 14422
(gdb) p NumNewBits
$5 = 0
And after that it just returns.
In fact the only call it makes to my test...
2015 Aug 30
2
Fuzzing complex programs
On Sun, Aug 30, 2015 at 9:11 AM, Brian Cain via llvm-dev <
llvm-dev at lists.llvm.org> wrote:
>
>
> On Sun, Aug 30, 2015 at 9:30 AM, Greg Stark via llvm-dev <
> llvm-dev at lists.llvm.org> wrote:
>
>> I have a project I want to do based on Libfuzzer. Is there a separate
>> list for it or should I bring up any ideas for it here?
>>
>> No separate
2015 Sep 03
2
Fuzzing complex programs
I'm fairly sure your compiler (or rather linker) errors are coming from the
fact that you are not linking to the C++ runtime library. Use `clang++
-std=c++11 *.o`, and I'm reasonably sure it will do what you want.
--
Mats
On 3 September 2015 at 12:26, Greg Stark via llvm-dev <
llvm-dev at lists.llvm.org> wrote:
> On Sun, Aug 30, 2015 at 3:30 PM, Greg Stark <stark at
2015 Nov 16
2
LLVM Weekly - #98, Nov 16th 2015
...compiler-rt or libcxx. [r252747](http://reviews.llvm.org/rL252747).
* An 'empty token' is now defined (written as `token empty`) for when using
tokens in LLVM IR. [r252811](http://reviews.llvm.org/rL252811).
* LibFuzzer gained a new experimental search heuristic, drill. As the comment
in FuzzerLoop.cpp explains, this will 1) read+shuffle+execute+minimize the
corpus, 2) choose a random unit, 3) reset the coverage, 4) start fuzzing as if
the chosen unit was the only element of the corpus, 5) reset the coverage
again when done, 6) merge the newly created corpus into the original one.
[r252838](h...