LLVM  4.0.0
fuzzer Namespace Reference

Classes

struct  InputInfo
 
class  InputCorpus
 
struct  ScopedDoingMyOwnMemmem
 
class  FixedWord
 
class  DictionaryEntry
 
class  Dictionary
 
struct  FlagDescription
 
struct  ExternalFunctions
 
class  Fuzzer
 
struct  MallocFreeTracer
 
struct  MergeFileInfo
 
struct  Merger
 
class  MutationDispatcher
 
struct  FuzzingOptions
 
class  Random
 
struct  TableOfRecentCompares
 
class  TracePC
 
struct  TraceBasedMutation
 
class  TraceState
 
struct  ValueBitMap
 

Typedefs

typedef std::vector< uint8_t > Unit
 
typedef std::vector< Unit > UnitVector
 
typedef int(* UserCallback )(const uint8_t *Data, size_t Size)
 
typedef FixedWord< 27 > Word
 

Functions

template<class T >
T Min (T a, T b)
 
template<class T >
T Max (T a, T b)
 
int FuzzerDriver (int *argc, char ***argv, UserCallback Callback)
 
uint8_t Bswap (uint8_t x)
 
uint16_t Bswap (uint16_t x)
 
uint32_t Bswap (uint32_t x)
 
uint64_t Bswap (uint64_t x)
 
bool ParseOneDictionaryEntry (const std::string &Str, Unit *U)
 
bool ParseDictionaryFile (const std::string &Text, std::vector< Unit > *Units)
 
FUZZER_FLAG_INT (runs, -1, "Number of individual test runs (-1 for infinite runs).")
 
FUZZER_FLAG_INT (max_len
    Maximum length of the test input libFuzzer tries to guess a good value based on the corpus and reports it
 
FUZZER_FLAG_INT (mutate_depth, 5, "Apply this number of consecutive mutations to each input.")
 
FUZZER_FLAG_INT (prefer_small
    always prefer smaller inputs during the corpus shuffle
 
FUZZER_FLAG_INT (timeout, 1200, "Timeout in seconds (if positive). ""If one unit runs more than this number of seconds the process will abort.")
 
FUZZER_FLAG_INT (error_exitcode
    When libFuzzer itself reports a bug this exit code will be used
 
FUZZER_FLAG_INT (timeout_exitcode, 77, "When libFuzzer reports a timeout ""this exit code will be used.")
 
FUZZER_FLAG_INT (max_total_time
    If indicates the maximal total time in seconds to run the fuzzer
 
FUZZER_FLAG_INT (merge, 0, "If 1, the 2-nd, 3-rd, etc corpora will be ""merged into the 1-st corpus. Only interesting units will be taken. ""This flag can be used to minimize a corpus.")
 
FUZZER_FLAG_INT (minimize_crash
    minimizes the provided crash input Use with etc
 
FUZZER_FLAG_INT (use_memmem, 1, "Use hints from intercepting memmem, strstr, etc")
 
FUZZER_FLAG_INT (use_value_profile
    Experimental Use value profile to guide fuzzing
 
FUZZER_FLAG_UNSIGNED (jobs, 0, "Number of jobs to run. If jobs >= 1 we spawn"" this number of jobs in separate worker processes"" with stdout/stderr redirected to fuzz-JOB.log.")
 
FUZZER_FLAG_UNSIGNED (workers
    Number of simultaneous worker processes to run the jobs If min (jobs, NumberOfCpuCores()/2)\" is used.")
 
FUZZER_FLAG_INT (reload
    Reload the main corpus every <N> seconds to get new units discovered by other processes disabled
 
FUZZER_FLAG_INT (report_slow_units, 10, "Report slowest units if they run for more than this number of seconds.")
 
FUZZER_FLAG_INT (only_ascii
    generate only ASCII (isprint+isspace) inputs.")
 
FUZZER_FLAG_STRING (artifact_prefix
    Write fuzzing artifacts (crash," "timeout, or slow inputs) as" "$(artifact_prefix) file")
 
FUZZER_FLAG_STRING (exact_artifact_path
    Write the single artifact on failure (crash, timeout)" "as $(exact_artifact_path). This overrides -artifact_prefix" "and will not use checksum in the file name. Do not" "use the same path for several parallel processes.")
 
FUZZER_FLAG_INT (print_corpus_stats
    print statistics on corpus elements at exit
 
FUZZER_FLAG_INT (print_coverage, 0, "If 1, print coverage information at exit."" Experimental, only with trace-pc-guard")
 
FUZZER_FLAG_INT (dump_coverage
    dump coverage information at exit only with trace pc guard
 
FUZZER_FLAG_INT (close_fd_mask, 0, "If 1, close stdout at startup; ""if 2, close stderr; if 3, close both. ""Be careful, this will also close e.g. asan's stderr/stdout.")
 
FUZZER_FLAG_INT (detect_leaks
    and if LeakSanitizer is enabled try to detect memory leaks during fuzzing (i.e. not only at shut down).")
 
FUZZER_FLAG_INT (trace_malloc
 
long GetEpoch (const std::string &Path)
 
Unit FileToVector (const std::string &Path, size_t MaxSize, bool ExitOnError)
 
std::string FileToString (const std::string &Path)
 
void CopyFileToErr (const std::string &Path)
 
void WriteToFile (const Unit &U, const std::string &Path)
 
void ReadDirToVectorOfUnits (const char *Path, std::vector< Unit > *V, long *Epoch, size_t MaxSize, bool ExitOnError)
 
std::string DirPlusFile (const std::string &DirPath, const std::string &FileName)
 
void DupAndCloseStderr ()
 
void CloseStdout ()
 
void Printf (const char *Fmt,...)
 
std::string DirName (const std::string &FileName)
 
std::string TmpDir ()
 
bool IsFile (const std::string &Path)
 
void ListFilesInDirRecursive (const std::string &Dir, long *Epoch, std::vector< std::string > *V, bool TopDir)
 
char GetSeparator ()
 
FILE * OpenFile (int Fd, const char *Mode)
 
int CloseFile (int Fd)
 
int DuplicateFile (int Fd)
 
void RemoveFile (const std::string &Path)
 
static void MissingExternalApiFunction (const char *FnName)
 
ATTRIBUTE_NO_SANITIZE_MEMORY void MallocHook (const volatile void *ptr, size_t size)
 
ATTRIBUTE_NO_SANITIZE_MEMORY void FreeHook (const volatile void *ptr)
 
static void WarnOnUnsuccessfullMerge (bool DoWarn)
 
static size_t ComputeMutationLen (size_t MaxInputSize, size_t MaxMutationLen, Random &Rand)
 
static void PrintASCII (const Word &W, const char *PrintAfter)
 
static char RandCh (Random &Rand)
 
template<class T >
size_t ChangeBinaryInteger (uint8_t *Data, size_t Size, Random &Rand)
 
void ComputeSHA1 (const uint8_t *Data, size_t Len, uint8_t *Out)
 
std::string Sha1ToString (const uint8_t Sha1[kSHA1NumBytes])
 
std::string Hash (const Unit &U)
 
static bool IsInterestingCoverageFile (std::string &File)
 
static size_t InternalStrnlen (const char *S, size_t MaxLen)
 
void PrintHexArray (const uint8_t *Data, size_t Size, const char *PrintAfter)
 
void Print (const Unit &v, const char *PrintAfter)
 
void PrintASCIIByte (uint8_t Byte)
 
void PrintASCII (const uint8_t *Data, size_t Size, const char *PrintAfter)
 
void PrintASCII (const Unit &U, const char *PrintAfter)
 
bool ToASCII (uint8_t *Data, size_t Size)
 
bool IsASCII (const Unit &U)
 
bool IsASCII (const uint8_t *Data, size_t Size)
 
std::string Base64 (const Unit &U)
 
std::string DescribePC (const char *SymbolizedFMT, uintptr_t PC)
 
void PrintPC (const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC)
 
unsigned NumberOfCpuCores ()
 
bool ExecuteCommandAndReadOutput (const std::string &Command, std::string *Out)
 
void PrintHexArray (const Unit &U, const char *PrintAfter="")
 
void SetSignalHandler (const FuzzingOptions &Options)
 
void SleepSeconds (int Seconds)
 
unsigned long GetPid ()
 
size_t GetPeakRSSMb ()
 
int ExecuteCommand (const std::string &Command)
 
FILE * OpenProcessPipe (const char *Command, const char *Mode)
 
const void * SearchMemory (const void *haystack, size_t haystacklen, const void *needle, size_t needlelen)
 
std::string CloneArgsWithoutX (const std::vector< std::string > &Args, const char *X1, const char *X2)
 
std::string CloneArgsWithoutX (const std::vector< std::string > &Args, const char *X)
 

Variables

ExternalFunctions * EF
 
struct {
   fuzzer::If
   fuzzer::If
   fuzzer::positive
   fuzzer::If
   fuzzer::runs
   fuzzer::strcmp
   fuzzer::zero
   fuzzer::If
   fuzzer::If
   fuzzer::If
   fuzzer::If
   fuzzer::Experimental
   fuzzer::If
 
Flags
 
static FILE * OutputFile = stderr
 
static const size_t kMaxUnitSizeToPrint = 256
 
static Fuzzer * F
 
static MallocFreeTracer AllocTracer
 
static const int kSHA1NumBytes = 20
 
TracePC TPC
 
static bool RecordingMemcmp = false
 
static bool RecordingMemmem = false
 
static bool DoingMyOwnMemmem = false
 
static TraceState * TS
 

Typedef Documentation

typedef std::vector<uint8_t> fuzzer::Unit

Definition at line 71 of file FuzzerDefs.h.

typedef std::vector<Unit> fuzzer::UnitVector

Definition at line 72 of file FuzzerDefs.h.

typedef int(* fuzzer::UserCallback)(const uint8_t *Data, size_t Size)

Definition at line 73 of file FuzzerDefs.h.

typedef FixedWord<27> fuzzer::Word

Definition at line 53 of file FuzzerDictionary.h.

Function Documentation

fuzzer::@269::artifacts ( crash," " timeout, or slow inputs )
fuzzer::ASCII ( isprint+isspace )
std::string fuzzer::Base64 ( const Unit &  U)

Definition at line 154 of file FuzzerUtil.cpp.

References i.

Referenced by TEST().

uint8_t fuzzer::Bswap ( uint8_t  x)
inline

Definition at line 82 of file FuzzerDefs.h.

Referenced by ChangeBinaryInteger().

uint16_t fuzzer::Bswap ( uint16_t  x)
inline

Definition at line 83 of file FuzzerDefs.h.

uint32_t fuzzer::Bswap ( uint32_t  x)
inline

Definition at line 84 of file FuzzerDefs.h.

uint64_t fuzzer::Bswap ( uint64_t  x)
inline

Definition at line 85 of file FuzzerDefs.h.

template<class T >
size_t fuzzer::ChangeBinaryInteger ( uint8_t *  Data,
size_t  Size,
Random &  Rand 
)

Definition at line 362 of file FuzzerMutate.cpp.

References llvm::MCID::Add, assert(), Bswap(), fuzzer::Random::RandBool(), and T.

std::string fuzzer::CloneArgsWithoutX ( const std::vector< std::string > &  Args,
const char *  X1,
const char *  X2 
)
std::string fuzzer::CloneArgsWithoutX ( const std::vector< std::string > &  Args,
const char *  X 
)
inline

Definition at line 65 of file FuzzerUtil.h.

References CloneArgsWithoutX().

int fuzzer::CloseFile ( int  Fd)

Referenced by CloseStdout(), and DupAndCloseStderr().

void fuzzer::CloseStdout ( )

Definition at line 105 of file FuzzerIO.cpp.

References CloseFile().

static size_t fuzzer::ComputeMutationLen ( size_t  MaxInputSize,
size_t  MaxMutationLen,
Random &  Rand 
)
static

Definition at line 710 of file FuzzerLoop.cpp.

References assert(), Min(), and fuzzer::Random::Rand().

void fuzzer::ComputeSHA1 ( const uint8_t *  Data,
size_t  Len,
uint8_t *  Out 
)

Definition at line 202 of file FuzzerSHA1.cpp.

References HASH_LENGTH.

Referenced by fuzzer::InputCorpus::AddToCorpus(), and Hash().

void fuzzer::CopyFileToErr ( const std::string &  Path)

Definition at line 57 of file FuzzerIO.cpp.

References llvm::c_str(), FileToString(), and Printf().

std::string fuzzer::DescribePC ( const char *  SymbolizedFMT,
uintptr_t  PC 
)

Definition at line 182 of file FuzzerUtil.cpp.

References EF.

Referenced by fuzzer::TracePC::PrintCoverage(), and PrintPC().

std::string fuzzer::DirName ( const std::string &  FileName)
std::string fuzzer::DirPlusFile ( const std::string &  DirPath,
const std::string &  FileName 
)

Definition at line 87 of file FuzzerIO.cpp.

References GetSeparator().

Referenced by fuzzer::Fuzzer::CrashResistantMerge(), and fuzzer::InputCorpus::DeleteInput().

void fuzzer::DupAndCloseStderr ( )

Definition at line 92 of file FuzzerIO.cpp.

References CloseFile(), DuplicateFile(), EF, OpenFile(), and OutputFile.

int fuzzer::DuplicateFile ( int  Fd)

Referenced by DupAndCloseStderr().

int fuzzer::ExecuteCommand ( const std::string &  Command)
bool fuzzer::ExecuteCommandAndReadOutput ( const std::string &  Command,
std::string *  Out 
)

Definition at line 208 of file FuzzerUtil.cpp.

References N, OpenProcessPipe(), and AMDGPU::RuntimeMD::KernelArg::Pipe.

Referenced by fuzzer::TracePC::PrintCoverage().

fuzzer::@269::failure ( crash  ,
timeout   
)
override
std::string fuzzer::FileToString ( const std::string &  Path)

Definition at line 51 of file FuzzerIO.cpp.

References T.

Referenced by CopyFileToErr().

Unit fuzzer::FileToVector ( const std::string &  Path,
size_t  MaxSize,
bool  ExitOnError 
)
ATTRIBUTE_NO_SANITIZE_MEMORY void fuzzer::FreeHook ( const volatile void *  ptr)
fuzzer::@269::FUZZER_FLAG_INT ( runs, -1, "Number of individual test runs (-1 for infinite runs)." )

fuzzer::@269::FUZZER_FLAG_INT ( mutate_depth, 5, "Apply this number of consecutive mutations to each input." )

fuzzer::@269::FUZZER_FLAG_INT ( timeout, 1200, "Timeout in seconds (if positive). ""If one unit runs more than this number of seconds the process will abort." )

fuzzer::@269::FUZZER_FLAG_INT ( timeout_exitcode, 77, "When libFuzzer reports a timeout ""this exit code will be used." )

fuzzer::@269::FUZZER_FLAG_INT ( merge, 0, "If 1, the 2-nd, 3-rd, etc corpora will be ""merged into the 1-st corpus. Only interesting units will be taken. ""This flag can be used to minimize a corpus." )

fuzzer::@269::FUZZER_FLAG_INT ( use_memmem, 1, "Use hints from intercepting memmem, strstr, etc" )

fuzzer::@269::FUZZER_FLAG_INT ( report_slow_units, 10, "Report slowest units if they run for more than this number of seconds." )

fuzzer::@269::FUZZER_FLAG_INT ( print_coverage, 0, "If 1, print coverage information at exit."" Experimental, only with trace-pc-guard" )

fuzzer::@269::FUZZER_FLAG_INT ( close_fd_mask, 0, "If 1, close stdout at startup; ""if 2, close stderr; if 3, close both. ""Be careful, this will also close e.g. asan's stderr/stdout." )

fuzzer::@269::FUZZER_FLAG_UNSIGNED ( jobs, 0, "Number of jobs to run. If jobs >= 1 we spawn"" this number of jobs in separate worker processes"" with stdout/stderr redirected to fuzz-JOB.log." )

int fuzzer::FuzzerDriver ( int *  argc,
char ***  argv,
UserCallback  Callback 
)

Referenced by main().

fuzzer::@269::fuzzing ( i.e. not only at shut down )
long fuzzer::GetEpoch ( const std::string &  Path)

Definition at line 26 of file FuzzerIO.cpp.

Referenced by fuzzer::Fuzzer::Fuzzer(), and ReadDirToVectorOfUnits().

size_t fuzzer::GetPeakRSSMb ( )
unsigned long fuzzer::GetPid ( )
char fuzzer::GetSeparator ( )

Referenced by DirPlusFile().

std::string fuzzer::Hash ( const Unit &  U)
static size_t fuzzer::InternalStrnlen ( const char *  S,
size_t  MaxLen 
)
static

Definition at line 199 of file FuzzerTraceState.cpp.

Referenced by __sanitizer_weak_hook_strncmp().

bool fuzzer::IsASCII ( const Unit &  U)

Definition at line 73 of file FuzzerUtil.cpp.

bool fuzzer::IsASCII ( const uint8_t *  Data,
size_t  Size 
)

Definition at line 75 of file FuzzerUtil.cpp.

References i.

bool fuzzer::IsFile ( const std::string &  Path)
static bool fuzzer::IsInterestingCoverageFile ( std::string &  File)
static

Definition at line 70 of file FuzzerTracePC.cpp.

Referenced by fuzzer::TracePC::PrintCoverage().

void fuzzer::ListFilesInDirRecursive ( const std::string &  Dir,
long *  Epoch,
std::vector< std::string > *  V,
bool  TopDir 
)
ATTRIBUTE_NO_SANITIZE_MEMORY void fuzzer::MallocHook ( const volatile void *  ptr,
size_t  size 
)
template<class T >
T fuzzer::Max ( T  a,
T  b 
)

Definition at line 57 of file FuzzerDefs.h.

Referenced by getDecodedRMWOperation().

template<class T >
T fuzzer::Min ( T  a,
T  b 
)
fuzzer::min ( jobs  ,
NumberOfCpuCores()/  2 
)

Referenced by __sanitizer_weak_hook_strcmp(), __sanitizer_weak_hook_strncmp(), llvm::AbsoluteDifference(), add(), fuzzer::TraceState::AddInterestingWord(), llvm::DwarfExpression::AddUnsignedConstant(), fuzzer::TracePC::AddValueForMemcmp(), fuzzer::TracePC::AddValueForStrcmp(), llvm::IntervalMapImpl::NodeBase< std::pair< KeyT, KeyT >, ValT, N >::adjustFromLeftSib(), llvm::GCNHazardRecognizer::AdvanceCycle(), llvm::BitVector::anyCommon(), llvm::SmallBitVector::anyCommon(), llvm::LanaiInstrInfo::areMemAccessesTriviallyDisjoint(), llvm::HexagonFrameLowering::assignCalleeSavedSpillSlots(), assignCalleeSavedSpillSlots(), calculateSetFPREG(), canReduceVMulWidth(), llvm::CC_ARM_AAPCS_Custom_Aggregate(), llvm::CC_X86_32_MCUInReg(), checkLinkerOptCommand(), combineLoad(), combineStore(), llvm::StringRef::compare(), llvm::StringRef::compare_lower(), llvm::StringRef::compare_numeric(), llvm::ComputeEditDistance(), llvm::SelectionDAG::computeKnownBits(), computeKnownBitsFromOperator(), computeKnownBitsMul(), ComputeNumSignBits(), llvm::SelectionDAG::ComputeNumSignBits(), computeNumSignBitsVectorConstant(), llvm::FunctionLoweringInfo::ComputePHILiveOutRegInfo(), llvm::ConstantFoldBinaryInstruction(), llvm::APInt::countTrailingZeros(), fuzzer::MutationDispatcher::CrossOver(), DecodeDPRRegListOperand(), llvm::msf::StreamRefBase< ReadableStream, ReadableStreamRef >::drop_front(), EmitNop(), llvm::ARMFrameLowering::emitPrologue(), llvm::emitSourceFileHeader(), llvm::X86FrameLowering::emitSPUpdate(), llvm::SystemZSelectionDAGInfo::EmitTargetCodeForMemset(), llvm::emitThumbRegPlusImmediate(), llvm::CodeViewContext::encodeDefRange(), llvm::CodeViewContext::encodeInlineLineTable(), estimateRSStackSizeLimit(), llvm::AlignmentFromAssumptionsPass::extractAlignmentInfo(), FileToVector(), llvm::BlockFrequencyInfoImplBase::finalizeMetrics(), llvm::StringRef::find(), llvm::StringRef::find_first_not_of(), llvm::StringRef::find_first_of(), llvm::StringRef::find_last_not_of(), 
llvm::StringRef::find_last_of(), findCommonAlignment(), FoldIntToFPToInt(), llvm::InstCombiner::FoldItoFPtoI(), llvm::X86InstrInfo::foldMemoryOperandImpl(), getBranchHint(), llvm::AMDGPUSubtarget::getFlatWorkGroupSizes(), getFullUnrollBoostingFactor(), llvm::AMDGPUDisassembler::getInstruction(), getInt64Count(), llvm::ARMTTIImpl::getIntImmCost(), llvm::SIRegisterInfo::getMaxNumSGPRs(), getMaxWaves(), getMemsetStringVal(), llvm::ScalarEvolution::GetMinTrailingZeros(), llvm::ScalarEvolution::getMulExpr(), getNoopInput(), llvm::getOrEnforceKnownAlignment(), llvm::object::COFFObjectFile::getSymbolAlignment(), llvm::MipsTargetLowering::HandleByVal(), llvm::TextInstrProfReader::hasFormat(), llvm::raw_ostream::indent(), llvm::SelectionDAG::InferPtrAlignment(), llvm::ResourcePriorityQueue::initNumRegDefsLeft(), llvm::InlineFunction(), intersect(), llvm::AArch64TargetLowering::isLegalAddImmediate(), isOverwrite(), isVectorPromotionViableForSlice(), llvm::msf::StreamRefBase< ReadableStream, ReadableStreamRef >::keep_front(), KnuthDiv(), LLVMDisasmInstruction(), LLVMInitializeMCJITCompilerOptions(), llvm::AMDGPUTargetLowering::LowerDIVREM24(), LowerVAARG(), llvm::ConstantRange::lshr(), llvm::StringRef::ltrim(), llvm::detail::IEEEFloat::makeNaN(), mapNameAndUniqueName(), llvm::codeview::CodeViewRecordIO::maxFieldLength(), llvm::RandomNumberGenerator::min(), MIsNeedChainEdge(), llvm::object::COFFObjectFile::moveSymbolNext(), llvm::ConstantRange::multiply(), fuzzer::MutationDispatcher::Mutate_InsertRepeatedBytes(), fuzzer::MutationDispatcher::Mutate_ShuffleBytes(), operator new(), llvm::BitVector::operator&=(), llvm::BitVector::operator==(), llvm::pdb::PDBFile::parseFileHeaders(), PerformSTORECombine(), PerformVMOVRRDCombine(), llvm::SMDiagnostic::print(), llvm::X86FrameLowering::processFunctionBeforeFrameFinalized(), llvm::AArch64TargetLowering::ReconstructShuffle(), llvm::BitVector::reset(), llvm::SmallBitVector::reset(), RewriteP2Align(), llvm::StringRef::rfind(), 
llvm::StringRef::rfind_lower(), llvm::StringRef::rtrim(), llvm::Interpreter::runFunction(), scalarizeMaskedLoad(), llvm::detail::scalbn(), llvm::CachePruning::setMaxSize(), llvm::ConstantRange::shl(), SimplifyExtractValueInst(), llvm::StringRef::slice(), llvm::SplitEditor::splitRegInBlock(), llvm::SplitEditor::splitRegOutBlock(), llvm::SplitEditor::splitSingleBlock(), llvm::StringRef::substr(), llvm::SmallPtrSetImplBase::swap(), llvm::BitVector::test(), llvm::SmallBitVector::test(), llvm::MachineInstr::tieOperands(), llvm::ScaledNumberBase::toString(), toStringAPFloat(), fuzzer::TraceState::TraceMemcmpCallback(), llvm::sroa::AllocaSliceRewriter::visit(), llvm::InstCombiner::visitSwitchInst(), llvm::write_hex(), and llvm::msf::WritableMappedBlockStream::writeBytes().

static void fuzzer::MissingExternalApiFunction ( const char *  FnName)
static

Definition at line 45 of file FuzzerLoop.cpp.

References Printf().

unsigned fuzzer::NumberOfCpuCores ( )

Definition at line 198 of file FuzzerUtil.cpp.

References N, and Printf().

FILE* fuzzer::OpenFile ( int  Fd,
const char *  Mode 
)

Referenced by DupAndCloseStderr().

FILE* fuzzer::OpenProcessPipe ( const char *  Command,
const char *  Mode 
)
bool fuzzer::ParseDictionaryFile ( const std::string &  Text,
std::vector< Unit > *  Units 
)

Definition at line 127 of file FuzzerUtil.cpp.

References ParseOneDictionaryEntry(), and Printf().

Referenced by TEST().

bool fuzzer::ParseOneDictionaryEntry ( const std::string &  Str,
Unit *  U 
)

Definition at line 81 of file FuzzerUtil.cpp.

References assert(), and L.

Referenced by ParseDictionaryFile(), and TEST().

void fuzzer::Print ( const Unit &  v,
const char *  PrintAfter 
)

Definition at line 34 of file FuzzerUtil.cpp.

References PrintAfter(), and PrintHexArray().

static void fuzzer::PrintASCII ( const Word &  W,
const char *  PrintAfter 
)
static
void fuzzer::PrintASCII ( const uint8_t *  Data,
size_t  Size,
const char *  PrintAfter 
)

Definition at line 49 of file FuzzerUtil.cpp.

References i, PrintASCIIByte(), and Printf().

void fuzzer::PrintASCII ( const Unit &  U,
const char *  PrintAfter 
)

Definition at line 55 of file FuzzerUtil.cpp.

References PrintAfter(), and PrintASCII().

void fuzzer::PrintASCIIByte ( uint8_t  Byte)

Definition at line 38 of file FuzzerUtil.cpp.

References Printf().

Referenced by PrintASCII().

void fuzzer::Printf ( const char *  Fmt,
  ... 
)
void fuzzer::PrintHexArray ( const Unit &  U,
const char *  PrintAfter = "" 
)
void fuzzer::PrintHexArray ( const uint8_t *  Data,
size_t  Size,
const char *  PrintAfter 
)

Definition at line 27 of file FuzzerUtil.cpp.

References i, and Printf().

Referenced by Print().

void fuzzer::PrintPC ( const char *  SymbolizedFMT,
const char *  FallbackFMT,
uintptr_t  PC 
)

Definition at line 191 of file FuzzerUtil.cpp.

References llvm::c_str(), DescribePC(), EF, and Printf().

Referenced by fuzzer::TracePC::PrintNewPCs().

static char fuzzer::RandCh ( Random &  Rand)
static
void fuzzer::ReadDirToVectorOfUnits ( const char *  Path,
std::vector< Unit > *  V,
long *  Epoch,
size_t  MaxSize,
bool  ExitOnError 
)
void fuzzer::RemoveFile ( const std::string &  Path)
const void* fuzzer::SearchMemory ( const void *  haystack,
size_t  haystacklen,
const void *  needle,
size_t  needlelen 
)
void fuzzer::SetSignalHandler ( const FuzzingOptions &  Options)
std::string fuzzer::Sha1ToString ( const uint8_t  Sha1[kSHA1NumBytes])
void fuzzer::SleepSeconds ( int  Seconds)
std::string fuzzer::TmpDir ( )
bool fuzzer::ToASCII ( uint8_t *  Data,
size_t  Size 
)

Definition at line 59 of file FuzzerUtil.cpp.

References i, and X.

static void fuzzer::WarnOnUnsuccessfullMerge ( bool  DoWarn)
static

Definition at line 219 of file FuzzerLoop.cpp.

References Printf().

void fuzzer::WriteToFile ( const Unit &  U,
const std::string &  Path 
)

Definition at line 61 of file FuzzerIO.cpp.

Variable Documentation

MallocFreeTracer fuzzer::AllocTracer
static

Definition at line 138 of file FuzzerLoop.cpp.

Referenced by fuzzer::Fuzzer::ExecuteCallback(), FreeHook(), and MallocHook().

bool fuzzer::DoingMyOwnMemmem = false
static
ExternalFunctions* fuzzer::EF

Referenced by DescribePC(), DupAndCloseStderr(), FreeHook(), fuzzer::Fuzzer::Fuzzer(), llvm::object::ELFObjectFile< ELFT >::getArch(), llvm::object::ELFObjectFile< ELFT >::getFileFormatName(), llvm::object::ELFObjectFile< ELFT >::getRel(), llvm::object::ELFObjectFile< ELFT >::getRela(), llvm::object::ELFObjectFile< ELFT >::getRelocatedSection(), llvm::object::ELFObjectFile< ELFT >::getRelocationOffset(), llvm::object::ELFObjectFile< ELFT >::getRelocationSymbol(), llvm::object::ELFObjectFile< ELFT >::getRelocationType(), llvm::object::ELFObjectFile< ELFT >::getRelocationTypeName(), llvm::object::ELFObjectFile< ELFT >::getSectionName(), llvm::object::ELFObjectFile< ELFT >::getSymbolAddress(), llvm::object::ELFObjectFile< ELFT >::getSymbolFlags(), llvm::object::ELFObjectFile< ELFT >::getSymbolName(), llvm::object::ELFObjectFile< ELFT >::getSymbolSection(), llvm::object::ELFObjectFile< ELFT >::getSymbolValueImpl(), fuzzer::Fuzzer::HandleMalloc(), llvm::object::ELFObjectFile< ELFT >::isRelocatableObject(), MallocHook(), fuzzer::MutationDispatcher::Mutate_Custom(), fuzzer::MutationDispatcher::Mutate_CustomCrossOver(), fuzzer::MutationDispatcher::MutationDispatcher(), fuzzer::TracePC::PrintCoverage(), PrintPC(), fuzzer::Fuzzer::RssLimitCallback(), llvm::object::ELFObjectFile< ELFT >::section_begin(), llvm::object::ELFObjectFile< ELFT >::section_end(), llvm::object::ELFObjectFile< ELFT >::section_rel_begin(), llvm::object::ELFObjectFile< ELFT >::section_rel_end(), TEST(), TestAddWordFromDictionary(), TestAddWordFromDictionaryWithHint(), TestChangeASCIIInteger(), TestChangeBinaryInteger(), TestChangeBit(), TestChangeByte(), TestCopyPart(), TestEraseBytes(), TestInsertByte(), TestInsertRepeatedBytes(), TestShuffleBytes(), and fuzzer::Fuzzer::TryDetectingAMemoryLeak().

fuzzer::Experimental

Definition at line 86 of file FuzzerDriver.cpp.

Fuzzer* fuzzer::F
static
struct { ... } fuzzer::Flags

Referenced by llvm::MachineInstrBuilder::addDef(), addFastMathFlag(), llvm::addFrameReference(), llvm::ModuleSymbolTable::addModule(), addSaveRestoreRegs(), llvm::MachineInstrBuilder::addUse(), llvm::BitstreamCursor::advance(), llvm::BitstreamCursor::advanceSkippingSubblocks(), llvm::FastMathFlags::allowReciprocal(), llvm::CCState::AnalyzeCallResult(), llvm::FastMathFlags::any(), argsAreStructReturn(), llvm::DwarfDebug::beginInstruction(), llvm::BinaryConstantExpr::BinaryConstantExpr(), BuildExactSDIV(), llvm::buildModuleSummaryIndex(), llvm::TargetLowering::BuildSDIV(), callIsStructReturn(), canUseSiblingCall(), llvm::object::MachOObjectFile::checkSymbolTable(), llvm::FastMathFlags::clear(), llvm::MachineInstr::clearFlag(), combineBrCond(), combineCMov(), computeAliasSummary(), computeFunctionSummary(), llvm::rdf::Liveness::computePhiInfo(), llvm::RuntimeDyldImpl::computeTotalAllocSize(), computeVariableSummary(), llvm::GetElementPtrConstantExpr::Create(), llvm::MCContext::createELFRelSection(), llvm::IRBuilderBase::CreateGCStatepointCall(), llvm::IRBuilderBase::CreateGCStatepointInvoke(), llvm::FastISel::createMachineMemOperandFor(), llvm::DIBuilder::createObjectPointerType(), llvm::MDBuilder::createTBAANode(), llvm::MipsTargetELFStreamer::emitDirectiveAbiCalls(), llvm::MipsTargetELFStreamer::emitDirectiveNaN2008(), llvm::MipsTargetELFStreamer::emitDirectiveNaNLegacy(), llvm::MipsTargetELFStreamer::emitDirectiveOptionPic0(), llvm::MipsTargetELFStreamer::emitDirectiveOptionPic2(), llvm::MipsTargetELFStreamer::emitDirectiveSetMips16(), llvm::MipsTargetELFStreamer::emitDirectiveSetNoReorder(), EmitDwarfLineTable(), llvm::ARMAsmPrinter::EmitEndOfAsmFile(), llvm::X86AsmPrinter::EmitEndOfAsmFile(), llvm::SITargetLowering::EmitInstrWithCustomInserter(), llvm::TargetLoweringBase::emitPatchPoint(), llvm::TargetLoweringObjectFileELF::emitPersonalityValue(), llvm::HexagonSelectionDAGInfo::EmitTargetCodeForMemcpy(), llvm::ARMBaseInstrInfo::expandLoadStackGuardBase(), 
llvm::pdb::DIARawSymbol::findChildren(), llvm::pdb::DIARawSymbol::findChildrenByRVA(), llvm::orc::remote::OrcRemoteTargetClient< ChannelT >::RCIndirectStubsManager::findPointer(), llvm::orc::remote::OrcRemoteTargetClient< ChannelT >::RCIndirectStubsManager::findStub(), llvm::object::MachOBindEntry::flags(), llvm::TargetInstrInfo::foldMemoryOperand(), llvm::JITSymbolFlags::fromGlobalValue(), llvm::JITSymbolFlags::fromObjectSymbol(), false::GepNode::GepNode(), ExtraFlags::get(), llvm::ConstantExpr::getAdd(), llvm::ScalarEvolution::getAddRecExpr(), llvm::rdf::Liveness::getAllReachingDefs(), getCOFFSectionFlags(), getELFSectionFlags(), llvm::TargetLoweringObjectFileELF::getExplicitSectionGlobal(), llvm::MachineInstr::getFlag(), llvm::MCSectionELF::getFlags(), llvm::MCDwarfLoc::getFlags(), llvm::MachineInstr::getFlags(), llvm::SymbolTableEntry::getFlags(), llvm::DILocalVariable::getFlags(), llvm::MDNodeKeyImpl< DIDerivedType >::getHashValue(), llvm::MDNodeKeyImpl< DISubroutineType >::getHashValue(), llvm::MDNodeKeyImpl< DILocalVariable >::getHashValue(), getMClassFlagsMask(), llvm::ConstantExpr::getMul(), GetNegatedExpression(), llvm::rdf::DataFlowGraph::getNextShadow(), getOptimizationFlags(), llvm::NVPTXTargetLowering::getPrototype(), llvm::CCState::getRemainingRegParmsForType(), llvm::GetReturnInfo(), llvm::object::MachOObjectFile::getSectionType(), llvm::ConstantExpr::getShl(), getStaticStructorSection(), llvm::ConstantExpr::getSub(), llvm::object::ObjectFile::getSymbolValue(), getTargetFlagName(), getXCoreSectionFlags(), handleAsmUndefinedRefs(), llvm::CallLowering::handleAssignments(), llvm::FunctionImporter::importFunctions(), llvm::ARMElfTargetObjectFile::Initialize(), llvm::HexagonInstrInfo::insertBranch(), llvm::HexagonMCInstrInfo::isInnerLoop(), llvm::MDNodeKeyImpl< DIDerivedType >::isKeyOf(), llvm::MDNodeKeyImpl< DICompositeType >::isKeyOf(), llvm::MDNodeKeyImpl< DISubroutineType >::isKeyOf(), llvm::MDNodeKeyImpl< DISubprogram >::isKeyOf(), 
llvm::MDNodeKeyImpl< DILocalVariable >::isKeyOf(), llvm::HexagonMCInstrInfo::isMemReorderDisabled(), llvm::HexagonMCInstrInfo::isMemStoreReorderEnabled(), llvm::HexagonMCInstrInfo::isOuterLoop(), llvm::rdf::DataFlowGraph::IsPreservingDef(), llvm::object::MachOObjectFile::isSectionBSS(), llvm::object::MachOObjectFile::isSectionData(), llvm::object::MachOObjectFile::isSectionText(), llvm::RuntimeDyldImpl::loadObjectImpl(), llvm::SelectionDAGBuilder::LowerAsSTATEPOINT(), llvm::HexagonTargetLowering::LowerCall(), llvm::NVPTXTargetLowering::LowerCall(), llvm::SparcTargetLowering::LowerCall_32(), llvm::FastISel::lowerCallTo(), llvm::TargetLowering::LowerCallTo(), llvm::HexagonTargetLowering::LowerFormalArguments(), llvm::SITargetLowering::LowerFormalArguments(), llvm::SparcTargetLowering::LowerFormalArguments_32(), llvm::HexagonTargetLowering::LowerINLINEASM(), makeStatepointExplicitImpl(), llvm::MapMetadata(), llvm::MapValue(), llvm::codeview::MemberAttributes::MemberAttributes(), llvm::object::MachOBindEntry::moveNext(), llvm::FastMathFlags::noInfs(), llvm::FastMathFlags::noNaNs(), llvm::FastMathFlags::noSignedZeros(), llvm::FastMathFlags::operator&=(), llvm::rdf::operator<<(), llvm::MachineInstr::print(), llvm::ARMAsmPrinter::PrintAsmOperand(), llvm::MipsAsmPrinter::PrintAsmOperand(), llvm::opt::OptTable::PrintHelp(), llvm::MCSectionELF::PrintSwitchToSection(), llvm::MIPrinter::printTargetFlags(), promoteExtBeforeAdd(), llvm::RemapFunction(), llvm::RemapInstruction(), llvm::SelectionDAGISel::SelectInlineAsmMemoryOperands(), llvm::TargetLoweringObjectFileELF::SelectSectionForGlobal(), llvm::FastMathFlags::setAllowReciprocal(), llvm::MCAssembler::setELFHeaderEFlags(), llvm::MachineInstr::setFlag(), llvm::MCSectionELF::setFlags(), llvm::MCDwarfLoc::setFlags(), llvm::MachineInstr::setFlags(), llvm::FastMathFlags::setNoInfs(), llvm::FastMathFlags::setNoNaNs(), llvm::FastMathFlags::setNoSignedZeros(), llvm::SCEVCommutativeExpr::setNoWrapFlags(), 
llvm::SCEVAddRecExpr::setNoWrapFlags(), llvm::FastMathFlags::setUnsafeAlgebra(), llvm::MipsTargetELFStreamer::setUsesMicroMips(), llvm::TargetLowering::SimplifyDemandedBits(), llvm::DINode::splitFlags(), StrengthenNoWrapFlags(), llvm::thinLTOInternalizeModule(), llvm::InductionDescriptor::transform(), llvm::FastMathFlags::unsafeAlgebra(), llvm::InstCombiner::visitFDiv(), llvm::MachObjectWriter::writeHeader(), and llvm::MachObjectWriter::writeObject().

fuzzer::If

Definition at line 18 of file FuzzerDriver.cpp.

const size_t fuzzer::kMaxUnitSizeToPrint = 256
static

Definition at line 41 of file FuzzerLoop.cpp.

const int fuzzer::kSHA1NumBytes = 20
static

Definition at line 22 of file FuzzerSHA1.h.

Referenced by fuzzer::InputCorpus::AddToCorpus(), Hash(), and Sha1ToString().

FILE* fuzzer::OutputFile = stderr
static

Definition at line 24 of file FuzzerIO.cpp.

Referenced by DupAndCloseStderr(), Printf(), and printSymbolizedStackTrace().

fuzzer::positive

Definition at line 36 of file FuzzerDriver.cpp.

bool fuzzer::RecordingMemcmp = false
static
bool fuzzer::RecordingMemmem = false
static
fuzzer::runs
Initial value:
=N or -max_total_time=N to limit "
"the number attempts")
FUZZER_FLAG_INT(use_memcmp, 1,
"Use hints from intercepting memcmp
#define N

Definition at line 44 of file FuzzerDriver.cpp.

fuzzer::strcmp
TracePC fuzzer::TPC
TraceState* fuzzer::TS
static
fuzzer::zero