LLVM  4.0.0
FuzzerDriver.cpp File Reference
#include "FuzzerCorpus.h"
#include "FuzzerInterface.h"
#include "FuzzerInternal.h"
#include "FuzzerIO.h"
#include "FuzzerMutate.h"
#include "FuzzerRandom.h"
#include "FuzzerTracePC.h"
#include <algorithm>
#include <atomic>
#include <chrono>
#include <cstring>
#include <mutex>
#include <string>
#include <thread>
#include "FuzzerFlags.def"

Classes

struct  fuzzer::FlagDescription
 

Namespaces

 fuzzer
 

Macros

#define FUZZER_DEPRECATED_FLAG(Name)
 
#define FUZZER_FLAG_INT(Name, Default, Description)   int Name;
 
#define FUZZER_FLAG_UNSIGNED(Name, Default, Description)   unsigned int Name;
 
#define FUZZER_FLAG_STRING(Name, Description)   const char *Name;
 
#define FUZZER_DEPRECATED_FLAG(Name)   {#Name, "Deprecated; don't use", 0, nullptr, nullptr, nullptr},
 
#define FUZZER_FLAG_INT(Name, Default, Description)   {#Name, Description, Default, &Flags.Name, nullptr, nullptr},
 
#define FUZZER_FLAG_UNSIGNED(Name, Default, Description)
 
#define FUZZER_FLAG_STRING(Name, Description)   {#Name, Description, 0, nullptr, &Flags.Name, nullptr},
 

Functions

 __attribute__ ((used)) void __libfuzzer_is_present()
 
 fuzzer::FUZZER_FLAG_INT (runs,-1,"Number of individual test runs (-1 for infinite runs).") FUZZER_FLAG_INT(max_len
 
Maximum length of the test
input libFuzzer tries to guess
a good value based on the
corpus and reports it 
fuzzer::FUZZER_FLAG_INT (mutate_depth, 5,"Apply this number of consecutive mutations to each input.") FUZZER_FLAG_INT(prefer_small
 
always prefer smaller inputs during
the corpus shuffle 
fuzzer::FUZZER_FLAG_INT (timeout, 1200,"Timeout in seconds (if positive). ""If one unit runs more than this number of seconds the process will abort.") FUZZER_FLAG_INT(error_exitcode
 
When libFuzzer itself reports a bug
this exit code will be used 
fuzzer::FUZZER_FLAG_INT (timeout_exitcode, 77,"When libFuzzer reports a timeout ""this exit code will be used.") FUZZER_FLAG_INT(max_total_time
 
If indicates the maximal total
time in seconds to run the
fuzzer 
fuzzer::FUZZER_FLAG_INT (merge, 0,"If 1, the 2-nd, 3-rd, etc corpora will be ""merged into the 1-st corpus. Only interesting units will be taken. ""This flag can be used to minimize a corpus.") FUZZER_FLAG_INT(minimize_crash
 
minimizes the provided
crash input Use with etc 
fuzzer::FUZZER_FLAG_INT (use_memmem, 1,"Use hints from intercepting memmem, strstr, etc") FUZZER_FLAG_INT(use_value_profile
 
Experimental Use value profile
to guide fuzzing 
fuzzer::FUZZER_FLAG_UNSIGNED (jobs, 0,"Number of jobs to run. If jobs >= 1 we spawn"" this number of jobs in separate worker processes"" with stdout/stderr redirected to fuzz-JOB.log.") FUZZER_FLAG_UNSIGNED(workers
 
Number of
simultaneous worker processes
to run the jobs If 
fuzzer::min (jobs, NumberOfCpuCores()/2)\" is used.") FUZZER_FLAG_INT(reload
 
Reload the
main corpus every <N> seconds
to get new units discovered by
other processes disabled 
fuzzer::FUZZER_FLAG_INT (report_slow_units, 10,"Report slowest units if they run for more than this number of seconds.") FUZZER_FLAG_INT(only_ascii
 
generate only 
fuzzer::ASCII (isprint+isspace) inputs.") FUZZER_FLAG_STRING(artifact_prefix
 
Write fuzzing 
fuzzer::artifacts (crash," "timeout, or slow inputs) as" "$(artifact_prefix) file") FUZZER_FLAG_STRING(exact_artifact_path
 
Write the single artifact on 
fuzzer::failure (crash, timeout)" "as $(exact_artifact_path). This overrides -artifact_prefix" "and will not use checksum in the file name. Do not" "use the same path for several parallel processes.") FUZZER_FLAG_INT(print_corpus_stats
 
print statistics on corpus
elements at exit 
fuzzer::FUZZER_FLAG_INT (print_coverage, 0,"If 1, print coverage information at exit."" Experimental, only with trace-pc-guard") FUZZER_FLAG_INT(dump_coverage
 
dump coverage
information at exit only with
trace pc guard 
fuzzer::FUZZER_FLAG_INT (close_fd_mask, 0,"If 1, close stdout at startup; ""if 2, close stderr; if 3, close both. ""Be careful, this will also close e.g. asan's stderr/stdout.") FUZZER_FLAG_INT(detect_leaks
 
and if
LeakSanitizer is enabled try
to detect memory leaks during 
fuzzer::fuzzing (i.e. not only at shut down).") FUZZER_FLAG_INT(trace_malloc
 

Variables

struct {
   one member per flag, produced by expanding FuzzerFlags.def with the
   FUZZER_FLAG_INT (int Name;), FUZZER_FLAG_UNSIGNED (unsigned int Name;)
   and FUZZER_FLAG_STRING (const char *Name;) macros listed above
} fuzzer::Flags

The generated listing also shows entries named fuzzer::If, fuzzer::positive,
fuzzer::runs, fuzzer::strcmp, fuzzer::zero and fuzzer::Experimental at this
point. Each is preceded by fragments of the flag description strings, so they
appear to be words lifted from those strings by the documentation parser
rather than declared variables.
 

Macro Definition Documentation

#define FUZZER_DEPRECATED_FLAG (   Name)

Definition at line 56 of file FuzzerDriver.cpp.

#define FUZZER_DEPRECATED_FLAG (   Name)    {#Name, "Deprecated; don't use", 0, nullptr, nullptr, nullptr},

Definition at line 56 of file FuzzerDriver.cpp.

#define FUZZER_FLAG_INT (   Name,
  Default,
  Description 
)    int Name;

Definition at line 58 of file FuzzerDriver.cpp.

#define FUZZER_FLAG_INT (   Name,
  Default,
  Description 
)    {#Name, Description, Default, &Flags.Name, nullptr, nullptr},

Definition at line 58 of file FuzzerDriver.cpp.

#define FUZZER_FLAG_STRING (   Name,
  Description 
)    const char *Name;

Definition at line 63 of file FuzzerDriver.cpp.

#define FUZZER_FLAG_STRING (   Name,
  Description 
)    {#Name, Description, 0, nullptr, &Flags.Name, nullptr},

Definition at line 63 of file FuzzerDriver.cpp.

#define FUZZER_FLAG_UNSIGNED (   Name,
  Default,
  Description 
)    unsigned int Name;

Definition at line 60 of file FuzzerDriver.cpp.

#define FUZZER_FLAG_UNSIGNED (   Name,
  Default,
  Description 
)
Value:
{#Name, Description, static_cast<int>(Default), \
nullptr, nullptr, &Flags.Name},
struct fuzzer::@269 Flags

Definition at line 60 of file FuzzerDriver.cpp.

Function Documentation

__attribute__ ( (used)  )

Definition at line 29 of file FuzzerDriver.cpp.