From d75ddafc2ff3879c2b39c7d1ba974cdc2bff40b3 Mon Sep 17 00:00:00 2001
From: Kostya Serebryany
Date: Sat, 23 Jan 2016 19:34:19 +0000
Subject: [PATCH] [libFuzzer] add -abort_on_timeout option

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@258631 91177308-0d34-0410-b5e6-96231b3b80d8
---
 docs/LibFuzzer.rst | 1 +
 lib/Fuzzer/FuzzerDriver.cpp | 1 +
 lib/Fuzzer/FuzzerFlags.def | 1 +
 lib/Fuzzer/FuzzerInternal.h | 1 +
 lib/Fuzzer/FuzzerLoop.cpp | 2 ++
 lib/Fuzzer/test/fuzzer-timeout.test | 1 +
 6 files changed, 7 insertions(+)

diff --git a/docs/LibFuzzer.rst b/docs/LibFuzzer.rst
index 8f4163bd895a..7a8d090241cf 100644
--- a/docs/LibFuzzer.rst
+++ b/docs/LibFuzzer.rst
@@ -61,6 +61,7 @@ The most important flags are::
 cross_over 1 If 1, cross over inputs.
 mutate_depth 5 Apply this number of consecutive mutations to each input.
 timeout 1200 Timeout in seconds (if positive). If one unit runs more than this number of seconds the process will abort.
+ abort_on_timeout 0 If positive, call abort on timeout.
 max_total_time 0 If positive, indicates the maximal total time in seconds to run the fuzzer.
 help 0 Print help.
 merge 0 If 1, the 2-nd, 3-rd, etc corpora will be merged into the 1-st corpus. Only interesting units will be taken.
diff --git a/lib/Fuzzer/FuzzerDriver.cpp b/lib/Fuzzer/FuzzerDriver.cpp
index 33bdcfb7320a..d117681ba93f 100644
--- a/lib/Fuzzer/FuzzerDriver.cpp
+++ b/lib/Fuzzer/FuzzerDriver.cpp
@@ -268,6 +268,7 @@ int FuzzerDriver(const std::vector &Args,
 Options.Verbosity = Flags.verbosity;
 Options.MaxLen = Flags.max_len;
 Options.UnitTimeoutSec = Flags.timeout;
+ Options.AbortOnTimeout = Flags.abort_on_timeout;
 Options.MaxTotalTimeSec = Flags.max_total_time;
 Options.DoCrossOver = Flags.cross_over;
 Options.MutateDepth = Flags.mutate_depth;
diff --git a/lib/Fuzzer/FuzzerFlags.def b/lib/Fuzzer/FuzzerFlags.def
index a36b6ba50bc5..7f8d705a0d92 100644
--- a/lib/Fuzzer/FuzzerFlags.def
+++ b/lib/Fuzzer/FuzzerFlags.def
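Review bot: The assignment `Options.AbortOnTimeout = Flags.abort_on_timeout;` in the FuzzerDriver.cpp hunk converts the int flag to bool, so any non-zero value, including a negative one, enables the abort path, while the help text this patch adds in FuzzerFlags.def and docs/LibFuzzer.rst says "If positive". Either write `Options.AbortOnTimeout = Flags.abort_on_timeout > 0;` or reword the help to "If non-zero". The neighbouring `Options.DoCrossOver = Flags.cross_over;` uses the same implicit conversion, so this may be the file's convention; the rest of FuzzerDriver lies outside the hunk.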
@@ -29,6 +29,7 @@ FUZZER_FLAG_INT(
 timeout, 1200,
 "Timeout in seconds (if positive). "
 "If one unit runs more than this number of seconds the process will abort.")
+FUZZER_FLAG_INT(abort_on_timeout, 0, "If positive, call abort on timeout.")
 FUZZER_FLAG_INT(max_total_time, 0, "If positive, indicates the maximal total "
 "time in seconds to run the fuzzer.")
 FUZZER_FLAG_INT(help, 0, "Print help.")
diff --git a/lib/Fuzzer/FuzzerInternal.h b/lib/Fuzzer/FuzzerInternal.h
index 53b6cef4d917..b2a62dd79327 100644
--- a/lib/Fuzzer/FuzzerInternal.h
+++ b/lib/Fuzzer/FuzzerInternal.h
@@ -174,6 +174,7 @@ class Fuzzer {
 int Verbosity = 1;
 int MaxLen = 0;
 int UnitTimeoutSec = 300;
+ bool AbortOnTimeout = false;
 int MaxTotalTimeSec = 0;
 bool DoCrossOver = true;
 int MutateDepth = 5;
diff --git a/lib/Fuzzer/FuzzerLoop.cpp b/lib/Fuzzer/FuzzerLoop.cpp
index a84c2348b535..b39860ceec66 100644
--- a/lib/Fuzzer/FuzzerLoop.cpp
+++ b/lib/Fuzzer/FuzzerLoop.cpp
@@ -112,6 +112,8 @@ void Fuzzer::AlarmCallback() {
 if (__sanitizer_print_stack_trace)
 __sanitizer_print_stack_trace();
 Printf("SUMMARY: libFuzzer: timeout\n");
+ if (Options.AbortOnTimeout)
+ abort();
 exit(1);
 }
 }
diff --git a/lib/Fuzzer/test/fuzzer-timeout.test b/lib/Fuzzer/test/fuzzer-timeout.test
index c3a9e8a3a9e0..51d48e98e5c3 100644
--- a/lib/Fuzzer/test/fuzzer-timeout.test
+++ b/lib/Fuzzer/test/fuzzer-timeout.test
@@ -11,3 +11,4 @@ RUN: not LLVMFuzzer-TimeoutTest -timeout=1 -test_single_input=%S/hi.txt 2>&1 | F
 SingleInputTimeoutTest: ALARM: working on the last Unit for
 SingleInputTimeoutTest-NOT: Test unit written to ./timeout-
+RUN: not --crash LLVMFuzzer-TimeoutTest -timeout=1 -abort_on_timeout=1
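Review bot: The help string for `abort_on_timeout` in the FuzzerFlags.def hunk does not say what happens when the flag stays at 0, and the `timeout` entry directly above it already says "the process will abort", so the two lines read as if abort were the default. The FuzzerLoop.cpp hunk of this patch shows the default path calls `exit(1)`. A wording such as `"If positive, call abort() on timeout instead of exiting with status 1."` would make the difference visible in the -help output, and the same sentence fits the new row in docs/LibFuzzer.rst.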
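Review bot: The new branch in `Fuzzer::AlarmCallback` (FuzzerLoop.cpp hunk) carries no comment on why a timeout may end in `abort()` rather than `exit(1)`, and the two differ in ways that matter to whatever supervises the fuzzer: `abort()` terminates the process with SIGABRT, so the wait status reports a signal and a core dump becomes possible, and it does not run `atexit` handlers. I would add `// abort() raises SIGABRT so crash-collecting harnesses and core dumps see the timeout; exit(1) only sets the exit status.` above the `if`. On this path a timeout is told apart from any other abort only by the `SUMMARY: libFuzzer: timeout` line, and a sanitizer runtime that intercepts SIGABRT may print a second report after it, which is worth confirming. The callback starts before the hunk, so whether it runs in signal context is not visible here.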