<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/149942>149942</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
Fuzzer: test case minimizer handles input size incorrectly for `mutate_depth > 1`
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
andyleiserson
</td>
</tr>
</table>
<pre>
This bug is in the `MinimizeCrashLoop` function here:
https://github.com/llvm/llvm-project/blob/354944d675c04c87bc0e9ebcca900148f5a344b8/compiler-rt/lib/fuzzer/FuzzerLoop.cpp#L919
On line 926, it passes `U.size()` to `MD.Mutate`. `U.size()` is the size of the unit at the start of the function, but after the call to `MD.Mutate`, there is a revised size in `NewSize`. If `mutate_depth` is not 1, passing `U.size()` to subsequent calls to the mutator is incorrect. This caused problems in my custom mutator, which was attempting to maintain certain properties of the input strings. I am able to work around the problem by setting `mutate_depth` to 1.
</pre>
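<p>A stripped-down model of the loop the issue describes, added here as an example rather than taken from libFuzzer itself: a hypothetical custom mutator that maintains a property of the input (exactly one zero byte, at the end) is driven for two rounds, once with the stale <code>U.size()</code> passed to every call and once with the size returned by the previous call. The mutator, the sample unit and the 64-byte length cap are constructed for illustration.</p>

```cpp
// Added example, not libFuzzer's own code: a stripped-down model of the
// MinimizeCrashLoop inner loop the issue describes. The mutator, the sample
// unit and the 64-byte cap are constructed for illustration.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical custom mutator that keeps the property "exactly one zero
// byte, at the end" by deleting the first byte. Like libFuzzer's mutator
// interface, it is handed the current size and returns the new size.
static size_t DeleteFirstByte(uint8_t *Data, size_t Size, size_t MaxSize) {
  if (Size <= 1 || Size > MaxSize) return Size;
  std::memmove(Data, Data + 1, Size - 1);
  return Size - 1;
}

// True when the unit holds exactly one zero byte and it is the last byte.
static bool HasOneTrailingZero(const std::vector<uint8_t> &Unit) {
  if (Unit.empty() || Unit.back() != 0) return false;
  for (size_t i = 0; i + 1 < Unit.size(); i++)
    if (Unit[i] == 0) return false;
  return true;
}

// Apply MutateDepth mutations to a copy of U. With UseStaleSize the loop
// passes U.size() to every Mutate call (the behaviour reported in the
// issue); otherwise it passes the size returned by the previous call.
static std::vector<uint8_t> RunMutations(const std::vector<uint8_t> &U,
                                         int MutateDepth, bool UseStaleSize) {
  const size_t MaxMutationLen = 64;
  std::vector<uint8_t> Buf(MaxMutationLen, 0);
  std::memcpy(Buf.data(), U.data(), U.size());
  size_t NewSize = U.size();
  for (int i = 0; i < MutateDepth; i++) {
    size_t SizeArg = UseStaleSize ? U.size() : NewSize;
    NewSize = DeleteFirstByte(Buf.data(), SizeArg, MaxMutationLen);
  }
  return std::vector<uint8_t>(Buf.begin(), Buf.begin() + NewSize);
}

int main() {
  const std::vector<uint8_t> U = {'a', 'b', 'c', 0}; // constructed unit
  std::vector<uint8_t> Stale = RunMutations(U, 2, true);  // {'c', 0, 0}
  std::vector<uint8_t> Fixed = RunMutations(U, 2, false); // {'c', 0}
  // The stale size makes round two operate past the unit's real end, so the
  // second deletion is lost and a second zero byte is dragged into the unit.
  return (HasOneTrailingZero(Fixed) && !HasOneTrailingZero(Stale)) ? 0 : 1;
}
```

With <code>mutate_depth</code> equal to 1 both variants produce the same unit, which matches the reporter's workaround; the divergence only appears from the second mutation onward.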