[llvm] r284299 - [libFuzzer] better algorithm for -minimize_crash
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Fri Oct 14 18:00:24 PDT 2016
Author: kcc
Date: Fri Oct 14 20:00:24 2016
New Revision: 284299
URL: http://llvm.org/viewvc/llvm-project?rev=284299&view=rev
Log:
[libFuzzer] better algorithm for -minimize_crash
Modified:
llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
llvm/trunk/lib/Fuzzer/FuzzerInternal.h
llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
Modified: llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp?rev=284299&r1=284298&r2=284299&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp Fri Oct 14 20:00:24 2016
@@ -345,7 +345,7 @@ int MinimizeCrashInputInternalStep(Fuzze
Corpus->AddToCorpus(U, 0);
F->SetMaxInputLen(U.size());
F->SetMaxMutationLen(U.size() - 1);
- F->Loop();
+ F->MinimizeCrashLoop(U);
Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n");
exit(0);
return 0;
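Review bot: When the crash input is already two bytes or shorter, the new `F->MinimizeCrashLoop(U)` call returns immediately (its first line is `if (U.size() <= 2) return;`), yet this step still prints `INFO: Done MinimizeCrashInputInternalStep, no crashes found` and exits 0, so the outer minimization driver cannot distinguish "nothing was tried because the input is already minimal" from "mutations were run and none crashed". Consider reporting the first case explicitly before the shared message, e.g. `if (U.size() <= 2) Printf("INFO: input is %zd bytes, nothing to minimize\n", U.size());`, or documenting at this call site that MinimizeCrashLoop only returns when its run/time budget is exhausted or the input is too small to shrink. The enclosing MinimizeCrashInputInternalStep begins above the hunk, so the provenance of `U` and `F` is not visible here.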
Modified: llvm/trunk/lib/Fuzzer/FuzzerInternal.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=284299&r1=284298&r2=284299&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerInternal.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerInternal.h Fri Oct 14 20:00:24 2016
@@ -56,6 +56,7 @@ public:
FuzzingOptions Options);
~Fuzzer();
void Loop();
+ void MinimizeCrashLoop(const Unit &U);
void ShuffleAndMinimize(UnitVector *V);
void InitializeTraceState();
void RereadOutputCorpus(size_t MaxSize);
@@ -64,6 +65,13 @@ public:
return duration_cast<seconds>(system_clock::now() - ProcessStartTime)
.count();
}
+
+ bool TimedOut() {
+ return Options.MaxTotalTimeSec > 0 &&
+ secondsSinceProcessStartUp() >
+ static_cast<size_t>(Options.MaxTotalTimeSec);
+ }
+
size_t execPerSec() {
size_t Seconds = secondsSinceProcessStartUp();
return Seconds ? TotalNumberOfRuns / Seconds : 0;
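Review bot: The new `TimedOut()` has no comment explaining the `> 0` guard, and it is not `const` although it only reads `Options` and the process start time; suggest `bool TimedOut() const {` if `secondsSinceProcessStartUp()` (declared above the hunk) is itself const, and a one-line doc comment such as `// True once more than Options.MaxTotalTimeSec seconds have elapsed since process start; 0 means no time limit.`. The `static_cast<size_t>` is safe only because the guard has already excluded non-positive values, which is worth stating in that comment since the cast would otherwise turn a negative limit into a huge one.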
Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=284299&r1=284298&r2=284299&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Fri Oct 14 20:00:24 2016
@@ -753,10 +753,7 @@ void Fuzzer::Loop() {
}
if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
break;
- if (Options.MaxTotalTimeSec > 0 &&
- secondsSinceProcessStartUp() >
- static_cast<size_t>(Options.MaxTotalTimeSec))
- break;
+ if (TimedOut()) break;
// Perform several mutations and runs.
MutateAndTestOne();
}
@@ -765,6 +762,21 @@ void Fuzzer::Loop() {
MD.PrintRecommendedDictionary();
}
+void Fuzzer::MinimizeCrashLoop(const Unit &U) {
+ if (U.size() <= 2) return;
+ while (!TimedOut() && TotalNumberOfRuns < Options.MaxNumberOfRuns) {
+ MD.StartMutationSequence();
+ memcpy(CurrentUnitData, U.data(), U.size());
+ for (int i = 0; i < Options.MutateDepth; i++) {
+ size_t NewSize = MD.Mutate(CurrentUnitData, U.size(), MaxMutationLen);
+ assert(NewSize > 0 && NewSize <= MaxMutationLen);
+ RunOne(CurrentUnitData, NewSize);
+ TryDetectingAMemoryLeak(CurrentUnitData, NewSize,
+ /*DuringInitialCorpusExecution*/ false);
+ }
+ }
+}
+
} // namespace fuzzer
extern "C" {
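Review bot: Inside the inner loop every call is `MD.Mutate(CurrentUnitData, U.size(), MaxMutationLen)`, but after the first iteration only `NewSize` bytes of CurrentUnitData are the mutated unit and the bytes between NewSize and U.size() are the stale tail left by the single `memcpy` above the loop, so with `Options.MutateDepth > 1` later mutations neither compound on the shrunk unit nor start from a clean copy of U. If the intent is independent one-step shrinks of U (which the caller's `SetMaxMutationLen(U.size() - 1)` suggests), move the copy into the loop: `memcpy(CurrentUnitData, U.data(), U.size());` as the first statement of the `for` body; if compounding is intended, track the size instead, `Size = MD.Mutate(CurrentUnitData, Size, MaxMutationLen);`. The `assert(NewSize <= MaxMutationLen)` disappears in release builds, so RunOne then relies entirely on Mutate honouring MaxMutationLen. A header comment would also help, e.g. `// Repeatedly mutates U into strictly shorter inputs and runs each one until a crash, the run budget, or the time budget stops the process.`.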