[llvm] r307873 - [libFuzzer] experimental feature -reduce_inputs (off by default) that tries to replace elements in the corpus with smaller ones that have the same feature set. Still needs tuning

Kostya Serebryany via llvm-commits llvm-commits at lists.llvm.org
Wed Jul 12 18:08:53 PDT 2017


Author: kcc
Date: Wed Jul 12 18:08:53 2017
New Revision: 307873

URL: http://llvm.org/viewvc/llvm-project?rev=307873&view=rev
Log:
[libFuzzer] experimental feature -reduce_inputs (off by default) that tries to replace elements in the corpus with smaller ones that have the same feature set. Still needs tuning

Added:
    llvm/trunk/lib/Fuzzer/test/ShrinkControlFlowSimpleTest.cpp
    llvm/trunk/lib/Fuzzer/test/reduce_inputs.test
Modified:
    llvm/trunk/lib/Fuzzer/FuzzerCorpus.h
    llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
    llvm/trunk/lib/Fuzzer/FuzzerInternal.h
    llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
    llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
    llvm/trunk/lib/Fuzzer/test/FuzzerUnittest.cpp
    llvm/trunk/lib/Fuzzer/test/shrink.test

Modified: llvm/trunk/lib/Fuzzer/FuzzerCorpus.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerCorpus.h?rev=307873&r1=307872&r2=307873&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerCorpus.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerCorpus.h Wed Jul 12 18:08:53 2017
@@ -34,6 +34,7 @@ struct InputInfo {
   size_t NumExecutedMutations = 0;
   size_t NumSuccessfullMutations = 0;
   bool MayDeleteFile = false;
+  std::vector<uint32_t> FeatureSet;
 };
 
 class InputCorpus {
@@ -68,24 +69,81 @@ class InputCorpus {
   }
   bool empty() const { return Inputs.empty(); }
   const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }
-  void AddToCorpus(const Unit &U, size_t NumFeatures,
-                   bool MayDeleteFile = false) {
+  void AddToCorpus(const Unit &U, size_t NumFeatures, bool MayDeleteFile,
+                   const std::vector<uint32_t> &FeatureSet) {
     assert(!U.empty());
-    uint8_t Hash[kSHA1NumBytes];
     if (FeatureDebug)
       Printf("ADD_TO_CORPUS %zd NF %zd\n", Inputs.size(), NumFeatures);
-    ComputeSHA1(U.data(), U.size(), Hash);
-    Hashes.insert(Sha1ToString(Hash));
     Inputs.push_back(new InputInfo());
     InputInfo &II = *Inputs.back();
     II.U = U;
     II.NumFeatures = NumFeatures;
     II.MayDeleteFile = MayDeleteFile;
-    memcpy(II.Sha1, Hash, kSHA1NumBytes);
+    II.FeatureSet = FeatureSet;
+    ComputeSHA1(U.data(), U.size(), II.Sha1);
+    Hashes.insert(Sha1ToString(II.Sha1));
     UpdateCorpusDistribution();
+    PrintCorpus();
     // ValidateFeatureSet();
   }
 
+  // Debug-only
+  void PrintUnit(const Unit &U) {
+    if (!FeatureDebug) return;
+    for (uint8_t C : U) {
+      if (C != 'F' && C != 'U' && C != 'Z')
+        C = '.';
+      Printf("%c", C);
+    }
+  }
+
+  // Debug-only
+  void PrintFeatureSet(const std::vector<uint32_t> &FeatureSet) {
+    if (!FeatureDebug) return;
+    Printf("{");
+    for (uint32_t Feature: FeatureSet)
+      Printf("%u,", Feature);
+    Printf("}");
+  }
+
+  // Debug-only
+  void PrintCorpus() {
+    if (!FeatureDebug) return;
+    Printf("======= CORPUS:\n");
+    int i = 0;
+    for (auto II : Inputs) {
+      if (std::find(II->U.begin(), II->U.end(), 'F') != II->U.end()) {
+        Printf("[%2d] ", i);
+        Printf("%s sz=%zd ", Sha1ToString(II->Sha1).c_str(), II->U.size());
+        PrintUnit(II->U);
+        Printf(" ");
+        PrintFeatureSet(II->FeatureSet);
+        Printf("\n");
+      }
+      i++;
+    }
+  }
+
+  // If FeatureSet is that same as in II, replace II->U with {Data,Size}.
+  bool TryToReplace(InputInfo *II, const uint8_t *Data, size_t Size,
+                    const std::vector<uint32_t> &FeatureSet) {
+    if (II->U.size() > Size && II->FeatureSet.size() &&
+        II->FeatureSet == FeatureSet) {
+      if (FeatureDebug)
+        Printf("Replace: %zd => %zd\n", II->U.size(), Size);
+      Replace(II, {Data, Data + Size});
+      PrintCorpus();
+      return true;
+    }
+    return false;
+  }
+
+  void Replace(InputInfo *II, const Unit &U) {
+    ComputeSHA1(U.data(), U.size(), II->Sha1);
+    Hashes.insert(Sha1ToString(II->Sha1));
+    II->U = U;
+  }
+
   bool HasUnit(const Unit &U) { return Hashes.count(Hash(U)); }
   bool HasUnit(const std::string &H) { return Hashes.count(H); }
   InputInfo &ChooseUnitToMutate(Random &Rand) {

Modified: llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp?rev=307873&r1=307872&r2=307873&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp Wed Jul 12 18:08:53 2017
@@ -441,7 +441,6 @@ int MinimizeCrashInputInternalStep(Fuzze
     Printf("INFO: The input is small enough, exiting\n");
     exit(0);
   }
-  Corpus->AddToCorpus(U, 0);
   F->SetMaxInputLen(U.size());
   F->SetMaxMutationLen(U.size() - 1);
   F->MinimizeCrashLoop(U);

Modified: llvm/trunk/lib/Fuzzer/FuzzerInternal.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=307873&r1=307872&r2=307873&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerInternal.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerInternal.h Wed Jul 12 18:08:53 2017
@@ -65,7 +65,8 @@ public:
   static void StaticFileSizeExceedCallback();
 
   void ExecuteCallback(const uint8_t *Data, size_t Size);
-  bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false);
+  bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false,
+              InputInfo *II = nullptr);
 
   // Merge Corpora[1:] into Corpora[0].
   void Merge(const std::vector<std::string> &Corpora);
@@ -101,7 +102,6 @@ private:
   void PrintStats(const char *Where, const char *End = "\n", size_t Units = 0);
   void PrintStatusForNewUnit(const Unit &U);
   void ShuffleCorpus(UnitVector *V);
-  void AddToCorpus(const Unit &U);
   void CheckExitOnSrcPosOrItem();
 
   // Trace-based fuzzing: we run a unit with some kind of tracing
@@ -142,7 +142,7 @@ private:
   size_t MaxInputLen = 0;
   size_t MaxMutationLen = 0;
 
-  std::vector<size_t> FeatureSetTmp;
+  std::vector<uint32_t> FeatureSetTmp;
 
   // Need to know our own thread.
   static thread_local bool IsMyThread;

Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=307873&r1=307872&r2=307873&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Wed Jul 12 18:08:53 2017
@@ -397,7 +397,8 @@ void Fuzzer::PrintPulseAndReportSlowInpu
   }
 }
 
-bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile) {
+bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile,
+                    InputInfo *II) {
   if (!Size) return false;
 
   ExecuteCallback(Data, Size);
@@ -412,10 +413,16 @@ bool Fuzzer::RunOne(const uint8_t *Data,
   PrintPulseAndReportSlowInput(Data, Size);
   size_t NumNewFeatures = Corpus.NumFeatureUpdates() - NumUpdatesBefore;
   if (NumNewFeatures) {
+    Corpus.AddToCorpus({Data, Data + Size}, NumNewFeatures, MayDeleteFile,
+                       FeatureSetTmp);
     CheckExitOnSrcPosOrItem();
-    Corpus.AddToCorpus({Data, Data + Size}, NumNewFeatures, MayDeleteFile);
+    return true;
   }
-  return NumNewFeatures > 0;
+  if (II && Corpus.TryToReplace(II, Data, Size, FeatureSetTmp)) {
+    CheckExitOnSrcPosOrItem();
+    return true;
+  }
+  return false;
 }
 
 size_t Fuzzer::GetCurrentUnitInFuzzingThead(const uint8_t **Data) const {
@@ -596,7 +603,7 @@ void Fuzzer::MutateAndTestOne() {
     if (i == 0)
       StartTraceRecording();
     II.NumExecutedMutations++;
-    if (RunOne(CurrentUnitData, Size, /*MayDeleteFile=*/true))
+    if (RunOne(CurrentUnitData, Size, /*MayDeleteFile=*/true, &II))
       ReportNewCoverage(&II, {CurrentUnitData, CurrentUnitData + Size});
 
     StopTraceRecording();

Modified: llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/CMakeLists.txt?rev=307873&r1=307872&r2=307873&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/CMakeLists.txt (original)
+++ llvm/trunk/lib/Fuzzer/test/CMakeLists.txt Wed Jul 12 18:08:53 2017
@@ -118,6 +118,7 @@ set(Tests
   SingleStrncmpTest
   SpamyTest
   ShrinkControlFlowTest
+  ShrinkControlFlowSimpleTest
   ShrinkValueProfileTest
   StrcmpTest
   StrncmpOOBTest

Modified: llvm/trunk/lib/Fuzzer/test/FuzzerUnittest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/FuzzerUnittest.cpp?rev=307873&r1=307872&r2=307873&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/FuzzerUnittest.cpp (original)
+++ llvm/trunk/lib/Fuzzer/test/FuzzerUnittest.cpp Wed Jul 12 18:08:53 2017
@@ -593,7 +593,7 @@ TEST(Corpus, Distribution) {
   size_t N = 10;
   size_t TriesPerUnit = 1<<16;
   for (size_t i = 0; i < N; i++)
-    C->AddToCorpus(Unit{ static_cast<uint8_t>(i) }, 0);
+    C->AddToCorpus(Unit{ static_cast<uint8_t>(i) }, 0, false, {});
 
   std::vector<size_t> Hist(N);
   for (size_t i = 0; i < N * TriesPerUnit; i++) {

Added: llvm/trunk/lib/Fuzzer/test/ShrinkControlFlowSimpleTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/ShrinkControlFlowSimpleTest.cpp?rev=307873&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/ShrinkControlFlowSimpleTest.cpp (added)
+++ llvm/trunk/lib/Fuzzer/test/ShrinkControlFlowSimpleTest.cpp Wed Jul 12 18:08:53 2017
@@ -0,0 +1,19 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Test that we can find the minimal item in the corpus (3 bytes: "FUZ").
+#include <cstddef>
+#include <cstdint>
+#include <cstdio>
+#include <cstdlib>
+#include <cstring>
+
+static volatile int Sink;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size < 2) return 0;
+  if (Data[0] == 'F' && Data[Size / 2] == 'U' && Data[Size - 1] == 'Z')
+    Sink++;
+  return 0;
+}
+

Added: llvm/trunk/lib/Fuzzer/test/reduce_inputs.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/reduce_inputs.test?rev=307873&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/reduce_inputs.test (added)
+++ llvm/trunk/lib/Fuzzer/test/reduce_inputs.test Wed Jul 12 18:08:53 2017
@@ -0,0 +1,2 @@
+CHECK: INFO: found item with checksum '0eb8e4ed029b774d80f2b66408203801cb982a60'
+RUN: LLVMFuzzer-ShrinkControlFlowSimpleTest  -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60   -reduce_inputs=1 -runs=1000000 2>&1 | FileCheck %s

Modified: llvm/trunk/lib/Fuzzer/test/shrink.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/shrink.test?rev=307873&r1=307872&r2=307873&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/shrink.test (original)
+++ llvm/trunk/lib/Fuzzer/test/shrink.test Wed Jul 12 18:08:53 2017
@@ -1,4 +1,4 @@
-RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=10000000  -shrink=1 2>&1 | FileCheck %s --check-prefix=SHRINK1
+RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=1000000  -shrink=1 2>&1 | FileCheck %s --check-prefix=SHRINK1
 RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=1000000 -shrink=0 2>&1 | FileCheck %s --check-prefix=SHRINK0
 RUN: LLVMFuzzer-ShrinkValueProfileTest -seed=1 -exit_on_item=aea2e3923af219a8956f626558ef32f30a914ebc -runs=100000 -shrink=1 -use_value_profile=1 2>&1 | FileCheck %s --check-prefix=SHRINK1_VP
 




More information about the llvm-commits mailing list