<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 4, 2015 at 12:44 PM, Sean Silva <span dir="ltr"><<a href="mailto:chisophugis@gmail.com" target="_blank">chisophugis@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span class=""><span style="font-size:13px">- bool MutateDepth = 10;</span><br style="font-size:13px"><span style="font-size:13px">+ int MutateDepth = 5;</span><br><div><span style="font-size:13px"><br></span></div></span><div><span style="font-size:13px">Ouch, I feel like we should maybe have a warning for this?</span></div></div></blockquote><div><br>Agreed - we do have -Wliteral-conversion which catches some cases like this, but I don't think it catches cases where the destination is bool, unfortunately. I think I tried to improve this years ago & it was more work than I had time for, at the time.<br><br>- David<br> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span class="HOEnZb"><font color="#888888"><div><span style="font-size:13px"><br></span></div><div><span style="font-size:13px">-- Sean Silva</span></div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 4, 2015 at 11:10 AM, Kostya Serebryany <span dir="ltr"><<a href="mailto:kcc@google.com" target="_blank">kcc@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Author: kcc<br>
Date: Wed Feb 4 13:10:20 2015<br>
New Revision: 228170<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=228170&view=rev" target="_blank">http://llvm.org/viewvc/llvm-project?rev=228170&view=rev</a><br>
Log:<br>
[fuzzer] make multi-process execution more verbose; fix mutation to actually respect mutation depth and to never produce empty units<br>
<br>
Modified:<br>
llvm/trunk/lib/Fuzzer/FuzzerFlags.def<br>
llvm/trunk/lib/Fuzzer/FuzzerIO.cpp<br>
llvm/trunk/lib/Fuzzer/FuzzerInternal.h<br>
llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp<br>
llvm/trunk/lib/Fuzzer/FuzzerMain.cpp<br>
llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp<br>
<br>
Modified: llvm/trunk/lib/Fuzzer/FuzzerFlags.def<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerFlags.def?rev=228170&r1=228169&r2=228170&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerFlags.def?rev=228170&r1=228169&r2=228170&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/lib/Fuzzer/FuzzerFlags.def (original)<br>
+++ llvm/trunk/lib/Fuzzer/FuzzerFlags.def Wed Feb 4 13:10:20 2015<br>
@@ -16,7 +16,7 @@ FUZZER_FLAG(int, iterations, -1,<br>
"Number of iterations of the fuzzer (-1 for infinite runs).")<br>
FUZZER_FLAG(int, max_len, 64, "Maximal length of the test input.")<br>
FUZZER_FLAG(int, cross_over, 1, "If 1, cross over inputs.")<br>
-FUZZER_FLAG(int, mutate_depth, 10,<br>
+FUZZER_FLAG(int, mutate_depth, 5,<br>
"Apply this number of consecutive mutations to each input.")<br>
FUZZER_FLAG(int, exit_on_first, 0,<br>
"If 1, exit after the first new interesting input is found.")<br>
<br>
Modified: llvm/trunk/lib/Fuzzer/FuzzerIO.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerIO.cpp?rev=228170&r1=228169&r2=228170&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerIO.cpp?rev=228170&r1=228169&r2=228170&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/lib/Fuzzer/FuzzerIO.cpp (original)<br>
+++ llvm/trunk/lib/Fuzzer/FuzzerIO.cpp Wed Feb 4 13:10:20 2015<br>
@@ -9,6 +9,8 @@<br>
// IO functions.<br>
//===----------------------------------------------------------------------===//<br>
#include "FuzzerInternal.h"<br>
+#include <iostream><br>
+#include <iterator><br>
#include <fstream><br>
#include <dirent.h><br>
namespace fuzzer {<br>
@@ -31,6 +33,12 @@ Unit FileToVector(const std::string &Pat<br>
std::istreambuf_iterator<char>());<br>
}<br>
<br>
+void CopyFileToErr(const std::string &Path) {<br>
+ std::ifstream T(Path);<br>
+ std::copy(std::istreambuf_iterator<char>(T), std::istreambuf_iterator<char>(),<br>
+ std::ostream_iterator<char>(std::cerr, ""));<br>
+}<br>
+<br>
void WriteToFile(const Unit &U, const std::string &Path) {<br>
std::ofstream OF(Path);<br>
OF.write((const char*)U.data(), U.size());<br>
<br>
Modified: llvm/trunk/lib/Fuzzer/FuzzerInternal.h<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=228170&r1=228169&r2=228170&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=228170&r1=228169&r2=228170&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/lib/Fuzzer/FuzzerInternal.h (original)<br>
+++ llvm/trunk/lib/Fuzzer/FuzzerInternal.h Wed Feb 4 13:10:20 2015<br>
@@ -23,6 +23,7 @@ using namespace std::chrono;<br>
Unit ReadFile(const char *Path);<br>
void ReadDirToVectorOfUnits(const char *Path, std::vector<Unit> *V);<br>
void WriteToFile(const Unit &U, const std::string &Path);<br>
+void CopyFileToErr(const std::string &Path);<br>
// Returns "Dir/FileName" or equivalent for the current OS.<br>
std::string DirPlusFile(const std::string &DirPath,<br>
const std::string &FileName);<br>
@@ -42,7 +43,7 @@ class Fuzzer {<br>
int Verbosity = 1;<br>
int MaxLen = 0;<br>
bool DoCrossOver = true;<br>
- bool MutateDepth = 10;<br>
+ int MutateDepth = 5;<br>
bool ExitOnFirst = false;<br>
bool UseFullCoverageSet = false;<br>
std::string OutputCorpus;<br>
<br>
Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=228170&r1=228169&r2=228170&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=228170&r1=228169&r2=228170&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)<br>
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Wed Feb 4 13:10:20 2015<br>
@@ -146,9 +146,8 @@ void Fuzzer::SaveCorpus() {<br>
<br>
size_t Fuzzer::MutateAndTestOne(Unit *U) {<br>
size_t NewUnits = 0;<br>
- for (size_t i = 0; i < Options.MutateDepth; i++) {<br>
+ for (int i = 0; i < Options.MutateDepth; i++) {<br>
Mutate(U, Options.MaxLen);<br>
- if (U->empty()) continue;<br>
size_t NewCoverage = RunOne(*U);<br>
if (NewCoverage) {<br>
Corpus.push_back(*U);<br>
@@ -158,6 +157,7 @@ size_t Fuzzer::MutateAndTestOne(Unit *U)<br>
<< "\tNEW: " << NewCoverage<br>
<< " L: " << U->size()<br>
<< " S: " << Corpus.size()<br>
+ << " I: " << i<br>
<< "\t";<br>
if (U->size() < 30) {<br>
PrintASCII(*U);<br>
<br>
Modified: llvm/trunk/lib/Fuzzer/FuzzerMain.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerMain.cpp?rev=228170&r1=228169&r2=228170&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerMain.cpp?rev=228170&r1=228169&r2=228170&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/lib/Fuzzer/FuzzerMain.cpp (original)<br>
+++ llvm/trunk/lib/Fuzzer/FuzzerMain.cpp Wed Feb 4 13:10:20 2015<br>
@@ -17,6 +17,7 @@<br>
#include <iostream><br>
#include <thread><br>
#include <atomic><br>
+#include <mutex><br>
<br>
// ASAN options:<br>
// * don't dump the coverage to disk.<br>
@@ -105,20 +106,30 @@ static void ParseFlags(int argc, char **<br>
}<br>
<br>
static void WorkerThread(const std::string &Cmd, std::atomic<int> *Counter,<br>
- int NumJobs) {<br>
+ int NumJobs, std::atomic<bool> *HasErrors) {<br>
+ static std::mutex CerrMutex;<br>
while (true) {<br>
int C = (*Counter)++;<br>
- if (C >= NumJobs) return;<br>
- std::string ToRun = Cmd + " > fuzz-" + std::to_string(C) + ".log 2>&1\n";<br>
+ if (C >= NumJobs) break;<br>
+ std::string Log = "fuzz-" + std::to_string(C) + ".log";<br>
+ std::string ToRun = Cmd + " > " + Log + " 2>&1\n";<br>
if (Flags.verbosity)<br>
std::cerr << ToRun;<br>
- system(ToRun.c_str());<br>
+ int ExitCode = system(ToRun.c_str());<br>
+ if (ExitCode != 0)<br>
+ *HasErrors = true;<br>
+ std::lock_guard<std::mutex> Lock(CerrMutex);<br>
+ std::cerr << "================== Job " << C<br>
+ << " exited with exit code " << ExitCode<br>
+ << " =================\n";<br>
+ fuzzer::CopyFileToErr(Log);<br>
}<br>
}<br>
<br>
static int RunInMultipleProcesses(int argc, char **argv, int NumWorkers,<br>
int NumJobs) {<br>
std::atomic<int> Counter(0);<br>
+ std::atomic<bool> HasErrors(false);<br>
std::string Cmd;<br>
for (int i = 0; i < argc; i++) {<br>
if (FlagValue(argv[i], "jobs") || FlagValue(argv[i], "workers")) continue;<br>
@@ -127,10 +138,10 @@ static int RunInMultipleProcesses(int ar<br>
}<br>
std::vector<std::thread> V;<br>
for (int i = 0; i < NumWorkers; i++)<br>
- V.push_back(std::thread(WorkerThread, Cmd, &Counter, NumJobs));<br>
+ V.push_back(std::thread(WorkerThread, Cmd, &Counter, NumJobs, &HasErrors));<br>
for (auto &T : V)<br>
T.join();<br>
- return 0;<br>
+ return HasErrors ? 1 : 0;<br>
}<br>
<br>
int main(int argc, char **argv) {<br>
<br>
Modified: llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp?rev=228170&r1=228169&r2=228170&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp?rev=228170&r1=228169&r2=228170&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp (original)<br>
+++ llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp Wed Feb 4 13:10:20 2015<br>
@@ -31,18 +31,25 @@ static char RandCh() {<br>
return Special[rand() % (sizeof(Special) - 1)];<br>
}<br>
<br>
+// Mutate U in place.<br>
void Mutate(Unit *U, size_t MaxLen) {<br>
assert(MaxLen > 0);<br>
assert(U->size() <= MaxLen);<br>
+ if (U->empty()) {<br>
+ for (size_t i = 0; i < MaxLen; i++)<br>
+ U->push_back(RandCh());<br>
+ return;<br>
+ }<br>
+ assert(!U->empty());<br>
switch (rand() % 3) {<br>
case 0:<br>
- if (U->size())<br>
+ if (U->size() > 1) {<br>
U->erase(U->begin() + rand() % U->size());<br>
- break;<br>
+ break;<br>
+ }<br>
+ // Fallthrough<br>
case 1:<br>
- if (U->empty()) {<br>
- U->push_back(RandCh());<br>
- } else if (U->size() < MaxLen) {<br>
+ if (U->size() < MaxLen) {<br>
U->insert(U->begin() + rand() % U->size(), RandCh());<br>
} else { // At MaxLen.<br>
uint8_t Ch = RandCh();<br>
@@ -51,12 +58,13 @@ void Mutate(Unit *U, size_t MaxLen) {<br>
}<br>
break;<br>
default:<br>
- if (!U->empty()) {<br>
- size_t idx = rand() % U->size();<br>
- (*U)[idx] = FlipRandomBit((*U)[idx]);<br>
+ {<br>
+ size_t Idx = rand() % U->size();<br>
+ (*U)[Idx] = FlipRandomBit((*U)[Idx]);<br>
}<br>
break;<br>
}<br>
+ assert(!U->empty());<br>
}<br>
<br>
} // namespace fuzzer<br>
<br>
<br>
_______________________________________________<br>
llvm-commits mailing list<br>
<a href="mailto:llvm-commits@cs.uiuc.edu" target="_blank">llvm-commits@cs.uiuc.edu</a><br>
<a href="http://lists.cs.uiuc.edu/mailman/listinfo/llvm-commits" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/llvm-commits</a><br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>