
<div dir="ltr"><span style="font-size:13px">-    bool MutateDepth = 10;</span><br style="font-size:13px"><span style="font-size:13px">+    int  MutateDepth = 5;</span><br><div><span style="font-size:13px"><br></span></div><div><span style="font-size:13px">Ouch, I feel like we should maybe have a warning for this?</span></div><div><span style="font-size:13px"><br></span></div><div><span style="font-size:13px">-- Sean Silva</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 4, 2015 at 11:10 AM, Kostya Serebryany <span dir="ltr"><<a href="mailto:kcc@google.com" target="_blank">kcc@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Author: kcc<br>

Date: Wed Feb  4 13:10:20 2015<br>

New Revision: 228170<br>

<br>

URL: <a href="http://llvm.org/viewvc/llvm-project?rev=228170&view=rev" target="_blank">http://llvm.org/viewvc/llvm-project?rev=228170&view=rev</a><br>

Log:<br>

[fuzzer] make multi-process execution more verbose; fix mutation to actually respect mutation depth and to never produce empty units<br>

<br>

Modified:<br>

    llvm/trunk/lib/Fuzzer/FuzzerFlags.def<br>

    llvm/trunk/lib/Fuzzer/FuzzerIO.cpp<br>

    llvm/trunk/lib/Fuzzer/FuzzerInternal.h<br>

    llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp<br>

    llvm/trunk/lib/Fuzzer/FuzzerMain.cpp<br>

    llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp<br>

<br>

Modified: llvm/trunk/lib/Fuzzer/FuzzerFlags.def<br>

URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerFlags.def?rev=228170&r1=228169&r2=228170&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerFlags.def?rev=228170&r1=228169&r2=228170&view=diff</a><br>

==============================================================================<br>

--- llvm/trunk/lib/Fuzzer/FuzzerFlags.def (original)<br>

+++ llvm/trunk/lib/Fuzzer/FuzzerFlags.def Wed Feb  4 13:10:20 2015<br>

@@ -16,7 +16,7 @@ FUZZER_FLAG(int, iterations, -1,<br>

             "Number of iterations of the fuzzer (-1 for infinite runs).")<br>

 FUZZER_FLAG(int, max_len, 64, "Maximal length of the test input.")<br>

 FUZZER_FLAG(int, cross_over, 1, "If 1, cross over inputs.")<br>

-FUZZER_FLAG(int, mutate_depth, 10,<br>

+FUZZER_FLAG(int, mutate_depth, 5,<br>

             "Apply this number of consecutive mutations to each input.")<br>

 FUZZER_FLAG(int, exit_on_first, 0,<br>

             "If 1, exit after the first new interesting input is found.")<br>

<br>

Modified: llvm/trunk/lib/Fuzzer/FuzzerIO.cpp<br>

URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerIO.cpp?rev=228170&r1=228169&r2=228170&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerIO.cpp?rev=228170&r1=228169&r2=228170&view=diff</a><br>

==============================================================================<br>

--- llvm/trunk/lib/Fuzzer/FuzzerIO.cpp (original)<br>

+++ llvm/trunk/lib/Fuzzer/FuzzerIO.cpp Wed Feb  4 13:10:20 2015<br>

@@ -9,6 +9,8 @@<br>

 // IO functions.<br>

 //===----------------------------------------------------------------------===//<br>

 #include "FuzzerInternal.h"<br>

+#include <iostream><br>

+#include <iterator><br>

 #include <fstream><br>

 #include <dirent.h><br>

 namespace fuzzer {<br>

@@ -31,6 +33,12 @@ Unit FileToVector(const std::string &Pat<br>

               std::istreambuf_iterator<char>());<br>

 }<br>

<br>

+void CopyFileToErr(const std::string &Path) {<br>

+  std::ifstream T(Path);<br>

+  std::copy(std::istreambuf_iterator<char>(T), std::istreambuf_iterator<char>(),<br>

+            std::ostream_iterator<char>(std::cerr, ""));<br>

+}<br>

+<br>

 void WriteToFile(const Unit &U, const std::string &Path) {<br>

   std::ofstream OF(Path);<br>

   OF.write((const char*)U.data(), U.size());<br>

<br>

Modified: llvm/trunk/lib/Fuzzer/FuzzerInternal.h<br>

URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=228170&r1=228169&r2=228170&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=228170&r1=228169&r2=228170&view=diff</a><br>

==============================================================================<br>

--- llvm/trunk/lib/Fuzzer/FuzzerInternal.h (original)<br>

+++ llvm/trunk/lib/Fuzzer/FuzzerInternal.h Wed Feb  4 13:10:20 2015<br>

@@ -23,6 +23,7 @@ using namespace std::chrono;<br>

 Unit ReadFile(const char *Path);<br>

 void ReadDirToVectorOfUnits(const char *Path, std::vector<Unit> *V);<br>

 void WriteToFile(const Unit &U, const std::string &Path);<br>

+void CopyFileToErr(const std::string &Path);<br>

 // Returns "Dir/FileName" or equivalent for the current OS.<br>

 std::string DirPlusFile(const std::string &DirPath,<br>

                         const std::string &FileName);<br>

@@ -42,7 +43,7 @@ class Fuzzer {<br>

     int Verbosity = 1;<br>

     int MaxLen = 0;<br>

     bool DoCrossOver = true;<br>

-    bool MutateDepth = 10;<br>

+    int  MutateDepth = 5;<br>

     bool ExitOnFirst = false;<br>

     bool UseFullCoverageSet  = false;<br>

     std::string OutputCorpus;<br>

<br>

Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp<br>

URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=228170&r1=228169&r2=228170&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=228170&r1=228169&r2=228170&view=diff</a><br>

==============================================================================<br>

--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)<br>

+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Wed Feb  4 13:10:20 2015<br>

@@ -146,9 +146,8 @@ void Fuzzer::SaveCorpus() {<br>

<br>

 size_t Fuzzer::MutateAndTestOne(Unit *U) {<br>

   size_t NewUnits = 0;<br>

-  for (size_t i = 0; i < Options.MutateDepth; i++) {<br>

+  for (int i = 0; i < Options.MutateDepth; i++) {<br>

     Mutate(U, Options.MaxLen);<br>

-    if (U->empty()) continue;<br>

     size_t NewCoverage = RunOne(*U);<br>

     if (NewCoverage) {<br>

       Corpus.push_back(*U);<br>

@@ -158,6 +157,7 @@ size_t Fuzzer::MutateAndTestOne(Unit *U)<br>

                   << "\tNEW: " << NewCoverage<br>

                   << " L: " << U->size()<br>

                   << " S: " << Corpus.size()<br>

+                  << " I: " << i<br>

                   << "\t";<br>

         if (U->size() < 30) {<br>

           PrintASCII(*U);<br>

<br>

Modified: llvm/trunk/lib/Fuzzer/FuzzerMain.cpp<br>

URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerMain.cpp?rev=228170&r1=228169&r2=228170&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerMain.cpp?rev=228170&r1=228169&r2=228170&view=diff</a><br>

==============================================================================<br>

--- llvm/trunk/lib/Fuzzer/FuzzerMain.cpp (original)<br>

+++ llvm/trunk/lib/Fuzzer/FuzzerMain.cpp Wed Feb  4 13:10:20 2015<br>

@@ -17,6 +17,7 @@<br>

 #include <iostream><br>

 #include <thread><br>

 #include <atomic><br>

+#include <mutex><br>

<br>

 // ASAN options:<br>

 //   * don't dump the coverage to disk.<br>

@@ -105,20 +106,30 @@ static void ParseFlags(int argc, char **<br>

 }<br>

<br>

 static void WorkerThread(const std::string &Cmd, std::atomic<int> *Counter,<br>

-                         int NumJobs) {<br>

+                        int NumJobs, std::atomic<bool> *HasErrors) {<br>

+  static std::mutex CerrMutex;<br>

   while (true) {<br>

     int C = (*Counter)++;<br>

-    if (C >= NumJobs) return;<br>

-    std::string ToRun = Cmd + " > fuzz-" + std::to_string(C) + ".log 2>&1\n";<br>

+    if (C >= NumJobs) break;<br>

+    std::string Log = "fuzz-" + std::to_string(C) + ".log";<br>

+    std::string ToRun = Cmd + " > " + Log + " 2>&1\n";<br>

     if (Flags.verbosity)<br>

       std::cerr << ToRun;<br>

-    system(ToRun.c_str());<br>

+    int ExitCode = system(ToRun.c_str());<br>

+    if (ExitCode != 0)<br>

+      *HasErrors = true;<br>

+    std::lock_guard<std::mutex> Lock(CerrMutex);<br>

+    std::cerr << "================== Job " << C<br>

+              << " exited with exit code " << ExitCode<br>

+              << " =================\n";<br>

+    fuzzer::CopyFileToErr(Log);<br>

   }<br>

 }<br>

<br>

 static int RunInMultipleProcesses(int argc, char **argv, int NumWorkers,<br>

                                   int NumJobs) {<br>

   std::atomic<int> Counter(0);<br>

+  std::atomic<bool> HasErrors(false);<br>

   std::string Cmd;<br>

   for (int i = 0; i < argc; i++) {<br>

     if (FlagValue(argv[i], "jobs") || FlagValue(argv[i], "workers")) continue;<br>

@@ -127,10 +138,10 @@ static int RunInMultipleProcesses(int ar<br>

   }<br>

   std::vector<std::thread> V;<br>

   for (int i = 0; i < NumWorkers; i++)<br>

-    V.push_back(std::thread(WorkerThread, Cmd, &Counter, NumJobs));<br>

+    V.push_back(std::thread(WorkerThread, Cmd, &Counter, NumJobs, &HasErrors));<br>

   for (auto &T : V)<br>

     T.join();<br>

-  return 0;<br>

+  return HasErrors ? 1 : 0;<br>

 }<br>

<br>

 int main(int argc, char **argv) {<br>

<br>

Modified: llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp<br>

URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp?rev=228170&r1=228169&r2=228170&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp?rev=228170&r1=228169&r2=228170&view=diff</a><br>

==============================================================================<br>

--- llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp (original)<br>

+++ llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp Wed Feb  4 13:10:20 2015<br>

@@ -31,18 +31,25 @@ static char RandCh() {<br>

   return Special[rand() % (sizeof(Special) - 1)];<br>

 }<br>

<br>

+// Mutate U in place.<br>

 void Mutate(Unit *U, size_t MaxLen) {<br>

   assert(MaxLen > 0);<br>

   assert(U->size() <= MaxLen);<br>

+  if (U->empty()) {<br>

+    for (size_t i = 0; i < MaxLen; i++)<br>

+      U->push_back(RandCh());<br>

+    return;<br>

+  }<br>

+  assert(!U->empty());<br>

   switch (rand() % 3) {<br>

   case 0:<br>

-    if (U->size())<br>

+    if (U->size() > 1) {<br>

       U->erase(U->begin() + rand() % U->size());<br>

-    break;<br>

+      break;<br>

+    }<br>

+    // Fallthrough<br>

   case 1:<br>

-    if (U->empty()) {<br>

-      U->push_back(RandCh());<br>

-    } else if (U->size() < MaxLen) {<br>

+    if (U->size() < MaxLen) {<br>

       U->insert(U->begin() + rand() % U->size(), RandCh());<br>

     } else { // At MaxLen.<br>

       uint8_t Ch = RandCh();<br>

@@ -51,12 +58,13 @@ void Mutate(Unit *U, size_t MaxLen) {<br>

     }<br>

     break;<br>

   default:<br>

-    if (!U->empty()) {<br>

-      size_t idx = rand() % U->size();<br>

-      (*U)[idx] = FlipRandomBit((*U)[idx]);<br>

+    {<br>

+      size_t Idx = rand() % U->size();<br>

+      (*U)[Idx] = FlipRandomBit((*U)[Idx]);<br>

     }<br>

     break;<br>

   }<br>

+  assert(!U->empty());<br>

 }<br>

<br>

 }  // namespace fuzzer<br>

<br>

<br>

_______________________________________________<br>

llvm-commits mailing list<br>

<a href="mailto:llvm-commits@cs.uiuc.edu">llvm-commits@cs.uiuc.edu</a><br>

<a href="http://lists.cs.uiuc.edu/mailman/listinfo/llvm-commits" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/llvm-commits</a><br>

</blockquote></div><br></div>