<div dir="ltr">Tests are failing now, please check. <div><br><div><div>[ RUN      ] Corpus.TruncateUnits</div><div>/usr/local/google/home/kcc/llvm/lib/Fuzzer/test/FuzzerUnittest.cpp:445: Failure</div><div>Value of: NewCorpus.size()</div><div>  Actual: 3</div><div>Expected: 1ul</div><div>Which is: 1</div><div>[  FAILED  ] Corpus.TruncateUnits (10 ms)</div><div>[----------] 1 test from Corpus (11 ms total)</div></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 24, 2016 at 4:14 PM, Mike Aizatsky via llvm-commits <span dir="ltr"><<a href="mailto:llvm-commits@lists.llvm.org" target="_blank">llvm-commits@lists.llvm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Author: aizatsky<br>
Date: Tue May 24 18:14:29 2016<br>
New Revision: 270632<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=270632&view=rev" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project?rev=270632&view=rev</a><br>
Log:<br>
[libfuzzer] Trying random unit prefixes during corpus load.<br>
<br>
Differential Revision: <a href="http://reviews.llvm.org/D20301" rel="noreferrer" target="_blank">http://reviews.llvm.org/D20301</a><br>
<br>
Modified:<br>
    llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp<br>
    llvm/trunk/lib/Fuzzer/FuzzerFlags.def<br>
    llvm/trunk/lib/Fuzzer/FuzzerInternal.h<br>
    llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp<br>
    llvm/trunk/lib/Fuzzer/test/FuzzerUnittest.cpp<br>
<br>
Modified: llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp?rev=270632&r1=270631&r2=270632&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp?rev=270632&r1=270631&r2=270632&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp (original)<br>
+++ llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp Tue May 24 18:14:29 2016<br>
@@ -330,6 +330,7 @@ static int FuzzerDriver(const std::vecto<br>
   Options.SaveArtifacts = !DoPlainRun;<br>
   Options.PrintNewCovPcs = Flags.print_new_cov_pcs;<br>
   Options.PrintFinalStats = Flags.print_final_stats;<br>
+  Options.TruncateUnits = Flags.truncate_units;<br>
<br>
   unsigned Seed = Flags.seed;<br>
   // Initialize Seed.<br>
<br>
Modified: llvm/trunk/lib/Fuzzer/FuzzerFlags.def<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerFlags.def?rev=270632&r1=270631&r2=270632&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerFlags.def?rev=270632&r1=270631&r2=270632&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/lib/Fuzzer/FuzzerFlags.def (original)<br>
+++ llvm/trunk/lib/Fuzzer/FuzzerFlags.def Tue May 24 18:14:29 2016<br>
@@ -84,6 +84,7 @@ FUZZER_FLAG_INT(detect_leaks, 1, "If 1,<br>
     "try to detect memory leaks during fuzzing (i.e. not only at shut down).")<br>
 FUZZER_FLAG_INT(rss_limit_mb, 2048, "If non-zero, the fuzzer will exit upon"<br>
     "reaching this limit of RSS memory usage.")<br>
+FUZZER_FLAG_INT(truncate_units, 0, "Try truncated units when loading corpus.")<br>
<br>
 FUZZER_DEPRECATED_FLAG(exit_on_first)<br>
 FUZZER_DEPRECATED_FLAG(save_minimized_corpus)<br>
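Review bot: The help text `"Try truncated units when loading corpus."` on the new `truncate_units` flag does not say which value turns it on, unlike the neighbouring `detect_leaks` and `rss_limit_mb` entries that open with `"If 1,"` / `"If non-zero,"`. Since FuzzerDriver.cpp assigns the flag straight into a `bool`, `"If 1, try truncated prefixes of corpus units when loading the corpus."` would follow the file's convention and describe the actual behaviour.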
<br>
Modified: llvm/trunk/lib/Fuzzer/FuzzerInternal.h<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=270632&r1=270631&r2=270632&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=270632&r1=270631&r2=270632&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/lib/Fuzzer/FuzzerInternal.h (original)<br>
+++ llvm/trunk/lib/Fuzzer/FuzzerInternal.h Tue May 24 18:14:29 2016<br>
@@ -317,6 +317,7 @@ public:<br>
     bool PrintNewCovPcs = false;<br>
     bool PrintFinalStats = false;<br>
     bool DetectLeaks = true;<br>
+    bool TruncateUnits = false;<br>
   };<br>
<br>
   // Aggregates all available coverage measurements.<br>
@@ -354,6 +355,7 @@ public:<br>
   }<br>
   size_t ChooseUnitIdxToMutate();<br>
   const Unit &ChooseUnitToMutate() { return Corpus[ChooseUnitIdxToMutate()]; };<br>
+  void TruncateUnits(std::vector<Unit> *NewCorpus);<br>
   void Loop();<br>
   void Drill();<br>
   void ShuffleAndMinimize();<br>
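Review bot: The new declaration `void TruncateUnits(std::vector<Unit> *NewCorpus);` carries no comment, although it is an out-parameter API that the unit test now calls directly, and the hunk further down that makes `ResetCoverage` public does explain itself with `// Public for tests.`. A one-line contract would help, e.g. `// Runs prefixes of each corpus unit and appends those for which RunOne succeeds to *NewCorpus. Public for tests.`; whether "RunOne succeeds" means new coverage is not visible in this header, so word it according to RunOne's actual contract.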
@@ -396,6 +398,9 @@ public:<br>
   void SetMaxLen(size_t MaxLen);<br>
   void RssLimitCallback();<br>
<br>
+  // Public for tests.<br>
+  void ResetCoverage();<br>
+<br>
 private:<br>
   void AlarmCallback();<br>
   void CrashCallback();<br>
@@ -416,7 +421,6 @@ private:<br>
   // Must be called whenever the corpus or unit weights are changed.<br>
   void UpdateCorpusDistribution();<br>
<br>
-  void ResetCoverage();<br>
   bool UpdateMaxCoverage();<br>
<br>
   // Trace-based fuzzing: we run a unit with some kind of tracing<br>
<br>
Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=270632&r1=270631&r2=270632&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=270632&r1=270631&r2=270632&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)<br>
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Tue May 24 18:14:29 2016<br>
@@ -59,6 +59,7 @@ __attribute__((weak)) int __lsan_do_reco<br>
<br>
 namespace fuzzer {<br>
 static const size_t kMaxUnitSizeToPrint = 256;<br>
+static const size_t TruncateMaxRuns = 1000;<br>
<br>
 static void MissingWeakApiFunction(const char *FnName) {<br>
   Printf("ERROR: %s is not defined. Exiting.\n"<br>
@@ -353,12 +354,54 @@ void Fuzzer::ShuffleCorpus(UnitVector *V<br>
     });<br>
 }<br>
<br>
+// Tries random prefixes of corpus items.<br>
+// Prefix length is chosen according to exponential distribution<br>
+// to sample short lengths much more heavily.<br>
+void Fuzzer::TruncateUnits(std::vector<Unit> *NewCorpus) {<br>
+  size_t MaxCorpusLen = 0;<br>
+  for (const auto &U : Corpus)<br>
+    MaxCorpusLen = std::max(MaxCorpusLen, U.size());<br>
+<br>
+  if (MaxCorpusLen <= 1)<br>
+    return;<br>
+<br>
+  // 50% of exponential distribution is Log[2]/lambda.<br>
+  // Choose lambda so that median is MaxCorpusLen / 2.<br>
+  double Lambda = 2.0 * log(2.0) / static_cast<double>(MaxCorpusLen);<br>
+  std::exponential_distribution<> Dist(Lambda);<br>
+  std::vector<double> Sizes;<br>
+  size_t TruncatePoints = std::max(1ul, TruncateMaxRuns / Corpus.size());<br>
+  Sizes.reserve(TruncatePoints);<br>
+  for (size_t I = 0; I < TruncatePoints; ++I) {<br>
+    Sizes.push_back(Dist(MD.GetRand().Get_mt19937()) + 1);<br>
+  }<br>
+  std::sort(Sizes.begin(), Sizes.end());<br>
+<br>
+  for (size_t S : Sizes) {<br>
+    for (const auto &U : Corpus) {<br>
+      if (S < U.size() && RunOne(U.data(), S)) {<br>
+        Unit U1(U.begin(), U.begin() + S);<br>
+        NewCorpus->push_back(U1);<br>
+        WriteToOutputCorpus(U1);<br>
+        PrintStatusForNewUnit(U1);<br>
+      }<br>
+    }<br>
+  }<br>
+  PrintStats("TRUNC  ");<br>
+}<br>
+<br>
 void Fuzzer::ShuffleAndMinimize() {<br>
   PrintStats("READ  ");<br>
   std::vector<Unit> NewCorpus;<br>
   if (Options.ShuffleAtStartUp)<br>
     ShuffleCorpus(&Corpus);<br>
<br>
+  if (Options.TruncateUnits) {<br>
+    ResetCoverage();<br>
+    TruncateUnits(&NewCorpus);<br>
+    ResetCoverage();<br>
+  }<br>
+<br>
   for (const auto &U : Corpus) {<br>
     if (RunOne(U)) {<br>
       NewCorpus.push_back(U);<br>
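Review bot: `std::max(1ul, TruncateMaxRuns / Corpus.size())` on the TruncatePoints line deduces `unsigned long` against `size_t`, which only compiles where the two are the same type; on LLP64 targets such as 64-bit Windows, where `size_t` is `unsigned long long`, template deduction fails. `std::max<size_t>(1, TruncateMaxRuns / Corpus.size())` fixes it. Relatedly, `Sizes` is a `std::vector<double>` iterated as `size_t S`, so every sample is narrowed silently (a sample above the `size_t` range would be undefined behaviour, however unlikely) and two samples that floor to the same integer run the same prefix of every unit twice; sampling into a `std::vector<size_t>` with `Sizes.push_back(static_cast<size_t>(Dist(MD.GetRand().Get_mt19937())) + 1);` makes the conversion explicit and lets a `std::unique` after the sort drop the duplicates. Also, the new constant `TruncateMaxRuns` departs from the `kMaxUnitSizeToPrint` naming on the line above it; `kTruncateMaxRuns` would match.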
<br>
Modified: llvm/trunk/lib/Fuzzer/test/FuzzerUnittest.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/FuzzerUnittest.cpp?rev=270632&r1=270631&r2=270632&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/FuzzerUnittest.cpp?rev=270632&r1=270631&r2=270632&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/lib/Fuzzer/test/FuzzerUnittest.cpp (original)<br>
+++ llvm/trunk/lib/Fuzzer/test/FuzzerUnittest.cpp Tue May 24 18:14:29 2016<br>
@@ -13,6 +13,10 @@ extern "C" int LLVMFuzzerTestOneInput(co<br>
   abort();<br>
 }<br>
<br>
+static int EmptyLLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {<br>
+  return 0;<br>
+}<br>
+<br>
 TEST(Fuzzer, CrossOver) {<br>
   Random Rand(0);<br>
   MutationDispatcher MD(Rand);<br>
@@ -423,3 +427,21 @@ TEST(Corpus, Distribution) {<br>
     EXPECT_GT(Hist[i], TriesPerUnit / N / 3);<br>
   }<br>
 }<br>
+<br>
+TEST(Corpus, TruncateUnits) {<br>
+  Random Rand(0);<br>
+  MutationDispatcher MD(Rand);<br>
+  Fuzzer::FuzzingOptions Options;<br>
+  Options.OutputCorpus = ""; // stops from writing new units.<br>
+  Fuzzer Fuzz(EmptyLLVMFuzzerTestOneInput, MD, Options);<br>
+<br>
+  Fuzz.AddToCorpus(Unit(1024, static_cast<uint8_t>(1)));<br>
+  Fuzz.ResetCoverage();<br>
+<br>
+  std::vector<Unit> NewCorpus;<br>
+  Fuzz.TruncateUnits(&NewCorpus);<br>
+<br>
+  // New corpus should have a shorter unit.<br>
+  EXPECT_EQ(1ul, NewCorpus.size());<br>
+  EXPECT_EQ(1ul, NewCorpus[0].size());<br>
+}<br>
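Review bot: `EXPECT_EQ(1ul, NewCorpus.size())` is non-fatal, so when `TruncateUnits` appends nothing the next line indexes `NewCorpus[0]` on an empty vector, which is undefined behaviour rather than a clean failure; make the size check `ASSERT_EQ(1ul, NewCorpus.size());` so the test stops there. The expected count of exactly one unit also appears to rest on how many distinct prefixes of the 1024-byte unit `RunOne` reports as worth keeping under the test binary's own instrumentation, which the test does not control; a sentence stating that assumption next to `// New corpus should have a shorter unit.` would help whoever next sees the count differ. In the file's first hunk, `EmptyLLVMFuzzerTestOneInput` never reads `Data` or `Size`; leaving the parameters unnamed keeps the helper warning-free under `-Wunused-parameter`.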
<br>
<br>