<div dir="ltr">Fix in 353e5aa42dfee3f119fd1790509ea35a280295f7</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 20, 2020 at 6:43 PM Richard Smith <<a href="mailto:richard@metafoo.co.uk" target="_blank">richard@metafoo.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">On Tue, 19 May 2020 at 10:31, Matt Morehouse via llvm-commits <<a href="mailto:llvm-commits@lists.llvm.org" target="_blank">llvm-commits@lists.llvm.org</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
Author: Matt Morehouse<br>
Date: 2020-05-19T10:28:57-07:00<br>
New Revision: e2e38fca64e49d684de0b100437fe2f227f8fcdd<br>
<br>
URL: <a href="https://github.com/llvm/llvm-project/commit/e2e38fca64e49d684de0b100437fe2f227f8fcdd" rel="noreferrer" target="_blank">https://github.com/llvm/llvm-project/commit/e2e38fca64e49d684de0b100437fe2f227f8fcdd</a><br>
DIFF: <a href="https://github.com/llvm/llvm-project/commit/e2e38fca64e49d684de0b100437fe2f227f8fcdd.diff" rel="noreferrer" target="_blank">https://github.com/llvm/llvm-project/commit/e2e38fca64e49d684de0b100437fe2f227f8fcdd.diff</a><br>
<br>
LOG: Entropic: Boosting LibFuzzer Performance<br>
<br>
Summary:<br>
This is collaboration between Marcel Boehme @ Monash, Australia and Valentin Manès plus Sang Kil Cha @ KAIST, South Korea.<br>
<br>
We have made a few modifications to boost LibFuzzer performance by changing how weights are assigned to the seeds in the corpus. Essentially, seeds that reveal more "information" about globally rare features are assigned a higher weight. Our results on the Fuzzer Test Suite seem quite promising. In terms of bug finding, our Entropic patch usually finds the same errors much faster and in more runs. In terms of coverage, our version Entropic achieves the same coverage in less than half the time for the majority of subjects. For the lack of space, we shared more detailed performance results directly with @kcc. We'll publish the preprint with all the technical details as soon as it is accepted. Happy to share if you drop us an email.<br>
<br>
There should be plenty of opportunities to optimise further. For instance, while Entropic achieves the same coverage in less than half the time, Entropic has a much lower #execs per second. We ran the perf-tool and found a few performance bottlenecks.<br>
<br>
Thanks for open-sourcing LibFuzzer (and the entire LLVM Compiler Infrastructure)! This has been such a tremendous help to my research.<br>
<br>
Patch By: Marcel Boehme<br>
<br>
Reviewers: kcc, metzman, morehouse, Dor1s, vitalybuka<br>
<br>
Reviewed By: kcc<br>
<br>
Subscribers: dgg5503, Valentin, llvm-commits, kcc<br>
<br>
Tags: #llvm<br>
<br>
Differential Revision: <a href="https://reviews.llvm.org/D73776" rel="noreferrer" target="_blank">https://reviews.llvm.org/D73776</a><br>
<br>
Added: <br>
<br>
<br>
Modified: <br>
compiler-rt/lib/fuzzer/FuzzerCorpus.h<br>
compiler-rt/lib/fuzzer/FuzzerDriver.cpp<br>
compiler-rt/lib/fuzzer/FuzzerFlags.def<br>
compiler-rt/lib/fuzzer/FuzzerLoop.cpp<br>
compiler-rt/lib/fuzzer/FuzzerOptions.h<br>
compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp<br>
<br>
Removed: <br>
<br>
<br>
<br>
################################################################################<br>
diff --git a/compiler-rt/lib/fuzzer/FuzzerCorpus.h b/compiler-rt/lib/fuzzer/FuzzerCorpus.h<br>
index 6a95ef3a8e64..54d1e09ec6df 100644<br>
--- a/compiler-rt/lib/fuzzer/FuzzerCorpus.h<br>
+++ b/compiler-rt/lib/fuzzer/FuzzerCorpus.h<br>
@@ -38,12 +38,102 @@ struct InputInfo {<br>
bool HasFocusFunction = false;<br>
Vector<uint32_t> UniqFeatureSet;<br>
Vector<uint8_t> DataFlowTraceForFocusFunction;<br>
+ // Power schedule.<br>
+ bool NeedsEnergyUpdate = false;<br>
+ double Energy = 0.0;<br>
+ size_t SumIncidence = 0;<br>
+ Vector<std::pair<uint32_t, uint16_t>> FeatureFreqs;<br>
+<br>
+ // Delete feature Idx and its frequency from FeatureFreqs.<br>
+ bool DeleteFeatureFreq(uint32_t Idx) {<br>
+ if (FeatureFreqs.empty())<br>
+ return false;<br>
+<br>
+ // Binary search over local feature frequencies sorted by index.<br>
+ auto Lower = std::lower_bound(FeatureFreqs.begin(), FeatureFreqs.end(),<br>
+ std::pair<uint32_t, uint16_t>(Idx, 0));<br>
+<br>
+ if (Lower != FeatureFreqs.end() && Lower->first == Idx) {<br>
+ FeatureFreqs.erase(Lower);<br>
+ return true;<br>
+ }<br>
+ return false;<br>
+ }<br>
+<br>
+ // Assign more energy to a high-entropy seed, i.e., that reveals more<br>
+ // information about the globally rare features in the neighborhood<br>
+ // of the seed. Since we do not know the entropy of a seed that has<br>
+ // never been executed we assign fresh seeds maximum entropy and<br>
+ // let II->Energy approach the true entropy from above.<br>
+ void UpdateEnergy(size_t GlobalNumberOfFeatures) {<br>
+ Energy = 0.0;<br>
+ SumIncidence = 0;<br>
+<br>
+ // Apply add-one smoothing to locally discovered features.<br>
+ for (auto F : FeatureFreqs) {<br>
+ size_t LocalIncidence = F.second + 1;<br>
+ Energy -= LocalIncidence * logl(LocalIncidence);<br>
+ SumIncidence += LocalIncidence;<br>
+ }<br>
+<br>
+ // Apply add-one smoothing to locally undiscovered features.<br>
+ // PreciseEnergy -= 0; // since logl(1.0) == 0)<br>
+ SumIncidence += (GlobalNumberOfFeatures - FeatureFreqs.size());<br>
+<br>
+ // Add a single locally abundant feature apply add-one smoothing.<br>
+ size_t AbdIncidence = NumExecutedMutations + 1;<br>
+ Energy -= AbdIncidence * logl(AbdIncidence);<br>
+ SumIncidence += AbdIncidence;<br>
+<br>
+ // Normalize.<br>
+ if (SumIncidence != 0)<br>
+ Energy = (Energy / SumIncidence) + logl(SumIncidence);<br>
+ }<br>
+<br>
+ // Increment the frequency of the feature Idx.<br>
+ void UpdateFeatureFrequency(uint32_t Idx) {<br>
+ NeedsEnergyUpdate = true;<br>
+<br>
+ // The local feature frequencies is an ordered vector of pairs.<br>
+ // If there are no local feature frequencies, push_back preserves order.<br>
+ // Set the feature frequency for feature Idx32 to 1.<br>
+ if (FeatureFreqs.empty()) {<br>
+ FeatureFreqs.push_back(std::pair<uint32_t, uint16_t>(Idx, 1));<br>
+ return;<br>
+ }<br>
+<br>
+ // Binary search over local feature frequencies sorted by index.<br>
+ auto Lower = std::lower_bound(FeatureFreqs.begin(), FeatureFreqs.end(),<br>
+ std::pair<uint32_t, uint16_t>(Idx, 0));<br>
+<br>
+ // If feature Idx32 already exists, increment its frequency.<br>
+ // Otherwise, insert a new pair right after the next lower index.<br>
+ if (Lower != FeatureFreqs.end() && Lower->first == Idx) {<br>
+ Lower->second++;<br>
+ } else {<br>
+ FeatureFreqs.insert(Lower, std::pair<uint32_t, uint16_t>(Idx, 1));<br>
+ }<br>
+ }<br>
+};<br>
+<br>
+struct EntropicOptions {<br>
+ bool Enabled;<br>
+ size_t NumberOfRarestFeatures;<br>
+ size_t FeatureFrequencyThreshold;<br>
};<br>
<br>
class InputCorpus {<br>
- static const size_t kFeatureSetSize = 1 << 21;<br>
- public:<br>
- InputCorpus(const std::string &OutputCorpus) : OutputCorpus(OutputCorpus) {<br>
+ static const uint32_t kFeatureSetSize = 1 << 21;<br>
+ static const uint8_t kMaxMutationFactor = 20;<br>
+ static const size_t kSparseEnergyUpdates = 100;<br>
+<br>
+ size_t NumExecutedMutations = 0;<br>
+<br>
+ EntropicOptions Entropic;<br>
+<br>
+public:<br>
+ InputCorpus(const std::string &OutputCorpus, EntropicOptions Entropic)<br>
+ : Entropic(Entropic), OutputCorpus(OutputCorpus) {<br>
memset(InputSizesPerFeature, 0, sizeof(InputSizesPerFeature));<br>
memset(SmallestElementPerFeature, 0, sizeof(SmallestElementPerFeature));<br>
}<br>
@@ -70,6 +160,7 @@ class InputCorpus {<br>
Res = std::max(Res, II->U.size());<br>
return Res;<br>
}<br>
+ void IncrementNumExecutedMutations() { NumExecutedMutations++; }<br>
<br>
size_t NumInputsThatTouchFocusFunction() {<br>
return std::count_if(Inputs.begin(), Inputs.end(), [](const InputInfo *II) {<br>
@@ -99,6 +190,10 @@ class InputCorpus {<br>
II.MayDeleteFile = MayDeleteFile;<br>
II.UniqFeatureSet = FeatureSet;<br>
II.HasFocusFunction = HasFocusFunction;<br>
+ // Assign maximal energy to the new seed.<br>
+ II.Energy = RareFeatures.empty() ? 1.0 : log(RareFeatures.size());<br>
+ II.SumIncidence = RareFeatures.size();<br>
+ II.NeedsEnergyUpdate = false;<br>
std::sort(II.UniqFeatureSet.begin(), II.UniqFeatureSet.end());<br>
ComputeSHA1(U.data(), U.size(), II.Sha1);<br>
auto Sha1Str = Sha1ToString(II.Sha1);<br>
@@ -111,7 +206,7 @@ class InputCorpus {<br>
// But if we don't, we'll use the DFT of its base input.<br>
if (II.DataFlowTraceForFocusFunction.empty() && BaseII)<br>
II.DataFlowTraceForFocusFunction = BaseII->DataFlowTraceForFocusFunction;<br>
- UpdateCorpusDistribution();<br>
+ DistributionNeedsUpdate = true;<br>
PrintCorpus();<br>
// ValidateFeatureSet();<br>
return &II;<br>
@@ -162,7 +257,7 @@ class InputCorpus {<br>
Hashes.insert(Sha1ToString(II->Sha1));<br>
II->U = U;<br>
II->Reduced = true;<br>
- UpdateCorpusDistribution();<br>
+ DistributionNeedsUpdate = true;<br>
}<br>
<br>
bool HasUnit(const Unit &U) { return Hashes.count(Hash(U)); }<br>
@@ -175,6 +270,7 @@ class InputCorpus {<br>
<br>
// Returns an index of random unit from the corpus to mutate.<br>
size_t ChooseUnitIdxToMutate(Random &Rand) {<br>
+ UpdateCorpusDistribution(Rand);<br>
size_t Idx = static_cast<size_t>(CorpusDistribution(Rand));<br>
assert(Idx < Inputs.size());<br>
return Idx;<br>
@@ -210,10 +306,65 @@ class InputCorpus {<br>
InputInfo &II = *Inputs[Idx];<br>
DeleteFile(II);<br>
Unit().swap(II.U);<br>
+ II.Energy = 0.0;<br>
+ II.NeedsEnergyUpdate = false;<br>
+ DistributionNeedsUpdate = true;<br>
if (FeatureDebug)<br>
Printf("EVICTED %zd\n", Idx);<br>
}<br>
<br>
+ void AddRareFeature(uint32_t Idx) {<br>
+ // Maintain *at least* TopXRarestFeatures many rare features<br>
+ // and all features with a frequency below ConsideredRare.<br>
+ // Remove all other features.<br>
+ while (RareFeatures.size() > Entropic.NumberOfRarestFeatures &&<br>
+ FreqOfMostAbundantRareFeature > Entropic.FeatureFrequencyThreshold) {<br>
+<br>
+ // Find most and second most abbundant feature.<br>
+ uint32_t MostAbundantRareFeatureIndices[2] = {RareFeatures[0],<br>
+ RareFeatures[0]};<br>
+ size_t Delete = 0;<br>
+ for (size_t i = 0; i < RareFeatures.size(); i++) {<br>
+ uint32_t Idx2 = RareFeatures[i];<br>
+ if (GlobalFeatureFreqs[Idx2] >=<br>
+ GlobalFeatureFreqs[MostAbundantRareFeatureIndices[0]]) {<br>
+ MostAbundantRareFeatureIndices[1] = MostAbundantRareFeatureIndices[0];<br>
+ MostAbundantRareFeatureIndices[0] = Idx2;<br>
+ Delete = i;<br>
+ }<br>
+ }<br>
+<br>
+ // Remove most abundant rare feature.<br>
+ RareFeatures[Delete] = RareFeatures.back();<br>
+ RareFeatures.pop_back();<br>
+<br>
+ for (auto II : Inputs) {<br>
+ if (II->DeleteFeatureFreq(MostAbundantRareFeatureIndices[0]))<br>
+ II->NeedsEnergyUpdate = true;<br>
+ }<br>
+<br>
+ // Set 2nd most abundant as the new most abundant feature count.<br>
+ FreqOfMostAbundantRareFeature =<br>
+ GlobalFeatureFreqs[MostAbundantRareFeatureIndices[1]];<br>
+ }<br>
+<br>
+ // Add rare feature, handle collisions, and update energy.<br>
+ RareFeatures.push_back(Idx);<br>
+ GlobalFeatureFreqs[Idx] = 0;<br>
+ for (auto II : Inputs) {<br>
+ II->DeleteFeatureFreq(Idx);<br>
+<br>
+ // Apply add-one smoothing to this locally undiscovered feature.<br>
+ // Zero energy seeds will never be fuzzed and remain zero energy.<br>
+ if (II->Energy > 0.0) {<br>
+ II->SumIncidence += 1;<br>
+ II->Energy += logl(II->SumIncidence) / II->SumIncidence;<br>
+ }<br>
+ }<br>
+<br>
+ DistributionNeedsUpdate = true;<br>
+ }<br>
+<br>
bool AddFeature(size_t Idx, uint32_t NewSize, bool Shrink) {<br>
assert(NewSize);<br>
Idx = Idx % kFeatureSetSize;<br>
@@ -228,6 +379,8 @@ class InputCorpus {<br>
DeleteInput(OldIdx);<br>
} else {<br>
NumAddedFeatures++;<br>
+ if (Entropic.Enabled)<br>
+ AddRareFeature((uint32_t)Idx);<br>
}<br>
NumUpdatedFeatures++;<br>
if (FeatureDebug)<br>
@@ -239,6 +392,30 @@ class InputCorpus {<br>
return false;<br>
}<br>
<br>
+ // Increment frequency of feature Idx globally and locally.<br>
+ void UpdateFeatureFrequency(InputInfo *II, size_t Idx) {<br>
+ uint32_t Idx32 = Idx % kFeatureSetSize;<br>
+<br>
+ // Saturated increment.<br>
+ if (GlobalFeatureFreqs[Idx32] == 0xFFFF)<br>
+ return;<br>
+ uint16_t Freq = GlobalFeatureFreqs[Idx32]++;<br>
+<br>
+ // Skip if abundant.<br>
+ if (Freq > FreqOfMostAbundantRareFeature ||<br>
+ std::find(RareFeatures.begin(), RareFeatures.end(), Idx32) ==<br>
+ RareFeatures.end())<br>
+ return;<br>
+<br>
+ // Update global frequencies.<br>
+ if (Freq == FreqOfMostAbundantRareFeature)<br>
+ FreqOfMostAbundantRareFeature++;<br>
+<br>
+ // Update local frequencies.<br>
+ if (II)<br>
+ II->UpdateFeatureFrequency(Idx32);<br>
+ }<br>
+<br>
size_t NumFeatures() const { return NumAddedFeatures; }<br>
size_t NumFeatureUpdates() const { return NumUpdatedFeatures; }<br>
<br>
@@ -265,19 +442,60 @@ class InputCorpus {<br>
// Updates the probability distribution for the units in the corpus.<br>
// Must be called whenever the corpus or unit weights are changed.<br>
//<br>
- // Hypothesis: units added to the corpus last are more interesting.<br>
- //<br>
- // Hypothesis: inputs with infrequent features are more interesting.<br>
- void UpdateCorpusDistribution() {<br>
+ // Hypothesis: inputs that maximize information about globally rare features<br>
+ // are interesting.<br>
+ void UpdateCorpusDistribution(Random &Rand) {<br>
+ // Skip update if no seeds or rare features were added/deleted.<br>
+ // Sparse updates for local change of feature frequencies,<br>
+ // i.e., randomly do not skip.<br>
+ if (!DistributionNeedsUpdate &&<br>
+ (!Entropic.Enabled || Rand(kSparseEnergyUpdates)))<br>
+ return;<br>
+<br>
+ DistributionNeedsUpdate = false;<br>
+<br>
size_t N = Inputs.size();<br>
assert(N);<br>
Intervals.resize(N + 1);<br>
Weights.resize(N);<br>
std::iota(Intervals.begin(), Intervals.end(), 0);<br>
- for (size_t i = 0; i < N; i++)<br>
- Weights[i] = Inputs[i]->NumFeatures<br>
- ? (i + 1) * (Inputs[i]->HasFocusFunction ? 1000 : 1)<br>
- : 0.;<br>
+<br>
+ bool VanillaSchedule = true;<br>
+ if (Entropic.Enabled) {<br>
+ for (auto II : Inputs) {<br>
+ if (II->NeedsEnergyUpdate && II->Energy != 0.0) {<br>
+ II->NeedsEnergyUpdate = false;<br>
+ II->UpdateEnergy(RareFeatures.size());<br>
+ }<br>
+ }<br>
+<br>
+ for (size_t i = 0; i < N; i++) {<br>
+<br>
+ if (Inputs[i]->NumFeatures == 0) {<br>
+ // If the seed doesn't represent any features, assign zero energy.<br>
+ Weights[i] = 0.;<br>
+ } else if (Inputs[i]->NumExecutedMutations / kMaxMutationFactor ><br>
+ NumExecutedMutations / Inputs.size()) {<br>
+ // If the seed was fuzzed a lot more than average, assign zero energy.<br>
+ Weights[i] = 0.;<br>
+ } else {<br>
+ // Otherwise, simply assign the computed energy.<br>
+ Weights[i] = Inputs[i]->Energy;<br>
+ }<br>
+<br>
+ // If energy for all seeds is zero, fall back to vanilla schedule.<br>
+ if (Weights[i] > 0.0)<br>
+ VanillaSchedule = false;<br>
+ }<br>
+ }<br>
+<br>
+ if (VanillaSchedule) {<br>
+ for (size_t i = 0; i < N; i++)<br>
+ Weights[i] = Inputs[i]->NumFeatures<br>
+ ? (i + 1) * (Inputs[i]->HasFocusFunction ? 1000 : 1)<br>
+ : 0.;<br>
+ }<br>
+<br>
if (FeatureDebug) {<br>
for (size_t i = 0; i < N; i++)<br>
Printf("%zd ", Inputs[i]->NumFeatures);<br>
@@ -302,6 +520,11 @@ class InputCorpus {<br>
uint32_t InputSizesPerFeature[kFeatureSetSize];<br>
uint32_t SmallestElementPerFeature[kFeatureSetSize];<br>
<br>
+ bool DistributionNeedsUpdate = true;<br>
+ uint16_t FreqOfMostAbundantRareFeature = 0;<br>
+ uint16_t GlobalFeatureFreqs[kFeatureSetSize] = {};<br>
+ Vector<uint32_t> RareFeatures;<br>
+<br>
std::string OutputCorpus;<br>
};<br>
<br>
<br>
diff --git a/compiler-rt/lib/fuzzer/FuzzerDriver.cpp b/compiler-rt/lib/fuzzer/FuzzerDriver.cpp<br>
index 0d4e468a674b..1a0b2580c5b7 100644<br>
--- a/compiler-rt/lib/fuzzer/FuzzerDriver.cpp<br>
+++ b/compiler-rt/lib/fuzzer/FuzzerDriver.cpp<br>
@@ -708,6 +708,26 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {<br>
Options.CollectDataFlow = Flags.collect_data_flow;<br>
if (Flags.stop_file)<br>
Options.StopFile = Flags.stop_file;<br>
+ Options.Entropic = Flags.entropic;<br>
+ Options.EntropicFeatureFrequencyThreshold =<br>
+ (size_t)Flags.entropic_feature_frequency_threshold;<br>
+ Options.EntropicNumberOfRarestFeatures =<br>
+ (size_t)Flags.entropic_number_of_rarest_features;<br>
+ if (Options.Entropic) {<br>
+ if (!Options.FocusFunction.empty()) {<br>
+ Printf("ERROR: The parameters `--entropic` and `--focus_function` cannot "<br>
+ "be used together.\n");<br>
+ exit(1);<br>
+ }<br>
+ Printf("INFO: Running with entropic power schedule (0x%X, %d).\n",<br>
+ Options.EntropicFeatureFrequencyThreshold,<br>
+ Options.EntropicNumberOfRarestFeatures);<br>
+ }<br>
+ struct EntropicOptions Entropic;<br>
+ Entropic.Enabled = Options.Entropic;<br>
+ Entropic.FeatureFrequencyThreshold =<br>
+ Options.EntropicFeatureFrequencyThreshold;<br>
+ Entropic.NumberOfRarestFeatures = Options.EntropicNumberOfRarestFeatures;<br>
<br>
unsigned Seed = Flags.seed;<br>
// Initialize Seed.<br>
@@ -728,7 +748,7 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {<br>
<br>
Random Rand(Seed);<br>
auto *MD = new MutationDispatcher(Rand, Options);<br>
- auto *Corpus = new InputCorpus(Options.OutputCorpus);<br>
+ auto *Corpus = new InputCorpus(Options.OutputCorpus, Entropic);<br>
auto *F = new Fuzzer(Callback, *Corpus, *MD, Options);<br>
<br>
for (auto &U: Dictionary)<br>
<br>
diff --git a/compiler-rt/lib/fuzzer/FuzzerFlags.def b/compiler-rt/lib/fuzzer/FuzzerFlags.def<br>
index d2aaf24587d2..832224a705d2 100644<br>
--- a/compiler-rt/lib/fuzzer/FuzzerFlags.def<br>
+++ b/compiler-rt/lib/fuzzer/FuzzerFlags.def<br>
@@ -153,6 +153,14 @@ FUZZER_FLAG_STRING(focus_function, "Experimental. "<br>
"Fuzzing will focus on inputs that trigger calls to this function. "<br>
"If -focus_function=auto and -data_flow_trace is used, libFuzzer "<br>
"will choose the focus functions automatically.")<br>
+FUZZER_FLAG_INT(entropic, 0, "Experimental. Enables entropic power schedule.")<br>
+FUZZER_FLAG_INT(entropic_feature_frequency_threshold, 0xFF, "Experimental. If "<br>
+ "entropic is enabled, all features which are observed less often than "<br>
+ "the specified value are considered as rare.")<br>
+FUZZER_FLAG_INT(entropic_number_of_rarest_features, 100, "Experimental. If "<br>
+ "entropic is enabled, we keep track of the frequencies only for the "<br>
+ "Top-X least abundant features (union features that are considered as "<br>
+ "rare).")<br>
<br>
FUZZER_FLAG_INT(analyze_dict, 0, "Experimental")<br>
FUZZER_DEPRECATED_FLAG(use_clang_coverage)<br>
<br>
diff --git a/compiler-rt/lib/fuzzer/FuzzerLoop.cpp b/compiler-rt/lib/fuzzer/FuzzerLoop.cpp<br>
index 273c62919e89..7c3288fc5750 100644<br>
--- a/compiler-rt/lib/fuzzer/FuzzerLoop.cpp<br>
+++ b/compiler-rt/lib/fuzzer/FuzzerLoop.cpp<br>
@@ -475,6 +475,8 @@ bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile,<br>
TPC.CollectFeatures([&](size_t Feature) {<br>
if (Corpus.AddFeature(Feature, Size, Options.Shrink))<br>
UniqFeatureSetTmp.push_back(Feature);<br>
+ if (Options.Entropic)<br>
+ Corpus.UpdateFeatureFrequency(II, Feature);<br>
if (Options.ReduceInputs && II)<br>
if (std::binary_search(II->UniqFeatureSet.begin(),<br>
II->UniqFeatureSet.end(), Feature))<br>
@@ -693,6 +695,7 @@ void Fuzzer::MutateAndTestOne() {<br>
assert(NewSize <= CurrentMaxMutationLen && "Mutator return oversized unit");<br>
Size = NewSize;<br>
II.NumExecutedMutations++;<br>
+ Corpus.IncrementNumExecutedMutations();<br>
<br>
bool FoundUniqFeatures = false;<br>
bool NewCov = RunOne(CurrentUnitData, Size, /*MayDeleteFile=*/true, &II,<br>
@@ -706,6 +709,8 @@ void Fuzzer::MutateAndTestOne() {<br>
if (Options.ReduceDepth && !FoundUniqFeatures)<br>
break;<br>
}<br>
+<br>
+ II.NeedsEnergyUpdate = true;<br>
}<br>
<br>
void Fuzzer::PurgeAllocator() {<br>
<br>
diff --git a/compiler-rt/lib/fuzzer/FuzzerOptions.h b/compiler-rt/lib/fuzzer/FuzzerOptions.h<br>
index beecc980380b..9d975bd61fe7 100644<br>
--- a/compiler-rt/lib/fuzzer/FuzzerOptions.h<br>
+++ b/compiler-rt/lib/fuzzer/FuzzerOptions.h<br>
@@ -44,6 +44,9 @@ struct FuzzingOptions {<br>
size_t MaxNumberOfRuns = -1L;<br>
int ReportSlowUnits = 10;<br>
bool OnlyASCII = false;<br>
+ bool Entropic = false;<br>
+ size_t EntropicFeatureFrequencyThreshold = 0xFF;<br>
+ size_t EntropicNumberOfRarestFeatures = 100;<br>
std::string OutputCorpus;<br>
std::string ArtifactPrefix = "./";<br>
std::string ExactArtifactPath;<br>
<br>
diff --git a/compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp b/compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp<br>
index 7fc4b9a55b08..b480e9f0fff5 100644<br>
--- a/compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp<br>
+++ b/compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp<br>
@@ -592,7 +592,8 @@ TEST(FuzzerUtil, Base64) {<br>
TEST(Corpus, Distribution) {<br>
DataFlowTrace DFT;<br>
Random Rand(0);<br>
- std::unique_ptr<InputCorpus> C(new InputCorpus(""));<br>
+ struct EntropicOptions Entropic = {false, 0xFF, 100};<br>
+ std::unique_ptr<InputCorpus> C(new InputCorpus("", Entropic));<br>
size_t N = 10;<br>
size_t TriesPerUnit = 1<<16;<br>
for (size_t i = 0; i < N; i++)<br>
@@ -1050,6 +1051,68 @@ TEST(FuzzerCommand, SetOutput) {<br>
EXPECT_EQ(CmdLine, makeCmdLine("", ">thud 2>&1"));<br>
}<br>
<br>
+TEST(Entropic, UpdateFrequency) {<br>
+ const size_t One = 1, Two = 2;<br>
+ const size_t FeatIdx1 = 0, FeatIdx2 = 42, FeatIdx3 = 12, FeatIdx4 = 26;<br>
+ size_t Index;<br>
+ // Create input corpus with default entropic configuration<br>
+ struct EntropicOptions Entropic = {true, 0xFF, 100};<br>
+ std::unique_ptr<InputCorpus> C(new InputCorpus("", Entropic));<br>
+ InputInfo *II = new InputInfo();<br></blockquote><div><br></div><div>This is leaked.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
+<br>
+ C->AddRareFeature(FeatIdx1);<br>
+ C->UpdateFeatureFrequency(II, FeatIdx1);<br>
+ EXPECT_EQ(II->FeatureFreqs.size(), One);<br>
+ C->AddRareFeature(FeatIdx2);<br>
+ C->UpdateFeatureFrequency(II, FeatIdx1);<br>
+ C->UpdateFeatureFrequency(II, FeatIdx2);<br>
+ EXPECT_EQ(II->FeatureFreqs.size(), Two);<br>
+ EXPECT_EQ(II->FeatureFreqs[0].second, 2);<br>
+ EXPECT_EQ(II->FeatureFreqs[1].second, 1);<br>
+<br>
+ C->AddRareFeature(FeatIdx3);<br>
+ C->AddRareFeature(FeatIdx4);<br>
+ C->UpdateFeatureFrequency(II, FeatIdx3);<br>
+ C->UpdateFeatureFrequency(II, FeatIdx3);<br>
+ C->UpdateFeatureFrequency(II, FeatIdx3);<br>
+ C->UpdateFeatureFrequency(II, FeatIdx4);<br>
+<br>
+ for (Index = 1; Index < II->FeatureFreqs.size(); Index++)<br>
+ EXPECT_LT(II->FeatureFreqs[Index - 1].first, II->FeatureFreqs[Index].first);<br>
+<br>
+ II->DeleteFeatureFreq(FeatIdx3);<br>
+ for (Index = 1; Index < II->FeatureFreqs.size(); Index++)<br>
+ EXPECT_LT(II->FeatureFreqs[Index - 1].first, II->FeatureFreqs[Index].first);<br>
+}<br>
+<br>
+double SubAndSquare(double X, double Y) {<br>
+ double R = X - Y;<br>
+ R = R * R;<br>
+ return R;<br>
+}<br>
+<br>
+TEST(Entropic, ComputeEnergy) {<br>
+ const double Precision = 0.01;<br>
+ struct EntropicOptions Entropic = {true, 0xFF, 100};<br>
+ std::unique_ptr<InputCorpus> C(new InputCorpus("", Entropic));<br>
+ InputInfo *II = new InputInfo();<br></blockquote><div><br></div><div>As is this. Please can you fix or revert?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
+ Vector<std::pair<uint32_t, uint16_t>> FeatureFreqs = {{1, 3}, {2, 3}, {3, 3}};<br>
+ II->FeatureFreqs = FeatureFreqs;<br>
+ II->NumExecutedMutations = 0;<br>
+ II->UpdateEnergy(4);<br>
+ EXPECT_LT(SubAndSquare(II->Energy, 1.450805), Precision);<br>
+<br>
+ II->NumExecutedMutations = 9;<br>
+ II->UpdateEnergy(5);<br>
+ EXPECT_LT(SubAndSquare(II->Energy, 1.525496), Precision);<br>
+<br>
+ II->FeatureFreqs[0].second++;<br>
+ II->FeatureFreqs.push_back(std::pair<uint32_t, uint16_t>(42, 6));<br>
+ II->NumExecutedMutations = 20;<br>
+ II->UpdateEnergy(10);<br>
+ EXPECT_LT(SubAndSquare(II->Energy, 1.792831), Precision);<br>
+}<br>
+<br>
int main(int argc, char **argv) {<br>
testing::InitGoogleTest(&argc, argv);<br>
return RUN_ALL_TESTS();<br>
<br>
<br>
<br>
_______________________________________________<br>
llvm-commits mailing list<br>
<a href="mailto:llvm-commits@lists.llvm.org" target="_blank">llvm-commits@lists.llvm.org</a><br>
<a href="https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits" rel="noreferrer" target="_blank">https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits</a><br>
</blockquote></div></div>
</blockquote></div>