[cfe-dev] Introducing clang-triage: A bot to test clang with fuzzed inputs

Sean Silva chisophugis at gmail.com
Tue Jan 6 12:45:01 PST 2015


On Tue, Jan 6, 2015 at 5:11 AM, Sami Liedes <sami.liedes at iki.fi> wrote:

> On Mon, Jan 05, 2015 at 04:36:32PM -0800, Sean Silva wrote:
> > I'm wondering how much we can improve on that 300 executions/second. My
> > guess is that a lot of time is constant-overhead startup code. A back of
> > the envelope calculation:
> >
> > 300 executions/second * 300 bytes/source file (small files) ~ 100 000
> > bytes/second.
> > 4 cores * 3 giga instructions/second ~ 10 000 000 000
> > instructions/second.
> >
> > So that's about 1 million instructions per byte, which seems excessive.
>
> One thing that clearly does cause an overhead is the instrumentation
> done by afl to get the edge coverage. It could probably also be made
> more efficient by turning it into an LLVM pass instead of the current
> textual search-and-replace on .s files (I've never before seen
> instrumentation done that way), since now it among other things always
> saves and restores registers at every conditional branch and function
> entry point[1] (plus a few non-conditionals "due to the simplicity of
> afl-as" [2]).
>

Do you have any idea how to quantify the overhead? Like what is the time
difference between an instrumented and non-instrumented clang?

-- Sean Silva


>
>         Sami
>
>
> [1] https://github.com/mcarpenter/afl/blob/master/afl-as.h#L115
> [2] https://groups.google.com/d/msg/afl-users/9swBIFHTmpo/P_PNdubKpQwJ
>
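A harness for the measurement Sean asks about, added here as an example rather than code from the thread: it times a plain clang and an afl-instrumented clang over the same corpus of small source files and reports the per-execution ratio. The binary paths, the corpus directory and the `-fsyntax-only` invocation on stdin are assumptions.

```python
#!/usr/bin/env python3
"""Time an afl-instrumented clang against a plain clang on the same inputs.

Added example; not code from the thread. Binary paths and the corpus
directory are assumptions passed on the command line.
"""
import statistics
import subprocess
import sys
import time
from pathlib import Path


def time_one(cmd, stdin_path, repeats=5):
    """Median wall-clock seconds for one run of `cmd` with `stdin_path` on stdin."""
    samples = []
    for _ in range(repeats):
        with open(stdin_path, "rb") as fin:
            t0 = time.perf_counter()
            subprocess.run(cmd, stdin=fin, stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL, check=False)
            samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def overhead(plain_cmd, instr_cmd, inputs, repeats=5):
    """Mean seconds per execution for each build, and the instrumented/plain ratio."""
    plain = statistics.mean(time_one(plain_cmd, p, repeats) for p in inputs)
    instr = statistics.mean(time_one(instr_cmd, p, repeats) for p in inputs)
    return plain, instr, instr / plain


def summarize(plain_s, instr_s):
    """Executions/second per build and the share of instrumented time that is overhead."""
    return {"plain_exec_per_s": 1.0 / plain_s,
            "instr_exec_per_s": 1.0 / instr_s,
            "overhead_fraction": (instr_s - plain_s) / instr_s}


if __name__ == "__main__":
    # usage: bench.py /path/to/clang /path/to/afl-instrumented-clang corpus_dir
    plain_bin, instr_bin, corpus = sys.argv[1:4]
    # -fsyntax-only on stdin mirrors the parse-only work a fuzzing driver does
    flags = ["-fsyntax-only", "-x", "c", "-"]
    files = sorted(Path(corpus).glob("*.c"))
    p, i, ratio = overhead([plain_bin] + flags, [instr_bin] + flags, files)
    print(f"plain {p*1000:.2f} ms  instrumented {i*1000:.2f} ms  ratio {ratio:.2f}x")
    print(summarize(p, i))
```

Run each build several times on the same corpus and compare medians; the ratio, not the absolute time, is what isolates the instrumentation cost from startup overhead common to both builds.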