[PATCH] D24049: [libfuzzer] simplified unit truncation; do not write trunc items to disc
Mike Aizatsky via llvm-commits
llvm-commits at lists.llvm.org
Tue Aug 30 13:57:20 PDT 2016
This revision was automatically updated to reflect the committed changes.
aizatsky marked 2 inline comments as done.
Closed by commit rL280153: [libfuzzer] simplified unit truncation; do not write trunc items to disc (authored by aizatsky).
Changed prior to commit:
https://reviews.llvm.org/D24049?vs=69736&id=69751#toc
Repository:
rL LLVM
https://reviews.llvm.org/D24049
Files:
llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
llvm/trunk/lib/Fuzzer/test/fuzzer-trunc.test
Index: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
===================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
@@ -33,7 +33,6 @@
namespace fuzzer {
static const size_t kMaxUnitSizeToPrint = 256;
-static const size_t TruncateMaxRuns = 1000;
thread_local bool Fuzzer::IsMyThread;
@@ -371,39 +370,22 @@
}
// Tries random prefixes of corpus items.
-// Prefix length is chosen according to exponential distribution
-// to sample short lengths much more heavily.
void Fuzzer::TruncateUnits(std::vector<Unit> *NewCorpus) {
- size_t MaxCorpusLen = 0;
- for (const auto &U : Corpus)
- MaxCorpusLen = std::max(MaxCorpusLen, U.size());
-
- if (MaxCorpusLen <= 1)
- return;
+ std::vector<double> Fractions = {0.25, 0.5, 0.75, 1.0};
- // 50% of exponential distribution is Log[2]/lambda.
- // Choose lambda so that median is MaxCorpusLen / 2.
- double Lambda = 2.0 * log(2.0) / static_cast<double>(MaxCorpusLen);
- std::exponential_distribution<> Dist(Lambda);
- std::vector<double> Sizes;
- size_t TruncatePoints = std::max(1ul, TruncateMaxRuns / Corpus.size());
- Sizes.reserve(TruncatePoints);
- for (size_t I = 0; I < TruncatePoints; ++I) {
- Sizes.push_back(Dist(MD.GetRand().Get_mt19937()) + 1);
- }
- std::sort(Sizes.begin(), Sizes.end());
-
- for (size_t S : Sizes) {
+ size_t TruncInputs = 0;
+ for (double Fraction : Fractions) {
for (const auto &U : Corpus) {
- if (S < U.size() && RunOne(U.data(), S)) {
- Unit U1(U.begin(), U.begin() + S);
- NewCorpus->push_back(U1);
- WriteToOutputCorpus(U1);
- PrintStatusForNewUnit(U1);
- }
+ uint64_t S = MD.GetRand()(U.size() * Fraction);
+ if (!S || !RunOne(U.data(), S))
+ continue;
+ TruncInputs++;
+ Unit U1(U.begin(), U.begin() + S);
+ NewCorpus->push_back(U1);
}
}
- PrintStats("TRUNC ");
+ if (TruncInputs)
+ Printf("\tINFO TRUNC %zd units added to in-memory corpus\n", TruncInputs);
}
void Fuzzer::ShuffleAndMinimize() {
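Review bot: In the new `Printf` at the end of `TruncateUnits`, `TruncInputs` is a `size_t` but is formatted with the signed conversion `%zd`; `%zu` matches the type: `Printf("\tINFO TRUNC %zu units added to in-memory corpus\n", TruncInputs);`. Separately, `U.size() * Fraction` is a double that is narrowed implicitly when passed to `MD.GetRand()`, and for very short units it truncates to 0, so the call relies on the random helper accepting a zero bound, which is not visible in this hunk. A comment such as `// S: random prefix length below U.size() * Fraction; 0 means nothing to try` above the `!S` check would make that explicit. `Fractions` never changes and could be a `static const double[]` instead of a vector allocated on every call.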
Index: llvm/trunk/lib/Fuzzer/test/fuzzer-trunc.test
===================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer-trunc.test
+++ llvm/trunk/lib/Fuzzer/test/fuzzer-trunc.test
@@ -2,9 +2,7 @@
RUN: rm -rf FuzzerTruncateTestCORPUS
RUN: mkdir FuzzerTruncateTestCORPUS
RUN: echo "01234567890123456789012345678901234567890" > FuzzerTruncateTestCORPUS/unit1
-# Simply running a fuzzer won't produce new results
-RUN: LLVMFuzzer-EmptyTest -seed=1 -runs=100 -truncate_units=0 ./FuzzerTruncateTestCORPUS
-# Truncating would create a new unit of length 1.
-RUN: LLVMFuzzer-EmptyTest -seed=1 -runs=0 -truncate_units=1 ./FuzzerTruncateTestCORPUS
-RUN: find FuzzerTruncateTestCORPUS/b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
+RUN: LLVMFuzzer-EmptyTest -seed=1 -runs=0 -truncate_units=1 ./FuzzerTruncateTestCORPUS 2>&1 | FileCheck %s
RUN: rm -rf FuzzerTruncateTestCORPUS
+
+CHECK: INFO TRUNC 1 units added
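Review bot: The updated test checks only the log line, so nothing asserts the behaviour named in the commit title, that truncated units are no longer written to the corpus directory. Adding something like `RUN: ls FuzzerTruncateTestCORPUS | count 1` before the final `rm -rf` would pin that, assuming lit's `count` helper is available to this suite. The `CHECK: INFO TRUNC 1 units added` line also depends on `-seed=1` yielding exactly one accepted prefix, which looks fragile if the random generator or the fraction list changes; matching `INFO TRUNC {{[0-9]+}} units added` would be less brittle.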
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D24049.69751.patch
Type: text/x-patch
Size: 3031 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20160830/fd872442/attachment.bin>