[llvm] r282219 - [libFuzzer] move value profiling logic into TracePC
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Thu Sep 22 17:46:18 PDT 2016
Author: kcc
Date: Thu Sep 22 19:46:18 2016
New Revision: 282219
URL: http://llvm.org/viewvc/llvm-project?rev=282219&view=rev
Log:
[libFuzzer] move value profiling logic into TracePC
Modified:
llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
llvm/trunk/lib/Fuzzer/FuzzerInternal.h
llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
llvm/trunk/lib/Fuzzer/FuzzerOptions.h
llvm/trunk/lib/Fuzzer/FuzzerTracePC.h
llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
Modified: llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp?rev=282219&r1=282218&r2=282219&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp Thu Sep 22 19:46:18 2016
@@ -397,6 +397,7 @@ int FuzzerDriver(int *argc, char ***argv
Options.UseIndirCalls = Flags.use_indir_calls;
Options.UseMemcmp = Flags.use_memcmp;
Options.UseMemmem = Flags.use_memmem;
+ Options.UseValueProfile = Flags.use_value_profile;
Options.ShuffleAtStartUp = Flags.shuffle;
Options.PreferSmall = Flags.prefer_small;
Options.Reload = Flags.reload;
@@ -428,9 +429,6 @@ int FuzzerDriver(int *argc, char ***argv
Options.PrintCoverage = Flags.print_coverage;
Options.PruneCorpus = Flags.prune_corpus;
- if (Flags.use_value_profile)
- EnableValueProfile();
-
unsigned Seed = Flags.seed;
// Initialize Seed.
if (Seed == 0)
Modified: llvm/trunk/lib/Fuzzer/FuzzerInternal.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=282219&r1=282218&r2=282219&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerInternal.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerInternal.h Thu Sep 22 19:46:18 2016
@@ -29,10 +29,6 @@ namespace fuzzer {
using namespace std::chrono;
-// See FuzzerTraceState.cpp
-void EnableValueProfile();
-bool VPMapMergeFromCurrent(ValueBitMap &M);
-
class Fuzzer {
public:
Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=282219&r1=282218&r2=282219&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Thu Sep 22 19:46:18 2016
@@ -115,7 +115,7 @@ bool Fuzzer::RecordMaxCoverage(Fuzzer::C
if (TPC.UpdateCounterMap(&C->TPCMap))
Res = true;
- if (VPMapMergeFromCurrent(C->VPMap))
+ if (TPC.UpdateValueProfileMap(&C->VPMap))
Res = true;
if (EF->__sanitizer_get_coverage_pc_buffer_pos) {
@@ -168,6 +168,7 @@ Fuzzer::Fuzzer(UserCallback CB, InputCor
if (Options.DetectLeaks && EF->__sanitizer_install_malloc_and_free_hooks)
EF->__sanitizer_install_malloc_and_free_hooks(MallocHook, FreeHook);
TPC.SetUseCounters(Options.UseCounters);
+ TPC.SetUseValueProfile(Options.UseValueProfile);
if (Options.PrintNewCovPcs) {
PcBufferLen = 1 << 24;
Modified: llvm/trunk/lib/Fuzzer/FuzzerOptions.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerOptions.h?rev=282219&r1=282218&r2=282219&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerOptions.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerOptions.h Thu Sep 22 19:46:18 2016
@@ -30,7 +30,7 @@ struct FuzzingOptions {
bool UseIndirCalls = true;
bool UseMemcmp = true;
bool UseMemmem = true;
- bool UseFullCoverageSet = false;
+ bool UseValueProfile = false;
bool Reload = true;
bool ShuffleAtStartUp = true;
bool PreferSmall = true;
Modified: llvm/trunk/lib/Fuzzer/FuzzerTracePC.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTracePC.h?rev=282219&r1=282218&r2=282219&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTracePC.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTracePC.h Thu Sep 22 19:46:18 2016
@@ -22,11 +22,16 @@ class TracePC {
void HandleTrace(uintptr_t *guard, uintptr_t PC);
void HandleInit(uintptr_t *start, uintptr_t *stop);
void HandleCallerCallee(uintptr_t Caller, uintptr_t Callee);
+ void HandleValueProfile(size_t Value) { ValueProfileMap.AddValue(Value); }
size_t GetTotalCoverage() { return TotalCoverage; }
void SetUseCounters(bool UC) { UseCounters = UC; }
+ void SetUseValueProfile(bool VP) { UseValueProfile = VP; }
bool UpdateCounterMap(ValueBitMap *MaxCounterMap) {
return UseCounters && MaxCounterMap->MergeFrom(CounterMap);
}
+ bool UpdateValueProfileMap(ValueBitMap *MaxValueProfileMap) {
+ return UseValueProfile && MaxValueProfileMap->MergeFrom(ValueProfileMap);
+ }
void FinalizeTrace();
size_t GetNewPCIDs(uintptr_t **NewPCIDsPtr) {
@@ -51,6 +56,7 @@ class TracePC {
private:
bool UseCounters = false;
+ bool UseValueProfile = false;
size_t TotalCoverage = 0;
static const size_t kMaxNewPCIDs = 64;
@@ -77,6 +83,7 @@ private:
uintptr_t PCs[kNumPCs];
ValueBitMap CounterMap;
+ ValueBitMap ValueProfileMap;
ValueBitMap TotalCoverageMap;
};
Modified: llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp?rev=282219&r1=282218&r2=282219&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp Thu Sep 22 19:46:18 2016
@@ -75,6 +75,7 @@
#include "FuzzerDictionary.h"
#include "FuzzerMutate.h"
#include "FuzzerRandom.h"
+#include "FuzzerTracePC.h"
#include <algorithm>
#include <cstring>
@@ -175,7 +176,6 @@ struct TraceBasedMutation {
// Declared as static globals for faster checks inside the hooks.
static bool RecordingMemcmp = false;
static bool RecordingMemmem = false;
-static bool RecordingValueProfile = false;
static bool DoingMyOwnMemmem = false;
struct ScopedDoingMyOwnMemmem {
@@ -532,21 +532,13 @@ static size_t InternalStrnlen(const char
// Value profile.
// We keep track of various values that affect control flow.
-// These values are inserted into a bit-set-based hash map (ValueBitMap VP).
+// These values are inserted into a bit-set-based hash map.
// Every new bit in the map is treated as a new coverage.
//
// For memcmp/strcmp/etc the interesting value is the length of the common
// prefix of the parameters.
// For cmp instructions the interesting value is a XOR of the parameters.
// The interesting value is mixed up with the PC and is then added to the map.
-static ValueBitMap VP;
-
-void EnableValueProfile() { RecordingValueProfile = true; }
-
-bool VPMapMergeFromCurrent(ValueBitMap &M) {
- if (!RecordingValueProfile) return 0;
- return M.MergeFrom(VP);
-}
static void AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
size_t n) {
@@ -562,7 +554,7 @@ static void AddValueForMemcmp(void *call
size_t Idx = I;
// if (I < Len)
// Idx += __builtin_popcountl((A1[I] ^ A2[I])) - 1;
- VP.AddValue((PC & 4095) | (Idx << 12));
+ TPC.HandleValueProfile((PC & 4095) | (Idx << 12));
}
static void AddValueForStrcmp(void *caller_pc, const char *s1, const char *s2,
@@ -579,7 +571,7 @@ static void AddValueForStrcmp(void *call
size_t Idx = I;
// if (I < Len && A1[I])
// Idx += __builtin_popcountl((A1[I] ^ A2[I])) - 1;
- VP.AddValue((PC & 4095) | (Idx << 12));
+ TPC.HandleValueProfile((PC & 4095) | (Idx << 12));
}
ATTRIBUTE_TARGET_POPCNT
@@ -589,7 +581,7 @@ static void AddValueForCmp(void *PCptr,
uintptr_t PC = reinterpret_cast<uintptr_t>(PCptr);
uint64_t ArgDistance = __builtin_popcountl(Arg1 ^ Arg2) - 1; // [0,63]
uintptr_t Idx = (PC & 4095) | (ArgDistance << 12);
- VP.AddValue(Idx);
+ TPC.HandleValueProfile(Idx);
}
static void AddValueForSingleVal(void *PCptr, uintptr_t Val) {
@@ -597,14 +589,13 @@ static void AddValueForSingleVal(void *P
uintptr_t PC = reinterpret_cast<uintptr_t>(PCptr);
uint64_t ArgDistance = __builtin_popcountl(Val) - 1; // [0,63]
uintptr_t Idx = (PC & 4095) | (ArgDistance << 12);
- VP.AddValue(Idx);
+ TPC.HandleValueProfile(Idx);
}
} // namespace fuzzer
using fuzzer::TS;
using fuzzer::RecordingMemcmp;
-using fuzzer::RecordingValueProfile;
extern "C" {
void __dfsw___sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,
@@ -670,8 +661,7 @@ void dfsan_weak_hook_strcmp(void *caller
#if LLVM_FUZZER_DEFINES_SANITIZER_WEAK_HOOOKS
void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
const void *s2, size_t n, int result) {
- if (RecordingValueProfile)
- fuzzer::AddValueForMemcmp(caller_pc, s1, s2, n);
+ fuzzer::AddValueForMemcmp(caller_pc, s1, s2, n);
if (!RecordingMemcmp) return;
if (result == 0) return; // No reason to mutate.
if (n <= 1) return; // Not interesting.
@@ -681,8 +671,7 @@ void __sanitizer_weak_hook_memcmp(void *
void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
const char *s2, size_t n, int result) {
- if (RecordingValueProfile)
- fuzzer::AddValueForStrcmp(caller_pc, s1, s2, n);
+ fuzzer::AddValueForStrcmp(caller_pc, s1, s2, n);
if (!RecordingMemcmp) return;
if (result == 0) return; // No reason to mutate.
size_t Len1 = fuzzer::InternalStrnlen(s1, n);
@@ -696,8 +685,7 @@ void __sanitizer_weak_hook_strncmp(void
void __sanitizer_weak_hook_strcmp(void *caller_pc, const char *s1,
const char *s2, int result) {
- if (RecordingValueProfile)
- fuzzer::AddValueForStrcmp(caller_pc, s1, s2, 64);
+ fuzzer::AddValueForStrcmp(caller_pc, s1, s2, 64);
if (!RecordingMemcmp) return;
if (result == 0) return; // No reason to mutate.
size_t Len1 = strlen(s1);
@@ -736,8 +724,7 @@ void __sanitizer_weak_hook_memmem(void *
__attribute__((visibility("default")))
void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,
uint64_t Arg2) {
- if (RecordingValueProfile)
- fuzzer::AddValueForCmp(__builtin_return_address(0), Arg1, Arg2);
+ fuzzer::AddValueForCmp(__builtin_return_address(0), Arg1, Arg2);
}
__attribute__((visibility("default")))
More information about the llvm-commits
mailing list