[llvm] r283286 - [libFuzzer] add ShrinkValueProfileTest, move code around, NFC
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Tue Oct 4 18:09:40 PDT 2016
Author: kcc
Date: Tue Oct 4 20:09:40 2016
New Revision: 283286
URL: http://llvm.org/viewvc/llvm-project?rev=283286&view=rev
Log:
[libFuzzer] add ShrinkValueProfileTest, move code around, NFC
Added:
llvm/trunk/lib/Fuzzer/test/ShrinkControlFlowTest.cpp
- copied unchanged from r283259, llvm/trunk/lib/Fuzzer/test/MinimizeCorpusTest.cpp
llvm/trunk/lib/Fuzzer/test/ShrinkValueProfileTest.cpp
Removed:
llvm/trunk/lib/Fuzzer/test/MinimizeCorpusTest.cpp
Modified:
llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp
llvm/trunk/lib/Fuzzer/FuzzerTracePC.h
llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
llvm/trunk/lib/Fuzzer/test/fuzzer.test
llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt
Modified: llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp?rev=283286&r1=283285&r2=283286&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp Tue Oct 4 20:09:40 2016
@@ -117,6 +117,70 @@ void TracePC::PrintCoverage() {
}
}
+// Value profile.
+// We keep track of various values that affect control flow.
+// These values are inserted into a bit-set-based hash map.
+// Every new bit in the map is treated as a new coverage.
+//
+// For memcmp/strcmp/etc the interesting value is the length of the common
+// prefix of the parameters.
+// For cmp instructions the interesting value is a XOR of the parameters.
+// The interesting value is mixed up with the PC and is then added to the map.
+
+void TracePC::AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
+ size_t n) {
+ if (!n) return;
+ size_t Len = std::min(n, (size_t)32);
+ const uint8_t *A1 = reinterpret_cast<const uint8_t *>(s1);
+ const uint8_t *A2 = reinterpret_cast<const uint8_t *>(s2);
+ size_t I = 0;
+ for (; I < Len; I++)
+ if (A1[I] != A2[I])
+ break;
+ size_t PC = reinterpret_cast<size_t>(caller_pc);
+ size_t Idx = I;
+ // if (I < Len)
+ // Idx += __builtin_popcountl((A1[I] ^ A2[I])) - 1;
+ TPC.HandleValueProfile((PC & 4095) | (Idx << 12));
+}
+
+void TracePC::AddValueForStrcmp(void *caller_pc, const char *s1, const char *s2,
+ size_t n) {
+ if (!n) return;
+ size_t Len = std::min(n, (size_t)32);
+ const uint8_t *A1 = reinterpret_cast<const uint8_t *>(s1);
+ const uint8_t *A2 = reinterpret_cast<const uint8_t *>(s2);
+ size_t I = 0;
+ for (; I < Len; I++)
+ if (A1[I] != A2[I] || A1[I] == 0)
+ break;
+ size_t PC = reinterpret_cast<size_t>(caller_pc);
+ size_t Idx = I;
+ // if (I < Len && A1[I])
+ // Idx += __builtin_popcountl((A1[I] ^ A2[I])) - 1;
+ TPC.HandleValueProfile((PC & 4095) | (Idx << 12));
+}
+
+ATTRIBUTE_TARGET_POPCNT
+static void AddValueForCmp(void *PCptr, uint64_t Arg1, uint64_t Arg2) {
+ if (Arg1 == Arg2)
+ return;
+ uintptr_t PC = reinterpret_cast<uintptr_t>(PCptr);
+ uint64_t ArgDistance = __builtin_popcountl(Arg1 ^ Arg2) - 1; // [0,63]
+ uintptr_t Idx = (PC & 4095) | (ArgDistance << 12);
+ TPC.HandleValueProfile(Idx);
+}
+
+static void AddValueForSingleVal(void *PCptr, uintptr_t Val) {
+ if (!Val) return;
+ uintptr_t PC = reinterpret_cast<uintptr_t>(PCptr);
+ uint64_t ArgDistance = __builtin_popcountl(Val) - 1; // [0,63]
+ uintptr_t Idx = (PC & 4095) | (ArgDistance << 12);
+ TPC.HandleValueProfile(Idx);
+}
+
+
+
} // namespace fuzzer
extern "C" {
@@ -136,4 +200,47 @@ void __sanitizer_cov_trace_pc_indir(uint
uintptr_t PC = (uintptr_t)__builtin_return_address(0);
fuzzer::TPC.HandleCallerCallee(PC, Callee);
}
+
+// TODO: this one will not be used with the newest clang. Remove it.
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,
+ uint64_t Arg2) {
+ fuzzer::AddValueForCmp(__builtin_return_address(0), Arg1, Arg2);
+}
+
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_cmp8(uint64_t Arg1, int64_t Arg2) {
+ fuzzer::AddValueForCmp(__builtin_return_address(0), Arg1, Arg2);
}
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_cmp4(uint32_t Arg1, int32_t Arg2) {
+ fuzzer::AddValueForCmp(__builtin_return_address(0), Arg1, Arg2);
+}
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_cmp2(uint16_t Arg1, int16_t Arg2) {
+ fuzzer::AddValueForCmp(__builtin_return_address(0), Arg1, Arg2);
+}
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_cmp1(uint8_t Arg1, int8_t Arg2) {
+ fuzzer::AddValueForCmp(__builtin_return_address(0), Arg1, Arg2);
+}
+
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) {
+ // TODO(kcc): support value profile here.
+}
+
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_div4(uint32_t Val) {
+ fuzzer::AddValueForSingleVal(__builtin_return_address(0), Val);
+}
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_div8(uint64_t Val) {
+ fuzzer::AddValueForSingleVal(__builtin_return_address(0), Val);
+}
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_gep(uintptr_t Idx) {
+ fuzzer::AddValueForSingleVal(__builtin_return_address(0), Idx);
+}
+
+} // extern "C"
Modified: llvm/trunk/lib/Fuzzer/FuzzerTracePC.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTracePC.h?rev=283286&r1=283285&r2=283286&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTracePC.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTracePC.h Tue Oct 4 20:09:40 2016
@@ -62,6 +62,11 @@ class TracePC {
bool HasFeature(size_t Idx) { return CounterMap.Get(Idx); }
+ void AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
+ size_t n);
+ void AddValueForStrcmp(void *caller_pc, const char *s1, const char *s2,
+ size_t n);
+
private:
bool UseCounters = false;
bool UseValueProfile = false;
Modified: llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp?rev=283286&r1=283285&r2=283286&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp Tue Oct 4 20:09:40 2016
@@ -251,68 +251,6 @@ static size_t InternalStrnlen(const char
return Len;
}
-// Value profile.
-// We keep track of various values that affect control flow.
-// These values are inserted into a bit-set-based hash map.
-// Every new bit in the map is treated as a new coverage.
-//
-// For memcmp/strcmp/etc the interesting value is the length of the common
-// prefix of the parameters.
-// For cmp instructions the interesting value is a XOR of the parameters.
-// The interesting value is mixed up with the PC and is then added to the map.
-
-static void AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
- size_t n) {
- if (!n) return;
- size_t Len = std::min(n, (size_t)32);
- const uint8_t *A1 = reinterpret_cast<const uint8_t *>(s1);
- const uint8_t *A2 = reinterpret_cast<const uint8_t *>(s2);
- size_t I = 0;
- for (; I < Len; I++)
- if (A1[I] != A2[I])
- break;
- size_t PC = reinterpret_cast<size_t>(caller_pc);
- size_t Idx = I;
- // if (I < Len)
- // Idx += __builtin_popcountl((A1[I] ^ A2[I])) - 1;
- TPC.HandleValueProfile((PC & 4095) | (Idx << 12));
-}
-
-static void AddValueForStrcmp(void *caller_pc, const char *s1, const char *s2,
- size_t n) {
- if (!n) return;
- size_t Len = std::min(n, (size_t)32);
- const uint8_t *A1 = reinterpret_cast<const uint8_t *>(s1);
- const uint8_t *A2 = reinterpret_cast<const uint8_t *>(s2);
- size_t I = 0;
- for (; I < Len; I++)
- if (A1[I] != A2[I] || A1[I] == 0)
- break;
- size_t PC = reinterpret_cast<size_t>(caller_pc);
- size_t Idx = I;
- // if (I < Len && A1[I])
- // Idx += __builtin_popcountl((A1[I] ^ A2[I])) - 1;
- TPC.HandleValueProfile((PC & 4095) | (Idx << 12));
-}
-
-ATTRIBUTE_TARGET_POPCNT
-static void AddValueForCmp(void *PCptr, uint64_t Arg1, uint64_t Arg2) {
- if (Arg1 == Arg2)
- return;
- uintptr_t PC = reinterpret_cast<uintptr_t>(PCptr);
- uint64_t ArgDistance = __builtin_popcountl(Arg1 ^ Arg2) - 1; // [0,63]
- uintptr_t Idx = (PC & 4095) | (ArgDistance << 12);
- TPC.HandleValueProfile(Idx);
-}
-
-static void AddValueForSingleVal(void *PCptr, uintptr_t Val) {
- if (!Val) return;
- uintptr_t PC = reinterpret_cast<uintptr_t>(PCptr);
- uint64_t ArgDistance = __builtin_popcountl(Val) - 1; // [0,63]
- uintptr_t Idx = (PC & 4095) | (ArgDistance << 12);
- TPC.HandleValueProfile(Idx);
-}
-
} // namespace fuzzer
using fuzzer::TS;
@@ -328,7 +266,7 @@ extern "C" {
#if LLVM_FUZZER_DEFINES_SANITIZER_WEAK_HOOOKS
void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
const void *s2, size_t n, int result) {
- fuzzer::AddValueForMemcmp(caller_pc, s1, s2, n);
+ fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, n);
if (!RecordingMemcmp) return;
if (result == 0) return; // No reason to mutate.
if (n <= 1) return; // Not interesting.
@@ -338,7 +276,7 @@ void __sanitizer_weak_hook_memcmp(void *
void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
const char *s2, size_t n, int result) {
- fuzzer::AddValueForStrcmp(caller_pc, s1, s2, n);
+ fuzzer::TPC.AddValueForStrcmp(caller_pc, s1, s2, n);
if (!RecordingMemcmp) return;
if (result == 0) return; // No reason to mutate.
size_t Len1 = fuzzer::InternalStrnlen(s1, n);
@@ -352,7 +290,7 @@ void __sanitizer_weak_hook_strncmp(void
void __sanitizer_weak_hook_strcmp(void *caller_pc, const char *s1,
const char *s2, int result) {
- fuzzer::AddValueForStrcmp(caller_pc, s1, s2, 64);
+ fuzzer::TPC.AddValueForStrcmp(caller_pc, s1, s2, 64);
if (!RecordingMemcmp) return;
if (result == 0) return; // No reason to mutate.
size_t Len1 = strlen(s1);
@@ -386,47 +324,4 @@ void __sanitizer_weak_hook_memmem(void *
}
#endif // LLVM_FUZZER_DEFINES_SANITIZER_WEAK_HOOOKS
-
-// TODO: this one will not be used with the newest clang. Remove it.
-__attribute__((visibility("default")))
-void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,
- uint64_t Arg2) {
- fuzzer::AddValueForCmp(__builtin_return_address(0), Arg1, Arg2);
-}
-
-__attribute__((visibility("default")))
-void __sanitizer_cov_trace_cmp8(uint64_t Arg1, int64_t Arg2) {
- fuzzer::AddValueForCmp(__builtin_return_address(0), Arg1, Arg2);
-}
-__attribute__((visibility("default")))
-void __sanitizer_cov_trace_cmp4(uint32_t Arg1, int32_t Arg2) {
- fuzzer::AddValueForCmp(__builtin_return_address(0), Arg1, Arg2);
-}
-__attribute__((visibility("default")))
-void __sanitizer_cov_trace_cmp2(uint16_t Arg1, int16_t Arg2) {
- fuzzer::AddValueForCmp(__builtin_return_address(0), Arg1, Arg2);
-}
-__attribute__((visibility("default")))
-void __sanitizer_cov_trace_cmp1(uint8_t Arg1, int8_t Arg2) {
- fuzzer::AddValueForCmp(__builtin_return_address(0), Arg1, Arg2);
-}
-
-__attribute__((visibility("default")))
-void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) {
- // TODO(kcc): support value profile here.
-}
-
-__attribute__((visibility("default")))
-void __sanitizer_cov_trace_div4(uint32_t Val) {
- fuzzer::AddValueForSingleVal(__builtin_return_address(0), Val);
-}
-__attribute__((visibility("default")))
-void __sanitizer_cov_trace_div8(uint64_t Val) {
- fuzzer::AddValueForSingleVal(__builtin_return_address(0), Val);
-}
-__attribute__((visibility("default")))
-void __sanitizer_cov_trace_gep(uintptr_t Idx) {
- fuzzer::AddValueForSingleVal(__builtin_return_address(0), Idx);
-}
-
} // extern "C"
Modified: llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/CMakeLists.txt?rev=283286&r1=283285&r2=283286&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/CMakeLists.txt (original)
+++ llvm/trunk/lib/Fuzzer/test/CMakeLists.txt Tue Oct 4 20:09:40 2016
@@ -80,7 +80,6 @@ set(Tests
LeakTest
LeakTimeoutTest
LoadTest
- MinimizeCorpusTest
NullDerefTest
NullDerefOnEmptyTest
NthRunCrashTest
@@ -98,6 +97,8 @@ set(Tests
SingleStrcmpTest
SingleStrncmpTest
SpamyTest
+ ShrinkControlFlowTest
+ ShrinkValueProfileTest
StrcmpTest
StrncmpTest
StrstrTest
Removed: llvm/trunk/lib/Fuzzer/test/MinimizeCorpusTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/MinimizeCorpusTest.cpp?rev=283285&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/MinimizeCorpusTest.cpp (original)
+++ llvm/trunk/lib/Fuzzer/test/MinimizeCorpusTest.cpp (removed)
@@ -1,28 +0,0 @@
-// This file is distributed under the University of Illinois Open Source
-// License. See LICENSE.TXT for details.
-
-// Test that we can find the minimal item in the corpus (3 bytes: "FUZ").
-#include <cstdint>
-#include <cstdlib>
-#include <cstddef>
-#include <cstring>
-#include <cstdio>
-
-static volatile int Sink;
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- int8_t Ids[256];
- memset(Ids, -1, sizeof(Ids));
- for (size_t i = 0; i < Size; i++)
- if (Ids[Data[i]] == -1)
- Ids[Data[i]] = i;
- int F = Ids[(unsigned char)'F'];
- int U = Ids[(unsigned char)'U'];
- int Z = Ids[(unsigned char)'Z'];
- if (F >= 0 && U > F && Z > U) {
- Sink++;
- // fprintf(stderr, "IDS: %d %d %d\n", F, U, Z);
- }
- return 0;
-}
-
Added: llvm/trunk/lib/Fuzzer/test/ShrinkValueProfileTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/ShrinkValueProfileTest.cpp?rev=283286&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/ShrinkValueProfileTest.cpp (added)
+++ llvm/trunk/lib/Fuzzer/test/ShrinkValueProfileTest.cpp Tue Oct 4 20:09:40 2016
@@ -0,0 +1,21 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Test that we can find the minimal item in the corpus (3 bytes: "FUZ").
+#include <cstdint>
+#include <cstdlib>
+#include <cstddef>
+#include <cstring>
+#include <cstdio>
+
+static volatile uint32_t Sink;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ if (Size < sizeof(uint32_t)) return 0;
+ uint32_t X;
+ size_t Offset = Size < 8 ? 0 : Size / 2;
+ memcpy(&X, Data + Offset, sizeof(uint32_t));
+ Sink = X == 0xAABBCCDD;
+ return 0;
+}
+
Modified: llvm/trunk/lib/Fuzzer/test/fuzzer.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer.test?rev=283286&r1=283285&r2=283286&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer.test (original)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer.test Tue Oct 4 20:09:40 2016
@@ -54,6 +54,6 @@ DSO: INFO: Loaded 3 modules
DSO: BINGO
RUN: LLVMFuzzer-SimpleTest-TracePC -exit_on_src_pos=SimpleTest.cpp:17 2>&1 | FileCheck %s --check-prefix=EXIT_ON_SRC_POS
-RUN: LLVMFuzzer-MinimizeCorpusTest-TracePC -exit_on_src_pos=MinimizeCorpusTest.cpp:23 2>&1 | FileCheck %s --check-prefix=EXIT_ON_SRC_POS
+RUN: LLVMFuzzer-ShrinkControlFlowTest-TracePC -exit_on_src_pos=ShrinkControlFlowTest.cpp:23 2>&1 | FileCheck %s --check-prefix=EXIT_ON_SRC_POS
EXIT_ON_SRC_POS: INFO: found line matching '{{.*}}', exiting.
Modified: llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt?rev=283286&r1=283285&r2=283286&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt (original)
+++ llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt Tue Oct 4 20:09:40 2016
@@ -8,7 +8,8 @@ set(TracePCTests
CounterTest
CallerCalleeTest
NullDerefTest
- MinimizeCorpusTest
+ ShrinkControlFlowTest
+ ShrinkValueProfileTest
FullCoverageSetTest
)
More information about the llvm-commits
mailing list