[llvm] r289998 - [libFuzzer] add an experimental flag -experimental_len_control=1 that sets max_len to 1M and tries to increases the actual max sizes of mutations very gradually. Also remove a bit of dead code
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Fri Dec 16 14:42:05 PST 2016
Author: kcc
Date: Fri Dec 16 16:42:05 2016
New Revision: 289998
URL: http://llvm.org/viewvc/llvm-project?rev=289998&view=rev
Log:
[libFuzzer] add an experimental flag -experimental_len_control=1 that sets max_len to 1M and tries to increase the actual max sizes of mutations very gradually. Also remove a bit of dead code
Modified:
llvm/trunk/lib/Fuzzer/FuzzerCorpus.h
llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
llvm/trunk/lib/Fuzzer/FuzzerFlags.def
llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp
llvm/trunk/lib/Fuzzer/FuzzerOptions.h
Modified: llvm/trunk/lib/Fuzzer/FuzzerCorpus.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerCorpus.h?rev=289998&r1=289997&r2=289998&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerCorpus.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerCorpus.h Fri Dec 16 16:42:05 2016
@@ -59,6 +59,12 @@ class InputCorpus {
Res += !II->U.empty();
return Res;
}
+ size_t MaxInputSize() const {
+ size_t Res = 0;
+ for (auto II : Inputs)
+ Res = std::max(Res, II->U.size());
+ return Res;
+ }
bool empty() const { return Inputs.empty(); }
const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }
void AddToCorpus(const Unit &U, size_t NumFeatures, bool MayDeleteFile = false) {
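Review bot: `MaxInputSize()` walks every corpus entry on each call, and the FuzzerLoop hunk in this commit evaluates it once per `MutateAndTestOne` invocation, so with length control enabled every mutation sequence pays an O(|corpus|) scan, which matters once the corpus grows large. Because an entry can only raise the maximum when it is added, a cached value maintained in `AddToCorpus` (`MaxInputSize_ = std::max(MaxInputSize_, U.size());`) gives the same answer in O(1); the `!II->U.empty()` count just above suggests entries can later become empty, in which case the cached value is an upper bound rather than the exact maximum, which I cannot judge from this hunk. `std::max` also needs `<algorithm>`, and I cannot tell from the hunk whether the header already includes it. A comment such as `// Size of the largest unit currently in the corpus; linear in the number of inputs.` would at least make the cost visible to callers.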
Modified: llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp?rev=289998&r1=289997&r2=289998&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp Fri Dec 16 16:42:05 2016
@@ -390,6 +390,9 @@ int FuzzerDriver(int *argc, char ***argv
FuzzingOptions Options;
Options.Verbosity = Flags.verbosity;
Options.MaxLen = Flags.max_len;
+ Options.ExperimentalLenControl = Flags.experimental_len_control;
+ if (Flags.experimental_len_control && Flags.max_len == 64)
+ Options.MaxLen = 1 << 20;
Options.UnitTimeoutSec = Flags.timeout;
Options.ErrorExitCode = Flags.error_exitcode;
Options.TimeoutExitCode = Flags.timeout_exitcode;
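Review bot: The guard `Flags.max_len == 64` on the added lines does not match the flag's declared default, which the FuzzerFlags.def hunk shows as 0, so as written the 1 MiB override fires only when the user explicitly passes `-max_len=64`, unless code outside this hunk rewrites `Flags.max_len` to 64 beforehand, which I cannot see from here. If the intent is "the user did not choose a length", compare against the real default and name the magic number: `const size_t kLenControlMaxLen = 1 << 20;` followed by `if (Flags.experimental_len_control && Flags.max_len == 0) Options.MaxLen = kLenControlMaxLen;`. Either way a one-line comment explaining that the large cap is safe because `ComputeMutationLen` grows the effective bound gradually would tell the next reader why the usual guessed max_len is bypassed.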
Modified: llvm/trunk/lib/Fuzzer/FuzzerFlags.def
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerFlags.def?rev=289998&r1=289997&r2=289998&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerFlags.def (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerFlags.def Fri Dec 16 16:42:05 2016
@@ -17,6 +17,7 @@ FUZZER_FLAG_INT(runs, -1,
FUZZER_FLAG_INT(max_len, 0, "Maximum length of the test input. "
"If 0, libFuzzer tries to guess a good value based on the corpus "
"and reports it. ")
+FUZZER_FLAG_INT(experimental_len_control, 0, "experimental flag")
FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.")
FUZZER_FLAG_INT(mutate_depth, 5,
"Apply this number of consecutive mutations to each input.")
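Review bot: The help string `"experimental flag"` on the added line documents nothing, and this text is what libFuzzer prints to users for this option while every neighbouring flag states what it does. From the commit log the flag has two effects, switching the mutation-length bound to the gradual schedule and, under the condition in the FuzzerDriver hunk, raising max_len to 1 MiB, so a string such as `"Experimental. If 1, grow the effective mutation length gradually and, unless max_len was given, use max_len=1M."` would be more useful. This is a documentation-only change.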
Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=289998&r1=289997&r2=289998&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Fri Dec 16 16:42:05 2016
@@ -697,6 +697,19 @@ void Fuzzer::TryDetectingAMemoryLeak(con
}
}
+static size_t ComputeMutationLen(size_t MaxInputSize, size_t MaxMutationLen,
+ Random &Rand) {
+ assert(MaxInputSize <= MaxMutationLen);
+ if (MaxInputSize == MaxMutationLen) return MaxMutationLen;
+ size_t Result = MaxInputSize;
+ size_t R = Rand.Rand();
+ if ((R % (1U << 7)) == 0)
+ Result++;
+ if ((R % (1U << 15)) == 0)
+ Result += 10 + Result / 2;
+ return Min(Result, MaxMutationLen);
+}
+
void Fuzzer::MutateAndTestOne() {
MD.StartMutationSequence();
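Review bot: `ComputeMutationLen` returns 0 when `MaxInputSize` is 0 and neither random bump fires (roughly 127 of 128 calls), yet the caller's contract shown in the next hunk is `assert(MaxMutationLen > 0)` and `MutateImpl` asserts `MaxSize > 0`; whether a zero maximum can actually reach this function depends on whether the corpus can consist solely of empty units at this point, which I cannot tell from the hunk (the `!II->U.empty()` count in FuzzerCorpus.h suggests empty entries exist). A floor removes the question: `size_t Result = MaxInputSize ? MaxInputSize : 1;`. Beyond that, the function carries no comment and its schedule is several unexplained literals; I would add a header comment saying that the bound tracks the largest corpus input, grows by one byte with probability 2^-7 and additionally by half its size plus ten with probability 2^-15, never exceeds `MaxMutationLen`, and that the entry `assert` is the only guard against `MaxInputSize > MaxMutationLen` while the final `Min` still clamps in release builds.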
@@ -710,13 +723,19 @@ void Fuzzer::MutateAndTestOne() {
assert(MaxMutationLen > 0);
+ size_t CurrentMaxMutationLen =
+ Options.ExperimentalLenControl
+ ? ComputeMutationLen(Corpus.MaxInputSize(), MaxMutationLen,
+ MD.GetRand())
+ : MaxMutationLen;
+
for (int i = 0; i < Options.MutateDepth; i++) {
if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
break;
size_t NewSize = 0;
- NewSize = MD.Mutate(CurrentUnitData, Size, MaxMutationLen);
+ NewSize = MD.Mutate(CurrentUnitData, Size, CurrentMaxMutationLen);
assert(NewSize > 0 && "Mutator returned empty unit");
- assert(NewSize <= MaxMutationLen && "Mutator return overisized unit");
+ assert(NewSize <= CurrentMaxMutationLen && "Mutator return overisized unit");
Size = NewSize;
if (i == 0)
StartTraceRecording();
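Review bot: The new `CurrentMaxMutationLen` is never checked before use, while the existing `assert(MaxMutationLen > 0)` just above still validates only the old bound; since `ComputeMutationLen` may return a different value than `MaxMutationLen`, the assertion protecting `MD.Mutate` should cover the value actually passed: `assert(CurrentMaxMutationLen > 0 && CurrentMaxMutationLen <= MaxMutationLen);`. The changed assertion line also keeps the misspelt message `"Mutator return overisized unit"`; while touching it, `"Mutator returned oversized unit"` reads correctly. `MutateAndTestOne` begins before this hunk and continues after it, so I cannot see how `Size` and `CurrentUnitData` are prepared for the first `Mutate` call.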
Modified: llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp?rev=289998&r1=289997&r2=289998&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp Fri Dec 16 16:42:05 2016
@@ -485,13 +485,6 @@ size_t MutationDispatcher::MutateImpl(ui
size_t MaxSize,
const std::vector<Mutator> &Mutators) {
assert(MaxSize > 0);
- if (Size == 0) {
- for (size_t i = 0; i < MaxSize; i++)
- Data[i] = RandCh(Rand);
- if (Options.OnlyASCII)
- ToASCII(Data, MaxSize);
- return MaxSize;
- }
assert(Size > 0);
// Some mutations may fail (e.g. can't insert more bytes if Size == MaxSize),
// in which case they will return 0.
Modified: llvm/trunk/lib/Fuzzer/FuzzerOptions.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerOptions.h?rev=289998&r1=289997&r2=289998&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerOptions.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerOptions.h Fri Dec 16 16:42:05 2016
@@ -19,6 +19,7 @@ namespace fuzzer {
struct FuzzingOptions {
int Verbosity = 1;
size_t MaxLen = 0;
+ bool ExperimentalLenControl = false;
int UnitTimeoutSec = 300;
int TimeoutExitCode = 77;
int ErrorExitCode = 77;