[llvm] r290031 - [libFuzzer] when tracing switch statements, handle only one case at a time (to make things faster). Also ensure that the signals from value profile do not intersect with the regular coverage
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Fri Dec 16 18:03:34 PST 2016
Author: kcc
Date: Fri Dec 16 20:03:34 2016
New Revision: 290031
URL: http://llvm.org/viewvc/llvm-project?rev=290031&view=rev
Log:
[libFuzzer] when tracing switch statements, handle only one case at a time (to make things faster). Also ensure that the signals from value profile do not intersect with the regular coverage
Modified:
llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp
llvm/trunk/lib/Fuzzer/FuzzerTracePC.h
llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp
Modified: llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp?rev=290031&r1=290030&r2=290031&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp Fri Dec 16 20:03:34 2016
@@ -290,12 +290,22 @@ void __sanitizer_cov_trace_cmp1(uint8_t
__attribute__((visibility("default")))
void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) {
+ // Updates the value profile based on the relative position of Val and Cases.
+ // We want to handle one random case at every call (handling all is slow).
+ // Since none of the arguments contain any random bits we use a thread-local
+ // counter to choose the random case to handle.
+ static thread_local size_t Counter;
+ Counter++;
uint64_t N = Cases[0];
uint64_t *Vals = Cases + 2;
char *PC = (char*)__builtin_return_address(0);
- for (size_t i = 0; i < N; i++)
- if (Val != Vals[i])
- fuzzer::TPC.HandleCmp(PC + i, Val, Vals[i]);
+ size_t Idx = Counter % N;
+ uint64_t TwoIn32 = 1ULL << 32;
+ if ((Val | Vals[Idx]) < TwoIn32)
+ fuzzer::TPC.HandleCmp(PC + Idx, static_cast<uint32_t>(Val),
+ static_cast<uint32_t>(Vals[Idx]));
+ else
+ fuzzer::TPC.HandleCmp(PC + Idx, Val, Vals[Idx]);
}
__attribute__((visibility("default")))
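Review bot: `size_t Idx = Counter % N;` divides by zero when `Cases[0]` is 0, a case the removed loop handled by simply not iterating. Nothing in the hunk shows that the instrumentation never passes an empty case table, so a guard such as `if (N == 0) return;` before computing `Idx` would keep the callback from faulting inside the fuzzer runtime, where a crash could be mistaken for a finding in the target. The new comment calls the choice "random", but the code is a per-thread round-robin; `// Handle one case per call, chosen round-robin via a thread-local counter.` would describe it accurately. The old `Val != Vals[i]` filter is also gone, so equal values now reach `HandleCmp`; whether that is harmless depends on how `HandleCmp` treats equal arguments, which is not visible here.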
Modified: llvm/trunk/lib/Fuzzer/FuzzerTracePC.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTracePC.h?rev=290031&r1=290030&r2=290031&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTracePC.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTracePC.h Fri Dec 16 20:03:34 2016
@@ -144,7 +144,7 @@ size_t TracePC::CollectFeatures(Callback
}
if (UseValueProfile)
ValueProfileMap.ForEach([&](size_t Idx) {
- if (CB(NumGuards + Idx))
+ if (CB(NumGuards * 8 + Idx))
Res++;
});
return Res;
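Review bot: The factor 8 in `CB(NumGuards * 8 + Idx)` is an unexplained magic number. It presumably reserves eight feature slots per guard so that value-profile indices start past the regular coverage features, but the code that emits those features is above the hunk and not visible here. A comment such as `// Coverage features occupy [0, NumGuards * 8); value-profile features start after them.`, or a named constant shared with the coverage loop, would keep the two ranges from overlapping again if the per-guard feature count changes. CollectFeatures begins outside the hunk.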
Modified: llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp?rev=290031&r1=290030&r2=290031&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp (original)
+++ llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp Fri Dec 16 20:03:34 2016
@@ -20,8 +20,8 @@ bool Switch(const uint8_t *Data, size_t
case 101: Sink = __LINE__; break;
case 1001: Sink = __LINE__; break;
case 10001: Sink = __LINE__; break;
- case 100001: Sink = __LINE__; break;
- case 1000001: Sink = __LINE__; break;
+// case 100001: Sink = __LINE__; break;
+// case 1000001: Sink = __LINE__; break;
case 10000001: Sink = __LINE__; break;
case 100000001: return true;
}
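Review bot: The cases `100001` and `1000001` are commented out rather than removed, and nothing says why. If they were disabled because tracing one switch case per call makes the test slower to converge, state that next to them, e.g. `// Disabled: with one case traced per call the fuzzer takes too long to reach these.` (assumed reason, to be confirmed by the author), or delete the lines. As it stands the regression test quietly covers fewer switch values than before. The Switch function starts and ends outside the hunk.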