[llvm] r308253 - [libFuzzer] improve -reduce_inputs=1: now only consider the unique features of very input (seems to work much better)
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Mon Jul 17 18:36:50 PDT 2017
Author: kcc
Date: Mon Jul 17 18:36:50 2017
New Revision: 308253
URL: http://llvm.org/viewvc/llvm-project?rev=308253&view=rev
Log:
[libFuzzer] improve -reduce_inputs=1: now only consider the unique features of every input (seems to work much better)
Modified:
llvm/trunk/lib/Fuzzer/FuzzerCorpus.h
llvm/trunk/lib/Fuzzer/FuzzerInternal.h
llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
llvm/trunk/lib/Fuzzer/test/reduce_inputs.test
Modified: llvm/trunk/lib/Fuzzer/FuzzerCorpus.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerCorpus.h?rev=308253&r1=308252&r2=308253&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerCorpus.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerCorpus.h Mon Jul 17 18:36:50 2017
@@ -34,7 +34,7 @@ struct InputInfo {
size_t NumExecutedMutations = 0;
size_t NumSuccessfullMutations = 0;
bool MayDeleteFile = false;
- std::vector<uint32_t> FeatureSet;
+ std::vector<uint32_t> UniqFeatureSet;
};
class InputCorpus {
@@ -79,7 +79,8 @@ class InputCorpus {
II.U = U;
II.NumFeatures = NumFeatures;
II.MayDeleteFile = MayDeleteFile;
- II.FeatureSet = FeatureSet;
+ II.UniqFeatureSet = FeatureSet;
+ std::sort(II.UniqFeatureSet.begin(), II.UniqFeatureSet.end());
ComputeSHA1(U.data(), U.size(), II.Sha1);
Hashes.insert(Sha1ToString(II.Sha1));
UpdateCorpusDistribution();
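Review bot: The `std::sort` added here is load-bearing, yet nothing at the field or at this call says so: the `std::binary_search` over `II->UniqFeatureSet` in `Fuzzer::RunOne` (FuzzerLoop.cpp) is only valid on a sorted range. I would record the invariant where the member is declared in `InputInfo`, for example `// Kept sorted (see AddToCorpus); RunOne binary-searches it.`, so a later writer to the vector does not silently break input reduction. The parameter is still called `FeatureSet` although it now carries only the features for which `AddFeature` returned true, which is worth a rename or a comment. The enclosing function starts and ends outside this hunk, and whether `<algorithm>` is included in this header is not visible here.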
@@ -117,27 +118,13 @@ class InputCorpus {
Printf("%s sz=%zd ", Sha1ToString(II->Sha1).c_str(), II->U.size());
PrintUnit(II->U);
Printf(" ");
- PrintFeatureSet(II->FeatureSet);
+ PrintFeatureSet(II->UniqFeatureSet);
Printf("\n");
}
i++;
}
}
- // If FeatureSet is that same as in II, replace II->U with {Data,Size}.
- bool TryToReplace(InputInfo *II, const uint8_t *Data, size_t Size,
- const std::vector<uint32_t> &FeatureSet) {
- if (II->U.size() > Size && II->FeatureSet.size() &&
- II->FeatureSet == FeatureSet) {
- if (FeatureDebug)
- Printf("Replace: %zd => %zd\n", II->U.size(), Size);
- Replace(II, {Data, Data + Size});
- PrintCorpus();
- return true;
- }
- return false;
- }
-
void Replace(InputInfo *II, const Unit &U) {
assert(II->U.size());
Hashes.erase(Sha1ToString(II->Sha1));
@@ -198,7 +185,7 @@ class InputCorpus {
Printf("EVICTED %zd\n", Idx);
}
- void AddFeature(size_t Idx, uint32_t NewSize, bool Shrink) {
+ bool AddFeature(size_t Idx, uint32_t NewSize, bool Shrink) {
assert(NewSize);
Idx = Idx % kFeatureSetSize;
uint32_t OldSize = GetFeature(Idx);
@@ -218,7 +205,9 @@ class InputCorpus {
Printf("ADD FEATURE %zd sz %d\n", Idx, NewSize);
SmallestElementPerFeature[Idx] = Inputs.size();
InputSizesPerFeature[Idx] = NewSize;
+ return true;
}
+ return false;
}
size_t NumFeatures() const { return NumAddedFeatures; }
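Review bot: `AddFeature` now returns `bool`, but the meaning of the result is not documented, and `RunOne` uses it to decide which features go into an input's unique set. From the visible lines, `true` comes from the branch that writes `SmallestElementPerFeature[Idx]` and `InputSizesPerFeature[Idx]`. The condition guarding that branch lies between the two hunks and is not shown, so it presumably also fires when `Shrink` replaces an existing entry with a smaller size. A one-line comment above the signature such as `// Returns true iff the per-feature tables were updated for Idx.` would make the contract explicit.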
Modified: llvm/trunk/lib/Fuzzer/FuzzerInternal.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=308253&r1=308252&r2=308253&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerInternal.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerInternal.h Mon Jul 17 18:36:50 2017
@@ -132,7 +132,7 @@ private:
size_t MaxInputLen = 0;
size_t MaxMutationLen = 0;
- std::vector<uint32_t> FeatureSetTmp;
+ std::vector<uint32_t> UniqFeatureSetTmp;
// Need to know our own thread.
static thread_local bool IsMyThread;
Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=308253&r1=308252&r2=308253&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Mon Jul 17 18:36:50 2017
@@ -402,22 +402,29 @@ bool Fuzzer::RunOne(const uint8_t *Data,
ExecuteCallback(Data, Size);
- FeatureSetTmp.clear();
+ UniqFeatureSetTmp.clear();
+ size_t FoundUniqFeaturesOfII = 0;
size_t NumUpdatesBefore = Corpus.NumFeatureUpdates();
TPC.CollectFeatures([&](size_t Feature) {
- Corpus.AddFeature(Feature, Size, Options.Shrink);
- if (Options.ReduceInputs)
- FeatureSetTmp.push_back(Feature);
+ if (Corpus.AddFeature(Feature, Size, Options.Shrink))
+ UniqFeatureSetTmp.push_back(Feature);
+ if (Options.ReduceInputs && II)
+ if (std::binary_search(II->UniqFeatureSet.begin(),
+ II->UniqFeatureSet.end(), Feature))
+ FoundUniqFeaturesOfII++;
});
PrintPulseAndReportSlowInput(Data, Size);
size_t NumNewFeatures = Corpus.NumFeatureUpdates() - NumUpdatesBefore;
if (NumNewFeatures) {
Corpus.AddToCorpus({Data, Data + Size}, NumNewFeatures, MayDeleteFile,
- FeatureSetTmp);
+ UniqFeatureSetTmp);
CheckExitOnSrcPosOrItem();
return true;
}
- if (II && Corpus.TryToReplace(II, Data, Size, FeatureSetTmp)) {
+ if (II && FoundUniqFeaturesOfII &&
+ FoundUniqFeaturesOfII == II->UniqFeatureSet.size() &&
+ II->U.size() > Size) {
+ Corpus.Replace(II, {Data, Data + Size});
CheckExitOnSrcPosOrItem();
return true;
}
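Review bot: The replacement test `FoundUniqFeaturesOfII == II->UniqFeatureSet.size()` compares a count of callback hits with a vector length, so it proves full coverage of the old input's unique features only if `TPC.CollectFeatures` reports each feature at most once and `UniqFeatureSet` holds no duplicates. Neither property is visible in this hunk; if one fails, a smaller input could replace `II` while missing one of its features, or a valid reduction could never fire. `UniqFeatureSet` also stores `uint32_t` while `Feature` is `size_t`, so a feature value that does not fit in 32 bits would be truncated on `push_back` and never match in `std::binary_search`. I would state the assumptions next to the counter, e.g. `// Assumes each feature is reported once per run and fits in uint32_t.`, or add an assert to that effect. `RunOne` starts and ends outside the hunk.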
Modified: llvm/trunk/lib/Fuzzer/test/reduce_inputs.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/reduce_inputs.test?rev=308253&r1=308252&r2=308253&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/reduce_inputs.test (original)
+++ llvm/trunk/lib/Fuzzer/test/reduce_inputs.test Mon Jul 17 18:36:50 2017
@@ -9,5 +9,6 @@ CHECK: INFO: found item with checksum '0
RUN: LLVMFuzzer-ShrinkControlFlowSimpleTest -runs=0 %t/C 2>&1 | FileCheck %s --check-prefix=COUNT
COUNT: READ units: 3
-
+# a bit longer test
+RUN: LLVMFuzzer-ShrinkControlFlowTest -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -seed=1 -reduce_inputs=1 -runs=1000000 2>&1 | FileCheck %s