[PATCH] D66030: [libFuzzer] Merge: print feature coverage number as well.

Max Moroz via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Fri Aug 9 13:58:02 PDT 2019 

Dor1s created this revision.
Dor1s added reviewers: hctim, morehouse.
Herald added subscribers: llvm-commits, Sanitizers, delcypher.
Herald added projects: LLVM, Sanitizers.

feature coverage is a useful signal that is available during the merge
process, but was not printed previously.

Output example:

  $ ./fuzzer -use_value_profile=1 -merge=1 new_corpus/ seed_corpus/
  INFO: Seed: 1676551929
  INFO: Loaded 1 modules   (2380 inline 8-bit counters): 2380 [0x90d180, 0x90dacc), 
  INFO: Loaded 1 PC tables (2380 PCs): 2380 [0x684018,0x68d4d8), 
  MERGE-OUTER: 180 files, 78 in the initial corpus
  MERGE-OUTER: attempt 1
  INFO: Seed: 1676574577
  INFO: Loaded 1 modules   (2380 inline 8-bit counters): 2380 [0x90d180, 0x90dacc), 
  INFO: Loaded 1 PC tables (2380 PCs): 2380 [0x684018,0x68d4d8), 
  INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048576 bytes
  MERGE-INNER: using the control file '/tmp/libFuzzerTemp.111754.txt'
  MERGE-INNER: 180 total files; 0 processed earlier; will process 180 files now
  #1	pulse  cov: 134 ft: 330 exec/s: 0 rss: 37Mb
  #2	pulse  cov: 142 ft: 462 exec/s: 0 rss: 38Mb
  #4	pulse  cov: 152 ft: 651 exec/s: 0 rss: 38Mb
  #8	pulse  cov: 152 ft: 943 exec/s: 0 rss: 38Mb
  #16	pulse  cov: 520 ft: 2783 exec/s: 0 rss: 39Mb
  #32	pulse  cov: 552 ft: 3280 exec/s: 0 rss: 41Mb
  #64	pulse  cov: 576 ft: 3641 exec/s: 0 rss: 50Mb
  #78	LOADED cov: 602 ft: 3936 exec/s: 0 rss: 88Mb
  #128	pulse  cov: 611 ft: 3996 exec/s: 0 rss: 93Mb
  #180	DONE   cov: 611 ft: 4016 exec/s: 0 rss: 155Mb
  MERGE-OUTER: succesfull in 1 attempt(s)
  MERGE-OUTER: the control file has 39741 bytes
  MERGE-OUTER: consumed 0Mb (37Mb rss) to parse the control file
  MERGE-OUTER: 9 new files with 80 new features added; 9 new coverage edges


Repository:
  rCRT Compiler Runtime

https://reviews.llvm.org/D66030

Files:
  lib/fuzzer/FuzzerInternal.h
  lib/fuzzer/FuzzerLoop.cpp
  lib/fuzzer/FuzzerMerge.cpp


Index: lib/fuzzer/FuzzerMerge.cpp
===================================================================
--- lib/fuzzer/FuzzerMerge.cpp
+++ lib/fuzzer/FuzzerMerge.cpp
@@ -210,6 +210,9 @@
 
   std::ofstream OF(CFPath, std::ofstream::out | std::ofstream::app);
   Set<size_t> AllFeatures;
+  auto PrintStatsWrapper = [this, &AllFeatures](const char* Where) {
+    this->PrintStats(Where, "\n", 0, AllFeatures.size());
+  };
   Set<const TracePC::PCTableEntry *> AllPCs;
   for (size_t i = M.FirstNotProcessedFile; i < M.Files.size(); i++) {
     Fuzzer::MaybeExitGracefully();
@@ -238,9 +241,9 @@
     TPC.UpdateObservedPCs();
     // Show stats.
     if (!(TotalNumberOfRuns & (TotalNumberOfRuns - 1)))
-      PrintStats("pulse ");
+      PrintStatsWrapper("pulse ");
     if (TotalNumberOfRuns == M.NumFilesInFirstCorpus)
-      PrintStats("LOADED");
+      PrintStatsWrapper("LOADED");
     // Write the post-run marker and the coverage.
     OF << "FT " << i;
     for (size_t F : UniqFeatures)
@@ -254,7 +257,7 @@
     OF << "\n";
     OF.flush();
   }
-  PrintStats("DONE  ");
+  PrintStatsWrapper("DONE  ");
 }
 
 static void WriteNewControlFile(const std::string &CFPath,
Index: lib/fuzzer/FuzzerLoop.cpp
===================================================================
--- lib/fuzzer/FuzzerLoop.cpp
+++ lib/fuzzer/FuzzerLoop.cpp
@@ -319,14 +319,15 @@
   _Exit(Options.OOMExitCode); // Stop right now.
 }
 
-void Fuzzer::PrintStats(const char *Where, const char *End, size_t Units) {
+void Fuzzer::PrintStats(const char *Where, const char *End, size_t Units,
+                        size_t Features) {
   size_t ExecPerSec = execPerSec();
   if (!Options.Verbosity)
     return;
   Printf("#%zd\t%s", TotalNumberOfRuns, Where);
   if (size_t N = TPC.GetTotalPCCoverage())
     Printf(" cov: %zd", N);
-  if (size_t N = Corpus.NumFeatures())
+  if (size_t N = Features ? Features : Corpus.NumFeatures())
     Printf(" ft: %zd", N);
   if (!Corpus.empty()) {
     Printf(" corp: %zd", Corpus.NumActiveUnits());
Index: lib/fuzzer/FuzzerInternal.h
===================================================================
--- lib/fuzzer/FuzzerInternal.h
+++ lib/fuzzer/FuzzerInternal.h
@@ -98,7 +98,8 @@
   void ReportNewCoverage(InputInfo *II, const Unit &U);
   void PrintPulseAndReportSlowInput(const uint8_t *Data, size_t Size);
   void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix);
-  void PrintStats(const char *Where, const char *End = "\n", size_t Units = 0);
+  void PrintStats(const char *Where, const char *End = "\n", size_t Units = 0,
+                  size_t Features = 0);
   void PrintStatusForNewUnit(const Unit &U, const char *Text);
   void CheckExitOnSrcPosOrItem();
 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D66030.214446.patch
Type: text/x-patch
Size: 2703 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20190809/92e6e620/attachment.bin>

More information about the llvm-commits mailing list