From 234cfada1839319ca5dd95658611605e3e4fab4d Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Wed, 12 Aug 2015 01:55:37 +0000 Subject: [PATCH] [libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@244712 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/Fuzzer/FuzzerDriver.cpp | 2 ++ lib/Fuzzer/FuzzerFlags.def | 4 ++++ lib/Fuzzer/FuzzerInternal.h | 3 +++ lib/Fuzzer/FuzzerLoop.cpp | 23 +++++++++++++++++------ lib/Fuzzer/FuzzerTraceState.cpp | 3 +-- lib/Fuzzer/test/fuzzer-dfsan.test | 2 +- lib/Fuzzer/test/fuzzer.test | 6 +++--- 7 files changed, 31 insertions(+), 12 deletions(-) diff --git a/lib/Fuzzer/FuzzerDriver.cpp b/lib/Fuzzer/FuzzerDriver.cpp index 4136e016461..d94eb98a4da 100644 --- a/lib/Fuzzer/FuzzerDriver.cpp +++ b/lib/Fuzzer/FuzzerDriver.cpp @@ -241,6 +241,8 @@ int FuzzerDriver(int argc, char **argv, UserSuppliedFuzzer &USF) { Options.Tokens = ReadTokensFile(Flags.tokens); Options.Reload = Flags.reload; Options.OnlyASCII = Flags.only_ascii; + Options.TBMDepth = Flags.tbm_depth; + Options.TBMWidth = Flags.tbm_width; if (Flags.runs >= 0) Options.MaxNumberOfRuns = Flags.runs; if (!inputs.empty()) diff --git a/lib/Fuzzer/FuzzerFlags.def b/lib/Fuzzer/FuzzerFlags.def index 91aff99f045..d5a428bb25a 100644 --- a/lib/Fuzzer/FuzzerFlags.def +++ b/lib/Fuzzer/FuzzerFlags.def @@ -62,3 +62,7 @@ FUZZER_FLAG_INT(report_slow_units, 10, "Report slowest units if they run for more than this number of seconds.") FUZZER_FLAG_INT(only_ascii, 0, "If 1, generate only ASCII (isprint+isspace) inputs.") +FUZZER_FLAG_INT(tbm_depth, 5, "Apply at most this number of consecutive" + "trace-based-mutations (tbm).") +FUZZER_FLAG_INT(tbm_width, 5, "Apply at most this number of independent" + "trace-based-mutations (tbm)") diff --git a/lib/Fuzzer/FuzzerInternal.h b/lib/Fuzzer/FuzzerInternal.h index 6f7525e7875..d9dc5283689 100644 --- a/lib/Fuzzer/FuzzerInternal.h +++ b/lib/Fuzzer/FuzzerInternal.h @@ -74,6 +74,8 @@ class Fuzzer { int SyncTimeout = 600; int ReportSlowUnits = 10; bool OnlyASCII = false; + int TBMDepth = 10; + int TBMWidth = 10; std::string OutputCorpus; std::string SyncCommand; std::vector Tokens; @@ -136,6 +138,7 @@ class Fuzzer { Unit CurrentUnit; size_t TotalNumberOfRuns = 0; + size_t TotalNumberOfExecutedTraceBasedMutations = 0; std::vector Corpus; std::unordered_set UnitHashesAddedToCorpus; diff --git a/lib/Fuzzer/FuzzerLoop.cpp b/lib/Fuzzer/FuzzerLoop.cpp index b9c27e3f4a3..87ba0c0bbcd 100644 --- a/lib/Fuzzer/FuzzerLoop.cpp +++ b/lib/Fuzzer/FuzzerLoop.cpp @@ -81,9 +81,11 @@ void Fuzzer::PrintStats(const char *Where, size_t Cov, const char *End) { if (!Options.Verbosity) return; size_t Seconds = secondsSinceProcessStartUp(); size_t ExecPerSec = (Seconds ? TotalNumberOfRuns / Seconds : 0); - Printf("#%zd\t%s cov: %zd bits: %zd units: %zd exec/s: %zd %s", - TotalNumberOfRuns, Where, Cov, TotalBits(), Corpus.size(), ExecPerSec, - End); + Printf("#%zd\t%s cov: %zd bits: %zd units: %zd exec/s: %zd", + TotalNumberOfRuns, Where, Cov, TotalBits(), Corpus.size(), ExecPerSec); + if (TotalNumberOfExecutedTraceBasedMutations) + Printf(" tbm: %zd", TotalNumberOfExecutedTraceBasedMutations); + Printf("%s", End); } void Fuzzer::RereadOutputCorpus() { @@ -311,9 +313,18 @@ void Fuzzer::MutateAndTestOne(Unit *U) { U->resize(NewSize); RunOneAndUpdateCorpus(*U); size_t NumTraceBasedMutations = StopTraceRecording(); - for (size_t j = 0; j < NumTraceBasedMutations; j++) { - ApplyTraceBasedMutation(j, U); - RunOneAndUpdateCorpus(*U); + size_t TBMWidth = + std::min((size_t)Options.TBMWidth, NumTraceBasedMutations); + size_t TBMDepth = + std::min((size_t)Options.TBMDepth, NumTraceBasedMutations); + Unit BackUp = *U; + for (size_t w = 0; w < TBMWidth; w++) { + *U = BackUp; + for (size_t d = 0; d < TBMDepth; d++) { + TotalNumberOfExecutedTraceBasedMutations++; + ApplyTraceBasedMutation(USF.GetRand()(NumTraceBasedMutations), U); + RunOneAndUpdateCorpus(*U); + } } } } diff --git a/lib/Fuzzer/FuzzerTraceState.cpp b/lib/Fuzzer/FuzzerTraceState.cpp index 1cf89eb077f..2e57e259e14 100644 --- a/lib/Fuzzer/FuzzerTraceState.cpp +++ b/lib/Fuzzer/FuzzerTraceState.cpp @@ -232,8 +232,7 @@ class TraceState { size_t StopTraceRecording(FuzzerRandomBase &Rand) { RecordingTraces = false; - std::random_shuffle(Mutations.begin(), Mutations.end(), Rand); - return std::min(Mutations.size(), 128UL); + return Mutations.size(); } void ApplyTraceBasedMutation(size_t Idx, fuzzer::Unit *U); diff --git a/lib/Fuzzer/test/fuzzer-dfsan.test b/lib/Fuzzer/test/fuzzer-dfsan.test index d6820323710..982f143669d 100644 --- a/lib/Fuzzer/test/fuzzer-dfsan.test +++ b/lib/Fuzzer/test/fuzzer-dfsan.test @@ -9,7 +9,7 @@ CHECK_DFSanSwitchCallback: DFSanSwitchCallback: PC RUN: not LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=1000000 -timeout=5 2>&1 | FileCheck %s --check-prefix=CHECK1 RUN: LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback -RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s --check-prefix=CHECK2 +RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=10000 -timeout=5 2>&1 | FileCheck %s --check-prefix=CHECK2 RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback RUN: not LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=10000 -timeout=5 2>&1 | FileCheck %s --check-prefix=CHECK3 diff --git a/lib/Fuzzer/test/fuzzer.test b/lib/Fuzzer/test/fuzzer.test index 83fc0f88caa..888e1460059 100644 --- a/lib/Fuzzer/test/fuzzer.test +++ b/lib/Fuzzer/test/fuzzer.test @@ -25,14 +25,14 @@ RUN: not LLVMFuzzer-CxxTokensTest -seed=1 -timeout=15 -tokens=%S/../cxx_fuzzer_t RUN: not LLVMFuzzer-UserSuppliedFuzzerTest -seed=1 -timeout=15 2>&1 | FileCheck %s -RUN: not LLVMFuzzer-MemcmpTest -use_traces=1 -seed=1 -runs=10000 2>&1 | FileCheck %s +RUN: not LLVMFuzzer-MemcmpTest -use_traces=1 -seed=1 -runs=100000 2>&1 | FileCheck %s RUN: LLVMFuzzer-MemcmpTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000 Done1000000: Done 1000000 runs in -RUN: not LLVMFuzzer-StrncmpTest -use_traces=1 -seed=1 -runs=10000 2>&1 | FileCheck %s +RUN: not LLVMFuzzer-StrncmpTest -use_traces=1 -seed=1 -runs=100000 2>&1 | FileCheck %s RUN: LLVMFuzzer-StrncmpTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000 -RUN: not LLVMFuzzer-StrcmpTest -use_traces=1 -seed=1 -runs=10000 2>&1 | FileCheck %s +RUN: not LLVMFuzzer-StrcmpTest -use_traces=1 -seed=1 -runs=100000 2>&1 | FileCheck %s RUN: LLVMFuzzer-StrcmpTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000 RUN: not LLVMFuzzer-SwitchTest -use_traces=1 -seed=1 -runs=1000000 2>&1 | FileCheck %s -- 2.34.1