From 589eae515e82e1f382ddf83984d6418a347d7f3a Mon Sep 17 00:00:00 2001
From: Kostya Serebryany
Date: Thu, 15 Jun 2017 22:43:40 +0000
Subject: [PATCH] [libFuzzer] change the default max_len from 64 to 4096. This will affect cases where libFuzzer is run w/o initial corpus or with a corpus of very small items.
llvm-svn: 305521
---
 llvm/lib/Fuzzer/FuzzerDriver.cpp | 4 ++--
 llvm/lib/Fuzzer/FuzzerLoop.cpp | 4 +++-
 llvm/lib/Fuzzer/test/AbsNegAndConstant64Test.cpp | 2 +-
 llvm/lib/Fuzzer/test/FourIndependentBranchesTest.cpp | 1 +
 llvm/lib/Fuzzer/test/ShrinkControlFlowTest.cpp | 1 +
 llvm/lib/Fuzzer/test/SimpleHashTest.cpp | 2 +-
 llvm/lib/Fuzzer/test/SingleStrncmpTest.cpp | 1 +
 llvm/lib/Fuzzer/test/fuzzer-dirs.test | 8 ++++++--
 llvm/lib/Fuzzer/test/inline-8bit-counters.test | 2 +-
 9 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/llvm/lib/Fuzzer/FuzzerDriver.cpp b/llvm/lib/Fuzzer/FuzzerDriver.cpp
index 9aad3771784d..0453a7f443b5 100644
--- a/llvm/lib/Fuzzer/FuzzerDriver.cpp
+++ b/llvm/lib/Fuzzer/FuzzerDriver.cpp
@@ -553,12 +553,12 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
 return RunInMultipleProcesses(Args, Flags.workers, Flags.jobs);
 const size_t kMaxSaneLen = 1 << 20;
- const size_t kMinDefaultLen = 64;
+ const size_t kMinDefaultLen = 4096;
 FuzzingOptions Options;
 Options.Verbosity = Flags.verbosity;
 Options.MaxLen = Flags.max_len;
 Options.ExperimentalLenControl = Flags.experimental_len_control;
- if (Flags.experimental_len_control && Flags.max_len == 64)
+ if (Flags.experimental_len_control && Flags.max_len == kMinDefaultLen)
 Options.MaxLen = 1 << 20;
 Options.UnitTimeoutSec = Flags.timeout;
 Options.ErrorExitCode = Flags.error_exitcode;
diff --git a/llvm/lib/Fuzzer/FuzzerLoop.cpp b/llvm/lib/Fuzzer/FuzzerLoop.cpp
index f6083282ab61..fbf18357ede6 100644
--- a/llvm/lib/Fuzzer/FuzzerLoop.cpp
+++ b/llvm/lib/Fuzzer/FuzzerLoop.cpp
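Review bot: In FuzzerDriver.cpp the rewritten condition `Flags.max_len == kMinDefaultLen` cannot tell an explicit `-max_len=4096` from an unset flag, so with `-experimental_len_control` a deliberately chosen 4096 would be silently replaced by `1 << 20`. The default of `Flags.max_len` is declared outside this hunk; if it is 0 when the flag is absent, the test reads better as `if (Flags.experimental_len_control && Flags.max_len == 0)`. The override value also repeats the constant defined a few lines above it, and `Options.MaxLen = kMaxSaneLen;` would keep the two in step. FuzzerDriver's body starts before and continues after this hunk.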
@@ -301,7 +301,9 @@ void Fuzzer::SetMaxInputLen(size_t MaxInputLen) {
 this->MaxInputLen = MaxInputLen;
 this->MaxMutationLen = MaxInputLen;
 AllocateCurrentUnitData();
- Printf("INFO: -max_len is not provided, using %zd\n", MaxInputLen);
+ Printf("INFO: -max_len is not provided; "
+ "libFuzzer will not generate inputs larger than %zd bytes\n",
+ MaxInputLen);
 }
 void Fuzzer::SetMaxMutationLen(size_t MaxMutationLen) {
diff --git a/llvm/lib/Fuzzer/test/AbsNegAndConstant64Test.cpp b/llvm/lib/Fuzzer/test/AbsNegAndConstant64Test.cpp
index dfb6007b7970..b5a61ddca715 100644
--- a/llvm/lib/Fuzzer/test/AbsNegAndConstant64Test.cpp
+++ b/llvm/lib/Fuzzer/test/AbsNegAndConstant64Test.cpp
@@ -9,7 +9,7 @@
 #include
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- if (Size < 16) return 0;
+ if (Size < 16 || Size > 64) return 0;
 int64_t x;
 uint64_t y;
 memcpy(&x, Data, sizeof(x));
diff --git a/llvm/lib/Fuzzer/test/FourIndependentBranchesTest.cpp b/llvm/lib/Fuzzer/test/FourIndependentBranchesTest.cpp
index bbf5ea235c7a..ba963d9b1de8 100644
--- a/llvm/lib/Fuzzer/test/FourIndependentBranchesTest.cpp
+++ b/llvm/lib/Fuzzer/test/FourIndependentBranchesTest.cpp
@@ -8,6 +8,7 @@
 #include
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ if (Size > 64) return 0;
 int bits = 0;
 if (Size > 0 && Data[0] == 'F') bits |= 1;
 if (Size > 1 && Data[1] == 'U') bits |= 2;
diff --git a/llvm/lib/Fuzzer/test/ShrinkControlFlowTest.cpp b/llvm/lib/Fuzzer/test/ShrinkControlFlowTest.cpp
index d09542963626..37eeede7cbff 100644
--- a/llvm/lib/Fuzzer/test/ShrinkControlFlowTest.cpp
+++ b/llvm/lib/Fuzzer/test/ShrinkControlFlowTest.cpp
@@ -11,6 +11,7 @@
 static volatile int Sink;
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ if (Size > 64) return 0;
 int8_t Ids[256];
 memset(Ids, -1, sizeof(Ids));
 for (size_t i = 0; i < Size; i++)
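Review bot: The new format string in Fuzzer::SetMaxInputLen still prints the `size_t` argument with `%zd`, which is the signed conversion; `%zu` matches the parameter type shown in the signature: `"libFuzzer will not generate inputs larger than %zu bytes\n",`. This assumes Printf forwards to a printf-style formatter, which is not visible in the hunk. The text also states unconditionally that `-max_len` was not provided, so it is only accurate if every caller reaches this function on the flag-absent path; the callers are outside the hunk and worth checking.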
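Review bot: The `Size > 64` guard added to AbsNegAndConstant64Test.cpp is an unexplained literal, and the same guard is repeated in FourIndependentBranchesTest.cpp, ShrinkControlFlowTest.cpp, SimpleHashTest.cpp and SingleStrncmpTest.cpp. It appears to pin each target to the previous default input size so the tests keep converging under the 4096 default; a one-line comment at each site would record that, e.g. `// Reject inputs above the old 64-byte default max_len so this test still converges quickly.` An alternative that leaves the targets untouched would be passing `-max_len=64` on the RUN lines that drive them, which are not part of this patch.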
diff --git a/llvm/lib/Fuzzer/test/SimpleHashTest.cpp b/llvm/lib/Fuzzer/test/SimpleHashTest.cpp
index 99e96cb25dcd..a3f4211ebeef 100644
--- a/llvm/lib/Fuzzer/test/SimpleHashTest.cpp
+++ b/llvm/lib/Fuzzer/test/SimpleHashTest.cpp
@@ -26,7 +26,7 @@ static uint32_t simple_hash(const uint8_t *Data, size_t Size) {
 }
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- if (Size < 14)
+ if (Size < 14 || Size > 64)
 return 0;
 uint32_t Hash = simple_hash(&Data[0], Size - 4);
diff --git a/llvm/lib/Fuzzer/test/SingleStrncmpTest.cpp b/llvm/lib/Fuzzer/test/SingleStrncmpTest.cpp
index b302670fb743..b38c7995d8ff 100644
--- a/llvm/lib/Fuzzer/test/SingleStrncmpTest.cpp
+++ b/llvm/lib/Fuzzer/test/SingleStrncmpTest.cpp
@@ -8,6 +8,7 @@
 #include
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ if (Size > 64) return 0;
 char *S = (char*)Data;
 volatile auto Strncmp = &(strncmp); // Make sure strncmp is not inlined.
 if (Size >= 6 && !Strncmp(S, "qwerty", 6)) {
diff --git a/llvm/lib/Fuzzer/test/fuzzer-dirs.test b/llvm/lib/Fuzzer/test/fuzzer-dirs.test
index 3de64f278f5d..622ff5da3a29 100644
--- a/llvm/lib/Fuzzer/test/fuzzer-dirs.test
+++ b/llvm/lib/Fuzzer/test/fuzzer-dirs.test
@@ -5,9 +5,13 @@ RUN: echo b > %t/SUB1/SUB2/b
 RUN: echo c > %t/SUB1/SUB2/SUB3/c
 RUN: LLVMFuzzer-SimpleTest %t/SUB1 -runs=0 2>&1 | FileCheck %s --check-prefix=SUBDIRS
 SUBDIRS: READ units: 3
-RUN: echo -n zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz > %t/SUB1/long
+RUN: echo -n zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz > %t/SUB1/f64
+RUN: cat %t/SUB1/f64 %t/SUB1/f64 %t/SUB1/f64 %t/SUB1/f64 > %t/SUB1/f256
+RUN: cat %t/SUB1/f256 %t/SUB1/f256 %t/SUB1/f256 %t/SUB1/f256 > %t/SUB1/f1024
+RUN: cat %t/SUB1/f1024 %t/SUB1/f1024 %t/SUB1/f1024 %t/SUB1/f1024 > %t/SUB1/f4096
+RUN: cat %t/SUB1/f4096 %t/SUB1/f4096 > %t/SUB1/f8192
 RUN: LLVMFuzzer-SimpleTest %t/SUB1 -runs=0 2>&1 | FileCheck %s --check-prefix=LONG
-LONG: INFO: -max_len is not provided, using 93
+LONG: INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 8192 bytes
 RUN: rm -rf %t/SUB1
 RUN: not LLVMFuzzer-SimpleTest NONEXISTENT_DIR 2>&1 | FileCheck %s --check-prefix=NONEXISTENT_DIR
diff --git a/llvm/lib/Fuzzer/test/inline-8bit-counters.test b/llvm/lib/Fuzzer/test/inline-8bit-counters.test
index 4b6ae8374449..8747af81451f 100644
--- a/llvm/lib/Fuzzer/test/inline-8bit-counters.test
+++ b/llvm/lib/Fuzzer/test/inline-8bit-counters.test
@@ -1,4 +1,4 @@
 REQUIRES: linux
 CHECK: INFO: Loaded 1 modules with {{.*}} inline 8-bit counters
 CHECK: BINGO
-RUN: LLVMFuzzer-SimpleTest-Inline8bitCounters -runs=100000 -seed=1 2>&1 | FileCheck %s
+RUN: LLVMFuzzer-SimpleTest-Inline8bitCounters -runs=1000000 -seed=1 2>&1 | FileCheck %s
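Review bot: The LONG check in fuzzer-dirs.test only covers a corpus whose largest file (8192 bytes) exceeds the new default, so nothing in this patch asserts the 4096 floor that the commit introduces. The earlier three-file run could carry a second check prefix expecting `INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes`, assuming that run reaches the same message. Separately, the seed file is built with `echo -n`, whose handling differs between shells; if the flag is not honoured, every derived file size shifts and the 8192 expectation fails for a reason unrelated to libFuzzer, so `printf` would be the more dependable way to write exactly 64 bytes.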