[libFuzzer] when mutating based on CMP traces also try adding +/- 1 to the desired bytes. Add another test for use_cmp

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285109 91177308-0d34-0410-b5e6-96231b3b80d8
2025-02-24 23:22:10 +00:00 · 2016-10-25 20:15:15 +00:00 · 2016-10-25 20:15:15 +00:00 · 0895ad474e
commit 0895ad474e
parent 20cfefb146
3 changed files with 10 additions and 11 deletions
--- a/lib/Fuzzer/FuzzerMutate.cpp
+++ b/lib/Fuzzer/FuzzerMutate.cpp
@ -205,8 +205,6 @@ template <class T>
 DictionaryEntry MutationDispatcher::MakeDictionaryEntryFromCMP(
    T Arg1, T Arg2, const uint8_t *Data, size_t Size) {
  ScopedDoingMyOwnMemmem scoped_doing_my_own_memmem;
-  if (Rand.RandBool()) Arg1 = Bswap(Arg1);
-  if (Rand.RandBool()) Arg2 = Bswap(Arg2);
  bool HandleFirst = Rand.RandBool();
  T ExistingBytes, DesiredBytes;
  Word W;
@ -214,6 +212,9 @@ DictionaryEntry MutationDispatcher::MakeDictionaryEntryFromCMP(
  for (int Arg = 0; Arg < 2; Arg++) {
    ExistingBytes = HandleFirst ? Arg1 : Arg2;
    DesiredBytes = HandleFirst ? Arg2 : Arg1;
+    DesiredBytes += Rand(-1, 1);
+    if (Rand.RandBool()) ExistingBytes = Bswap(ExistingBytes);
+    if (Rand.RandBool()) DesiredBytes = Bswap(DesiredBytes);
    HandleFirst = !HandleFirst;
    W.Set(reinterpret_cast<uint8_t*>(&DesiredBytes), sizeof(T));
    const size_t kMaxNumPositions = 8;
@ -236,15 +237,9 @@ size_t MutationDispatcher::Mutate_AddWordFromTORC(
    uint8_t *Data, size_t Size, size_t MaxSize) {
  Word W;
  DictionaryEntry DE;
-  bool Debug = false;
  if (Rand.RandBool()) {
    auto X = TPC.TORC8.Get(Rand.Rand());
    DE = MakeDictionaryEntryFromCMP(X.A, X.B, Data, Size);
-    if (X.A > 10000 &&X.B > 10000) Debug = false;
-    if (Debug) {
-      Printf("ZZZ %zx %zx\n", X.A, X.B);
-      DE.Print();
-    }
  } else {
    auto X = TPC.TORC4.Get(Rand.Rand());
    if ((X.A >> 16) == 0 && (X.B >> 16) == 0 && Rand.RandBool())
@ -255,9 +250,6 @@ size_t MutationDispatcher::Mutate_AddWordFromTORC(
  }
  Size = ApplyDictionaryEntry(Data, Size, MaxSize, DE);
  if (!Size) return 0;
-  if (Debug) {
-    Printf("DONE\n");
-  }
  DictionaryEntry &DERef =
      CmpDictionaryEntriesDeque[CmpDictionaryEntriesDequeIdx++ %
                                kCmpDictionaryEntriesDequeSize];
--- a/lib/Fuzzer/FuzzerRandom.h
+++ b/lib/Fuzzer/FuzzerRandom.h
@ -21,6 +21,11 @@ class Random {
  size_t Rand() { return R(); }
  size_t RandBool() { return Rand() % 2; }
  size_t operator()(size_t n) { return n ? Rand() % n : 0; }
+  intptr_t operator()(intptr_t From, intptr_t To) {
+    assert(From < To);
+    intptr_t RangeSize = To - From + 1;
+    return operator()(RangeSize) + From;
+  }
  std::mt19937 &Get_mt19937() { return R; }
 private:
  std::mt19937 R;
--- a/lib/Fuzzer/test/simple-cmp.test
+++ b/lib/Fuzzer/test/simple-cmp.test
@ -0,0 +1,2 @@
+CHECK: BINGO
+RUN: not LLVMFuzzer-SimpleCmpTest -seed=1 -use_cmp=1 -runs=100000000 2>&1 | FileCheck %s