[libFuzzer] add two flags, -tbm_depth and -tbm_width to control how the trace-based-mutations are applied

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@244712 91177308-0d34-0410-b5e6-96231b3b80d8

lib/Fuzzer/FuzzerDriver.cpp

@@ -241,6 +241,8 @@ int FuzzerDriver(int argc, char **argv, UserSuppliedFuzzer &USF) {
   Options.Tokens = ReadTokensFile(Flags.tokens);
   Options.Reload = Flags.reload;
   Options.OnlyASCII = Flags.only_ascii;
+  Options.TBMDepth = Flags.tbm_depth;
+  Options.TBMWidth = Flags.tbm_width;
   if (Flags.runs >= 0)
     Options.MaxNumberOfRuns = Flags.runs;
   if (!inputs.empty())

lib/Fuzzer/FuzzerFlags.def

@@ -62,3 +62,7 @@ FUZZER_FLAG_INT(report_slow_units, 10,
     "Report slowest units if they run for more than this number of seconds.")
 FUZZER_FLAG_INT(only_ascii, 0,
                 "If 1, generate only ASCII (isprint+isspace) inputs.")
+FUZZER_FLAG_INT(tbm_depth, 5, "Apply at most this number of consecutive"
+                               "trace-based-mutations (tbm).")
+FUZZER_FLAG_INT(tbm_width, 5, "Apply at most this number of independent"
+                               "trace-based-mutations (tbm)")

lib/Fuzzer/FuzzerInternal.h

@@ -74,6 +74,8 @@ class Fuzzer {
     int SyncTimeout = 600;
     int ReportSlowUnits = 10;
     bool OnlyASCII = false;
+    int TBMDepth = 10;
+    int TBMWidth = 10;
     std::string OutputCorpus;
     std::string SyncCommand;
     std::vector<std::string> Tokens;
@@ -136,6 +138,7 @@ class Fuzzer {
   Unit CurrentUnit;
 
   size_t TotalNumberOfRuns = 0;
+  size_t TotalNumberOfExecutedTraceBasedMutations = 0;
 
   std::vector<Unit> Corpus;
   std::unordered_set<std::string> UnitHashesAddedToCorpus;

lib/Fuzzer/FuzzerLoop.cpp

@@ -81,9 +81,11 @@ void Fuzzer::PrintStats(const char *Where, size_t Cov, const char *End) {
   if (!Options.Verbosity) return;
   size_t Seconds = secondsSinceProcessStartUp();
   size_t ExecPerSec = (Seconds ? TotalNumberOfRuns / Seconds : 0);
-  Printf("#%zd\t%s cov: %zd bits: %zd units: %zd exec/s: %zd %s",
-         TotalNumberOfRuns, Where, Cov, TotalBits(), Corpus.size(), ExecPerSec,
-         End);
+  Printf("#%zd\t%s cov: %zd bits: %zd units: %zd exec/s: %zd",
+         TotalNumberOfRuns, Where, Cov, TotalBits(), Corpus.size(), ExecPerSec);
+  if (TotalNumberOfExecutedTraceBasedMutations)
+    Printf(" tbm: %zd", TotalNumberOfExecutedTraceBasedMutations);
+  Printf("%s", End);
 }
 
 void Fuzzer::RereadOutputCorpus() {
@@ -311,9 +313,18 @@ void Fuzzer::MutateAndTestOne(Unit *U) {
     U->resize(NewSize);
     RunOneAndUpdateCorpus(*U);
     size_t NumTraceBasedMutations = StopTraceRecording();
-    for (size_t j = 0; j < NumTraceBasedMutations; j++) {
-      ApplyTraceBasedMutation(j, U);
-      RunOneAndUpdateCorpus(*U);
+    size_t TBMWidth =
+        std::min((size_t)Options.TBMWidth, NumTraceBasedMutations);
+    size_t TBMDepth =
+        std::min((size_t)Options.TBMDepth, NumTraceBasedMutations);
+    Unit BackUp = *U;
+    for (size_t w = 0; w < TBMWidth; w++) {
+      *U = BackUp;
+      for (size_t d = 0; d < TBMDepth; d++) {
+        TotalNumberOfExecutedTraceBasedMutations++;
+        ApplyTraceBasedMutation(USF.GetRand()(NumTraceBasedMutations), U);
+        RunOneAndUpdateCorpus(*U);
+      }
     }
   }
 }

lib/Fuzzer/FuzzerTraceState.cpp

@@ -232,8 +232,7 @@ class TraceState {
 
   size_t StopTraceRecording(FuzzerRandomBase &Rand) {
     RecordingTraces = false;
-    std::random_shuffle(Mutations.begin(), Mutations.end(), Rand);
-    return std::min(Mutations.size(), 128UL);
+    return Mutations.size();
   }
 
   void ApplyTraceBasedMutation(size_t Idx, fuzzer::Unit *U);

lib/Fuzzer/test/fuzzer-dfsan.test

@@ -9,7 +9,7 @@ CHECK_DFSanSwitchCallback: DFSanSwitchCallback: PC
 RUN: not LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=1000000 -timeout=5 2>&1 | FileCheck %s --check-prefix=CHECK1
 RUN: LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback
 
-RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s --check-prefix=CHECK2
+RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=10000 -timeout=5 2>&1 | FileCheck %s --check-prefix=CHECK2
 RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback
 
 RUN: not LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=10000 -timeout=5 2>&1 | FileCheck %s --check-prefix=CHECK3

lib/Fuzzer/test/fuzzer.test

@@ -25,14 +25,14 @@ RUN: not LLVMFuzzer-CxxTokensTest -seed=1 -timeout=15 -tokens=%S/../cxx_fuzzer_t
 
 RUN: not LLVMFuzzer-UserSuppliedFuzzerTest -seed=1 -timeout=15 2>&1 | FileCheck %s
 
-RUN: not LLVMFuzzer-MemcmpTest -use_traces=1 -seed=1 -runs=10000    2>&1 | FileCheck %s
+RUN: not LLVMFuzzer-MemcmpTest -use_traces=1 -seed=1 -runs=100000   2>&1 | FileCheck %s
 RUN:     LLVMFuzzer-MemcmpTest               -seed=1 -runs=1000000  2>&1 | FileCheck %s --check-prefix=Done1000000
 Done1000000: Done 1000000 runs in
 
-RUN: not LLVMFuzzer-StrncmpTest -use_traces=1 -seed=1 -runs=10000    2>&1 | FileCheck %s
+RUN: not LLVMFuzzer-StrncmpTest -use_traces=1 -seed=1 -runs=100000   2>&1 | FileCheck %s
 RUN:     LLVMFuzzer-StrncmpTest               -seed=1 -runs=1000000  2>&1 | FileCheck %s --check-prefix=Done1000000
 
-RUN: not LLVMFuzzer-StrcmpTest -use_traces=1 -seed=1 -runs=10000    2>&1 | FileCheck %s
+RUN: not LLVMFuzzer-StrcmpTest -use_traces=1 -seed=1 -runs=100000   2>&1 | FileCheck %s
 RUN:     LLVMFuzzer-StrcmpTest               -seed=1 -runs=1000000  2>&1 | FileCheck %s --check-prefix=Done1000000
 
 RUN: not LLVMFuzzer-SwitchTest -use_traces=1 -seed=1 -runs=1000000  2>&1 | FileCheck %s