[libFuzzer] add an experimental flag -experimental_len_control=1 that sets max_len to 1M and tries to increases the actual max sizes of mutations very gradually. Also remove a bit of dead code

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@289998 91177308-0d34-0410-b5e6-96231b3b80d8
This commit is contained in:
Kostya Serebryany 2016-12-16 22:42:05 +00:00
parent f638013746
commit eb30028464
6 changed files with 32 additions and 9 deletions

View File

@ -59,6 +59,12 @@ class InputCorpus {
Res += !II->U.empty();
return Res;
}
size_t MaxInputSize() const {
size_t Res = 0;
for (auto II : Inputs)
Res = std::max(Res, II->U.size());
return Res;
}
bool empty() const { return Inputs.empty(); }
const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }
void AddToCorpus(const Unit &U, size_t NumFeatures, bool MayDeleteFile = false) {

View File

@ -390,6 +390,9 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
FuzzingOptions Options;
Options.Verbosity = Flags.verbosity;
Options.MaxLen = Flags.max_len;
Options.ExperimentalLenControl = Flags.experimental_len_control;
if (Flags.experimental_len_control && Flags.max_len == 64)
Options.MaxLen = 1 << 20;
Options.UnitTimeoutSec = Flags.timeout;
Options.ErrorExitCode = Flags.error_exitcode;
Options.TimeoutExitCode = Flags.timeout_exitcode;

View File

@ -17,6 +17,7 @@ FUZZER_FLAG_INT(runs, -1,
FUZZER_FLAG_INT(max_len, 0, "Maximum length of the test input. "
"If 0, libFuzzer tries to guess a good value based on the corpus "
"and reports it. ")
FUZZER_FLAG_INT(experimental_len_control, 0, "experimental flag")
FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.")
FUZZER_FLAG_INT(mutate_depth, 5,
"Apply this number of consecutive mutations to each input.")

View File

@ -697,6 +697,19 @@ void Fuzzer::TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size,
}
}
static size_t ComputeMutationLen(size_t MaxInputSize, size_t MaxMutationLen,
Random &Rand) {
assert(MaxInputSize <= MaxMutationLen);
if (MaxInputSize == MaxMutationLen) return MaxMutationLen;
size_t Result = MaxInputSize;
size_t R = Rand.Rand();
if ((R % (1U << 7)) == 0)
Result++;
if ((R % (1U << 15)) == 0)
Result += 10 + Result / 2;
return Min(Result, MaxMutationLen);
}
void Fuzzer::MutateAndTestOne() {
MD.StartMutationSequence();
@ -710,13 +723,19 @@ void Fuzzer::MutateAndTestOne() {
assert(MaxMutationLen > 0);
size_t CurrentMaxMutationLen =
Options.ExperimentalLenControl
? ComputeMutationLen(Corpus.MaxInputSize(), MaxMutationLen,
MD.GetRand())
: MaxMutationLen;
for (int i = 0; i < Options.MutateDepth; i++) {
if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
break;
size_t NewSize = 0;
NewSize = MD.Mutate(CurrentUnitData, Size, MaxMutationLen);
NewSize = MD.Mutate(CurrentUnitData, Size, CurrentMaxMutationLen);
assert(NewSize > 0 && "Mutator returned empty unit");
assert(NewSize <= MaxMutationLen && "Mutator return overisized unit");
assert(NewSize <= CurrentMaxMutationLen && "Mutator return overisized unit");
Size = NewSize;
if (i == 0)
StartTraceRecording();

View File

@ -485,13 +485,6 @@ size_t MutationDispatcher::MutateImpl(uint8_t *Data, size_t Size,
size_t MaxSize,
const std::vector<Mutator> &Mutators) {
assert(MaxSize > 0);
if (Size == 0) {
for (size_t i = 0; i < MaxSize; i++)
Data[i] = RandCh(Rand);
if (Options.OnlyASCII)
ToASCII(Data, MaxSize);
return MaxSize;
}
assert(Size > 0);
// Some mutations may fail (e.g. can't insert more bytes if Size == MaxSize),
// in which case they will return 0.

View File

@ -19,6 +19,7 @@ namespace fuzzer {
struct FuzzingOptions {
int Verbosity = 1;
size_t MaxLen = 0;
bool ExperimentalLenControl = false;
int UnitTimeoutSec = 300;
int TimeoutExitCode = 77;
int ErrorExitCode = 77;