authorKostya Serebryany <kcc@google.com>2017-12-12 23:11:28 +0000
committerKostya Serebryany <kcc@google.com>2017-12-12 23:11:28 +0000
commite4c546028442192e48480ff2d3d9e29ecc62774d (patch)
treeb1a48dfc35675aff67861a4d3c1bbb39d7505723
parent8106beb37dc9b0d632c3596895bda21ef8108e7d (diff)
[libFuzzer] change the strategy for -experimental_len_control to grow max_len slower
git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@320531 91177308-0d34-0410-b5e6-96231b3b80d8
-rw-r--r--lib/fuzzer/FuzzerInternal.h2
-rw-r--r--lib/fuzzer/FuzzerLoop.cpp12
-rw-r--r--lib/fuzzer/FuzzerTracePC.h2
-rw-r--r--lib/fuzzer/FuzzerUtil.h2
-rw-r--r--test/fuzzer/trace-malloc-unbalanced.test4
5 files changed, 9 insertions, 13 deletions
diff --git a/lib/fuzzer/FuzzerInternal.h b/lib/fuzzer/FuzzerInternal.h
index 5ae9e2b8f..2b2638f1f 100644
--- a/lib/fuzzer/FuzzerInternal.h
+++ b/lib/fuzzer/FuzzerInternal.h
@@ -124,8 +124,6 @@ private:
size_t NumberOfNewUnitsAdded = 0;
size_t LastCorpusUpdateRun = 0;
- system_clock::time_point LastCorpusUpdateTime = system_clock::now();
-
bool HasMoreMallocsThanFrees = false;
size_t NumberOfLeakDetectionAttempts = 0;
diff --git a/lib/fuzzer/FuzzerLoop.cpp b/lib/fuzzer/FuzzerLoop.cpp
index 6ed48e08b..5b451ca12 100644
--- a/lib/fuzzer/FuzzerLoop.cpp
+++ b/lib/fuzzer/FuzzerLoop.cpp
@@ -567,7 +567,6 @@ void Fuzzer::ReportNewCoverage(InputInfo *II, const Unit &U) {
NumberOfNewUnitsAdded++;
CheckExitOnSrcPosOrItem(); // Check only after the unit is saved to corpus.
LastCorpusUpdateRun = TotalNumberOfRuns;
- LastCorpusUpdateTime = system_clock::now();
}
// Tries detecting a memory leak on the particular input that we have just
@@ -758,18 +757,15 @@ void Fuzzer::Loop(const Vector<std::string> &CorpusDirs) {
// Update TmpMaxMutationLen
if (Options.ExperimentalLenControl) {
if (TmpMaxMutationLen < MaxMutationLen &&
- (TotalNumberOfRuns - LastCorpusUpdateRun >
- Options.ExperimentalLenControl &&
- duration_cast<seconds>(Now - LastCorpusUpdateTime).count() >= 1)) {
- LastCorpusUpdateRun = TotalNumberOfRuns;
- LastCorpusUpdateTime = Now;
+ TotalNumberOfRuns - LastCorpusUpdateRun >
+ Options.ExperimentalLenControl * Log(TmpMaxMutationLen)) {
TmpMaxMutationLen =
- Min(MaxMutationLen,
- TmpMaxMutationLen + Max(size_t(4), TmpMaxMutationLen / 8));
+ Min(MaxMutationLen, TmpMaxMutationLen + Log(TmpMaxMutationLen));
if (TmpMaxMutationLen <= MaxMutationLen)
Printf("#%zd\tTEMP_MAX_LEN: %zd (%zd %zd)\n", TotalNumberOfRuns,
TmpMaxMutationLen, Options.ExperimentalLenControl,
LastCorpusUpdateRun);
+ LastCorpusUpdateRun = TotalNumberOfRuns;
}
} else {
TmpMaxMutationLen = MaxMutationLen;
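Review bot: The new growth step on the `Min(MaxMutationLen, ...)` line is `Log(TmpMaxMutationLen)`, which is 0 when the length is 1, so the length would never advance, whereas the removed `Max(size_t(4), TmpMaxMutationLen / 8)` always moved it forward. TmpMaxMutationLen is initialised outside this hunk, so whether 1 is reachable cannot be confirmed from here; if it is, a floor avoids the stall: `Min(MaxMutationLen, TmpMaxMutationLen + Max(size_t(1), size_t(Log(TmpMaxMutationLen))));`. A one-line comment above the condition would also help the next reader, e.g. `// Both the wait between bumps and the bump size scale with log2 of the current length.` Fuzzer::Loop starts and ends outside the hunk.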
diff --git a/lib/fuzzer/FuzzerTracePC.h b/lib/fuzzer/FuzzerTracePC.h
index 300e5db38..dc65cd720 100644
--- a/lib/fuzzer/FuzzerTracePC.h
+++ b/lib/fuzzer/FuzzerTracePC.h
@@ -276,7 +276,7 @@ void TracePC::CollectFeatures(Callback HandleFeature) const {
// Step function, grows similar to 8 * Log_2(A).
auto StackDepthStepFunction = [](uint32_t A) -> uint32_t {
- uint32_t Log2 = 32 - __builtin_clz(A) - 1;
+ uint32_t Log2 = Log(A);
if (Log2 < 3) return A;
Log2 -= 3;
return (Log2 + 1) * 8 + ((A >> Log2) & 7);
diff --git a/lib/fuzzer/FuzzerUtil.h b/lib/fuzzer/FuzzerUtil.h
index 9a6227ea7..f2ed028ce 100644
--- a/lib/fuzzer/FuzzerUtil.h
+++ b/lib/fuzzer/FuzzerUtil.h
@@ -80,6 +80,8 @@ std::string SearchRegexCmd(const std::string &Regex);
size_t SimpleFastHash(const uint8_t *Data, size_t Size);
+inline uint32_t Log(uint32_t X) { return 32 - __builtin_clz(X) - 1; }
+
} // namespace fuzzer
#endif // LLVM_FUZZER_UTIL_H
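Review bot: `Log` is now a shared helper with no comment and no guard for `X == 0`, where `__builtin_clz` has an undefined result; the call sites added in FuzzerLoop.cpp (`Log(TmpMaxMutationLen)`) and FuzzerTracePC.h (`Log(A)`) both inherit that precondition. Defining the zero case keeps the helper total: `inline uint32_t Log(uint32_t X) { return X ? 32 - __builtin_clz(X) - 1 : 0; }`, with a comment such as `// Floor of log2(X); returns 0 for X == 0.` The FuzzerLoop.cpp caller appears to pass a size_t, which is narrowed to uint32_t on 64-bit targets, so the comment should also say that only the low 32 bits are considered.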
diff --git a/test/fuzzer/trace-malloc-unbalanced.test b/test/fuzzer/trace-malloc-unbalanced.test
index 53b83fb68..8be5fab0c 100644
--- a/test/fuzzer/trace-malloc-unbalanced.test
+++ b/test/fuzzer/trace-malloc-unbalanced.test
@@ -6,10 +6,10 @@ UNSUPPORTED: darwin
RUN: %cpp_compiler %S/TraceMallocTest.cpp -o %t-TraceMallocTest
-RUN: %t-TraceMallocTest -seed=1 -trace_malloc=1 -runs=100 2>&1 | \
+RUN: %t-TraceMallocTest -seed=1 -trace_malloc=1 -runs=200 2>&1 | \
RUN: %libfuzzer_src/scripts/unbalanced_allocs.py --skip=5 | FileCheck %s
-RUN: %t-TraceMallocTest -seed=1 -trace_malloc=2 -runs=100 2>&1 | \
+RUN: %t-TraceMallocTest -seed=1 -trace_malloc=2 -runs=200 2>&1 | \
RUN: %libfuzzer_src/scripts/unbalanced_allocs.py --skip=5 | FileCheck %s --check-prefixes=CHECK,CHECK2
CHECK: MallocFreeTracer: START