llvm.org GIT mirror llvm / eb30028
[libFuzzer] add an experimental flag -experimental_len_control=1 that sets max_len to 1M and tries to increase the actual max sizes of mutations very gradually. Also remove a bit of dead code git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@289998 91177308-0d34-0410-b5e6-96231b3b80d8 Kostya Serebryany 3 years ago
6 changed file(s) with 32 addition(s) and 9 deletion(s).
5656 size_t Res = 0;
5757 for (auto II : Inputs)
5858 Res += !II->U.empty();
59 return Res;
60 }
61 size_t MaxInputSize() const {
62 size_t Res = 0;
63 for (auto II : Inputs)
64 Res = std::max(Res, II->U.size());
5965 return Res;
6066 }
6167 bool empty() const { return Inputs.empty(); }
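Review bot: MaxInputSize() rescans every entry of Inputs on each call, and the new code in the fuzzing loop calls it once per MutateAndTestOne when the flag is on, so the cost of each mutation round grows with the corpus size. A running maximum kept as a member and updated where units are added would make the query constant-time; those add/replace paths are outside this section, so confirm that no path shrinks or removes the largest unit before relying on a cached value. A short comment such as `// Size in bytes of the largest unit in the corpus; 0 if there are no units.` would also document the empty-corpus result that callers have to handle.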
389389 FuzzingOptions Options;
390390 Options.Verbosity = Flags.verbosity;
391391 Options.MaxLen = Flags.max_len;
392 Options.ExperimentalLenControl = Flags.experimental_len_control;
393 if (Flags.experimental_len_control && Flags.max_len == 64)
394 Options.MaxLen = 1 << 20;
392395 Options.UnitTimeoutSec = Flags.timeout;
393396 Options.ErrorExitCode = Flags.error_exitcode;
394397 Options.TimeoutExitCode = Flags.timeout_exitcode;
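Review bot: The override to `1 << 20` is keyed on `Flags.max_len == 64`, but the flag table shown in this same commit declares `max_len` with a default of 0, so with default flags the condition looks like it never holds and the 1M limit described in the commit message is not applied. The same test also silently replaces an explicit `-max_len=64` given by the user. If the intent is "no explicit limit was given", compare against the declared default instead: `if (Flags.experimental_len_control && Flags.max_len == 0)`. How a MaxLen of 0 is later resolved from the corpus is outside this hunk, so the ordering against that logic needs checking.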
1616 FUZZER_FLAG_INT(max_len, 0, "Maximum length of the test input. "
1717 "If 0, libFuzzer tries to guess a good value based on the corpus "
1818 "and reports it. ")
19 FUZZER_FLAG_INT(experimental_len_control, 0, "experimental flag")
1920 FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.")
2021 FUZZER_FLAG_INT(mutate_depth, 5,
2122 "Apply this number of consecutive mutations to each input.")
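Review bot: The help string `"experimental flag"` tells a user nothing about what the option does, unlike the neighbouring entries, which state the effect of each value. Suggest describing the behaviour given in the commit message, for example `"Experimental. If 1, cap mutation length near the largest corpus input and raise the cap gradually."`. If the flag also changes the effective max_len, that interaction belongs in the description as well.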
696696 }
697697 }
698698
699 static size_t ComputeMutationLen(size_t MaxInputSize, size_t MaxMutationLen,
700 Random &Rand) {
701 assert(MaxInputSize <= MaxMutationLen);
702 if (MaxInputSize == MaxMutationLen) return MaxMutationLen;
703 size_t Result = MaxInputSize;
704 size_t R = Rand.Rand();
705 if ((R % (1U << 7)) == 0)
706 Result++;
707 if ((R % (1U << 15)) == 0)
708 Result += 10 + Result / 2;
709 return Min(Result, MaxMutationLen);
710 }
711
699712 void Fuzzer::MutateAndTestOne() {
700713 MD.StartMutationSequence();
701714
709722
710723 assert(MaxMutationLen > 0);
711724
725 size_t CurrentMaxMutationLen =
726 Options.ExperimentalLenControl
727 ? ComputeMutationLen(Corpus.MaxInputSize(), MaxMutationLen,
728 MD.GetRand())
729 : MaxMutationLen;
730
712731 for (int i = 0; i < Options.MutateDepth; i++) {
713732 if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
714733 break;
715734 size_t NewSize = 0;
716 NewSize = MD.Mutate(CurrentUnitData, Size, MaxMutationLen);
735 NewSize = MD.Mutate(CurrentUnitData, Size, CurrentMaxMutationLen);
717736 assert(NewSize > 0 && "Mutator returned empty unit");
718 assert(NewSize <= MaxMutationLen && "Mutator return overisized unit");
737 assert(NewSize <= CurrentMaxMutationLen && "Mutator return overisized unit");
719738 Size = NewSize;
720739 if (i == 0)
721740 StartTraceRecording();
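Review bot: `CurrentMaxMutationLen` can be 0, because `Corpus.MaxInputSize()` returns 0 when every unit is empty and ComputeMutationLen then returns 0 unless one of the random bumps fires, while the only guard before the loop is `assert(MaxMutationLen > 0)` on the unclamped value. The mutator entry point shown later on this page asserts `MaxSize > 0`, and this commit removes its `Size == 0` branch, so that case would trip an assert in debug builds and pass a zero limit to the mutators in builds without asserts. Whether the corpus can still be all-empty when MutateAndTestOne runs is not visible here; if it can, clamp in ComputeMutationLen with `if (Result == 0) Result = 1;` or add `assert(CurrentMaxMutationLen > 0);` after the computation. The body of MutateAndTestOne continues outside both hunks. The constants `1U << 7`, `1U << 15` and `10 + Result / 2` would also benefit from a one-line comment stating the intended growth rate.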
484484 size_t MaxSize,
485485 const std::vector &Mutators) {
486486 assert(MaxSize > 0);
487 if (Size == 0) {
488 for (size_t i = 0; i < MaxSize; i++)
489 Data[i] = RandCh(Rand);
490 if (Options.OnlyASCII)
491 ToASCII(Data, MaxSize);
492 return MaxSize;
493 }
494487 assert(Size > 0);
495488 // Some mutations may fail (e.g. can't insert more bytes if Size == MaxSize),
496489 // in which case they will return 0.
1818 struct FuzzingOptions {
1919 int Verbosity = 1;
2020 size_t MaxLen = 0;
21 bool ExperimentalLenControl = false;
2122 int UnitTimeoutSec = 300;
2223 int TimeoutExitCode = 77;
2324 int ErrorExitCode = 77;