This is an archive of the discontinued LLVM Phabricator instance.

Differential D16419

Use std::piecewise_constant_distribution instead of ad-hoc binary search.
ClosedPublic

Authored by krasin on Jan 21 2016, 10:49 AM.

Details

Reviewers
kcc
aizatsky
Commits
rGb008fd4d8955: Use std::piecewise_constant_distribution instead of ad-hoc binary search.
rL258473: Use std::piecewise_constant_distribution instead of ad-hoc binary search.
Summary

Fix the issue with the most recently discovered unit receiving much less attention.

Note: I had to change the seed for one test to make it pass. Alternatively,
the number of runs could be increased. I believe that the average time of
'foo' discovery is not increased, just seed=1 was particularly convenient
for the previous PRNG scheme used.

Diff Detail

Event Timeline

krasin updated this revision to Diff 45566.Jan 21 2016, 10:49 AM
krasin retitled this revision from to Use std::piecewise_constant_distribution instead of ad-hoc binary search..
krasin updated this object.
krasin added a reviewer: aizatsky.
krasin added subscribers: kcc, llvm-commits.
krasin updated this revision to Diff 45568.Jan 21 2016, 10:52 AM

Added a comment.

kcc added inline comments.Jan 21 2016, 11:22 AM
lib/Fuzzer/FuzzerInternal.h
287

We should not be using yet another random generator, we already have one.
Please use it. (USF.GetRand())

krasin added inline comments.Jan 21 2016, 11:28 AM
lib/Fuzzer/FuzzerInternal.h
287

USF.GetRand does not meet the requirements for UniformRandomNumberGenerator: http://en.cppreference.com/w/cpp/concept/UniformRandomNumberGenerator and that is needed to use std::piecewise_constant_distribution.

Should I change USF.GetRand definition to be more standard-compliant?

kcc added inline comments.Jan 21 2016, 11:55 AM
lib/Fuzzer/FuzzerInternal.h
287

Can you *extend* it to be more standard-compliant?

krasin updated this revision to Diff 45594.Jan 21 2016, 2:22 PM

Extend FuzzerRandomBase to satisfy UniformRandomNumberGenerator requirement.

krasin updated this revision to Diff 45597.Jan 21 2016, 2:23 PM

nits

krasin added inline comments.Jan 21 2016, 2:25 PM
lib/Fuzzer/FuzzerInternal.h
287

Done, but I have made an assumption about the max value of Rand(). I imply it's RAND_MAX.

If that could be not the case, the implementation is broken. Please, complain loudly, if so.

kcc added inline comments.Jan 21 2016, 2:37 PM
lib/Fuzzer/FuzzerLoop.cpp
417–419

please use an explicit cast operator.
Are you sure it will ever return the corner values (0 and N-1)?

507

why do you need two vectors here, given that their values are the same?

please avoid sp many push backs, just create a properly sized vector.

the following loop looks like std::iota, please replace with such.

krasin updated this revision to Diff 45613.Jan 21 2016, 4:21 PM

Addressed comments.

krasin added a comment.Jan 21 2016, 4:22 PM

Please, take another look.

lib/Fuzzer/FuzzerLoop.cpp
417–419

I've taken a closer look at the generated values. One bug found (not here, though).
This is what I get (histogram for a corpus of size 15)

16606 0
33392 1
49472 2
66160 3
82898 4
99791 5

116215 6
132234 7
149854 8
166098 9
183056 10
199628 11
216078 12
232118 13
248708 14

507

why do you need two vectors here, given that their values are the same?

I need two vectors because one is for intervals and another one for weights.
They are coincidentally similar. That will not be the case, when dynamic weights are introduced.
See http://en.cppreference.com/w/cpp/numeric/random/piecewise_constant_distribution

please avoid sp many push backs, just create a properly sized vector.

Done. Thank you.

the following loop looks like std::iota, please replace with such.

Sorry, I don't understand the request. Can you please rephrase the request or give an example?

kcc added inline comments.Jan 21 2016, 4:31 PM
lib/Fuzzer/FuzzerLoop.cpp
507

a loop like

for (size_t i = 0; i < Corpus.size(); i++)  x[i] = i + 1

can be replaced with
std::iota(x.begin(), x.end(), 1);

krasin updated this revision to Diff 45618.Jan 21 2016, 4:58 PM

Added a unit test for the CorpusDistribution.

krasin added inline comments.Jan 21 2016, 5:01 PM
lib/Fuzzer/FuzzerLoop.cpp
507

ugh. Obscure!

Let me know, if you really want it.

kcc added a comment.Jan 21 2016, 5:08 PM

almost LGTM

lib/Fuzzer/FuzzerLoop.cpp
511

yep, iota would be nicer.
Also, the current code does not initialize Intervals[0]

lib/Fuzzer/test/FuzzerUnittest.cpp
410

why cast from double from size_t.
Better just write 1 << 20.

krasin updated this revision to Diff 45623.Jan 21 2016, 5:20 PM

Use std::iota

lib/Fuzzer/FuzzerLoop.cpp
511

yep, iota would be nicer.

Done

Also, the current code does not initialize Intervals[0]

explicit vector(size_type count) constructor initializes Intervals with all zeros.

lib/Fuzzer/test/FuzzerUnittest.cpp
410

Sorry, I don't understand which cast do you mean here. The function does not cast from double to size_t anywhere.

kcc accepted this revision.Jan 21 2016, 5:23 PM
kcc added a reviewer: kcc.

LGTM with a nit

lib/Fuzzer/test/FuzzerUnittest.cpp
410

1E6 is a floating point constant

This revision is now accepted and ready to land.Jan 21 2016, 5:23 PM
kcc added a comment.Jan 21 2016, 5:23 PM

LGTM with a nit

krasin updated this revision to Diff 45628.Jan 21 2016, 5:29 PM
krasin edited edge metadata.

1E6 -> 1<<20.

lib/Fuzzer/test/FuzzerUnittest.cpp
410

Done.

Thank you. Golang has typeless constants (which get types at the time of assignment). I totally forgot that C does not. :)

krasin closed this revision.Jan 21 2016, 5:36 PM

Revision Contents

PathSize
lib/
Fuzzer/
12 lines
7 lines
33 lines
test/
22 lines

Diff 45628

lib/Fuzzer/FuzzerInterface.h

Show First 20 LinesShow All 60 Lines▼ Show 20 Lines public:
FuzzerRandomBase(){} FuzzerRandomBase(){}
virtual ~FuzzerRandomBase(){}; virtual ~FuzzerRandomBase(){};
virtual void ResetSeed(unsigned int seed) = 0; virtual void ResetSeed(unsigned int seed) = 0;
// Return a random number. // Return a random number.
virtual size_t Rand() = 0; virtual size_t Rand() = 0;
// Return a random number in range [0,n). // Return a random number in range [0,n).
size_t operator()(size_t n) { return n ? Rand() % n : 0; } size_t operator()(size_t n) { return n ? Rand() % n : 0; }
bool RandBool() { return Rand() % 2; } bool RandBool() { return Rand() % 2; }
// The methods below is to satisfy UniformRandomNumberGenerator:
// http://en.cppreference.com/w/cpp/concept/UniformRandomNumberGenerator\
// Returns a random number between 0 and RAND_MAX inclusive.
double operator()() { return operator()(RAND_MAX); }
// Returns the smallest value that operator() may return.
double min() { return 0; }
// Returns the largest value that operator() may return.
double max() { return RAND_MAX; }
}; };
// Using libc's stand/rand. // Using libc's stand/rand.
class FuzzerRandomLibc : public FuzzerRandomBase { class FuzzerRandomLibc : public FuzzerRandomBase {
public: public:
FuzzerRandomLibc(unsigned int seed) { ResetSeed(seed); } FuzzerRandomLibc(unsigned int seed) { ResetSeed(seed); }
void ResetSeed(unsigned int seed) override; void ResetSeed(unsigned int seed) override;
~FuzzerRandomLibc() override {}; ~FuzzerRandomLibc() override {};
▲ Show 20 LinesShow All 79 LinesShow Last 20 Lines

lib/Fuzzer/FuzzerInternal.h

Show All 11 Lines
#ifndef LLVM_FUZZER_INTERNAL_H #ifndef LLVM_FUZZER_INTERNAL_H
#define LLVM_FUZZER_INTERNAL_H #define LLVM_FUZZER_INTERNAL_H
#include <cassert> #include <cassert>
#include <climits> #include <climits>
#include <chrono> #include <chrono>
#include <cstddef> #include <cstddef>
#include <cstdlib> #include <cstdlib>
#include <random>
#include <string> #include <string>
#include <string.h> #include <string.h>
#include <vector> #include <vector>
#include <unordered_set> #include <unordered_set>
#include "FuzzerInterface.h" #include "FuzzerInterface.h"
namespace fuzzer { namespace fuzzer {
▲ Show 20 LinesShow All 167 Lines▼ Show 20 Lines struct FuzzingOptions {
std::string ArtifactPrefix = "./"; std::string ArtifactPrefix = "./";
std::string ExactArtifactPath; std::string ExactArtifactPath;
bool SaveArtifacts = true; bool SaveArtifacts = true;
bool PrintNEW = true; // Print a status line when new units are found; bool PrintNEW = true; // Print a status line when new units are found;
bool OutputCSV = false; bool OutputCSV = false;
bool PrintNewCovPcs = false; bool PrintNewCovPcs = false;
}; };
Fuzzer(UserSuppliedFuzzer &USF, FuzzingOptions Options); Fuzzer(UserSuppliedFuzzer &USF, FuzzingOptions Options);
void AddToCorpus(const Unit &U) { Corpus.push_back(U); } void AddToCorpus(const Unit &U) { Corpus.push_back(U); UpdateCorpusDistribution(); }
size_t ChooseUnitIdxToMutate(); size_t ChooseUnitIdxToMutate();
const Unit &ChooseUnitToMutate() { return Corpus[ChooseUnitIdxToMutate()]; }; const Unit &ChooseUnitToMutate() { return Corpus[ChooseUnitIdxToMutate()]; };
void Loop(); void Loop();
void Drill(); void Drill();
void ShuffleAndMinimize(); void ShuffleAndMinimize();
void InitializeTraceState(); void InitializeTraceState();
void AssignTaintLabels(uint8_t *Data, size_t Size); void AssignTaintLabels(uint8_t *Data, size_t Size);
size_t CorpusSize() const { return Corpus.size(); } size_t CorpusSize() const { return Corpus.size(); }
Show All 24 Lines private:
void MutateAndTestOne(); void MutateAndTestOne();
void ReportNewCoverage(const Unit &U); void ReportNewCoverage(const Unit &U);
bool RunOne(const Unit &U); bool RunOne(const Unit &U);
void RunOneAndUpdateCorpus(Unit &U); void RunOneAndUpdateCorpus(Unit &U);
void WriteToOutputCorpus(const Unit &U); void WriteToOutputCorpus(const Unit &U);
void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix); void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix);
void PrintStats(const char *Where, const char *End = "\n"); void PrintStats(const char *Where, const char *End = "\n");
void PrintStatusForNewUnit(const Unit &U); void PrintStatusForNewUnit(const Unit &U);
// Updates the probability distribution for the units in the corpus.
// Must be called whenever the corpus or unit weights are changed.
void UpdateCorpusDistribution();
void SyncCorpus(); void SyncCorpus();
size_t RecordBlockCoverage(); size_t RecordBlockCoverage();
size_t RecordCallerCalleeCoverage(); size_t RecordCallerCalleeCoverage();
void PrepareCoverageBeforeRun(); void PrepareCoverageBeforeRun();
bool CheckCoverageAfterRun(); bool CheckCoverageAfterRun();
Show All 23 Lines private:
// For UseCounters // For UseCounters
std::vector<uint8_t> CounterBitmap; std::vector<uint8_t> CounterBitmap;
size_t TotalBits() { // Slow. Call it only for printing stats. size_t TotalBits() { // Slow. Call it only for printing stats.
size_t Res = 0; size_t Res = 0;
for (auto x : CounterBitmap) Res += __builtin_popcount(x); for (auto x : CounterBitmap) Res += __builtin_popcount(x);
return Res; return Res;
} }
std::piecewise_constant_distribution<double> CorpusDistribution;
kccUnsubmitted
Not Done
ReplyInline Actions

We should not be using yet another random generator, we already have one.
Please use it. (USF.GetRand())

kcc: We should not be using yet another random generator, we already have one. Please use it. (USF.
krasinAuthorUnsubmitted
Not Done
ReplyInline Actions

USF.GetRand does not meet the requirements for UniformRandomNumberGenerator: http://en.cppreference.com/w/cpp/concept/UniformRandomNumberGenerator and that is needed to use std::piecewise_constant_distribution.

Should I change USF.GetRand definition to be more standard-compliant?

krasin: USF.GetRand does not meet the requirements for UniformRandomNumberGenerator: http://en.
kccUnsubmitted
Not Done
ReplyInline Actions

Can you *extend* it to be more standard-compliant?

kcc: Can you *extend* it to be more standard-compliant?
krasinAuthorUnsubmitted
Not Done
ReplyInline Actions

Done, but I have made an assumption about the max value of Rand(). I imply it's RAND_MAX.

If that could be not the case, the implementation is broken. Please, complain loudly, if so.

krasin: Done, but I have made an assumption about the max value of Rand(). I imply it's RAND_MAX. If…
UserSuppliedFuzzer &USF; UserSuppliedFuzzer &USF;
FuzzingOptions Options; FuzzingOptions Options;
system_clock::time_point ProcessStartTime = system_clock::now(); system_clock::time_point ProcessStartTime = system_clock::now();
system_clock::time_point LastExternalSync = system_clock::now(); system_clock::time_point LastExternalSync = system_clock::now();
system_clock::time_point UnitStartTime; system_clock::time_point UnitStartTime;
long TimeOfLongestUnitInSeconds = 0; long TimeOfLongestUnitInSeconds = 0;
long EpochOfLastReadOfOutputCorpus = 0; long EpochOfLastReadOfOutputCorpus = 0;
size_t LastRecordedBlockCoverage = 0; size_t LastRecordedBlockCoverage = 0;
Show All 20 Lines

lib/Fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 157 Lines▼ Show 20 Linesvoid Fuzzer::RereadOutputCorpus() {
if (Options.Verbosity >= 2) if (Options.Verbosity >= 2)
Printf("Reload: read %zd new units.\n", AdditionalCorpus.size()); Printf("Reload: read %zd new units.\n", AdditionalCorpus.size());
for (auto &X : AdditionalCorpus) { for (auto &X : AdditionalCorpus) {
if (X.size() > (size_t)Options.MaxLen) if (X.size() > (size_t)Options.MaxLen)
X.resize(Options.MaxLen); X.resize(Options.MaxLen);
if (UnitHashesAddedToCorpus.insert(Hash(X)).second) { if (UnitHashesAddedToCorpus.insert(Hash(X)).second) {
if (RunOne(X)) { if (RunOne(X)) {
Corpus.push_back(X); Corpus.push_back(X);
UpdateCorpusDistribution();
PrintStats("RELOAD"); PrintStats("RELOAD");
} }
} }
} }
} }
void Fuzzer::ShuffleAndMinimize() { void Fuzzer::ShuffleAndMinimize() {
bool PreferSmall = (Options.PreferSmallDuringInitialShuffle == 1 || bool PreferSmall = (Options.PreferSmallDuringInitialShuffle == 1 ||
Show All 21 Lines for (size_t First = 0; First < 1; First++) {
if (RunOne(U)) { if (RunOne(U)) {
NewCorpus.push_back(U); NewCorpus.push_back(U);
if (Options.Verbosity >= 2) if (Options.Verbosity >= 2)
Printf("NEW0: %zd L %zd\n", LastRecordedBlockCoverage, U.size()); Printf("NEW0: %zd L %zd\n", LastRecordedBlockCoverage, U.size());
} }
} }
} }
Corpus = NewCorpus; Corpus = NewCorpus;
UpdateCorpusDistribution();
for (auto &X : Corpus) for (auto &X : Corpus)
UnitHashesAddedToCorpus.insert(Hash(X)); UnitHashesAddedToCorpus.insert(Hash(X));
PrintStats("INITED"); PrintStats("INITED");
} }
bool Fuzzer::RunOne(const Unit &U) { bool Fuzzer::RunOne(const Unit &U) {
UnitStartTime = system_clock::now(); UnitStartTime = system_clock::now();
TotalNumberOfRuns++; TotalNumberOfRuns++;
▲ Show 20 LinesShow All 131 Lines▼ Show 20 Lines if (Options.Verbosity) {
Printf(" L: %zd ", U.size()); Printf(" L: %zd ", U.size());
USF.GetMD().PrintMutationSequence(); USF.GetMD().PrintMutationSequence();
Printf("\n"); Printf("\n");
} }
} }
void Fuzzer::ReportNewCoverage(const Unit &U) { void Fuzzer::ReportNewCoverage(const Unit &U) {
Corpus.push_back(U); Corpus.push_back(U);
UpdateCorpusDistribution();
UnitHashesAddedToCorpus.insert(Hash(U)); UnitHashesAddedToCorpus.insert(Hash(U));
USF.GetMD().RecordSuccessfulMutationSequence(); USF.GetMD().RecordSuccessfulMutationSequence();
PrintStatusForNewUnit(U); PrintStatusForNewUnit(U);
WriteToOutputCorpus(U); WriteToOutputCorpus(U);
if (Options.ExitOnFirst) if (Options.ExitOnFirst)
exit(0); exit(0);
} }
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Lines if (i == 0)
StartTraceRecording(); StartTraceRecording();
RunOneAndUpdateCorpus(U); RunOneAndUpdateCorpus(U);
StopTraceRecording(); StopTraceRecording();
} }
} }
// Returns an index of random unit from the corpus to mutate. // Returns an index of random unit from the corpus to mutate.
// Hypothesis: units added to the corpus last are more likely to be interesting. // Hypothesis: units added to the corpus last are more likely to be interesting.
// This function gives more wieght to the more recent units. // This function gives more weight to the more recent units.
size_t Fuzzer::ChooseUnitIdxToMutate() { size_t Fuzzer::ChooseUnitIdxToMutate() {
size_t N = Corpus.size(); size_t Idx = static_cast<size_t>(CorpusDistribution(USF.GetRand()));
size_t Total = (N + 1) * N / 2; assert(Idx < Corpus.size());
size_t R = USF.GetRand()(Total); return Idx;
kccUnsubmitted
Not Done
ReplyInline Actions

please use an explicit cast operator.
Are you sure it will ever return the corner values (0 and N-1)?

kcc: please use an explicit cast operator. Are you sure it will ever return the corner values (0…
krasinAuthorUnsubmitted
Not Done
ReplyInline Actions

I've taken a closer look at the generated values. One bug found (not here, though).
This is what I get (histogram for a corpus of size 15)

16606 0
33392 1
49472 2
66160 3
82898 4
99791 5

116215 6
132234 7
149854 8
166098 9
183056 10
199628 11
216078 12
232118 13
248708 14

krasin: I've taken a closer look at the generated values. One bug found (not here, though). This is…
size_t IdxBeg = 0, IdxEnd = N;
// Binary search.
while (IdxEnd - IdxBeg >= 2) {
size_t Idx = IdxBeg + (IdxEnd - IdxBeg) / 2;
if (R > (Idx + 1) * Idx / 2)
IdxBeg = Idx;
else
IdxEnd = Idx;
}
assert(IdxBeg < N);
return IdxBeg;
} }
// Experimental search heuristic: drilling. // Experimental search heuristic: drilling.
// - Read, shuffle, execute and minimize the corpus. // - Read, shuffle, execute and minimize the corpus.
// - Choose one random unit. // - Choose one random unit.
// - Reset the coverage. // - Reset the coverage.
// - Start fuzzing as if the chosen unit was the only element of the corpus. // - Start fuzzing as if the chosen unit was the only element of the corpus.
// - When done, reset the coverage again. // - When done, reset the coverage again.
// - Merge the newly created corpus into the original one. // - Merge the newly created corpus into the original one.
void Fuzzer::Drill() { void Fuzzer::Drill() {
// The corpus is already read, shuffled, and minimized. // The corpus is already read, shuffled, and minimized.
assert(!Corpus.empty()); assert(!Corpus.empty());
Options.PrintNEW = false; // Don't print NEW status lines when drilling. Options.PrintNEW = false; // Don't print NEW status lines when drilling.
Unit U = ChooseUnitToMutate(); Unit U = ChooseUnitToMutate();
CHECK_WEAK_API_FUNCTION(__sanitizer_reset_coverage); CHECK_WEAK_API_FUNCTION(__sanitizer_reset_coverage);
__sanitizer_reset_coverage(); __sanitizer_reset_coverage();
std::vector<Unit> SavedCorpus; std::vector<Unit> SavedCorpus;
SavedCorpus.swap(Corpus); SavedCorpus.swap(Corpus);
Corpus.push_back(U); Corpus.push_back(U);
UpdateCorpusDistribution();
assert(Corpus.size() == 1); assert(Corpus.size() == 1);
RunOne(U); RunOne(U);
PrintStats("DRILL "); PrintStats("DRILL ");
std::string SavedOutputCorpusPath; // Don't write new units while drilling. std::string SavedOutputCorpusPath; // Don't write new units while drilling.
SavedOutputCorpusPath.swap(Options.OutputCorpus); SavedOutputCorpusPath.swap(Options.OutputCorpus);
Loop(); Loop();
__sanitizer_reset_coverage(); __sanitizer_reset_coverage();
▲ Show 20 LinesShow All 47 Lines▼ Show 20 Linesvoid Fuzzer::SyncCorpus() {
auto Now = system_clock::now(); auto Now = system_clock::now();
if (duration_cast<seconds>(Now - LastExternalSync).count() < if (duration_cast<seconds>(Now - LastExternalSync).count() <
Options.SyncTimeout) Options.SyncTimeout)
return; return;
LastExternalSync = Now; LastExternalSync = Now;
ExecuteCommand(Options.SyncCommand + " " + Options.OutputCorpus); ExecuteCommand(Options.SyncCommand + " " + Options.OutputCorpus);
} }
void Fuzzer::UpdateCorpusDistribution() {
size_t N = Corpus.size();
kccUnsubmitted
Not Done
ReplyInline Actions

why do you need two vectors here, given that their values are the same?

please avoid sp many push backs, just create a properly sized vector.

the following loop looks like std::iota, please replace with such.

kcc: why do you need two vectors here, given that their values are the same? please avoid sp many…
krasinAuthorUnsubmitted
Not Done
ReplyInline Actions

why do you need two vectors here, given that their values are the same?

I need two vectors because one is for intervals and another one for weights.
They are coincidentally similar. That will not be the case, when dynamic weights are introduced.
See http://en.cppreference.com/w/cpp/numeric/random/piecewise_constant_distribution

please avoid sp many push backs, just create a properly sized vector.

Done. Thank you.

the following loop looks like std::iota, please replace with such.

Sorry, I don't understand the request. Can you please rephrase the request or give an example?

krasin: > why do you need two vectors here, given that their values are the same? I need two vectors…
kccUnsubmitted
Not Done
ReplyInline Actions

a loop like

for (size_t i = 0; i < Corpus.size(); i++)  x[i] = i + 1

can be replaced with
std::iota(x.begin(), x.end(), 1);

kcc: a loop like for (size_t i = 0; i < Corpus.size(); i++) x[i] = i + 1 can be replaced with…
krasinAuthorUnsubmitted
Not Done
ReplyInline Actions

ugh. Obscure!

Let me know, if you really want it.

krasin: ugh. Obscure! Let me know, if you really want it.
std::vector<double> Intervals(N+1);
std::vector<double> Weights(N);
std::iota(Intervals.begin(), Intervals.end(), 0);
std::iota(Weights.begin(), Weights.end(), 1);
kccUnsubmitted
Not Done
ReplyInline Actions

yep, iota would be nicer.
Also, the current code does not initialize Intervals[0]

kcc: yep, iota would be nicer. Also, the current code does not initialize Intervals[0]
krasinAuthorUnsubmitted
Not Done
ReplyInline Actions

yep, iota would be nicer.

Done

Also, the current code does not initialize Intervals[0]

explicit vector(size_type count) constructor initializes Intervals with all zeros.

krasin: > yep, iota would be nicer. Done >Also, the current code does not initialize Intervals[0]…
CorpusDistribution = std::piecewise_constant_distribution<double>(
Intervals.begin(), Intervals.end(), Weights.begin());
}
} // namespace fuzzer } // namespace fuzzer

lib/Fuzzer/test/FuzzerUnittest.cpp

#include "FuzzerInternal.h" #include "FuzzerInternal.h"
#include "gtest/gtest.h" #include "gtest/gtest.h"
#include <set> #include <set>
using namespace fuzzer; using namespace fuzzer;
// For now, have LLVMFuzzerTestOneInput just to make it link. // For now, have LLVMFuzzerTestOneInput just to make it link.
// Later we may want to make unittests that actually call LLVMFuzzerTestOneInput. // Later we may want to make unittests that actually call LLVMFuzzerTestOneInput.
extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
abort(); abort();
} }
TEST(Fuzzer, CrossOver) { TEST(Fuzzer, CrossOver) {
FuzzerRandomLibc Rand(0); FuzzerRandomLibc Rand(0);
MutationDispatcher MD(Rand); MutationDispatcher MD(Rand);
Unit A({0, 1, 2}), B({5, 6, 7}); Unit A({0, 1, 2}), B({5, 6, 7});
Unit C; Unit C;
▲ Show 20 LinesShow All 377 Lines▼ Show 20 LinesTEST(FuzzerUtil, Base64) {
EXPECT_EQ("YWI=", Base64({'a', 'b'})); EXPECT_EQ("YWI=", Base64({'a', 'b'}));
EXPECT_EQ("eHk=", Base64({'x', 'y'})); EXPECT_EQ("eHk=", Base64({'x', 'y'}));
EXPECT_EQ("YWJj", Base64({'a', 'b', 'c'})); EXPECT_EQ("YWJj", Base64({'a', 'b', 'c'}));
EXPECT_EQ("eHl6", Base64({'x', 'y', 'z'})); EXPECT_EQ("eHl6", Base64({'x', 'y', 'z'}));
EXPECT_EQ("YWJjeA==", Base64({'a', 'b', 'c', 'x'})); EXPECT_EQ("YWJjeA==", Base64({'a', 'b', 'c', 'x'}));
EXPECT_EQ("YWJjeHk=", Base64({'a', 'b', 'c', 'x', 'y'})); EXPECT_EQ("YWJjeHk=", Base64({'a', 'b', 'c', 'x', 'y'}));
EXPECT_EQ("YWJjeHl6", Base64({'a', 'b', 'c', 'x', 'y', 'z'})); EXPECT_EQ("YWJjeHl6", Base64({'a', 'b', 'c', 'x', 'y', 'z'}));
} }
TEST(Corpus, Distribution) {
FuzzerRandomLibc Rand(0);
SimpleUserSuppliedFuzzer USF(&Rand, LLVMFuzzerTestOneInput);
Fuzzer::FuzzingOptions Options;
Fuzzer Fuzz(USF, Options);
size_t N = 10;
size_t TriesPerUnit = 1<<20;
kccUnsubmitted
Not Done
ReplyInline Actions

why cast from double from size_t.
Better just write 1 << 20.

kcc: why cast from double from size_t. Better just write 1 << 20.
krasinAuthorUnsubmitted
Not Done
ReplyInline Actions

Sorry, I don't understand which cast do you mean here. The function does not cast from double to size_t anywhere.

krasin: Sorry, I don't understand which cast do you mean here. The function does not cast from double…
kccUnsubmitted
Not Done
ReplyInline Actions

1E6 is a floating point constant

kcc: 1E6 is a floating point constant
krasinAuthorUnsubmitted
Not Done
ReplyInline Actions

Done.

Thank you. Golang has typeless constants (which get types at the time of assignment). I totally forgot that C does not. :)

krasin: Done. Thank you. Golang has typeless constants (which get types at the time of assignment). I…
for (size_t i = 0; i < N; i++) {
Fuzz.AddToCorpus(Unit{ static_cast<uint8_t>(i) });
}
std::vector<size_t> Hist(N);
for (size_t i = 0; i < N * TriesPerUnit; i++) {
Hist[Fuzz.ChooseUnitIdxToMutate()]++;
}
for (size_t i = 0; i < N; i++) {
// A weak sanity check that every unit gets invoked.
EXPECT_GT(Hist[i], TriesPerUnit / N / 3);
}
}