This is an archive of the discontinued LLVM Phabricator instance.

[libfuzzer] Refactoring coverage state-management code..
ClosedPublic

Authored by aizatsky on May 9 2016, 3:18 PM.

Details

Summary

It is now less state-dependent and will allow easier comparing of
coverages of different units.

Diff Detail

Event Timeline

aizatsky updated this revision to Diff 56644.May 9 2016, 3:18 PM
aizatsky retitled this revision from to [libfuzzer][WIP] extracting static coverage state to proper value object..
aizatsky updated this object.
aizatsky updated this revision to Diff 56769.May 10 2016, 11:33 AM

ready for review.

aizatsky retitled this revision from [libfuzzer][WIP] extracting static coverage state to proper value object. to [libfuzzer] Refactoring coverage state-management code...May 10 2016, 11:34 AM
aizatsky updated this object.
aizatsky added reviewers: kcc, vitalybuka.
aizatsky added a project: Restricted Project.
aizatsky added a subscriber: llvm-commits.
kcc edited edge metadata.May 10 2016, 1:50 PM

Correct me if I am wrong, but this change seems to add extra malloc call for every unit.
Don't do that.
Instead of creating a scratch copy on every execution we may want to have two copies: current and maximal.
But no mallocs, please.

lib/Fuzzer/FuzzerLoop.cpp
355–357

Will this cause extra memory allocations to happen for every execution of RunOne()?

lib/Fuzzer/FuzzerTracePC.h
1 ↗(On Diff #56769)

i-face? really?

I don't want to expose this in a header file.
I see why you did this (to have mergeable objects), but that might be a bad idea because of extra memory allocations.

aizatsky updated this revision to Diff 56823.May 10 2016, 2:56 PM
aizatsky marked an inline comment as done.
aizatsky edited edge metadata.

no additional malloc

Made sure that no additional allocations happen. PTAL.

lib/Fuzzer/FuzzerTracePC.h
1 ↗(On Diff #56769)

Trying to stay within 80 chars.

I don't really need this header. I had this in FuzzerInternal.h first. I'm happy to move this definition back. I simply presumed that you'd like to keep it separate.

aizatsky added inline comments.May 10 2016, 3:01 PM
lib/Fuzzer/FuzzerLoop.cpp
355–357

BTW all tests pass without this call, but you used to have it before. Do you want me to keep it?

kcc added inline comments.May 10 2016, 3:29 PM
lib/Fuzzer/FuzzerInternal.h
353

is this used?

lib/Fuzzer/FuzzerLoop.cpp
355–357

let's not make too many changes at the same time, leave it for now.

lib/Fuzzer/FuzzerTracePC.h
2 ↗(On Diff #56823)

No, this header is fine, I just don't like i-face. Just leave "Path tracer"

9 ↗(On Diff #56823)

Fix the comment (move from the cpp file)

25 ↗(On Diff #56823)

move the code to cpp file

32 ↗(On Diff #56823)

ditto

aizatsky updated this revision to Diff 56830.May 10 2016, 3:38 PM
aizatsky marked 5 inline comments as done.

review

All Done. PTAL.

lib/Fuzzer/FuzzerInternal.h
353

Not right now, but I used it several times for debugging. I'd like to keep it.

lib/Fuzzer/FuzzerLoop.cpp
355–357

Added comment.

kcc accepted this revision.May 10 2016, 3:43 PM
kcc edited edge metadata.

LGTM, but please test on at least one non-trivial target (other than tests) that is large and fast, to ensure we haven't missed any perf degradation.

Also, consider moving all coverage stuff from FuzzerLoop into a separate file (FuzzerCoverage) in a separate change.

This revision is now accepted and ready to land.May 10 2016, 3:43 PM

I don't see any performance difference. Tested on chromium's mp4_box_reader_fuzzer (166M binary).

Before:

$ ./out/fuzzer/mp4_box_reader_fuzzer -seed=1 -runs=1000000 ~/tmp/fuzzers/mp4_box_reader_fuzzer
INFO: Seed: 1
INFO: -max_len is not provided, using 500
#0 READ units: 429 exec/s: 0
#429 INITED cov: 517 bits: 686 indir: 23 units: 120 exec/s: 0
#16384 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 5461
#32768 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 5461
#65536 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 5041
#131072 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 5041
#262144 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 4681
^C==32409== libFuzzer: run interrupted; exiting
./out/fuzzer/mp4_box_reader_fuzzer -seed=1 -runs=1000000 63.74s user 2.01s system 99% cpu 1:05.82 total

After:

$ ./out/fuzzer/mp4_box_reader_fuzzer -seed=1 -runs=1000000 ~/tmp/fuzzers/mp4_box_reader_fuzzer
INFO: Seed: 1
INFO: -max_len is not provided, using 500
#0 READ units: 425 exec/s: 0
#425 INITED cov: 381 bits: 686 indir: 23 units: 120 exec/s: 0
#426 NEW cov: 411 bits: 686 indir: 25 units: 121 exec/s: 0 L: 157 MS: 1 InsertByte-
#4002 NEW cov: 411 bits: 686 indir: 25 units: 122 exec/s: 4002 L: 453 MS: 2 EraseByte-ShuffleBytes-
#4003 NEW cov: 412 bits: 686 indir: 25 units: 123 exec/s: 4003 L: 453 MS: 3 EraseByte-ShuffleBytes-ShuffleBytes-
#16384 pulse cov: 412 bits: 686 indir: 25 units: 123 exec/s: 5461
#30789 NEW cov: 412 bits: 688 indir: 25 units: 124 exec/s: 4398 L: 187 MS: 3 ChangeByte-ChangeBit-EraseByte-
#32768 pulse cov: 412 bits: 688 indir: 25 units: 124 exec/s: 4681
#65536 pulse cov: 412 bits: 688 indir: 25 units: 124 exec/s: 4681
#131072 pulse cov: 412 bits: 688 indir: 25 units: 124 exec/s: 5041
#262144 pulse cov: 412 bits: 688 indir: 25 units: 124 exec/s: 5041
^C==29836== libFuzzer: run interrupted; exiting
./out/fuzzer/mp4_box_reader_fuzzer -seed=1 -runs=1000000 99.80s user 0.61s system 99% cpu 1:40.48 total

This revision was automatically updated to reflect the committed changes.