It is now less state-dependent and will allow easier comparing of
coverages of different units.
Details
Diff Detail
Event Timeline
Correct me if I am wrong, but this change seems to add extra malloc call for every unit.
Don't do that.
Instead of creating a scratch copy on every execution we may want to have two copies: current and maximal.
But no mallocs, please.
lib/Fuzzer/FuzzerLoop.cpp | ||
---|---|---|
401 | Will this cause extra memory allocations to happen for every execution of RunOne()? | |
lib/Fuzzer/FuzzerTracePC.h | ||
2 | i-face? really? I don't want to expose this in a header file. |
Made sure that no additional allocations happen. PTAL.
lib/Fuzzer/FuzzerTracePC.h | ||
---|---|---|
2 | Trying to stay within 80 chars. I don't really need this header. I had this in FuzzerInternal.h first. I'm happy to move this definition back. I simply presumed that you'd like to keep it separate. |
lib/Fuzzer/FuzzerLoop.cpp | ||
---|---|---|
401 | BTW all tests pass without this call, but you used to have it before. Do you want me to keep it? |
lib/Fuzzer/FuzzerInternal.h | ||
---|---|---|
321 | is this used? | |
lib/Fuzzer/FuzzerLoop.cpp | ||
401 | let's not make too many changes at the same time, leave it for now. | |
lib/Fuzzer/FuzzerTracePC.h | ||
2 | No, this header is fine, I just don't like i-face. Just leave "Path tracer" | |
9 | Fix the comment (move from the cpp file) | |
25 | move the code to cpp file | |
32 | ditto |
LGTM, but please test on at least one non-trivial target (other than tests) that is large and fast, to ensure we haven't missed any perf degradation.
Also, consider moving all coverage stuff from FuzzerLoop into a separate file (FuzzerCoverage) in a separate change.
I don't see any performance difference. Tested on chromium's mp4_box_reader_fuzzer (166M binary).
Before:
$ ./out/fuzzer/mp4_box_reader_fuzzer -seed=1 -runs=1000000 ~/tmp/fuzzers/mp4_box_reader_fuzzer
INFO: Seed: 1
INFO: -max_len is not provided, using 500
#0 READ units: 429 exec/s: 0
#429 INITED cov: 517 bits: 686 indir: 23 units: 120 exec/s: 0
#16384 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 5461
#32768 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 5461
#65536 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 5041
#131072 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 5041
#262144 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 4681
^C==32409== libFuzzer: run interrupted; exiting
./out/fuzzer/mp4_box_reader_fuzzer -seed=1 -runs=1000000 63.74s user 2.01s system 99% cpu 1:05.82 total
After:
$ ./out/fuzzer/mp4_box_reader_fuzzer -seed=1 -runs=1000000 ~/tmp/fuzzers/mp4_box_reader_fuzzer
INFO: Seed: 1
INFO: -max_len is not provided, using 500
#0 READ units: 425 exec/s: 0
#425 INITED cov: 381 bits: 686 indir: 23 units: 120 exec/s: 0
#426 NEW cov: 411 bits: 686 indir: 25 units: 121 exec/s: 0 L: 157 MS: 1 InsertByte-
#4002 NEW cov: 411 bits: 686 indir: 25 units: 122 exec/s: 4002 L: 453 MS: 2 EraseByte-ShuffleBytes-
#4003 NEW cov: 412 bits: 686 indir: 25 units: 123 exec/s: 4003 L: 453 MS: 3 EraseByte-ShuffleBytes-ShuffleBytes-
#16384 pulse cov: 412 bits: 686 indir: 25 units: 123 exec/s: 5461
#30789 NEW cov: 412 bits: 688 indir: 25 units: 124 exec/s: 4398 L: 187 MS: 3 ChangeByte-ChangeBit-EraseByte-
#32768 pulse cov: 412 bits: 688 indir: 25 units: 124 exec/s: 4681
#65536 pulse cov: 412 bits: 688 indir: 25 units: 124 exec/s: 4681
#131072 pulse cov: 412 bits: 688 indir: 25 units: 124 exec/s: 5041
#262144 pulse cov: 412 bits: 688 indir: 25 units: 124 exec/s: 5041
^C==29836== libFuzzer: run interrupted; exiting
./out/fuzzer/mp4_box_reader_fuzzer -seed=1 -runs=1000000 99.80s user 0.61s system 99% cpu 1:40.48 total
is this used?