
[libFuzzer] Adds experimental flag -ngram that changes the fuzzer fitness function
Needs Review · Public

Authored by bshastry on Feb 23 2018, 2:00 AM.

Details

Reviewers
kcc
morehouse
Summary

At the moment, PC guards (CFG edge hit counters) are used to select interesting fuzzer mutations. This patch allows the user to specify an optional -ngram=k (an integer that defaults to 1, i.e., vanilla libFuzzer) that uses an XOR of the "k" previous PC guards encountered for selecting interesting mutations.

Requires a/b testing to qualify merit of patch.
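As a worked illustration of the fitness function the summary describes, here is a stand-alone C++ model added by the editor; it is not code from this patch or from libFuzzer. It keeps the last k guard IDs in a ring buffer and records their XOR as the feature for each guard hit, so k=1 reduces to the plain guard ID. kMaxNGram, NGramTracer, the helper functions and the guard traces are assumptions made for this example; real libFuzzer derives features from inline 8-bit counters (see kcc's first inline comment), not from a bare guard ID as modelled here.

```cpp
// Added example, not code from the patch under review: a stand-alone model of
// the -ngram fitness signal the summary describes.  Guard IDs are small
// integers standing in for PC-guard indices; kMaxNGram, NGramTracer, the
// helper functions and the constructed traces are assumptions of this example.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <set>
#include <vector>

static const size_t kMaxNGram = 16;  // assumed upper bound on k

// Keeps the last Ngram guard IDs in a ring buffer and reports, for every guard
// hit, the XOR of those IDs as the feature used for corpus selection.
class NGramTracer {
 public:
  explicit NGramTracer(size_t N)
      : Ngram(std::max<size_t>(1, std::min(N, kMaxNGram))),
        History(Ngram, 0), Pos(0) {}

  // Called once per executed PC guard; returns the feature recorded for it.
  // With Ngram == 1 the feature is the guard itself (vanilla behaviour).
  uint32_t HandleGuard(uint32_t Guard) {
    History[Pos] = Guard;
    Pos = (Pos + 1) % Ngram;
    uint32_t Feature = 0;
    for (uint32_t G : History) Feature ^= G;  // XOR of the window, order-insensitive
    Features.insert(Feature);
    return Feature;
  }

  // Clears the guard history between inputs so one input's tail does not
  // leak into the next one's first features.
  void ResetHistory() {
    std::fill(History.begin(), History.end(), 0);
    Pos = 0;
  }

  const std::set<uint32_t> &GetFeatures() const { return Features; }

 private:
  size_t Ngram;
  std::vector<uint32_t> History;  // 0 means "no guard seen yet"
  size_t Pos;
  std::set<uint32_t> Features;
};

typedef std::vector<uint32_t> Trace;

// Features an input produces under -ngram=N, starting from an empty history.
std::set<uint32_t> FeaturesOf(size_t N, const Trace &T) {
  NGramTracer Tracer(N);
  for (uint32_t G : T) Tracer.HandleGuard(G);
  return Tracer.GetFeatures();
}

// Feature recorded for the last guard of a trace under -ngram=N.
uint32_t LastFeature(size_t N, const Trace &T) {
  NGramTracer Tracer(N);
  uint32_t F = 0;
  for (uint32_t G : T) F = Tracer.HandleGuard(G);
  return F;
}

// Number of distinct features a whole set of inputs produces under -ngram=N.
size_t DistinctFeatures(size_t N, const std::vector<Trace> &Traces) {
  std::set<uint32_t> All;
  for (const Trace &T : Traces) {
    std::set<uint32_t> F = FeaturesOf(N, T);
    All.insert(F.begin(), F.end());
  }
  return All.size();
}

// True if Candidate yields at least one feature the Corpus trace did not,
// i.e. the mutation would be kept under this fitness function.
bool IsInteresting(size_t N, const Trace &Corpus, const Trace &Candidate) {
  std::set<uint32_t> Seen = FeaturesOf(N, Corpus);
  for (uint32_t F : FeaturesOf(N, Candidate))
    if (!Seen.count(F)) return true;
  return false;
}

int main() {
  // Constructed traces: the same three edges executed in two different orders.
  const Trace P1 = {3, 5, 9};
  const Trace P2 = {3, 9, 5};
  for (size_t N = 1; N <= 3; N++)
    std::printf("-ngram=%zu: %zu distinct features, reordering interesting: %s\n",
                N, DistinctFeatures(N, {P1, P2}),
                IsInteresting(N, P1, P2) ? "yes" : "no");
  // Collision caveat: the XOR of guards 1 and 2 equals the plain feature of guard 3.
  std::printf("feature for guards (1,2) at k=2: %u\n", LastFeature(2, {1, 2}));
  return 0;
}
```

On the constructed traces, k=1 records the same three features for both orderings, so the reordered input is discarded, while k=2 and k=3 distinguish them and raise the feature count from 3 to 4; that is the corpus growth kcc's comment warns about. Two caveats the model makes visible: XORing guard IDs lands in the same index space as the IDs themselves, so the window (1,2) collides with a first hit of guard 3, and the guard history is per-process state, which is why the approach is less friendly to multi-threaded targets than plain edge counting.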


Event Timeline

bshastry created this revision. Feb 23 2018, 2:00 AM
Herald added subscribers: Restricted Project, llvm-commits. Feb 23 2018, 2:00 AM
kcc added a comment. Feb 23 2018, 3:07 PM

I am indeed interested in experimenting with bounded path coverage, similar to this.
My prior experiments demonstrated some value but also huge corpus expansion (bad).
It might be worth submitting something like this to simplify further experiments.

FuzzerTracePC.cpp:380

By default, we don't use trace_pc_guard any more -- we have switched to the inline instrumentation https://clang.llvm.org/docs/SanitizerCoverage.html#inline-8bit-counters
So, this logic needs to be moved there. Consider trace_pc_guard is not used any more.

FuzzerTracePC.cpp:385

This is even less friendly to multi-threaded code than the current tracing.

FuzzerTracePC.cpp:387

please try to format the code as the rest of the code in these files.
Also, I recommend using clang-format on the changed lines (don't reformat the entire file, just the changes).

FuzzerTracePC.h:75

constants start with 'k'
e.g. kMaxNGram

FuzzerTracePC.h:88

Ngram = Min(N, kMaxNGram)

morehouse resigned from this revision. May 6 2019, 12:07 PM
Herald added projects: Restricted Project, Restricted Project. May 6 2019, 12:07 PM