This is an archive of the discontinued LLVM Phabricator instance.

Differential D49453

[libFuzzer] Create single template for visiting Inline8bitCounters
ClosedPublic

Authored by kevinwkt on Jul 17 2018, 2:03 PM.

Details

Reviewers
Dor1s
metzman
kcc
morehouse
Commits
rG42b54e81178a: [libFuzzer] Create single template for visiting Inline8bitCounters
rL337403: [libFuzzer] Create single template for visiting Inline8bitCounters
rCRT337403: [libFuzzer] Create single template for visiting Inline8bitCounters
Summary

Created IterateInline8bitCounters, a single template for visiting Inline8bitCounters (nested for loop)
Made InitializeUnstableCounters and UpdateUnstableCounters both send a lambda to IterateInline8bitCounters.

Patch by Kyungtak Woo (@kevinwkt).

Diff Detail

Event Timeline

kevinwkt created this revision.Jul 17 2018, 2:03 PM
kevinwkt added a reviewer: metzman.Jul 17 2018, 2:31 PM
Dor1s added a comment.Jul 17 2018, 2:44 PM

Left some minor comments, but I think it's fine to ask Matt or Kostya to take a look and address all the feedback altogether, just to avoid changing things back and forth if we have different opinions.

lib/fuzzer/FuzzerTracePC.cpp
68–69

I don't like getting an address of an array element, IMO Beg + j would be better, but let's see what the code owners think.

77

change beg to Beg

and actually it's not a "beginning" anymore, needs another name, maybe CounterPtr or just Counter.

86–89

beg -> Beg

lib/fuzzer/FuzzerTracePC.h
182

nit: not a language expert myself, but maybe this should be IterateOverInline8bitCounters. Current version LGTM as well.

metzman accepted this revision.Jul 17 2018, 2:49 PM

LGTM with Max's suggestions

This revision is now accepted and ready to land.Jul 17 2018, 2:49 PM
kevinwkt updated this revision to Diff 155975.Jul 17 2018, 2:58 PM
kevinwkt marked 2 inline comments as done.
kevinwkt added reviewers: kcc, morehouse.

Changed beg to Counter for both InitializeUnstableCounters and UpdateUnstableCounters.

morehouse added a comment.Jul 17 2018, 3:50 PM

Maybe change the callback signature to take i, j, and UnstableIdx instead. Then we can also use IterateInline8bitCounters from UpdateObservedPCs.

lib/fuzzer/FuzzerTracePC.cpp
68–69

Can we just pass Beg[j] instead?

kevinwkt updated this revision to Diff 155982.EditedJul 17 2018, 4:21 PM

PTAL
Changed callback signature from "UnstableIdx, &Beg[j]" to "i, j, UnstableIdx".
Modified UpdateObservedPCs to use the template function.

Did not use template function for case: NumGuards == NumPCsInPCTables because of initial check in template function.

morehouse added inline comments.Jul 17 2018, 4:32 PM
lib/fuzzer/FuzzerTracePC.cpp
62

Maybe this should be an assert.

63

Since we've generalized this function, we might want to change this variable to a more general name (e.g., CounterIdx).

kevinwkt updated this revision to Diff 155987.EditedJul 17 2018, 4:45 PM
kevinwkt marked 4 inline comments as done.

ptal
Changed UnstableIdx to CounterIdx.
Moved initial " NumInline8bitCounters && NumInline8bitCounters == NumPCsInPCTables" out of "IterateInline8bitCounters" to use it also in case: NumGuards == NumPCsInPCTables within UpdateObservedPCs().

morehouse added inline comments.Jul 18 2018, 9:15 AM
lib/fuzzer/FuzzerTracePC.cpp
209

I don't think this will work. IterateInline8bitCounters iterates over ModuleCounters, not Modules.

kevinwkt updated this revision to Diff 156093.Jul 18 2018, 9:21 AM

ptal: fixed
Reverted for when Guards are used.
UnstableIdx is still changed to CounterIdx

morehouse accepted this revision.Jul 18 2018, 9:27 AM
Dor1s updated this revision to Diff 156100.Jul 18 2018, 9:51 AM

Rebase and getting ready to land.

Herald added subscribers: Restricted Project, llvm-commits, delcypher. · View Herald TranscriptJul 18 2018, 9:51 AM
Dor1s edited the summary of this revision. (Show Details)Jul 18 2018, 9:52 AM
kevinwkt updated this revision to Diff 156101.Jul 18 2018, 9:57 AM
kevinwkt marked an inline comment as done.

Fixed syntax error causing CounterIdx error.

Closed by commit rCRT337403: [libFuzzer] Create single template for visiting Inline8bitCounters (authored by Dor1s). · Explain WhyJul 18 2018, 10:08 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
fuzzer/
3 lines
49 lines

Diff 156105

lib/fuzzer/FuzzerTracePC.h

Show First 20 LinesShow All 172 Lines▼ Show 20 Linesprivate:
size_t NumPCsInPCTables; size_t NumPCsInPCTables;
uint8_t *Counters() const; uint8_t *Counters() const;
uintptr_t *PCs() const; uintptr_t *PCs() const;
Set<uintptr_t> ObservedPCs; Set<uintptr_t> ObservedPCs;
Set<uintptr_t> ObservedFuncs; Set<uintptr_t> ObservedFuncs;
template <class Callback>
void IterateInline8bitCounters(Callback CB) const;
Dor1sUnsubmitted
Not Done
ReplyInline Actions

nit: not a language expert myself, but maybe this should be IterateOverInline8bitCounters. Current version LGTM as well.

Dor1s: nit: not a language expert myself, but maybe this should be `IterateOverInline8bitCounters`.
std::pair<size_t, size_t> FocusFunction = {-1, -1}; // Module and PC IDs. std::pair<size_t, size_t> FocusFunction = {-1, -1}; // Module and PC IDs.
ValueBitMap ValueProfileMap; ValueBitMap ValueProfileMap;
uintptr_t InitialStack; uintptr_t InitialStack;
}; };
template <class Callback> template <class Callback>
// void Callback(size_t FirstFeature, size_t Idx, uint8_t Value); // void Callback(size_t FirstFeature, size_t Idx, uint8_t Value);
▲ Show 20 LinesShow All 112 LinesShow Last 20 Lines

lib/fuzzer/FuzzerTracePC.cpp

Show First 20 LinesShow All 51 Lines▼ Show 20 Lines if (ObservedPCs.size())
return ObservedPCs.size(); return ObservedPCs.size();
size_t Res = 0; size_t Res = 0;
for (size_t i = 1, N = GetNumPCs(); i < N; i++) for (size_t i = 1, N = GetNumPCs(); i < N; i++)
if (PCs()[i]) if (PCs()[i])
Res++; Res++;
return Res; return Res;
} }
// Initializes unstable counters by copying Inline8bitCounters to unstable template<class CallBack>
// counters. void TracePC::IterateInline8bitCounters(CallBack CB) const {
void TracePC::InitializeUnstableCounters() {
if (NumInline8bitCounters && NumInline8bitCounters == NumPCsInPCTables) { if (NumInline8bitCounters && NumInline8bitCounters == NumPCsInPCTables) {
morehouseUnsubmitted
Done
ReplyInline Actions

Maybe this should be an assert.

morehouse: Maybe this should be an assert.
size_t UnstableIdx = 0; size_t CounterIdx = 0;
morehouseUnsubmitted
Done
ReplyInline Actions

Since we've generalized this function, we might want to change this variable to a more general name (e.g., CounterIdx).

morehouse: Since we've generalized this function, we might want to change this variable to a more general…
for (size_t i = 0; i < NumModulesWithInline8bitCounters; i++) { for (size_t i = 0; i < NumModulesWithInline8bitCounters; i++) {
uint8_t *Beg = ModuleCounters[i].Start; uint8_t *Beg = ModuleCounters[i].Start;
size_t Size = ModuleCounters[i].Stop - Beg; size_t Size = ModuleCounters[i].Stop - Beg;
assert(Size == (size_t)(ModulePCTable[i].Stop - ModulePCTable[i].Start)); assert(Size == (size_t)(ModulePCTable[i].Stop - ModulePCTable[i].Start));
for (size_t j = 0; j < Size; j++, UnstableIdx++) for (size_t j = 0; j < Size; j++, CounterIdx++)
if (UnstableCounters[UnstableIdx] != kUnstableCounter) CB(i, j, CounterIdx);
Dor1sUnsubmitted
Done
ReplyInline Actions

I don't like getting an address of an array element, IMO Beg + j would be better, but let's see what the code owners think.

Dor1s: I don't like getting an address of an array element, IMO `Beg + j` would be better, but let's…
morehouseUnsubmitted
Done
ReplyInline Actions

Can we just pass Beg[j] instead?

morehouse: Can we just pass `Beg[j]` instead?
UnstableCounters[UnstableIdx] = Beg[j]; }
} }
} }
// Initializes unstable counters by copying Inline8bitCounters to unstable
// counters.
void TracePC::InitializeUnstableCounters() {
IterateInline8bitCounters([&](int i, int j, int UnstableIdx) {
Dor1sUnsubmitted
Done
ReplyInline Actions

change beg to Beg

and actually it's not a "beginning" anymore, needs another name, maybe CounterPtr or just Counter.

Dor1s: change `beg` to `Beg` and actually it's not a "beginning" anymore, needs another name, maybe…
if (UnstableCounters[UnstableIdx] != kUnstableCounter)
UnstableCounters[UnstableIdx] = ModuleCounters[i].Start[j];
});
} }
// Compares the current counters with counters from previous runs // Compares the current counters with counters from previous runs
// and records differences as unstable edges. // and records differences as unstable edges.
void TracePC::UpdateUnstableCounters() { void TracePC::UpdateUnstableCounters() {
if (NumInline8bitCounters && NumInline8bitCounters == NumPCsInPCTables) { IterateInline8bitCounters([&](int i, int j, int UnstableIdx) {
size_t UnstableIdx = 0; if (ModuleCounters[i].Start[j] != UnstableCounters[UnstableIdx])
for (size_t i = 0; i < NumModulesWithInline8bitCounters; i++) {
uint8_t *Beg = ModuleCounters[i].Start;
size_t Size = ModuleCounters[i].Stop - Beg;
assert(Size == (size_t)(ModulePCTable[i].Stop - ModulePCTable[i].Start));
for (size_t j = 0; j < Size; j++, UnstableIdx++)
if (Beg[j] != UnstableCounters[UnstableIdx])
UnstableCounters[UnstableIdx] = kUnstableCounter; UnstableCounters[UnstableIdx] = kUnstableCounter;
} });
Dor1sUnsubmitted
Done
ReplyInline Actions

beg -> Beg

Dor1s: `beg` -> `Beg`
}
} }
void TracePC::HandleInline8bitCountersInit(uint8_t *Start, uint8_t *Stop) { void TracePC::HandleInline8bitCountersInit(uint8_t *Start, uint8_t *Stop) {
if (Start == Stop) return; if (Start == Stop) return;
if (NumModulesWithInline8bitCounters && if (NumModulesWithInline8bitCounters &&
ModuleCounters[NumModulesWithInline8bitCounters-1].Start == Start) return; ModuleCounters[NumModulesWithInline8bitCounters-1].Start == Start) return;
assert(NumModulesWithInline8bitCounters < assert(NumModulesWithInline8bitCounters <
sizeof(ModuleCounters) / sizeof(ModuleCounters[0])); sizeof(ModuleCounters) / sizeof(ModuleCounters[0]));
▲ Show 20 LinesShow All 88 Lines▼ Show 20 Lines auto Observe = [&](const PCTableEntry &TE) {
if (TE.PCFlags & 1) if (TE.PCFlags & 1)
if (ObservedFuncs.insert(TE.PC).second && NumPrintNewFuncs) if (ObservedFuncs.insert(TE.PC).second && NumPrintNewFuncs)
CoveredFuncs.push_back(TE.PC); CoveredFuncs.push_back(TE.PC);
ObservePC(TE.PC); ObservePC(TE.PC);
}; };
if (NumPCsInPCTables) { if (NumPCsInPCTables) {
if (NumInline8bitCounters == NumPCsInPCTables) { if (NumInline8bitCounters == NumPCsInPCTables) {
for (size_t i = 0; i < NumModulesWithInline8bitCounters; i++) { IterateInline8bitCounters([&](int i, int j, int CounterIdx) {
uint8_t *Beg = ModuleCounters[i].Start; if (ModuleCounters[i].Start[j])
size_t Size = ModuleCounters[i].Stop - Beg;
assert(Size ==
(size_t)(ModulePCTable[i].Stop - ModulePCTable[i].Start));
for (size_t j = 0; j < Size; j++)
if (Beg[j])
Observe(ModulePCTable[i].Start[j]); Observe(ModulePCTable[i].Start[j]);
} });
} else if (NumGuards == NumPCsInPCTables) { } else if (NumGuards == NumPCsInPCTables) {
size_t GuardIdx = 1; size_t GuardIdx = 1;
for (size_t i = 0; i < NumModules; i++) { for (size_t i = 0; i < NumModules; i++) {
uint32_t *Beg = Modules[i].Start; uint32_t *Beg = Modules[i].Start;
size_t Size = Modules[i].Stop - Beg; size_t Size = Modules[i].Stop - Beg;
assert(Size == assert(Size ==
(size_t)(ModulePCTable[i].Stop - ModulePCTable[i].Start)); (size_t)(ModulePCTable[i].Stop - ModulePCTable[i].Start));
for (size_t j = 0; j < Size; j++, GuardIdx++) for (size_t j = 0; j < Size; j++, GuardIdx++)
if (Counters()[GuardIdx]) if (Counters()[GuardIdx])
Observe(ModulePCTable[i].Start[j]); Observe(ModulePCTable[i].Start[j]);
} }
} }
morehouseUnsubmitted
Done
ReplyInline Actions

I don't think this will work. IterateInline8bitCounters iterates over ModuleCounters, not Modules.

morehouse: I don't think this will work. `IterateInline8bitCounters` iterates over `ModuleCounters`, not…
} }
for (size_t i = 0, N = Min(CoveredFuncs.size(), NumPrintNewFuncs); i < N; i++) { for (size_t i = 0, N = Min(CoveredFuncs.size(), NumPrintNewFuncs); i < N; i++) {
Printf("\tNEW_FUNC[%zd/%zd]: ", i + 1, CoveredFuncs.size()); Printf("\tNEW_FUNC[%zd/%zd]: ", i + 1, CoveredFuncs.size());
PrintPC("%p %F %L", "%p", CoveredFuncs[i] + 1); PrintPC("%p %F %L", "%p", CoveredFuncs[i] + 1);
Printf("\n"); Printf("\n");
} }
} }
▲ Show 20 LinesShow All 450 LinesShow Last 20 Lines