This is an archive of the discontinued LLVM Phabricator instance.

Differential D49578

[libFuzzer] Handle unstable edges by poisoning unstable edges
AcceptedPublic

Authored by kevinwkt on Jul 19 2018, 5:09 PM.

Details

Reviewers
Dor1s
metzman
morehouse
Summary

Added a new mode within flag -handle_unstable for new unstable handling algorithm that does the following:

When you invalidate an edge in TracePC::UpdateUnstableCounters(), you increase a counter value.
Subtract the counter value from total number of new edges found for that input to get the total number of stable edges found.
Collect Features only if new stable edges are found.

This way we would be rewarding an input of finding a new edge only if that edge was deterministically found.

Diff Detail

Event Timeline

kevinwkt created this revision.Jul 19 2018, 5:09 PM
metzman added a comment.Jul 19 2018, 6:18 PM

I don't think this will work. This just subtracts the number of unstable edges without actually removing those features? Or do i misunderstand how this actually works?

lib/fuzzer/FuzzerLoop.cpp
500–501

Please don't make multi-line if-bodies without curly braces

kevinwkt added a comment.Jul 19 2018, 9:58 PM
In D49578#1169197, @metzman wrote:

I don't think this will work. This just subtracts the number of unstable edges without actually removing those features? Or do i misunderstand how this actually works?

This is Max's method of handling edges described before. (In the chromium bug website.)
This poisons an edge definitely since it won't give weight to a poisoned edge on future runs since it's feature has already been collected from what I remember.

metzman added a comment.Jul 20 2018, 6:44 AM
In D49578#1169329, @kevinwkt wrote:
In D49578#1169197, @metzman wrote:

I don't think this will work. This just subtracts the number of unstable edges without actually removing those features? Or do i misunderstand how this actually works?

This is Max's method of handling edges described before. (In the chromium bug website.)

Could you link me to this please?

This poisons an edge definitely since it won't give weight to a poisoned edge on future runs since it's feature has already been collected from what I remember.

It does? where? Suppose a testcase has two new edges one unstable and one stable so it gets added to the corpus. Then we find a smaller testcase with the same stable feature, but the unstable feature isn't removed. Under this method the first testcase stays in the corpus right?

kevinwkt added a comment.Jul 20 2018, 9:02 AM
In D49578#1169655, @metzman wrote:
In D49578#1169329, @kevinwkt wrote:
In D49578#1169197, @metzman wrote:

I don't think this will work. This just subtracts the number of unstable edges without actually removing those features? Or do i misunderstand how this actually works?

This is Max's method of handling edges described before. (In the chromium bug website.)

Could you link me to this please?

This poisons an edge definitely since it won't give weight to a poisoned edge on future runs since it's feature has already been collected from what I remember.

It does? where? Suppose a testcase has two new edges one unstable and one stable so it gets added to the corpus. Then we find a smaller testcase with the same stable feature, but the unstable feature isn't removed. Under this method the first testcase stays in the corpus right?

Yes, it would stay in the corpus.
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=854276

Dor1s added a comment.Jul 20 2018, 9:10 AM
In D49578#1169197, @metzman wrote:

I don't think this will work. This just subtracts the number of unstable edges without actually removing those features? Or do i misunderstand how this actually works?

I think that was sort of an advantage of the algorithm. We do not remove unstable features, so that any new inputs triggering them won't be considered as new at all, but we don't add such inputs to the corpus to prevent its explosion.

Kevin, we need a test for this one as well. Also, maybe let's focus on finishing the first implementation, as this CL depends on it, and you probably don't want to rebase it and resolve conflicts several times.

metzman requested changes to this revision.Jul 20 2018, 5:49 PM
In D49578#1169860, @Dor1s wrote:
In D49578#1169197, @metzman wrote:

I don't think this will work. This just subtracts the number of unstable edges without actually removing those features? Or do i misunderstand how this actually works?

I think that was sort of an advantage of the algorithm. We do not remove unstable features, so that any new inputs triggering them won't be considered as new at all, but we don't add such inputs to the corpus to prevent its explosion.

Kevin agreed with me offline that this doesn't prevent corpus growth and does something other than intended. We will think about what it does before proceeding.

This revision now requires changes to proceed.Jul 20 2018, 5:49 PM
Dor1s added a comment.Jul 20 2018, 7:37 PM
In D49578#1170815, @metzman wrote:
In D49578#1169860, @Dor1s wrote:
In D49578#1169197, @metzman wrote:

I don't think this will work. This just subtracts the number of unstable edges without actually removing those features? Or do i misunderstand how this actually works?

I think that was sort of an advantage of the algorithm. We do not remove unstable features, so that any new inputs triggering them won't be considered as new at all, but we don't add such inputs to the corpus to prevent its explosion.

Kevin agreed with me offline that this doesn't prevent corpus growth and does something other than intended. We will think about what it does before proceeding.

Ok, let's discuss on Monday. Looks like I'm missing something!

metzman added a comment.Jul 23 2018, 7:00 AM
In D49578#1170851, @Dor1s wrote:
In D49578#1170815, @metzman wrote:
In D49578#1169860, @Dor1s wrote:
In D49578#1169197, @metzman wrote:

I don't think this will work. This just subtracts the number of unstable edges without actually removing those features? Or do i misunderstand how this actually works?

I think that was sort of an advantage of the algorithm. We do not remove unstable features, so that any new inputs triggering them won't be considered as new at all, but we don't add such inputs to the corpus to prevent its explosion.

Kevin agreed with me offline that this doesn't prevent corpus growth and does something other than intended. We will think about what it does before proceeding.

Ok, let's discuss on Monday. Looks like I'm missing something!

I was incorrect in previous reply btw. It does prevent some kinds of corpus growth but not others.

kevinwkt updated this revision to Diff 156910.Jul 23 2018, 3:59 PM

PTAL

Created tests.

Dor1s added a comment.Jul 23 2018, 9:07 PM

Looks great! Left a couple comments + let's clean up the test. Since the test is specific for handle_unstable=3 mode, can we make it shorter, e.g. leave only 1 or 2 deterministic function, and so on. Also, let's rename the source file to HandleUnstablePoisonUnstableTest.cpp, the test file can be renamed to handle_unstable_poison_unstable.test for better readability.

lib/fuzzer/FuzzerLoop.cpp
463

no need to declare this variable here, move it to line 470, e.g. int NumNewUnstableEdges = ....

lib/fuzzer/FuzzerTracePC.cpp
86–87

let's make this condition the first one, so it would fit 2 lines, and then else if (UnstableMode == ZeroUnstable) case

kevinwkt updated this revision to Diff 157117.Jul 24 2018, 1:40 PM
kevinwkt marked an inline comment as done.

PTAL
Fixed Max's comments on variable declaration and initialization and moved tests into a single file.

Dor1s added a comment.Jul 24 2018, 3:48 PM

Can you re-phrase the CL description please, because it looks like a chat message I've sent to you in the past :)

lib/fuzzer/FuzzerInternal.h
70

I'm not a bit fan of using int type where values actually cannot be negative. IMO size_t is de facto standard type for unsigned values when you don't need a certain precision (e.g. uint32_t). Also, when unsure, always check the code around the project, e.g. https://github.com/llvm-mirror/compiler-rt/blob/master/lib/fuzzer/FuzzerCorpus.h#L28 uses size_t for features as well as execPerSec or getTotalNumberOfRuns a few lines above use size_t for another numerical value that cannot be negative. So, please use size_ instead of int here and in UpdateUnstableCounters.

lib/fuzzer/FuzzerLoop.cpp
517

This place is also a good hint regarding which type you should use.

lib/fuzzer/FuzzerTracePC.cpp
86–87

I think we can invert the condition and do return when it's true, just to decrease the indentation of the lines 88-95. Did Matt not accept that style in one of the past reviews?

lib/fuzzer/FuzzerTracePC.h
77–78

Looks like both FuzzerLoop and FuzzerDriver include FuzzerTracePC.h, so you can move this type definition outside of TracePC class and use it in functions accepting UnstableMode instead of int type.

test/fuzzer/HandleUnstableTest.cpp
47

Why we have 1000 here? Wouldn't things become deterministic after that?

52

is it left from local debugging or you want to have this in the test?

kevinwkt updated this revision to Diff 157175.Jul 24 2018, 5:11 PM
kevinwkt marked 5 inline comments as done.

Changed UpdateUnstableCounters to get rid of indentation.
Changed ints to size_ts.

2 questions, @metzman @Dor1s .

  1. For changing UnstableMode to UnstableOptions, FuzzerDriver and FuzzerLoop do include TracePC.h, but FuzzerOptions does not. Where would be the right place to cast the int from FuzzerOptions? Would it be fine to cast it right before it gets sent to CheckForUnstableCounters in RunOne? (inside FuzzerLoop)
  1. I did put 1000 for the tests with the purpose of a test starting as non deterministic but then turning deterministic. Because when it turns deterministic, collect features take all touched functions along with the new deterministic edge. (Hence it collects t0() in PoisonUnstable). Is this a bad practice? (printf() was for local debugging. Got erased.)
Dor1s added a comment.Jul 25 2018, 6:28 AM
In D49578#1174447, @kevinwkt wrote:

Changed UpdateUnstableCounters to get rid of indentation.
Changed ints to size_ts.

2 questions, @metzman @Dor1s .

  1. For changing UnstableMode to UnstableOptions, FuzzerDriver and FuzzerLoop do include TracePC.h, but FuzzerOptions does not. Where would be the right place to cast the int from FuzzerOptions? Would it be fine to cast it right before it gets sent to CheckForUnstableCounters in RunOne? (inside FuzzerLoop)

I think it's fine to move enum HandleUnstableOptions declaration into FuzzerOptions.h, it actually seems to be even better place to me than FuzzerTracePC.h.

  1. I did put 1000 for the tests with the purpose of a test starting as non deterministic but then turning deterministic. Because when it turns deterministic, collect features take all touched functions along with the new deterministic edge. (Hence it collects t0() in PoisonUnstable). Is this a bad practice? (printf() was for local debugging. Got erased.)

Hmmm, I see, thanks. Probably it's fine, but add a comment before if (c < 1000) { to clarify that.

kevinwkt updated this revision to Diff 157358.Jul 25 2018, 2:21 PM
kevinwkt marked 2 inline comments as done.

PTAL
Added comment before c < 1000
Moved enum to FuzzerOptions and included them on necessary files.

Dor1s added a subscriber: morehouse.Jul 25 2018, 4:36 PM
In D49578#1175799, @kevinwkt wrote:

PTAL
Added comment before c < 1000
Moved enum to FuzzerOptions and included them on necessary files.

I don't see the test source file anymore. Please add it and ask @morehouse to review.

test/fuzzer/handle-unstable.test
23–31

please fix the casing here and on line 33 to be consistent with line 48

kevinwkt updated this revision to Diff 157399.Jul 25 2018, 4:44 PM
kevinwkt marked 2 inline comments as done.

PTAL
Updated the syntax for test files.

kevinwkt added a reviewer: morehouse.Jul 25 2018, 4:45 PM
kevinwkt updated this revision to Diff 157400.Jul 25 2018, 4:54 PM

ptal
Fixed syntax again.

kevinwkt edited the summary of this revision. (Show Details)Jul 25 2018, 4:58 PM
metzman added a comment.Jul 25 2018, 5:00 PM
In D49578#1175061, @Dor1s wrote:
In D49578#1174447, @kevinwkt wrote:

Changed UpdateUnstableCounters to get rid of indentation.
Changed ints to size_ts.

2 questions, @metzman @Dor1s .

  1. For changing UnstableMode to UnstableOptions, FuzzerDriver and FuzzerLoop do include TracePC.h, but FuzzerOptions does not. Where would be the right place to cast the int from FuzzerOptions? Would it be fine to cast it right before it gets sent to CheckForUnstableCounters in RunOne? (inside FuzzerLoop)

I think it's fine to move enum HandleUnstableOptions declaration into FuzzerOptions.h, it actually seems to be even better place to me than FuzzerTracePC.h.

  1. I did put 1000 for the tests with the purpose of a test starting as non deterministic but then turning deterministic. Because when it turns deterministic, collect features take all touched functions along with the new deterministic edge. (Hence it collects t0() in PoisonUnstable). Is this a bad practice? (printf() was for local debugging. Got erased.)

Hmmm, I see, thanks. Probably it's fine, but add a comment before if (c < 1000) { to clarify that.

Agreed, I think this is fine. It's not really non-deterministic, it's just stateful from libFuzzer's point of view, so it's not like we are actually calling rand without a seed in a test.

The one thing I'd like to see added is a brief explanation of what 3 does in FuzzerFlagsDef, though I don't think it is 100% necessary, since this flag is very experimental and somewhat complicated to understand without knowing a lot about libFuzzer.

metzman accepted this revision.Jul 25 2018, 5:00 PM
This revision is now accepted and ready to land.Jul 25 2018, 5:00 PM
Dor1s edited subscribers, added: kcc, llvm-commits; removed: morehouse.Jul 25 2018, 5:29 PM
Dor1s added inline comments.
lib/fuzzer/FuzzerTracePC.cpp
91

Can you move this to line 89 please, and then have switch (UnstableMode) ? That way it would be slightly more readable and straightforward.

kevinwkt updated this revision to Diff 157411.Jul 25 2018, 5:45 PM

ptal
Fixed bug that was introduced.

metzman added a comment.Jul 25 2018, 5:47 PM

LGTM

kevinwkt marked an inline comment as done.Jul 25 2018, 5:47 PM
kevinwkt added inline comments.
lib/fuzzer/FuzzerTracePC.cpp
91

We are supposed to look for the amount of New Unstable Edges.
The way we do this is check if has already been marked as unstable before.
This is also the reason UnstableCounters[UnstableIdx].IsUnstable = true happens after the check.

This bug is now fixed.

Dor1s accepted this revision.Jul 25 2018, 10:59 PM

LGTM

lib/fuzzer/FuzzerFlags.def
120

Frankly, I don't understand this explanation... The problem might be on my side though, let's see what Matt thinks.

morehouse added a comment.Jul 26 2018, 9:42 AM

So this is basically the ZeroUnstable mode with one less pass over the counters?

lib/fuzzer/FuzzerDriver.cpp
627

This cast looks odd since we're comparing int to enum without a cast right before this. Probably just do implicit cast.

lib/fuzzer/FuzzerFlags.def
120

This confuses me too.

lib/fuzzer/FuzzerOptions.h
23

Might be cleaner to do something like

enum class UnstableMode {
  Disabled = 0,
  Min = 1,
  Zero = 2,
  Poison = 3,
};
Dor1s added inline comments.Jul 26 2018, 9:58 AM
lib/fuzzer/FuzzerDriver.cpp
627

That's what I though initially, but surprisingly, implicit cast doesn't work in that direction, only from enum to an integer!

Dor1s added inline comments.Jul 26 2018, 10:00 AM
lib/fuzzer/FuzzerDriver.cpp
627
$ cat test.cpp 

enum Enum {
  One = 1,
  Two = 2
};

int main(int argc, char* argv[]) {
  Enum E = argc;
  return 0;
}


$ clang++ test.cpp 
test.cpp:8:8: error: cannot initialize a variable of type 'Enum' with an lvalue of type 'int'
  Enum E = argc;
       ^   ~~~~
1 error generated.
kevinwkt marked an inline comment as done.Jul 26 2018, 10:11 AM
In D49578#1176909, @morehouse wrote:

So this is basically the ZeroUnstable mode with one less pass over the counters?

"ZeroUnstable" puts 0 in unstable edges and pretends it was never hit.
"PoisonUnstable" takes into account new unstable edges only if a new stable edge is also found.
This comes from the assumption that unstable edges should be given weight as long as a new deterministic edge is found to reward that input.
We only take into account new unstable edges (and not any unstable edge hit), since we believe that this "reward" for reaching that edge has been given to other inputs.

Hope this makes it a bit clearer.

morehouse added a comment.Jul 26 2018, 10:17 AM

Won't the result be the same? This mode will add an input to the corpus as long as there's at least one new stable edge. But so will ZeroUnstable.

kevinwkt added a comment.Jul 26 2018, 10:33 AM
In D49578#1176986, @morehouse wrote:

Won't the result be the same? This mode will add an input to the corpus as long as there's at least one new stable edge. But so will ZeroUnstable.

I think the adding to corpus will be similar (it will certainly start out the same way) but because you collect features of these unstable edges while in "Zero" you do not, corpus addition will be different the longer you run this.

morehouse added a comment.Jul 26 2018, 10:43 AM

Right. The biggest differences I see are

  1. If a new input exercises an edge stably while a previous input exercised that edge unstably, ZeroUnstable will add the new input while PoisonUnstable may not.
  2. If an input sometimes exercises an edge twice and sometimes not at all, ZeroUnstable won't add that input while PoisonUnstable will. This is because we record additional features for inputs that hit the same edge multiple times, but PoisonUnstable only subtracts one of those features from the total.

Do we expect this to perform better in some scenarios?

kevinwkt added a comment.Jul 26 2018, 10:57 AM
In D49578#1177033, @morehouse wrote:

Right. The biggest differences I see are

  1. If a new input exercises an edge stably while a previous input exercised that edge unstably, ZeroUnstable will add the new input while PoisonUnstable may not.
  2. If an input sometimes exercises an edge twice and sometimes not at all, ZeroUnstable won't add that input while PoisonUnstable will. This is because we record additional features for inputs that hit the same edge multiple times, but PoisonUnstable only subtracts one of those features from the total.

Do we expect this to perform better in some scenarios?

This is a way to handle unstableness at a small extent, by accepting unstable edges at certain scenarios.
We believe that this "handles unstableness" compared to normal libfuzzer, but its not as extreme as ZeroUnstable.
Since this is slightly faster than ZeroUnstable and we use poison the unstable which we assume will cause less inputs to be added to the corpus in the long run, we think this might produce an interesting result.

morehouse added a comment.Jul 26 2018, 11:21 AM

We need to update the summary and flag description then to make it clear what this new mode does.

kevinwkt updated this revision to Diff 157566.EditedJul 26 2018, 1:40 PM
kevinwkt marked 7 inline comments as done.

ptal
Changed to strictly typed enum, and changed names within enum.
Changed description for FuzzerFlag.

morehouse added a comment.Jul 27 2018, 12:21 PM

The current flag description still doesn't tell the whole story.

If we detect a new input has unstable edges, we're adding the unstable edges to the corpus features even if we don't add the input itself. This means any time an edge is found to be unstable, we completely ignore that edge forever. Even if a later input exercises the edge stably, we will not consider that edge again.

Is this intentional, or a bug in the implementation?

lib/fuzzer/FuzzerLoop.cpp
496

These casts are quite awkward. Maybe we should just keep Options.HandleUnstable as an int.

lib/fuzzer/FuzzerOptions.h
23

I don't really like these Start and End values, especially since 0 should probably be Disabled.

Dor1s added inline comments.Jul 27 2018, 2:13 PM
lib/fuzzer/FuzzerLoop.cpp
496

I sort of insisted on not using an int in there, but final decision would yours :)

morehouse added inline comments.Jul 27 2018, 2:15 PM
lib/fuzzer/FuzzerLoop.cpp
496

Similar libFuzzer options all use int, so at least for consistency I think we should use an int.

I would prefer to get @kcc's opinion in a separate refactoring patch if you would like to switch from ints to enums.

Dor1s added inline comments.Jul 27 2018, 2:28 PM
lib/fuzzer/FuzzerLoop.cpp
496

Yeah... but there isn't any other option that selects different modes. All of them are either boolean flags, integer values, or a close_fd_mask thing. Either way, I hope we'll choose the best strategy and delete the others in the upcoming weeks, so this option will become a boolean flag after all.

metzman resigned from this revision.Aug 21 2018, 7:15 PM
morehouse resigned from this revision.Aug 22 2018, 9:13 AM

Revision Contents

Diff 157566

lib/fuzzer/FuzzerDriver.cpp

Show All 9 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "FuzzerCommand.h" #include "FuzzerCommand.h"
#include "FuzzerCorpus.h" #include "FuzzerCorpus.h"
#include "FuzzerIO.h" #include "FuzzerIO.h"
#include "FuzzerInterface.h" #include "FuzzerInterface.h"
#include "FuzzerInternal.h" #include "FuzzerInternal.h"
#include "FuzzerMutate.h" #include "FuzzerMutate.h"
#include "FuzzerOptions.h"
#include "FuzzerRandom.h" #include "FuzzerRandom.h"
#include "FuzzerShmem.h" #include "FuzzerShmem.h"
#include "FuzzerTracePC.h" #include "FuzzerTracePC.h"
#include <algorithm> #include <algorithm>
#include <atomic> #include <atomic>
#include <chrono> #include <chrono>
#include <cstdlib> #include <cstdlib>
#include <cstring> #include <cstring>
▲ Show 20 LinesShow All 588 Lines▼ Show 20 Lines Options.SaveArtifacts =
!DoPlainRun || Flags.minimize_crash_internal_step; !DoPlainRun || Flags.minimize_crash_internal_step;
Options.PrintNewCovPcs = Flags.print_pcs; Options.PrintNewCovPcs = Flags.print_pcs;
Options.PrintNewCovFuncs = Flags.print_funcs; Options.PrintNewCovFuncs = Flags.print_funcs;
Options.PrintFinalStats = Flags.print_final_stats; Options.PrintFinalStats = Flags.print_final_stats;
Options.PrintMutationStats = Flags.print_mutation_stats; Options.PrintMutationStats = Flags.print_mutation_stats;
Options.PrintCorpusStats = Flags.print_corpus_stats; Options.PrintCorpusStats = Flags.print_corpus_stats;
Options.PrintCoverage = Flags.print_coverage; Options.PrintCoverage = Flags.print_coverage;
Options.PrintUnstableStats = Flags.print_unstable_stats; Options.PrintUnstableStats = Flags.print_unstable_stats;
if (Flags.handle_unstable == TracePC::MinUnstable || if (Flags.handle_unstable > (int)UnstableMode::Start &&
Flags.handle_unstable == TracePC::ZeroUnstable) Flags.handle_unstable < (int)UnstableMode::End)
Options.HandleUnstable = Flags.handle_unstable; Options.HandleUnstable = static_cast<UnstableMode>(Flags.handle_unstable);
Options.DumpCoverage = Flags.dump_coverage; Options.DumpCoverage = Flags.dump_coverage;
if (Flags.exit_on_src_pos) if (Flags.exit_on_src_pos)
morehouseUnsubmitted
Done
ReplyInline Actions

This cast looks odd since we're comparing int to enum without a cast right before this. Probably just do implicit cast.

morehouse: This cast looks odd since we're comparing int to enum without a cast right before this.
Dor1sUnsubmitted
Done
ReplyInline Actions

That's what I though initially, but surprisingly, implicit cast doesn't work in that direction, only from enum to an integer!

Dor1s: That's what I though initially, but surprisingly, implicit cast doesn't work in that direction…
Dor1sUnsubmitted
Done
ReplyInline Actions
$ cat test.cpp 

enum Enum {
  One = 1,
  Two = 2
};

int main(int argc, char* argv[]) {
  Enum E = argc;
  return 0;
}


$ clang++ test.cpp 
test.cpp:8:8: error: cannot initialize a variable of type 'Enum' with an lvalue of type 'int'
  Enum E = argc;
       ^   ~~~~
1 error generated.
Dor1s: ``` $ cat test.cpp enum Enum { One = 1, Two = 2 }; int main(int argc, char* argv[]) {…
Options.ExitOnSrcPos = Flags.exit_on_src_pos; Options.ExitOnSrcPos = Flags.exit_on_src_pos;
if (Flags.exit_on_item) if (Flags.exit_on_item)
Options.ExitOnItem = Flags.exit_on_item; Options.ExitOnItem = Flags.exit_on_item;
if (Flags.focus_function) if (Flags.focus_function)
Options.FocusFunction = Flags.focus_function; Options.FocusFunction = Flags.focus_function;
if (Flags.data_flow_trace) if (Flags.data_flow_trace)
Options.DataFlowTrace = Flags.data_flow_trace; Options.DataFlowTrace = Flags.data_flow_trace;
▲ Show 20 LinesShow All 144 LinesShow Last 20 Lines

lib/fuzzer/FuzzerFlags.def

Show First 20 LinesShow All 110 Lines▼ Show 20 LinesFUZZER_FLAG_INT(dump_coverage, 0, "Deprecated."
" If 1, dump coverage information as a" " If 1, dump coverage information as a"
" .sancov file at exit.") " .sancov file at exit.")
FUZZER_FLAG_INT(handle_unstable, 0, "Experimental." FUZZER_FLAG_INT(handle_unstable, 0, "Experimental."
" Executes every input 3 times in total if a unique feature" " Executes every input 3 times in total if a unique feature"
" is found during the first execution." " is found during the first execution."
" If 1, we only use the minimum hit count from the 3 runs" " If 1, we only use the minimum hit count from the 3 runs"
" to determine whether an input is interesting." " to determine whether an input is interesting."
" If 2, we disregard edges that are found unstable for" " If 2, we disregard edges that are found unstable for"
" feature collection.") " feature collection."
" If 3, we collect features if a new stable edge is found."
Dor1sUnsubmitted
Done
ReplyInline Actions

Frankly, I don't understand this explanation... The problem might be on my side though, let's see what Matt thinks.

Dor1s: Frankly, I don't understand this explanation... The problem might be on my side though, let's…
morehouseUnsubmitted
Done
ReplyInline Actions

This confuses me too.

morehouse: This confuses me too.
" Unstable edges will only be taken into account if it is"
" found with a new stable edge.")
FUZZER_FLAG_INT(print_unstable_stats, 0, "Experimental." FUZZER_FLAG_INT(print_unstable_stats, 0, "Experimental."
" If 1, print unstable statistics at exit.") " If 1, print unstable statistics at exit.")
FUZZER_FLAG_INT(handle_segv, 1, "If 1, try to intercept SIGSEGV.") FUZZER_FLAG_INT(handle_segv, 1, "If 1, try to intercept SIGSEGV.")
FUZZER_FLAG_INT(handle_bus, 1, "If 1, try to intercept SIGBUS.") FUZZER_FLAG_INT(handle_bus, 1, "If 1, try to intercept SIGBUS.")
FUZZER_FLAG_INT(handle_abrt, 1, "If 1, try to intercept SIGABRT.") FUZZER_FLAG_INT(handle_abrt, 1, "If 1, try to intercept SIGABRT.")
FUZZER_FLAG_INT(handle_ill, 1, "If 1, try to intercept SIGILL.") FUZZER_FLAG_INT(handle_ill, 1, "If 1, try to intercept SIGILL.")
FUZZER_FLAG_INT(handle_fpe, 1, "If 1, try to intercept SIGFPE.") FUZZER_FLAG_INT(handle_fpe, 1, "If 1, try to intercept SIGFPE.")
FUZZER_FLAG_INT(handle_int, 1, "If 1, try to intercept SIGINT.") FUZZER_FLAG_INT(handle_int, 1, "If 1, try to intercept SIGINT.")
Show All 38 Lines

lib/fuzzer/FuzzerInternal.h

Show First 20 LinesShow All 61 Lines▼ Show 20 Linespublic:
static void StaticAlarmCallback(); static void StaticAlarmCallback();
static void StaticCrashSignalCallback(); static void StaticCrashSignalCallback();
static void StaticExitCallback(); static void StaticExitCallback();
static void StaticInterruptCallback(); static void StaticInterruptCallback();
static void StaticFileSizeExceedCallback(); static void StaticFileSizeExceedCallback();
static void StaticGracefulExitCallback(); static void StaticGracefulExitCallback();
void ExecuteCallback(const uint8_t *Data, size_t Size); void ExecuteCallback(const uint8_t *Data, size_t Size);
void CheckForUnstableCounters(const uint8_t *Data, size_t Size); size_t CheckForUnstableCounters(const uint8_t *Data, size_t Size);
Dor1sUnsubmitted
Done
ReplyInline Actions

I'm not a bit fan of using int type where values actually cannot be negative. IMO size_t is de facto standard type for unsigned values when you don't need a certain precision (e.g. uint32_t). Also, when unsure, always check the code around the project, e.g. https://github.com/llvm-mirror/compiler-rt/blob/master/lib/fuzzer/FuzzerCorpus.h#L28 uses size_t for features as well as execPerSec or getTotalNumberOfRuns a few lines above use size_t for another numerical value that cannot be negative. So, please use size_ instead of int here and in UpdateUnstableCounters.

Dor1s: I'm not a bit fan of using `int` type where values actually cannot be negative. IMO `size_t` is…
bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false, bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false,
InputInfo *II = nullptr, bool *FoundUniqFeatures = nullptr); InputInfo *II = nullptr, bool *FoundUniqFeatures = nullptr);
// Merge Corpora[1:] into Corpora[0]. // Merge Corpora[1:] into Corpora[0].
void Merge(const Vector<std::string> &Corpora); void Merge(const Vector<std::string> &Corpora);
void CrashResistantMerge(const Vector<std::string> &Args, void CrashResistantMerge(const Vector<std::string> &Args,
const Vector<std::string> &Corpora, const Vector<std::string> &Corpora,
const char *CoverageSummaryInputPathOrNull, const char *CoverageSummaryInputPathOrNull,
▲ Show 20 LinesShow All 101 LinesShow Last 20 Lines

lib/fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 443 Lines▼ Show 20 Linesvoid Fuzzer::PrintPulseAndReportSlowInput(const uint8_t *Data, size_t Size) {
if (TimeOfUnit > TimeOfLongestUnitInSeconds * 1.1 && if (TimeOfUnit > TimeOfLongestUnitInSeconds * 1.1 &&
TimeOfUnit >= Options.ReportSlowUnits) { TimeOfUnit >= Options.ReportSlowUnits) {
TimeOfLongestUnitInSeconds = TimeOfUnit; TimeOfLongestUnitInSeconds = TimeOfUnit;
Printf("Slowest unit: %zd s:\n", TimeOfLongestUnitInSeconds); Printf("Slowest unit: %zd s:\n", TimeOfLongestUnitInSeconds);
WriteUnitToFileWithPrefix({Data, Data + Size}, "slow-unit-"); WriteUnitToFileWithPrefix({Data, Data + Size}, "slow-unit-");
} }
} }
void Fuzzer::CheckForUnstableCounters(const uint8_t *Data, size_t Size) { size_t Fuzzer::CheckForUnstableCounters(const uint8_t *Data, size_t Size) {
auto CBSetupAndRun = [&]() { auto CBSetupAndRun = [&]() {
ScopedEnableMsanInterceptorChecks S; ScopedEnableMsanInterceptorChecks S;
UnitStartTime = system_clock::now(); UnitStartTime = system_clock::now();
TPC.ResetMaps(); TPC.ResetMaps();
RunningUserCallback = true; RunningUserCallback = true;
CB(Data, Size); CB(Data, Size);
RunningUserCallback = false; RunningUserCallback = false;
UnitStopTime = system_clock::now(); UnitStopTime = system_clock::now();
}; };
// Copy original run counters into our unstable counters // Copy original run counters into our unstable counters
Dor1sUnsubmitted
Done
ReplyInline Actions

no need to declare this variable here, move it to line 470, e.g. int NumNewUnstableEdges = ....

Dor1s: no need to declare this variable here, move it to line 470, e.g. `int NumNewUnstableEdges = ...
TPC.InitializeUnstableCounters(); TPC.InitializeUnstableCounters();
// First Rerun // First Rerun
CBSetupAndRun(); CBSetupAndRun();
size_t NumNewUnstableEdges =
TPC.UpdateUnstableCounters(Options.HandleUnstable); TPC.UpdateUnstableCounters(Options.HandleUnstable);
// Second Rerun // Second Rerun
CBSetupAndRun(); CBSetupAndRun();
TPC.UpdateUnstableCounters(Options.HandleUnstable); NumNewUnstableEdges += TPC.UpdateUnstableCounters(Options.HandleUnstable);
// Move minimum hit counts back to ModuleInline8bitCounters // Move minimum hit counts back to ModuleInline8bitCounters
if (Options.HandleUnstable == TracePC::MinUnstable || if (Options.HandleUnstable == UnstableMode::Min ||
Options.HandleUnstable == TracePC::ZeroUnstable) Options.HandleUnstable == UnstableMode::Zero)
TPC.ApplyUnstableCounters(); TPC.ApplyUnstableCounters();
return NumNewUnstableEdges;
} }
bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile, bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile,
InputInfo *II, bool *FoundUniqFeatures) { InputInfo *II, bool *FoundUniqFeatures) {
if (!Size) if (!Size)
return false; return false;
ExecuteCallback(Data, Size); ExecuteCallback(Data, Size);
UniqFeatureSetTmp.clear(); UniqFeatureSetTmp.clear();
size_t FoundUniqFeaturesOfII = 0; size_t FoundUniqFeaturesOfII = 0;
size_t NumUpdatesBefore = Corpus.NumFeatureUpdates(); size_t NumUpdatesBefore = Corpus.NumFeatureUpdates();
bool NewFeaturesUnstable = false; bool NewFeaturesUnstable = false;
size_t NumNewUnstableEdges = 0;
if (Options.HandleUnstable || Options.PrintUnstableStats) { if ((int)Options.HandleUnstable || Options.PrintUnstableStats) {
morehouseUnsubmitted
Not Done
ReplyInline Actions

These casts are quite awkward. Maybe we should just keep Options.HandleUnstable as an int.

morehouse: These casts are quite awkward. Maybe we should just keep `Options.HandleUnstable` as an int.
Dor1sUnsubmitted
Not Done
ReplyInline Actions

I sort of insisted on not using an int in there, but final decision would yours :)

Dor1s: I sort of insisted on not using an int in there, but final decision would yours :)
morehouseUnsubmitted
Not Done
ReplyInline Actions

Similar libFuzzer options all use int, so at least for consistency I think we should use an int.

I would prefer to get @kcc's opinion in a separate refactoring patch if you would like to switch from ints to enums.

morehouse: Similar libFuzzer options all use int, so at least for consistency I think we should use an int.
Dor1sUnsubmitted
Not Done
ReplyInline Actions

Yeah... but there isn't any other option that selects different modes. All of them are either boolean flags, integer values, or a close_fd_mask thing. Either way, I hope we'll choose the best strategy and delete the others in the upcoming weeks, so this option will become a boolean flag after all.

Dor1s: Yeah... but there isn't any other option that selects different modes. All of them are either…
TPC.CollectFeatures([&](size_t Feature) { TPC.CollectFeatures([&](size_t Feature) {
if (Corpus.IsFeatureNew(Feature, Size, Options.Shrink)) if (Corpus.IsFeatureNew(Feature, Size, Options.Shrink))
NewFeaturesUnstable = true; NewFeaturesUnstable = true;
}); });
if (NewFeaturesUnstable) if (NewFeaturesUnstable)
metzmanUnsubmitted
Done
ReplyInline Actions

Please don't make multi-line if-bodies without curly braces

metzman: Please don't make multi-line `if`-bodies without curly braces
CheckForUnstableCounters(Data, Size); NumNewUnstableEdges = CheckForUnstableCounters(Data, Size);
} }
TPC.CollectFeatures([&](size_t Feature) { TPC.CollectFeatures([&](size_t Feature) {
if (Corpus.AddFeature(Feature, Size, Options.Shrink)) if (Corpus.AddFeature(Feature, Size, Options.Shrink))
UniqFeatureSetTmp.push_back(Feature); UniqFeatureSetTmp.push_back(Feature);
if (Options.ReduceInputs && II) if (Options.ReduceInputs && II)
if (std::binary_search(II->UniqFeatureSet.begin(), if (std::binary_search(II->UniqFeatureSet.begin(),
II->UniqFeatureSet.end(), Feature)) II->UniqFeatureSet.end(), Feature))
FoundUniqFeaturesOfII++; FoundUniqFeaturesOfII++;
}); });
if (FoundUniqFeatures) if (FoundUniqFeatures)
*FoundUniqFeatures = FoundUniqFeaturesOfII; *FoundUniqFeatures = FoundUniqFeaturesOfII;
PrintPulseAndReportSlowInput(Data, Size); PrintPulseAndReportSlowInput(Data, Size);
size_t NumNewFeatures = Corpus.NumFeatureUpdates() - NumUpdatesBefore; size_t NumNewFeatures = Corpus.NumFeatureUpdates() - NumUpdatesBefore;
Dor1sUnsubmitted
Done
ReplyInline Actions

This place is also a good hint regarding which type you should use.

Dor1s: This place is also a good hint regarding which type you should use.
if (Options.HandleUnstable == UnstableMode::Poison) {
assert(NumNewFeatures >= NumNewUnstableEdges);
NumNewFeatures -= NumNewUnstableEdges;
}
if (NumNewFeatures) { if (NumNewFeatures) {
TPC.UpdateObservedPCs(); TPC.UpdateObservedPCs();
Corpus.AddToCorpus({Data, Data + Size}, NumNewFeatures, MayDeleteFile, Corpus.AddToCorpus({Data, Data + Size}, NumNewFeatures, MayDeleteFile,
TPC.ObservedFocusFunction(), UniqFeatureSetTmp, DFT, II); TPC.ObservedFocusFunction(), UniqFeatureSetTmp, DFT, II);
return true; return true;
} }
if (II && FoundUniqFeaturesOfII && if (II && FoundUniqFeaturesOfII &&
II->DataFlowTraceForFocusFunction.empty() && II->DataFlowTraceForFocusFunction.empty() &&
▲ Show 20 LinesShow All 388 LinesShow Last 20 Lines

lib/fuzzer/FuzzerOptions.h

Show All 9 Lines
#ifndef LLVM_FUZZER_OPTIONS_H #ifndef LLVM_FUZZER_OPTIONS_H
#define LLVM_FUZZER_OPTIONS_H #define LLVM_FUZZER_OPTIONS_H
#include "FuzzerDefs.h" #include "FuzzerDefs.h"
namespace fuzzer { namespace fuzzer {
enum class UnstableMode {
Start = 0,
Min = 1,
Zero = 2,
Poison = 3,
End = 4,
morehouseUnsubmitted
Done
ReplyInline Actions

Might be cleaner to do something like

enum class UnstableMode {
  Disabled = 0,
  Min = 1,
  Zero = 2,
  Poison = 3,
};
morehouse: Might be cleaner to do something like ``` enum class UnstableMode { Disabled = 0, Min = 1…
morehouseUnsubmitted
Not Done
ReplyInline Actions

I don't really like these Start and End values, especially since 0 should probably be Disabled.

morehouse: I don't really like these `Start` and `End` values, especially since 0 should probably be…
};
struct FuzzingOptions { struct FuzzingOptions {
int Verbosity = 1; int Verbosity = 1;
size_t MaxLen = 0; size_t MaxLen = 0;
size_t LenControl = 1000; size_t LenControl = 1000;
int UnitTimeoutSec = 300; int UnitTimeoutSec = 300;
int TimeoutExitCode = 77; int TimeoutExitCode = 77;
int ErrorExitCode = 77; int ErrorExitCode = 77;
int MaxTotalTimeSec = 0; int MaxTotalTimeSec = 0;
Show All 25 Linesstruct FuzzingOptions {
bool PrintNEW = true; // Print a status line when new units are found; bool PrintNEW = true; // Print a status line when new units are found;
bool PrintNewCovPcs = false; bool PrintNewCovPcs = false;
int PrintNewCovFuncs = 0; int PrintNewCovFuncs = 0;
bool PrintFinalStats = false; bool PrintFinalStats = false;
bool PrintMutationStats = false; bool PrintMutationStats = false;
bool PrintCorpusStats = false; bool PrintCorpusStats = false;
bool PrintCoverage = false; bool PrintCoverage = false;
bool PrintUnstableStats = false; bool PrintUnstableStats = false;
int HandleUnstable = 0; UnstableMode HandleUnstable = UnstableMode::Start;
bool DumpCoverage = false; bool DumpCoverage = false;
bool DetectLeaks = true; bool DetectLeaks = true;
int PurgeAllocatorIntervalSec = 1; int PurgeAllocatorIntervalSec = 1;
int TraceMalloc = 0; int TraceMalloc = 0;
bool HandleAbrt = false; bool HandleAbrt = false;
bool HandleBus = false; bool HandleBus = false;
bool HandleFpe = false; bool HandleFpe = false;
bool HandleIll = false; bool HandleIll = false;
Show All 11 Lines

lib/fuzzer/FuzzerTracePC.h

//===- FuzzerTracePC.h - Internal header for the Fuzzer ---------*- C++ -* ===// //===- FuzzerTracePC.h - Internal header for the Fuzzer ---------*- C++ -* ===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// fuzzer::TracePC // fuzzer::TracePC
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef LLVM_FUZZER_TRACE_PC #ifndef LLVM_FUZZER_TRACE_PC
#define LLVM_FUZZER_TRACE_PC #define LLVM_FUZZER_TRACE_PC
#include "FuzzerDefs.h" #include "FuzzerDefs.h"
#include "FuzzerDictionary.h" #include "FuzzerDictionary.h"
#include "FuzzerOptions.h"
#include "FuzzerValueBitMap.h" #include "FuzzerValueBitMap.h"
#include <set> #include <set>
#include <unordered_map> #include <unordered_map>
namespace fuzzer { namespace fuzzer {
// TableOfRecentCompares (TORC) remembers the most recently performed // TableOfRecentCompares (TORC) remembers the most recently performed
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Linesstruct MemMemTable {
} }
}; };
class TracePC { class TracePC {
public: public:
static const size_t kNumPCs = 1 << 21; static const size_t kNumPCs = 1 << 21;
// How many bits of PC are used from __sanitizer_cov_trace_pc. // How many bits of PC are used from __sanitizer_cov_trace_pc.
static const size_t kTracePcBits = 18; static const size_t kTracePcBits = 18;
enum HandleUnstableOptions {
MinUnstable = 1,
ZeroUnstable = 2,
};
void HandleInit(uint32_t *Start, uint32_t *Stop); void HandleInit(uint32_t *Start, uint32_t *Stop);
Dor1sUnsubmitted
Done
ReplyInline Actions

Looks like both FuzzerLoop and FuzzerDriver include FuzzerTracePC.h, so you can move this type definition outside of TracePC class and use it in functions accepting UnstableMode instead of int type.

Dor1s: Looks like both FuzzerLoop and FuzzerDriver include FuzzerTracePC.h, so you can move this type…
void HandleInline8bitCountersInit(uint8_t *Start, uint8_t *Stop); void HandleInline8bitCountersInit(uint8_t *Start, uint8_t *Stop);
void HandlePCsInit(const uintptr_t *Start, const uintptr_t *Stop); void HandlePCsInit(const uintptr_t *Start, const uintptr_t *Stop);
void HandleCallerCallee(uintptr_t Caller, uintptr_t Callee); void HandleCallerCallee(uintptr_t Caller, uintptr_t Callee);
template <class T> void HandleCmp(uintptr_t PC, T Arg1, T Arg2); template <class T> void HandleCmp(uintptr_t PC, T Arg1, T Arg2);
size_t GetTotalPCCoverage(); size_t GetTotalPCCoverage();
void SetUseCounters(bool UC) { UseCounters = UC; } void SetUseCounters(bool UC) { UseCounters = UC; }
void SetUseValueProfileMask(uint32_t VPMask) { UseValueProfileMask = VPMask; } void SetUseValueProfileMask(uint32_t VPMask) { UseValueProfileMask = VPMask; }
void SetPrintNewPCs(bool P) { DoPrintNewPCs = P; } void SetPrintNewPCs(bool P) { DoPrintNewPCs = P; }
▲ Show 20 LinesShow All 47 Lines▼ Show 20 Lines void ForEachObservedPC(CallBack CB) {
for (auto PC : ObservedPCs) for (auto PC : ObservedPCs)
CB(PC); CB(PC);
} }
void SetFocusFunction(const std::string &FuncName); void SetFocusFunction(const std::string &FuncName);
bool ObservedFocusFunction(); bool ObservedFocusFunction();
void InitializeUnstableCounters(); void InitializeUnstableCounters();
void UpdateUnstableCounters(int UnstableMode); size_t UpdateUnstableCounters(UnstableMode Mode);
void ApplyUnstableCounters(); void ApplyUnstableCounters();
private: private:
struct UnstableEdge { struct UnstableEdge {
uint8_t Counter; uint8_t Counter;
bool IsUnstable; bool IsUnstable;
}; };
▲ Show 20 LinesShow All 156 LinesShow Last 20 Lines

lib/fuzzer/FuzzerTracePC.cpp

Show First 20 LinesShow All 75 Lines▼ Show 20 Lines
void TracePC::InitializeUnstableCounters() { void TracePC::InitializeUnstableCounters() {
IterateInline8bitCounters([&](int i, int j, int UnstableIdx) { IterateInline8bitCounters([&](int i, int j, int UnstableIdx) {
UnstableCounters[UnstableIdx].Counter = ModuleCounters[i].Start[j]; UnstableCounters[UnstableIdx].Counter = ModuleCounters[i].Start[j];
}); });
} }
// Compares the current counters with counters from previous runs // Compares the current counters with counters from previous runs
// and records differences as unstable edges. // and records differences as unstable edges.
void TracePC::UpdateUnstableCounters(int UnstableMode) { size_t TracePC::UpdateUnstableCounters(UnstableMode Mode) {
size_t NumNewUnstableEdges = 0;
IterateInline8bitCounters([&](int i, int j, int UnstableIdx) { IterateInline8bitCounters([&](int i, int j, int UnstableIdx) {
if (ModuleCounters[i].Start[j] != UnstableCounters[UnstableIdx].Counter) { if (ModuleCounters[i].Start[j] == UnstableCounters[UnstableIdx].Counter)
Dor1sUnsubmitted
Done
ReplyInline Actions

let's make this condition the first one, so it would fit 2 lines, and then else if (UnstableMode == ZeroUnstable) case

Dor1s: let's make this condition the first one, so it would fit 2 lines, and then `else if…
Dor1sUnsubmitted
Done
ReplyInline Actions

I think we can invert the condition and do return when it's true, just to decrease the indentation of the lines 88-95. Did Matt not accept that style in one of the past reviews?

Dor1s: I think we can invert the condition and do `return` when it's true, just to decrease the…
return;
if (!UnstableCounters[UnstableIdx].IsUnstable)
NumNewUnstableEdges++;
UnstableCounters[UnstableIdx].IsUnstable = true; UnstableCounters[UnstableIdx].IsUnstable = true;
Dor1sUnsubmitted
Done
ReplyInline Actions

Can you move this to line 89 please, and then have switch (UnstableMode) ? That way it would be slightly more readable and straightforward.

Dor1s: Can you move this to line 89 please, and then have `switch (UnstableMode)` ? That way it would…
kevinwktAuthorUnsubmitted
Done
ReplyInline Actions

We are supposed to look for the amount of New Unstable Edges.
The way we do this is check if has already been marked as unstable before.
This is also the reason UnstableCounters[UnstableIdx].IsUnstable = true happens after the check.

This bug is now fixed.

kevinwkt: We are supposed to look for the amount of New Unstable Edges. The way we do this is check if…
if (UnstableMode == ZeroUnstable) if (Mode == UnstableMode::Zero)
UnstableCounters[UnstableIdx].Counter = 0; UnstableCounters[UnstableIdx].Counter = 0;
else if (UnstableMode == MinUnstable) else if (Mode == UnstableMode::Min)
UnstableCounters[UnstableIdx].Counter = std::min( UnstableCounters[UnstableIdx].Counter = std::min(
ModuleCounters[i].Start[j], UnstableCounters[UnstableIdx].Counter); ModuleCounters[i].Start[j], UnstableCounters[UnstableIdx].Counter);
}
}); });
return NumNewUnstableEdges;
} }
// Moves the minimum hit counts to ModuleCounters. // Moves the minimum hit counts to ModuleCounters.
void TracePC::ApplyUnstableCounters() { void TracePC::ApplyUnstableCounters() {
IterateInline8bitCounters([&](int i, int j, int UnstableIdx) { IterateInline8bitCounters([&](int i, int j, int UnstableIdx) {
ModuleCounters[i].Start[j] = UnstableCounters[UnstableIdx].Counter; ModuleCounters[i].Start[j] = UnstableCounters[UnstableIdx].Counter;
}); });
} }
▲ Show 20 LinesShow All 580 LinesShow Last 20 Lines

test/fuzzer/HandleUnstableTest.cpp

  • This file was added.
#include <assert.h>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
int x = 0;
int c = 0;
bool skip0 = false;
bool skip1 = false;
bool skip2 = false;
__attribute__((noinline)) void det0() { x++; }
__attribute__((noinline)) void det1() { x++; }
__attribute__((noinline)) void det2() { x++; }
__attribute__((noinline)) void ini0() { x++; }
__attribute__((noinline)) void ini1() { x++; }
__attribute__((noinline)) void ini2() { x++; }
__attribute__((noinline)) void t0() { x++; }
__attribute__((noinline)) void t1() { x++; }
__attribute__((noinline)) void t2() { x++; }
__attribute__((noinline)) void poison0() { x++; }
__attribute__((noinline)) void poison1() { x++; }
__attribute__((noinline)) void poison2() { x++; }
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size == 1 && Data[0] == 'A' && !skip0) {
skip0 = true;
ini0();
}
if (Size == 1 && Data[0] == 'B' && !skip1) {
skip1 = true;
ini1();
}
if (Size == 1 && Data[0] == 'C' && !skip2) {
skip2 = true;
ini2();
}
det0();
det1();
det2();
// c < 1000 on purpose so that when it enters the else condition, t0() gets
// collected since we detect new stable edge poison0().
Dor1sUnsubmitted
Done
ReplyInline Actions

Why we have 1000 here? Wouldn't things become deterministic after that?

Dor1s: Why we have 1000 here? Wouldn't things become deterministic after that?
if (c < 1000) {
switch (c % 3) {
case 0:
t0();
poison0();
Dor1sUnsubmitted
Done
ReplyInline Actions

is it left from local debugging or you want to have this in the test?

Dor1s: is it left from local debugging or you want to have this in the test?
break;
case 1:
t1();
poison1();
break;
case 2:
t2();
poison2();
break;
default:
assert(false);
}
} else {
poison0();
poison1();
poison2();
}
c++;
return 0;
}

test/fuzzer/handle-unstable.test

# Tests -handle_unstable # Tests -handle_unstable
UNSUPPORTED: aarch64 UNSUPPORTED: aarch64
RUN: %cpp_compiler %S/PrintUnstableStatsTest.cpp -o %t-HandleUnstableTest RUN: %cpp_compiler %S/HandleUnstableTest.cpp -o %t-HandleUnstableTest
; Normal ; Normal
RUN: %run %t-HandleUnstableTest -print_coverage=1 -runs=100000 2>&1 | FileCheck %s --check-prefix=NORMAL RUN: %run %t-HandleUnstableTest -print_coverage=1 -runs=100000 2>&1 | FileCheck %s --check-prefix=NORMAL
NORMAL-DAG: det0() NORMAL-DAG: det0()
NORMAL-DAG: det1() NORMAL-DAG: det1()
NORMAL-DAG: det2() NORMAL-DAG: det2()
NORMAL-DAG: det3()
NORMAL-DAG: det4()
NORMAL-DAG: ini0() NORMAL-DAG: ini0()
NORMAL-DAG: ini1() NORMAL-DAG: ini1()
NORMAL-DAG: ini2() NORMAL-DAG: ini2()
NORMAL-DAG: t0() NORMAL-DAG: t0()
NORMAL-DAG: t1() NORMAL-DAG: t1()
NORMAL-DAG: t2() NORMAL-DAG: t2()
NORMAL-DAG: t3()
NORMAL-DAG: t4()
; MinUnstable ; MinUnstable
RUN: %run %t-HandleUnstableTest -print_coverage=1 -handle_unstable=1 -runs=100000 2>&1 | FileCheck %s --check-prefix=MIN run: %run %t-handleunstabletest -print_coverage=1 -handle_unstable=1 -runs=100000 2>&1 | filecheck %s --check-prefix=min
MIN-NOT: ini0()
MIN-NOT: ini1()
MIN-NOT: ini2()
MIN: det0() MIN: det0()
MIN: det1() MIN: det1()
MIN: det2() MIN: det2()
MIN: det3() MIN: poison0()
MIN: det4() MIN: poison1()
MIN: poison2()
MIN-NOT: ini0()
MIN-NOT: ini1()
MIN-NOT: ini2()
MIN-NOT: t0()
MIN-NOT: t1()
MIN-NOT: t2()
Dor1sUnsubmitted
Done
ReplyInline Actions

please fix the casing here and on line 33 to be consistent with line 48

Dor1s: please fix the casing here and on line 33 to be consistent with line 48
; ZeroUnstable ; ZeroUnstable
RUN: %run %t-HandleUnstableTest -print_coverage=1 -handle_unstable=2 -runs=1 2>&1 | FileCheck %s --check-prefix=ZERO run: %run %t-handleunstabletest -print_coverage=1 -handle_unstable=2 -runs=100000 2>&1 | filecheck %s --check-prefix=zero
ZERO-NOT: ini0()
ZERO-NOT: ini1()
ZERO-NOT: ini2()
ZERO: det0() ZERO: det0()
ZERO: det1() ZERO: det1()
ZERO: det2() ZERO: det2()
ZERO: det3() ZERO: poison0()
ZERO: det4() ZERO: poison1()
ZERO: poison2()
ZERO-NOT: ini0()
ZERO-NOT: ini1()
ZERO-NOT: ini2()
ZERO-NOT: t0()
ZERO-NOT: t1()
ZERO-NOT: t2()
; PoisonUnstable
RUN: %run %t-HandleUnstableTest -print_coverage=1 -handle_unstable=3 -runs=100000 2>&1 | FileCheck %s --check-prefix=POISON
POISON: det0()
POISON: det1()
POISON: det2()
; t0 is triggered because last iteration hits poison0() and it's next iterations always hit poison0() causing the input to collect t0() as well.
POISON: t0()
POISON: poison0()
POISON: poison1()
POISON: poison2()
POISON-NOT: {{\b}}t1()
POISON-NOT: {{\b}}t2()
POISON-NOT: ini0()
POISON-NOT: ini1()
POISON-NOT: ini2()