Please put some kind of explanation here.

Is this assertion useful?

Let's not use magic numbers. Please use a constant instead of 10,000.

Better not to clobber the original mutator. I would do:

if (UseMutationWeights)
  ...
else
  ...

instead of what we have here.

I think this should be SetMutationStats since it sets something rather than returns something.
I would also add a comment explaining what this method does since it changes the vector it accepts.

Although we use percentages in when printing stats, I'm not sure we need to do it here (and in other parts of this CL), since the only other thing that will see this number is your own code.

nit: Please add a period to the end of this comment and all others that are missing one.

I don't think I like the fact that 1 is the default weight. But maybe I misunderstand what its implications are.

I think because 1 is the default weight, a totally useless mutation would be weighted higher than a mutation that is useful less than 1/1000 times.

Less importantly:

Let's use a constant instead of 1 a magic number.

Also, I think it would be better if the body of this if were on its own line (for consistency with the else) but clang-format agrees with you.
I don't think you should change this unless matt or kcc says to.

I think the placement of this comment is awkward. Maybe put on the same line as else.

I'm somewhat unsure why we divide by SumOfStats, can you explain this to me please?

Think this loop can be eliminated and that SumOfWeights can be calculated in the previous loop.
Actually, won't it always be 1000?

Helpful comment! I think it can be improved in 2 ways:

1. Move it outside the function.
2. Change the order so that it says the main purpose first and then says what happens to lowest weighted mutations.

I don't think this line does what you want. Did you have any warnings compiling your code?

RandomMark and MutationWeights are both unsigned values so RandomMark - MutationWeights[i] will never be less than 0.
I think comparing them directly will work better than subtracting them (which I think is harder to understand).

Is the purpose of this to ensure that we return an index on the last iteration?
I need to think about this technique more but I am not sure it is fair (ie: things with equal weight have equal chance of being picked).

I would add an assert(false) so that it is obvious if it does happen.

IMO the word "Records" is better than "Gets" which implies something returned.
I also think this sentence is easier to understand with a comma after "coverage"

super nit: I think the language here can be slightly improved. Maybe this instead:

// Used to weight mutations based on usefulness.

I don't think MutationWeights should store size_t since it isn't really storing sizes.
This size_t seems to have infected a lot of other code in this CL so removing it will be nice.

I don't find it great to use UseMutationWeights to special case the case when we haven't assigned any weights yet.
It would be cleaner if GetMutationStats and AssignMutationWeights were called before any mutations happened, so that we don't need to special case but everything works as if we did.

How long does it take to do 100k runs? Does this UnitTest take long?

Also, what behavior does this test verify? The only thing I can tell is that weighted mutations doesn't crash anything.
I think it would be nice to have a test of something more substantial if possible.

I'm also unsure what three decimal places this comment is referring to. We don't round anywhere here do we?

Actually I think it is fair. But let's have a comment explaining how this technique works.

please format the line to be consistent with style of the rest of the file

why not static?

I think it may have a better name, maybe something like kUpdateMutationWeightRuns

Check the bool flag first, then check number of runs

Do we use this anywhere outside of MutationDispatcher::AssignMutationWeights? Looks like we don't, please use a local variable inside the function for that.

This won't use Mutate_CustomCrossOver, will it? We should probably use Mutators.size() here and debug what was the root cause of the test that was failing for you.

Mismatch with line 69

+1

That's not good, we should not loop through the array and implement our own weighted random selector, there are STL classes for that. See how corpus distribution is implemented, for an example: https://github.com/llvm-mirror/compiler-rt/blob/master/lib/fuzzer/FuzzerCorpus.h#L294

I think you can try std::discrete_distribution instead, it looks sufficient for our purpose.

+1

Please make this comment say explicitly that it modifies the argument it is passed.

Since this isn't a percentage anymore, the name UsefulPercentage needs to be updated.
Some general advice: After making suggested changes in a code review, you should go back through your code to see if it still makes sense, and then update it where the suggested changes have amde it necessary to do so.
Also, the parentheses don't do anything here.

SumOfStats can be calculated in the loop in SetMutationStats right?

How about instead of having a default usefulness stat of 0 and a default MutationWeight of 1 we just use 1/(100 * 1000) as the default stat.

Please leave a comment explaining why we are adding kDefaultMutationWeight here.
Also, since this else body is multiple lines, please put curly braces around it.
Another thing: let's use a const instead of magic number 1000.
Some general advice about code reviews: If a reviewer comments that a change should be made, you should go through your code and see if that same change needs to be made elsewhere.

nit: inner parentheses not actually needed.

Doesn't it always end up as 1000 (now 1000+Mutators.size()*kDefaultMutationWeight) at the end of the loop?

Also, if a reviewer leaves a question/comment that looks like it needs a response, (ie: not a request to change something) please reply to it instead of marking it Done.
It's impossible to properly review code if the author is unresponsive.
Even if the question was discussed offline (in this particular case it wasn't), it is good to summarized the answer when for reviewers who weren't in the offline conversation.
Do this for every question I have asked in this review.

Does this need to return a size_t?
Also, was this inspired by https://stackoverflow.com/a/1761646 ?

This comment is phrased somewhat differently from the others, maybe phrase it like so:
Returns the Index of a mutation...

Oversight on my end, not sure how I missed this so many times reading it. Stats should be cleared before these push_back instructions are executed.

It was suggested that SumOfStats be declared locally in AssignMutationWeights.

I feel like that works, it's close enough to zero to show basically minimal usefulness but isn't actually zero so it eliminates the case of me setting the default weight to 1.

We don't round anything, just when printing but even then that's just the format specifier rounding.

I divide by SumOfStats in order to normalize the numbers, since the usefulness percentages are ratios of themselves and not a total, the only way to determine which one is better than the other is by finding how much of the total usefulness each mutation accounts for.

Using discrete_distribution, I no longer need the SumOfWeights. And will do.

I had the original thought to decrement each mutation stat until it got to zero (we had discussed it in person). Then I realized it would not work in a case where the number of runs was not specified, so I got to searching and someone had the same problem I had (https://medium.com/@peterkellyonline/weighted-random-selection-3ff222917eb6). Inspired by this Medium post.

In MutateImpl, by default it uses Rand(Mutators.size()) to choose a Mutator index and Rand returns a size_t, hence my choice to also return size_t.

Please add a comment to explain the significance of 100 and 1000 (frankly i don't know what the purpose is of either since we don't actually round anything).

I like that you went to fix something based on comments you saw in on the review even if they weren't explicit.
But in general it's better not to refactor unrelated code in a CL. I'll accept it though.
This assignment statement is starting to look pretty bad, please make use a regular if else instead of ternary.

Repeating my previous comment:

why not static?

+1, what is it for?

nit: end the comment with a period

How will this work during first 10000 runs? Do we have a uniform distribution by default?

nit: "Returns" -> "Prints" or "Outputs"

It would be much safer to use Stats.size() here instead of Mutators.size() since you're using i to access elements in Stats, not in Mutators.

Move Printf call to the next line please. Also, this stat::... syntax is used for final stats. If we decide to print something during runtime, we should probably follow the style of the other log messages.

Again, overcomplication. We should start with some initial weights, and later on only overwrite those.

+1

Actually, that seems to be unnecessary complicated. Initially, we should have some default values in Stats. Probably zero, since none of the stats have been useful at that point. Later on, we should be able to overwrite default Stats value with a new one. That's it, there is no way we'll have to put the default value back.

Also, I don't find it good to check whether TotalCount is 0 or not on every run. Let's just initialize it with 1 in the very beginning, so it will never be 0 and it always will be safe to use that value as a divisor.

I don't understand why we need + kDefaultMutationWeight, as well as why we multiply the value by 1000.

This code is duplicated in MutationDispatcher::PrintMutationStats, can you please have it in a one place and call it from different places as needed.

I'd ask you to move SumOfStats += Stat; to the next line just to follow the style, but actually you should use std::accumulate instead of manual looping through the values.

It would be very inefficient to create a new random generator every time when we need to select an index. There is Random Rand(Seed); declared in the FuzzerDriver and I believe all the other code is using it, please use it as well.

Also, it's not the first time it looks like you've just copied the code from somewhere without even changing variable names to follow project's style. I guess, https://en.cppreference.com/w/cpp/numeric/random/discrete_distribution this time.

Also, please don't forget to run clang format before uploading a CL.

This is an overkill, we never change sizes of Mutators and MutationWeights from the very beginning of the fuzzing. If you want to assert that their sizes are equal, somewhere after FuzzerMutate.cpp:68 would be the best place, but that wouldn't make any sense since you've just called resize there. Just remove the assert and return SelectIndex(gen).

It is just there to represent a usefulness ratio that is near to but not entirely useless. So that it still gets weight instead of calculating to 0.

AssignMutationWeights is called initially and sets all the mutation weights to the default, therefore they would be all be weighted the same and have the same probability before 10k runs.

I add the default to ensure that mutations that are any amount more useful than the default get weighted higher in the distribution. No longer multiplying by 1000.

Real: 0m 0.157s
User: 0m 0.036s
Sys: 0m 0.076s

Can you leave a comment here about why we are starting with a UsefulCount and a TotalCount of 1?

Why do ChangeASCIIInt and ChangeBinInt start with a UsefulCount of 0 when everything else starts with 1?

I don't think we need to multiply by 1.0, right? I don't think it (or the parentheses) does anything, please remove them if I am correct.

Kode, I don't think this is what Max meant. I believe that here you need to use the rand obtained by calling GetRand.
It's possible, though unlikely, that not doing this was causing the test flakiness you were seeing before.
I would run the previously flaky test in a loop and ensure that the tests pass every time, since if there is any flake we don't know about, it will be more painful to get rid of later rather than now.

Amount of time LGTM.

That doesn't seem right to me. Let's say we have a tough target -- where it's hard to reach any new coverage. In fact, we have a lot of them, when we use a full corpus.

So, after running for a while, it finally finds a couple useful mutations, all of them get weights, say, 10^(-6) (again, totally possible), while all "useless" mutations get the default weight of 10^(-5). That would mean, "useless" mutations would be chosen much more often than "useful" ones.

IMO, the better approach would be something like what we've discussed in the past:

1. make random decision whether we use weighted mutations or default selection, 80% vs 20% should be fine. Once start testing, can change to 90 vs 10 or any other proportion
2. if weighted mutations was chosen, call WeightedIndex(); otherwise, use default case

That approach would be universal as it doesn't use any magic numbers which correspond to a particular target, as your 100*1000 can behave very differently with targets having different speed.

+1

That won't work well for all targets. If mutations stats are very low numbers, that default mutation weight constant will bias the selection towards more uniform distribution, rather than giving more favor to more useful mutations.

here and on line 603, what's the point of multiplying by 1.0?

Yes, don't create a new Random object, use an existing one from FuzzerDriver. That's crucial for keeping deterministic behavior, as Jonathan has pointed out.

I think it will be harder to determine if this technique is useful with the 80/20 strategy.
If the concern is that the weight is too high, why don't we use the smallest positive double as the default?

I think it will be harder to determine if this technique is useful with the 80/20 strategy.

Why will it be harder? That percentage would just control the factor of how strongly our strategy affects fuzzing process. We should still be able to see either a negative a positive impact. Changing the distribution (e.g. use 90/10 after 80/20) would multiple that impact a little bit.

If the concern is that the weight is too high, why don't we use the smallest positive double as the default?

I can't think of a value that would work well for both cases when useful mutations have stats like 10^(-3) and 10^(-6). We should avoid relying on anything that depends on fuzz targets speed / complexity of finding a new input. We already have magic threshold of 10000, let's not add more of those.

With my proposal it will be something like:

// Even when use weighted mutations, fallback to the default selection in 20% of cases.
if (Options.UseWeightedMutations && Rand(100) < 80) 
  M = &Mutators[WeightedIndex()];
else
  M = &Mutators[Rand(Mutators.size())];

@metzman @Dor1s PTAL. Made changes and ran tests. Test in question is no longer flaky (ran about 50 times) and ran two experiments locally. In both cases, the corpus grew more with the option enabled :) so maybe a good sign.

Both UsefulCount and TotalCount are uint64_t but Stats is a vector of doubles, so I multiply by 1.0 to make sure it gets calculated as double.

It's an obscure way to cast a value to another type. Please use static_cast<double>(Mutators[i].UsefulCount) instead.

"zero division" -> "division by zero"

add ", init with uniform weights distribution." to the comment please

Let's remove kDefaultMutationWeight variable, just use 1.0 here.

We should start with 0 values in Stats, remove kDefaultMutationStat and leave Stats.resize(Mutators.size() here.

Please do Mutator *M = nullptr; just to be safe in case there ever will be any bug and the pointer won't be initialized.

We should keep the distribution object inside of MutationDispatcher class and update it only every kUpdateMutationWeightRuns, not for every weighted index retrieval.

Let's rename this method to UpdateMutationStats, that name would make more sense.

This line and line 175 feel slightly inconsistent, both should be MutationWeights and MutationStats or just Weights and Stats. I'd prefer the latter, as we're already inside MutationDispatcher class and clearly deal with mutations here.

Actually, we don't need MutationWeights here, we need only the distribution. Could you please do the following:

1. Remove this MutationWeights member

2. Add Distribution member (also see my comment for WeightedIndex() function)

3. Rename MutationDispatcher::AssignMutationWeights() to MutationDispatcher::UpdateDistribution()

4. In MutationDispatcher::UpdateDistribution() create a local vector Weights and update it using Stats value as you do now

5. Update the Distribution using the Weights, e.g. see how it's done for the corpus distribution (FuzzerCorpus.h:294)

This variable is not needed until line 605. And may be not needed at all if we do an early return on line 603. Please declare it between lines 603 and 605.

We don't need to do this, just pass Mutators.size()to constructor of Vector<double> Weights. Default weight should be 0, so Vector<double> Weights(Mutators.size()); would be enough

use -> using

Maybe if (... && Rand(5)) would be simpler.

Is normalization necessary? I think discrete_distribution might do this internally.

I think you can do Distribution.param(Weights) rather than reconstructing. Might be faster.

What is the "most previous run"? Please clarify comment

Oh, right. Thanks for spotting, Matt! Kode, please remove lines 603-605 and try passing Stats to the distribution.

Does Distribution.param(Stats) work instead?

There's nothing inside UpdateMutationStats that refers to the number 10,000.

Maybe something like "Recalculates mutation stats based on latest run data."

This really only tests that there's no major regression with the flag on. If this flag performs better under some circumstances, we should add a test to demonstrate that.

Also, we can probably add this to fuzzer-mutationstats.test instead.

Please see other comment on Distribution.param(Weights).

One param function doesnt take arguments (returns a param_type object) and the other one sets the new params based on a passed in param_type object, but there would have to be another discrete_distribution object from which the param_type object would be obtained so I think that's why they do it this way in https://cs.corp.google.com/piper///depot/google3/third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerCorpus.h?rcl=206864844&l=294

Quite literally I would have to do Distribution.param(Distribution.param()) but I'm not sure that would update the distribution.

SumOfStats doesn't need to be calculated.

Matt, we needed SumOfStats to be non zero to ensure that we have at least some distribution. Until that moment is reached, we should be using the initial weights. I like this simplification though, but in that case we'll have to initialize UsefulCount with 1, so that initial Stats will be 1 / 1 for every mutation.

Either approach SGTM.