why not just 'double'?

Any chance to have a planer data structure here? (sorted array or some such)
Also, why size_t?
The feature is 4 bytes and the frequency can probably be 4 or even 2 bytes. (2 bytes is hard for alignment).

why is this public?
Also, why the g_ prefix?

do you need this?
the following line should take care of it

Please try to follow the coding style, i.e. capitalize the names:

Singletons

Also, the term Singleton may be a bit too overloaded.
How about

NumFeaturesCoveredByASingleInput

or some such?

try not to use constants like this.
At the very least, use

const size_t kSomething = 100;
..
if (xxx.size() > kSomething)

if there is any reason to play with different value, you may want to use a flag instead

Similar for 0xFF.

Probably, the best here is to replace these two constants with function parameters so that this function becomes unit-testable.
Which reminds me: please consider adding unit tests to the key functionality like this one.

This is the hotspot, right?
My guess is that using a hash map here causes most of the slowdown, need a faster data structure...
Need to think...
It will help if you have describe the algorithm in a comment.

a top-level comment explaining the computations would be nice

use () just in case, replace 10000 with kSomething
don't use random(), pass (Random &Rand) instead

why not

for (auto It : I->RareFeaturesFreqMap)

?

don't use libc's rand(), pass (Random &Rand) instead

does this have to be 8-byte per feature?

do you need this change?

Whether or not unorder_map, see top-level comment. If unordered_map, then uint32_t for keys and values should work.

g_NumExecutedMutations contains the total number of inputs generated. It is updated in FuzzerLoop.c in MutateAndTestOne. I can drop the g_ prefix.

We will pull these constants out as command line options.

Yes. This is the hot spot. However, most executions should exit in Line 337.
FeaturesFreqMap is an array. Don't think you can get much faster here.

Each entry is upper-bounded by the total number of generated inputs g_NumExecutedMutations which likely won't fit into uint32_t. That's why I chose size_t.

However, we really only need abundance information for features with an abundance below MostAbundant_RareFeature. If memory footprint is a concern, we can go down to uint16_t at the cost of an overflow check in the hot code in UpdateFeatureFrequency. See top-level comment for more details.

Unrelated. This is just fixing a problem where LibFuzzer prints REDUCE more often than it should.

yea, please drop g_.

Yea, I'd prefer uint16_t and a saturated add. Just to save some RAM

I'd prefer to not mix unrelated changes in one diff -- makes the code review quadratic.
Please contribute this one separately (I am not 100% sure I understand it)

it would be nice to manipulate this fields only with reasonable named methods

could you please initialize them?

It would be nice to rename variables in a such way that reader without background can understand what is going on.

please don't reuse variables like Y here
just declare as close as possible to first use, or even better with assignment

uint16_t GlobalFeatureFreqs[kFeatureSetSize] = {}; instead of memsets
it would be nice do to the same for other arrays here, but in a separate patch

entropic -> focus_rare_features

Not sure how, it would be nice to rename sparse_energy_updates as something meaningful to libfuzzer user, to make it explain behavior change, not implementation details like now.

since this is a vector, I don't think we need to manually clear it in the destructor

nit: seems like log should be sufficient, as Energy is double, not long double

nit: I'd rather use auto or decltype(RareFeatures)::value_type to avoid type mismatch if we ever change RareFeatures definition and forget to change the type here

assuming this code gets executed quite often, and the order inside RareFeatures isn't important, we can avoid erase-remove and do something like:

RareFeatures[index_from_the_loop] = RareFeatures.back();
RareFeatures.resize(RareFeatures.size() - 1);

but the loop on line 269 would have to use index in the vector (from 1 to < RareFeatures.size()) instead of the iterator

feel free to ignore though, it's just a suggestion which may or may not be a good one :)

since we always do this, resize() in my suggestion above might not be even needed, but that's a minor thing

can this and the loop on the line 294 be combined?

please consider adding a comment why we skip inputs with zero energy

invert the condition to reduce indentation:

if (!II)
  return;

can do return after this line and avoid else with extra indentation below

what is 1 here? would it make sense to have a static const variable with a descriptive name, e.g. kDefaultSomething?

same point, what is 0? a constant with a descriptive name or (less preferred) comment would be really helpful for others who come to read the code in future

From the code below it seems like Energy represents entropy and the max value is 0, which we reduce depending on the actual feature frequencies. Is that correct understanding?

it seems like the Rand(kSparseEnergyUpdates) clause is applicable to the Entropic case only, is that correct? Do we really need it in the vanilla case?

could you please rewrite this in a more readable if-else form?

why 20? a constant with a descriptive name or a comment would be appreciated

so if there is at least one input that touches focus function, we will be always wasting time in this loop (starting on the line 472) and then falling back to the VanillaSchedule case? In such case I think we should just check Options.FocusFunction and use vanilla schedule if it's set, just because almost always there will be input(s) touching the focus function

does it always need update, even when new coverage wasn't observed?

With the subsequent push_back (Line 292), do you mean a swap and pop_back here?

We are setting the frequency of Idx32 to 1. Adding a comment.

Zero (0) is the default value for lower_bound as binary search over a vector of pairs. In this case, any value would work.

Yes, we estimate the entropy over the probabilities of the features in the neighborhood of the seed. Entropy is positive. The maximum entropy is logl(GlobalNumberOfFeatures).

Yes. kSparseEnergyUpdates should apply only for Entropic.

For II, the local feature frequencies have changed. So we schedule an update. However, it will only be updated when the distribution needs an update, and we do not set DistributionNeedsUpdate here.

please make field private and add access method if it's needed outside

DeleteFeatureFreq -> InputInfo::DeleteFeatureFreq

uint32_t MostAbundantRareFeatureIdx[2] = {}
or
just
MostAbundantRareFeatureIdx1
MostAbundantRareFeatureIdx2

InputInfo::UpdateFeatureFrequency

InputInfo::UpdateEnergy

"long double" is still there?

many of comments are marked as "Done" but I see no changes.

yes, swap and pop_back would have the same effect

sorry, I don't understand. Below are the code lines changing Energy value:

  II->Energy = 0.0;
  II->SumIncidence = 0;

  // Apply add-one smoothing to locally discovered features.
  for (auto F : II->FeatureFreqs) {
    size_t LocalIncidence = F.second + 1;
    Energy -= LocalIncidence * logl(LocalIncidence);
    SumIncidence += LocalIncidence;
  }

  <...>

  // Add a single locally abundant feature apply add-one smoothing.
  size_t AbdIncidence = II->NumExecutedMutations + 1;
  Energy -= AbdIncidence * logl(AbdIncidence);
  <...>

  // Normalize.
  if (SumIncidence != 0)
    Energy = (Energy / SumIncidence) + logl(SumIncidence);

  II->Energy = (double)Energy;
<...>
}

as I read this, I see that Energy should be negative in many cases?

Moved directly into the InputInfo struct.

Implemented your swap and pop_back idea. Cheers!

Sorry for the brevity. This is why II->Energy is positive. Entropy is computed as $-\sum_{i=1}^S p_i \log(p_i)$ where $p_i$ is the probability that fuzzing II generates an input that exercises feature $i$ and $S$ is the total number of rare features. We could estimate the probability $p_i$ as the proportion of generated inputs that exercise $i$, i.e., $\hat p_i = LocalIncidence_i / SumIncidence$. If you plug this proportion into the formula for entropy, you can compute entropy as $[-\sum_{i=1}^S LocalIncidence_i \log(LocalIncidence_i)] / SumIncidence + log(SumIncidence)$. While Energy is certainly negative before // Normalize., it is positive after.

Just drop me a DM. I'll send you the write up.

Yes, keeping maximum precision during the processing to minimize the cumulative FP arithmetic error, and downcast to double once the processing is done.

Tried to address all comments either inline or in the summary. In this case, I wrote

In D73776#1921184, @marcel wrote:

• We keep the entropic option, though. Hope this is okay.

this is new in the patch, is it?
While I completely understand why we'd want to use execution time as a signal for weights,
it makes fuzzing process non-reproducible with a given seed, which I consider pretty bad.
If we used 32- or 64- bit edge counters we could have substituted them for time, but alas, we use 8-bit ones.

I'm still worried about long double due to portability.
Do you actually "know" that it's critical to use long double here?

for consistency, please use the C++ interface for getting current time (as elsewhere in the code).
But see above about my comment on time in gneral.

this is new in the patch, is it?

Yes. Been playing with a few smaller tweaks to boost LF performance.

While I completely understand why we'd want to use execution time as a signal for weights,
it makes fuzzing process non-reproducible with a given seed, which I consider pretty bad.

Do you mean LibFuzzer should be fully deterministic when you start it with the same seed corpus (e.g., by fixing *the* random seed)? Currently, even without this patch I've been observing quite some variance in the coverage achieved over time. Happy to take it out, though, if this messes with the LF design principles.

You are right. After fixing frequencies to uint16_t, this can definitely be a double.

NeedsEnergyUpdate?

Lower
(use upper case)

Lower

I'd like to put these into a

struct EntropicOptions {
   bool Enabled;
   size_t EntropicFeatureFrequencyThreshold;
  ...
}

and pass such a struct (by value) to InputCorpus CTOR.
Of course, please match the names with those in Options

I'd prefer if these names were more descriptive (ok if longer) and have "entropic" in it.
E.g.

Entropic
EntropicFeatureFrequencyThreshold
EntropicNumberOfRarestFeatures

of course, make the command line parameters match

here and below: remove 'struct'.

When running 'ninja check-fuzzer' this test fails for me:

That's weird: why does the functionality change with Entropic off?

[5/9] Running Fuzzer unit tests
FAIL: LLVMFuzzer-Unittest :: ./Fuzzer-x86_64-Test/Corpus.Distribution (48 of 55)

• TEST 'LLVMFuzzer-Unittest :: ./Fuzzer-x86_64-Test/Corpus.Distribution' FAILED ****

Note: Google Test filter = Corpus.Distribution
[==========] Running 1 test from 1 test case.
[----------] Global test environment set-up.
[----------] 1 test from Corpus
[ RUN ] Corpus.Distribution
/usr/local/google/home/kcc/llvm-project/compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp:609: Failure
Expected: (Hist[i]) > (TriesPerUnit / N / 3), actual: 0 vs 2184
/usr/local/google/home/kcc/llvm-project/compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp:609: Failure
Expected: (Hist[i]) > (TriesPerUnit / N / 3), actual: 0 vs 2184
/usr/local/google/home/kcc/llvm-project/compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp:609: Failure

Will a simpler syntax work, e.g.:

{1,3},
{2,3}

Instead of updating the corpus distribution every time it changes (e.g., FuzzerCorpus.h#L114 and FuzzerCorpus.h#L165), entropic schedules that update by setting a flag. For efficiency, only when (and just before) a new input is chosen, the corpus distribution is actually updated. I had this update in ChooseUnitToMutate which calls ChooseUnitIdxToMutate. Now moved the call to UpdateCorpusDistribution to ChooseUnitIdxToMutate (which is used by the test case).

All 40 fuzzer unit tests pass.