This is an archive of the discontinued LLVM Phabricator instance.

Differential D86954

[libFuzzer] Evenly select inputs to cross over with from the corpus regardless of the input's coverage.
ClosedPublic

Authored by dokyungs on Sep 1 2020, 9:29 AM.

Details

Reviewers
morehouse
hctim
kcc
Commits
rGb53243e19496: [libFuzzer] Evenly select inputs to cross over with from the corpus regardless…
Summary

This patch adds an option "cross_over_uniform_dist", which, if 1, utilizes all
inputs in the corpus for the crossover mutation. More specifically, this patch
uses a uniform distribution of all inputs in the corpus for the CrossOver input
selection. Note that input selection for mutation is still fully determined by
the scheduling policy (i.e., vanilla or Entropic); the uniform distribution only
applies to the secondary input selection, only for the crossover mutation of the
base input chosen by the scheduling policy. This way the corpus inputs that have
useful fragments in them, even though they are deprioritized by the scheduling
policy, have chances of getting mixed with other inputs that are prioritized and
selected as base input for mutation.

Diff Detail

Event Timeline

dokyungs created this revision.Sep 1 2020, 9:29 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 1 2020, 9:29 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
dokyungs requested review of this revision.Sep 1 2020, 9:29 AM
dokyungs added inline comments.Sep 1 2020, 9:30 AM
compiler-rt/test/fuzzer/cross_over_uniform_dist.test
3

Will revisit this test after getting the keep seed patch upstreamed.

Harbormaster completed remote builds in B70250: Diff 289195.Sep 1 2020, 10:10 AM
morehouse added inline comments.Sep 1 2020, 10:48 AM
compiler-rt/lib/fuzzer/FuzzerFlags.def
32

Please also document when this is useful.

hctim added inline comments.Sep 1 2020, 11:15 AM
compiler-rt/lib/fuzzer/FuzzerCorpus.h
274–279

nit: short branch first:

if (!UniformDist)
  return ChooseUnitToMutate(Rand);
...
dokyungs updated this revision to Diff 289494.Sep 2 2020, 9:28 AM

Addressed comments.

dokyungs marked 2 inline comments as done.Sep 2 2020, 9:29 AM
Harbormaster completed remote builds in B70415: Diff 289494.Sep 2 2020, 10:13 AM
hctim accepted this revision.Sep 2 2020, 12:39 PM

LGTM (after the keep_seed patch lands)

This revision is now accepted and ready to land.Sep 2 2020, 12:39 PM
morehouse accepted this revision.Sep 2 2020, 5:28 PM

Please make sure the harbormaster test passes before landing.

dokyungs updated this revision to Diff 289749.Sep 3 2020, 9:38 AM

Fix cross_over_uniform_dist.test. If -cross_over_uniform_dist=1, it takes 766,756 execs to find the crash; if 0, it takes more than 2,000,000 execs to find the crash.

Harbormaster completed remote builds in B70549: Diff 289749.Sep 3 2020, 10:05 AM
dokyungs updated this revision to Diff 289754.Sep 3 2020, 10:19 AM

Try adding double-quotes around seed input string being echoed.

Harbormaster completed remote builds in B70554: Diff 289754.Sep 3 2020, 10:51 AM
dokyungs updated this revision to Diff 289782.Sep 3 2020, 12:04 PM

Adjust the test - make sure corpus/B input does not discover any more coverage than corpus/A, so that it's not scheduled for mutation even with -keep_seed=1. Only with uniform distribution. corpus/B has chances of getting crossed over with.

Harbormaster completed remote builds in B70570: Diff 289782.Sep 3 2020, 12:29 PM
This revision was landed with ongoing or failed builds.Sep 3 2020, 1:01 PM
Closed by commit rGb53243e19496: [libFuzzer] Evenly select inputs to cross over with from the corpus regardless… (authored by dokyungs). · Explain Why
This revision was automatically updated to reflect the committed changes.
dokyungs added a commit: rGb53243e19496: [libFuzzer] Evenly select inputs to cross over with from the corpus regardless….

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
9 lines
1 line
10 lines
7 lines
1 line
test/
fuzzer/
16 lines

Diff 289790

compiler-rt/lib/fuzzer/FuzzerCorpus.h

Show First 20 LinesShow All 264 Lines▼ Show 20 Linespublic:
bool HasUnit(const Unit &U) { return Hashes.count(Hash(U)); } bool HasUnit(const Unit &U) { return Hashes.count(Hash(U)); }
bool HasUnit(const std::string &H) { return Hashes.count(H); } bool HasUnit(const std::string &H) { return Hashes.count(H); }
InputInfo &ChooseUnitToMutate(Random &Rand) { InputInfo &ChooseUnitToMutate(Random &Rand) {
InputInfo &II = *Inputs[ChooseUnitIdxToMutate(Rand)]; InputInfo &II = *Inputs[ChooseUnitIdxToMutate(Rand)];
assert(!II.U.empty()); assert(!II.U.empty());
return II; return II;
} }
InputInfo &ChooseUnitToCrossOverWith(Random &Rand, bool UniformDist) {
if (!UniformDist) {
return ChooseUnitToMutate(Rand);
}
InputInfo &II = *Inputs[Rand(Inputs.size())];
assert(!II.U.empty());
return II;
hctimUnsubmitted
Done
ReplyInline Actions

nit: short branch first:

if (!UniformDist)
  return ChooseUnitToMutate(Rand);
...
hctim: nit: short branch first: ``` if (!UniformDist) return ChooseUnitToMutate(Rand); ... ```
}
// Returns an index of random unit from the corpus to mutate. // Returns an index of random unit from the corpus to mutate.
size_t ChooseUnitIdxToMutate(Random &Rand) { size_t ChooseUnitIdxToMutate(Random &Rand) {
UpdateCorpusDistribution(Rand); UpdateCorpusDistribution(Rand);
size_t Idx = static_cast<size_t>(CorpusDistribution(Rand)); size_t Idx = static_cast<size_t>(CorpusDistribution(Rand));
assert(Idx < Inputs.size()); assert(Idx < Inputs.size());
return Idx; return Idx;
} }
▲ Show 20 LinesShow All 255 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerDriver.cpp

Show First 20 LinesShow All 674 Lines▼ Show 20 Linesint FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
Options.UnitTimeoutSec = Flags.timeout; Options.UnitTimeoutSec = Flags.timeout;
Options.ErrorExitCode = Flags.error_exitcode; Options.ErrorExitCode = Flags.error_exitcode;
Options.TimeoutExitCode = Flags.timeout_exitcode; Options.TimeoutExitCode = Flags.timeout_exitcode;
Options.IgnoreTimeouts = Flags.ignore_timeouts; Options.IgnoreTimeouts = Flags.ignore_timeouts;
Options.IgnoreOOMs = Flags.ignore_ooms; Options.IgnoreOOMs = Flags.ignore_ooms;
Options.IgnoreCrashes = Flags.ignore_crashes; Options.IgnoreCrashes = Flags.ignore_crashes;
Options.MaxTotalTimeSec = Flags.max_total_time; Options.MaxTotalTimeSec = Flags.max_total_time;
Options.DoCrossOver = Flags.cross_over; Options.DoCrossOver = Flags.cross_over;
Options.CrossOverUniformDist = Flags.cross_over_uniform_dist;
Options.MutateDepth = Flags.mutate_depth; Options.MutateDepth = Flags.mutate_depth;
Options.ReduceDepth = Flags.reduce_depth; Options.ReduceDepth = Flags.reduce_depth;
Options.UseCounters = Flags.use_counters; Options.UseCounters = Flags.use_counters;
Options.UseMemmem = Flags.use_memmem; Options.UseMemmem = Flags.use_memmem;
Options.UseCmp = Flags.use_cmp; Options.UseCmp = Flags.use_cmp;
Options.UseValueProfile = Flags.use_value_profile; Options.UseValueProfile = Flags.use_value_profile;
Options.Shrink = Flags.shrink; Options.Shrink = Flags.shrink;
Options.ReduceInputs = Flags.reduce_inputs; Options.ReduceInputs = Flags.reduce_inputs;
▲ Show 20 LinesShow All 226 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerFlags.def

Show All 22 Lines
FUZZER_FLAG_STRING(seed_inputs, "A comma-separated list of input files " FUZZER_FLAG_STRING(seed_inputs, "A comma-separated list of input files "
"to use as an additional seed corpus. Alternatively, an \"@\" followed by " "to use as an additional seed corpus. Alternatively, an \"@\" followed by "
"the name of a file containing the comma-separated list.") "the name of a file containing the comma-separated list.")
FUZZER_FLAG_INT(keep_seed, 0, "If 1, keep seed inputs in the corpus even if " FUZZER_FLAG_INT(keep_seed, 0, "If 1, keep seed inputs in the corpus even if "
"they do not produce new coverage. When used with |reduce_inputs==1|, the " "they do not produce new coverage. When used with |reduce_inputs==1|, the "
"seed inputs will never be reduced. This option can be useful when seeds are" "seed inputs will never be reduced. This option can be useful when seeds are"
"not properly formed for the fuzz target but still have useful snippets.") "not properly formed for the fuzz target but still have useful snippets.")
FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.") FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.")
FUZZER_FLAG_INT(cross_over_uniform_dist, 0, "Experimental. If 1, use a "
"uniform probability distribution when choosing inputs to cross over with. "
morehouseUnsubmitted
Done
ReplyInline Actions

Please also document when this is useful.

morehouse: Please also document when this is useful.
"Some of the inputs in the corpus may never get chosen for mutation "
"depending on the input mutation scheduling policy. With this flag, all "
"inputs, regardless of the input mutation scheduling policy, can be chosen "
"as an input to cross over with. This can be particularly useful with "
"|keep_seed==1|; all the initial seed inputs, even though they do not "
"increase coverage because they are not properly formed, will still be "
"chosen as an input to cross over with.")
FUZZER_FLAG_INT(mutate_depth, 5, FUZZER_FLAG_INT(mutate_depth, 5,
"Apply this number of consecutive mutations to each input.") "Apply this number of consecutive mutations to each input.")
FUZZER_FLAG_INT(reduce_depth, 0, "Experimental/internal. " FUZZER_FLAG_INT(reduce_depth, 0, "Experimental/internal. "
"Reduce depth if mutations lose unique features") "Reduce depth if mutations lose unique features")
FUZZER_FLAG_INT(shuffle, 1, "Shuffle inputs at startup") FUZZER_FLAG_INT(shuffle, 1, "Shuffle inputs at startup")
FUZZER_FLAG_INT(prefer_small, 1, FUZZER_FLAG_INT(prefer_small, 1,
"If 1, always prefer smaller inputs during the corpus shuffle.") "If 1, always prefer smaller inputs during the corpus shuffle.")
FUZZER_FLAG_INT( FUZZER_FLAG_INT(
▲ Show 20 LinesShow All 139 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 660 Lines▼ Show 20 Lines if (EF->__lsan_do_recoverable_leak_check()) { // Leak is found, report it.
_Exit(Options.ErrorExitCode); // not exit() to disable lsan further on. _Exit(Options.ErrorExitCode); // not exit() to disable lsan further on.
} }
} }
void Fuzzer::MutateAndTestOne() { void Fuzzer::MutateAndTestOne() {
MD.StartMutationSequence(); MD.StartMutationSequence();
auto &II = Corpus.ChooseUnitToMutate(MD.GetRand()); auto &II = Corpus.ChooseUnitToMutate(MD.GetRand());
if (Options.DoCrossOver) if (Options.DoCrossOver) {
MD.SetCrossOverWith(&Corpus.ChooseUnitToMutate(MD.GetRand()).U); auto &CrossOverII = Corpus.ChooseUnitToCrossOverWith(
MD.GetRand(), Options.CrossOverUniformDist);
MD.SetCrossOverWith(&CrossOverII.U);
}
const auto &U = II.U; const auto &U = II.U;
memcpy(BaseSha1, II.Sha1, sizeof(BaseSha1)); memcpy(BaseSha1, II.Sha1, sizeof(BaseSha1));
assert(CurrentUnitData); assert(CurrentUnitData);
size_t Size = U.size(); size_t Size = U.size();
assert(Size <= MaxInputLen && "Oversized Unit"); assert(Size <= MaxInputLen && "Oversized Unit");
memcpy(CurrentUnitData, U.data(), Size); memcpy(CurrentUnitData, U.data(), Size);
assert(MaxMutationLen > 0); assert(MaxMutationLen > 0);
▲ Show 20 LinesShow All 200 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerOptions.h

Show All 25 Linesstruct FuzzingOptions {
int ErrorExitCode = 77; int ErrorExitCode = 77;
bool IgnoreTimeouts = true; bool IgnoreTimeouts = true;
bool IgnoreOOMs = true; bool IgnoreOOMs = true;
bool IgnoreCrashes = false; bool IgnoreCrashes = false;
int MaxTotalTimeSec = 0; int MaxTotalTimeSec = 0;
int RssLimitMb = 0; int RssLimitMb = 0;
int MallocLimitMb = 0; int MallocLimitMb = 0;
bool DoCrossOver = true; bool DoCrossOver = true;
bool CrossOverUniformDist = false;
int MutateDepth = 5; int MutateDepth = 5;
bool ReduceDepth = false; bool ReduceDepth = false;
bool UseCounters = false; bool UseCounters = false;
bool UseMemmem = true; bool UseMemmem = true;
bool UseCmp = false; bool UseCmp = false;
int UseValueProfile = false; int UseValueProfile = false;
bool Shrink = false; bool Shrink = false;
bool ReduceInputs = false; bool ReduceInputs = false;
▲ Show 20 LinesShow All 46 LinesShow Last 20 Lines

compiler-rt/test/fuzzer/cross_over_uniform_dist.test

  • This file was added.
REQUIRES: linux, x86_64
RUN: %cpp_compiler %S/KeepSeedTest.cpp -o %t-CrossOverUniformDistTest
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

Will revisit this test after getting the keep seed patch upstreamed.

dokyungs: Will revisit this test after getting the keep seed patch upstreamed.
RUN: rm -rf %t-corpus
RUN: mkdir %t-corpus
RUN: echo -n "@SELECT" > %t-corpus/A
RUN: echo -n "@FROM WHERE" > %t-corpus/B
RUN: not %run %t-CrossOverUniformDistTest -keep_seed=1 -cross_over_uniform_dist=1 -seed=1 -runs=2000000 %t-corpus 2>&1 | FileCheck %s
CHECK: BINGO
RUN: rm -rf %t-corpus
RUN: mkdir %t-corpus
RUN: echo -n "@SELECT" > %t-corpus/A
RUN: echo -n "@FROM WHERE" > %t-corpus/B
RUN: %run %t-CrossOverUniformDistTest -keep_seed=1 -seed=1 -runs=2000000 %t-corpus 2>&1