[libfuzzer] simplified unit truncation; do not write trunc items to disc

aizatsky-chromium · aizatsky-chromium · commit b077d3fef227 · 2016-08-30T20:49:07.000Z
Differential Revision: https://reviews.llvm.org/D24049 llvm-svn: 280153
diff --git a/llvm/lib/Fuzzer/FuzzerLoop.cpp b/llvm/lib/Fuzzer/FuzzerLoop.cpp
@@ -33,7 +33,6 @@
 
 namespace fuzzer {
 static const size_t kMaxUnitSizeToPrint = 256;
-static const size_t TruncateMaxRuns = 1000;
 
 thread_local bool Fuzzer::IsMyThread;
 
@@ -371,39 +370,22 @@ void Fuzzer::ShuffleCorpus(UnitVector *V) {
 }
 
 // Tries random prefixes of corpus items.
-// Prefix length is chosen according to exponential distribution
-// to sample short lengths much more heavily.
 void Fuzzer::TruncateUnits(std::vector<Unit> *NewCorpus) {
-  size_t MaxCorpusLen = 0;
-  for (const auto &U : Corpus)
-    MaxCorpusLen = std::max(MaxCorpusLen, U.size());
-
-  if (MaxCorpusLen <= 1)
-    return;
+  std::vector<double> Fractions = {0.25, 0.5, 0.75, 1.0};
 
-  // 50% of exponential distribution is Log[2]/lambda.
-  // Choose lambda so that median is MaxCorpusLen / 2.
-  double Lambda = 2.0 * log(2.0) / static_cast<double>(MaxCorpusLen);
-  std::exponential_distribution<> Dist(Lambda);
-  std::vector<double> Sizes;
-  size_t TruncatePoints = std::max(1ul, TruncateMaxRuns / Corpus.size());
-  Sizes.reserve(TruncatePoints);
-  for (size_t I = 0; I < TruncatePoints; ++I) {
-    Sizes.push_back(Dist(MD.GetRand().Get_mt19937()) + 1);
-  }
-  std::sort(Sizes.begin(), Sizes.end());
-
-  for (size_t S : Sizes) {
+  size_t TruncInputs = 0;
+  for (double Fraction : Fractions) {
     for (const auto &U : Corpus) {
-      if (S < U.size() && RunOne(U.data(), S)) {
-        Unit U1(U.begin(), U.begin() + S);
-        NewCorpus->push_back(U1);
-        WriteToOutputCorpus(U1);
-        PrintStatusForNewUnit(U1);
-      }
+      uint64_t S = MD.GetRand()(U.size() * Fraction);
+      if (!S || !RunOne(U.data(), S))
+        continue;
+      TruncInputs++;
+      Unit U1(U.begin(), U.begin() + S);
+      NewCorpus->push_back(U1);
     }
   }
-  PrintStats("TRUNC  ");
+  if (TruncInputs)
+    Printf("\tINFO   TRUNC %zd units added to in-memory corpus\n", TruncInputs);
 }
 
 void Fuzzer::ShuffleAndMinimize() {
diff --git a/llvm/lib/Fuzzer/test/fuzzer-trunc.test b/llvm/lib/Fuzzer/test/fuzzer-trunc.test
@@ -2,9 +2,7 @@
 RUN: rm -rf FuzzerTruncateTestCORPUS
 RUN: mkdir FuzzerTruncateTestCORPUS
 RUN: echo "01234567890123456789012345678901234567890" > FuzzerTruncateTestCORPUS/unit1
-# Simply running a fuzzer won't produce new results
-RUN:   LLVMFuzzer-EmptyTest -seed=1 -runs=100 -truncate_units=0 ./FuzzerTruncateTestCORPUS
-# Truncating would create a new unit of length 1.
-RUN:   LLVMFuzzer-EmptyTest -seed=1 -runs=0 -truncate_units=1 ./FuzzerTruncateTestCORPUS
-RUN: find FuzzerTruncateTestCORPUS/b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
+RUN: LLVMFuzzer-EmptyTest -seed=1 -runs=0 -truncate_units=1 ./FuzzerTruncateTestCORPUS 2>&1 | FileCheck %s
 RUN: rm -rf FuzzerTruncateTestCORPUS
+
+CHECK: INFO   TRUNC 1 units added
