authorKostya Serebryany <kcc@google.com>2019-05-09 21:29:45 +0000
committerKostya Serebryany <kcc@google.com>2019-05-09 21:29:45 +0000
commite9aaa5582fa164e8fbcf819c672c02f5f5448e6c (patch)
tree3ae54b1392a51c1eeebc6b43e7c0bac41ab208d8 /compiler-rt/test/fuzzer
parent12faa0d44bf7009b5868b565f5cda8159abafb17 (diff)
[libFuzzer] implement -focus_function=auto, to be used with Data Flow Traces
llvm-svn: 360378
Diffstat (limited to 'compiler-rt/test/fuzzer')
-rw-r--r--compiler-rt/test/fuzzer/OnlySomeBytesTest.cpp10
-rw-r--r--compiler-rt/test/fuzzer/dataflow.test2
-rw-r--r--compiler-rt/test/fuzzer/only-some-bytes.test13
3 files changed, 21 insertions, 4 deletions
diff --git a/compiler-rt/test/fuzzer/OnlySomeBytesTest.cpp b/compiler-rt/test/fuzzer/OnlySomeBytesTest.cpp
index 60de710e829..bf10df8d9b8 100644
--- a/compiler-rt/test/fuzzer/OnlySomeBytesTest.cpp
+++ b/compiler-rt/test/fuzzer/OnlySomeBytesTest.cpp
@@ -24,8 +24,16 @@ __attribute__((noinline)) void bad() {
__attribute__((noinline)) void f0(IN in) {
uint32_t x = in[5] + 251 * in[7] + 251 * 251 * in[9];
- if (x == 'F' + 251 * 'U' + 251 * 251 * 'Z')
+ if (x == 'F' + 251 * 'U' + 251 * 251 * 'Z') {
+ // artificially inflate uncovered control in f0
+ // so that auto-focus is more likely to chose this function.
+ if (one == -1) {
+ if (one == 2) one = 1; if (one == 3) one = 1; if (one == 4) one = 1;
+ if (one == 5) one = 1; if (one == 6) one = 1; if (one == 7) one = 1;
+ if (one == 8) one = 1; if (one == 9) one = 1; if (one == 0) one = 1;
+ }
bad();
+ }
}
__attribute__((noinline)) void fC(IN in) { if (in[2] == 'C') f0(in); }
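Review bot: The padding block guarded by `if (one == -1)` in f0 only adds uncovered edges if the compiler cannot prove those branches dead, and the declaration of `one` lies outside this hunk. If `one` is not volatile (or otherwise opaque to the optimizer), an optimized build can fold the whole block away, and the auto-focus weighting this test relies on would disappear silently. I would state that dependency in the comment, e.g. `// relies on 'one' being volatile so these never-taken branches survive optimization`, and fix the typo `chose` -> `choose` in the same comment. Writing one `if` per line would also keep the block stable under clang-format.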
diff --git a/compiler-rt/test/fuzzer/dataflow.test b/compiler-rt/test/fuzzer/dataflow.test
index 6f32c38a8fe..45e683a7864 100644
--- a/compiler-rt/test/fuzzer/dataflow.test
+++ b/compiler-rt/test/fuzzer/dataflow.test
@@ -92,11 +92,11 @@ RUN: %libfuzzer_src/scripts/collect_data_flow.py %t-ExplodeDFSanLabelsTestDF %t/
RUN: rm -rf %t/OUT
RUN: %libfuzzer_src/scripts/collect_data_flow.py %t-ThreeFunctionsTestDF %t/IN %t/OUT
RUN: %t-ThreeFunctionsTest -data_flow_trace=%t/OUT -runs=0 -focus_function=Func2 2>&1 | FileCheck %s --check-prefix=USE_DATA_FLOW_TRACE
-USE_DATA_FLOW_TRACE: INFO: Focus function is set to 'Func2'
USE_DATA_FLOW_TRACE: INFO: DataFlowTrace: reading from {{.*}}/OUT
USE_DATA_FLOW_TRACE-DAG: ca8eefe2fd5d6b32028f355fafa3e739a6bf5edc => |000001|
USE_DATA_FLOW_TRACE-DAG: d28cb407e8e1a702c72d25473f0553d3ec172262 => |0000011|
USE_DATA_FLOW_TRACE: INFO: DataFlowTrace: 6 trace files, 3 functions, 2 traces with focus function
+USE_DATA_FLOW_TRACE: INFO: Focus function is set to 'Func2'
# Test that we can run collect_data_flow on a long input (>2**16 bytes)
RUN: rm -rf %t/OUT
diff --git a/compiler-rt/test/fuzzer/only-some-bytes.test b/compiler-rt/test/fuzzer/only-some-bytes.test
index 68d0a7266f7..87513bf5955 100644
--- a/compiler-rt/test/fuzzer/only-some-bytes.test
+++ b/compiler-rt/test/fuzzer/only-some-bytes.test
@@ -31,7 +31,16 @@ RUN: %t-Fuzz -focus_function=f0 -data_flow_trace=%t/IN_DFT -runs=100 %t/IN 2>&1
HAVE_DFT: INFO: 1/{{.*}} inputs have the Data Flow Trace
# Collect DFT, then use it.
-RUN: rm -rf %t/C && mkdir %t/C && cp %t/IN/* %t/C
+RUN: rm -rf %t/C %t/C1 && mkdir %t/C %t/C1 && cp %t/IN/* %t/C
RUN: rm -rf %t/C_DFT && %libfuzzer_src/scripts/collect_data_flow.py %t-DFT %t/C %t/C_DFT > /dev/null 2>&1
-RUN: not %t-Fuzz -focus_function=f0 -data_flow_trace=%t/C_DFT -seed=1 -runs=1000000 -use_value_profile=1 %t/C 2> %t/log
+RUN: not %t-Fuzz -focus_function=f0 -data_flow_trace=%t/C_DFT -seed=1 -runs=1000000 -use_value_profile=1 %t/C1 %t/C 2> %t/log
+RUN: grep BINGO %t/log
+
+# Test -focus_function=auto: run 50 times and verify that 'f0' is the most frequent focus function.
+RUN: %t-Fuzz -focus_function=auto -data_flow_trace=%t/C_DFT -runs=0 %t/C -jobs=50 2>&1 | grep AUTOFOCUS | sort | uniq -c | sort -g -r | head -n 1 | FileCheck %s --check-prefix=AUTOFOCUS
+AUTOFOCUS: INFO: AUTOFOCUS: {{.*}} f0
+
+# Actually execute 50 fuzzing processes with a small number of runs, to test -focus_function=auto for real.
+# We can not test data_flow_trace=auto in just a single run, because it may choose to focus on a wrong function.
+RUN: not %t-Fuzz -focus_function=auto -data_flow_trace=%t/C_DFT %t/C -jobs=50 -runs=200000 -use_value_profile=1 2> %t/log
RUN: grep BINGO %t/log
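Review bot: The comment above the final fuzzing run names the wrong flag: it says `data_flow_trace=auto`, but the option under test is `-focus_function=auto`; suggest `# We can not test -focus_function=auto in just a single run, because it may choose to focus on a wrong function.` Both auto-focus RUN lines are also unseeded and probabilistic (most frequent of 50 via `head -n 1`, and BINGO within 200000 runs across 50 jobs), unlike the `-seed=1` run earlier in this hunk. A short comment on why no seed is used and how unlikely a miss is would help whoever triages a flaky failure. The `{{.*}} f0` pattern is not anchored at the end, so it would also accept a function name that merely starts with `f0`; `f0{{$}}` would pin it, assuming the AUTOFOCUS line ends with the function name.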