[libFuzzer] add stats to the corpus; more refactoring

llvm-svn: 282121
author: Kostya Serebryany <kcc@google.com> 2016-09-21 22:42:17 +0000
committer: Kostya Serebryany <kcc@google.com> 2016-09-21 22:42:17 +0000
commit: 29bb6640759f55a7092963dca3ef0287a9f5d140 (patch)
tree: 6ed23cf0c51af0d35971870baf7f6b28980e8247 /llvm/lib/Fuzzer/FuzzerLoop.cpp
parent: 0509203952fa0e6c1073dab2d9cce1e3beabab9f (diff)
download: bcm5719-llvm-29bb6640759f55a7092963dca3ef0287a9f5d140.tar.gz
bcm5719-llvm-29bb6640759f55a7092963dca3ef0287a9f5d140.zip
1 files changed, 17 insertions, 23 deletions
diff --git a/llvm/lib/Fuzzer/FuzzerLoop.cpp b/llvm/lib/Fuzzer/FuzzerLoop.cpp
index 0edc21db3ac..78063085726 100644
--- a/llvm/lib/Fuzzer/FuzzerLoop.cpp
+++ b/llvm/lib/Fuzzer/FuzzerLoop.cpp
@@ -10,6 +10,7 @@
 //===----------------------------------------------------------------------===//
 
 #include "FuzzerInternal.h"
+#include "FuzzerCorpus.h"
 #include "FuzzerMutate.h"
 #include "FuzzerTracePC.h"
 #include "FuzzerRandom.h"
@@ -157,8 +158,9 @@ void FreeHook(const volatile void *ptr) {
   AllocTracer.Frees++;
 }
 
-Fuzzer::Fuzzer(UserCallback CB, MutationDispatcher &MD, FuzzingOptions Options)
-    : CB(CB), MD(MD), Options(Options) {
+Fuzzer::Fuzzer(UserCallback CB, InputCorpus &Corpus, MutationDispatcher &MD,
+               FuzzingOptions Options)
+    : CB(CB), Corpus(Corpus), MD(MD), Options(Options) {
   SetDeathCallback();
   InitializeTraceState();
   assert(!F);
@@ -337,6 +339,8 @@ void Fuzzer::PrintStats(const char *Where, const char *End) {
 void Fuzzer::PrintFinalStats() {
   if (Options.PrintCoverage)
     TPC.PrintCoverage();
+  if (Options.PrintCorpusStats)
+    Corpus.PrintStats();
   if (!Options.PrintFinalStats) return;
   size_t ExecPerSec = execPerSec();
   Printf("stat::number_of_executed_units: %zd\n", TotalNumberOfRuns);
@@ -353,14 +357,6 @@ void Fuzzer::SetMaxLen(size_t MaxLen) {
   Printf("INFO: -max_len is not provided, using %zd\n", Options.MaxLen);
 }
 
-void Fuzzer::ReadDir(const std::string &Path, long *Epoch, size_t MaxSize) {
-  Printf("Loading corpus: %s\n", Path.c_str());
-  std::vector<Unit> V;
-  ReadDirToVectorOfUnits(Path.c_str(), &V, Epoch, MaxSize);
-  for (auto &U : V)
-    Corpus.push_back(U);
-}
-
 void Fuzzer::RereadOutputCorpus(size_t MaxSize) {
   if (Options.OutputCorpus.empty() || !Options.Reload) return;
   std::vector<Unit> AdditionalCorpus;
@@ -373,7 +369,7 @@ void Fuzzer::RereadOutputCorpus(size_t MaxSize) {
       X.resize(MaxSize);
     if (!Corpus.HasUnit(X)) {
       if (RunOne(X)) {
-        Corpus.push_back(X);
+        Corpus.AddToCorpus(X);
         PrintStats("RELOAD");
       }
     }
@@ -396,7 +392,7 @@ void Fuzzer::ShuffleAndMinimize(UnitVector *InitialCorpus) {
   for (const auto &U : *InitialCorpus) {
     bool NewCoverage = RunOne(U);
     if (!Options.PruneCorpus || NewCoverage) {
-      Corpus.push_back(U);
+      Corpus.AddToCorpus(U);
       if (Options.Verbosity >= 2)
         Printf("NEW0: %zd L %zd\n", MaxCoverage.BlockCoverage, U.size());
     }
@@ -439,13 +435,6 @@ bool Fuzzer::RunOne(const uint8_t *Data, size_t Size) {
   return Res;
 }
 
-void Fuzzer::RunOneAndUpdateCorpus(const uint8_t *Data, size_t Size) {
-  if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
-    return;
-  if (RunOne(Data, Size))
-    ReportNewCoverage({Data, Data + Size});
-}
-
 size_t Fuzzer::GetCurrentUnitInFuzzingThead(const uint8_t **Data) const {
   assert(InFuzzingThread());
   *Data = CurrentUnitData;
@@ -539,8 +528,9 @@ void Fuzzer::PrintNewPCs() {
       PrintOneNewPC(PCs[i]);
 }
 
-void Fuzzer::ReportNewCoverage(const Unit &U) {
-  Corpus.push_back(U);
+void Fuzzer::ReportNewCoverage(InputInfo *II, const Unit &U) {
+  II->NumSuccessfullMutations++;
+  Corpus.AddToCorpus(U);
   MD.RecordSuccessfulMutationSequence();
   PrintStatusForNewUnit(U);
   WriteToOutputCorpus(U);
@@ -653,7 +643,7 @@ void Fuzzer::MutateAndTestOne() {
   LazyAllocateCurrentUnitData();
   MD.StartMutationSequence();
 
-  const auto &II = Corpus.ChooseUnitToMutate(MD.GetRand());
+  auto &II = Corpus.ChooseUnitToMutate(MD.GetRand());
   const auto &U = II.U;
   memcpy(BaseSha1, II.Sha1, sizeof(BaseSha1));
   assert(CurrentUnitData);
@@ -662,6 +652,8 @@ void Fuzzer::MutateAndTestOne() {
   memcpy(CurrentUnitData, U.data(), Size);
 
   for (int i = 0; i < Options.MutateDepth; i++) {
+    if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
+      break;
     size_t NewSize = 0;
     NewSize = MD.Mutate(CurrentUnitData, Size, Options.MaxLen);
     assert(NewSize > 0 && "Mutator returned empty unit");
@@ -669,7 +661,9 @@ void Fuzzer::MutateAndTestOne() {
     Size = NewSize;
     if (i == 0)
       StartTraceRecording();
-    RunOneAndUpdateCorpus(CurrentUnitData, Size);
+    II.NumExecutedMutations++;
+    if (RunOne(CurrentUnitData, Size))
+      ReportNewCoverage(&II, {CurrentUnitData, CurrentUnitData + Size});
     StopTraceRecording();
     TryDetectingAMemoryLeak(CurrentUnitData, Size,
                             /*DuringInitialCorpusExecution*/ false);
author	Kostya Serebryany <kcc@google.com>	2016-09-21 22:42:17 +0000
committer	Kostya Serebryany <kcc@google.com>	2016-09-21 22:42:17 +0000
commit	29bb6640759f55a7092963dca3ef0287a9f5d140 (patch)
tree	6ed23cf0c51af0d35971870baf7f6b28980e8247 /llvm/lib/Fuzzer/FuzzerLoop.cpp
parent	0509203952fa0e6c1073dab2d9cce1e3beabab9f (diff)
download	bcm5719-llvm-29bb6640759f55a7092963dca3ef0287a9f5d140.tar.gz bcm5719-llvm-29bb6640759f55a7092963dca3ef0287a9f5d140.zip