[lib/Fuzzer] change the way we use taint information for fuzzing. Now, we run a single unit and collect suggested mutations based on tracing+taint data, then apply the suggested mutations one by one. The previous scheme was slower and more complex.

llvm-svn: 236772
author: Kostya Serebryany <kcc@google.com> 2015-05-07 21:02:11 +0000
committer: Kostya Serebryany <kcc@google.com> 2015-05-07 21:02:11 +0000
commit: beb24c38e7927211cbb377053d5436cf1f5bb001 (patch)
tree: 2ac53f2e553d244f35afae0d242878a78f2faabe /llvm/lib/Fuzzer/FuzzerLoop.cpp
parent: 4878c87d5ea9fbe40c465f8b9cee01a6e333be88 (diff)
download: bcm5719-llvm-beb24c38e7927211cbb377053d5436cf1f5bb001.tar.gz
bcm5719-llvm-beb24c38e7927211cbb377053d5436cf1f5bb001.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/llvm/lib/Fuzzer/FuzzerLoop.cpp b/llvm/lib/Fuzzer/FuzzerLoop.cpp
index 57893e0f1fe..9d35384ecd5 100644
--- a/llvm/lib/Fuzzer/FuzzerLoop.cpp
+++ b/llvm/lib/Fuzzer/FuzzerLoop.cpp
@@ -285,9 +285,14 @@ void Fuzzer::ReportNewCoverage(size_t NewCoverage, const Unit &U) {
 
 void Fuzzer::MutateAndTestOne(Unit *U) {
   for (int i = 0; i < Options.MutateDepth; i++) {
-    MutateWithDFSan(U);
+    StartTraceRecording();
     Mutate(U, Options.MaxLen);
     RunOneAndUpdateCorpus(*U);
+    size_t NumTraceBasedMutations = StopTraceRecording();
+    for (size_t j = 0; j < NumTraceBasedMutations; j++) {
+        ApplyTraceBasedMutation(j, U);
+        RunOneAndUpdateCorpus(*U);
+    }
   }
 }
author	Kostya Serebryany <kcc@google.com>	2015-05-07 21:02:11 +0000
committer	Kostya Serebryany <kcc@google.com>	2015-05-07 21:02:11 +0000
commit	beb24c38e7927211cbb377053d5436cf1f5bb001 (patch)
tree	2ac53f2e553d244f35afae0d242878a78f2faabe /llvm/lib/Fuzzer/FuzzerLoop.cpp
parent	4878c87d5ea9fbe40c465f8b9cee01a6e333be88 (diff)
download	bcm5719-llvm-beb24c38e7927211cbb377053d5436cf1f5bb001.tar.gz bcm5719-llvm-beb24c38e7927211cbb377053d5436cf1f5bb001.zip