| author | Kostya Serebryany <kcc@google.com> | 2016-10-15 01:00:24 +0000 |
|---|---|---|
| committer | Kostya Serebryany <kcc@google.com> | 2016-10-15 01:00:24 +0000 |
| commit | f9b8e8b117bd9c8c989034027aca63a6e9b871f6 (patch) | |
| tree | f547cd38610dc72c532c1b07028304ce1752365c /llvm/lib | |
| parent | 961811c90661390431068d9e9d222e292620e0e0 (diff) | |
[libFuzzer] better algorithm for -minimize_crash
llvm-svn: 284299
Diffstat (limited to 'llvm/lib')
| -rw-r--r-- | llvm/lib/Fuzzer/FuzzerDriver.cpp | 2 | ||||
| -rw-r--r-- | llvm/lib/Fuzzer/FuzzerInternal.h | 8 | ||||
| -rw-r--r-- | llvm/lib/Fuzzer/FuzzerLoop.cpp | 20 |
3 files changed, 25 insertions, 5 deletions
diff --git a/llvm/lib/Fuzzer/FuzzerDriver.cpp b/llvm/lib/Fuzzer/FuzzerDriver.cpp
index 78d73927cf6..5f9f9351ea2 100644
--- a/llvm/lib/Fuzzer/FuzzerDriver.cpp
+++ b/llvm/lib/Fuzzer/FuzzerDriver.cpp
@@ -345,7 +345,7 @@ int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) {
   Corpus->AddToCorpus(U, 0);
   F->SetMaxInputLen(U.size());
   F->SetMaxMutationLen(U.size() - 1);
-  F->Loop();
+  F->MinimizeCrashLoop(U);
   Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n");
   exit(0);
   return 0;
diff --git a/llvm/lib/Fuzzer/FuzzerInternal.h b/llvm/lib/Fuzzer/FuzzerInternal.h
index 9ea5c96fe4b..a2f61283d4f 100644
--- a/llvm/lib/Fuzzer/FuzzerInternal.h
+++ b/llvm/lib/Fuzzer/FuzzerInternal.h
@@ -56,6 +56,7 @@ public:
          FuzzingOptions Options);
   ~Fuzzer();
   void Loop();
+  void MinimizeCrashLoop(const Unit &U);
   void ShuffleAndMinimize(UnitVector *V);
   void InitializeTraceState();
   void RereadOutputCorpus(size_t MaxSize);
@@ -64,6 +65,13 @@ public:
     return duration_cast<seconds>(system_clock::now() - ProcessStartTime)
         .count();
   }
+
+  bool TimedOut() {
+    return Options.MaxTotalTimeSec > 0 &&
+           secondsSinceProcessStartUp() >
+               static_cast<size_t>(Options.MaxTotalTimeSec);
+  }
+
   size_t execPerSec() {
     size_t Seconds = secondsSinceProcessStartUp();
     return Seconds ? TotalNumberOfRuns / Seconds : 0;
diff --git a/llvm/lib/Fuzzer/FuzzerLoop.cpp b/llvm/lib/Fuzzer/FuzzerLoop.cpp
index a8f640307fc..c5cf3090b81 100644
--- a/llvm/lib/Fuzzer/FuzzerLoop.cpp
+++ b/llvm/lib/Fuzzer/FuzzerLoop.cpp
@@ -753,10 +753,7 @@ void Fuzzer::Loop() {
     }
     if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
       break;
-    if (Options.MaxTotalTimeSec > 0 &&
-        secondsSinceProcessStartUp() >
-            static_cast<size_t>(Options.MaxTotalTimeSec))
-      break;
+    if (TimedOut()) break;
     // Perform several mutations and runs.
     MutateAndTestOne();
   }
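Review bot: The log line after the replaced call, `Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n")`, is now also reached without a single execution, because the new `MinimizeCrashLoop` (FuzzerLoop.cpp hunk) returns immediately when `U.size() <= 2`, and the reader cannot tell that case apart from "run/time budget exhausted". I would decide the small-input case in the driver before touching the limits, e.g. `if (U.size() <= 2) { Printf("INFO: input is %zd bytes, not minimizing further\n", U.size()); exit(0); }` placed before `F->SetMaxInputLen(U.size())`, which also keeps the pre-existing `U.size() - 1` from wrapping for an empty input. `MinimizeCrashInputInternalStep` starts before the hunk, so I cannot see whether U is already guaranteed non-empty there.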
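Review bot: `TimedOut()` has no comment explaining that a zero or negative `MaxTotalTimeSec` disables the limit, which is the only reason for the `> 0` guard ahead of the `static_cast<size_t>`; now that the check is shared by `Loop()` and the new minimization loop, that contract should be stated where it lives. I would add above the method: `// True once -max_total_time seconds have elapsed since process start; a value <= 0 means no time limit.` The method could also be `const` if `secondsSinceProcessStartUp()` is, but that signature is outside the hunk, as is the start of the enclosing class.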
@@ -765,6 +762,21 @@ void Fuzzer::Loop() {
   MD.PrintRecommendedDictionary();
 }
 
+void Fuzzer::MinimizeCrashLoop(const Unit &U) {
+  if (U.size() <= 2) return;
+  while (!TimedOut() && TotalNumberOfRuns < Options.MaxNumberOfRuns) {
+    MD.StartMutationSequence();
+    memcpy(CurrentUnitData, U.data(), U.size());
+    for (int i = 0; i < Options.MutateDepth; i++) {
+      size_t NewSize = MD.Mutate(CurrentUnitData, U.size(), MaxMutationLen);
+      assert(NewSize > 0 && NewSize <= MaxMutationLen);
+      RunOne(CurrentUnitData, NewSize);
+      TryDetectingAMemoryLeak(CurrentUnitData, NewSize,
+                              /*DuringInitialCorpusExecution*/ false);
+    }
+  }
+}
+
 } // namespace fuzzer
 
 extern "C" {
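Review bot: `MinimizeCrashLoop` only makes progress if `MaxMutationLen` is strictly smaller than `U.size()` — the driver arranges that with `SetMaxMutationLen(U.size() - 1)` — but nothing in the function checks it, so any other caller would spend the whole budget producing candidates no shorter than U, and the one `assert` here only bounds `NewSize` against `MaxMutationLen`. I would add `assert(MaxMutationLen < U.size());` beside the `U.size() <= 2` early return, noting that both asserts vanish under NDEBUG so the early return is the only check left in release builds. `memcpy(CurrentUnitData, U.data(), U.size())` likewise presumes the driver's `SetMaxInputLen(U.size())` has sized `CurrentUnitData` to at least `U.size()` bytes — not visible here, worth a one-line comment. A header comment is also missing; it should say that the loop keeps mutating U into shorter candidates until the run or time budget is spent and that a normal return means no shorter crashing input was found (a crashing candidate presumably ends the process in the crash handler instead of returning — to be confirmed against RunOne).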

