Options.ExitOnFirst = Flags.exit_on_first;
Options.UseCounters = Flags.use_counters;
Options.UseTraces = Flags.use_traces;
- Options.UseFullCoverageSet = Flags.use_full_coverage_set;
Options.PreferSmallDuringInitialShuffle =
Flags.prefer_small_during_initial_shuffle;
Options.Tokens = ReadTokensFile(Flags.deprecated_tokens);
"Example: ./fuzzer -save_minimized_corpus=1 NEW_EMPTY_DIR OLD_CORPUS")
FUZZER_FLAG_INT(use_counters, 1, "Use coverage counters")
FUZZER_FLAG_INT(use_traces, 0, "Experimental: use instruction traces")
-FUZZER_FLAG_INT(use_full_coverage_set, 0,
- "Experimental: Maximize the number of different full"
- " coverage sets as opposed to maximizing the total coverage."
- " This is potentially MUCH slower, but may discover more paths.")
FUZZER_FLAG_INT(jobs, 0, "Number of jobs to run. If jobs >= 1 we spawn"
" this number of jobs in separate worker processes"
" with stdout/stderr redirected to fuzz-JOB.log.")
size_t RunOne(const Unit &U);
void RunOneAndUpdateCorpus(Unit &U);
size_t RunOneMaximizeTotalCoverage(const Unit &U);
- size_t RunOneMaximizeFullCoverageSet(const Unit &U);
size_t RunOneMaximizeCoveragePairs(const Unit &U);
void WriteToOutputCorpus(const Unit &U);
void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix);
std::vector<Unit> Corpus;
std::unordered_set<std::string> UnitHashesAddedToCorpus;
- std::unordered_set<uintptr_t> FullCoverageSets;
// For UseCounters
std::vector<uint8_t> CounterBitmap;
size_t Fuzzer::RunOne(const Unit &U) {
UnitStartTime = system_clock::now();
TotalNumberOfRuns++;
- size_t Res = 0;
- if (Options.UseFullCoverageSet)
- Res = RunOneMaximizeFullCoverageSet(U);
- else
- Res = RunOneMaximizeTotalCoverage(U);
+ size_t Res = RunOneMaximizeTotalCoverage(U);
auto UnitStopTime = system_clock::now();
auto TimeOfUnit =
duration_cast<seconds>(UnitStopTime - UnitStartTime).count();
ReportNewCoverage(RunOne(U), U);
}
-static uintptr_t HashOfArrayOfPCs(uintptr_t *PCs, uintptr_t NumPCs) {
- uintptr_t Res = 0;
- for (uintptr_t i = 0; i < NumPCs; i++) {
- Res = (Res + PCs[i]) * 7;
- }
- return Res;
-}
-
Unit Fuzzer::SubstituteTokens(const Unit &U) const {
Unit Res;
for (auto Idx : U) {
}
}
-// Experimental.
-// Fuly reset the current coverage state, run a single unit,
-// compute a hash function from the full coverage set,
-// return non-zero if the hash value is new.
-// This produces tons of new units and as is it's only suitable for small tests,
-// e.g. test/FullCoverageSetTest.cpp. FIXME: make it scale.
-size_t Fuzzer::RunOneMaximizeFullCoverageSet(const Unit &U) {
- __sanitizer_reset_coverage();
- ExecuteCallback(U);
- uintptr_t *PCs;
- uintptr_t NumPCs =__sanitizer_get_coverage_guards(&PCs);
- if (FullCoverageSets.insert(HashOfArrayOfPCs(PCs, NumPCs)).second)
- return FullCoverageSets.size();
- return 0;
-}
-
size_t Fuzzer::RunOneMaximizeTotalCoverage(const Unit &U) {
size_t NumCounters = __sanitizer_get_number_of_counters();
if (Options.UseCounters) {
RUN: not LLVMFuzzer-NullDerefTest 2>&1 | FileCheck %s --check-prefix=NullDerefTest
NullDerefTest: Test unit written to crash-
-RUN: not LLVMFuzzer-FullCoverageSetTest -timeout=15 -seed=1 -mutate_depth=2 -use_full_coverage_set=1 2>&1 | FileCheck %s
+#not LLVMFuzzer-FullCoverageSetTest -timeout=15 -seed=1 -mutate_depth=2 -use_full_coverage_set=1 2>&1 | FileCheck %s
-RUN: not LLVMFuzzer-FourIndependentBranchesTest -timeout=15 -seed=1 -use_full_coverage_set=1 2>&1 | FileCheck %s
+#not LLVMFuzzer-FourIndependentBranchesTest -timeout=15 -seed=1 -use_traces=1 2>&1 | FileCheck %s
RUN: not LLVMFuzzer-CounterTest -use_counters=1 -max_len=6 -seed=1 -timeout=15 2>&1 | FileCheck %s
projects / oota-llvm.git / commitdiff