Options.MutateDepth = Flags.mutate_depth;
Options.ExitOnFirst = Flags.exit_on_first;
Options.UseFullCoverageSet = Flags.use_full_coverage_set;
+ Options.UseCoveragePairs = Flags.use_coverage_pairs;
Options.PreferSmallDuringInitialShuffle =
Flags.prefer_small_during_initial_shuffle;
if (Flags.runs >= 0)
int, save_minimized_corpus, 0,
"If 1, the minimized corpus is saved into the first input directory")
FUZZER_FLAG(int, use_full_coverage_set, 0,
- "Maximize the number of different full"
+ "Experimental: Maximize the number of different full"
" coverage sets as opposed to maximizing the total coverage."
" This is potentially MUCH slower, but may discover more paths.")
+FUZZER_FLAG(int, use_coverage_pairs, 0,
+ "Experimental: Maximize the number of different coverage pairs.")
FUZZER_FLAG(int, jobs, 0, "Number of jobs to run. If jobs >= 1 we spawn"
" this number of jobs in separate worker processes"
" with stdout/stderr redirected to fuzz-JOB.log.")
int MutateDepth = 5;
bool ExitOnFirst = false;
bool UseFullCoverageSet = false;
+ bool UseCoveragePairs = false;
int PreferSmallDuringInitialShuffle = -1;
size_t MaxNumberOfRuns = ULONG_MAX;
std::string OutputCorpus;
size_t RunOne(const Unit &U);
size_t RunOneMaximizeTotalCoverage(const Unit &U);
size_t RunOneMaximizeFullCoverageSet(const Unit &U);
+ size_t RunOneMaximizeCoveragePairs(const Unit &U);
void WriteToOutputCorpus(const Unit &U);
static void WriteToCrash(const Unit &U, const char *Prefix);
std::vector<Unit> Corpus;
std::unordered_set<uintptr_t> FullCoverageSets;
+ std::unordered_set<uint64_t> CoveragePairs;
UserCallback Callback;
FuzzingOptions Options;
system_clock::time_point ProcessStartTime = system_clock::now();
TotalNumberOfRuns++;
if (Options.UseFullCoverageSet)
return RunOneMaximizeFullCoverageSet(U);
+ if (Options.UseCoveragePairs)
+ return RunOneMaximizeCoveragePairs(U);
return RunOneMaximizeTotalCoverage(U);
}
return Res;
}
+// Experimental. Does not yet scale.
+// Fuly reset the current coverage state, run a single unit,
+// collect all coverage pairs and return non-zero if a new pair is observed.
+size_t Fuzzer::RunOneMaximizeCoveragePairs(const Unit &U) {
+ __sanitizer_reset_coverage();
+ Callback(U.data(), U.size());
+ uintptr_t *PCs;
+ uintptr_t NumPCs = __sanitizer_get_coverage_guards(&PCs);
+ bool HasNewPairs = false;
+ for (uintptr_t i = 0; i < NumPCs; i++) {
+ if (!PCs[i]) continue;
+ for (uintptr_t j = 0; j < NumPCs; j++) {
+ if (!PCs[j]) continue;
+ uint64_t Pair = (i << 32) | j;
+ HasNewPairs |= CoveragePairs.insert(Pair).second;
+ }
+ }
+ if (HasNewPairs)
+ return CoveragePairs.size();
+ return 0;
+}
+
+// Experimental.
// Fuly reset the current coverage state, run a single unit,
// compute a hash function from the full coverage set,
// return non-zero if the hash value is new.
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -O0 -fsanitize-coverage=4")
set(Tests
+ FourIndependentBranchesTest
FullCoverageSetTest
InfiniteTest
NullDerefTest
--- /dev/null
+// Simple test for a fuzzer. The fuzzer must find the string "FUZZ".
+#include <cstdint>
+#include <cstdlib>
+#include <cstddef>
+#include <iostream>
+
+extern "C" void TestOneInput(const uint8_t *Data, size_t Size) {
+ int bits = 0;
+ if (Size > 0 && Data[0] == 'F') bits |= 1;
+ if (Size > 1 && Data[1] == 'U') bits |= 2;
+ if (Size > 2 && Data[2] == 'Z') bits |= 4;
+ if (Size > 3 && Data[3] == 'Z') bits |= 8;
+ if (bits == 15) {
+ std::cerr << "BINGO!\n";
+ exit(1);
+ }
+}
+
RUN: not ./LLVMFuzzer-NullDerefTest 2>&1 | FileCheck %s --check-prefix=NullDerefTest
NullDerefTest: CRASHED; file written to crash-
-RUN: not ./LLVMFuzzer-FullCoverageSetTest -timeout=15 -mutate_depth=2 -use_full_coverage_set=1 2>&1 | FileCheck %s --check-prefix=FullCoverageSetTest
+RUN: not ./LLVMFuzzer-FullCoverageSetTest -timeout=15 -seed=1 -mutate_depth=2 -use_full_coverage_set=1 2>&1 | FileCheck %s --check-prefix=FullCoverageSetTest
FullCoverageSetTest: BINGO
+
+RUN: not ./LLVMFuzzer-FourIndependentBranchesTest -timeout=15 -seed=1 -use_coverage_pairs=1 2>&1 | FileCheck %s --check-prefix=FourIndependentBranchesTest
+FourIndependentBranchesTest: BINGO