From f351bce7bdc72712bebb344800b231bb547ab681 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Fri, 2 Oct 2015 22:00:32 +0000 Subject: [PATCH 1/1] [libFuzzer] remove experimental flag and functionality git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@249194 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/Fuzzer/FuzzerDriver.cpp | 1 - lib/Fuzzer/FuzzerFlags.def | 4 ---- lib/Fuzzer/FuzzerInternal.h | 2 -- lib/Fuzzer/FuzzerLoop.cpp | 30 +----------------------------- lib/Fuzzer/test/fuzzer.test | 4 ++-- 5 files changed, 3 insertions(+), 38 deletions(-) diff --git a/lib/Fuzzer/FuzzerDriver.cpp b/lib/Fuzzer/FuzzerDriver.cpp index 4b9b57f27ea..b267a9bf039 100644 --- a/lib/Fuzzer/FuzzerDriver.cpp +++ b/lib/Fuzzer/FuzzerDriver.cpp @@ -255,7 +255,6 @@ int FuzzerDriver(const std::vector &Args, Options.ExitOnFirst = Flags.exit_on_first; Options.UseCounters = Flags.use_counters; Options.UseTraces = Flags.use_traces; - Options.UseFullCoverageSet = Flags.use_full_coverage_set; Options.PreferSmallDuringInitialShuffle = Flags.prefer_small_during_initial_shuffle; Options.Tokens = ReadTokensFile(Flags.deprecated_tokens); diff --git a/lib/Fuzzer/FuzzerFlags.def b/lib/Fuzzer/FuzzerFlags.def index 48ae220dee7..daf0882ce6f 100644 --- a/lib/Fuzzer/FuzzerFlags.def +++ b/lib/Fuzzer/FuzzerFlags.def @@ -37,10 +37,6 @@ FUZZER_FLAG_INT( "Example: ./fuzzer -save_minimized_corpus=1 NEW_EMPTY_DIR OLD_CORPUS") FUZZER_FLAG_INT(use_counters, 1, "Use coverage counters") FUZZER_FLAG_INT(use_traces, 0, "Experimental: use instruction traces") -FUZZER_FLAG_INT(use_full_coverage_set, 0, - "Experimental: Maximize the number of different full" - " coverage sets as opposed to maximizing the total coverage." - " This is potentially MUCH slower, but may discover more paths.") FUZZER_FLAG_INT(jobs, 0, "Number of jobs to run. If jobs >= 1 we spawn" " this number of jobs in separate worker processes" " with stdout/stderr redirected to fuzz-JOB.log.") diff --git a/lib/Fuzzer/FuzzerInternal.h b/lib/Fuzzer/FuzzerInternal.h index 8d4833f1d93..78e9c2208b6 100644 --- a/lib/Fuzzer/FuzzerInternal.h +++ b/lib/Fuzzer/FuzzerInternal.h @@ -125,7 +125,6 @@ class Fuzzer { size_t RunOne(const Unit &U); void RunOneAndUpdateCorpus(Unit &U); size_t RunOneMaximizeTotalCoverage(const Unit &U); - size_t RunOneMaximizeFullCoverageSet(const Unit &U); size_t RunOneMaximizeCoveragePairs(const Unit &U); void WriteToOutputCorpus(const Unit &U); void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix); @@ -155,7 +154,6 @@ class Fuzzer { std::vector Corpus; std::unordered_set UnitHashesAddedToCorpus; - std::unordered_set FullCoverageSets; // For UseCounters std::vector CounterBitmap; diff --git a/lib/Fuzzer/FuzzerLoop.cpp b/lib/Fuzzer/FuzzerLoop.cpp index 6e04868fd40..62a47bf0581 100644 --- a/lib/Fuzzer/FuzzerLoop.cpp +++ b/lib/Fuzzer/FuzzerLoop.cpp @@ -156,11 +156,7 @@ void Fuzzer::ShuffleAndMinimize() { size_t Fuzzer::RunOne(const Unit &U) { UnitStartTime = system_clock::now(); TotalNumberOfRuns++; - size_t Res = 0; - if (Options.UseFullCoverageSet) - Res = RunOneMaximizeFullCoverageSet(U); - else - Res = RunOneMaximizeTotalCoverage(U); + size_t Res = RunOneMaximizeTotalCoverage(U); auto UnitStopTime = system_clock::now(); auto TimeOfUnit = duration_cast(UnitStopTime - UnitStartTime).count(); @@ -183,14 +179,6 @@ void Fuzzer::RunOneAndUpdateCorpus(Unit &U) { ReportNewCoverage(RunOne(U), U); } -static uintptr_t HashOfArrayOfPCs(uintptr_t *PCs, uintptr_t NumPCs) { - uintptr_t Res = 0; - for (uintptr_t i = 0; i < NumPCs; i++) { - Res = (Res + PCs[i]) * 7; - } - return Res; -} - Unit Fuzzer::SubstituteTokens(const Unit &U) const { Unit Res; for (auto Idx : U) { @@ -214,22 +202,6 @@ void Fuzzer::ExecuteCallback(const Unit &U) { } } -// Experimental. -// Fuly reset the current coverage state, run a single unit, -// compute a hash function from the full coverage set, -// return non-zero if the hash value is new. -// This produces tons of new units and as is it's only suitable for small tests, -// e.g. test/FullCoverageSetTest.cpp. FIXME: make it scale. -size_t Fuzzer::RunOneMaximizeFullCoverageSet(const Unit &U) { - __sanitizer_reset_coverage(); - ExecuteCallback(U); - uintptr_t *PCs; - uintptr_t NumPCs =__sanitizer_get_coverage_guards(&PCs); - if (FullCoverageSets.insert(HashOfArrayOfPCs(PCs, NumPCs)).second) - return FullCoverageSets.size(); - return 0; -} - size_t Fuzzer::RunOneMaximizeTotalCoverage(const Unit &U) { size_t NumCounters = __sanitizer_get_number_of_counters(); if (Options.UseCounters) { diff --git a/lib/Fuzzer/test/fuzzer.test b/lib/Fuzzer/test/fuzzer.test index 046c377206d..9bd3c71d3df 100644 --- a/lib/Fuzzer/test/fuzzer.test +++ b/lib/Fuzzer/test/fuzzer.test @@ -17,9 +17,9 @@ TimeoutTest: Test unit written to timeout- RUN: not LLVMFuzzer-NullDerefTest 2>&1 | FileCheck %s --check-prefix=NullDerefTest NullDerefTest: Test unit written to crash- -RUN: not LLVMFuzzer-FullCoverageSetTest -timeout=15 -seed=1 -mutate_depth=2 -use_full_coverage_set=1 2>&1 | FileCheck %s +#not LLVMFuzzer-FullCoverageSetTest -timeout=15 -seed=1 -mutate_depth=2 -use_full_coverage_set=1 2>&1 | FileCheck %s -RUN: not LLVMFuzzer-FourIndependentBranchesTest -timeout=15 -seed=1 -use_full_coverage_set=1 2>&1 | FileCheck %s +#not LLVMFuzzer-FourIndependentBranchesTest -timeout=15 -seed=1 -use_traces=1 2>&1 | FileCheck %s RUN: not LLVMFuzzer-CounterTest -use_counters=1 -max_len=6 -seed=1 -timeout=15 2>&1 | FileCheck %s -- 2.34.1