[libFuzzer] change the strategy for -experimental_len_control to grow max_len slower

llvm-svn: 320531
2017-12-12 23:11:28 +00:00 · 2017-12-12 23:11:28 +00:00 · e9ed2327b6
parent 3cf695aa38
commit e9ed2327b6
5 changed files with 9 additions and 13 deletions
--- a/compiler-rt/lib/fuzzer/FuzzerInternal.h
+++ b/compiler-rt/lib/fuzzer/FuzzerInternal.h
@ -124,8 +124,6 @@ private:
  size_t NumberOfNewUnitsAdded = 0;

  size_t LastCorpusUpdateRun = 0;
-  system_clock::time_point LastCorpusUpdateTime = system_clock::now();
-

  bool HasMoreMallocsThanFrees = false;
  size_t NumberOfLeakDetectionAttempts = 0;
--- a/compiler-rt/lib/fuzzer/FuzzerLoop.cpp
+++ b/compiler-rt/lib/fuzzer/FuzzerLoop.cpp
@ -567,7 +567,6 @@ void Fuzzer::ReportNewCoverage(InputInfo *II, const Unit &U) {
  NumberOfNewUnitsAdded++;
  CheckExitOnSrcPosOrItem(); // Check only after the unit is saved to corpus.
  LastCorpusUpdateRun = TotalNumberOfRuns;
-  LastCorpusUpdateTime = system_clock::now();
 }

 // Tries detecting a memory leak on the particular input that we have just
@ -758,18 +757,15 @@ void Fuzzer::Loop(const Vector<std::string> &CorpusDirs) {
    // Update TmpMaxMutationLen
    if (Options.ExperimentalLenControl) {
      if (TmpMaxMutationLen < MaxMutationLen &&
-          (TotalNumberOfRuns - LastCorpusUpdateRun >
-               Options.ExperimentalLenControl &&
-           duration_cast<seconds>(Now - LastCorpusUpdateTime).count() >= 1)) {
-        LastCorpusUpdateRun = TotalNumberOfRuns;
-        LastCorpusUpdateTime = Now;
+          TotalNumberOfRuns - LastCorpusUpdateRun >
+              Options.ExperimentalLenControl * Log(TmpMaxMutationLen)) {
        TmpMaxMutationLen =
-            Min(MaxMutationLen,
-                TmpMaxMutationLen + Max(size_t(4), TmpMaxMutationLen / 8));
+            Min(MaxMutationLen, TmpMaxMutationLen + Log(TmpMaxMutationLen));
        if (TmpMaxMutationLen <= MaxMutationLen)
          Printf("#%zd\tTEMP_MAX_LEN: %zd (%zd %zd)\n", TotalNumberOfRuns,
                 TmpMaxMutationLen, Options.ExperimentalLenControl,
                 LastCorpusUpdateRun);
+        LastCorpusUpdateRun = TotalNumberOfRuns;
      }
    } else {
      TmpMaxMutationLen = MaxMutationLen;
--- a/compiler-rt/lib/fuzzer/FuzzerTracePC.h
+++ b/compiler-rt/lib/fuzzer/FuzzerTracePC.h
@ -276,7 +276,7 @@ void TracePC::CollectFeatures(Callback HandleFeature) const {

  // Step function, grows similar to 8 * Log_2(A).
  auto StackDepthStepFunction = [](uint32_t A) -> uint32_t {
-    uint32_t Log2 = 32 - __builtin_clz(A) - 1;
+    uint32_t Log2 = Log(A);
    if (Log2 < 3) return A;
    Log2 -= 3;
    return (Log2 + 1) * 8 + ((A >> Log2) & 7);
--- a/compiler-rt/lib/fuzzer/FuzzerUtil.h
+++ b/compiler-rt/lib/fuzzer/FuzzerUtil.h
@ -80,6 +80,8 @@ std::string SearchRegexCmd(const std::string &Regex);

 size_t SimpleFastHash(const uint8_t *Data, size_t Size);

+inline uint32_t Log(uint32_t X) { return 32 - __builtin_clz(X) - 1; }
+
 }  // namespace fuzzer

 #endif  // LLVM_FUZZER_UTIL_H
--- a/compiler-rt/test/fuzzer/trace-malloc-unbalanced.test
+++ b/compiler-rt/test/fuzzer/trace-malloc-unbalanced.test
@ -6,10 +6,10 @@ UNSUPPORTED: darwin

 RUN: %cpp_compiler %S/TraceMallocTest.cpp -o %t-TraceMallocTest

-RUN: %t-TraceMallocTest -seed=1 -trace_malloc=1 -runs=100 2>&1 | \
+RUN: %t-TraceMallocTest -seed=1 -trace_malloc=1 -runs=200 2>&1 | \
 RUN:    %libfuzzer_src/scripts/unbalanced_allocs.py --skip=5 | FileCheck %s

-RUN: %t-TraceMallocTest -seed=1 -trace_malloc=2 -runs=100 2>&1 | \
+RUN: %t-TraceMallocTest -seed=1 -trace_malloc=2 -runs=200 2>&1 | \
 RUN:    %libfuzzer_src/scripts/unbalanced_allocs.py --skip=5 | FileCheck %s --check-prefixes=CHECK,CHECK2

 CHECK: MallocFreeTracer: START