Options.UseCounters = Flags.use_counters;
Options.UseTraces = Flags.use_traces;
Options.UseFullCoverageSet = Flags.use_full_coverage_set;
- Options.UseCoveragePairs = Flags.use_coverage_pairs;
Options.PreferSmallDuringInitialShuffle =
Flags.prefer_small_during_initial_shuffle;
Options.Tokens = ReadTokensFile(Flags.tokens);
"Experimental: Maximize the number of different full"
" coverage sets as opposed to maximizing the total coverage."
" This is potentially MUCH slower, but may discover more paths.")
-FUZZER_FLAG_INT(use_coverage_pairs, 0,
- "Experimental: Maximize the number of different coverage pairs.")
FUZZER_FLAG_INT(jobs, 0, "Number of jobs to run. If jobs >= 1 we spawn"
" this number of jobs in separate worker processes"
" with stdout/stderr redirected to fuzz-JOB.log.")
bool UseCounters = false;
bool UseTraces = false;
bool UseFullCoverageSet = false;
- bool UseCoveragePairs = false;
bool Reload = true;
int PreferSmallDuringInitialShuffle = -1;
size_t MaxNumberOfRuns = ULONG_MAX;
std::vector<Unit> Corpus;
std::unordered_set<std::string> UnitHashesAddedToCorpus;
std::unordered_set<uintptr_t> FullCoverageSets;
- std::unordered_set<uint64_t> CoveragePairs;
// For UseCounters
std::vector<uint8_t> CounterBitmap;
size_t Res = 0;
if (Options.UseFullCoverageSet)
Res = RunOneMaximizeFullCoverageSet(U);
- else if (Options.UseCoveragePairs)
- Res = RunOneMaximizeCoveragePairs(U);
else
Res = RunOneMaximizeTotalCoverage(U);
auto UnitStopTime = system_clock::now();
}
}
-// Experimental. Does not yet scale.
-// Fuly reset the current coverage state, run a single unit,
-// collect all coverage pairs and return non-zero if a new pair is observed.
-size_t Fuzzer::RunOneMaximizeCoveragePairs(const Unit &U) {
- __sanitizer_reset_coverage();
- ExecuteCallback(U);
- uintptr_t *PCs;
- uintptr_t NumPCs = __sanitizer_get_coverage_guards(&PCs);
- bool HasNewPairs = false;
- for (uintptr_t i = 0; i < NumPCs; i++) {
- if (!PCs[i]) continue;
- for (uintptr_t j = 0; j < NumPCs; j++) {
- if (!PCs[j]) continue;
- uint64_t Pair = (i << 32) | j;
- HasNewPairs |= CoveragePairs.insert(Pair).second;
- }
- }
- if (HasNewPairs)
- return CoveragePairs.size();
- return 0;
-}
-
// Experimental.
// Fuly reset the current coverage state, run a single unit,
// compute a hash function from the full coverage set,
RUN: not ./LLVMFuzzer-FullCoverageSetTest -timeout=15 -seed=1 -mutate_depth=2 -use_full_coverage_set=1 2>&1 | FileCheck %s
-RUN: not ./LLVMFuzzer-FourIndependentBranchesTest -timeout=15 -seed=1 -use_coverage_pairs=1 2>&1 | FileCheck %s
+RUN: not ./LLVMFuzzer-FourIndependentBranchesTest -timeout=15 -seed=1 -use_full_coverage_set=1 2>&1 | FileCheck %s
RUN: not ./LLVMFuzzer-CounterTest -use_counters=1 -max_len=6 -seed=1 -timeout=15 2>&1 | FileCheck %s
projects / platform / upstream / llvm.git / commitdiff