From 5a52a11ce49b11bbc4c3db71bea43a3bd3667a53 Mon Sep 17 00:00:00 2001
From: Kostya Serebryany <kcc@google.com>
Date: Tue, 4 Oct 2016 01:51:44 +0000
Subject: [PATCH] [libFuzzer] change the probabilities so that we choose only
 the inputs that are known to be minimal inputs for at least one coverage
 feature (works only with -shrink=1 for now)

llvm-svn: 283178
---
 llvm/lib/Fuzzer/FuzzerCorpus.h | 15 ++++++++++++---
 llvm/lib/Fuzzer/build.sh       |  2 +-
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/llvm/lib/Fuzzer/FuzzerCorpus.h b/llvm/lib/Fuzzer/FuzzerCorpus.h
index 802f700..3b76471 100644
--- a/llvm/lib/Fuzzer/FuzzerCorpus.h
+++ b/llvm/lib/Fuzzer/FuzzerCorpus.h
@@ -127,6 +127,7 @@ private:
       if (!Fe.SmallestElementSize ||
           Fe.SmallestElementSize > Size) {
         II.NumFeatures++;
+        CountingFeatures = true;
         if (Fe.SmallestElementSize > Size) {
           auto &OlderII = Inputs[Fe.SmallestElementIdx];
           assert(OlderII.NumFeatures > 0);
@@ -147,15 +148,22 @@ private:
   // Must be called whenever the corpus or unit weights are changed.
   void UpdateCorpusDistribution() {
     size_t N = Inputs.size();
-    std::vector<double> Intervals(N + 1);
-    std::vector<double> Weights(N);
+    Intervals.resize(N + 1);
+    Weights.resize(N);
     std::iota(Intervals.begin(), Intervals.end(), 0);
-    std::iota(Weights.begin(), Weights.end(), 1);
+    if (CountingFeatures)
+      for (size_t i = 0; i < N; i++)
+        Weights[i] = Inputs[i].NumFeatures * (i + 1);
+    else
+      std::iota(Weights.begin(), Weights.end(), 1);
     CorpusDistribution = std::piecewise_constant_distribution<double>(
         Intervals.begin(), Intervals.end(), Weights.begin());
   }
   std::piecewise_constant_distribution<double> CorpusDistribution;
 
+  std::vector<double> Intervals;
+  std::vector<double> Weights;
+
   std::unordered_set<std::string> Hashes;
   std::vector<InputInfo> Inputs;
 
@@ -164,6 +172,7 @@ private:
     size_t SmallestElementIdx;
     size_t SmallestElementSize;
   };
+  bool CountingFeatures = false;
   Feature FeatureSet[kFeatureSetSize];
 };
 
diff --git a/llvm/lib/Fuzzer/build.sh b/llvm/lib/Fuzzer/build.sh
index 92d7b8c..3cbe39d 100755
--- a/llvm/lib/Fuzzer/build.sh
+++ b/llvm/lib/Fuzzer/build.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 LIBFUZZER_SRC_DIR=$(dirname $0)
 for f in $LIBFUZZER_SRC_DIR/*.cpp; do
-  clang -O2 -std=c++11 $f -c &
+  clang -g -O2 -std=c++11 $f -c &
 done
 wait
 rm -f libFuzzer.a
-- 
2.7.4