From: Kostya Serebryany <kcc@google.com>
Date: Tue, 4 Oct 2016 01:51:44 +0000 (+0000)
Subject: [libFuzzer] change the probabilities so that we choose only the inputs that are known... 
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bd79a5935d0f77a222e8699788b64b1e1dda8b84;p=llvm

[libFuzzer] change the probabilities so that we choose only the inputs that are known to be minimal inputs for at least one coverage feature (works only with -shrink=1 for now)

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@283178 91177308-0d34-0410-b5e6-96231b3b80d8
---

diff --git a/lib/Fuzzer/FuzzerCorpus.h b/lib/Fuzzer/FuzzerCorpus.h
index 802f700f5c9..3b76471db6e 100644
--- a/lib/Fuzzer/FuzzerCorpus.h
+++ b/lib/Fuzzer/FuzzerCorpus.h
@@ -127,6 +127,7 @@ private:
       if (!Fe.SmallestElementSize ||
           Fe.SmallestElementSize > Size) {
         II.NumFeatures++;
+        CountingFeatures = true;
         if (Fe.SmallestElementSize > Size) {
           auto &OlderII = Inputs[Fe.SmallestElementIdx];
           assert(OlderII.NumFeatures > 0);
@@ -147,15 +148,22 @@ private:
   // Must be called whenever the corpus or unit weights are changed.
   void UpdateCorpusDistribution() {
     size_t N = Inputs.size();
-    std::vector<double> Intervals(N + 1);
-    std::vector<double> Weights(N);
+    Intervals.resize(N + 1);
+    Weights.resize(N);
     std::iota(Intervals.begin(), Intervals.end(), 0);
-    std::iota(Weights.begin(), Weights.end(), 1);
+    if (CountingFeatures)
+      for (size_t i = 0; i < N; i++)
+        Weights[i] = Inputs[i].NumFeatures * (i + 1);
+    else
+      std::iota(Weights.begin(), Weights.end(), 1);
     CorpusDistribution = std::piecewise_constant_distribution<double>(
         Intervals.begin(), Intervals.end(), Weights.begin());
   }
   std::piecewise_constant_distribution<double> CorpusDistribution;
 
+  std::vector<double> Intervals;
+  std::vector<double> Weights;
+
   std::unordered_set<std::string> Hashes;
   std::vector<InputInfo> Inputs;
 
@@ -164,6 +172,7 @@ private:
     size_t SmallestElementIdx;
     size_t SmallestElementSize;
   };
+  bool CountingFeatures = false;
   Feature FeatureSet[kFeatureSetSize];
 };
 
diff --git a/lib/Fuzzer/build.sh b/lib/Fuzzer/build.sh
index 92d7b8cdbf7..3cbe39dbebb 100755
--- a/lib/Fuzzer/build.sh
+++ b/lib/Fuzzer/build.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 LIBFUZZER_SRC_DIR=$(dirname $0)
 for f in $LIBFUZZER_SRC_DIR/*.cpp; do
-  clang -O2 -std=c++11 $f -c &
+  clang -g -O2 -std=c++11 $f -c &
 done
 wait
 rm -f libFuzzer.a