| Issue |
149942
|
| Summary |
Fuzzer: test case minimizer handles input size incorrectly for `mutate_depth > 1`
|
| Labels |
new issue
|
| Assignees |
|
| Reporter |
andyleiserson
|
This bug is in the `MinimizeCrashLoop` function here:
https://github.com/llvm/llvm-project/blob/354944d675c04c87bc0e9ebcca900148f5a344b8/compiler-rt/lib/fuzzer/FuzzerLoop.cpp#L919
On line 926, it passes `U.size()` to `MD.Mutate`. `U.size()` is the size of the unit at the start of the function, but after the call to `MD.Mutate`, there is a revised size in `NewSize`. If `mutate_depth` is not 1, passing `U.size()` to subsequent calls to the mutator is incorrect. This caused problems in my custom mutator, which was attempting to maintain certain properties of the input strings. I am able to work around the problem by setting `mutate_depth` to 1.
![]()
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
