fuzz: Port correctness/cse fuzzer over to libfuzzer by nathaniel-brough · Pull Request #7543 · halide/Halide · GitHub

fuzz: Port correctness/cse fuzzer over to libfuzzer #7543


Merged
merged 1 commit into from
May 2, 2023
1 change: 0 additions & 1 deletion test/correctness/CMakeLists.txt
Expand Up @@ -114,7 +114,6 @@ tests(GROUPS correctness
fuse_gpu_threads.cpp
fused_where_inner_extent_is_zero.cpp
fuzz_bounds.cpp
fuzz_cse.cpp
fuzz_float_stores.cpp
gameoflife.cpp
gather.cpp
99 changes: 0 additions & 99 deletions test/correctness/fuzz_cse.cpp

This file was deleted.

21 changes: 12 additions & 9 deletions test/fuzz/CMakeLists.txt
@@ -1,6 +1,7 @@
tests(GROUPS fuzz
SOURCES
simplify.cpp
cse.cpp
)


Expand All @@ -13,14 +14,16 @@ tests(GROUPS fuzz
set(LIB_FUZZING_ENGINE "$ENV{LIB_FUZZING_ENGINE}"
CACHE STRING "Compiler flags necessary to link the fuzzing engine of choice e.g. libfuzzer, afl etc.")

target_link_libraries(fuzz_simplify PRIVATE Halide::Halide)
foreach(fuzzer "fuzz_simplify" "fuzz_cse")
target_link_libraries(${fuzzer} PRIVATE Halide::Halide)

# Allow OSS-fuzz to manage flags directly
if (LIB_FUZZING_ENGINE)
target_link_libraries(fuzz_simplify PRIVATE "${LIB_FUZZING_ENGINE}")
else ()
# By default just build with address-sanitizers/libfuzzer for local testing
target_compile_options(fuzz_simplify PRIVATE -fsanitize=fuzzer-no-link,address)
target_link_options(fuzz_simplify PRIVATE -fsanitize=fuzzer,address)
endif ()
# Allow OSS-fuzz to manage flags directly
if (LIB_FUZZING_ENGINE)
target_link_libraries(${fuzzer} PRIVATE "${LIB_FUZZING_ENGINE}")
else ()
# By default just build with address-sanitizers/libfuzzer for local testing
target_compile_options(${fuzzer} PRIVATE -fsanitize=fuzzer-no-link,address)
target_link_options(${fuzzer} PRIVATE -fsanitize=fuzzer,address)
endif ()
endforeach()
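Review bot: In the `else ()` branch the sanitizer and coverage flags are attached with `PRIVATE` to each `${fuzzer}` target, so as far as this file shows only the harness translation unit is instrumented. Unless `Halide::Halide` is itself built with matching `-fsanitize` flags elsewhere, libFuzzer would get no coverage feedback from the simplifier or CSE code it is meant to explore, and ASan's compile-time checks would cover only the harness. A comment above the branch stating the expected library build would make that explicit, e.g. `# Instruments the harness only; configure Halide itself with -fsanitize=fuzzer-no-link,address for coverage-guided runs`. Separately, the names in `foreach(fuzzer "fuzz_simplify" "fuzz_cse")` repeat the `SOURCES` list by hand, so a fuzzer added to one list and not the other would presumably be built without these options.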

87 changes: 87 additions & 0 deletions test/fuzz/cse.cpp
@@ -0,0 +1,87 @@
#include "Halide.h"

#include <fuzzer/FuzzedDataProvider.h>
#include <time.h>

using namespace Halide;
using namespace Halide::Internal;
using std::vector;

Expr random_expr(FuzzedDataProvider &fdp, int depth, vector<Expr> &exprs) {
if (depth <= 0) {
return fdp.ConsumeIntegralInRange<int>(-5, 4);
Contributor Author


Looks fine #7546 original rng() % 10 - 5

}

if (!exprs.empty() && fdp.ConsumeBool()) {
// Reuse an existing expression
return exprs[fdp.ConsumeIntegralInRange<size_t>(0, exprs.size() - 1)];
Contributor Author


Looks fine, explicitly references size()-1

Contributor


Or better yet, use PickValueInArray()?

Contributor Author

PickValueInArray doesn't work on vectors... see implementation although this is probably annoying enough that I might just create a PR with the LLVM project.

Contributor


ah, I see, got it. (Not sure if LLVM change is worth the hassle, I gather that libfuzzer is unmaintained at this point as there are now bigger and better fuzzing engines)

Contributor


(But could always just make a local PickValueInVector() wrapper to use in these tests, nice for clarity)

}

Expr next;
switch (fdp.ConsumeIntegralInRange<int>(0, 8)) {
Contributor Author


This looks ok.

Contributor


If the idea is that a value of 8 is intended to hit the default case, we should add a comment to that effect

Contributor Author


yeah that's what it looks like, I was mostly just attempting to replicate the original logic but while I'm at it I can probably make this clearer too.

case 0:
next = Var("x");
break;
case 1:
next = Var("y");
break;
case 2:
next = Var("z");
break;
case 3:
// Any binary op is equally good
next = random_expr(fdp, depth - 1, exprs);
next += random_expr(fdp, depth - 1, exprs);
break;
case 4: {
Expr a = random_expr(fdp, depth - 2, exprs);
Expr b = random_expr(fdp, depth - 2, exprs);
Expr c = random_expr(fdp, depth - 2, exprs);
Expr d = random_expr(fdp, depth - 2, exprs);
next = select(a > b, c, d);
break;
}
case 5: {
Expr a = random_expr(fdp, depth - 1, exprs);
Expr b = random_expr(fdp, depth - 1, exprs);
next = Let::make("x", a, b);
break;
}
case 6: {
Expr a = random_expr(fdp, depth - 1, exprs);
Expr b = random_expr(fdp, depth - 1, exprs);
next = Let::make("y", a, b);
break;
}
case 7: {
Expr a = random_expr(fdp, depth - 1, exprs);
Expr b = random_expr(fdp, depth - 1, exprs);
next = Let::make("z", a, b);
break;
}
default:
next = fdp.ConsumeIntegralInRange<int>(-5, 4);
Contributor Author


This looks ok.

}
exprs.push_back(next);
return next;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
FuzzedDataProvider fdp(data, size);
vector<Expr> exprs;
Expr orig = random_expr(fdp, 5, exprs);

Expr csed = common_subexpression_elimination(orig);

Expr check = (orig == csed);
check = Let::make("x", 1, check);
check = Let::make("y", 2, check);
check = Let::make("z", 3, check);
Stmt check_stmt = uniquify_variable_names(Evaluate::make(check));
check = check_stmt.as<Evaluate>()->value;

// Don't use can_prove, because it recursively calls cse, which just confuses matters.
assert(is_const_one(simplify(check)));

return 0;
}
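Review bot: The only correctness oracle in `LLVMFuzzerTestOneInput` is `assert(is_const_one(simplify(check)))`, and if that is the standard `assert` macro it compiles to nothing whenever the target is built with `NDEBUG` defined, as optimized CMake configurations commonly do. In such a build the fuzzer would still surface crashes and sanitizer reports but would silently stop detecting a CSE result that differs from the original expression. An unconditional check keeps the property enforced in every build type, for example `if (!is_const_one(simplify(check))) { abort(); }` with `<cstdlib>` included. `<time.h>` also looks unused now that all randomness comes from `FuzzedDataProvider`.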