[WIP] Random weight and favored

[jiradeto]

This PR is basically a combination of random favored idea #4 and weight random selection #5.

[jiradeto]

I am setting up the fuzzbench experiment with the following fuzzers.

1. vanilla AFL
2. the latest setting of the random favored PR (increase_boost_inputs && base_weight_fac == 4.0 && max_weight_fac_decr == 3.75)
3. combination of random favored and weight random selection (this PR with the customzed values same as fuzzer no.2 — increase_boost_inputs && base_weight_fac == 4.0 && max_weight_fac_decr == 3.75)
4. combination of random favored and weight random selection (this PR with default parameters)

@wuestholz, could you please help to confirm that I have correct fuzzers for the evaluation?

[wuestholz]

@jiradeto Thanks! This will be a local experiment, right?

Did you already run an experiment to compare increase_boost_inputs with new_increase_boost_fast_seqs (from #4 (comment))? If not we should also include just the increase_boost_inputs configuration.

[jiradeto]

@jiradeto Thanks! This will be a local experiment, right?

@wuestholz, yes I mean the local experiment.

So, based on your your comment in another PR (#4 (comment)), I assume the current setting means the default value of increase_boost_inputs which is:

default && max_weight_fac_incr == 15.0

If this is the case, I will run local fuzzbench with the following fuzzers:

1. vanilla AFL
2. the increase_boost_inputs setting of the random favored PR (max_weight_fac_incr == 15.0)
3. combination of random favored and weight random selection (this PR with max_weight_fac_incr == 15.0)
4. combination of random favored and weight random selection (this PR with default parameters)

Could you please tell me if I am missing something?

[wuestholz]

@jiradeto Great! Thanks!

I think we don't need the fourth configuration.

Could you please also update this PR to make 15.0 the default value?

[wuestholz]

Let's add the following flags:

• DISABLE_WRS: disables weighted random selection
• DISABLE_RF: disables random favorites
• ENABLE_UF: enables uniformly random favorites (i.e., weight always 1)
• DISABLE_FAVS: disables favorites by considering every seed to be a favorite

[jiradeto]

• DISABLE_RF: disables random favorites

@wuestholz, does this mean that we disable both random weighted selection (PR #5) and uniformly random favorites (PR #4)?

[wuestholz]

• DISABLE_RF: disables random favorites

@wuestholz, does this mean that we disable both random weighted selection (PR #5) and uniformly random favorites (PR #4)?

@jiradeto No, just uniformly random favorites (PR #4).

[jiradeto]

• DISABLE_RF: disables random favorites

@wuestholz, does this mean that we disable both random weighted selection (PR #5) and uniformly random favorites (PR #4)?

@jiradeto No, just uniformly random favorites (PR #4).

@wuestholz OK, that makes sense.

But I am unsure when to use ENABLE_UF since the default weight is already set to 1.0 and untouched if additional parameters enable_throttle_inputs, enable_boost_fast_seqs, enable_boost_inputs are not enabled.

[wuestholz]

• DISABLE_RF: disables random favorites

@wuestholz, does this mean that we disable both random weighted selection (PR #5) and uniformly random favorites (PR #4)?

@jiradeto No, just uniformly random favorites (PR #4).

@wuestholz OK, that makes sense.

But I am unsure when to use ENABLE_UF since the default weight is already set to 1.0 and untouched if additional parameters enable_throttle_inputs, enable_boost_fast_seqs, enable_boost_inputs are not enabled.

@jiradeto I see. I suggest we replace enable_throttle_inputs, enable_boost_fast_seqs, and enable_boost_inputs with a single flag ENABLE_UF. When it is not set we will use enable_boost_fast_seqs and enable_boost_inputs.

We can probably remove the enable_throttle_inputs flag and the corresponding code.

[wuestholz]

@jiradeto Great! Thanks for the latest changes. There's only a small typo I noticed. I think we could try to set up a fuzzbench experiment with the following fuzzers:

1. afl (vanilla AFL)
2. afl_no_favs: DISABLE_WRS && DISABLE_RF && !ENABLE_UF && DISABLE_FAVS
3. afl_wrs_rf: !DISABLE_WRS && !DISABLE_RF && !ENABLE_UF && !DISABLE_FAVS
4. afl_rf: DISABLE_WRS && !DISABLE_RF && !ENABLE_UF && !DISABLE_FAVS
5. afl_rf_u: DISABLE_WRS && !DISABLE_RF && ENABLE_UF && !DISABLE_FAVS
6. afl_wrs: !DISABLE_WRS && DISABLE_RF && !ENABLE_UF && !DISABLE_FAVS

Can you think of another setup that would be interesting?

[jiradeto]

@wuestholz. Thanks for your recommendation! May be we could also try with the following setting:

7. afl_rf_u_wrs: !DISABLE_WRS && !DISABLE_RF && ENABLE_UF && !DISABLE_FAVS

BTW, you mean the local fuzzbench experiment or the public one?

[wuestholz]

@jiradeto Sure, why not. :) Thanks!

I was thinking a public one.

[jiradeto]

@wuestholz, I feel that I'd rather at least have a local experiment result before I can go with the public one. Maybe we should start with the local experiment to see whether the above configurations behave properly?

[wuestholz]

@jiradeto Sure, that's also fine with me. 👍

[wuestholz]

@jiradeto As discussed, I would first do the following:

1. close [WIP] Increment probability over time for random params #8
2. merge [WIP] Assign probability for random params per seed #9
3. merge [WIP] Randomize fuzzing params with prob #7
4. close [WIP] No favorites #3, [WIP] Random favorites #4, and [WIP] Weighted random seed selection #5

Afterwards, it would be great if you could run a local experiment that compares the following:

1. afl (vanilla AFL)
2. afl_wrs_rf: !DISABLE_WRS && !DISABLE_RF && !ENABLE_UF && !DISABLE_FAVS && DISABLE_RP
3. afl_wrs_rf_u: !DISABLE_WRS && !DISABLE_RF && ENABLE_UF && !DISABLE_FAVS && DISABLE_RP
4. afl_wrs_rf_t: !DISABLE_WRS && !DISABLE_RF && !ENABLE_UF && !DISABLE_FAVS && DISABLE_RP && changes below

The changes for the last configuration are:

      if (!enable_uniformly_random_favorites) {
        // enable_boost_inputs
        double base_weight_fac_boost_inputs = 1.0;
        double max_weight_fac_incr = 7.0;
        double scale_fac_boost_inputs = 0.001;
        double num_selections = (double)q->num_fuzzed;
        weight *= base_weight_fac_boost_inputs + max_weight_fac_incr / (scale_fac_boost_inputs * num_selections + 1.0);

        // enable_boost_fast_seqs
        double base_weight_fac_boost_fast = 8.0;
        double max_weight_fac_decr = 7.0;
        double scale_fac_boost_fast = 0.005;
        double execs_per_sec = 1000000.0 / (double) q->exec_us;
        weight *= base_weight_fac_boost_fast - max_weight_fac_decr / (scale_fac_boost_fast*execs_per_sec + 1.0);
      }

[jiradeto]

@wuestholz thank you for your detailed guidance. The fuzzbench evaluation for the changes you requested is available and can access using the following links:

• bloaty
• sqlite
• libjpeg
• libxml
• freetype

[wuestholz]

@jiradeto Thanks a lot! Looks like it's slightly better. If you agree I suggest we update the code.