Unify the metadata handling between the Centipede builtin mutator and the adaptor mutator.

xinhaoyuan · copybara-github · commit 849140798659 · 2025-10-08T11:17:16.000-07:00
Also, use a class member of vector&lt;optional&lt;TORC&gt;&gt; instead of per-function vector&lt;unique_ptr&lt;TORC&gt;&gt; to reduce dynamic memory allocations.

Note that the mutation functions are still separate due to the differences that the builtin mutator supports crossover while the adaptor mutator generates init inputs at a small chance.

PiperOrigin-RevId: 816786388
diff --git a/centipede/BUILD b/centipede/BUILD
@@ -926,6 +926,7 @@ cc_library(
         "@abseil-cpp//absl/random",
         "@abseil-cpp//absl/types:span",
         "@com_google_fuzztest//common:defs",
+        "@com_google_fuzztest//common:logging",
         "@com_google_fuzztest//fuzztest:domain_core",
         "@com_google_fuzztest//fuzztest/internal:table_of_recent_compares",
     ],
diff --git a/centipede/fuzztest_mutator.cc b/centipede/fuzztest_mutator.cc
@@ -18,7 +18,9 @@
 #include <cstddef>
 #include <cstdint>
 #include <cstdlib>
+#include <cstring>
 #include <memory>
+#include <optional>
 #include <utility>
 #include <vector>
 
@@ -29,6 +31,7 @@
 #include "./centipede/knobs.h"
 #include "./centipede/mutation_input.h"
 #include "./common/defs.h"
+#include "./common/logging.h"
 #include "./fuzztest/domain_core.h"
 #include "./fuzztest/internal/table_of_recent_compares.h"
 
@@ -39,10 +42,48 @@ namespace {
 using MutatorDomainBase =
     decltype(fuzztest::VectorOf(fuzztest::Arbitrary<uint8_t>()));
 
+template <typename T>
+void InsertCmpEntryIntoIntegerDictionary(const uint8_t* a, const uint8_t* b,
+                                         TablesOfRecentCompares& cmp_tables) {
+  T a_int;
+  T b_int;
+  std::memcpy(&a_int, a, sizeof(T));
+  std::memcpy(&b_int, b, sizeof(T));
+  cmp_tables.GetMutable<sizeof(T)>().Insert(a_int, b_int);
+}
+
 }  // namespace
 
+void PopulateCmpEntries(const ExecutionMetadata& metadata,
+                        TablesOfRecentCompares& cmp_tables) {
+  // Size limits on the cmp entries to be populated.
+  static constexpr uint8_t kMaxCmpEntrySize = 15;
+  static constexpr uint8_t kMinCmpEntrySize = 2;
+
+  metadata.ForEachCmpEntry([&cmp_tables](fuzztest::internal::ByteSpan a,
+                                         fuzztest::internal::ByteSpan b) {
+    FUZZTEST_CHECK(a.size() == b.size())
+        << "cmp operands must have the same size";
+    const size_t size = a.size();
+    if (size < kMinCmpEntrySize) return;
+    if (size > kMaxCmpEntrySize) return;
+    if (size == 2) {
+      InsertCmpEntryIntoIntegerDictionary<uint16_t>(a.data(), b.data(),
+                                                    cmp_tables);
+    } else if (size == 4) {
+      InsertCmpEntryIntoIntegerDictionary<uint32_t>(a.data(), b.data(),
+                                                    cmp_tables);
+    } else if (size == 8) {
+      InsertCmpEntryIntoIntegerDictionary<uint64_t>(a.data(), b.data(),
+                                                    cmp_tables);
+    }
+    cmp_tables.GetMutable<0>().Insert(a.data(), b.data(), size);
+  });
+}
+
 struct FuzzTestMutator::MutationMetadata {
-  fuzztest::internal::TablesOfRecentCompares cmp_tables;
+  std::vector<std::optional<fuzztest::internal::TablesOfRecentCompares>>
+      cmp_tables;
 };
 
 class FuzzTestMutator::MutatorDomain : public MutatorDomainBase {
@@ -101,42 +142,36 @@ void FuzzTestMutator::CrossOver(ByteArray &data, const ByteArray &other) {
 std::vector<ByteArray> FuzzTestMutator::MutateMany(
     const std::vector<MutationInputRef> &inputs, size_t num_mutants) {
   if (inputs.empty()) abort();
-  // TODO(xinhaoyuan): Consider metadata in other inputs instead of always the
-  // first one.
-  SetMetadata(inputs[0].metadata != nullptr ? *inputs[0].metadata
-                                            : ExecutionMetadata());
+  auto& cmp_tables = mutation_metadata_->cmp_tables;
+  cmp_tables.resize(inputs.size());
   std::vector<ByteArray> mutants;
   mutants.reserve(num_mutants);
   for (int i = 0; i < num_mutants; ++i) {
-    auto mutant = inputs[absl::Uniform<size_t>(prng_, 0, inputs.size())].data;
+    auto index = absl::Uniform<size_t>(prng_, 0, inputs.size());
+    if (!cmp_tables[index].has_value() && inputs[index].metadata != nullptr) {
+      cmp_tables[index].emplace(/*compact=*/true);
+      PopulateCmpEntries(*inputs[index].metadata, *cmp_tables[index]);
+    }
+    auto mutant = inputs[index].data;
     if (mutant.size() > max_len_) mutant.resize(max_len_);
     if (knobs_.GenerateBool(knob_mutate_or_crossover, prng_())) {
       // Perform crossover with some other input. It may be the same input.
       const auto &other_input =
           inputs[absl::Uniform<size_t>(prng_, 0, inputs.size())].data;
       CrossOver(mutant, other_input);
     } else {
-      domain_->Mutate(mutant, prng_,
-                      {/*cmp_tables=*/&mutation_metadata_->cmp_tables},
-                      /*only_shrink=*/false);
+      domain_->Mutate(
+          mutant, prng_,
+          {/*cmp_tables=*/cmp_tables[index].has_value() ? &*cmp_tables[index]
+                                                        : nullptr},
+          /*only_shrink=*/false);
     }
     mutants.push_back(std::move(mutant));
   }
+  cmp_tables.clear();
   return mutants;
 }
 
-void FuzzTestMutator::SetMetadata(const ExecutionMetadata &metadata) {
-  metadata.ForEachCmpEntry([this](ByteSpan a, ByteSpan b) {
-    size_t size = a.size();
-    if (size < kMinCmpEntrySize) return;
-    if (size > kMaxCmpEntrySize) return;
-    // Use the memcmp table to avoid subtlety of the container domain mutation
-    // with integer tables. E.g. it won't insert integer comparison data.
-    mutation_metadata_->cmp_tables.GetMutable<0>().Insert(a.data(), b.data(),
-                                                          size);
-  });
-}
-
 bool FuzzTestMutator::set_max_len(size_t max_len) {
   max_len_ = max_len;
   domain_->WithMaxSize(max_len);
diff --git a/centipede/fuzztest_mutator.h b/centipede/fuzztest_mutator.h
@@ -24,9 +24,14 @@
 #include "./centipede/knobs.h"
 #include "./centipede/mutation_input.h"
 #include "./common/defs.h"
+#include "./fuzztest/internal/table_of_recent_compares.h"
 
 namespace fuzztest::internal {
 
+// Populates comparison entries in `metadata` to `cmp_tables`.
+void PopulateCmpEntries(const ExecutionMetadata& metadata,
+                        TablesOfRecentCompares& cmp_tables);
+
 // Mutator based on the FuzzTest std::vector domain.  It always
 // generates non-empty results, with a default limit on the mutant
 // size unless changed by `set_max_len`.
@@ -56,19 +61,12 @@ class FuzzTestMutator {
   struct MutationMetadata;
   class MutatorDomain;
 
-  // Propagates the execution `metadata` to the internal mutation dictionary.
-  void SetMetadata(const ExecutionMetadata& metadata);
-
   // The crossover algorithm based on the legacy ByteArrayMutator.
   // TODO(ussuri): Implement and use the domain level crossover.
   void CrossOverInsert(ByteArray &data, const ByteArray &other);
   void CrossOverOverwrite(ByteArray &data, const ByteArray &other);
   void CrossOver(ByteArray &data, const ByteArray &other);
 
-  // Size limits on the cmp entries to be used in mutation.
-  static constexpr uint8_t kMaxCmpEntrySize = 15;
-  static constexpr uint8_t kMinCmpEntrySize = 2;
-
   const Knobs &knobs_;
   Rng prng_;
   size_t max_len_ = 1000;
diff --git a/fuzztest/internal/BUILD b/fuzztest/internal/BUILD
@@ -77,6 +77,7 @@ cc_library(
         "@com_google_fuzztest//centipede:centipede_runner_no_main",
         "@com_google_fuzztest//centipede:environment",
         "@com_google_fuzztest//centipede:execution_metadata",
+        "@com_google_fuzztest//centipede:fuzztest_mutator",
         "@com_google_fuzztest//centipede:mutation_input",
         "@com_google_fuzztest//centipede:runner_result",
         "@com_google_fuzztest//centipede:stop",
diff --git a/fuzztest/internal/centipede_adaptor.cc b/fuzztest/internal/centipede_adaptor.cc
@@ -69,6 +69,7 @@
 #include "./centipede/centipede_interface.h"
 #include "./centipede/environment.h"
 #include "./centipede/execution_metadata.h"
+#include "./centipede/fuzztest_mutator.h"
 #include "./centipede/mutation_input.h"
 #include "./centipede/runner_interface.h"
 #include "./centipede/runner_result.h"
@@ -524,8 +525,8 @@ class CentipedeAdaptorRunnerCallbacks
               std::function<void(fuzztest::internal::ByteSpan)>
                   new_mutant_callback) override {
     if (inputs.empty()) return false;
-    std::vector<std::unique_ptr<TablesOfRecentCompares>> input_cmp_tables(
-        inputs.size());
+    cmp_tables.resize(inputs.size());
+    absl::Cleanup cmp_tables_cleaner = [this]() { cmp_tables.clear(); };
     for (size_t i = 0; i < num_mutants; ++i) {
       const auto choice = absl::Uniform<double>(prng_, 0, 1);
       std::string mutant_data;
@@ -546,14 +547,16 @@ class CentipedeAdaptorRunnerCallbacks
         }
         auto mutant = FuzzTestFuzzerImpl::Input{*std::move(parsed_origin)};
         if (runtime_.run_mode() == RunMode::kFuzz &&
-            input_cmp_tables[origin_index] == nullptr) {
-          input_cmp_tables[origin_index] =
-              std::make_unique<TablesOfRecentCompares>(/*compact=*/true);
-          PopulateMetadata(inputs[origin_index].metadata,
-                           *input_cmp_tables[origin_index]);
+            !cmp_tables[origin_index].has_value() &&
+            inputs[origin_index].metadata != nullptr) {
+          cmp_tables[origin_index].emplace(/*compact=*/true);
+          PopulateCmpEntries(*inputs[origin_index].metadata,
+                             *cmp_tables[origin_index]);
         }
-        fuzzer_impl_.MutateValue(mutant, prng_,
-                                 {input_cmp_tables[origin_index].get()});
+        fuzzer_impl_.MutateValue(
+            mutant, prng_,
+            {cmp_tables[origin_index].has_value() ? &*cmp_tables[origin_index]
+                                                  : nullptr});
         mutant_data =
             fuzzer_impl_.params_domain_.SerializeCorpus(mutant.args).ToString();
       }
@@ -566,49 +569,12 @@ class CentipedeAdaptorRunnerCallbacks
   ~CentipedeAdaptorRunnerCallbacks() override { runtime_.UnsetCurrentArgs(); }
 
  private:
-  template <typename T>
-  static void InsertCmpEntryIntoIntegerDictionary(
-      const uint8_t* a, const uint8_t* b, TablesOfRecentCompares& cmp_tables) {
-    T a_int;
-    T b_int;
-    memcpy(&a_int, a, sizeof(T));
-    memcpy(&b_int, b, sizeof(T));
-    cmp_tables.GetMutable<sizeof(T)>().Insert(a_int, b_int);
-  }
-
-  static void PopulateMetadata(
-      const fuzztest::internal::ExecutionMetadata* metadata,
-      TablesOfRecentCompares& cmp_tables) {
-    if (metadata == nullptr) return;
-    metadata->ForEachCmpEntry([&cmp_tables](fuzztest::internal::ByteSpan a,
-                                            fuzztest::internal::ByteSpan b) {
-      FUZZTEST_CHECK(a.size() == b.size())
-          << "cmp operands must have the same size";
-      const size_t size = a.size();
-      if (size < kMinCmpEntrySize) return;
-      if (size > kMaxCmpEntrySize) return;
-      if (size == 2) {
-        InsertCmpEntryIntoIntegerDictionary<uint16_t>(a.data(), b.data(),
-                                                      cmp_tables);
-      } else if (size == 4) {
-        InsertCmpEntryIntoIntegerDictionary<uint32_t>(a.data(), b.data(),
-                                                      cmp_tables);
-      } else if (size == 8) {
-        InsertCmpEntryIntoIntegerDictionary<uint64_t>(a.data(), b.data(),
-                                                      cmp_tables);
-      }
-      cmp_tables.GetMutable<0>().Insert(a.data(), b.data(), size);
-    });
-  }
-
-  // Size limits on the cmp entries to be used in mutation.
-  static constexpr uint8_t kMaxCmpEntrySize = 15;
-  static constexpr uint8_t kMinCmpEntrySize = 2;
-
   Runtime& runtime_;
   FuzzTestFuzzerImpl& fuzzer_impl_;
   const Configuration& configuration_;
   absl::BitGen prng_;
+  std::vector<std::optional<fuzztest::internal::TablesOfRecentCompares>>
+      cmp_tables;
 };
 
 namespace {
