News
Update on fuzzing with probabilities
Written on 22.11.2023 17:36 by Andreas Zeller
Hi everyone,
In today's lecture, I was puzzled to see that despite specifying a high probability for long numbers...
"<integer>": [("<digit><integer>", opts(prob=0.99)), "<digit>"],
... the fuzzer output would contain only one such long number, with the other <integer>s being single digits.
It turns out that this is on purpose, as the fuzzer limits the expansion length. As soon as the number of nonterminals reaches max_nonterminals, the fuzzer expands the remaining nonterminals with the shortest possible expansion (in our case, <digit>), disregarding all probabilities. You can override this behavior by passing a keyword parameter max_nonterminals to the fuzzer constructor, say max_nonterminals=100. But then you may also get very long expansions, which take some time.
If you want to follow the decisions made by the fuzzer, add log=True as a keyword parameter to the fuzzer constructor, and you'll be able to follow every step.
Enjoy fuzzing – Andreas Zeller
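The limit described in the post above, as an added stand-alone model; it is not part of the original post and not the fuzzer's own code. The <start> rule, the explicit weights (in place of opts(prob=...)), the random choice of which nonterminal to expand next, the simplified cost function, and the names fuzz, cost and integer_lengths are assumptions made for this illustration.

```python
import random
import re

NONTERMINAL = re.compile(r"<[^<> ]+>")

# Constructed sample grammar: the <integer> rule from the post with explicit
# weights, plus a hypothetical <start> rule that asks for four integers.
GRAMMAR = {
    "<start>": [("<integer>,<integer>,<integer>,<integer>", 1.0)],
    "<integer>": [("<digit><integer>", 0.99), ("<digit>", 0.01)],
    "<digit>": [(d, 0.1) for d in "0123456789"],
}

def cost(expansion):
    # Simplification: cost = number of nonterminals the expansion introduces.
    # Enough for this grammar; a real fuzzer computes a recursive minimum cost.
    return len(NONTERMINAL.findall(expansion))

def fuzz(max_nonterminals, seed, grammar=GRAMMAR):
    """Derive one string; switch to shortest expansions once the limit is hit."""
    rng = random.Random(seed)
    term, closing = "<start>", False
    while True:
        pending = list(NONTERMINAL.finditer(term))
        if not pending:
            return term
        # Once the limit is reached, stay in the closing phase for good.
        closing = closing or len(pending) >= max_nonterminals
        node = rng.choice(pending)
        rules = grammar[node.group()]
        if closing:
            # Shortest expansion only; the weights are ignored.
            cheapest = min(cost(e) for e, _ in rules)
            choice = rng.choice([e for e, _ in rules if cost(e) == cheapest])
        else:
            choice = rng.choices([e for e, _ in rules],
                                 weights=[w for _, w in rules])[0]
        term = term[:node.start()] + choice + term[node.end():]

def integer_lengths(output):
    # Number of digits in each comma-separated integer of a fuzz() result.
    return [len(part) for part in output.split(",")]

if __name__ == "__main__":
    for limit in (4, 10, 100):
        print(limit, integer_lengths(fuzz(limit, seed=1)))
```

With a limit of 4 the closing phase starts right after <start> is expanded, so every integer is a single digit even though the long alternative has weight 0.99.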