diff options
| author | Dmitry Vyukov <dvyukov@google.com> | 2024-07-22 11:55:51 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2024-07-25 13:12:57 +0000 |
| commit | 206f31df2861c47b13a8c05a105afa94bcc7106c (patch) | |
| tree | 2db151bd0bc6518f37feb5f9a573ed4aa6bad6c9 | |
| parent | d9a55b9ef2222758810552af591247198c3c1ee9 (diff) | |
pkg/fuzzer: tune parameters for snapshot mode
Tune number of deflake/minimize runs in snapshot more.
Presumably snapshot mode must be more stable and should
require fewer runs.
| -rw-r--r-- | pkg/fuzzer/fuzzer.go | 1 | ||||
| -rw-r--r-- | pkg/fuzzer/job.go | 25 | ||||
| -rw-r--r-- | syz-manager/manager.go | 1 |
3 files changed, 19 insertions, 8 deletions
diff --git a/pkg/fuzzer/fuzzer.go b/pkg/fuzzer/fuzzer.go index 0b7af3c98..88e4a5965 100644 --- a/pkg/fuzzer/fuzzer.go +++ b/pkg/fuzzer/fuzzer.go @@ -168,6 +168,7 @@ type Config struct { Debug bool Corpus *corpus.Corpus Logf func(level int, msg string, args ...interface{}) + Snapshot bool Coverage bool FaultInjection bool Comparisons bool diff --git a/pkg/fuzzer/job.go b/pkg/fuzzer/job.go index 99ff3c433..8586c6861 100644 --- a/pkg/fuzzer/job.go +++ b/pkg/fuzzer/job.go @@ -96,12 +96,13 @@ type triageCall struct { // of runs for the additional work. With 2/6 criteria, a program with 60% flakiness has // 96% chance to be kept in the corpus after retriage. const ( - deflakeNeedRuns = 3 - deflakeMaxRuns = 5 - deflakeNeedCorpusRuns = 2 - deflakeMinCorpusRuns = 4 - deflakeMaxCorpusRuns = 6 - deflakeTotalCorpusRuns = 20 + deflakeNeedRuns = 3 + deflakeMaxRuns = 5 + deflakeNeedCorpusRuns = 2 + deflakeMinCorpusRuns = 4 + deflakeMaxCorpusRuns = 6 + deflakeTotalCorpusRuns = 20 + deflakeNeedSnapshotRuns = 2 ) func (job *triageJob) execute(req *queue.Request, flags ProgFlags) *queue.Result { @@ -179,7 +180,9 @@ func (job *triageJob) handleCall(call int, info *triageCall) { func (job *triageJob) deflake(exec func(*queue.Request, ProgFlags) *queue.Result) (stop bool) { needRuns := deflakeNeedCorpusRuns - if job.flags&ProgFromCorpus == 0 { + if job.fuzzer.Config.Snapshot { + needRuns = deflakeNeedSnapshotRuns + } else if job.flags&ProgFromCorpus == 0 { needRuns = deflakeNeedRuns } prevTotalNewSignal := 0 @@ -249,6 +252,9 @@ func (job *triageJob) deflake(exec func(*queue.Request, ProgFlags) *queue.Result } func (job *triageJob) stopDeflake(run, needRuns int, noNewSignal bool) bool { + if job.fuzzer.Config.Snapshot { + return run >= needRuns+1 + } haveSignal := true for _, call := range job.calls { if !call.newSignal.IntersectsWith(call.signals[needRuns-1]) { @@ -286,7 +292,10 @@ func (job *triageJob) stopDeflake(run, needRuns int, noNewSignal bool) bool { } func (job *triageJob) minimize(call int, info *triageCall) (*prog.Prog, int) { - const minimizeAttempts = 3 + minimizeAttempts := 3 + if job.fuzzer.Config.Snapshot { + minimizeAttempts = 2 + } stop := false p, call := prog.Minimize(job.p, call, prog.MinimizeParams{}, func(p1 *prog.Prog, call1 int) bool { diff --git a/syz-manager/manager.go b/syz-manager/manager.go index 4b87efd2f..2360e4f53 100644 --- a/syz-manager/manager.go +++ b/syz-manager/manager.go @@ -1339,6 +1339,7 @@ func (mgr *Manager) MachineChecked(features flatrpc.Feature, enabledSyscalls map rnd := rand.New(rand.NewSource(time.Now().UnixNano())) fuzzerObj := fuzzer.NewFuzzer(context.Background(), &fuzzer.Config{ Corpus: mgr.corpus, + Snapshot: mgr.cfg.Snapshot, Coverage: mgr.cfg.Cover, FaultInjection: features&flatrpc.FeatureFault != 0, Comparisons: features&flatrpc.FeatureComparisons != 0, |