authorDmitry Vyukov <dvyukov@google.com>2017-10-10 10:41:27 +0200
committerDmitry Vyukov <dvyukov@google.com>2017-10-10 10:41:27 +0200
commit354c3244659f5a81d9ccbdb4cddceeda30b90e9d (patch)
tree218b321d369e72bc2c9039ce8319a9e486e8ad16
parent2ef9fcaf18a9db9e4efefdd35e056ce3599dba4b (diff)
syz-fuzzer: don't send/check CallIndex for inputs
The call index check episodically fails with "2017/10/02 22:07:32 bad call index 1, calls 1, program:" under unknown circumstances. I've looked at the code again and don't see where/how we can mess up CallIndex. Added a new test for minimization that specifically checks the resulting CallIndex. It would be good to understand what happens, but we don't have any reproducers. CallIndex is actually unused at this point. Manager only needs call name. So remove CallIndex entirely.
-rw-r--r--pkg/rpctype/rpctype.go9
-rw-r--r--prog/mutation.go2
-rw-r--r--prog/mutation_test.go16
-rw-r--r--syz-fuzzer/fuzzer.go12
4 files changed, 25 insertions, 14 deletions
diff --git a/pkg/rpctype/rpctype.go b/pkg/rpctype/rpctype.go
index 78f8938f8..efe9e4c1d 100644
--- a/pkg/rpctype/rpctype.go
+++ b/pkg/rpctype/rpctype.go
@@ -6,11 +6,10 @@
package rpctype
type RpcInput struct {
- Call string
- Prog []byte
- CallIndex int
- Signal []uint32
- Cover []uint32
+ Call string
+ Prog []byte
+ Signal []uint32
+ Cover []uint32
}
type RpcCandidate struct {
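Review bot: RpcInput has no doc comment, and with CallIndex removed nothing on the type tells a reader how Call relates to Prog. A short comment above the struct would close that gap, for example `// RpcInput describes a program sent between fuzzer and manager; Call is the name of the call the Signal/Cover belong to, not a position in Prog.` That wording is inferred from the commit message and the triageInput hunk, so confirm it against the manager side before committing it.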
diff --git a/prog/mutation.go b/prog/mutation.go
index ac6aa63fe..ca5cb8874 100644
--- a/prog/mutation.go
+++ b/prog/mutation.go
@@ -475,7 +475,7 @@ func Minimize(p0 *Prog, callIndex0 int, pred0 func(*Prog, int) bool, crash bool)
if callIndex0 != -1 {
if callIndex0 < 0 || callIndex0 >= len(p0.Calls) || name0 != p0.Calls[callIndex0].Meta.Name {
- panic(fmt.Sprintf("bad call index after minimizatoin: ncalls=%v index=%v call=%v/%v",
+ panic(fmt.Sprintf("bad call index after minimization: ncalls=%v index=%v call=%v/%v",
len(p0.Calls), callIndex0, name0, p0.Calls[callIndex0].Meta.Name))
}
}
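Review bot: The panic arguments on the line after the corrected message still evaluate `p0.Calls[callIndex0].Meta.Name`, so when the index is negative or past the end, building the message itself triggers an index-out-of-range runtime panic and the intended diagnostic is never printed. Since the commit message describes a bad index that cannot be reproduced, this diagnostic is worth keeping intact. Handle the range failure on its own before the name comparison, e.g. `if callIndex0 < 0 || callIndex0 >= len(p0.Calls) { panic(fmt.Sprintf("bad call index after minimization: ncalls=%v index=%v call=%v", len(p0.Calls), callIndex0, name0)) }`. Minimize starts and continues outside this hunk.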
diff --git a/prog/mutation_test.go b/prog/mutation_test.go
index 4e9bb626a..1fe2da9eb 100644
--- a/prog/mutation_test.go
+++ b/prog/mutation_test.go
@@ -6,6 +6,7 @@ package prog
import (
"bytes"
"fmt"
+ "math/rand"
"testing"
)
@@ -310,3 +311,18 @@ func TestMinimizeRandom(t *testing.T) {
}, false)
}
}
+
+func TestMinimizeCallIndex(t *testing.T) {
+ target, rs, iters := initTest(t)
+ r := rand.New(rs)
+ for i := 0; i < iters; i++ {
+ p := target.Generate(rs, 5, nil)
+ ci := r.Intn(len(p.Calls))
+ p1, ci1 := Minimize(p, ci, func(p1 *Prog, callIndex int) bool {
+ return r.Intn(2) == 0
+ }, r.Intn(2) == 0)
+ if ci1 < 0 || ci1 >= len(p1.Calls) || p.Calls[ci].Meta.Name != p1.Calls[ci1].Meta.Name {
+ t.Fatalf("bad call index after minimization")
+ }
+ }
+}
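Review bot: The `t.Fatalf("bad call index after minimization")` in TestMinimizeCallIndex reports none of the values that failed, so a hit from this randomized test would be as hard to act on as the log line in the commit message. Include the indices and length, e.g. `t.Fatalf("bad call index after minimization: ci=%v ci1=%v ncalls=%v", ci, ci1, len(p1.Calls))`, and do not index `p1.Calls[ci1]` in the message, since it may be out of range on that path. Separately, `r.Intn(len(p.Calls))` panics if Generate ever returns a program with no calls, and `p.Calls[ci]` is read after Minimize has run. Whether Minimize leaves `p` untouched is not visible in this hunk, so capturing `name := p.Calls[ci].Meta.Name` before the call would be safer.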
diff --git a/syz-fuzzer/fuzzer.go b/syz-fuzzer/fuzzer.go
index 955b561e2..613c57e1c 100644
--- a/syz-fuzzer/fuzzer.go
+++ b/syz-fuzzer/fuzzer.go
@@ -477,9 +477,6 @@ func addInput(inp RpcInput) {
if err != nil {
panic(err)
}
- if inp.CallIndex < 0 || inp.CallIndex >= len(p.Calls) {
- Fatalf("bad call index %v, calls %v, program:\n%s", inp.CallIndex, len(p.Calls), inp.Prog)
- }
sig := hash.Hash(inp.Prog)
if _, ok := corpusHashes[sig]; !ok {
corpus = append(corpus, p)
@@ -599,11 +596,10 @@ func triageInput(pid int, env *ipc.Env, inp Input) {
a := &NewInputArgs{
Name: *flagName,
RpcInput: RpcInput{
- Call: call.CallName,
- Prog: data,
- CallIndex: inp.call,
- Signal: []uint32(cover.Canonicalize(inp.signal)),
- Cover: []uint32(inputCover),
+ Call: call.CallName,
+ Prog: data,
+ Signal: []uint32(cover.Canonicalize(inp.signal)),
+ Cover: []uint32(inputCover),
},
}
if err := manager.Call("Manager.NewInput", a, nil); err != nil {