| author | Aleksandr Nogikh <nogikh@google.com> | 2024-08-30 12:52:40 +0200 |
|---|---|---|
| committer | Aleksandr Nogikh <nogikh@google.com> | 2024-08-30 11:05:20 +0000 |
| commit | 3cb12728f957eec0a79ed1d53e0719fb1a772a6b (patch) | |
| tree | f0361fa08cfd9f3bf570f7f9c8d47e862c457bf0 | |
| parent | db150e23dfae69f02b0712803ebb12dce0283903 (diff) | |
syz-manager: re-smash a subset of the corpus on restart
We smash the program only once after we add it to the corpus, but
it can be that
1) It did not finish before the instance was restarted.
2) The fuzzing algorithms have become smarter over time.
3) The kernel code has changed over time.
It would be best to track it in pkg/db, but until it's capable
of that, let's just re-smash some corpus subset on each
syz-manager restart.
| -rw-r--r-- | syz-manager/manager.go | 31 |
1 files changed, 27 insertions, 4 deletions
diff --git a/syz-manager/manager.go b/syz-manager/manager.go
index 6657ed2f6..90aa4198a 100644
--- a/syz-manager/manager.go
+++ b/syz-manager/manager.go
@@ -664,8 +664,9 @@ func (mgr *Manager) loadCorpus() []fuzzer.Candidate {
 return len(candidates[i].Prog.Calls) < len(candidates[j].Prog.Calls)
 })
 reminimized := reminimizeSubset(candidates)
- log.Logf(0, "%-24v: %v (%v seeds), %d will be reminimized",
- "corpus", len(candidates), seeds, reminimized)
+ resmashed := resmashSubset(candidates)
+ log.Logf(0, "%-24v: %v (%v seeds), %d to be reminimized, %d to be resmashed",
+ "corpus", len(candidates), seeds, reminimized, resmashed)
 return candidates
 }
 
@@ -694,8 +695,30 @@ func reminimizeSubset(candidates []fuzzer.Candidate) int {
 reset := min(50, len(resetIndices), max(1, len(candidates)/100))
 rnd := rand.New(rand.NewSource(time.Now().UnixNano()))
 for _, i := range rnd.Perm(len(resetIndices))[:reset] {
- idx := resetIndices[i]
- candidates[idx].Flags &= ^fuzzer.ProgMinimized
+ candidates[resetIndices[i]].Flags &= ^fuzzer.ProgMinimized
+ }
+ return reset
+}
+
+// resmashSubset clears fuzzer.ProgSmashes for a subset of seeds.
+// We smash the program only once after we add it to the corpus, but it can be that
+// either it did not finish before the instance was restarted, or the fuzzing algorithms
+// have become smarter over time, or just that kernel code changed over time.
+// It would be best to track it in pkg/db, but until it's capable of that, let's just
+// re-smash some corpus subset on each syz-manager restart.
+func resmashSubset(candidates []fuzzer.Candidate) int {
+ var indices []int
+ for i, info := range candidates {
+ if info.Flags&fuzzer.ProgSmashed == 0 {
+ continue
+ }
+ indices = append(indices, i)
+ }
+ // Reset ProgSmashed for up to 0.5% of the seed programs.
+ reset := min(25, len(indices), max(1, len(candidates)/200))
+ rnd := rand.New(rand.NewSource(time.Now().UnixNano()))
+ for _, i := range rnd.Perm(len(indices))[:reset] {
+ candidates[indices[i]].Flags &= ^fuzzer.ProgSmashed
 }
 return reset
 }
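Review bot: The doc comment on the new function names a flag that the code does not use: it says `fuzzer.ProgSmashes` while the body tests and clears `fuzzer.ProgSmashed`, so the first line should read `// resmashSubset clears fuzzer.ProgSmashed for a subset of seeds.` As a point of style, resmashSubset is a near line-for-line copy of reminimizeSubset (collect the indices carrying the flag, seed a fresh rand.Source from time.Now(), clear the flag on a random subset bounded by a hard cap and a fraction of the corpus); a shared helper parameterised by the flag, the cap (50 vs 25) and the divisor (100 vs 200) would keep the two sampling policies from drifting apart and let them draw from one random source rather than two seeded nanoseconds apart. The bare 25 and 200 would also read better as named constants next to the "up to 0.5%" comment that explains them. Only the tail of reminimizeSubset is in this hunk; the loop that builds resetIndices lies above it.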
