syz-fuzzer: generates hints only for the call that gave new coverage

During smashing we know what call gave new coverage, so we can concentrate just on it. This helps to reduce amount of hints generated (we have too many of them).
author: Dmitry Vyukov <dvyukov@google.com> 2017-10-20 12:23:21 +0200
committer: Dmitry Vyukov <dvyukov@google.com> 2017-10-23 09:59:39 +0200
commit: 8fa0c867d4e4bbd97321b19ac11115fa7020570a (patch)
tree: 12d25a05dc84fa5ad849acecc78b8cf073ed3998
parent: 5044885ca2e3e8fd8a368cb497946d994d1bb1ad (diff)
4 files changed, 21 insertions, 22 deletions
diff --git a/prog/hints.go b/prog/hints.go
index 5a05d7f56..87b92229d 100644
--- a/prog/hints.go
+++ b/prog/hints.go
@@ -47,15 +47,14 @@ func (m CompMap) AddComp(arg1, arg2 uint64) {
 
 // Mutates the program using the comparison operands stored in compMaps.
 // For each of the mutants executes the exec callback.
-func (p *Prog) MutateWithHints(compMaps []CompMap, exec func(newP *Prog)) {
-	for i, c := range p.Calls {
-		if c.Meta == p.Target.MmapSyscall {
-			continue
-		}
-		foreachArg(c, func(arg, _ Arg, _ *[]Arg) {
-			generateHints(p, compMaps[i], c, arg, exec)
-		})
+func (p *Prog) MutateWithHints(callIndex int, comps CompMap, exec func(newP *Prog)) {
+	c := p.Calls[callIndex]
+	if c.Meta == p.Target.MmapSyscall {
+		return
 	}
+	foreachArg(c, func(arg, _ Arg, _ *[]Arg) {
+		generateHints(p, comps, c, arg, exec)
+	})
 }
 
 func generateHints(p *Prog, compMap CompMap, c *Call, arg Arg, exec func(p *Prog)) {
diff --git a/prog/hints_test.go b/prog/hints_test.go
index 31cc13889..9e5c88343 100644
--- a/prog/hints_test.go
+++ b/prog/hints_test.go
@@ -343,18 +343,17 @@ func TestHintsRandom(t *testing.T) {
 	r := newRand(target, rs)
 	for i := 0; i < iters; i++ {
 		p := target.Generate(rs, 5, nil)
-		comps := make([]CompMap, len(p.Calls))
 		for i, c := range p.Calls {
 			vals := extractValues(c)
 			for j := 0; j < 5; j++ {
 				vals[r.randInt()] = true
 			}
-			comps[i] = make(CompMap)
+			comps := make(CompMap)
 			for v := range vals {
-				comps[i].AddComp(v, r.randInt())
+				comps.AddComp(v, r.randInt())
 			}
+			p.MutateWithHints(i, comps, func(p1 *Prog) {})
 		}
-		p.MutateWithHints(comps, func(p1 *Prog) {})
 	}
 }
 
diff --git a/syz-fuzzer/fuzzer.go b/syz-fuzzer/fuzzer.go
index b336dea52..ea7b1fcff 100644
--- a/syz-fuzzer/fuzzer.go
+++ b/syz-fuzzer/fuzzer.go
@@ -502,7 +502,7 @@ func smashInput(pid int, env *ipc.Env, ct *prog.ChoiceTable, rs rand.Source, inp
 		execute(pid, env, p, false, false, false, false, &statExecSmash)
 	}
 	if compsSupported {
-		executeHintSeed(pid, env, inp.p)
+		executeHintSeed(pid, env, inp.p, inp.call)
 	}
 }
 
@@ -627,7 +627,7 @@ func triageInput(pid int, env *ipc.Env, inp Input) {
 	}
 }
 
-func executeHintSeed(pid int, env *ipc.Env, p *prog.Prog) {
+func executeHintSeed(pid int, env *ipc.Env, p *prog.Prog, call int) {
 	Logf(1, "#%v: collecting comparisons", pid)
 	// First execute the original program to dump comparisons from KCOV.
 	info := execute(pid, env, p, false, true, false, false, &statExecHintSeeds)
@@ -641,7 +641,7 @@ func executeHintSeed(pid int, env *ipc.Env, p *prog.Prog) {
 	// Then mutate the initial program for every match between
 	// a syscall argument and a comparison operand.
 	// Execute each of such mutants to check if it gives new coverage.
-	p.MutateWithHints(compMaps, func(p *prog.Prog) {
+	p.MutateWithHints(call, compMaps[call], func(p *prog.Prog) {
 		Logf(1, "#%v: executing comparison hint", pid)
 		execute(pid, env, p, false, false, false, false, &statExecHints)
 	})
diff --git a/tools/syz-execprog/execprog.go b/tools/syz-execprog/execprog.go
index 9a9a1b48a..6c5df9ffd 100644
--- a/tools/syz-execprog/execprog.go
+++ b/tools/syz-execprog/execprog.go
@@ -179,7 +179,8 @@ func main() {
 					if *flagHints {
 						compMaps := ipc.GetCompMaps(info)
 						ncomps, ncandidates := 0, 0
-						for _, comps := range compMaps {
+						for i := range p.Calls {
+							comps := compMaps[i]
 							for v, args := range comps {
 								ncomps += len(args)
 								if *flagOutput == "stdout" {
@@ -190,13 +191,13 @@ func main() {
 									fmt.Printf("\n")
 								}
 							}
+							p.MutateWithHints(i, comps, func(p *prog.Prog) {
+								ncandidates++
+								if *flagOutput == "stdout" {
+									fmt.Printf("PROGRAM:\n%s\n", p.Serialize())
+								}
+							})
 						}
-						p.MutateWithHints(compMaps, func(p *prog.Prog) {
-							ncandidates++
-							if *flagOutput == "stdout" {
-								fmt.Printf("PROGRAM:\n%s\n", p.Serialize())
-							}
-						})
 						fmt.Printf("ncomps=%v ncandidates=%v\n", ncomps, ncandidates)
 					}
 					return true
author	Dmitry Vyukov <dvyukov@google.com>	2017-10-20 12:23:21 +0200
committer	Dmitry Vyukov <dvyukov@google.com>	2017-10-23 09:59:39 +0200
commit	8fa0c867d4e4bbd97321b19ac11115fa7020570a (patch)
tree	12d25a05dc84fa5ad849acecc78b8cf073ed3998
parent	5044885ca2e3e8fd8a368cb497946d994d1bb1ad (diff)