| author | Aleksandr Nogikh <nogikh@google.com> | 2024-10-20 22:49:41 +0200 |
|---|---|---|
| committer | Taras Madan <tarasmadan@google.com> | 2024-10-25 12:08:02 +0000 |
| commit | 945e91b794873481a34fe25de502ba96c8dc2a6b (patch) | |
| tree | 49b6acc301ee940b5eeb9469dedf941018910bd1 | |
| parent | 350e853bc999ed32f877a99d892144bfbc60d60c (diff) | |
pkg/fuzzer: add the PatchTest flag
When the option is set, more time is spent on "exec fuzz" and less time
is spent minimizing the programs.
| -rw-r--r-- | pkg/fuzzer/fuzzer.go | 12 | ||||
| -rw-r--r-- | pkg/fuzzer/job.go | 6 |
2 files changed, 15 insertions, 3 deletions
diff --git a/pkg/fuzzer/fuzzer.go b/pkg/fuzzer/fuzzer.go
index ba6d93651..3dac022ad 100644
--- a/pkg/fuzzer/fuzzer.go
+++ b/pkg/fuzzer/fuzzer.go
@@ -87,13 +87,20 @@ func newExecQueues(fuzzer *Fuzzer) execQueues {
 triageQueue: queue.DynamicOrder(),
 smashQueue: queue.Plain(),
 }
+ // Alternate smash jobs with exec/fuzz to spread attention to the wider area.
+ skipQueue := 3
+ if fuzzer.Config.PatchTest {
+ // When we do patch fuzzing, we do not focus on finding and persisting
+ // new coverage that much, so it's reasonable to spend more time just
+ // mutating various corpus programs.
+ skipQueue = 2
+ }
 // Sources are listed in the order, in which they will be polled.
 ret.source = queue.Order(
 ret.triageCandidateQueue,
 ret.candidateQueue,
 ret.triageQueue,
- // Alternate smash jobs with exec/fuzz once in 3 times.
- queue.Alternate(ret.smashQueue, 3),
+ queue.Alternate(ret.smashQueue, skipQueue),
 queue.Callback(fuzzer.genFuzz),
 )
 return ret
@@ -198,6 +205,7 @@ type Config struct {
 NoMutateCalls map[int]bool
 FetchRawCover bool
 NewInputFilter func(call string) bool
+ PatchTest bool
 }
 func (fuzzer *Fuzzer) triageProgCall(p *prog.Prog, info *flatrpc.CallInfo, call int, triage *map[int]*triageCall) {
diff --git a/pkg/fuzzer/job.go b/pkg/fuzzer/job.go
index d1bac5054..8786d046d 100644
--- a/pkg/fuzzer/job.go
+++ b/pkg/fuzzer/job.go
@@ -348,7 +348,11 @@ func (job *triageJob) minimize(call int, info *triageCall) (*prog.Prog, int) {
 minimizeAttempts = 2
 }
 stop := false
- p, call := prog.Minimize(job.p, call, prog.MinimizeCorpus, func(p1 *prog.Prog, call1 int) bool {
+ mode := prog.MinimizeCorpus
+ if job.fuzzer.Config.PatchTest {
+ mode = prog.MinimizeCallsOnly
+ }
+ p, call := prog.Minimize(job.p, call, mode, func(p1 *prog.Prog, call1 int) bool {
 if stop {
 return false
 }
|
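Review bot: In newExecQueues, the name `skipQueue` and its new comment no longer say what the number means: the removed comment stated "once in 3 times", while the replacement gives only the motivation, so a reader cannot tell that lowering the value to 2 hands more polls to `fuzzer.genFuzz`. I would keep the unit next to the value, for example `// Every skipQueue-th poll skips smashQueue so that exec/fuzz gets a turn.`, and consider a name that carries it, such as `smashSkipNth`. The definition of queue.Alternate is not visible here, so that wording should be checked against it. The function starts before and ends after this hunk.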
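Review bot: The new `PatchTest` field in Config is undocumented, although this commit makes it change behaviour in two separate places (the smash/fuzz alternation in fuzzer.go and the minimization mode in job.go). A field comment such as `// PatchTest shifts time from smash jobs and corpus minimization to exec/fuzz; meant for patch fuzzing.` would tell callers what they opt into without reading both call sites. The Config struct starts outside the hunk.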
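Review bot: The switch to `prog.MinimizeCallsOnly` in triageJob.minimize has no explanation, unlike the fuzzer.go hunk, which documents why PatchTest changes the queue ratio. Judging by the mode's name and the commit message, programs triaged under PatchTest are minimized less thoroughly than with `prog.MinimizeCorpus`, and that trade-off deserves a why-comment above the `if`, for example `// Patch testing favours throughput over corpus quality, so use the cheaper minimization mode.`. No test change for either PatchTest branch is visible in this commit. minimize starts before and ends after this hunk.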
