| author | Dmitry Vyukov <dvyukov@google.com> | 2024-05-29 11:28:03 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2024-06-03 15:04:36 +0000 |
| commit | 2addfcda6297288cd48c399dfbef1f5752162011 (patch) | |
| tree | 30a7d6f2f7d3bea992ebe1c38e698d1862ec44be /pkg/fuzzer/fuzzer.go | |
| parent | f0e94da92f1381e56ecd1c28575aaac54cdfc79d (diff) | |
syz-manager: add corpus triage mode
Add corpus triage mode and support it in testbed.
This is useful to benchmark just the triage phase
without any subsequent fuzzing. First, fuzzing is more random.
Second, if triage duration differs between versions,
then they will do different amounts of fuzzing in a fixed testbed time.
Diffstat (limited to 'pkg/fuzzer/fuzzer.go')
| -rw-r--r-- | pkg/fuzzer/fuzzer.go | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/pkg/fuzzer/fuzzer.go b/pkg/fuzzer/fuzzer.go index 9ad218433..8be912139 100644 --- a/pkg/fuzzer/fuzzer.go +++ b/pkg/fuzzer/fuzzer.go @@ -76,7 +76,7 @@ type execQueues struct { func newExecQueues(fuzzer *Fuzzer) execQueues { ret := execQueues{ triageCandidateQueue: queue.DynamicOrder(), - candidateQueue: queue.PlainWithStat(fuzzer.StatCandidates), + candidateQueue: queue.Plain(), triageQueue: queue.DynamicOrder(), smashQueue: queue.Plain(), } @@ -92,6 +92,10 @@ func newExecQueues(fuzzer *Fuzzer) execQueues { return ret } +func (fuzzer *Fuzzer) CandidateTriageFinished() bool { + return fuzzer.statCandidates.Val()+fuzzer.statJobsTriageCandidate.Val() == 0 +} + func (fuzzer *Fuzzer) execute(executor queue.Executor, req *queue.Request) *queue.Result { return fuzzer.executeWithFlags(executor, req, 0) } @@ -130,6 +134,9 @@ func (fuzzer *Fuzzer) processResult(req *queue.Request, res *queue.Result, flags if res.Info != nil { fuzzer.statExecTime.Add(int(res.Info.Elapsed / 1e6)) } + if flags&progCandidate != 0 { + fuzzer.statCandidates.Add(-1) + } } type Config struct { @@ -161,11 +168,11 @@ func (fuzzer *Fuzzer) triageProgCall(p *prog.Prog, info *flatrpc.CallInfo, call } fuzzer.Logf(2, "found new signal in call %d in %s", call, p) - queue := fuzzer.triageQueue + queue, stat := fuzzer.triageQueue, fuzzer.statJobsTriage if flags&progCandidate > 0 { - queue = fuzzer.triageCandidateQueue + queue, stat = fuzzer.triageCandidateQueue, fuzzer.statJobsTriageCandidate } - fuzzer.startJob(fuzzer.statJobsTriage, &triageJob{ + fuzzer.startJob(stat, &triageJob{ p: p.Clone(), call: call, info: info, @@ -243,6 +250,7 @@ type Candidate struct { } func (fuzzer *Fuzzer) AddCandidates(candidates []Candidate) { + fuzzer.statCandidates.Add(len(candidates)) for _, candidate := range candidates { req, flags := candidateRequest(fuzzer, candidate) fuzzer.enqueue(fuzzer.candidateQueue, req, flags) |
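Review bot: `CandidateTriageFinished` is exported without a doc comment, and its zero check also holds before `AddCandidates` has been called at all, assuming both counters start at zero. A caller that polls it too early would see triage reported as finished with nothing triaged. I would document that precondition, e.g. `// CandidateTriageFinished reports whether all added candidates were executed and their triage jobs completed.` followed by `// It also returns true before any candidates are added, so call it only after AddCandidates.` The two `Val()` reads are not one snapshot either; whether that matters depends on whether a triage job is counted before the candidate counter is decremented, which this hunk does not show.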
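Review bot: The decrement added at the end of `processResult` is the only place in this diff where `statCandidates` goes down, so `CandidateTriageFinished` depends on every request enqueued by `AddCandidates` reaching this line exactly once. The start of `processResult` is outside the hunk, so I cannot tell whether an earlier return, or a request that never produces a result, skips it; if one does, the counter stays positive and triage mode never completes. A comment here would make the invariant explicit, e.g. `// Pairs with statCandidates.Add(len(candidates)) in AddCandidates; must run once per candidate request.`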
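Review bot: The local `queue` in `triageProgCall` shadows the imported `queue` package that this file uses elsewhere (`queue.Plain()`, `queue.Request`), and the rewritten line keeps that name. Renaming it, `q, stat := fuzzer.triageQueue, fuzzer.statJobsTriage` and `q, stat = fuzzer.triageCandidateQueue, fuzzer.statJobsTriageCandidate`, avoids the shadowing; later uses of the variable lie outside the hunk and would need the same rename. The flag test here is `flags&progCandidate > 0` while the one added in `processResult` is `!= 0`; using one form in both places reads better.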
