pkg/fuzzer: implement basic max signal rotation

Once in 15 minutes, drop 1000 elements of the pure max signal (that is, max signal minus corpus signal). It seems to have a positive effect on the total fuzzing performance.
author: Aleksandr Nogikh <nogikh@google.com> 2024-03-20 21:00:39 +0100
committer: Aleksandr Nogikh <nogikh@google.com> 2024-03-25 13:12:00 +0000
commit: f85e28d8a74848f34bdfb105079245c3d38ff9ae (patch)
tree: 4c03dec2a7aaf4238c007ca826b1c4f9b4658c49 /pkg/fuzzer/fuzzer_test.go
parent: 409ee912f2c4f07e3064b4e6f4a83e1f812531d8 (diff)
1 files changed, 63 insertions, 0 deletions
diff --git a/pkg/fuzzer/fuzzer_test.go b/pkg/fuzzer/fuzzer_test.go
index bd6d9a8fe..5c0920109 100644
--- a/pkg/fuzzer/fuzzer_test.go
+++ b/pkg/fuzzer/fuzzer_test.go
@@ -23,6 +23,7 @@ import (
 	"github.com/google/syzkaller/pkg/ipc"
 	"github.com/google/syzkaller/pkg/ipc/ipcconfig"
 	"github.com/google/syzkaller/pkg/rpctype"
+	"github.com/google/syzkaller/pkg/signal"
 	"github.com/google/syzkaller/pkg/testutil"
 	"github.com/google/syzkaller/prog"
 	"github.com/google/syzkaller/sys/targets"
@@ -116,6 +117,68 @@ func BenchmarkFuzzer(b *testing.B) {
 	})
 }
 
+func TestRotate(t *testing.T) {
+	target, err := prog.GetTarget(targets.TestOS, targets.TestArch64Fuzz)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	corpusObj := corpus.NewCorpus(ctx)
+	fuzzer := NewFuzzer(ctx, &Config{
+		Debug:    true,
+		Corpus:   corpusObj,
+		Coverage: true,
+		EnabledCalls: map[*prog.Syscall]bool{
+			target.SyscallMap["syz_compare"]: true,
+		},
+	}, rand.New(testutil.RandSource(t)), target)
+
+	fakeSignal := func(size int) signal.Signal {
+		var pc []uint32
+		for i := 0; i < size; i++ {
+			pc = append(pc, uint32(i))
+		}
+		return signal.FromRaw(pc, 0)
+	}
+
+	prog, err := target.Deserialize(
+		[]byte(`syz_compare(&AUTO="00000000", 0x4, &AUTO=@conditional={0x0, @void, @void}, AUTO)`),
+		prog.NonStrict)
+	assert.NoError(t, err)
+	corpusObj.Save(corpus.NewInput{
+		Prog:   prog,
+		Call:   0,
+		Signal: fakeSignal(100),
+	})
+	fuzzer.Cover.AddMaxSignal(fakeSignal(1000))
+
+	stats := fuzzer.Stats()
+	assert.Equal(t, 1000, stats.MaxSignal)
+	assert.Equal(t, 100, stats.Signal)
+
+	// Rotate some of the signal.
+	fuzzer.RotateMaxSignal(200)
+	stats = fuzzer.Stats()
+	assert.Equal(t, 800, stats.MaxSignal)
+	assert.Equal(t, 100, stats.Signal)
+
+	plus, minus := fuzzer.Cover.GrabSignalDelta()
+	assert.Equal(t, 0, plus.Len())
+	assert.Equal(t, 200, minus.Len())
+
+	// Rotate the rest.
+	fuzzer.RotateMaxSignal(1000)
+	stats = fuzzer.Stats()
+	assert.Equal(t, 100, stats.MaxSignal)
+	assert.Equal(t, 100, stats.Signal)
+	plus, minus = fuzzer.Cover.GrabSignalDelta()
+	assert.Equal(t, 0, plus.Len())
+	assert.Equal(t, 700, minus.Len())
+}
+
 // Based on the example from Go documentation.
 var crc32q = crc32.MakeTable(0xD5828281)
author	Aleksandr Nogikh <nogikh@google.com>	2024-03-20 21:00:39 +0100
committer	Aleksandr Nogikh <nogikh@google.com>	2024-03-25 13:12:00 +0000
commit	f85e28d8a74848f34bdfb105079245c3d38ff9ae (patch)
tree	4c03dec2a7aaf4238c007ca826b1c4f9b4658c49 /pkg/fuzzer/fuzzer_test.go
parent	409ee912f2c4f07e3064b4e6f4a83e1f812531d8 (diff)