authorDmitry Vyukov <dvyukov@google.com>2024-06-27 12:34:40 +0200
committerDmitry Vyukov <dvyukov@google.com>2024-07-02 15:07:08 +0000
commit6a2ff1acbd95b320444a729d9d281835be88ec66 (patch)
tree03fd314126b66aa19341b6ec359243bb17c56688 /pkg/fuzzer/job.go
parent3d475bc56886c8183b3189b762451095985b6c84 (diff)
pkg/fuzzer: optimize smash jobs
1. Run only 25 mutations during smash. 2. Run collide during normal fuzzing rather than during smashing. 3. Run hints and fault injection before random mutations and order hints/fault injection jobs. 4. Random mutations still run round-robin w/o ordering to give better diversity.
Diffstat (limited to 'pkg/fuzzer/job.go')
-rw-r--r--pkg/fuzzer/job.go44
1 files changed, 22 insertions, 22 deletions
diff --git a/pkg/fuzzer/job.go b/pkg/fuzzer/job.go
index 0268172a9..d1397c5b2 100644
--- a/pkg/fuzzer/job.go
+++ b/pkg/fuzzer/job.go
@@ -123,8 +123,21 @@ func (job *triageJob) handleCall(call int, info *triageCall) {
job.fuzzer.startJob(job.fuzzer.statJobsSmash, &smashJob{
exec: job.fuzzer.smashQueue,
p: p.Clone(),
- call: call,
})
+ if job.fuzzer.Config.Comparisons && call >= 0 {
+ job.fuzzer.startJob(job.fuzzer.statJobsHints, &hintsJob{
+ exec: job.fuzzer.smashQueue,
+ p: p.Clone(),
+ call: call,
+ })
+ }
+ if job.fuzzer.Config.FaultInjection && call >= 0 {
+ job.fuzzer.startJob(job.fuzzer.statJobsFaultInjection, &faultInjectionJob{
+ exec: job.fuzzer.smashQueue,
+ p: p.Clone(),
+ call: call,
+ })
+ }
}
job.fuzzer.Logf(2, "added new input for %v to the corpus: %s", callName, p)
input := corpus.NewInput{
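Review bot: The scheduling order the commit message promises (hints and fault injection before random mutations) is not visible here: the smash job is started first at the top of the hunk and the hints/fault-injection jobs after it, all on the same `smashQueue`, so whether they actually run first depends on `startJob`/`smashQueue` semantics defined elsewhere in the package. A short comment at the first `startJob` would save the next reader the trip, e.g. `// All three jobs go to smashQueue; hints and fault injection are expected to be scheduled ahead of the random-mutation smash job (see the queue's ordering), while smash jobs stay round-robin for diversity.` The `call >= 0` guard is correctly applied only to the two jobs that use `call`; the smash job no longer receives it. The enclosing `handleCall` starts before this hunk.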
@@ -301,15 +314,8 @@ type smashJob struct {
func (job *smashJob) run(fuzzer *Fuzzer) {
fuzzer.Logf(2, "smashing the program %s (call=%d):", job.p, job.call)
- if fuzzer.Config.Comparisons && job.call >= 0 {
- fuzzer.startJob(fuzzer.statJobsHints, &hintsJob{
- exec: fuzzer.smashQueue,
- p: job.p.Clone(),
- call: job.call,
- })
- }
- const iters = 75
+ const iters = 25
rnd := fuzzer.rand()
for i := 0; i < iters; i++ {
p := job.p.Clone()
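Review bot: The log line `fuzzer.Logf(2, "smashing the program %s (call=%d):", job.p, job.call)` now always prints `call=0`, because the only visible constructor (the `startJob(job.fuzzer.statJobsSmash, &smashJob{...})` in the first hunk) no longer sets `call`, and the diffstat (22/22) suggests the `call` field was left in the struct rather than removed. Either drop the field from `smashJob` and shorten the message to `fuzzer.Logf(2, "smashing the program %s:", job.p)`, or keep passing `call` if some other caller still relies on it. The body of `run` continues past the end of this hunk.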
@@ -325,18 +331,6 @@ func (job *smashJob) run(fuzzer *Fuzzer) {
if result.Stop() {
return
}
- if fuzzer.Config.Collide {
- result := fuzzer.execute(job.exec, &queue.Request{
- Prog: randomCollide(p, rnd),
- Stat: fuzzer.statExecCollide,
- })
- if result.Stop() {
- return
- }
- }
- }
- if fuzzer.Config.FaultInjection && job.call >= 0 {
- job.faultInjection(fuzzer)
}
}
@@ -362,7 +356,13 @@ func randomCollide(origP *prog.Prog, rnd *rand.Rand) *prog.Prog {
return p
}
-func (job *smashJob) faultInjection(fuzzer *Fuzzer) {
+type faultInjectionJob struct {
+ exec queue.Executor
+ p *prog.Prog
+ call int
+}
+
+func (job *faultInjectionJob) run(fuzzer *Fuzzer) {
for nth := 1; nth <= 100; nth++ {
fuzzer.Logf(2, "injecting fault into call %v, step %v",
job.call, nth)
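Review bot: `faultInjectionJob` is introduced as a new job type without a doc comment, and the `nth <= 100` bound it inherits from the old `smashJob.faultInjection` is an unexplained magic number. I would add `// faultInjectionJob executes p with a fault injected into call p.call, once for each step nth in [1, 100].` above the type, and hoist the bound into a named constant such as `const maxFaultInjectionSteps = 100` next to `iters` so both tunables live in one place. The rest of `run` is outside this hunk, so whether each step performs exactly one execution is inferred from the log message only.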