diff options
| author | Dmitry Vyukov <dvyukov@google.com> | 2024-04-15 14:54:59 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2024-04-15 17:57:59 +0000 |
| commit | 0d592ce46ebc504d579c07e5bc3f7f3f2038c4cf (patch) | |
| tree | 8c942e9313a6d4c1e302e6aa55cd853d524f97db /pkg/fuzzer | |
| parent | e634f4672260dac9c086a06bfe10e4e3859c77a1 (diff) | |
pkg/fuzzer: fix signal filtering during minimization
This fixes 2 issues:
1. We still want to get new coverage for syscalls during minimization.
We run lots of new programs, and some of them can give new coverage.
2. The signal filter should apply only to the target syscall.
Other syscalls probably can't even reach any of that code.
So add SignalFilterCall field and combine new and filtered signal
for that call. Other calls just collect new coverage as usual.
Diffstat (limited to 'pkg/fuzzer')
| -rw-r--r-- | pkg/fuzzer/fuzzer.go | 8 | ||||
| -rw-r--r-- | pkg/fuzzer/job.go | 9 |
2 files changed, 12 insertions, 5 deletions
diff --git a/pkg/fuzzer/fuzzer.go b/pkg/fuzzer/fuzzer.go index 2663d7b60..a5b338b13 100644 --- a/pkg/fuzzer/fuzzer.go +++ b/pkg/fuzzer/fuzzer.go @@ -89,7 +89,10 @@ type Request struct { NeedRawCover bool NeedSignal rpctype.SignalType NeedHints bool - SignalFilter signal.Signal // If specified, the resulting signal MAY be a subset of it. + // If specified, the resulting signal for call SignalFilterCall + // will include subset of it even if it's not new. + SignalFilter signal.Signal + SignalFilterCall int // Fields that are only relevant within pkg/fuzzer. flags ProgTypes stat *stats.Val @@ -249,6 +252,9 @@ func (fuzzer *Fuzzer) pushExec(req *Request, prio priority) { if req.NeedHints && (req.NeedCover || req.NeedSignal != rpctype.NoSignal) { panic("Request.NeedHints is mutually exclusive with other fields") } + if req.SignalFilter != nil && req.NeedSignal != rpctype.NewSignal { + panic("SignalFilter must be used with NewSignal") + } fuzzer.nextExec.push(&priorityQueueItem[*Request]{ value: req, prio: prio, }) diff --git a/pkg/fuzzer/job.go b/pkg/fuzzer/job.go index ede1f1a57..b5bb2aab1 100644 --- a/pkg/fuzzer/job.go +++ b/pkg/fuzzer/job.go @@ -237,10 +237,11 @@ func (job *triageJob) minimize(fuzzer *Fuzzer, newSignal signal.Signal) (stop bo } for i := 0; i < minimizeAttempts; i++ { result := fuzzer.exec(job, &Request{ - Prog: p1, - NeedSignal: rpctype.AllSignal, - SignalFilter: newSignal, - stat: fuzzer.statExecMinimize, + Prog: p1, + NeedSignal: rpctype.NewSignal, + SignalFilter: newSignal, + SignalFilterCall: call1, + stat: fuzzer.statExecMinimize, }) if result.Stop { stop = true |