authorDmitry Vyukov <dvyukov@google.com>2024-07-01 14:26:07 +0200
committerDmitry Vyukov <dvyukov@google.com>2024-07-22 08:35:47 +0000
commitdf655b64ffc2879b80e652329fb7a11508e50310 (patch)
treea721bbe875f7e9bc53cf2a297ce2ce7bd06bd204 /pkg/fuzzer
parentfb8445ca9a36aa91aed98a02092147cb88d49d9f (diff)
prog: restricts hints to at most 10 attempts per single kernel PC
We are getting too many generated candidates; the fuzzer may not keep up with them at all (hints jobs keep growing infinitely). If a hint indeed came from the input without transformation, then we should guess it on the first attempt (or at least after a few attempts). If it did not come from the input, or came with a non-trivial transformation, then no number of attempts will help. So limit the total number of attempts (until the next restart).
Diffstat (limited to 'pkg/fuzzer')
-rw-r--r--pkg/fuzzer/fuzzer.go9
-rw-r--r--pkg/fuzzer/job.go4
2 files changed, 8 insertions, 5 deletions
diff --git a/pkg/fuzzer/fuzzer.go b/pkg/fuzzer/fuzzer.go
index a2b2ef475..7ac8cba3e 100644
--- a/pkg/fuzzer/fuzzer.go
+++ b/pkg/fuzzer/fuzzer.go
@@ -24,10 +24,11 @@ type Fuzzer struct {
Config *Config
Cover *Cover
- ctx context.Context
- mu sync.Mutex
- rnd *rand.Rand
- target *prog.Target
+ ctx context.Context
+ mu sync.Mutex
+ rnd *rand.Rand
+ target *prog.Target
+ hintsLimiter prog.HintsLimiter
ct *prog.ChoiceTable
ctProgs int
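Review bot: The new `hintsLimiter` field in `Fuzzer` has no comment saying how it is synchronized, although it sits in the group that starts with `mu` and is called from `hintsJob.run` in job.go with no `fuzzer.mu` lock visible around the call. If hints jobs run concurrently (likely for a fuzzer, but not visible on this page), the limiter's per-PC counters need their own lock, and the field should say so, e.g. `// hintsLimiter is internally synchronized and is not guarded by mu.` if that is the case. The field is stored by value and the diffstat shows no other change to fuzzer.go, so the zero value of `prog.HintsLimiter` must be usable as is; that is worth noting in the same comment. The `Fuzzer` struct continues outside this hunk.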
diff --git a/pkg/fuzzer/job.go b/pkg/fuzzer/job.go
index 93d1cc354..99ff3c433 100644
--- a/pkg/fuzzer/job.go
+++ b/pkg/fuzzer/job.go
@@ -456,7 +456,7 @@ func (job *hintsJob) run(fuzzer *Fuzzer) {
}
got := make(prog.CompMap)
for _, cmp := range result.Info.Calls[job.call].Comps {
- got.AddComp(cmp.Op1, cmp.Op2)
+ got.Add(cmp.Pc, cmp.Op1, cmp.Op2, cmp.IsConst)
}
if i == 0 {
comps = got
@@ -465,6 +465,8 @@ func (job *hintsJob) run(fuzzer *Fuzzer) {
}
}
+ fuzzer.hintsLimiter.Limit(comps)
+
// Then mutate the initial program for every match between
// a syscall argument and a comparison operand.
// Execute each of such mutants to check if it gives new coverage.
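Review bot: The added `fuzzer.hintsLimiter.Limit(comps)` call reports nothing about how much it removed, so a run that has used up its per-PC budget looks the same as one whose inputs produced no matching comparisons. The result is not assigned, so the call presumably filters `comps` in place. Because the commit message says the limit holds until the next restart, a counter or debug log of the comparisons dropped here would show operators when hint-driven mutation has been cut off for a long-running instance. The budget is keyed by kernel PC, so comparisons that all execute at one shared PC (a common comparison helper, presumably) draw on the same 10 attempts. A comment at the call would make this visible, e.g. `// Drop comparisons whose PC has exhausted its hint budget; the budget is per process and is not reset.` The body of `run` starts and ends outside this hunk.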