all: determine patched symbols for focused fuzzing

Hash the code section of the individual symbols from vmlinux.o and use
it to determine the functions that changed their bodies between the base
and the patched build.

If the number of affected symbols is reasonable (<5%), fuzz it with the
highest priority.

2 files changed, 84 insertions, 11 deletions

diff --git a/pkg/manager/diff.go b/pkg/manager/diff.go
index 64d0af444..aa640515d 100644
--- a/pkg/manager/diff.go
+++ b/pkg/manager/diff.go
@@ -297,9 +297,9 @@ func (dc *diffContext) monitorPatchedCoverage(ctx context.Context) error {
 		return nil
 	}
 	focusAreaStats := dc.new.progsPerArea()
-	if focusAreaStats[modifiedArea]+focusAreaStats[includesArea] > 0 {
-		log.Logf(0, "fuzzer has reached the modified code (%d + %d), continuing fuzzing",
-			focusAreaStats[modifiedArea], focusAreaStats[includesArea])
+	if focusAreaStats[symbolsArea]+focusAreaStats[filesArea]+focusAreaStats[includesArea] > 0 {
+		log.Logf(0, "fuzzer has reached the modified code (%d + %d + %d), continuing fuzzing",
+			focusAreaStats[symbolsArea], focusAreaStats[filesArea], focusAreaStats[includesArea])
 		return nil
 	}
 	log.Logf(0, "fuzzer has not reached the modified code in %s, aborting",
@@ -721,18 +721,32 @@ func (rr *reproRunner) Run(ctx context.Context, r *repro.Result) {
 }
 
 const (
-	modifiedArea = "modified"
+	symbolsArea  = "symbols"
+	filesArea    = "files"
 	includesArea = "included"
 )
 
-func PatchFocusAreas(cfg *mgrconfig.Config, gitPatches [][]byte) {
+func PatchFocusAreas(cfg *mgrconfig.Config, gitPatches [][]byte, baseHashes, patchedHashes map[string]string) {
+	funcs := modifiedSymbols(baseHashes, patchedHashes)
+	if len(funcs) > 0 {
+		log.Logf(0, "adding modified_functions to focus areas: %q", funcs)
+		cfg.Experimental.FocusAreas = append(cfg.Experimental.FocusAreas,
+			mgrconfig.FocusArea{
+				Name: symbolsArea,
+				Filter: mgrconfig.CovFilterCfg{
+					Functions: funcs,
+				},
+				Weight: 6.0,
+			})
+	}
+
 	direct, transitive := affectedFiles(cfg, gitPatches)
 	if len(direct) > 0 {
 		sort.Strings(direct)
-		log.Logf(0, "adding directly modified files to focus_order: %q", direct)
+		log.Logf(0, "adding directly modified files to focus areas: %q", direct)
 		cfg.Experimental.FocusAreas = append(cfg.Experimental.FocusAreas,
 			mgrconfig.FocusArea{
-				Name: modifiedArea,
+				Name: filesArea,
 				Filter: mgrconfig.CovFilterCfg{
 					Files: direct,
 				},
@@ -742,7 +756,7 @@ func PatchFocusAreas(cfg *mgrconfig.Config, gitPatches [][]byte) {
 
 	if len(transitive) > 0 {
 		sort.Strings(transitive)
-		log.Logf(0, "adding transitively affected to focus_order: %q", transitive)
+		log.Logf(0, "adding transitively affected to focus areas: %q", transitive)
 		cfg.Experimental.FocusAreas = append(cfg.Experimental.FocusAreas,
 			mgrconfig.FocusArea{
 				Name: includesArea,
@@ -808,3 +822,21 @@ func affectedFiles(cfg *mgrconfig.Config, gitPatches [][]byte) (direct, transiti
 	}
 	return
 }
+
+// If there are too many different symbols, they are no longer specific enough.
+// Don't use them to focus the fuzzer.
+const modifiedSymbolThreshold = 0.05
+
+func modifiedSymbols(baseHashes, patchedHashes map[string]string) []string {
+	var ret []string
+	for name, hash := range patchedHashes {
+		if baseHash, ok := baseHashes[name]; !ok || baseHash != hash {
+			ret = append(ret, name)
+			if float64(len(ret)) > float64(len(patchedHashes))*modifiedSymbolThreshold {
+				return nil
+			}
+		}
+	}
+	sort.Strings(ret)
+	return ret
+}
diff --git a/pkg/manager/diff_test.go b/pkg/manager/diff_test.go
index f2408f13b..9e27dc288 100644
--- a/pkg/manager/diff_test.go
+++ b/pkg/manager/diff_test.go
@@ -4,6 +4,7 @@
 package manager
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/google/syzkaller/pkg/mgrconfig"
@@ -24,6 +25,10 @@ int main(void) { }`,
 		"c.c": `int main(void) { }`,
 	}))
 
+	baseHashes, patchedHashes := dummySymbolHashes(), dummySymbolHashes()
+	baseHashes["function"] = "hash1"
+	patchedHashes["function"] = "hash2"
+
 	PatchFocusAreas(cfg, [][]byte{
 		[]byte(`diff --git a/b.c b/b.c
 index 103167d..fbf7a68 100644
@@ -34,7 +39,7 @@ index 103167d..fbf7a68 100644
 \ No newline at end of file
 +int main(void) { return 1; }
 \ No newline at end of file`),
-		// Also, emulate an update to te header.h.
+		// Also, emulate an update to header.h.
 		[]byte(`diff --git a/header.h b/header.h
 index 103167d..fbf7a68 100644
 --- a/header.h
@@ -44,11 +49,18 @@ index 103167d..fbf7a68 100644
 \ No newline at end of file
 +Test2
 \ No newline at end of file`),
-	})
+	}, baseHashes, patchedHashes)
 
 	assert.Equal(t, []mgrconfig.FocusArea{
 		{
-			Name: modifiedArea,
+			Name: symbolsArea,
+			Filter: mgrconfig.CovFilterCfg{
+				Functions: []string{"function"},
+			},
+			Weight: 6.0,
+		},
+		{
+			Name: filesArea,
 			Filter: mgrconfig.CovFilterCfg{
 				Files: []string{"b.c", "header.h"},
 			},
@@ -66,3 +78,32 @@ index 103167d..fbf7a68 100644
 		},
 	}, cfg.Experimental.FocusAreas)
 }
+
+func dummySymbolHashes() map[string]string {
+	ret := map[string]string{}
+	for i := 0; i < 100; i++ {
+		ret[fmt.Sprint(i)] = fmt.Sprint(i)
+	}
+	return ret
+}
+
+func TestModifiedSymbols(t *testing.T) {
+	t.Run("too many changed", func(t *testing.T) {
+		ret := modifiedSymbols(map[string]string{
+			"functionA": "hash1",
+			"functionB": "hash2",
+		}, map[string]string{
+			"functionA": "hash1",
+			"functionB": "hash is not hash2",
+		})
+		assert.Empty(t, ret)
+	})
+	t.Run("less than threshold", func(t *testing.T) {
+		base, patched := dummySymbolHashes(), dummySymbolHashes()
+		base["function"] = "hash1"
+		patched["function"] = "hash2"
+		base["function2"] = "hash1"
+		patched["function2"] = "hash2"
+		assert.Equal(t, []string{"function", "function2"}, modifiedSymbols(base, patched))
+	})
+}