| author | Dmitry Vyukov <dvyukov@google.com> | 2020-03-14 16:42:00 +0100 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2020-03-17 21:19:13 +0100 |
| commit | 80d43738f1e4c648ccfc4599e17dc8ba455fe1ea (patch) | |
| tree | a2adb84b67e9d760a35fee40ddf06d271f70bab1 /prog | |
| parent | a2f9a446496d23c4bf6db95e0d4337583595c78c (diff) | |
prog: rename target.SanitizeCall to Neutralize
We will need a wrapper for target.SanitizeCall that will do more
than just calling the target-provided function. To avoid confusion
and potential mistakes, give the target function and prog function
different names. Prog package will continue to call this "sanitize",
which will include target's "neutralize" + more.
Also refactor API a bit: we need a helper function that sanitizes
the whole program because that's needed most of the time.
Fixes #477
Fixes #502
Diffstat (limited to 'prog')
| -rw-r--r-- | prog/encoding.go | 4 | ||||
| -rw-r--r-- | prog/generation.go | 1 | ||||
| -rw-r--r-- | prog/hints.go | 7 | ||||
| -rw-r--r-- | prog/minimization.go | 4 | ||||
| -rw-r--r-- | prog/mutation.go | 4 | ||||
| -rw-r--r-- | prog/prog.go | 15 | ||||
| -rw-r--r-- | prog/prog_test.go | 4 | ||||
| -rw-r--r-- | prog/rand.go | 6 | ||||
| -rw-r--r-- | prog/target.go | 14 |
9 files changed, 38 insertions, 21 deletions
diff --git a/prog/encoding.go b/prog/encoding.go index 6bded49d5..9a06c6d4b 100644 --- a/prog/encoding.go +++ b/prog/encoding.go @@ -227,8 +227,8 @@ func (target *Target) Deserialize(data []byte, mode DeserializeMode) (*Prog, err if p.autos != nil { p.fixupAutos(prog) } - for _, c := range prog.Calls { - target.SanitizeCall(c) + if err := prog.sanitize(mode == NonStrict); err != nil { + return nil, err } return prog, nil } diff --git a/prog/generation.go b/prog/generation.go index 1ceda4820..037801b75 100644 --- a/prog/generation.go +++ b/prog/generation.go @@ -29,6 +29,7 @@ func (target *Target) Generate(rs rand.Source, ncalls int, ct *ChoiceTable) *Pro for len(p.Calls) > ncalls { p.removeCall(ncalls - 1) } + p.sanitizeFix() p.debugValidate() return p } diff --git a/prog/hints.go b/prog/hints.go index f7f9dc487..9a5675b1b 100644 --- a/prog/hints.go +++ b/prog/hints.go @@ -66,7 +66,12 @@ func (p *Prog) MutateWithHints(callIndex int, comps CompMap, exec func(p *Prog)) p = p.Clone() c := p.Calls[callIndex] execValidate := func() { - p.Target.SanitizeCall(c) + // Don't try to fix the candidate program. + // Assuming the original call was sanitized, we've got a bad call + // as the result of hint substitution, so just throw it away. + if p.Target.sanitize(c, false) != nil { + return + } p.debugValidate() exec(p) } diff --git a/prog/minimization.go b/prog/minimization.go index 9a71dd067..93a986556 100644 --- a/prog/minimization.go +++ b/prog/minimization.go @@ -13,9 +13,7 @@ import ( // the simplification attempt is committed and the process continues. func Minimize(p0 *Prog, callIndex0 int, crash bool, pred0 func(*Prog, int) bool) (*Prog, int) { pred := func(p *Prog, callIndex int) bool { - for _, call := range p.Calls { - p.Target.SanitizeCall(call) - } + p.sanitizeFix() p.debugValidate() return pred0(p, callIndex) } diff --git a/prog/mutation.go b/prog/mutation.go index 62acba586..5a1819569 100644 --- a/prog/mutation.go +++ b/prog/mutation.go 
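Review bot: In prog/hints.go the new comment in `execValidate` says the candidate is not fixed, but `Target.sanitize` as added in prog/target.go by this commit calls `target.Neutralize(c)` unconditionally and ignores `fix`, so `sanitize(c, false)` still rewrites the call and never returns an error. The same holds for the strict-mode path in `Deserialize` (prog/encoding.go), where `prog.sanitize(mode == NonStrict)` passes `fix == false`. If the check-only behaviour is meant to arrive in a follow-up, as the commit message suggests, a marker next to the comment would stop readers relying on it today, for example `// TODO: sanitize does not honour fix=false yet; the call is still neutralized.`. MutateWithHints starts and ends outside the hunk.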
@@ -49,9 +49,7 @@ func (p *Prog) Mutate(rs rand.Source, ncalls int, ct *ChoiceTable, corpus []*Pro ok = ctx.removeCall() } } - for _, c := range p.Calls { - p.Target.SanitizeCall(c) - } + p.sanitizeFix() p.debugValidate() if got := len(p.Calls); got < 1 || got > ncalls { panic(fmt.Sprintf("bad number of calls after mutation: %v, want [1, %v]", got, ncalls)) diff --git a/prog/prog.go b/prog/prog.go index 575f0da9b..1600c0a28 100644 --- a/prog/prog.go +++ b/prog/prog.go @@ -387,3 +387,18 @@ func (p *Prog) removeCall(idx int) { copy(p.Calls[idx:], p.Calls[idx+1:]) p.Calls = p.Calls[:len(p.Calls)-1] } + +func (p *Prog) sanitizeFix() { + if err := p.sanitize(true); err != nil { + panic(err) + } +} + +func (p *Prog) sanitize(fix bool) error { + for _, c := range p.Calls { + if err := p.Target.sanitize(c, fix); err != nil { + return err + } + } + return nil +} diff --git a/prog/prog_test.go b/prog/prog_test.go index 3a3577328..16a54e2d6 100644 --- a/prog/prog_test.go +++ b/prog/prog_test.go @@ -441,9 +441,7 @@ func TestSanitizeRandom(t *testing.T) { for i := 0; i < iters; i++ { p := target.Generate(rs, 10, nil) s0 := string(p.Serialize()) - for _, c := range p.Calls { - target.SanitizeCall(c) - } + p.sanitizeFix() s1 := string(p.Serialize()) if s0 != s1 { t.Fatalf("non-sanitized program or non-idempotent sanitize\nwas: %v\ngot: %v", s0, s1) diff --git a/prog/rand.go b/prog/rand.go index bf6d66e9a..8583fbdcb 100644 --- a/prog/rand.go +++ b/prog/rand.go @@ -561,11 +561,7 @@ func (r *randGen) generateParticularCall(s *state, meta *Syscall) (calls []*Call } c.Args, calls = r.generateArgs(s, meta.Args) r.target.assignSizesCall(c) - calls = append(calls, c) - for _, c1 := range calls { - r.target.SanitizeCall(c1) - } - return calls + return append(calls, c) } // GenerateAllSyzProg generates a program that contains all pseudo syz_ calls for testing. diff --git a/prog/target.go b/prog/target.go index 69398a54d..b19645ea2 100644 --- a/prog/target.go +++ b/prog/target.go 
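Review bot: The two methods added at the end of prog/prog.go have no doc comments, and their contracts differ in a way callers need to know: `sanitizeFix` panics on any error, while `sanitize` returns at the first failing call and leaves the calls before it already processed. Since these are the step that keeps harmful calls out of generated and mutated programs, I would state that on the declarations, e.g. `// sanitizeFix runs sanitize with fix=true and panics if any call still fails.` and `// sanitize runs Target.sanitize on each call and returns the first error; calls before the failing one may already have been modified.`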
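Review bot: After the prog/rand.go hunk, `generateParticularCall` returns its calls without neutralizing them, so every path that turns those calls into a program now has to run `p.sanitizeFix()` itself. This commit adds that call to `Generate` and uses it in `Mutate` and `Minimize`, but rand.go has no other hunk, so other users of this helper are worth checking (the `GenerateAllSyzProg` declared right below the hunk is one candidate, though its body is not visible here). A line on the function such as `// The returned calls are not sanitized; the caller must run Prog.sanitizeFix before the program is used.` would make the new contract explicit. The function starts outside the hunk.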
@@ -28,8 +28,9 @@ type Target struct { // MakeMmap creates call that maps [addr, addr+size) memory range. MakeMmap func(addr, size uint64) *Call - // SanitizeCall neutralizes harmful calls. - SanitizeCall func(c *Call) + // Neutralize neutralizes harmful calls by transforming them into non-harmful ones + // (e.g. an ioctl that turns off console output is turned into ioctl that turns on output). + Neutralize func(c *Call) // AnnotateCall annotates a syscall invocation in C reproducers. // The returned string will be placed inside a comment except for the @@ -113,7 +114,7 @@ func AllTargets() []*Target { } func (target *Target) lazyInit() { - target.SanitizeCall = func(c *Call) {} + target.Neutralize = func(c *Call) {} target.AnnotateCall = func(c ExecCall) string { return "" } target.initTarget() target.initArch(target) @@ -165,6 +166,11 @@ func (target *Target) GetConst(name string) uint64 { return v } +func (target *Target) sanitize(c *Call, fix bool) error { + target.Neutralize(c) + return nil +} + func RestoreLinks(syscalls []*Syscall, resources []*ResourceDesc, structs []*KeyedStruct) { restoreLinks(syscalls, resources, structs) } @@ -277,7 +283,7 @@ func MakeProgGen(target *Target) *Builder { func (pg *Builder) Append(c *Call) error { pg.target.assignSizesCall(c) - pg.target.SanitizeCall(c) + pg.target.sanitize(c, true) pg.p.Calls = append(pg.p.Calls, c) return nil } |
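Review bot: In the last hunk of prog/target.go, `Builder.Append` calls `pg.target.sanitize(c, true)` and drops the returned error before appending the call. Today `sanitize` always returns nil, but once it starts reporting failures a call that could not be sanitized would still be added to the program. `Append` already returns an error, so it can propagate this one: `if err := pg.target.sanitize(c, true); err != nil { return err }`.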
