-rw-r--r--pkg/csource/csource_test.go2
-rw-r--r--pkg/fuzzer/job.go59
-rw-r--r--pkg/repro/repro.go31
-rw-r--r--prog/encoding_test.go2
-rw-r--r--prog/expr_test.go2
-rw-r--r--prog/minimization.go41
-rw-r--r--prog/minimization_test.go12
-rw-r--r--prog/prog_test.go2
-rw-r--r--prog/rand_test.go4
9 files changed, 77 insertions, 78 deletions
diff --git a/pkg/csource/csource_test.go b/pkg/csource/csource_test.go
index 7d67927a3..c97757d01 100644
--- a/pkg/csource/csource_test.go
+++ b/pkg/csource/csource_test.go
@@ -91,7 +91,7 @@ func testTarget(t *testing.T, target *prog.Target, full bool) {
opts = allOptionsSingle(target.OS)
opts = append(opts, ExecutorOpts)
} else {
- minimized, _ := prog.Minimize(syzProg, -1, prog.MinimizeParams{}, func(p *prog.Prog, call int) bool {
+ minimized, _ := prog.Minimize(syzProg, -1, prog.MinimizeCorpus, func(p *prog.Prog, call int) bool {
return len(p.Calls) == len(syzProg.Calls)
})
p.Calls = append(p.Calls, minimized.Calls...)
diff --git a/pkg/fuzzer/job.go b/pkg/fuzzer/job.go
index 85d2dcfe6..7a89006f1 100644
--- a/pkg/fuzzer/job.go
+++ b/pkg/fuzzer/job.go
@@ -301,39 +301,38 @@ func (job *triageJob) minimize(call int, info *triageCall) (*prog.Prog, int) {
minimizeAttempts = 2
}
stop := false
- p, call := prog.Minimize(job.p, call, prog.MinimizeParams{},
- func(p1 *prog.Prog, call1 int) bool {
- if stop {
+ p, call := prog.Minimize(job.p, call, prog.MinimizeCorpus, func(p1 *prog.Prog, call1 int) bool {
+ if stop {
+ return false
+ }
+ var mergedSignal signal.Signal
+ for i := 0; i < minimizeAttempts; i++ {
+ result := job.execute(&queue.Request{
+ Prog: p1,
+ ExecOpts: setFlags(flatrpc.ExecFlagCollectSignal),
+ ReturnAllSignal: []int{call1},
+ Stat: job.fuzzer.statExecMinimize,
+ }, 0)
+ if result.Stop() {
+ stop = true
return false
}
- var mergedSignal signal.Signal
- for i := 0; i < minimizeAttempts; i++ {
- result := job.execute(&queue.Request{
- Prog: p1,
- ExecOpts: setFlags(flatrpc.ExecFlagCollectSignal),
- ReturnAllSignal: []int{call1},
- Stat: job.fuzzer.statExecMinimize,
- }, 0)
- if result.Stop() {
- stop = true
- return false
- }
- if !reexecutionSuccess(result.Info, info.errno, call1) {
- // The call was not executed or failed.
- continue
- }
- thisSignal := getSignalAndCover(p1, result.Info, call1)
- if mergedSignal.Len() == 0 {
- mergedSignal = thisSignal
- } else {
- mergedSignal.Merge(thisSignal)
- }
- if info.newStableSignal.Intersection(mergedSignal).Len() == info.newStableSignal.Len() {
- return true
- }
+ if !reexecutionSuccess(result.Info, info.errno, call1) {
+ // The call was not executed or failed.
+ continue
}
- return false
- })
+ thisSignal := getSignalAndCover(p1, result.Info, call1)
+ if mergedSignal.Len() == 0 {
+ mergedSignal = thisSignal
+ } else {
+ mergedSignal.Merge(thisSignal)
+ }
+ if info.newStableSignal.Intersection(mergedSignal).Len() == info.newStableSignal.Len() {
+ return true
+ }
+ }
+ return false
+ })
if stop {
return nil, 0
}
diff --git a/pkg/repro/repro.go b/pkg/repro/repro.go
index 5565460c2..2091d3c88 100644
--- a/pkg/repro/repro.go
+++ b/pkg/repro/repro.go
@@ -372,9 +372,7 @@ func (ctx *reproContext) concatenateProgs(entries []*prog.LogEntry, dur time.Dur
for i := 0; i < len(entries); i++ {
ctx.reproLogf(1, "minimizing program #%d before concatenation", i)
callsBefore := len(entries[i].P.Calls)
- entries[i].P, _ = prog.Minimize(entries[i].P, -1, prog.MinimizeParams{
- RemoveCallsOnly: true,
- },
+ entries[i].P, _ = prog.Minimize(entries[i].P, -1, prog.MinimizeCallsOnly,
func(p1 *prog.Prog, _ int) bool {
var newEntries []*prog.LogEntry
if i > 0 {
@@ -432,20 +430,19 @@ func (ctx *reproContext) minimizeProg(res *Result) (*Result, error) {
ctx.stats.MinimizeProgTime = time.Since(start)
}()
- res.Prog, _ = prog.Minimize(res.Prog, -1, prog.MinimizeParams{Light: true},
- func(p1 *prog.Prog, callIndex int) bool {
- if len(p1.Calls) == 0 {
- // We do want to keep at least one call, otherwise tools/syz-execprog
- // will immediately exit.
- return false
- }
- crashed, err := ctx.testProg(p1, res.Duration, res.Opts)
- if err != nil {
- ctx.reproLogf(0, "minimization failed with %v", err)
- return false
- }
- return crashed
- })
+ res.Prog, _ = prog.Minimize(res.Prog, -1, prog.MinimizeCrash, func(p1 *prog.Prog, callIndex int) bool {
+ if len(p1.Calls) == 0 {
+ // We do want to keep at least one call, otherwise tools/syz-execprog
+ // will immediately exit.
+ return false
+ }
+ crashed, err := ctx.testProg(p1, res.Duration, res.Opts)
+ if err != nil {
+ ctx.reproLogf(0, "minimization failed with %v", err)
+ return false
+ }
+ return crashed
+ })
return res, nil
}
diff --git a/prog/encoding_test.go b/prog/encoding_test.go
index 24c479948..a577c5be5 100644
--- a/prog/encoding_test.go
+++ b/prog/encoding_test.go
@@ -408,7 +408,7 @@ func TestSerializeDeserializeRandom(t *testing.T) {
if _, _, ok := testSerializeDeserialize(t, p0); ok {
continue
}
- p0, _ = Minimize(p0, -1, MinimizeParams{}, func(p1 *Prog, _ int) bool {
+ p0, _ = Minimize(p0, -1, MinimizeCorpus, func(p1 *Prog, _ int) bool {
_, _, ok := testSerializeDeserialize(t, p1)
return !ok
})
diff --git a/prog/expr_test.go b/prog/expr_test.go
index bdb4201dd..6b767cd11 100644
--- a/prog/expr_test.go
+++ b/prog/expr_test.go
@@ -186,7 +186,7 @@ func TestConditionalMinimize(t *testing.T) {
assert.NoError(tt, err)
p, err := target.Deserialize([]byte(test.input), Strict)
assert.NoError(tt, err)
- p1, _ := Minimize(p, 0, MinimizeParams{}, test.pred)
+ p1, _ := Minimize(p, 0, MinimizeCorpus, test.pred)
res := p1.Serialize()
assert.Equal(tt, test.output, strings.TrimSpace(string(res)))
})
diff --git a/prog/minimization.go b/prog/minimization.go
index 57999b397..935c18232 100644
--- a/prog/minimization.go
+++ b/prog/minimization.go
@@ -30,25 +30,24 @@ var (
"Total number of filename minimization attempts", stat.StackedGraph("minimize"))
)
-type MinimizeParams struct {
- // CallIndex was intentionally not included in this struct, since its
- // default value should be -1, while the default value of 0 would introduce a bug.
-
- // If RemoveCallsOnly is set to true, Minimize() focuses only on removing whole calls.
- RemoveCallsOnly bool
-
- // Light speeds up the minimization by
- // 1. Not removing array elements one by one.
- // 2. Not bisecting blobs too much.
- // 3. Not minimizing integer values.
- Light bool
-}
+type MinimizeMode int
+
+const (
+ // Minimize for inclusion into corpus.
+ // This generally tries to reduce number of arguments for future mutation.
+ MinimizeCorpus MinimizeMode = iota
+ // Minimize crash reproducer.
+ // This mode assumes each test is expensive (need to reboot), so tries fewer things.
+ MinimizeCrash
+ // Only try to remove calls.
+ MinimizeCallsOnly
+)
// Minimize minimizes program p into an equivalent program using the equivalence
// predicate pred. It iteratively generates simpler programs and asks pred
// whether it is equal to the original program or not. If it is equivalent then
// the simplification attempt is committed and the process continues.
-func Minimize(p0 *Prog, callIndex0 int, params MinimizeParams, pred0 func(*Prog, int) bool) (*Prog, int) {
+func Minimize(p0 *Prog, callIndex0 int, mode MinimizeMode, pred0 func(*Prog, int) bool) (*Prog, int) {
pred := func(p *Prog, callIndex int, what *stat.Val) bool {
what.Add(1)
p.sanitizeFix()
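Review bot: The new exported type `MinimizeMode` has no doc comment of its own, and the comments on its three constants do not begin with the constant names, so they read as loose notes rather than Go doc comments. I would add `// MinimizeMode selects which simplifications Minimize attempts.` above the type and reword the constant comments to start with `// MinimizeCorpus ...`, `// MinimizeCrash ...` and `// MinimizeCallsOnly ...`. The doc comment on `Minimize` still does not mention the `mode` parameter; one sentence saying that it controls how much work is attempted per call would close that gap. The body of `Minimize` continues outside this hunk.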
@@ -66,7 +65,7 @@ func Minimize(p0 *Prog, callIndex0 int, params MinimizeParams, pred0 func(*Prog,
// Try to remove all calls except the last one one-by-one.
p0, callIndex0 = removeCalls(p0, callIndex0, pred)
- if !params.RemoveCallsOnly {
+ if mode != MinimizeCallsOnly {
// Try to reset all call props to their default values.
p0 = resetCallProps(p0, callIndex0, pred)
@@ -79,7 +78,7 @@ func Minimize(p0 *Prog, callIndex0 int, params MinimizeParams, pred0 func(*Prog,
target: p0.Target,
p0: &p0,
callIndex0: callIndex0,
- params: params,
+ mode: mode,
pred: pred,
triedPaths: make(map[string]bool),
}
@@ -193,7 +192,7 @@ type minimizeArgsCtx struct {
p *Prog
call *Call
callIndex0 int
- params MinimizeParams
+ mode MinimizeMode
pred minimizePred
triedPaths map[string]bool
}
@@ -265,7 +264,7 @@ func (typ *ArrayType) minimize(ctx *minimizeArgsCtx, arg Arg, path string) bool
elem := a.Inner[i]
elemPath := fmt.Sprintf("%v-%v", path, i)
// Try to remove individual elements one-by-one.
- if !ctx.params.Light && !ctx.triedPaths[elemPath] &&
+ if ctx.mode == MinimizeCorpus && !ctx.triedPaths[elemPath] &&
(typ.Kind == ArrayRandLen ||
typ.Kind == ArrayRangeLen && uint64(len(a.Inner)) > typ.RangeBegin) {
ctx.triedPaths[elemPath] = true
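Review bot: The mode gates are written with two different polarities. This check enables per-element removal only when `ctx.mode == MinimizeCorpus`, while `minimizeInt`, `ResourceType.minimize` and the bisection loop in `BufferType.minimize` (the three hunks that follow) cut work short only when `ctx.mode == MinimizeCrash`. For the three current modes this appears to match the old `Light` flag, because `MinimizeCallsOnly` seems to skip argument minimization altogether. A mode added later would silently get the cheap array path together with the expensive integer, resource and buffer paths. Consider routing all four sites through one predicate, for example `func (m MinimizeMode) light() bool { return m == MinimizeCrash }`, so the policy lives in one place. The enclosing method starts and ends outside this hunk.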
@@ -308,7 +307,7 @@ func (typ *ProcType) minimize(ctx *minimizeArgsCtx, arg Arg, path string) bool {
func minimizeInt(ctx *minimizeArgsCtx, arg Arg, path string) bool {
// TODO: try to reset bits in ints
// TODO: try to set separate flags
- if ctx.params.Light {
+ if ctx.mode == MinimizeCrash {
return false
}
a := arg.(*ConstArg)
@@ -336,7 +335,7 @@ func minimizeInt(ctx *minimizeArgsCtx, arg Arg, path string) bool {
}
func (typ *ResourceType) minimize(ctx *minimizeArgsCtx, arg Arg, path string) bool {
- if ctx.params.Light {
+ if ctx.mode == MinimizeCrash {
return false
}
a := arg.(*ResultArg)
@@ -380,7 +379,7 @@ func (typ *BufferType) minimize(ctx *minimizeArgsCtx, arg Arg, path string) bool
ctx.target.assignSizesCall(ctx.call)
}
step /= 2
- if ctx.params.Light {
+ if ctx.mode == MinimizeCrash {
break
}
}
diff --git a/prog/minimization_test.go b/prog/minimization_test.go
index e0736206a..7862bcc01 100644
--- a/prog/minimization_test.go
+++ b/prog/minimization_test.go
@@ -251,7 +251,7 @@ func TestMinimize(t *testing.T) {
if err != nil {
t.Fatalf("failed to deserialize original program #%v: %v", ti, err)
}
- p1, ci := Minimize(p, test.callIndex, MinimizeParams{}, test.pred)
+ p1, ci := Minimize(p, test.callIndex, MinimizeCorpus, test.pred)
res := p1.Serialize()
if string(res) != test.result {
t.Fatalf("minimization produced wrong result #%v\norig:\n%v\nexpect:\n%v\ngot:\n%v",
@@ -270,10 +270,10 @@ func TestMinimizeRandom(t *testing.T) {
ct := target.DefaultChoiceTable()
r := rand.New(rs)
for i := 0; i < iters; i++ {
- for _, crash := range []bool{false, true} {
+ for _, mode := range []MinimizeMode{MinimizeCorpus, MinimizeCrash} {
p := target.Generate(rs, 5, ct)
copyP := p.Clone()
- minP, _ := Minimize(p, len(p.Calls)-1, MinimizeParams{Light: crash}, func(p1 *Prog, callIndex int) bool {
+ minP, _ := Minimize(p, len(p.Calls)-1, mode, func(p1 *Prog, callIndex int) bool {
if r.Intn(2) == 0 {
return false
}
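Review bot: The randomized tests iterate only over `MinimizeCorpus` and `MinimizeCrash`, so `MinimizeCallsOnly` is not exercised here, in `TestMinimizeCallIndex` in the next hunk, or in the `generateProg` loop in prog/rand_test.go. Since the mode is now a single enum value, covering it here is a one-word change: `for _, mode := range []MinimizeMode{MinimizeCorpus, MinimizeCrash, MinimizeCallsOnly} {`. The same extension could be applied at the other two sites where it does not disturb what those tests rely on. The loop body continues outside this hunk.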
@@ -296,7 +296,11 @@ func TestMinimizeCallIndex(t *testing.T) {
for i := 0; i < iters; i++ {
p := target.Generate(rs, 5, ct)
ci := r.Intn(len(p.Calls))
- p1, ci1 := Minimize(p, ci, MinimizeParams{Light: r.Intn(2) == 0}, func(p1 *Prog, callIndex int) bool {
+ mode := MinimizeCorpus
+ if r.Intn(2) == 0 {
+ mode = MinimizeCrash
+ }
+ p1, ci1 := Minimize(p, ci, mode, func(p1 *Prog, callIndex int) bool {
return r.Intn(2) == 0
})
if ci1 < 0 || ci1 >= len(p1.Calls) || p.Calls[ci].Meta.Name != p1.Calls[ci1].Meta.Name {
diff --git a/prog/prog_test.go b/prog/prog_test.go
index e6c7f4a2b..29f2aee5b 100644
--- a/prog/prog_test.go
+++ b/prog/prog_test.go
@@ -195,7 +195,7 @@ func testCrossTarget(t *testing.T, target *Target, crossTargets []*Target) {
testCrossArchProg(t, p, crossTargets)
p.Mutate(rs, 20, ct, nil, nil)
testCrossArchProg(t, p, crossTargets)
- p, _ = Minimize(p, -1, MinimizeParams{}, func(*Prog, int) bool {
+ p, _ = Minimize(p, -1, MinimizeCorpus, func(*Prog, int) bool {
return rs.Int63()%2 == 0
})
testCrossArchProg(t, p, crossTargets)
diff --git a/prog/rand_test.go b/prog/rand_test.go
index d1e963595..b165bd410 100644
--- a/prog/rand_test.go
+++ b/prog/rand_test.go
@@ -72,8 +72,8 @@ func generateProg(t *testing.T, target *Target, rs rand.Source, ct *ChoiceTable,
return limit > 0
})
}
- for _, crash := range []bool{false, true} {
- p, _ = Minimize(p, -1, MinimizeParams{Light: crash}, func(*Prog, int) bool {
+ for _, mode := range []MinimizeMode{MinimizeCorpus, MinimizeCrash} {
+ p, _ = Minimize(p, -1, mode, func(*Prog, int) bool {
return rs.Int63()%10 == 0
})
}