diff options
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/fuzzer/fuzzer.go | 34 | ||||
| -rw-r--r-- | pkg/fuzzer/job.go | 35 | ||||
| -rw-r--r-- | pkg/fuzzer/job_test.go | 4 |
3 files changed, 31 insertions, 42 deletions
diff --git a/pkg/fuzzer/fuzzer.go b/pkg/fuzzer/fuzzer.go index 8be912139..b0ceaf9c0 100644 --- a/pkg/fuzzer/fuzzer.go +++ b/pkg/fuzzer/fuzzer.go @@ -100,26 +100,26 @@ func (fuzzer *Fuzzer) execute(executor queue.Executor, req *queue.Request) *queu return fuzzer.executeWithFlags(executor, req, 0) } -func (fuzzer *Fuzzer) executeWithFlags(executor queue.Executor, req *queue.Request, flags ProgTypes) *queue.Result { +func (fuzzer *Fuzzer) executeWithFlags(executor queue.Executor, req *queue.Request, flags ProgFlags) *queue.Result { executor.Submit(req) res := req.Wait(fuzzer.ctx) fuzzer.processResult(req, res, flags) return res } -func (fuzzer *Fuzzer) prepare(req *queue.Request, flags ProgTypes) { +func (fuzzer *Fuzzer) prepare(req *queue.Request, flags ProgFlags) { req.OnDone(func(req *queue.Request, res *queue.Result) bool { fuzzer.processResult(req, res, flags) return true }) } -func (fuzzer *Fuzzer) enqueue(executor queue.Executor, req *queue.Request, flags ProgTypes) { +func (fuzzer *Fuzzer) enqueue(executor queue.Executor, req *queue.Request, flags ProgFlags) { fuzzer.prepare(req, flags) executor.Submit(req) } -func (fuzzer *Fuzzer) processResult(req *queue.Request, res *queue.Result, flags ProgTypes) { +func (fuzzer *Fuzzer) processResult(req *queue.Request, res *queue.Result, flags ProgFlags) { inTriage := flags&progInTriage > 0 // Triage individual calls. // We do it before unblocking the waiting threads because @@ -154,7 +154,7 @@ type Config struct { NewInputFilter func(call string) bool } -func (fuzzer *Fuzzer) triageProgCall(p *prog.Prog, info *flatrpc.CallInfo, call int, flags ProgTypes) { +func (fuzzer *Fuzzer) triageProgCall(p *prog.Prog, info *flatrpc.CallInfo, call int, flags ProgFlags) { if info == nil { return } @@ -243,17 +243,31 @@ func (fuzzer *Fuzzer) Logf(level int, msg string, args ...interface{}) { fuzzer.Config.Logf(level, msg, args...) } +type ProgFlags int + +const ( + ProgMinimized ProgFlags = 1 << iota + ProgSmashed + + progCandidate + progInTriage +) + type Candidate struct { - Prog *prog.Prog - Smashed bool - Minimized bool + Prog *prog.Prog + Flags ProgFlags } func (fuzzer *Fuzzer) AddCandidates(candidates []Candidate) { fuzzer.statCandidates.Add(len(candidates)) for _, candidate := range candidates { - req, flags := candidateRequest(fuzzer, candidate) - fuzzer.enqueue(fuzzer.candidateQueue, req, flags) + req := &queue.Request{ + Prog: candidate.Prog, + ExecOpts: setFlags(flatrpc.ExecFlagCollectSignal), + Stat: fuzzer.statExecCandidate, + Important: true, + } + fuzzer.enqueue(fuzzer.candidateQueue, req, candidate.Flags|progCandidate) } } diff --git a/pkg/fuzzer/job.go b/pkg/fuzzer/job.go index 00c7c034b..9d51ec2d8 100644 --- a/pkg/fuzzer/job.go +++ b/pkg/fuzzer/job.go @@ -20,15 +20,6 @@ type job interface { run(fuzzer *Fuzzer) } -type ProgTypes int - -const ( - progCandidate ProgTypes = 1 << iota - progMinimized - progSmashed - progInTriage -) - func genProgRequest(fuzzer *Fuzzer, rnd *rand.Rand) *queue.Request { p := fuzzer.target.Generate(rnd, prog.RecommendedCalls, @@ -59,22 +50,6 @@ func mutateProgRequest(fuzzer *Fuzzer, rnd *rand.Rand) *queue.Request { } } -func candidateRequest(fuzzer *Fuzzer, input Candidate) (*queue.Request, ProgTypes) { - flags := progCandidate - if input.Minimized { - flags |= progMinimized - } - if input.Smashed { - flags |= progSmashed - } - return &queue.Request{ - Prog: input.Prog, - ExecOpts: setFlags(flatrpc.ExecFlagCollectSignal), - Stat: fuzzer.statExecCandidate, - Important: true, - }, flags -} - // triageJob are programs for which we noticed potential new coverage during // first execution. But we are not sure yet if the coverage is real or not. // During triage we understand if these programs in fact give new coverage, @@ -84,12 +59,12 @@ type triageJob struct { call int info *flatrpc.CallInfo newSignal signal.Signal - flags ProgTypes + flags ProgFlags fuzzer *Fuzzer queue queue.Executor } -func (job *triageJob) execute(req *queue.Request, flags ProgTypes) *queue.Result { +func (job *triageJob) execute(req *queue.Request, flags ProgFlags) *queue.Result { req.Important = true // All triage executions are important. return job.fuzzer.executeWithFlags(job.queue, req, flags) } @@ -106,7 +81,7 @@ func (job *triageJob) run(fuzzer *Fuzzer) { if stop || info.newStableSignal.Empty() { return } - if job.flags&progMinimized == 0 { + if job.flags&ProgMinimized == 0 { stop = job.minimize(info.newStableSignal) if stop { return @@ -116,7 +91,7 @@ func (job *triageJob) run(fuzzer *Fuzzer) { return } fuzzer.Logf(2, "added new input for %v to the corpus: %s", callName, job.p) - if job.flags&progSmashed == 0 { + if job.flags&ProgSmashed == 0 { fuzzer.startJob(fuzzer.statJobsSmash, &smashJob{ p: job.p.Clone(), call: job.call, @@ -139,7 +114,7 @@ type deflakedCover struct { rawCover []uint64 } -func (job *triageJob) deflake(exec func(*queue.Request, ProgTypes) *queue.Result, stat *stats.Val, +func (job *triageJob) deflake(exec func(*queue.Request, ProgFlags) *queue.Result, stat *stats.Val, rawCover bool) (info deflakedCover, stop bool) { // As demonstrated in #4639, programs reproduce with a very high, but not 100% probability. // The triage algorithm must tolerate this, so let's pick the signal that is common diff --git a/pkg/fuzzer/job_test.go b/pkg/fuzzer/job_test.go index cbb99daec..c975d0128 100644 --- a/pkg/fuzzer/job_test.go +++ b/pkg/fuzzer/job_test.go @@ -29,7 +29,7 @@ func TestDeflakeFail(t *testing.T) { } run := 0 - ret, stop := testJob.deflake(func(_ *queue.Request, _ ProgTypes) *queue.Result { + ret, stop := testJob.deflake(func(_ *queue.Request, _ ProgFlags) *queue.Result { run++ // For first, we return 0 and 1. For second, 1 and 2. And so on. return fakeResult(0, []uint64{uint64(run), uint64(run + 1)}, []uint64{10, 20}) @@ -54,7 +54,7 @@ func TestDeflakeSuccess(t *testing.T) { newSignal: signal.FromRaw([]uint64{0, 1, 2}, 0), } run := 0 - ret, stop := testJob.deflake(func(_ *queue.Request, _ ProgTypes) *queue.Result { + ret, stop := testJob.deflake(func(_ *queue.Request, _ ProgFlags) *queue.Result { run++ switch run { case 1: |