From 354c3244659f5a81d9ccbdb4cddceeda30b90e9d Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Tue, 10 Oct 2017 10:41:27 +0200
Subject: syz-fuzzer: don't send/check CallIndex for inputs

The call index check episodically fails: 2017/10/02 22:07:32 bad call index 1, calls 1, program: under unknown circumstances. I've looked at the code again and don't see where/how we can mess CallIndex. Added a new test for minimization that especially checks resulting CallIndex. It would be good to understand what happens, but we don't have any reproducers. CallIndex is actually unused at this point. Manager only needs call name. So remove CallIndex entirely.
---
 pkg/rpctype/rpctype.go | 9 ++++-----
 prog/mutation.go | 2 +-
 prog/mutation_test.go | 16 ++++++++++++++++
 syz-fuzzer/fuzzer.go | 12 ++++--------
 4 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/pkg/rpctype/rpctype.go b/pkg/rpctype/rpctype.go
index 78f8938f8..efe9e4c1d 100644
--- a/pkg/rpctype/rpctype.go
+++ b/pkg/rpctype/rpctype.go
@@ -6,11 +6,10 @@
 package rpctype
 
 type RpcInput struct {
- Call string
- Prog []byte
- CallIndex int
- Signal []uint32
- Cover []uint32
+ Call string
+ Prog []byte
+ Signal []uint32
+ Cover []uint32
 }
 
 type RpcCandidate struct {
diff --git a/prog/mutation.go b/prog/mutation.go
index ac6aa63fe..ca5cb8874 100644
--- a/prog/mutation.go
+++ b/prog/mutation.go
@@ -475,7 +475,7 @@ func Minimize(p0 *Prog, callIndex0 int, pred0 func(*Prog, int) bool, crash bool)
 if callIndex0 != -1 {
 if callIndex0 < 0 || callIndex0 >= len(p0.Calls) || name0 != p0.Calls[callIndex0].Meta.Name {
- panic(fmt.Sprintf("bad call index after minimizatoin: ncalls=%v index=%v call=%v/%v",
+ panic(fmt.Sprintf("bad call index after minimization: ncalls=%v index=%v call=%v/%v",
 len(p0.Calls), callIndex0, name0, p0.Calls[callIndex0].Meta.Name))
 }
 }
diff --git a/prog/mutation_test.go b/prog/mutation_test.go
index 4e9bb626a..1fe2da9eb 100644
--- a/prog/mutation_test.go
+++ b/prog/mutation_test.go
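Review bot: RpcInput is an exported wire type sent to the manager, and after dropping CallIndex nothing on the struct says what Call now identifies; the receiver can only match the call by name, which is ambiguous when the same syscall occurs more than once in Prog. Add a doc comment on the type, e.g. `// RpcInput is a program reported by a fuzzer to the manager (Manager.NewInput). Call is the name of the call whose Signal and Cover are attached; its position in Prog is deliberately not transmitted.` That the manager needs only the name is taken from the commit message, not from anything visible in this hunk, so confirm before wording the comment that strongly.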
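Review bot: The corrected message on the `+` line in prog/mutation.go is still unreachable for the two out-of-range cases the condition tests, because the argument list on the following context line evaluates `p0.Calls[callIndex0].Meta.Name` before Sprintf runs and itself panics with a runtime index-out-of-range error. Only the name-mismatch case ever prints this text, so the diagnostic this commit is chasing is lost exactly when the index is bad. Compute the current name guardedly before the panic, as below; Minimize's signature and the rest of its body lie outside the hunk.
```go
		if callIndex0 < 0 || callIndex0 >= len(p0.Calls) || name0 != p0.Calls[callIndex0].Meta.Name {
			// Index guardedly: the condition above is exactly the case where
			// p0.Calls[callIndex0] may be out of range.
			name1 := "<index out of range>"
			if callIndex0 >= 0 && callIndex0 < len(p0.Calls) {
				name1 = p0.Calls[callIndex0].Meta.Name
			}
			panic(fmt.Sprintf("bad call index after minimization: ncalls=%v index=%v call=%v/%v",
				len(p0.Calls), callIndex0, name0, name1))
		}
```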
@@ -6,6 +6,7 @@ package prog
 import (
 "bytes"
 "fmt"
+ "math/rand"
 "testing"
 )
 
@@ -310,3 +311,18 @@ func TestMinimizeRandom(t *testing.T) {
 }, false)
 }
 }
+
+func TestMinimizeCallIndex(t *testing.T) {
+ target, rs, iters := initTest(t)
+ r := rand.New(rs)
+ for i := 0; i < iters; i++ {
+ p := target.Generate(rs, 5, nil)
+ ci := r.Intn(len(p.Calls))
+ p1, ci1 := Minimize(p, ci, func(p1 *Prog, callIndex int) bool {
+ return r.Intn(2) == 0
+ }, r.Intn(2) == 0)
+ if ci1 < 0 || ci1 >= len(p1.Calls) || p.Calls[ci].Meta.Name != p1.Calls[ci1].Meta.Name {
+ t.Fatalf("bad call index after minimization")
+ }
+ }
+}
diff --git a/syz-fuzzer/fuzzer.go b/syz-fuzzer/fuzzer.go
index 955b561e2..613c57e1c 100644
--- a/syz-fuzzer/fuzzer.go
+++ b/syz-fuzzer/fuzzer.go
@@ -477,9 +477,6 @@ func addInput(inp RpcInput) {
 if err != nil {
 panic(err)
 }
- if inp.CallIndex < 0 || inp.CallIndex >= len(p.Calls) {
- Fatalf("bad call index %v, calls %v, program:\n%s", inp.CallIndex, len(p.Calls), inp.Prog)
- }
 sig := hash.Hash(inp.Prog)
 if _, ok := corpusHashes[sig]; !ok {
 corpus = append(corpus, p)
@@ -599,11 +596,10 @@ func triageInput(pid int, env *ipc.Env, inp Input) {
 a := &NewInputArgs{
 Name: *flagName,
 RpcInput: RpcInput{
- Call: call.CallName,
- Prog: data,
- CallIndex: inp.call,
- Signal: []uint32(cover.Canonicalize(inp.signal)),
- Cover: []uint32(inputCover),
+ Call: call.CallName,
+ Prog: data,
+ Signal: []uint32(cover.Canonicalize(inp.signal)),
+ Cover: []uint32(inputCover),
 },
 }
 if err := manager.Call("Manager.NewInput", a, nil); err != nil {
-- 
cgit mrf-deployment
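Review bot: The failure message in TestMinimizeCallIndex carries no diagnostics, which undercuts the stated purpose of the test: the commit message says the original failure has no reproducer, yet when this test fires nothing records which index, program length or call name mismatched. Change the line to `t.Fatalf("bad call index after minimization: ci=%v ci1=%v ncalls=%v/%v call=%v", ci, ci1, len(p.Calls), len(p1.Calls), p.Calls[ci].Meta.Name)` and, since the verifier cannot reconstruct the random walk, consider also dumping p in serialized form in the same message. Do not print `p1.Calls[ci1].Meta.Name` there, because ci1 may be out of range in the failing branch. Separately, `r.Intn(len(p.Calls))` panics if Generate can ever return an empty program; presumably the ncalls argument of 5 rules that out, but a one-line comment saying so would help the next reader.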
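Review bot: In addInput, with the index check deleted the only validation left on a manager-supplied program is the error path on the context lines, and its bare `panic(err)` reports neither the failing program nor its source, whereas the removed Fatalf did dump inp.Prog. Keep that diagnostic on the surviving path, e.g. `Fatalf("failed to parse input program: %v\n%s", err, inp.Prog)`, using the same helper the removed line used. The start of addInput, including whatever call produces err and p (presumably a deserialize step), is outside the hunk, so the exact call site is inferred.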