From 8fa0c867d4e4bbd97321b19ac11115fa7020570a Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov <dvyukov@google.com>
Date: Fri, 20 Oct 2017 12:23:21 +0200
Subject: syz-fuzzer: generates hints only for the call that gave new coverage

During smashing we know what call gave new coverage,
so we can concentrate just on it.
This helps to reduce amount of hints generated (we have too many of them).
---
 prog/hints.go                  | 15 +++++++--------
 prog/hints_test.go             |  7 +++----
 syz-fuzzer/fuzzer.go           |  6 +++---
 tools/syz-execprog/execprog.go | 15 ++++++++-------
 4 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/prog/hints.go b/prog/hints.go
index 5a05d7f56..87b92229d 100644
--- a/prog/hints.go
+++ b/prog/hints.go
@@ -47,15 +47,14 @@ func (m CompMap) AddComp(arg1, arg2 uint64) {
 
 // Mutates the program using the comparison operands stored in compMaps.
 // For each of the mutants executes the exec callback.
-func (p *Prog) MutateWithHints(compMaps []CompMap, exec func(newP *Prog)) {
-	for i, c := range p.Calls {
-		if c.Meta == p.Target.MmapSyscall {
-			continue
-		}
-		foreachArg(c, func(arg, _ Arg, _ *[]Arg) {
-			generateHints(p, compMaps[i], c, arg, exec)
-		})
+func (p *Prog) MutateWithHints(callIndex int, comps CompMap, exec func(newP *Prog)) {
+	c := p.Calls[callIndex]
+	if c.Meta == p.Target.MmapSyscall {
+		return
 	}
+	foreachArg(c, func(arg, _ Arg, _ *[]Arg) {
+		generateHints(p, comps, c, arg, exec)
+	})
 }
 
 func generateHints(p *Prog, compMap CompMap, c *Call, arg Arg, exec func(p *Prog)) {
diff --git a/prog/hints_test.go b/prog/hints_test.go
index 31cc13889..9e5c88343 100644
--- a/prog/hints_test.go
+++ b/prog/hints_test.go
@@ -343,18 +343,17 @@ func TestHintsRandom(t *testing.T) {
 	r := newRand(target, rs)
 	for i := 0; i < iters; i++ {
 		p := target.Generate(rs, 5, nil)
-		comps := make([]CompMap, len(p.Calls))
 		for i, c := range p.Calls {
 			vals := extractValues(c)
 			for j := 0; j < 5; j++ {
 				vals[r.randInt()] = true
 			}
-			comps[i] = make(CompMap)
+			comps := make(CompMap)
 			for v := range vals {
-				comps[i].AddComp(v, r.randInt())
+				comps.AddComp(v, r.randInt())
 			}
+			p.MutateWithHints(i, comps, func(p1 *Prog) {})
 		}
-		p.MutateWithHints(comps, func(p1 *Prog) {})
 	}
 }
 
diff --git a/syz-fuzzer/fuzzer.go b/syz-fuzzer/fuzzer.go
index b336dea52..ea7b1fcff 100644
--- a/syz-fuzzer/fuzzer.go
+++ b/syz-fuzzer/fuzzer.go
@@ -502,7 +502,7 @@ func smashInput(pid int, env *ipc.Env, ct *prog.ChoiceTable, rs rand.Source, inp
 		execute(pid, env, p, false, false, false, false, &statExecSmash)
 	}
 	if compsSupported {
-		executeHintSeed(pid, env, inp.p)
+		executeHintSeed(pid, env, inp.p, inp.call)
 	}
 }
 
@@ -627,7 +627,7 @@ func triageInput(pid int, env *ipc.Env, inp Input) {
 	}
 }
 
-func executeHintSeed(pid int, env *ipc.Env, p *prog.Prog) {
+func executeHintSeed(pid int, env *ipc.Env, p *prog.Prog, call int) {
 	Logf(1, "#%v: collecting comparisons", pid)
 	// First execute the original program to dump comparisons from KCOV.
 	info := execute(pid, env, p, false, true, false, false, &statExecHintSeeds)
@@ -641,7 +641,7 @@ func executeHintSeed(pid int, env *ipc.Env, p *prog.Prog) {
 	// Then mutate the initial program for every match between
 	// a syscall argument and a comparison operand.
 	// Execute each of such mutants to check if it gives new coverage.
-	p.MutateWithHints(compMaps, func(p *prog.Prog) {
+	p.MutateWithHints(call, compMaps[call], func(p *prog.Prog) {
 		Logf(1, "#%v: executing comparison hint", pid)
 		execute(pid, env, p, false, false, false, false, &statExecHints)
 	})
diff --git a/tools/syz-execprog/execprog.go b/tools/syz-execprog/execprog.go
index 9a9a1b48a..6c5df9ffd 100644
--- a/tools/syz-execprog/execprog.go
+++ b/tools/syz-execprog/execprog.go
@@ -179,7 +179,8 @@ func main() {
 					if *flagHints {
 						compMaps := ipc.GetCompMaps(info)
 						ncomps, ncandidates := 0, 0
-						for _, comps := range compMaps {
+						for i := range p.Calls {
+							comps := compMaps[i]
 							for v, args := range comps {
 								ncomps += len(args)
 								if *flagOutput == "stdout" {
@@ -190,13 +191,13 @@ func main() {
 									fmt.Printf("\n")
 								}
 							}
+							p.MutateWithHints(i, comps, func(p *prog.Prog) {
+								ncandidates++
+								if *flagOutput == "stdout" {
+									fmt.Printf("PROGRAM:\n%s\n", p.Serialize())
+								}
+							})
 						}
-						p.MutateWithHints(compMaps, func(p *prog.Prog) {
-							ncandidates++
-							if *flagOutput == "stdout" {
-								fmt.Printf("PROGRAM:\n%s\n", p.Serialize())
-							}
-						})
 						fmt.Printf("ncomps=%v ncandidates=%v\n", ncomps, ncandidates)
 					}
 					return true
-- 
cgit mrf-deployment