From b8cb4435c41161328335f7d07e3a714e1fceacc4 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Wed, 18 Jan 2017 16:24:07 +0100
Subject: syz-fuzzer: check for new coverage during minimization

There is no reason to not check for new coverage during minimization. We execute new programs, and can well get new interesting programs with new coverage. So do that. Since execute updates maxCover synchronously, we should not get any kind of positive feedback loop due to that.
---
 syz-fuzzer/fuzzer.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/syz-fuzzer/fuzzer.go b/syz-fuzzer/fuzzer.go
index 814986316..65916ce55 100644
--- a/syz-fuzzer/fuzzer.go
+++ b/syz-fuzzer/fuzzer.go
@@ -436,7 +436,7 @@ func triageInput(pid int, env *ipc.Env, inp Input) {
 	if !inp.minimized {
 		inp.p, inp.call = prog.Minimize(inp.p, inp.call, func(p1 *prog.Prog, call1 int) bool {
-			allCover := execute1(pid, env, p1, &statExecMinimize)
+			allCover := execute(pid, env, p1, false, &statExecMinimize)
 			coverMu.RLock()
 			defer coverMu.RUnlock()
@@ -471,7 +471,7 @@ func triageInput(pid int, env *ipc.Env, inp Input) {
 	corpusHashes[hash(data)] = struct{}{}
 }
-func execute(pid int, env *ipc.Env, p *prog.Prog, minimized bool, stat *uint64) {
+func execute(pid int, env *ipc.Env, p *prog.Prog, minimized bool, stat *uint64) []cover.Cover {
 	allCover := execute1(pid, env, p, stat)
 	coverMu.RLock()
 	defer coverMu.RUnlock()
@@ -500,6 +500,7 @@ func execute(pid int, env *ipc.Env, p *prog.Prog, minimized bool, stat *uint64)
 			triageMu.Unlock()
 		}
 	}
+	return allCover
 }
 var logMu sync.Mutex
-- 
cgit mrf-deployment
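Review bot: The `false` passed as the `minimized` argument on the new `execute(pid, env, p1, false, &statExecMinimize)` line is unexplained at the call site, and it has a consequence a reader should see: every intermediate candidate `p1` that exposes new coverage is queued for triage as an unminimized input and will go through its own Minimize round later. The commit message says this cannot loop because `execute` merges the new coverage into `maxCover` synchronously before queueing, but that reasoning lives only in the message, not in the code. Suggest a comment directly above the call: `// p1 is an intermediate candidate, not a minimized program; execute queues any new coverage it exposes as unminimized. It already folded that coverage into maxCover, so later rounds cannot re-queue the same signal.` The enclosing triageInput body begins before this hunk and its Minimize callback continues past it.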
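Review bot: `execute` gains a `[]cover.Cover` return value in this hunk but still has no doc comment, and ownership of that slice is not stated: it is whatever `execute1` produced for this run, and nothing in the hunk says whether the per-call covers may alias the executor's output buffer and go stale on the next execution — worth confirming against execute1 before more callers than the Minimize callback start retaining it. Suggest a doc comment above the signature: `// execute runs p once, queues any call whose coverage is new relative to maxCover for triage (flagged with the given minimized state), and returns the per-call coverage of this run; callers should consume the result before executing again rather than retain it.` The body of execute continues past this hunk and the `return allCover` lands in the next one.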