From 2addfcda6297288cd48c399dfbef1f5752162011 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Wed, 29 May 2024 11:28:03 +0200
Subject: syz-manager: add corpus triage mode

Add corpus triage mode and support it in testbed. This is useful to benchmark just the triage phase w/o any subsequent fuzzing. First, fuzzing is more random. Second, if triage duration is different in different versions, then they will do different amount of fuzzing in fixed testbed time.
---
 pkg/fuzzer/fuzzer.go | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

(limited to 'pkg/fuzzer/fuzzer.go')

diff --git a/pkg/fuzzer/fuzzer.go b/pkg/fuzzer/fuzzer.go
index 9ad218433..8be912139 100644
--- a/pkg/fuzzer/fuzzer.go
+++ b/pkg/fuzzer/fuzzer.go
@@ -76,7 +76,7 @@ type execQueues struct {
 func newExecQueues(fuzzer *Fuzzer) execQueues {
 ret := execQueues{
 triageCandidateQueue: queue.DynamicOrder(),
- candidateQueue: queue.PlainWithStat(fuzzer.StatCandidates),
+ candidateQueue: queue.Plain(),
 triageQueue: queue.DynamicOrder(),
 smashQueue: queue.Plain(),
 }
@@ -92,6 +92,10 @@ func newExecQueues(fuzzer *Fuzzer) execQueues {
 return ret
 }

+func (fuzzer *Fuzzer) CandidateTriageFinished() bool {
+ return fuzzer.statCandidates.Val()+fuzzer.statJobsTriageCandidate.Val() == 0
+}
+
 func (fuzzer *Fuzzer) execute(executor queue.Executor, req *queue.Request) *queue.Result {
 return fuzzer.executeWithFlags(executor, req, 0)
 }
@@ -130,6 +134,9 @@ func (fuzzer *Fuzzer) processResult(req *queue.Request, res *queue.Result, flags
 if res.Info != nil {
 fuzzer.statExecTime.Add(int(res.Info.Elapsed / 1e6))
 }
+ if flags&progCandidate != 0 {
+ fuzzer.statCandidates.Add(-1)
+ }
 }

 type Config struct {
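Review bot: The new exported `CandidateTriageFinished` (hunk at +92) has no doc comment, and it returns true before any candidates have been added, because both counters start at zero. A caller that polls it before `AddCandidates` has run would see triage as already finished, so the contract should be written down, e.g. `// CandidateTriageFinished reports whether no candidates are queued or being triaged; it is only meaningful after AddCandidates has been called.` The two `Val()` reads are also not a single snapshot: the sum is reliable only if a candidate's triage job is counted before `statCandidates` is decremented in `processResult`, which appears to be the case but depends on code outside this hunk.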
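Review bot: In `processResult` (hunk at +134) the new decrement balances the `Add(len(candidates))` in `AddCandidates` only if every candidate request reaches this function exactly once with `progCandidate` set. If a candidate-flagged request can be dropped before its result is processed, or if follow-up executions carry the same flag, `statCandidates` would not return to zero and `CandidateTriageFinished` would never report completion; neither path is visible here, so this is worth confirming. A comment such as `// Pairs with the Add(len(candidates)) in AddCandidates.` would make the pairing explicit. The test is written `!= 0` here while `triageProgCall` uses `> 0` for the same flag; one form throughout would read better. The function body starts outside the hunk.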
@@ -161,11 +168,11 @@ func (fuzzer *Fuzzer) triageProgCall(p *prog.Prog, info *flatrpc.CallInfo, call
 }
 fuzzer.Logf(2, "found new signal in call %d in %s", call, p)

- queue := fuzzer.triageQueue
+ queue, stat := fuzzer.triageQueue, fuzzer.statJobsTriage
 if flags&progCandidate > 0 {
- queue = fuzzer.triageCandidateQueue
+ queue, stat = fuzzer.triageCandidateQueue, fuzzer.statJobsTriageCandidate
 }
- fuzzer.startJob(fuzzer.statJobsTriage, &triageJob{
+ fuzzer.startJob(stat, &triageJob{
 p: p.Clone(),
 call: call,
 info: info,
@@ -243,6 +250,7 @@ type Candidate struct {
 }

 func (fuzzer *Fuzzer) AddCandidates(candidates []Candidate) {
+ fuzzer.statCandidates.Add(len(candidates))
 for _, candidate := range candidates {
 req, flags := candidateRequest(fuzzer, candidate)
 fuzzer.enqueue(fuzzer.candidateQueue, req, flags)
-- 
cgit mrf-deployment
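Review bot: In `triageProgCall` (hunk at +168) the rewritten line `queue, stat := fuzzer.triageQueue, fuzzer.statJobsTriage` keeps a local named `queue`, which shadows the imported `queue` package for the rest of the function. Since the line is being rewritten anyway, a distinct name would avoid that, e.g. `jobQueue, stat := fuzzer.triageQueue, fuzzer.statJobsTriage` with the matching assignment inside the `if`. The rest of the function, including where the variable is consumed, lies outside the hunk, so the rename would have to follow there.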