From f85e28d8a74848f34bdfb105079245c3d38ff9ae Mon Sep 17 00:00:00 2001
From: Aleksandr Nogikh
Date: Wed, 20 Mar 2024 21:00:39 +0100
Subject: pkg/fuzzer: implement basic max signal rotation

Once in 15 minutes, drop 1000 elements of the pure max signal (that is, max signal minus corpus signal). It seems to have a positive effect on the total fuzzing performance.
---
 pkg/fuzzer/fuzzer_test.go | 63 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

(limited to 'pkg/fuzzer/fuzzer_test.go')

diff --git a/pkg/fuzzer/fuzzer_test.go b/pkg/fuzzer/fuzzer_test.go
index bd6d9a8fe..5c0920109 100644
--- a/pkg/fuzzer/fuzzer_test.go
+++ b/pkg/fuzzer/fuzzer_test.go
@@ -23,6 +23,7 @@ import (
 "github.com/google/syzkaller/pkg/ipc"
 "github.com/google/syzkaller/pkg/ipc/ipcconfig"
 "github.com/google/syzkaller/pkg/rpctype"
+ "github.com/google/syzkaller/pkg/signal"
 "github.com/google/syzkaller/pkg/testutil"
 "github.com/google/syzkaller/prog"
 "github.com/google/syzkaller/sys/targets"
@@ -116,6 +117,68 @@ func BenchmarkFuzzer(b *testing.B) {
 })
 }
 
+func TestRotate(t *testing.T) {
+ target, err := prog.GetTarget(targets.TestOS, targets.TestArch64Fuzz)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ corpusObj := corpus.NewCorpus(ctx)
+ fuzzer := NewFuzzer(ctx, &Config{
+ Debug: true,
+ Corpus: corpusObj,
+ Coverage: true,
+ EnabledCalls: map[*prog.Syscall]bool{
+ target.SyscallMap["syz_compare"]: true,
+ },
+ }, rand.New(testutil.RandSource(t)), target)
+
+ fakeSignal := func(size int) signal.Signal {
+ var pc []uint32
+ for i := 0; i < size; i++ {
+ pc = append(pc, uint32(i))
+ }
+ return signal.FromRaw(pc, 0)
+ }
+
+ prog, err := target.Deserialize(
+ []byte(`syz_compare(&AUTO="00000000", 0x4, &AUTO=@conditional={0x0, @void, @void}, AUTO)`),
+ prog.NonStrict)
+ assert.NoError(t, err)
+ corpusObj.Save(corpus.NewInput{
+ Prog: prog,
+ Call: 0,
+ Signal: fakeSignal(100),
+ })
+ fuzzer.Cover.AddMaxSignal(fakeSignal(1000))
+
+ stats := fuzzer.Stats()
+ assert.Equal(t, 1000, stats.MaxSignal)
+ assert.Equal(t, 100, stats.Signal)
+
+ // Rotate some of the signal.
+ fuzzer.RotateMaxSignal(200)
+ stats = fuzzer.Stats()
+ assert.Equal(t, 800, stats.MaxSignal)
+ assert.Equal(t, 100, stats.Signal)
+
+ plus, minus := fuzzer.Cover.GrabSignalDelta()
+ assert.Equal(t, 0, plus.Len())
+ assert.Equal(t, 200, minus.Len())
+
+ // Rotate the rest.
+ fuzzer.RotateMaxSignal(1000)
+ stats = fuzzer.Stats()
+ assert.Equal(t, 100, stats.MaxSignal)
+ assert.Equal(t, 100, stats.Signal)
+ plus, minus = fuzzer.Cover.GrabSignalDelta()
+ assert.Equal(t, 0, plus.Len())
+ assert.Equal(t, 700, minus.Len())
+}
+
 // Based on the example from Go documentation.
 var crc32q = crc32.MakeTable(0xD5828281)
 
-- 
cgit mrf-deployment
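Review bot: In TestRotate the error from `target.Deserialize` is checked with `assert.NoError(t, err)`, which (assuming `assert` is testify's) records the failure but lets the test run on, so a parse error would hand a nil program to `corpusObj.Save` and most likely end in a panic that hides the real cause. The `GetTarget` check at the top of the function already stops with `t.Fatal(err)`; the same form fits here: `if err != nil { t.Fatal(err) }`. The local `prog` also shadows the imported `prog` package for the rest of the function, and a name such as `p` avoids that. The assertions compare only counts, so a rotation that evicted corpus signal while keeping the totals equal would presumably still pass; a check that the 100 corpus elements remain in max signal after the final rotation would pin the "max signal minus corpus signal" contract stated in the commit message.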