From 07dedd50ee8834dbca4da7667e69e72b7d0565b9 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Thu, 27 Jun 2024 12:01:58 +0200
Subject: pkg/fuzzer: remove signal rotation

Signal rotation is intended to make the fuzzer re-discover flaky coverage in non flaky way. However, taking into accout that we get effectively the same effect after each manager restart, and that the fuzzer is overloaded with triage/smash jobs, it does not look to be worth it.
---
 pkg/fuzzer/cover.go | 31 +++++-------------------
 pkg/fuzzer/fuzzer.go | 12 ----------
 pkg/fuzzer/fuzzer_test.go | 60 -----------------------------------------------
 pkg/fuzzer/job_test.go | 1 +
 4 files changed, 7 insertions(+), 97 deletions(-)
(limited to 'pkg/fuzzer')
diff --git a/pkg/fuzzer/cover.go b/pkg/fuzzer/cover.go
index c34a3b219..4421693b1 100644
--- a/pkg/fuzzer/cover.go
+++ b/pkg/fuzzer/cover.go
@@ -12,10 +12,9 @@ import (
 
 // Cover keeps track of the signal known to the fuzzer.
 type Cover struct {
- mu sync.RWMutex
- maxSignal signal.Signal // max signal ever observed (including flakes)
- newSignal signal.Signal // newly identified max signal
- dropSignal signal.Signal // the newly dropped max signal
+ mu sync.RWMutex
+ maxSignal signal.Signal // max signal ever observed (including flakes)
+ newSignal signal.Signal // newly identified max signal
 }
 
 func newCover() *Cover {
@@ -31,7 +30,6 @@ func (cover *Cover) AddMaxSignal(sign signal.Signal) {
 cover.mu.Lock()
 defer cover.mu.Unlock()
 cover.maxSignal.Merge(sign)
- cover.dropSignal.Subtract(sign)
 }
 
 func (cover *Cover) addRawMaxSignal(signal []uint64, prio uint8) signal.Signal {
@@ -43,36 +41,19 @@ func (cover *Cover) addRawMaxSignal(signal []uint64, prio uint8) signal.Signal {
 }
 cover.maxSignal.Merge(diff)
 cover.newSignal.Merge(diff)
- cover.dropSignal.Subtract(diff)
 return diff
 }
 
-func (cover *Cover) pureMaxSignal(corpus signal.Signal) signal.Signal {
- cover.mu.RLock()
- defer cover.mu.RUnlock()
- return corpus.Diff(cover.maxSignal)
-}
-
 func (cover *Cover) CopyMaxSignal() signal.Signal {
 cover.mu.RLock()
 defer cover.mu.RUnlock()
 return cover.maxSignal.Copy()
 }
 
-func (cover *Cover) GrabSignalDelta() (plus, minus signal.Signal) {
+func (cover *Cover) GrabSignalDelta() signal.Signal {
 cover.mu.Lock()
 defer cover.mu.Unlock()
- plus = cover.newSignal
+ plus := cover.newSignal
 cover.newSignal = nil
- minus = cover.dropSignal
- cover.dropSignal = nil
- return
-}
-
-func (cover *Cover) subtract(delta signal.Signal) {
- cover.mu.Lock()
- defer cover.mu.Unlock()
- cover.maxSignal.Subtract(delta)
- cover.newSignal.Subtract(delta)
- cover.dropSignal.Merge(delta)
+ return plus
 }
diff --git a/pkg/fuzzer/fuzzer.go b/pkg/fuzzer/fuzzer.go
index 09ce69c00..a2b2ef475 100644
--- a/pkg/fuzzer/fuzzer.go
+++ b/pkg/fuzzer/fuzzer.go
@@ -363,18 +363,6 @@ func (fuzzer *Fuzzer) logCurrentStats() {
 }
 }
 
-func (fuzzer *Fuzzer) RotateMaxSignal(items int) {
- corpusSignal := fuzzer.Config.Corpus.Signal()
- pureMaxSignal := fuzzer.Cover.pureMaxSignal(corpusSignal)
- if pureMaxSignal.Len() < items {
- items = pureMaxSignal.Len()
- }
- fuzzer.Logf(1, "rotate %d max signal elements", items)
-
- delta := pureMaxSignal.RandomSubset(fuzzer.rand(), items)
- fuzzer.Cover.subtract(delta)
-}
-
 func setFlags(execFlags flatrpc.ExecFlag) flatrpc.ExecOpts {
 return flatrpc.ExecOpts{
 ExecFlags: execFlags,
diff --git a/pkg/fuzzer/fuzzer_test.go b/pkg/fuzzer/fuzzer_test.go
index 55ec09666..d8c532e1a 100644
--- a/pkg/fuzzer/fuzzer_test.go
+++ b/pkg/fuzzer/fuzzer_test.go
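Review bot: `GrabSignalDelta` in pkg/fuzzer/cover.go changes its exported signature from two results to one but carries no doc comment, and its local is still named `plus`, which only made sense next to `minus`. I would add `// GrabSignalDelta returns the max signal added since the previous call and clears the pending set.` above it and rename the local, `delta := cover.newSignal` … `return delta`. The value is handed out without a copy (unlike `CopyMaxSignal`), which looks safe because the field is set to nil under `cover.mu`, but the comment should say that the caller takes ownership. Callers outside pkg/fuzzer are not visible here because the page's diffstat is limited to that path, so whether every two-value call site was updated cannot be checked from this view.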
@@ -22,7 +22,6 @@ import (
 "github.com/google/syzkaller/pkg/flatrpc"
 "github.com/google/syzkaller/pkg/fuzzer/queue"
 "github.com/google/syzkaller/pkg/rpcserver"
- "github.com/google/syzkaller/pkg/signal"
 "github.com/google/syzkaller/pkg/testutil"
 "github.com/google/syzkaller/pkg/vminfo"
 "github.com/google/syzkaller/prog"
@@ -121,65 +120,6 @@ func BenchmarkFuzzer(b *testing.B) {
 })
 }
 
-const anyTestProg = `syz_compare(&AUTO="00000000", 0x4, &AUTO=@conditional={0x0, @void, @void}, AUTO)`
-
-func TestRotate(t *testing.T) {
- target, err := prog.GetTarget(targets.TestOS, targets.TestArch64Fuzz)
- if err != nil {
- t.Fatal(err)
- }
-
- ctx, cancel := context.WithCancel(context.Background())
- defer cancel()
-
- corpusObj := corpus.NewCorpus(ctx)
- fuzzer := NewFuzzer(ctx, &Config{
- Debug: true,
- Corpus: corpusObj,
- Coverage: true,
- EnabledCalls: map[*prog.Syscall]bool{
- target.SyscallMap["syz_compare"]: true,
- },
- }, rand.New(testutil.RandSource(t)), target)
-
- fakeSignal := func(size int) signal.Signal {
- var pc []uint64
- for i := 0; i < size; i++ {
- pc = append(pc, uint64(i))
- }
- return signal.FromRaw(pc, 0)
- }
-
- prog, err := target.Deserialize([]byte(anyTestProg), prog.NonStrict)
- assert.NoError(t, err)
- corpusObj.Save(corpus.NewInput{
- Prog: prog,
- Call: 0,
- Signal: fakeSignal(100),
- })
- fuzzer.Cover.AddMaxSignal(fakeSignal(1000))
-
- assert.Equal(t, 1000, len(fuzzer.Cover.maxSignal))
- assert.Equal(t, 100, corpusObj.StatSignal.Val())
-
- // Rotate some of the signal.
- fuzzer.RotateMaxSignal(200)
- assert.Equal(t, 800, len(fuzzer.Cover.maxSignal))
- assert.Equal(t, 100, corpusObj.StatSignal.Val())
-
- plus, minus := fuzzer.Cover.GrabSignalDelta()
- assert.Equal(t, 0, plus.Len())
- assert.Equal(t, 200, minus.Len())
-
- // Rotate the rest.
- fuzzer.RotateMaxSignal(1000)
- assert.Equal(t, 100, len(fuzzer.Cover.maxSignal))
- assert.Equal(t, 100, corpusObj.StatSignal.Val())
- plus, minus = fuzzer.Cover.GrabSignalDelta()
- assert.Equal(t, 0, plus.Len())
- assert.Equal(t, 700, minus.Len())
-}
-
 // Based on the example from Go documentation.
 var crc32q = crc32.MakeTable(0xD5828281)
 
diff --git a/pkg/fuzzer/job_test.go b/pkg/fuzzer/job_test.go
index 8441c4142..122a50577 100644
--- a/pkg/fuzzer/job_test.go
+++ b/pkg/fuzzer/job_test.go
@@ -77,6 +77,7 @@ func TestDeflake(t *testing.T) { target, err := prog.GetTarget(targets.TestOS, targets.TestArch64Fuzz) assert.NoError(t, err) + const anyTestProg = `syz_compare(&AUTO="00000000", 0x4, &AUTO=@conditional={0x0, @void, @void}, AUTO)` prog, err := target.Deserialize([]byte(anyTestProg), prog.NonStrict) assert.NoError(t, err) -- cgit mrf-deployment