mangle/input: simplify input selection by not trusting the speed fact…

…or that much
devnexen · Jul 11, 2024 · f4d2962 · f4d2962
1 parent 26f1a84
commit f4d2962
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 26 deletions.
diff --git a/fuzz.c b/fuzz.c
@@ -126,6 +126,7 @@ static void fuzz_setDynamicMainState(run_t* run) {
             .fd            = -1,
             .timeExecUSecs = 1,
             .path          = "[DYNAMIC-0-SIZE]",
+            .timedout      = false,
             .data          = (uint8_t*)"",
         };
         dynfile_t* tmp_dynfile = run->dynfile;

diff --git a/honggfuzz.h b/honggfuzz.h
@@ -154,6 +154,7 @@ struct _dynfile_t {
     struct _dynfile_t* src;
     uint32_t           refs;
     fuzzState_t        phase;
+    bool               timedout;
     uint8_t*           data;
     TAILQ_ENTRY(_dynfile_t) pointers;
 };

diff --git a/input.c b/input.c
@@ -380,7 +380,8 @@ void input_addDynamicInput(run_t* run) {
     if (run->dynfile->src) {
         ATOMIC_POST_INC(run->dynfile->src->refs);
     }
-    dynfile->phase = fuzz_getState(run->global);
+    dynfile->phase    = fuzz_getState(run->global);
+    dynfile->timedout = run->tmOutSignaled;
     input_generateFileName(dynfile, NULL, dynfile->path);
 
     MX_SCOPED_RWLOCK_WRITE(&run->global->mutex.dynfileq);
@@ -459,17 +460,20 @@ static inline int input_speedFactor(run_t* run, dynfile_t* dynfile) {
     }
 }
 
-static inline int input_skipFactor(run_t* run, dynfile_t* dynfile, int* speed_factor) {
+static inline int input_skipFactor(run_t* run, dynfile_t* dynfile) {
     int penalty = 0;
 
 #if 1
-    {
-        *speed_factor = HF_CAP(input_speedFactor(run, dynfile), -10, 5);
-        penalty += *speed_factor;
+    if (dynfile->timedout) {
+        penalty += 50;
     }
 #endif
 
-#if 0
+#if 1
+    penalty -= HF_CAP(input_speedFactor(run, dynfile), -10, 10);
+#endif
+
+#if 1
     {
         /* Inputs with lower total coverage -> lower chance of being tested */
         static const int scaleMap[200] = {
@@ -531,7 +535,6 @@ bool input_prepareDynamicInput(run_t* run, bool needs_mangle) {
         LOG_F("The dynamic file corpus is empty. This shouldn't happen");
     }
 
-    int speed_factor = 0;
     for (;;) {
         MX_SCOPED_RWLOCK_WRITE(&run->global->mutex.dynfileq);
 
@@ -547,7 +550,7 @@ bool input_prepareDynamicInput(run_t* run, bool needs_mangle) {
         run->current                    = run->global->io.dynfileqCurrent;
         run->global->io.dynfileqCurrent = TAILQ_NEXT(run->global->io.dynfileqCurrent, pointers);
 
-        int skip_factor = input_skipFactor(run, run->current, &speed_factor);
+        int skip_factor = input_skipFactor(run, run->current);
         if (skip_factor <= 0) {
             run->triesLeft = -(skip_factor);
             break;
@@ -564,12 +567,13 @@ bool input_prepareDynamicInput(run_t* run, bool needs_mangle) {
     run->dynfile->src           = run->current;
     run->dynfile->refs          = 0;
     run->dynfile->phase         = fuzz_getState(run->global);
+    run->dynfile->timedout      = run->current->timedout;
     memcpy(run->dynfile->cov, run->current->cov, sizeof(run->dynfile->cov));
     snprintf(run->dynfile->path, sizeof(run->dynfile->path), "%s", run->current->path);
     memcpy(run->dynfile->data, run->current->data, run->current->size);
 
     if (needs_mangle) {
-        mangle_mangleContent(run, speed_factor);
+        mangle_mangleContent(run);
     }
 
     return true;
@@ -671,9 +675,11 @@ void input_enqueueDynamicInputs(honggfuzz_t* hfuzz) {
             .fd            = -1,
             .timeExecUSecs = 1,
             .path          = "",
+            .timedout      = false,
             .data          = dynamicFile,
         };
         tmp_run.timeStartedUSecs = util_timeNowUSecs() - 1;
+        tmp_run.tmOutSignaled    = false;
         memcpy(tmp_dynfile.path, dynamicInputFileName, PATH_MAX);
         tmp_run.dynfile = &tmp_dynfile;
         input_addDynamicInput(&tmp_run);
@@ -780,13 +786,14 @@ bool input_prepareStaticFile(run_t* run, bool rewind, bool needs_mangle) {
 
     input_setSize(run, fileSz);
     util_memsetInline(run->dynfile->cov, '\0', sizeof(run->dynfile->cov));
-    run->dynfile->idx   = 0;
-    run->dynfile->src   = NULL;
-    run->dynfile->refs  = 0;
-    run->dynfile->phase = fuzz_getState(run->global);
+    run->dynfile->idx      = 0;
+    run->dynfile->src      = NULL;
+    run->dynfile->refs     = 0;
+    run->dynfile->phase    = fuzz_getState(run->global);
+    run->dynfile->timedout = false;
 
     if (needs_mangle) {
-        mangle_mangleContent(run, /* slow_factor= */ 0);
+        mangle_mangleContent(run);
     }
 
     return true;

diff --git a/mangle.c b/mangle.c
@@ -842,7 +842,7 @@ static void mangle_Resize(run_t* run, bool printable) {
     }
 }
 
-void mangle_mangleContent(run_t* run, int speed_factor) {
+void mangle_mangleContent(run_t* run) {
     static void (*const mangleFuncs[])(run_t* run, bool printable) = {
         mangle_Shrink,
         mangle_Expand,
@@ -873,16 +873,7 @@ void mangle_mangleContent(run_t* run, int speed_factor) {
         mangle_Resize(run, /* printable= */ run->global->cfg.only_printable);
     }
 
-    uint64_t changesCnt = run->global->mutate.mutationsPerRun;
-
-    if (speed_factor < 5) {
-        changesCnt = util_rndGet(1, run->global->mutate.mutationsPerRun);
-    } else if (speed_factor < 10) {
-        changesCnt = run->global->mutate.mutationsPerRun;
-    } else {
-        changesCnt = HF_MIN(speed_factor, 10);
-        changesCnt = HF_MAX(changesCnt, (run->global->mutate.mutationsPerRun * 5));
-    }
+    const uint64_t changesCnt = util_rndGet(1, run->global->mutate.mutationsPerRun);
 
     /* If last coverage acquisition was more than 5 secs ago, use splicing more frequently */
     if ((time(NULL) - ATOMIC_GET(run->global->timing.lastCovUpdate)) > 5) {

diff --git a/mangle.h b/mangle.h
@@ -26,6 +26,6 @@
 
 #include "honggfuzz.h"
 
-extern void mangle_mangleContent(run_t* run, int speed_factor);
+extern void mangle_mangleContent(run_t* run);
 
 #endif