[dev.fuzz] internal/fuzz: count -fuzzminimizetime toward -fuzztime

Previously, when -fuzztime was given a number of executions like -fuzztime=100x, this was a count for each minimization independent of -fuzztime. Since there is no bound on the number of minimizations, this was not a meaningful limit. With this change, executions of the fuzz function during minimization count toward the -fuzztime global limit. Executions are further limited by -fuzzminimizetime. This change also counts executions during the coverage-only run and reports errors for those executions. There is no change when -fuzztime specifies a duration or when -fuzztime is not set. Change-Id: Ibcf1b1982f28b28f6625283aa03ce66d4de0a26d Reviewed-on: https://go-review.googlesource.com/c/go/+/342994 Trust: Jay Conrod <jayconrod@google.com> Trust: Katie Hockman <katie@golang.org> Run-TryBot: Jay Conrod <jayconrod@google.com> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
2025-04-05 13:07:36 +03:00 · 2021-08-06 16:15:48 -07:00 · 2021-08-06 16:15:48 -07:00 · 0234baf05d
commit 0234baf05d
parent 0f3e028032
2 changed files with 133 additions and 49 deletions
--- a/fuzz/fuzz.go
+++ b/fuzz/fuzz.go
@ -45,7 +45,8 @@ type CoordinateFuzzingOpts struct {

 	// MinimizeLimit is the maximum number of calls to the fuzz function to be
 	// made while minimizing after finding a crash. If zero, there will be
-	// no limit.
+	// no limit. Calls to the fuzz function made when minimizing also count
+	// toward Limit.
 	MinimizeLimit int64

 	// parallel is the number of worker processes to run in parallel. If zero,
@ -92,13 +93,6 @@ func CoordinateFuzzing(ctx context.Context, opts CoordinateFuzzingOpts) (err err
 		// Don't start more workers than we need.
 		opts.Parallel = int(opts.Limit)
 	}
-	canMinimize := false
-	for _, t := range opts.Types {
-		if isMinimizable(t) {
-			canMinimize = true
-			break
-		}
-	}

 	c, err := newCoordinator(opts)
 	if err != nil {
@ -199,17 +193,19 @@ func CoordinateFuzzing(ctx context.Context, opts CoordinateFuzzingOpts) (err err
 			}

 			if result.crasherMsg != "" {
-				if canMinimize && !result.minimized {
+				if c.canMinimize() && !result.minimizeAttempted {
+					if crashMinimizing {
+						// This crash is not minimized, and another crash is being minimized.
+						// Ignore this one and wait for the other one to finish.
+						break
+					}
 					// Found a crasher but haven't yet attempted to minimize it.
 					// Send it back to a worker for minimization. Disable inputC so
 					// other workers don't continue fuzzing.
-					if crashMinimizing {
-						break
-					}
 					crashMinimizing = true
 					inputC = nil
 					fmt.Fprintf(c.opts.Log, "found a crash, minimizing...\n")
-					c.minimizeC <- result
+					c.minimizeC <- c.minimizeInputForResult(result)
 				} else if !crashWritten {
 					// Found a crasher that's either minimized or not minimizable.
 					// Write to corpus and stop.
@ -402,9 +398,15 @@ type fuzzInput struct {
 	// values from this starting point.
 	entry CorpusEntry

-	// countRequested is the number of values to test. If non-zero, the worker
-	// will stop after testing this many values, if it hasn't already stopped.
-	countRequested int64
+	// timeout is the time to spend fuzzing variations of this input,
+	// not including starting or cleaning up.
+	timeout time.Duration
+
+	// limit is the maximum number of calls to the fuzz function the worker may
+	// make. The worker may make fewer calls, for example, if it finds an
+	// error early. If limit is zero, there is no limit on calls to the
+	// fuzz function.
+	limit int64

 	// coverageOnly indicates whether this input is for a coverage-only run. If
 	// true, the input should not be fuzzed.
@ -425,16 +427,16 @@ type fuzzResult struct {
 	// crasherMsg is an error message from a crash. It's "" if no crash was found.
 	crasherMsg string

-	// minimized is true if a worker attempted to minimize entry.
-	// Minimization may not have actually been completed.
-	minimized bool
+	// minimizeAttempted is true if the worker attempted to minimize this input.
+	// The worker may or may not have succeeded.
+	minimizeAttempted bool

 	// coverageData is set if the worker found new coverage.
 	coverageData []byte

-	// countRequested is the number of values the coordinator asked the worker
+	// limit is the number of values the coordinator asked the worker
 	// to test. 0 if there was no limit.
-	countRequested int64
+	limit int64

 	// count is the number of values the worker actually tested.
 	count int64
@ -446,6 +448,25 @@ type fuzzResult struct {
 	entryDuration time.Duration
 }

+type fuzzMinimizeInput struct {
+	// entry is an interesting value or crasher to minimize.
+	entry CorpusEntry
+
+	// crasherMsg is an error message from a crash. It's "" if no crash was found.
+	// If set, the worker will attempt to find a smaller input that also produces
+	// an error, though not necessarily the same error.
+	crasherMsg string
+
+	// limit is the maximum number of calls to the fuzz function the worker may
+	// make. The worker may make fewer calls, for example, if it can't reproduce
+	// an error. If limit is zero, there is no limit on calls to the fuzz function.
+	limit int64
+
+	// timeout is the time to spend minimizing this input.
+	// A zero timeout means no limit.
+	timeout time.Duration
+}
+
 // coordinator holds channels that workers can use to communicate with
 // the coordinator.
 type coordinator struct {
@ -461,7 +482,7 @@ type coordinator struct {

 	// minimizeC is sent values to minimize by the coordinator. Any worker may
 	// receive values from this channel. Workers send results to resultC.
-	minimizeC chan fuzzResult
+	minimizeC chan fuzzMinimizeInput

 	// resultC is sent results of fuzzing by workers. The coordinator
 	// receives these. Multiple types of messages are allowed.
@ -482,8 +503,8 @@ type coordinator struct {
 	// starting up or tearing down.
 	duration time.Duration

-	// countWaiting is the number of values the coordinator is currently waiting
-	// for workers to fuzz.
+	// countWaiting is the number of fuzzing executions the coordinator is
+	// waiting on workers to complete.
 	countWaiting int64

 	// corpus is a set of interesting values, including the seed corpus and
@ -495,6 +516,10 @@ type coordinator struct {
 	// which corpus value to send next (or generates something new).
 	corpusIndex int

+	// typesAreMinimizable is true if one or more of the types of fuzz function's
+	// parameters can be minimized.
+	typesAreMinimizable bool
+
 	// coverageMask aggregates coverage that was found for all inputs in the
 	// corpus. Each byte represents a single basic execution block. Each set bit
 	// within the byte indicates that an input has triggered that block at least
@ -530,11 +555,17 @@ func newCoordinator(opts CoordinateFuzzingOpts) (*coordinator, error) {
 		opts:          opts,
 		startTime:     time.Now(),
 		inputC:        make(chan fuzzInput),
-		minimizeC:     make(chan fuzzResult),
+		minimizeC:     make(chan fuzzMinimizeInput),
 		resultC:       make(chan fuzzResult),
 		corpus:        corpus,
 		covOnlyInputs: covOnlyInputs,
 	}
+	for _, t := range opts.Types {
+		if isMinimizable(t) {
+			c.typesAreMinimizable = true
+			break
+		}
+	}

 	covSize := len(coverage())
 	if covSize == 0 {
@ -555,9 +586,8 @@ func newCoordinator(opts CoordinateFuzzingOpts) (*coordinator, error) {
 }

 func (c *coordinator) updateStats(result fuzzResult) {
-	// Adjust total stats.
 	c.count += result.count
-	c.countWaiting -= result.countRequested
+	c.countWaiting -= result.limit
 	c.duration += result.totalDuration
 }

@ -584,6 +614,7 @@ func (c *coordinator) nextInput() (fuzzInput, bool) {
 		entry:            c.corpus.entries[c.corpusIndex],
 		interestingCount: c.interestingCount,
 		coverageData:     make([]byte, len(c.coverageMask)),
+		timeout:          workerFuzzDuration,
 	}
 	copy(input.coverageData, c.coverageMask)
 	c.corpusIndex = (c.corpusIndex + 1) % (len(c.corpus.entries))
@ -596,19 +627,50 @@ func (c *coordinator) nextInput() (fuzzInput, bool) {
 	}

 	if c.opts.Limit > 0 {
-		input.countRequested = c.opts.Limit / int64(c.opts.Parallel)
+		input.limit = c.opts.Limit / int64(c.opts.Parallel)
 		if c.opts.Limit%int64(c.opts.Parallel) > 0 {
-			input.countRequested++
+			input.limit++
 		}
 		remaining := c.opts.Limit - c.count - c.countWaiting
-		if input.countRequested > remaining {
-			input.countRequested = remaining
+		if input.limit > remaining {
+			input.limit = remaining
 		}
-		c.countWaiting += input.countRequested
+		c.countWaiting += input.limit
 	}
 	return input, true
 }

+// minimizeInputForResult returns an input for minimization based on the given
+// fuzzing result that either caused a failure or expanded coverage.
+func (c *coordinator) minimizeInputForResult(result fuzzResult) fuzzMinimizeInput {
+	input := fuzzMinimizeInput{
+		entry:      result.entry,
+		crasherMsg: result.crasherMsg,
+	}
+	input.limit = 0
+	if c.opts.MinimizeTimeout > 0 {
+		input.timeout = c.opts.MinimizeTimeout
+	}
+	if c.opts.MinimizeLimit > 0 {
+		input.limit = c.opts.MinimizeLimit
+	} else if c.opts.Limit > 0 {
+		if result.crasherMsg != "" {
+			input.limit = c.opts.Limit
+		} else {
+			input.limit = c.opts.Limit / int64(c.opts.Parallel)
+			if c.opts.Limit%int64(c.opts.Parallel) > 0 {
+				input.limit++
+			}
+		}
+	}
+	remaining := c.opts.Limit - c.count - c.countWaiting
+	if input.limit > remaining {
+		input.limit = remaining
+	}
+	c.countWaiting += input.limit
+	return input
+}
+
 func (c *coordinator) coverageOnlyRun() bool {
 	return c.covOnlyInputs > 0
 }
@ -629,6 +691,13 @@ func (c *coordinator) updateCoverage(newCoverage []byte) int {
 	return newBitCount
 }

+// canMinimize returns whether the coordinator should attempt to find smaller
+// inputs that reproduce a crash or new coverage.
+func (c *coordinator) canMinimize() bool {
+	return c.typesAreMinimizable &&
+		(c.opts.Limit == 0 || c.count+c.countWaiting < c.opts.Limit)
+}
+
 // readCache creates a combined corpus from seed values and values in the cache
 // (in GOCACHE/fuzz).
 //
--- a/fuzz/worker.go
+++ b/fuzz/worker.go
@ -151,7 +151,7 @@ func (w *worker) coordinate(ctx context.Context) error {

 		case input := <-w.coordinator.inputC:
 			// Received input from coordinator.
-			args := fuzzArgs{Limit: input.countRequested, Timeout: workerFuzzDuration, CoverageOnly: input.coverageOnly}
+			args := fuzzArgs{Limit: input.limit, Timeout: input.timeout, CoverageOnly: input.coverageOnly}
 			if interestingCount < input.interestingCount {
 				// The coordinator's coverage data has changed, so send the data
 				// to the client.
@ -191,7 +191,7 @@ func (w *worker) coordinate(ctx context.Context) error {
 				resp.Err = fmt.Sprintf("fuzzing process terminated unexpectedly: %v", w.waitErr)
 			}
 			result := fuzzResult{
-				countRequested: input.countRequested,
+				limit:         input.limit,
 				count:         resp.Count,
 				totalDuration: resp.TotalDuration,
 				entryDuration: resp.InterestingDuration,
@ -204,16 +204,20 @@ func (w *worker) coordinate(ctx context.Context) error {
 			}
 			w.coordinator.resultC <- result

-		case crasher := <-w.coordinator.minimizeC:
+		case input := <-w.coordinator.minimizeC:
 			// Received input to minimize from coordinator.
-			minRes, err := w.minimize(ctx, crasher)
+			result, err := w.minimize(ctx, input)
 			if err != nil {
 				// Failed to minimize. Send back the original crash.
 				fmt.Fprintln(w.coordinator.opts.Log, err)
-				minRes = crasher
-				minRes.minimized = true
+				result = fuzzResult{
+					entry:             input.entry,
+					crasherMsg:        input.crasherMsg,
+					minimizeAttempted: true,
+					limit:             input.limit,
 				}
-			w.coordinator.resultC <- minRes
+			}
+			w.coordinator.resultC <- result
 		}
 	}
 }
@ -224,19 +228,23 @@ func (w *worker) coordinate(ctx context.Context) error {
 //
 // TODO: support minimizing inputs that expand coverage in a specific way,
 // for example, by ensuring that an input activates a specific set of counters.
-func (w *worker) minimize(ctx context.Context, input fuzzResult) (min fuzzResult, err error) {
+func (w *worker) minimize(ctx context.Context, input fuzzMinimizeInput) (min fuzzResult, err error) {
 	if w.coordinator.opts.MinimizeTimeout != 0 {
 		var cancel func()
 		ctx, cancel = context.WithTimeout(ctx, w.coordinator.opts.MinimizeTimeout)
 		defer cancel()
 	}

-	min = input
-	min.minimized = true
+	min = fuzzResult{
+		entry:             input.entry,
+		crasherMsg:        input.crasherMsg,
+		minimizeAttempted: true,
+		limit:             input.limit,
+	}

 	args := minimizeArgs{
-		Limit:   w.coordinator.opts.MinimizeLimit,
-		Timeout: w.coordinator.opts.MinimizeTimeout,
+		Limit:   input.limit,
+		Timeout: input.timeout,
 	}
 	minEntry, resp, err := w.client.minimize(ctx, input.entry, args)
 	if err != nil {
@ -660,7 +668,14 @@ func (ws *workerServer) fuzz(ctx context.Context, args fuzzArgs) (resp fuzzRespo

 	if args.CoverageOnly {
 		fStart := time.Now()
-		ws.fuzzFn(CorpusEntry{Values: vals})
+		err := ws.fuzzFn(CorpusEntry{Values: vals})
+		if err != nil {
+			resp.Err = err.Error()
+			if resp.Err == "" {
+				resp.Err = "fuzz function failed with no output"
+			}
+			return resp
+		}
 		resp.InterestingDuration = time.Since(fStart)
 		resp.CoverageData = coverageSnapshot
 		return resp