internal/fuzz: implement better prioritization algorithm in fuzzing engine #46224
Labels
fuzz
Issues related to native fuzzing support
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Currently, every item in the corpus is equally likely to be mutated by the fuzzing engine. The coordinator loops through each item in the corpus sequentially, and passes each one to a worker to be mutated.
However, we should consider more heavily prioritizing interesting inputs that were more recently discovered, rather than giving them equal weight to older corpus entries. go-fuzz runs a "smash" which "gives some minimal attention to every new input." https://github.com/dvyukov/go-fuzz/blob/master/go-fuzz/worker.go#L444
(from @rolandshoemaker)
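To make the two scheduling policies concrete, here is a small stand-alone Go sketch (added for this discussion, not code from internal/fuzz or go-fuzz) of a corpus scheduler that does both things described above: every newly added input first receives a fixed "smash" budget of mutations, and after that the coordinator draws entries with a weight that decays with age instead of looping through the corpus uniformly. The `scheduler`, `entry`, `smashN` and `decay` names are hypothetical; setting `decay` to 1 reproduces the current equal-weight behaviour, so the same code shows both the existing policy and the proposed one on a constructed three-input corpus.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// entry is one corpus input plus the bookkeeping the scheduler needs.
type entry struct {
	data      []byte
	gen       int // discovery order: a higher gen means a more recently found input
	smashLeft int // mutations still owed to this input by the "smash" pass
}

// scheduler decides which corpus entry the next worker mutates.
// Hypothetical design for illustration, not the internal/fuzz coordinator.
type scheduler struct {
	corpus  []*entry
	nextGen int
	rng     *rand.Rand
	smashN  int     // minimal attention every new input receives before weighting applies
	decay   float64 // weight multiplier applied per generation of age (0 < decay <= 1)
}

func newScheduler(seed int64, smashN int, decay float64) *scheduler {
	return &scheduler{rng: rand.New(rand.NewSource(seed)), smashN: smashN, decay: decay}
}

// add records a newly discovered interesting input.
func (s *scheduler) add(data []byte) {
	s.corpus = append(s.corpus, &entry{data: data, gen: s.nextGen, smashLeft: s.smashN})
	s.nextGen++
}

// weight returns the selection weight of an entry: the newest entry has weight 1
// and each older generation is scaled down by decay, so recent inputs are
// mutated more often than stale ones (decay == 1 gives uniform choice).
func (s *scheduler) weight(e *entry) float64 {
	age := (s.nextGen - 1) - e.gen
	return math.Pow(s.decay, float64(age))
}

// next picks the entry to hand to the next worker. Entries that still have
// smash budget are served first, oldest first, so every new input gets its
// guaranteed minimum; after that a weighted random draw favours recent inputs.
func (s *scheduler) next() *entry {
	if len(s.corpus) == 0 {
		return nil
	}
	for _, e := range s.corpus {
		if e.smashLeft > 0 {
			e.smashLeft--
			return e
		}
	}
	total := 0.0
	for _, e := range s.corpus {
		total += s.weight(e)
	}
	r := s.rng.Float64() * total
	for _, e := range s.corpus {
		r -= s.weight(e)
		if r < 0 {
			return e
		}
	}
	return s.corpus[len(s.corpus)-1] // guard against floating-point rounding
}

// pickCounts runs the scheduler n times over a constructed corpus of three
// inputs and reports how often each generation was chosen, so the bias
// toward recent inputs can be inspected.
func pickCounts(n int, smashN int, decay float64) [3]int {
	s := newScheduler(1, smashN, decay)
	// Constructed sample corpus; gen 0 is the oldest, gen 2 the most recent.
	for _, in := range [][]byte{[]byte("seed-0"), []byte("seed-1"), []byte("seed-2")} {
		s.add(in)
	}
	var counts [3]int
	for i := 0; i < n; i++ {
		counts[s.next().gen]++
	}
	return counts
}

func main() {
	fmt.Println("uniform (decay=1):         ", pickCounts(10000, 0, 1.0))
	fmt.Println("recency-weighted (decay=.5):", pickCounts(10000, 0, 0.5))
}
```

With `decay` at 0.5 the newest of three entries receives roughly four times the mutation budget of the oldest, while the smash pass still guarantees that no new input is starved before it has been tried at all. The missing piece the comment below raises, returning several new interesting inputs from a single smash pass, would sit on top of `add` rather than in the selection logic.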
The go-fuzz implementation of this is essentially the deterministic fuzzing stage of AFL, described in section 6 of https://lcamtuf.coredump.cx/afl/technical_details.txt. It definitely seems like a good idea, but I think an implementation requires figuring out a way to return multiple new inputs from the fuzz function since there are likely to be >1 new interesting inputs discovered (another option could be to return some kind of signal in the fuzzResponse that the deterministic stage didn't finish, and an indication of where in the stage it should be restarted from, but that seems overly complicated).