syz-fuzzer: don't send/check CallIndex for inputs

The call index check episodically fails: 2017/10/02 22:07:32 bad call index 1, calls 1, program: under unknown circumstances. I've looked at the code again and don't see where/how we can mess CallIndex. Added a new test for minimization that especially checks resulting CallIndex. It would be good to understand what happens, but we don't have any reproducers. CallIndex is actually unused at this point. Manager only needs call name. So remove CallIndex entirely.
2025-02-11 14:36:04 +00:00 · 2017-10-10 10:41:27 +02:00 · 2017-10-10 10:41:27 +02:00 · 354c324465
commit 354c324465
parent 2ef9fcaf18
4 changed files with 25 additions and 14 deletions
--- a/pkg/rpctype/rpctype.go
+++ b/pkg/rpctype/rpctype.go
@ -6,11 +6,10 @@
 package rpctype

 type RpcInput struct {
-	Call      string
-	Prog      []byte
-	CallIndex int
-	Signal    []uint32
-	Cover     []uint32
+	Call   string
+	Prog   []byte
+	Signal []uint32
+	Cover  []uint32
 }

 type RpcCandidate struct {
--- a/prog/mutation.go
+++ b/prog/mutation.go
@ -475,7 +475,7 @@ func Minimize(p0 *Prog, callIndex0 int, pred0 func(*Prog, int) bool, crash bool)

 	if callIndex0 != -1 {
 		if callIndex0 < 0 || callIndex0 >= len(p0.Calls) || name0 != p0.Calls[callIndex0].Meta.Name {
-			panic(fmt.Sprintf("bad call index after minimizatoin: ncalls=%v index=%v call=%v/%v",
+			panic(fmt.Sprintf("bad call index after minimization: ncalls=%v index=%v call=%v/%v",
 				len(p0.Calls), callIndex0, name0, p0.Calls[callIndex0].Meta.Name))
 		}
 	}
--- a/prog/mutation_test.go
+++ b/prog/mutation_test.go
@ -6,6 +6,7 @@ package prog
 import (
 	"bytes"
 	"fmt"
+	"math/rand"
 	"testing"
 )

@ -310,3 +311,18 @@ func TestMinimizeRandom(t *testing.T) {
 		}, false)
 	}
 }
+
+func TestMinimizeCallIndex(t *testing.T) {
+	target, rs, iters := initTest(t)
+	r := rand.New(rs)
+	for i := 0; i < iters; i++ {
+		p := target.Generate(rs, 5, nil)
+		ci := r.Intn(len(p.Calls))
+		p1, ci1 := Minimize(p, ci, func(p1 *Prog, callIndex int) bool {
+			return r.Intn(2) == 0
+		}, r.Intn(2) == 0)
+		if ci1 < 0 || ci1 >= len(p1.Calls) || p.Calls[ci].Meta.Name != p1.Calls[ci1].Meta.Name {
+			t.Fatalf("bad call index after minimization")
+		}
+	}
+}
--- a/syz-fuzzer/fuzzer.go
+++ b/syz-fuzzer/fuzzer.go
@ -477,9 +477,6 @@ func addInput(inp RpcInput) {
 	if err != nil {
 		panic(err)
 	}
-	if inp.CallIndex < 0 || inp.CallIndex >= len(p.Calls) {
-		Fatalf("bad call index %v, calls %v, program:\n%s", inp.CallIndex, len(p.Calls), inp.Prog)
-	}
 	sig := hash.Hash(inp.Prog)
 	if _, ok := corpusHashes[sig]; !ok {
 		corpus = append(corpus, p)
@ -599,11 +596,10 @@ func triageInput(pid int, env *ipc.Env, inp Input) {
 	a := &NewInputArgs{
 		Name: *flagName,
 		RpcInput: RpcInput{
-			Call:      call.CallName,
-			Prog:      data,
-			CallIndex: inp.call,
-			Signal:    []uint32(cover.Canonicalize(inp.signal)),
-			Cover:     []uint32(inputCover),
+			Call:   call.CallName,
+			Prog:   data,
+			Signal: []uint32(cover.Canonicalize(inp.signal)),
+			Cover:  []uint32(inputCover),
 		},
 	}
 	if err := manager.Call("Manager.NewInput", a, nil); err != nil {