Introduce replaying fuzzer #2886
Conversation
|
This sounds very related to the calibration stage (?) |
|
Yes, but calibration stage only reports the diffs and doesn't prevent corpus explosion based on essentially duplicate entries. Additionally, it only works for map observers, where ReplayingFuzzer works for any observer. |
|
Do you have any idea if this can be implemented into the existing fuzzer.rs One thing we want to avoid is to having too much fuzzer.rs-variants with little difference across them. If you can do this, with Stages(i think this is possible with IfStage, Closure stage... etc), or without adding another |
Yes, but it would introduce a small performance penalty because I'd need to check on each execute_input if a struct value is equal to 1. The compiler may be able to optimize it away, but I'm not sure.
|
|
I have added a bunch more logic to deal with inconsistent inputs. Since we're re-running the entire observer/executor/feedback stack, performance should be negligible, but it makes it much more flexible. |
| @@ -82,6 +84,8 @@ pub enum DiffExitKind { | |||
| Oom, | |||
| /// The run timed out | |||
| Timeout, | |||
| /// The run reports inconsistent results | |||
| Inconsistent, | |||
There was a problem hiding this comment.
This is very special to your case, maybe explain where/when this is actually used?
Why in Diff btw?
(unrelated sidenote: We should add Result::Skip) that never stores to corpus
|
A few questions:
|
Because other stages (such as mutational stages) need it during their evaluation. It would also lead to code duplication since we'd have multiple implementations of the logic to prep observers, execute an input, check oberservers etc.
Maybe add this logic as a default implementation in the Edit: this doesn't actually work I don't think, since I still want a central place to toggle it on or off.
See above: yes, but it would include adding some data to the fuzzer struct and an single boolean check for each execution even for the existing mode. If that's something we're comfortable with, this would reduce like 80% of extra code. |
|
Can we make this a compile-time boolean / type? then it'll get optimized out anyway(?) I still believe the "correct" way to build this is with hooks that can run sub-stages, but I understand if that's too much refactoring |
Possible, yes. I'm not sure the added complexity is worth the performance diff though. Let me give it a go.
Not exactly sure what you mean. |
|
For example: the calibration stage should ideally run every time we add a new entry to the corpus, before continuing adding the testcase to the actual corpus. As a hook. So it wouldn't be a normal stage anymore but become part of every stage that adds to the corpus |
I have an unstable target regarding my observer values. There is very little I can do about this. One thing that helps is just repeatedly call the target until I'm somewhat sure which version is the correct one. This is what is happening here.
I know, more changes to fuzzer, but this makes sense neither in stages nor in the executor.
Ideally, one would be able to pass multiple handles (e.g. as a tuple_list), but I haven't quite figured out how to explain this to the compiler.