extremely unbalanced distribution in mutation

Sep 29, 2022, 12:40:29 PM
to syzkaller
Hi developers,

I'm new to Syzkaller and am fuzzing the latest Linux kernel with it. The kernel is compiled with CONFIG_KCOV_ENABLE_COMPARISONS enabled. However, during fuzzing I notice that MutateWithHints() in smashInput() (exec hints) accounts for a fair number of mutations and executions, while the numbers of Mutation (exec fuzz) and Generation (exec fuzz) are negligible. A syscall with long arguments, e.g. sys_mount_image, even requires thousands of MutateWithHints() calls.

Here is my stats of 24-hours fuzzing:
  "corpus": 10941,
  "coverage": 138411,
  "crash types": 3,
  "crashes": 5,
  "exec candidate": 1325,
  "exec fuzz": 393,
  "exec gen": 59,
  "exec hints": 615488,
  "exec minimize": 559396,
  "exec seeds": 1555,
  "exec smash": 167608,
  "exec total": 1421041,
  "exec triage": 75218,
  "executor restarts": 115,
  "filtered coverage": 0,
  "fuzzing": 186705,
  "max signal": 237891,
  "new inputs": 18627,
  "rotated inputs": 4150,
  "signal": 202633,
  "suppressed": 0,
  "uptime": 91399,
  "vm restarts": 62

I have two questions:
1. Is it normal?
2. If it is not normal, how could I solve it?

Best regards

Dmitry Vyukov

Sep 30, 2022, 2:14:46 AM
to 许嘉诚, syzkaller
Hi Jiacheng,

This looks normal-ish (in the sense that we have a similar picture in our runs).
Also note that it will change over time. MutateWithHints is only
executed when new inputs are added to corpus, so you get more of them
initially. But over time as corpus saturates there should be fewer of

But having said that there are sure to be lots of things to improve as
well. For example, MutateWithHints heuristics/prioritization, or
delaying MutateWithHints and spreading them over time.
However, I have picked all the lower-hanging fruit that I knew of, so now I
can't point to any simple fixes, and improving the logic requires one
to first deep dive and understand what can be improved and how.

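To make the scaling behind the reply concrete: comparison hints work by locating an operand the kernel compared against inside the input bytes and substituting the other operand, so the number of candidate executions grows with the number of recorded comparisons times the number of places the operand occurs in the (possibly very long) argument buffer. The following is an added, simplified reimplementation written for this thread to illustrate that mechanism; it is not syzkaller's own hints code, and the 12-byte "image header" layout, the comparison values and the Comparison type are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Comparison is one operand pair recorded by KCOV comparison tracing
// (CONFIG_KCOV_ENABLE_COMPARISONS): the kernel compared Got against Want.
// This type is an assumption made for the example, not syzkaller's own.
type Comparison struct {
	Got, Want uint64
}

// fits reports whether v can be encoded in width bytes.
func fits(v uint64, width int) bool {
	return width == 8 || v>>(8*uint(width)) == 0
}

// encode returns the little-endian encoding of v truncated to width bytes.
func encode(v uint64, width int) []byte {
	var buf [8]byte
	binary.LittleEndian.PutUint64(buf[:], v)
	return buf[:width]
}

// MutateWithHints returns every distinct mutant obtained by finding the
// observed operand of each comparison inside data and replacing it with the
// operand the kernel compared it against, trying byte widths 1, 2, 4 and 8.
// Each returned mutant corresponds to one candidate execution, which is why
// a long buffer with many recorded comparisons yields many "exec hints".
func MutateWithHints(data []byte, comps []Comparison) [][]byte {
	seen := map[string]bool{string(data): true} // dedup identical mutants
	var out [][]byte
	for _, c := range comps {
		if c.Got == c.Want {
			continue // nothing to learn from an equal comparison
		}
		for _, width := range []int{1, 2, 4, 8} {
			if !fits(c.Got, width) || !fits(c.Want, width) {
				continue
			}
			pat := encode(c.Got, width)
			repl := encode(c.Want, width)
			for i := 0; i+width <= len(data); i++ {
				if !bytes.Equal(data[i:i+width], pat) {
					continue
				}
				m := append([]byte(nil), data...)
				copy(m[i:], repl)
				if !seen[string(m)] {
					seen[string(m)] = true
					out = append(out, m)
				}
			}
		}
	}
	return out
}

func main() {
	// Constructed input: a 4-byte magic "ABCD", a 32-bit version field of 1,
	// and the magic repeated once more, as a filesystem image header might.
	data := []byte{0x41, 0x42, 0x43, 0x44, 0x01, 0x00, 0x00, 0x00, 0x41, 0x42, 0x43, 0x44}
	// Constructed comparisons: the kernel checked the magic against
	// 0x12345678 and the version field against 2.
	comps := []Comparison{
		{Got: 0x44434241, Want: 0x12345678},
		{Got: 1, Want: 2},
	}
	for _, m := range MutateWithHints(data, comps) {
		fmt.Printf("% x\n", m)
	}
	// Every repetition of the magic in a longer buffer is one more mutant.
	big := bytes.Repeat([]byte("ABCD"), 100)
	fmt.Println("mutants for a 400-byte buffer:", len(MutateWithHints(big, comps[:1])))
}
```

With the constructed header the two comparisons yield three mutants (the magic is replaced at each of its two positions, and the version field once, since the 1-, 2- and 4-byte substitutions of 1 with 2 collapse to the same bytes), while the 400-byte buffer yields 100 mutants from a single comparison. That linear growth in the buffer length is the effect the original post sees on syscalls with large arguments.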

Sep 30, 2022, 2:47:50 AM
to syzkaller
Thank you very much for the prompt reply and the detailed explanation.