google
diff --git a/‎pkg/manager/corpus.go‎
Lines changed: 0 additions & 89 deletions b/‎pkg/manager/corpus.go‎
Lines changed: 0 additions & 89 deletions
diff --git a/‎syz-manager/manager.go‎
Lines changed: 59 additions & 11 deletions b/‎syz-manager/manager.go‎
Lines changed: 59 additions & 11 deletions
diff --git a/‎syz-verifier/main.go‎
Lines changed: 6 additions & 14 deletions b/‎syz-verifier/main.go‎
Lines changed: 6 additions & 14 deletions
@@ -1032,20 +1032,68 @@ func (mgr *Manager) addNewCandidates(candidates []fuzzer.Candidate) {
 }
 
 func (mgr *Manager) minimizeCorpusLocked() {
-	cm := &manager.CorpusMinimizer{
-		Corpus:         mgr.corpus,
-		CorpusDB:       mgr.corpusDB,
-		Cover:          mgr.cfg.Cover,
-		LastMinCorpus:  mgr.lastMinCorpus,
-		SaturatedCalls: mgr.saturatedCalls,
-		DisabledHashes: mgr.disabledHashes,
-		PhaseCheck: func() bool {
-			return mgr.phase >= phaseTriagedCorpus
-		},
+	// Don't minimize corpus until we have triaged all inputs from it.
+	// During corpus triage it would happen very often since we are actively adding inputs,
+	// and presumably the persistent corpus was reasonably minimial, and we don't use it for fuzzing yet.
+	if mgr.phase < phaseTriagedCorpus {
+		return
+	}
+	currSize := mgr.corpus.StatProgs.Val()
+	if currSize <= mgr.lastMinCorpus*103/100 {
+		return
+	}
+	mgr.corpus.Minimize(mgr.cfg.Cover)
+	newSize := mgr.corpus.StatProgs.Val()
+
+	log.Logf(1, "minimized corpus: %v -> %v", currSize, newSize)
+	mgr.lastMinCorpus = newSize
+
+	// From time to time we get corpus explosion due to different reason:
+	// generic bugs, per-OS bugs, problems with fallback coverage, kcov bugs, etc.
+	// This has bad effect on the instance and especially on instances
+	// connected via hub. Do some per-syscall sanity checking to prevent this.
+	for call, info := range mgr.corpus.CallCover() {
+		if mgr.cfg.Cover {
+			// If we have less than 1K inputs per this call,
+			// accept all new inputs unconditionally.
+			if info.Count < 1000 {
+				continue
+			}
+			// If we have more than 3K already, don't accept any more.
+			// Between 1K and 3K look at amount of coverage we are getting from these programs.
+			// Empirically, real coverage for the most saturated syscalls is ~30-60
+			// per program (even when we have a thousand of them). For explosion
+			// case coverage tend to be much lower (~0.3-5 per program).
+			if info.Count < 3000 && len(info.Cover)/info.Count >= 10 {
+				continue
+			}
+		} else {
+			// If we don't have real coverage, signal is weak.
+			// If we have more than several hundreds, there is something wrong.
+			if info.Count < 300 {
+				continue
+			}
+		}
+		if mgr.saturatedCalls[call] {
+			continue
+		}
+		mgr.saturatedCalls[call] = true
+		log.Logf(0, "coverage for %v has saturated, not accepting more inputs", call)
 	}
+
 	mgr.corpusDBMu.Lock()
 	defer mgr.corpusDBMu.Unlock()
-	mgr.lastMinCorpus = cm.Minimize()
+	for key := range mgr.corpusDB.Records {
+		ok1 := mgr.corpus.Item(key) != nil
+		_, ok2 := mgr.disabledHashes[key]
+		if !ok1 && !ok2 {
+			mgr.corpusDB.Delete(key)
+		}
+	}
+	if err := mgr.corpusDB.Flush(); err != nil {
+		log.Fatalf("failed to save corpus database: %v", err)
+	}
+	mgr.corpusDB.BumpVersion(manager.CurrentDBVersion)
 }
 
 func setGuiltyFiles(crash *dashapi.Crash, report *report.Report) {
 
@@ -11,10 +11,8 @@ import (
 	"os"
 
 	"github.com/google/syzkaller/pkg/flatrpc"
-	"github.com/google/syzkaller/pkg/fuzzer"
 	"github.com/google/syzkaller/pkg/fuzzer/queue"
 	"github.com/google/syzkaller/pkg/log"
-	"github.com/google/syzkaller/pkg/manager"
 	"github.com/google/syzkaller/pkg/mgrconfig"
 	"github.com/google/syzkaller/pkg/osutil"
 	"github.com/google/syzkaller/pkg/report"
@@ -39,8 +37,6 @@ func Setup(name string, cfg *mgrconfig.Config, debug bool) (*Kernel, error) {
 		cfg:             cfg,
 		crashes:         make(chan *report.Report, 128),
 		servStats:       rpcserver.NewNamedStats(name),
-		candidates:      make(chan []fuzzer.Candidate),
-		reportGenerator: manager.ReportGeneratorCache(cfg),
 		enabledSyscalls: make(chan map[*prog.Syscall]bool, 1),
 		features:        make(chan flatrpc.Feature, 1),
 	}
@@ -75,8 +71,7 @@ func main() {
 	var cfgs tool.CfgsFlag
 	flag.Var(&cfgs, "configs", "[MANDATORY] list of at least two kernel-specific comma-sepatated configuration files")
 	flagDebug := flag.Bool("debug", false, "dump all VM output to console")
-	// flagAddress := flag.String("address", "127.0.0.1:8080", "http address for monitoring")
-	// flagReruns := flag.Int("rerun", 3, "number of time program is rerun when a mismatch is found")
+	flagCorpus := flag.String("corpus", "", "path to corpus.db file (default: <workdir>/corpus.db)")
 	flag.Parse()
 
 	kernels := make([]*Kernel, len(cfgs))
@@ -101,13 +96,11 @@ func main() {
 		os.Exit(1)
 	}
 	workdir := kernels[0].cfg.Workdir
-	reqMaxSignal := make(chan int, len(kernels))
 	sources := make(map[int]*queue.PlainQueue)
 	for idx, kernel := range kernels {
 		if kernel.cfg.Workdir != workdir {
 			log.Fatalf("all kernel configurations must have the same workdir, got %q and %q", workdir, kernel.cfg.Workdir)
 		}
-		kernel.reqMaxSignal = reqMaxSignal
 		sources[idx] = queue.Plain()
 		kernel.source = sources[idx]
 	}
@@ -117,12 +110,11 @@ func main() {
 	log.Logf(0, "initialized %d sources", len(sources))
 
 	vrf := &Verifier{
-		kernels:        kernels,
-		cfg:            kernels[0].cfg, // for now take the first kernel's config
-		corpusPreload:  make(chan []fuzzer.Candidate),
-		disabledHashes: make(map[string]struct{}),
-		target:         kernels[0].cfg.Target,
-		sources:        sources,
+		kernels:    kernels,
+		cfg:        kernels[0].cfg, // for now take the first kernel's config
+		target:     kernels[0].cfg.Target,
+		sources:    sources,
+		corpusPath: *flagCorpus,
 	}
 
 	ctx := vm.ShutdownCtx()