runtime: Do not track map key comparisons per key

fmeum · fmeum · commit 52863e83aeac · 2023-09-10T13:55:05.000+02:00
With a dynamic map, this very quickly overflows the feature table and
stalls fuzzer progress due to the rapidly increasing feature count for
distinct keys.

In the future, we may be able to detect static keys and reenable this
more fine-grained tracking.
diff --git a/src/main/java/com/code_intelligence/jazzer/runtime/TraceCmpHooks.java b/src/main/java/com/code_intelligence/jazzer/runtime/TraceCmpHooks.java
@@ -816,12 +816,10 @@ public static void mapGet(
     }
     // Modify the hook ID so that compares against distinct valid keys are traced separately.
     if (lowerBoundKey != null) {
-      TraceDataFlowNativeCallbacks.traceGenericCmp(
-          currentKey, lowerBoundKey, hookId + lowerBoundKey.hashCode());
+      TraceDataFlowNativeCallbacks.traceGenericCmp(currentKey, lowerBoundKey, hookId);
     }
     if (upperBoundKey != null) {
-      TraceDataFlowNativeCallbacks.traceGenericCmp(
-          currentKey, upperBoundKey, hookId + upperBoundKey.hashCode());
+      TraceDataFlowNativeCallbacks.traceGenericCmp(currentKey, upperBoundKey, 31 * hookId + 11);
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -816,12 +816,10 @@ public static void mapGet(`
`816`	`816`	`}`
`817`	`817`	`// Modify the hook ID so that compares against distinct valid keys are traced separately.`
`818`	`818`	`if (lowerBoundKey != null) {`
`819`		`- TraceDataFlowNativeCallbacks.traceGenericCmp(`
`820`		`- currentKey, lowerBoundKey, hookId + lowerBoundKey.hashCode());`
	`819`	`+ TraceDataFlowNativeCallbacks.traceGenericCmp(currentKey, lowerBoundKey, hookId);`
`821`	`820`	`}`
`822`	`821`	`if (upperBoundKey != null) {`
`823`		`- TraceDataFlowNativeCallbacks.traceGenericCmp(`
`824`		`- currentKey, upperBoundKey, hookId + upperBoundKey.hashCode());`
	`822`	`+ TraceDataFlowNativeCallbacks.traceGenericCmp(currentKey, upperBoundKey, 31 * hookId + 11);`
`825`	`823`	`}`
`826`	`824`	`}`
`827`	`825`