The current system does not exploit combining good inputs to generate potentially better test programs.
In Genetic Programming, 2 (or more) programs are combined to form a new program. For a particular domain, the crossover function may be specific to the problem domain. In the case here, it might make sense to focus on input/output points of each test program:
Crossover of 2 programs could then cut each program at points where one produced an output of a type A, and the other consumed an input of type A. Most types in Syzkaller should be resources, but can also be more complex generated types such as structs.
An initial version could simply select 2 or more test programs at random, but eventually we could move closer towards a more principled GA/GP selection/crossover/mutation/repeat process. Prerequisites for this include having a domain-specific fitness computation and crossover (this task).
melver
commented
5 years ago
The current system does not exploit combining good inputs to generate potentially better test programs.
In Genetic Programming, 2 (or more) programs are combined to form a new program. For a particular domain, the crossover function may be specific to the problem domain. In the case here, it might make sense to focus on input/output points of each test program: