
Commit 1d744ae

changes to prompts and tools for fog
1 parent a2b11f2 commit 1d744ae

16 files changed

Lines changed: 327 additions & 71 deletions


Sources/Agentic_System/prompts/FoG-prompts/code_analyzer.txt

Lines changed: 6 additions & 6 deletions
Original file line number | Diff line number | Diff line change
@@ -15,7 +15,7 @@ In the first stage you should query your tool calls to figure out information ab
1515
V8 compiler in the specific code regions that were provided to you. Make sure the information
1616
is as recent as possible. In this stage you should build an initial understanding of the
1717
code region. Make sure to look out for security-related issues in the code and optimize your
18-
analysis around them.
18+
analysis around them. PRIORITIZE CONCRETE REGRESSION ARTIFACTS, JS/FUZZIL CORPUS BEHAVIOR, AND `search_chromium_issues_rag_hybrid` RESULTS WHEN FORMING YOUR UNDERSTANDING OF WHY A TARGET MATTERS. PUBLIC DOCS ARE SECONDARY AND SHOULD MOSTLY HELP CLARIFY TERMINOLOGY OR ARCHITECTURE.
1919

2020
## STAGE 2
2121

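Review bot: the new sentence at line 18 puts `search_chromium_issues_rag_hybrid` results ahead of public docs but leaves that tool outside the only call budget stated in this file (`v8_search` at most 4 times total, visible on the trailing context line of the next hunk); say whether issue searches are unbounded or count toward a budget, otherwise the agent cannot tell how freely it may use them. Style: the addition is a 60-word all-caps run-on appended to a sentence-case paragraph; split it, e.g. `Prioritize concrete regression artifacts, JS/FuzzIL corpus behavior, and search_chromium_issues_rag_hybrid results.` followed by the public-docs sentence.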
@@ -24,8 +24,8 @@ YOU must provide this JSON and cannot skip any elements:
2424

2525
JSON WITH EXAMPLE (DO NOT COPY WORDING/FORMATTING, JUST THE GENERAL CONCEPT OF THE EXAMPLES)
2626
{
27-
TASK: "[Please go about finding the specific code sections related to the X code region provided. Please make sure you target func-1, idea/concepts-1, func-N, Idea-N, Concept-N]"
28-
REASON: "[The reason for finding these specific code sections related to the X code region are ... . Please provide specific reasoning to direct V8search.]"
27+
TASK: "[Please go about finding the specific code sections related to the X code region provided. Please make sure you target func-1, idea/concepts-1, func-N, Idea-N, Concept-N, WITH EMPHASIS ON THE CONCRETE FAILURE MODE / REGRESSION HYPOTHESIS WE ARE TRYING TO EXPLAIN.]"
28+
REASON: "[The reason for finding these specific code sections related to the X code region are ... . Please provide specific reasoning to direct V8search. TIE THIS TO OBSERVED JS/FUZZIL BEHAVIOR, EXECUTION DETAILS, AND/OR CHROMIUM ISSUE EVIDENCE RATHER THAN JUST SAYING THE AREA IS GENERALLY IMPORTANT.]"
2929
}
3030

3131
YOU CAN ONLY CALL v8_search at most 4 times TOTAL FOR ALL STAGES !!! PLEASE USE YOUR CALLS WELL !!!!
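Review bot: the REASON template at line 28 still reads `The reason for finding these specific code sections ... are ...`, a subject-verb mismatch (`reason ... is`) that could be fixed while the line is being rewritten. The new text asks for "OBSERVED JS/FUZZIL BEHAVIOR, EXECUTION DETAILS, AND/OR CHROMIUM ISSUE EVIDENCE" without asking the agent to name the corpus entry or issue it relied on, which leaves the downstream reviewer nothing concrete to verify; suggest appending `...and name the corpus entry or issue you are drawing on.` Also, the 4-call `v8_search` budget on the trailing context line is unchanged while TASK/REASON now demand more detail, so the prompt should state that the extra detail goes into fewer, better-scoped calls rather than additional ones.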
@@ -38,6 +38,7 @@ to actually find interesting functions. Make sure as you are interpreting the co
3838
and why they are interesting. If you are unsure, please re-query v8_search with the same JSON TASK, but this time make sure to include IDs
3939
as well as code specifics as needed. If you perform additional queries, MAKE SURE TO BE VERY, VERY GRANULAR AND SPECIFIC. YOU MUST KNOW EXACTLY
4040
WHAT YOU ARE LOOKING FOR. DO NOT JUST SEND THE SAME "TASK" TO THE V8_search agent. QUERY THE agent memory AND FORMULATE THE V8_search TASK PARTIALLY BASED ON THE RESULTS.
41+
WHEN POSSIBLE, USE `search_chromium_issues_rag_hybrid` TO HELP NARROW THE FAILURE HYPOTHESIS OR TO FIND MORE SPECIFIC LANGUAGE ABOUT THE BEHAVIOR YOU ARE TRYING TO EXPLAIN.
4142

4243
YOU CAN ONLY CALL v8_search at most 4 times TOTAL FOR ALL STAGES !!! PLEASE USE YOUR CALLS WELL !!!!
4344

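Review bot: line 41 tells the agent to use `search_chromium_issues_rag_hybrid` "WHEN POSSIBLE" but gives no fallback for when the issue search returns nothing relevant, so the agent may burn one of its four `v8_search` calls re-asking a broad question; state the fallback order explicitly (agent memory and the corpus first, then a re-scoped `v8_search` TASK). "WHEN POSSIBLE" is also vague: if it means "when the tool appears in your tool list", say so.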
@@ -54,8 +55,8 @@ from the code reviewer to help guide your path to interesting functions that cor
5455
Here is the JSON object that you MUST send to code reviewer:
5556

5657
{
57-
GOAL: "[INSERT THE CODE REGION WE ARE INTERESTED IN AND WHY WE'RE INTERESTED IN IT]"
58-
FULL ANSWER: "[PLEASE ADD A FULL EXPLANATION AND THE IDENTIFIED INTERESTING CODE BLOCKS]"
58+
GOAL: "[INSERT THE CODE REGION WE ARE INTERESTED IN AND WHY WE'RE INTERESTED IN IT; THIS SHOULD NAME THE CONCRETE BEHAVIOR, FAILURE MODE, OR ISSUE-BACKED HYPOTHESIS RATHER THAN ONLY A BROAD SUBSYSTEM]"
59+
FULL ANSWER: "[PLEASE ADD A FULL EXPLANATION AND THE IDENTIFIED INTERESTING CODE BLOCKS, INCLUDING HOW THEY RELATE TO THE JS/FUZZIL CORPUS, EXECUTION DETAILS, AND ANY RELEVANT CHROMIUM ISSUE EVIDENCE]"
5960
}
6061

6162
## STAGE 5
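Review bot: the expanded GOAL at line 58 requires an "ISSUE-BACKED HYPOTHESIS" and FULL ANSWER at line 59 requires "ANY RELEVANT CHROMIUM ISSUE EVIDENCE", but neither field asks for the identifier of the issue or corpus entry, so the reviewer_of_code step in this same commit that re-runs `search_chromium_issues_rag_hybrid` to check such claims has nothing specific to search for; add a clause or field such as `EVIDENCE: "[issue ids, corpus entry names, or execution trace excerpts relied on]"`. Style: `FULL ANSWER` keeps a space in its key while the pick_section prompt uses underscores (`SUMMARY_OF_CODE_REGION`); pick one convention since this JSON is consumed by another agent.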
@@ -73,4 +74,3 @@ Here is the JSON object that you MUST send to the root manager / parent agent:
7374
ANALYSIS: "[YOUR ANALYSIS OF THE RELATION BETWEEN THE INTERESTING CODE BLOCKS AND JAVASCRIPT PROGRAMS IN THE CORPUS]"
7475
}
7576

76-

Sources/Agentic_System/prompts/FoG-prompts/compiler.txt

Lines changed: 2 additions & 0 deletions
@@ -62,6 +62,7 @@ For each compilation error identified:
6262
2. Use `swift_read_file` to examine relevant source files showing correct implementations, using `line_start` and `line_end` for large files
6363
3. Use `swift_glob_search` to locate definition files for ProgramBuilder APIs
6464
4. Compare the failing code against working examples in the codebase
65+
4.5. WHEN THE FAILURE LOOKS LIKE API OR CLOSURE-SHAPE UNCERTAINTY, FIND AT LEAST ONE EXACT OR NEAR-EXACT REPOSITORY EXAMPLE OF THAT PATTERN BEFORE DECIDING HOW TO FIX IT
6566
5. Develop a fix strategy that preserves the core fuzzing logic
6667
6. Create a detailed plan for each fix with specific line numbers and changes
6768

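Review bot: the new step is numbered `4.5.` inside an ordered 1-6 list, which breaks the numbering and does not render as a list item in most Markdown renderers; renumber it to 5 and shift the following steps, or make it a sub-step of 4 (`4a.`). It is also written in all caps while steps 2-6 are sentence case; match the surrounding style. The content itself is sound: requiring a repository example before fixing an API-shape error is consistent with the "justify each fix by referencing working code" rule later in this file.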
@@ -139,6 +140,7 @@ When fixing compilation errors:
139140
- Fix integration issues by examining how other templates are added
140141
- Preserve the original intent and structure of the fuzzing strategy
141142
- Always justify each fix by referencing working code in the codebase
143+
- IF A PARTICULAR API SHAPE CANNOT BE CONFIRMED, PREFER A NEARBY PROVEN PATTERN THAT PRESERVES THE TARGETING IDEA INSTEAD OF INVENTING A NEW SWIFT SURFACE
142144

143145
## COMMON COMPILATION ISSUES TO CHECK
144146

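Review bot: the new bullet tells the agent to fall back to a "NEARBY PROVEN PATTERN" when an API shape cannot be confirmed, but the bullet directly above requires every fix to be justified by referencing working code; make the new bullet say the fallback pattern must also be cited to the file and line where it is used, so the two rules do not read as an exception to each other. Same all-caps versus sentence-case mismatch as the other bullets in this list.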
Sources/Agentic_System/prompts/FoG-prompts/pick_section.txt

Lines changed: 10 additions & 9 deletions
@@ -6,8 +6,10 @@ YOU WILL BE CREATING A FUZZING PROGRAM TEMPLATE FOR FUZZILLI. ALL YOU NEED TO DO
66
A GOOD TARGET. YOU DON'T NEED ANY SPECIFIC FUNCTIONS, JUST GENERAL CODE REGIONS.
77

88
DO NOT PICK SOMETHING TOO GENERAL LIKE "MAGLEV". YOU NEED SOMETHING MORE SPECIFIC LIKE MAGLEV GRAPH BUILDER (THIS IS JUST AN EXAMPLE).
9+
PREFER TARGETS THAT ARE ANCHORED TO CONCRETE REGRESSION EVIDENCE, CHROMIUM ISSUE REPORTS, EXECUTION ARTIFACTS, OR SPECIFIC JS/FUZZIL CORPUS BEHAVIOR. DO NOT PICK A TARGET JUST BECAUSE A PUBLIC DOC OR BLOG POST SAYS A COMPONENT IS IMPORTANT.
910

1011
PLEASE USE THE TOOLS PROVIDED TO YOU TO SEARCH THE PROVIDED JSON FILES CONTAINING REGRESSIONS FROM V8 WITH THEIR ASSOCIATED FUZZIL AND JS.
12+
WHEN AVAILABLE, TREAT `search_chromium_issues_rag_hybrid` AS A HIGH-VALUE SOURCE OF DETAILED TARGET IDEAS, FAILURE MODES, AND SPECIFIC CODE PATH HYPOTHESES.
1113

1214

1315

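Review bot: line 12 says to treat `search_chromium_issues_rag_hybrid` as high-value "WHEN AVAILABLE" but does not say how the agent decides availability (tool present in its tool list, or non-empty results), and line 9 forbids choosing a target because a doc "SAYS A COMPONENT IS IMPORTANT" without stating the minimum acceptable evidence; one sentence listing the accepted evidence types (regression entry, issue report, execution artifact, corpus behavior) with an example of each would remove the ambiguity. The run of blank context lines at the end of the hunk suggests the file already carries stray blank lines worth trimming.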
@@ -22,20 +24,21 @@ DO NOT RERUN "get_js_entry_data_by_name" on the entry you got from a get_random_
2224
## STAGE 1
2325
ANALYZE THE DATA ENTRY EXECUTION INFORMATION AND TRY TO THEN SEARCH FOR ADJACENT JS AND FUZZIL CODE USING search_js_file_name_by_pattern.
2426
TRY TO CONNECT EXECUTION INFORMATION FROM THE RANDOM DATA ENTRY WITH PARTS OF THE V8 CODE BASE, YOU CAN USE THE VECTOR RAG DATABASE
25-
QUERIES TO HELP YOU FIND USEFUL KEY WORDS AND IDEAS. USE `search_v8_source_rag_hybrid` OR `search_knowledge_base_hybrid` FOR THIS.
27+
QUERIES TO HELP YOU FIND USEFUL KEY WORDS AND IDEAS. PRIORITIZE `search_chromium_issues_rag_hybrid` AND THE REGRESSION CORPUS FOR THIS, THEN USE `search_v8_source_rag_hybrid` TO MAP THE IDEA TO CONCRETE FILES / FUNCTIONS. USE `search_knowledge_base_hybrid` MAINLY TO CLARIFY TERMINOLOGY OR BACKGROUND, NOT AS THE PRIMARY REASON TO CHOOSE A TARGET.
2628

2729
## STAGE 2
2830
AFTER THAT PLEASE USE THE get_js_entry_data_by_name IN ORDER TO FIGURE OUT THE INTERNAL V8 EXECUTION INFORMATION
2931

3032
## STAGE 3
31-
IN THIS STAGE YOU CAN NOW USE search_knowledge_base_hybrid AND get_knowledge_doc ON TOP OF get_js_entry_data_by_name WITH THE
33+
IN THIS STAGE YOU CAN NOW USE search_chromium_issues_rag_hybrid, search_knowledge_base_hybrid, AND get_knowledge_doc ON TOP OF get_js_entry_data_by_name WITH THE
3234
GOAL OF FIGURING OUT A "CODE REGION" OF V8 THAT IS MEANINGFULLY EXPLOITABLE. USE THE EXECUTION DATA FROM THE DATA ENTRIES
33-
IN COMBINATION WITH THE ASSOCIATED JS AND FUZZIL TO CHOOSE THE CODE REGION.
35+
IN COMBINATION WITH THE ASSOCIATED JS, FUZZIL, AND ANY RELEVANT CHROMIUM ISSUE EVIDENCE TO CHOOSE THE CODE REGION. IF YOU USE `get_knowledge_doc`, PAGE THROUGH IT WITH `chunk_offset`, `max_chunks`, AND `max_total_lines` RATHER THAN REQUESTING TOO MUCH CONTEXT AT ONCE.
36+
PUBLIC DOCS CAN HELP EXPLAIN A CONCEPT, BUT THEY SHOULD RARELY BE THE MAIN JUSTIFICATION FOR THE TARGET. YOUR MAIN JUSTIFICATION SHOULD COME FROM REGRESSION ARTIFACTS, ISSUE DETAILS, OR SPECIFIC EXECUTION BEHAVIOR.
3437

3538
## STAGE 4
3639
PLEASE KEEP REPEATING STAGES 1-3 UNTIL YOU HAVE A CONCRETE IDEA OF WHICH CODE REGION YOU WOULD LIKE TO TARGET. YOU SHOULD BE ABLE TO
3740
MAKE A STRONG DEFENSE OF WHY YOU PICKED THIS CODE SECTIONS FROM THE EXECUTION DATA AND HOW ITS RELEVANT TO TARGETING USEFUL JIT/VULNERABLE
38-
CODE PATHS IN THE V8 CODEBASE.
41+
CODE PATHS IN THE V8 CODEBASE. A STRONG DEFENSE NAMES SPECIFIC FAILURE MODES, MAP TRANSITIONS, COMPILATION STATES, PROPERTY LOOKUP CASES, DEOPT CONDITIONS, OR OTHER CONCRETE BEHAVIORS RATHER THAN JUST A BROAD SUBSYSTEM LABEL.
3942

4043
## STAGE 5
4144

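Review bot: Stage 1 (line 27) now tells the agent to prioritize `search_chromium_issues_rag_hybrid`, but Stage 3 (line 33) says "IN THIS STAGE YOU CAN NOW USE search_chromium_issues_rag_hybrid", which implies the tool only becomes usable at Stage 3; drop it from the Stage 3 "can now use" list or reword Stage 3 to "continue using". Line 35 names `chunk_offset`, `max_chunks`, and `max_total_lines` for `get_knowledge_doc` without suggesting starting values, so "TOO MUCH CONTEXT AT ONCE" is undefined; give a default batch size. The pre-existing grammar on the Stage 4 context lines ("THIS CODE SECTIONS", "HOW ITS RELEVANT") could be fixed while the paragraph is being edited.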
@@ -46,10 +49,8 @@ relay the information to your sub agent.
4649

4750
Here is the JSON object THAT YOU MUST FOLLOW please make sure to include all sections and send this back to your manager:
4851
{
49-
CODE REGION: "[THE SPECIFIC CODE REGION CHOSEN BASED ON THE RESULTS OF YOUR TOOL CALLS]"
50-
SUMMARY_OF_CODE_REGION: "[COMPLEX HOLISTIC SUMMARY OF THE CODE REGION INCLUDING AS MUCH USEFUL INFORMATION]"
51-
REASONING: "[WHY YOU SELECTED THE REGION YOU PICKED]"
52+
CODE REGION: "[THE SPECIFIC CODE REGION CHOSEN BASED ON THE RESULTS OF YOUR TOOL CALLS; THIS SHOULD BE A CONCRETE CODE PATH OR NARROW REGION, NOT A BROAD ENGINE AREA]"
53+
SUMMARY_OF_CODE_REGION: "[COMPLEX HOLISTIC SUMMARY OF THE CODE REGION INCLUDING AS MUCH USEFUL INFORMATION, ESPECIALLY THE SPECIFIC OPERATIONS / STATES / INVARIANTS THAT MAKE IT A GOOD TARGET]"
54+
REASONING: "[WHY YOU SELECTED THE REGION YOU PICKED, REFERENCING THE REGRESSION CORPUS, JS/FUZZIL EVIDENCE, EXECUTION DETAILS, AND/OR CHROMIUM ISSUE EVIDENCE THAT MADE THIS TARGET LOOK FRUITFUL]"
5255
}
5356

54-
55-

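Review bot: REASONING at line 54 asks the agent to reference "THE REGRESSION CORPUS, JS/FUZZIL EVIDENCE, EXECUTION DETAILS, AND/OR CHROMIUM ISSUE EVIDENCE" but not to name the specific entry from `get_js_entry_data_by_name` or the issue it relied on, so the manager cannot reproduce the selection; require identifiers. `CODE REGION` keeps a space in its key while `SUMMARY_OF_CODE_REGION` on the next line uses underscores; since line 52 is being rewritten anyway, normalize to `CODE_REGION`. The deleted trailing blank lines (54-55) are fine.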
Sources/Agentic_System/prompts/FoG-prompts/program_builder.txt

Lines changed: 7 additions & 0 deletions
@@ -17,6 +17,10 @@ NEVER GENERATE MORE THAN ONE PROGRAM TEMPLATE AT A TIME. ALWAYS MAKE SURE THE `c
1717
GO THROUGH THE agent memory WITH ALL THE PROGRAM TEMPLATE EXAMPLES, THEY HAVE PROGRAM TEMPLATE SWIFT CODE BUT ALSO THE RESULTING FUZZIL CODE
1818
AS WELL AS THE JS VERSION AND EXECUTION TRACE FROM THE V8 ENGINE. THIS SHOULD GIVE YOU A STARTING POINT REGARDING GENERATING A
1919
PROGRAM TEMPLATE YOURSELF. USE `search_v8_source_rag_hybrid` AND `search_knowledge_base_hybrid` WHEN YOU NEED SOURCE OR DOC CONTEXT.
20+
WHEN YOU NEED FOLLOW-UP CONTEXT FROM `get_v8_source_rag_doc` OR `get_knowledge_doc`, PAGE THROUGH IT IN SMALL BATCHES USING `chunk_offset`, `max_chunks`, AND `max_total_lines` INSTEAD OF TRYING TO PULL A WHOLE DOCUMENT AT ONCE.
21+
BEFORE YOU RELY ON A NONTRIVIAL PROGRAMBUILDER API SHAPE, FUNCTION CLOSURE PATTERN, OR PROPERTY-MANIPULATION CONSTRUCT, GATHER 2-4 RELEVANT REFERENCE EXAMPLES FROM THE TEMPLATE CORPUS OR agent memory SO YOUR TEMPLATE IS SYNTAX-GROUNDED EVEN IF THE OVERALL STRATEGY IS NEW.
22+
BE CREATIVE IN HOW YOU COMBINE TARGETING IDEAS, WARMUP SHAPES, CONTROL FLOW, AND STATE TRANSITIONS, BUT PREFER TO ANCHOR THE ACTUAL SWIFT / PROGRAMBUILDER SURFACE TO PATTERNS YOU HAVE SEEN USED SUCCESSFULLY.
23+
IF YOU CANNOT CONFIDENTLY CONFIRM A SPECIFIC API FORM, PREFER A SIMPLER PROVEN VARIANT OVER GUESSING.
2024
FINALLY, AFTER YOU HAVE CREATED A PROGRAM TEMPLATE, SEND YOUR CODE TO THE VERIFICATION AGENT `static_verfication`.
2125

2226
MAKE SURE THE PROGRAM TEMPLATE NAME YOU PROVIDE DOESN'T ALREADY EXIST BY RUNNING `list_program_templates` TO RETRIEVE THE EXISTING PROGRAM TEMPLATE NAMES LOCATED IN `ProgramTemplates.swift` AND `ProgramTemplateWeights.swift`.
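Review bot: lines 20-23 tell the builder to gather 2-4 reference examples before relying on a nontrivial ProgramBuilder API shape, but nothing asks it to record which examples it used, so `static_verfication` (spelled this way throughout; confirm it matches the registered tool name) has to rediscover them; have the template submission list the reference templates it was grounded on. The paging instruction for `chunk_offset`, `max_chunks`, and `max_total_lines` now appears in three prompts in this commit with slightly different wording; factor it into one shared paragraph so the guidance stays in sync.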
@@ -25,6 +29,8 @@ STRICTLY ONLY CALL `get_template_from_json_by_name` IF THE PROGRAM TEMPLATE NAME
2529

2630
## STAGE 1
2731
IF `static_verfication` PROVIDES FEEDBACK, IMPLEMENT THOSE FIXES AFTER YOU VERIFY THEY ARE CORRECT, THEN SEND THE UPDATED TEMPLATE BACK TO `static_verfication`.
32+
WHEN YOU RETRY, CARRY FORWARD THE EXACT BLOCKERS FROM THE LAST REVIEW. DO NOT REPEAT THE SAME UNCERTAIN PATTERN UNDER A SLIGHTLY DIFFERENT SHAPE.
33+
IF THE REVIEW CALLS OUT API UNCERTAINTY, UNCONFIRMED ARGUMENT HANDLING, OR A MISLEADING SEMANTIC CLAIM, FIX THAT SPECIFIC ISSUE BEFORE ADDING NEW COMPLEXITY.
2834
KEEP REPEATING THIS FEEDBACK LOOP UNTIL `static_verfication` CONFIRMS THAT YOUR PROGRAM TEMPLATE IS LOGICAL AND WELL-FORMED.
2935
YOU ARE NEVER ALLOWED TO QUIT FROM THIS STAGE UNTIL `static_verfication` APPROVES THE TEMPLATE.
3036

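Review bot: the two new lines sharpen the retry loop (carry forward exact blockers, fix the flagged issue before adding complexity), but the loop on the following context lines still has no iteration cap ("NEVER ALLOWED TO QUIT ... UNTIL `static_verfication` APPROVES"); combined with the new rule against repeating an uncertain pattern, a builder that cannot confirm an API shape has no sanctioned exit. Add a bound, e.g. after N rejections report the unresolved blockers to the parent agent instead of retrying.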
@@ -74,6 +80,7 @@ ProgramTemplate("JITFunction") { b in
7480
```
7581

7682
This fairly simple template aims to search for JIT compiler bugs by generating a random function, forcing it to be compiled, then calling it again with different arguments.
83+
TREAT THIS BACKGROUND EXAMPLE AS AN ILLUSTRATION OF TEMPLATE INTENT, NOT AS PROOF THAT EVERY ARGUMENT-HANDLING DETAIL OR EVERY PROGRAMBUILDER CALL SHAPE IS NECESSARILY THE EXACT ONE AVAILABLE IN THIS REPOSITORY.
7784

7885
### Example
7986
The following is a walkthrough of how the HybridEngine may generate a program based on the template above. Note that not all CodeGenerators have been migrated to work well with the HybridEngine (e.g. by emitting guarded instruction if necessary) as that is still work-in-progress.
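Review bot: the caveat at line 83 lands after the JITFunction template and its explanation, so a reader has already absorbed the code as authoritative before being told not to trust its call shapes; move it to just before the fence that opens the example, and write it in the sentence case used by the rest of this section rather than all caps. "NOT NECESSARILY THE EXACT ONE AVAILABLE IN THIS REPOSITORY" would be more useful if it pointed to where confirmed patterns can be found (the template corpus and agent memory named earlier in this prompt).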

Sources/Agentic_System/prompts/FoG-prompts/reviewer_of_code.txt

Lines changed: 6 additions & 2 deletions
@@ -39,6 +39,7 @@ You must validate that the GOAL field is clear and well-reasoned:
3939
3. Check that the GOAL connects the code region to fuzzing relevance
4040
4. Ensure the GOAL provides sufficient context for understanding the analysis
4141
5. Validate that the GOAL aligns with the scope of the original task
42+
6. PREFER GOALS THAT ARE BACKED BY CONCRETE REGRESSION / ISSUE / CORPUS EVIDENCE. IF THE GOAL IS JUST A BROAD ENGINE AREA WITH NO SPECIFIC FAILURE HYPOTHESIS, TREAT THAT AS A WEAKNESS.
4243

4344
If the GOAL is unclear, too generic, or lacks reasoning, you should REJECT and provide specific feedback on what needs clarification.
4445

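Review bot: item 6 says a GOAL without a specific failure hypothesis should be treated "AS A WEAKNESS", while the sentence on the following context line says an unclear or too-generic GOAL leads to REJECT; state whether item 6 is a rejection criterion or only a note for feedback, otherwise two reviewer runs will apply it differently. Item 6 is also all caps where items 3-5 are sentence case.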
@@ -58,8 +59,9 @@ If the FULL ANSWER lacks detail, doesn't identify specific code blocks, or shows
5859
You MUST use your available tools to verify the identified code blocks:
5960
1. Use `search_v8_source_rag_hybrid` to find relevant V8 source chunks for identified code blocks
6061
2. Use `search_knowledge_base_hybrid` to verify understanding of V8 components, functions, or concepts mentioned
61-
3. Use `get_v8_source_rag_doc` to retrieve full chunk sequences for specific files when needed
62-
4. Use `get_knowledge_doc` to retrieve detailed V8 documentation for identified code regions
62+
2.5. Use `search_chromium_issues_rag_hybrid` when the analysis claims issue-backed, crash-backed, or regression-backed relevance, and use it to check whether the target is grounded in a specific failure mode rather than a vague subsystem label
63+
3. Use `get_v8_source_rag_doc` to retrieve additional chunk batches for specific files when needed, paging with `chunk_offset`, `max_chunks`, and `max_total_lines`
64+
4. Use `get_knowledge_doc` to retrieve detailed V8 documentation for identified code regions, also using small paged batches instead of whole-document pulls
6365
5. Use `grep_search` or `glob_search` to locate and verify identified code blocks in V8 source if needed
6466
6. Use `web_search` if additional information about V8 engine behaviors is needed for validation
6567

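Review bot: `2.5.` breaks the ordered list (same issue as the compiler prompt in this commit); renumber it to 3 and shift steps 3-6. Since this step is the verification hook for the evidence claims the other prompts now require, it should say what to do when the issue search finds nothing matching the claim (treat the claim as unverified and REJECT, or only note it in feedback). Steps 3 and 4 now reference `chunk_offset`, `max_chunks`, and `max_total_lines` with "small" batches but give no size.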
@@ -115,13 +117,15 @@ For an analysis to be APPROVED, it must:
115117
- Show that identified code blocks are genuinely interesting for fuzzing
116118
- Provide actionable insights that can guide program template generation
117119
- Connect identified code blocks to fuzzing strategies and JavaScript program targeting
120+
- Preferably tie the target to concrete corpus behavior, execution evidence, or Chromium issue context rather than relying only on broad architectural background
118121

119122
## FEEDBACK GUIDELINES
120123

121124
When providing feedback (especially for REJECTED cases):
122125
- Be specific about what aspects of GOAL or FULL ANSWER need improvement
123126
- Reference specific identified code blocks that need better explanation
124127
- Point to V8 source RAG chunks or knowledge base documents that should be consulted
128+
- Point to Chromium issue evidence or regression-corpus evidence when the target is too broad and needs a sharper hypothesis
125129
- Suggest specific functions, concepts, or areas to investigate in Stage 3
126130
- Provide examples of what a strong analysis should look like
127131
- Guide code_analyzer to re-query v8_search with more targeted TASK/REASON if needed
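Review bot: the criteria list is introduced with "it must:", so the new bullet beginning "Preferably tie the target..." contradicts its own header: either it is a requirement (drop "Preferably") or it belongs in a separate "should" list. The new feedback bullet at line 128 overlaps the existing "Point to V8 source RAG chunks or knowledge base documents..." bullet; merging them into one "point to the evidence source that should be consulted" bullet would be cleaner.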
