authorDmitry Vyukov <dvyukov@google.com>2021-04-26 10:19:59 +0200
committerDmitry Vyukov <dvyukov@google.com>2021-04-26 10:53:47 +0200
commite60b7df17cbe2ad01e7f75b3e515bf0e26c56edb (patch)
treea22e5a7ab6daf63bf5286c411193f29ca9ec7e4b
parent2a82f1b39f0c4d6c8c45fe4baf7cdd555c9e4af8 (diff)
syz-fuzzer: extend diagnostics for execution of disabled syscalls
For debugging of: https://groups.google.com/g/syzkaller/c/fBDU5arcOTE/m/-XCcN0HxAQAJ
-rw-r--r--syz-fuzzer/fuzzer.go4
-rw-r--r--syz-fuzzer/proc.go26
-rw-r--r--syz-fuzzer/testing.go6
-rw-r--r--syz-manager/html.go4
4 files changed, 29 insertions, 11 deletions
diff --git a/syz-fuzzer/fuzzer.go b/syz-fuzzer/fuzzer.go
index 634ac491f..9d327fe9e 100644
--- a/syz-fuzzer/fuzzer.go
+++ b/syz-fuzzer/fuzzer.go
@@ -60,7 +60,8 @@ type Fuzzer struct {
maxSignal signal.Signal // max signal ever observed including flakes
newSignal signal.Signal // diff of maxSignal since last sync with master
- logMu sync.Mutex
+ checkResult *rpctype.CheckArgs
+ logMu sync.Mutex
}
type FuzzerSnapshot struct {
@@ -261,6 +262,7 @@ func main() {
faultInjectionEnabled: r.CheckResult.Features[host.FeatureFault].Enabled,
comparisonTracingEnabled: r.CheckResult.Features[host.FeatureComparisons].Enabled,
corpusHashes: make(map[hash.Sig]struct{}),
+ checkResult: r.CheckResult,
}
gateCallback := fuzzer.useBugFrames(r, *flagProcs)
fuzzer.gate = ipc.NewGate(2**flagProcs, gateCallback)
diff --git a/syz-fuzzer/proc.go b/syz-fuzzer/proc.go
index 0d1d4c134..84f214cec 100644
--- a/syz-fuzzer/proc.go
+++ b/syz-fuzzer/proc.go
@@ -280,12 +280,7 @@ func (proc *Proc) executeRaw(opts *ipc.ExecOpts, p *prog.Prog, stat Stat) *ipc.P
if opts.Flags&ipc.FlagDedupCover == 0 {
log.Fatalf("dedup cover is not enabled")
}
- for _, call := range p.Calls {
- if !proc.fuzzer.choiceTable.Enabled(call.Meta.ID) {
- fmt.Printf("executing disabled syscall %v\n", call.Meta.Name)
- panic("disabled syscall")
- }
- }
+ proc.checkDisabledCalls(p)
// Limit concurrency window and do leak checking once in a while.
ticket := proc.fuzzer.gate.Enter()
@@ -315,6 +310,25 @@ func (proc *Proc) executeRaw(opts *ipc.ExecOpts, p *prog.Prog, stat Stat) *ipc.P
}
}
+func (proc *Proc) checkDisabledCalls(p *prog.Prog) {
+ for _, call := range p.Calls {
+ if !proc.fuzzer.choiceTable.Enabled(call.Meta.ID) {
+ fmt.Printf("executing disabled syscall %v [%v]\n", call.Meta.Name, call.Meta.ID)
+ sandbox := ipc.FlagsToSandbox(proc.fuzzer.config.Flags)
+ fmt.Printf("check result for sandbox=%v:\n", sandbox)
+ for _, id := range proc.fuzzer.checkResult.EnabledCalls[sandbox] {
+ meta := proc.fuzzer.target.Syscalls[id]
+ fmt.Printf(" %v [%v]\n", meta.Name, meta.ID)
+ }
+ fmt.Printf("choice table:\n")
+ for i, meta := range proc.fuzzer.target.Syscalls {
+ fmt.Printf(" #%v: %v [%v]: enabled=%v\n", i, meta.Name, meta.ID, proc.fuzzer.choiceTable.Enabled(meta.ID))
+ }
+ panic("disabled syscall")
+ }
+ }
+}
+
func (proc *Proc) logProgram(opts *ipc.ExecOpts, p *prog.Prog) {
if proc.fuzzer.outputType == OutputNone {
return
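Review bot: The dump loop in checkDisabledCalls indexes `proc.fuzzer.target.Syscalls[id]` with ids taken from the manager-supplied check result, without a range check. If the fuzzer and manager disagree on syscall descriptions (which appears to be the situation being debugged), an out-of-range id would raise an index panic that replaces `panic("disabled syscall")` and cuts the dump off before the choice table is printed. Guard the lookup, e.g. `if id < 0 || id >= len(proc.fuzzer.target.Syscalls) { fmt.Printf("  <out of range> [%v]\n", id); continue }`, and consider a nil check on `proc.fuzzer.checkResult` for the same reason. A doc comment would also help, such as `// checkDisabledCalls panics, after dumping the check result and choice table, if p contains a call the choice table reports as disabled.`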
diff --git a/syz-fuzzer/testing.go b/syz-fuzzer/testing.go
index a8d119d92..ff5940bfe 100644
--- a/syz-fuzzer/testing.go
+++ b/syz-fuzzer/testing.go
@@ -225,9 +225,9 @@ func checkRevisions(args *checkArgs) error {
return fmt.Errorf("mismatching fuzzer/executor system call descriptions: %v vs %v",
args.target.Revision, vers[2])
}
- if args.targetRevision != "" && args.targetRevision != args.target.Revision {
- return fmt.Errorf("mismatching manager/fuzzer system call descriptions: %v vs %v",
- args.targetRevision, args.target.Revision)
+ if args.target.Revision != args.targetRevision {
+ return fmt.Errorf("mismatching fuzzer/manager system call descriptions: %v vs %v",
+ args.target.Revision, args.targetRevision)
}
return nil
}
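Review bot: The new condition in checkRevisions drops the `args.targetRevision != ""` guard, so an empty manager revision is now reported as a mismatch instead of being skipped. The commit message only mentions diagnostics, so if any caller can leave targetRevision unset (not visible in this hunk), it will start failing here. If the stricter check is intended, document it above the condition with something like `// An empty targetRevision counts as a mismatch: the manager must always send its revision.`; otherwise keep the guard as `if args.targetRevision != "" && args.target.Revision != args.targetRevision {`. checkRevisions starts outside the hunk.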
diff --git a/syz-manager/html.go b/syz-manager/html.go
index 7ed971c2a..5a4cb9784 100644
--- a/syz-manager/html.go
+++ b/syz-manager/html.go
@@ -93,6 +93,7 @@ func (mgr *Manager) httpSyscalls(w http.ResponseWriter, r *http.Request) {
for c, cc := range mgr.collectSyscallInfo() {
data.Calls = append(data.Calls, UICallType{
Name: c,
+ ID: mgr.target.SyscallMap[c].ID,
Inputs: cc.count,
Cover: len(cc.cov),
})
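Review bot: `mgr.target.SyscallMap[c].ID` in httpSyscalls uses the map lookup result without checking that `c` is present. The names come from `mgr.collectSyscallInfo()`, whose source is not visible here; if SyscallMap holds pointers and a name is missing from the current target (for example a stale corpus entry), the handler would hit a nil dereference while rendering the page. Look the entry up first and fall back to a sentinel: `id := -1; if meta := mgr.target.SyscallMap[c]; meta != nil { id = meta.ID }`, then pass `ID: id,`. The function body starts and ends outside the hunk.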
@@ -676,6 +677,7 @@ type UIStat struct {
type UICallType struct {
Name string
+ ID int
Inputs int
Cover int
}
@@ -771,7 +773,7 @@ var syscallsTemplate = html.CreatePage(`
</tr>
{{range $c := $.Calls}}
<tr>
- <td>{{$c.Name}}</td>
+ <td>{{$c.Name}} [{{$c.ID}}]</td>
<td><a href='/corpus?call={{$c.Name}}'>{{$c.Inputs}}</a></td>
<td><a href='/cover?call={{$c.Name}}'>{{$c.Cover}}</a></td>
<td><a href='/prio?call={{$c.Name}}'>prio</a></td>