aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* pkg/corpus: increase the priority of programs that were rarely selectedcorpusfixGrigory Bazilevich7 hours2-1/+31
|
* syz-manager: information about probability-only inputs in dbGrigory Bazilevich7 hours4-5/+19
|
* pkg/corpus: upgrade corpus minimization algorithmGrigory Bazilevich8 hours3-4/+49
|
* pkg/fuzzer,pkg/corpus: detection and preservation of programs with ↵Grigory Bazilevich8 hours4-40/+78
| | | | probability coverage
* pkg/signal: new utility methodsGrigory Bazilevich8 hours1-0/+39
|
* pkg/corpus: update Programs List priority storageGrigory Bazilevich2026-02-155-17/+171
| | | | | | | | | | | Static prefix sums have been replaced with a Fenwick tree. In the current syzkaller, program priority was set based on a Signal received by a single system call. This commit allows priority to be changed dynamically, making it possible to maintain priority based on Signals from all system calls. Signed-off-by: Grigory Bazilevich <g.bazilevich@ispras.ru>
* pkg/aflow: ask LLM to call several tools at the same timeDmitry Vyukov2026-01-202-3/+10
| | | | This seems to help a bit with number of round-trips.
* pkg/aflow: cache disk usage in CacheDmitry Vyukov2026-01-201-10/+36
| | | | | | Calculating total disk usage of all cache entries can take very long time for large caches (needs to stat all files). This is especially problematic for tools/syz-aflow. Cache disk usage in the meta file.
* pkg/aflow/action/kernel: keep build files that codesearch will needDmitry Vyukov2026-01-202-8/+26
| | | | | We currently duplicate list of source extensions in the build action and codesearch tool. Unify the lists.
* pkg/aflow: add BadCallErrorDmitry Vyukov2026-01-2015-83/+195
| | | | | | | | | | The error allows tools to communicate that an error is not an infrastructure error that must fail the whole workflow, but rather a bad tool invocation by an LLM (e.g. asking for a non-existent file contents). Previously in the codesearcher tool we used a separate Missing bool to communicate that. With the error everything just becomes cleaner and nicer. The errors also allows all other tools to communicate any errors to the LLM when the normal results cannot be provided and don't make sense.
* pkg/codesearch: add read-file commandDmitry Vyukov2026-01-207-0/+66
| | | | Just provides full file contents as last resort.
* pkg/codesearch: add dir-index commandDmitry Vyukov2026-01-2012-0/+140
| | | | | dir-index provides a list of subdirectories and files in the given directory in the source tree.
* pkg/aflow: handle common LLM mis-behaviors wrt tool callingDmitry Vyukov2026-01-206-19/+302
| | | | | | | | | | | | | Gracefully handle (reply to LLM with error): - incorrect tool name - incorrect tool arg type - missing tool arg Silently handle: - more than one call to set-results - excessive tool args Fixes #6604
* pkg/aflow: handle model quota errorsDmitry Vyukov2026-01-206-11/+132
| | | | | | | | Detect model quota violations (assumed to be RPD). Make syz-agent not request jobs that use the model until the next quota reset time. Fixes #6573
* pkg/aflow: make LLM model per-agent rather than per-flowDmitry Vyukov2026-01-2021-100/+127
| | | | | | Having LLM model per-agent is even more flexible than per-flow. We can have some more complex tasks during patch generation with the most elaborate model, but also some simpler ones with less elaborate models.
* dashboard/config/linux: regenerateTaras Madan2026-01-2046-1863/+3527
|
* dashboard/config/linux: enable more configsTaras Madan2026-01-202-0/+5
| | | | | | 1. DEBUG_GENERIC_PT. 2. DEBUG_XARRAY. 3. PHY_GOOGLE_USB.
* dashboard/config/linux/bits: enable DEBUG_BUGVERBOSE_DETAILEDTaras Madan2026-01-201-0/+1
| | | | Closes #6595.
* dashboard/config/linux: update to v6.19-rc5Taras Madan2026-01-2011-18/+33
|
* tools/clang/codesearch: fix a typoFlorent Revest2026-01-201-1/+1
|
* tools/clang/codesearch: support building with makeFlorent Revest2026-01-202-2/+12
| | | | | | | | | | | | | Currently, clang tools are built by copying their code into a llvm-project repository and adding build rule to LLVM's CMake. This allows pinning a specific LLVM hash which is convenient but it's also a bit painful to copy code across repositories. This adds a rule to make that can build syz-codesearch with a simple g++ invocation that uses llvm-config to get the LLVM compiler and linker flags and hardcodes some clang libraries to link against since I could not find a better way. (llvm-config does not have "components" for clang)
* tools/clang/codesearch: support building with -Wchanges-meaningFlorent Revest2026-01-201-11/+11
| | | | | | | | | | | | | | | | When compiling with the changes-meaning flag, syz-codesearch gets a bunch of errors such as this one: codesearch.cpp:30:15: error: declaration of ‘clang::SourceRange MacroDef::SourceRange’ changes meaning of ‘SourceRange’ [-Wchanges-meaning] 30 | SourceRange SourceRange; // soruce range of the value | ^~~~~~~~~~~ codesearch.cpp:30:3: note: used here to mean ‘class clang::SourceRange’ 30 | SourceRange SourceRange; // soruce range of the value | ^~~~~~~~~~~ Let's iron them out early before the code base grows too reliant on this pattern.
* tools/docker/syzbot: set llvm-link as an alias for llvm-link-21Pimyn Girgis2026-01-201-0/+1
| | | | Fixes a build error for android-6.12 where llvm-link is not found.
* executor: sys/linux: SYZOS: add AMD VMLOAD and VMSAVE primitivesAlexander Potapenko2026-01-203-0/+45
| | | | | | | | | | | | This patch introduces SYZOS_API_NESTED_AMD_VMLOAD and SYZOS_API_NESTED_AMD_VMSAVE. These primitives allow the L1 guest to execute the VMLOAD and VMSAVE instructions, which load/store additional guest state (FS, GS, TR, LDTR, etc.) to/from the VMCB specified by the 'vm_id' argument. This stresses the KVM L0 instruction emulator, which must validate the L1-provided physical address in RAX and perform the state transfer.
* executor, sys/linux, pkg: enable syz_kvm_setup_cpu for riscv646eanut2026-01-207-1/+223
| | | | | | | | | | | | | | | | | | | | | | | | | | This patch implements syz_kvm_setup_cpu for riscv64 architecture. The pseudo-syscall accepts VM fd, vCPU fd, host memory, and guest code as parameters. Additional parameters (ntext, flags, opts, nopt) are included for interface consistency with other architectures but are currently unused on riscv64. Implementation: - Set up guest memory via KVM_SET_USER_MEMORY_REGION - Copy guest code to guest memory - Initialize guest registers to enable code execution in S-mode - Return 0 on success, -1 on failure Testing: A test file syz_kvm_setup_cpu_riscv64 is included in sys/linux/test/ to verify basic functionality. Known limitations: - ifuzz is not yet compatible with riscv64. Temporary workaround: set text[riscv64] to TextTarget and return nil in createTargetIfuzzConfig for riscv64 to ensure generateText and mutateText work correctly. This patch also adds support for KVM_GET_ONE_REG ioctl.
* pkg/subsystem: regenerate Linux subsystemsAleksandr Nogikh2026-01-203-2672/+3476
|
* pkg/subsystem: adjust the wildcard matching rulesAleksandr Nogikh2026-01-202-4/+6
| | | | | | | | Contrary to the description on top of MAINTAINERS, many F: records that point to folders actually don't end with / or /*. The get_maintainer.pl script already tolerates this, so let's do the same.
* pkg/subsystem: export debug infoAleksandr Nogikh2026-01-209-43/+125
| | | | | | | | Make it possible to print more debugging information when (re)generating a subsystem list. Include parent inference details to the source code itself and add a -debug flag to list the source files assigned to each subsystem.
* vm/adb: don't check for ret code on adb shell rebootSebastian Ene2026-01-201-1/+10
| | | | | | | | | Prevent the fuzzer from entering in an infinte loop of device reboots when the adb shell reboot command returns with an error code. Fixes: #6598 Signed-off-by: Sebastian Ene <sebastianene@google.com>
* pkg/aflow: retry LLM requests on transient errorsDmitry Vyukov2026-01-191-1/+20
| | | | Update #6573
* executor: sys/linux: SYZOS: add AMD SET_INTERCEPT primitiveAlexander Potapenko2026-01-193-0/+80
| | | | | | | | | | | | | | | This patch introduces SYZOS_API_NESTED_AMD_SET_INTERCEPT to SYZOS. This primitive enables the fuzzer to surgically modify intercept vectors in the AMD VMCB (Virtual Machine Control Block) Control Area. It implements a read-modify-write operation on 32-bit VMCB offsets, allowing the L1 hypervisor (SYZOS) to deterministically set or clear specific intercept bits (e.g., for RDTSC, HLT, or exceptions) for the L2 guest. This capability allows syzkaller to systematically explore KVM's nested SVM emulation logic by toggling intercepts on and off, rather than relying on static defaults or random memory corruption.
* vm/adb: use the correct path for debugfsSebastian Ene2026-01-191-1/+1
| | | | | | | | | | Probe for the debugfs rootdir instead of the kcov sub-path to prevent the fuzzer from entering in device reboot loop in case the android device doesn't support kcov. Fixes: #6600 Signed-off-by: Sebastian Ene <sebastianene@google.com>
* pkg/aflow: add ability to generate several candidate replies for LLM agentsDmitry Vyukov2026-01-196-74/+497
| | | | | | | | | Add LLMAgent.Candidates parameter. If set to a value N>1, then the agent is invoked N times, and all outputs become slices. The results can be later aggregated by another agent, as shown in the test.
* dashboard/app: don't treat memcache.ErrNotStored as an errorDmitry Vyukov2026-01-191-1/+1
| | | | | We have a bunch of "failed to throttle: memcache: item not stored" errors in logs. It seems that the cache item is evicted before we do CompareAndSwap.
* all: reformat C/C++ filesDmitry Vyukov2026-01-1936-471/+578
|
* Makefile: format all C/C++ filesDmitry Vyukov2026-01-191-6/+7
| | | | | | Switch to exclude-list instead of an explicit list of C/C++ files to format. We episodically forget to add new files. With exclude-list it's impossible to forget.
* pkg/updater: fix autoupdateDmitry Vyukov2026-01-191-6/+9
| | | | | | Start update goroutine even in the case of early returns in UpdateOnStart. Fixes #6619
* pkg/vcs: be more strict in BaseForDiffAleksandr Nogikh2026-01-162-6/+41
| | | | | | | | | | Do not tolerate unknown blob hashes - it means that we are unable to find the correct base commit given the repository. Explicitly ignore newly added files - we definitely won't find their hashes. Explicitly skip malformed patches that won't have any blob hashes - otherwise we could end up with too many candidates and waste too much time.
* sys/linux/test: update after syz_kvm_assert_syzos_uexit API changeAlexander Potapenko2026-01-1640-74/+74
| | | | | | | This patch updates all relevant regression tests in sys/linux/test/ to align with the API change introduced in syz_kvm_assert_syzos_uexit. The syz_kvm_assert_syzos_uexit syscall now requires the VCPU file descriptor as its first argument.
* executor: sys/linux: Add VCPU fd to `syz_kvm_assert_syzos_uexit`Alexander Potapenko2026-01-165-16/+79
| | | | | | | | Enhance the debugging capabilities of C reproducers by passing the VCPU file descriptor to the syz_kvm_assert_syzos_uexit function. With access to the VCPU fd, the function can now dump the VCPU's register state upon assertion failure, providing critical context for debugging guest execution issues.
* pkg/aflow: add notion of flow errorsDmitry Vyukov2026-01-164-4/+29
| | | | | | | | | | Flow errors denote failure of the flow itself, rather than an infrastructure error. A flow errors mean an expected condition in the flow when it cannot continue, and cannot produce expected outputs. For example, if we are doing something with the kernel, but the kernel build fails. Flow errors shouldn't be flagged in Fixes #6610
* dashboard/app: filter out few more problems in errors logsDmitry Vyukov2026-01-161-1/+9
|
* dashboard: fix manuallyUpstreamedAleksandr Nogikh2026-01-153-0/+22
| | | | | The function returned incorrect result when the reporting stage of interest was completely skipped and never reported.
* dashboard/config: update Android 6.12Aleksandr Nogikh2026-01-155-181/+62
| | | | | | Use the latest available revision and disable ANDROID_BINDER_IPC - as of now, it's no longer possible to compile in both C and Rust versions at the same time.
* dashboard/config: regenerate Linux configsAleksandr Nogikh2026-01-1578-426/+861
| | | | | No extra changes, just a newer Docker container to minimize noise in the following commits.
* dashboard/app: slightly improve coverage report wordingDmitry Vyukov2026-01-153-5/+6
| | | | | Use the proper namespace name to show. +few minor tweaks
* pkg/gce: vm/gce: allow specifying instance tags in manager configAlexander Potapenko2026-01-152-3/+5
| | | | | | | | | | | | GCE instance tags can be used for various purposes, such as applying network firewall rules or filtering VMs for scheduling onto specific hosts. To support these use cases, syzkaller needs the ability to set instance tags during VM creation. This patch introduces a new tags field to the gce VM configuration that allows users to specify a list of tags to be attached to GCE instances created by syz-manager.
* pkg/aflow: expect CitationMetadataDmitry Vyukov2026-01-151-3/+3
| | | | | | | | | | | | | | CitationMetadata may be present in replies sometimes. CitationMetadata is a specific field in the Gemini API's response object that alerts you when the model has directly quoted or closely derived content from a specific source, such as a book, website, or open-source code repository. We've got the following error: syz-agent: unexpected reply fields ({Content:0xc0058eb4a0 CitationMetadata:0xc0094009a8 FinishMessage: TokenCount:0 FinishReason:STOP AvgLogprobs:0 GroundingMetadata:<nil> Index:0 LogprobsResult:<nil> SafetyRatings:[] URLContextMetadata:<nil>})
* dashboard: add a manuallyUpstreamed helperAleksandr Nogikh2026-01-153-0/+98
| | | | | | | | | | This helper function can be used in the reporting filtering rules to skip certain reporting stages depending on whether the previous stage(s) have been manually upstreamed. Add tests that it does have the intended effect. Cc #6554.
* dashboard/app: show crash report on AI job pageDmitry Vyukov2026-01-152-6/+26
|
generated by ggit (джигит) mrf-deployment (git 2.46.0) at 2026-03-11 14:15:49 +0000