| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
What we need is the category for "matched unknown KASAN bug".
This king on bugs should be recategorised.
The final goal is to keep this category empty.
|
| |
|
|
| |
We want to prioritize KASAN bugs differently.
|
| | |
|
| |
|
|
|
|
|
| |
These have been the cause of too many invalid bisection results
recently.
This is the first step towards the more universal approach of #5414.
|
| |
|
|
| |
Only select them as relevant if there are not other crash types.
|
| |
|
|
|
|
|
| |
Currently we have HeadCommit function that returns info
about the HEAD commit. Change it to a more flexible Commit
function that can return info about any commit.
This will be used in future changes.
|
| |
|
|
|
|
| |
This unifies the build() and clean() interfaces such that if a custom
compiler or make binary is provided in the manager or bisection config,
they can be taken into account by the clean() interface.
|
| |
|
|
|
|
|
| |
Handle SIGKILL (exit code = 137) on osutil.Run() during Linux kernel image
building and return build.InfraError without reporting.
Fixes: https://github.com/google/syzkaller/issues/5317
|
| |
|
|
|
|
|
|
|
| |
The "1 crashed, 9 OK" cases are a frequent reason of invalid bisection
results on syzbot.
Let's define a cutoff for a BisectBad verdict and use it to prevent such
obvious outliers. We cannot safely declare such results as BisectGood
either, so let's return BisectSkip in this case.
|
| |
|
|
|
|
|
|
|
|
| |
For older bugs (or for bugs on stable trees), our cause bisection
strategy times out while trying to iterate over all reachable tags.
Try to be smarter and only take a subset of them, thus limiting the time
we spend detecting the bug-free release.
Closes #3376.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Consider the following situation: we're fix bisecting an lts bug on the
mainline tree. Reproducer works on lts HEAD, but does not crash the
mainline.
If the bug was not introduced in the mainline, but it's a purely lts
bug, bisection would currently end up pointing to the mainline HEAD
(in #4123, we assume env.commit to be a commit on the tree we're
currently bisecting, otherwise we'd always hit the same merge base
commit).
Let's first determine 100% correct bisection range on the mainline tree
by testing that both the HEAD does not crash (we already do) and by
testing that the new starting commit (=merge base) can be crashed by the
reproducer.
|
| |
|
|
|
|
|
|
| |
For cause bisections, don't require Kernel.Commit to be reachable from
Kernel.Branch. We can start cause bisections from any existing commit.
This should help with linux-next bisections, where no older HEADs are
ever reachable from each new `master`.
|
| |
|
|
|
|
|
|
|
|
| |
Merge history is quite complicated in the 500-600 range. Depending on
randomly selected `git bisect skip` values, output might be different.
If 500 is randomly selected, it will not be among skipped values. If 650
is selected first, it excludes 500.
Use the 600-700 range instead. It's stable.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If there's a merge from a branch that was based on a much older
revision, it's likely that it does not YET contain the bug. If we don't
consider this possibility, we're likely to get invalid fix bisection
results for bugs that existed only for a short period of time.
For every fix bisection step, determine first whether the guilty
revision is reachable from it. Cache resuls to speed up processing.
See #4117.
|
| |
|
|
|
|
|
|
|
| |
Currently we assume that a bug is present in all revisions before the
culprit one (or, alternatively, in all revisions after it).
The reality is more complicated, so let's split culprit into introduced
and fixCommit. Use commit titles instead of numbers as it provides more
flexibility.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Estimate reproducer's flakiness more carefully, as it can help us get
better results.
During config minimization, do not let reproducibility drop too low.
For each test() run, estimate our confidence in the result. For now,
only consider the false negative case: if we got no crashes, it's likely
that the bug is there, but the reproducer was not lucky enough. Given an
estimate of reproduction likelihood, we can easily calculate the chance
of an invalid result: (1-probability)^runs.
Combine all individual test() confidences into Result.Confidence. If the
resulting Confidence is too low, ignore the bisection result.
|
| |
|
|
|
| |
After the previous change, pkg/bisect is unable to bisect SYZFATAL
errors. Fix the bug in the logic and add a test.
|
| |
|
|
|
|
|
|
|
| |
There are cases when a crash, even though it didn't occur during boot
and image testing phases, still should not be counted during bisection.
Otherwise we risk diverting the whole process in the wrong direction.
One of such problem classes is getting SYZFATAL errors when we are not
bisecting a SYZFATAL crash.
|
| |
|
|
|
|
|
|
|
| |
This will later help in adjusting kernel configuration.
Also, adjust how test() determines the crash report: pick the one with
the most frequent type. Earlier we were taking the last crash report,
but this seems to have a bias towards the crashes that take longer to
appear (e.g. rcu stalls).
|
| |
|
|
|
|
|
|
|
| |
1) For the good verdict, demand a certain minimum number of good runs to
be present.
2) For the bad verdict, demand that at least 50% of runs did not fail
with boot/image test error.
Refactor the code and add tests.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current code only supports fix/cause bisections when the known bad
commit is reachable from Kernel.Repo/Kernel.Branch.
Add a CrossTree parameter to pkg/bisect. If it's set to true and we're
doing a fix bisection, the bisection algorithm first operates with the
original commit message (i.e. checks that it indeed crashes the kernel
and performs config minimization), but the actual bisection starts from
the merge base of Commit and Branch.
We could have calculated the merge base outside of pkg/bisect and just
started the algorithm from that merge base, but there's a problem:
there's no guarantee that the kernel will build/boot with a syzbot
config at the merge base. So we take the commit known to work well and
then assume that the bug is also present on the merge base commit. If it
were not present, we wouldn't have found a fix commit from Branch
anyway.
|
| |
|
|
|
|
| |
There's not much sense to continue the bisection if something in the
testing infrastructure got broken. Indicate it with the InfraError
error.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Background info:
When a bisection is started, we only know the kernel commit on which
syzkaller encountered the crash. Before the actual bisection begins,
bisect() needs to find a good commit. Then we can bisect between them.
For fix bisections bisect() tests HEAD. If HEAD doesn't have the bug
the fixing commit must be somewhere in the middle. For cause bisection
we test a number of old releases, starting with the newest release.
Both this commit range search and the actual bisection later use test()
to build the kernel and run the reproducer.
During actual bisections we invoke test() for every step. If any test()
invocation returns a non nil error, the bisection it was called from
is aborted. Any non-fatal errors should be signaled via the testResult
returned from test(). For this reason a build/boot failure does not
return an error. Instead testResult.verdict will be vcs.BisectSkip.
The Problem:
Given the following call stack:
bisect() -> commitRange() -> commitRangeFor{Fix,Cause}() -> test()
Previously we reported fix bisections, where HEAD was build broken and
cause bisections where all tested releases were build broken as
inconclusive.
This is confusing for users. For fix bisections it looks like the
fixing commit is either the commit from the original crash or HEAD.
For cause bisections it looks like the breaking commit is either the
original commit or the commit of the oldest tested release. Neither
is correct.
For fix bisections we see this, when the HEAD of a tested branch is
build broken. When this happens all attempted fix bisections will get
nonsense results. For cause bisections we see this, when changes to the
bisection compilers or test rootfs cause us to not be able to build or
boot very old kernels.
These inconclusive bisection results will not be retried automatically
and we don't have an easy way to clear them.
The Solution:
For fix bisections: Retry the bisection later. If HEAD is completely
broken we will know, because fuzzing will stop.
For cause bisections: Mark the bisection as failed. The result is
unlikely to change in the future without intervention by the syzbot
admins. Users won't bother looking at those bisections and the
dashboard already has code to mass-retry failed bisections.
- In test(): Populate testResult.rep with a meaningful report before
returning, after build/boot failures.
- In bisect(): Explicitly check the testResult.verdict of the last
commit tested in commitRange(), instead of using testResult.rep==nil
as an oracle for aborting the bisection.
- In bisect(): Don't return an inconclusive result when build/boot
failures prevent us from finding a commit range to bisect between.
|
| | |
|
| |
|
|
|
|
| |
Previously we only used the linter from the syz-ci config when building
the kernel for regular fuzzing. We were missing some plumbing to have
this setting reach patch testing and bisection jobs.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When bisecting a breaking commit, syzkaller starts the bisection from
the commit recorded in the last crash for the given bug. Previously the
bisection was aborted should the commit no longer exist in the repo.
Now we try to reidentify the breaking commit. For git pretty much the
best we can do is to search a commit reachable from HEAD with the same
title. Other VCS systems might have something better.
Syzkaller will still first validate that the start commit is indeed
broken in the way it expects. This prevents syzkaller from getting
confused should we accidentally pick a completely unrelated commit.
|
| |
|
|
|
| |
This might help get more insight into patch testing failures, especially
for old bugs.
|
| |
|
|
|
|
| |
Currently syzbot only saves a log if there was a build/test error.
Closes #3185
|
| |
|
|
|
|
|
|
|
| |
This commit replaces all `ioutil.TempDir` with `t.TempDir` in tests.
The directory created by `t.TempDir` is automatically removed when the
test and all its subtests complete.
Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Default compilers are specified in the OS- and platform-dependent logic.
It is more convenient to extract info about them during the kernel build
itself, rather than during the manager object initialization.
Apply the necessary changes throughout the code that is involved in
building the kernels and processing information about this process.
|
| |
|
|
|
| |
Store config options identified using DebugTracer. Also change bisection
and configuration minimization code to use new DebugTracer.
|
| |
|
|
|
|
| |
These are widely used with the config as the refactoring shows.
This removes a bunch of unnecessary code.
Also fixes a number of bugs where we confused Arch with VMArch.
|
| |
|
|
|
|
| |
Users should not be concerned with the internal derived fields.
Move all derived fields into a separate struct before adding more.
This leaves config.go as a better documentation for end users.
|
| |
|
|
|
| |
On first test (original commit) bump up number of tests always.
Also bump up number of tests if observing more good results than bad.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We use strings to identify OS/Arch.
These strings are duplicated throughout the code base massively.
golangci-lint points to possiblity of typos and duplication.
We already had to define these names in pkg/csource
and disable checking for prog package. A future change triggers
such warnings in another package.
Add OS/Arch name consts to sys/targets so that they can be used
to refer to OS/Arch. Use the consts everywhere.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use the new kconfig.Minimize for config minization
instead of the config-bisect.pl script.
This is mostly just deleting code.
Also update tests:
- minimization is now supposed to test the baseline config
(update "testos" stub accordingly)
- minimization is not supposed to return a config that does not build
(a reasonable config minimization procedure can't arrive to such config),
remove test that tests this
Update #2171
|
| |
|
|
|
|
|
|
|
|
| |
The pkg/vcs code assumed that we fully manage the repo
within an autonomous program. In particular it tried
to repair any errors by dropping and re-creating the repo.
This does not work well for command-line tools that work
with a user-provided repo. Add OptPrecious for such uses.
Update #2171
|
| |
|
|
|
|
| |
Add option to use ccache in kernel builds.
Signed-off-by: Jouni Hogander <jouni.hoegander@partner.bmw.de>
|
| |
|
|
| |
Update #1876
|
| |
|
|
|
|
| |
Config minimization did not update test results for the starting commit.
Test result for the starting commit still refered to the original config,
not the minimized config that was actually used during bisection.
|
| |
|
|
|
|
|
| |
Change a test to actually produce a new config as it is supposed
to do during config minimization and check the resulting config.
Add a regression test for the bug where we committed a broken config.
|
| |
|
|
|
|
| |
One of main outputs of the config minimization is the new config,
but tests don't do any single check of it.
Check the resulting config (is it correct in all cases?).
|
| |
|
|
|
|
|
| |
Ignoring errors is bad. It leads to silent failures.
If there is some particular error condition that is expected
to happen and we want to ignore, we need to ignore that one only
rather than all potenital errors in the whole process.
|
| | |
|
| |
|
|
| |
Currently we crash with nil deref in this special case.
|
| |
|
|
|
|
|
|
|
| |
Implement Linux kernel configuration bisection. Use bisected minimalistic
configuration in commit bisection. Utilizes config_bisect.pl script from Linux
kernel tree in bisection.
Modify syz-bisect to read in kernel.baseline_config. This is used as a "good"
configuration when bisection is run.
|
| |
|
|
| |
Checks for too long functions (based on lines and statements).
|
| |
|
|
|
|
| |
Creating new repos takes majority of test time.
Reuse them across tests.
With GOMAXPROCS=2 (CI) this speeds up tests from 33 sec to 7 secs.
|
| |
|
|
| |
Fixes #1527
|
| |
|
|
| |
Update #1527
|
