| Commit message (Collapse) | Author | Age | Files | Lines |
|
It allows reducing the parameter count for some functions.
|
Lint started warning about duplicate "gvisor" const in pkg/cover.
Add gvisor/starnix consts to sys/targets package to avoid duplication.
|
Now that PCs are 64-bit we don't need the RestorePC callback.
Now we can just use PreviousInstructionPC, which does not require
creation of ReportGenerator.
|
Take some arm64 devices for example:
kaslr_offset differs at bits 12-40, and kernel modules are loaded in a 2GB space,
so we have `ffffffd342e10000 T _stext` where the upper 32 bits are ffffffd3. However,
if we check the modules range, the 1st module is loaded at 0xffffffd2eeb2a000,
while the last module is loaded at 0xffffffd2f42c4000.
We can see the upper 32 bits differ for the core kernel and modules.
If we use the current 32-bit covered PCs, we will recover wrong module
addresses.
So we need to move to 64-bit cover and signal:
- change cover/sig to 64-bit to fit the syz-executor change
- remove the kernel upper base logic, as the kernel upper base is not a constant when
kaslr is enabled for the core kernel and modules.
- remove unused pcBase
|
In preparation for pkg/host removal.
Nothing in pkg/host uses KernelModule, and pkg/cover
is effectively the only user of KernelModule.
|
Currently we memorize all coverage points twice:
as a slice and as a map.
The map also contains __sanitizer_cov_trace_cmp PCs,
but I think that's wrong, it should contain only
__sanitizer_cov_trace_pc callbacks.
We were careful to put as little pressure on the GC as possible
by keeping all PCs as a dense allCoverPoints slice and subslicing it
in all symbol/compilation unit objects.
Don't duplicate coverage points in the map and just use the same slice
we store for other purposes.
|
jsonl is a newline-delimited JSON format.
It is good for streaming because you can read data line-by-line.
This pipeline will stream a lot eventually (x00 megabytes).
|
Source files for Pixel devices are split between the common AOSP kernel
(path/to/kernel/aosp) and the device-specific drivers residing in a
separate dir (path/to/kernel/private/google-modules for Android 14
and path/to/kernel/gs/google-modules for older Android versions).
See https://source.android.com/docs/setup/build/building-pixel-kernels
for details.
The Android build system may reference these dirs in various ways, so
syzkaller cannot always understand where it should look for the source.
The newly introduced android_split_build flag handles the problem by adding a
list of "delimiters" used when normalizing the kernel source paths.
If the path contains any of such delimiters, then everything preceding the last
delimiter in the path is replaced with the contents of "kernel_src" from the
manager config.
By default we only support "/aosp/" and "/private/" corresponding to
modern Android systems as delimiters.
|
In the case some modules' addresses are off, certain kernel addresses
returned by kcov may not have corresponding coverage callbacks in the
.ko files. Keep an additional map in the backend to verify those
addresses and report an error if that is the case.
Because GCC < 14 may tail-call coverage callbacks, the described check
is not performed for binaries which mention GCC in their .comment
section.
Also adjust test expectations in pkg/cover/report_test.go, so that
non-GCC targets check for PCs matching the callbacks.
See https://github.com/google/syzkaller/issues/4447 for more details.
|
This reverts commit 3392690e404b6ba5022825d33259bc2e9e89eb53.
x86 bots are unable to generate coverage reports, because they actually
have coverage PCs without matching callbacks.
|
In the case some modules' addresses are off, certain kernel addresses
returned by kcov may not have corresponding coverage callbacks in the
.ko files. Keep an additional map in the backend to verify those
addresses and report an error if that is the case.
Also adjust test expectations in pkg/cover/report_test.go, as inexact
coverage will result in an error now.
|
I have invested time deduplicating code between the two formats. As the
go modules for Mach-O and ELF don't share types, I had to re-wrap some
information or move code to format specific functions though.
|
Make module discovery convert host.KernelModule to backend.Module.
Also error if we have modules on non-Linux
and make it possible to return errors from module discovery.
|
We already find a symbol for every PC in lazySymbolize.
We can just use that to map PCs to modules instead
of the additional modules sorting/searching.
|
We don't have any other modules.
Move definition below Impl, KernelModule is not the most important thing.
|
Both elf.go and gvisor.go are compiled into the same package,
so GroupPCsByModule callback gets installed for gvisor as well.
Move all modules-related logic into backend.
Splitting by modules is the only modules-related part
left in the common code. Move it into backend.
This makes the Modules field unnecessary in backend.Impl.
Also move the assignment to frame.Module into symbolize,
which reduces overall code size.
|
Pass modules as []host.KernelModule to cover.MakeReportGenerator.
This avoids make(map) in callers that don't pass modules.
Store modules as []*KernelModule.
This avoids clumsy assignments to the map to update Path
and allows storing modules as *KernelModule rather than by name
(we are not scripting, a pointer is a more flexible and handy representation).
|
The PCs returned for dynamically loaded modules (DLKM) are not
parsed in the coverage page; these PCs are dropped.
This commit uses the DLKM modules' load addresses and symbol files
to restore the PCs and show coverage data of DLKMs.
Introduced a new config option module_obj to specify module directories.
Example of config:
"module_obj": [
    "module_path1",
    "module_path2"
]
For the linux target, before Manager.Connect runs, load addresses are
obtained from /proc/modules in order to group PCs into modules.
And so, if modules are under the kernel_obj or module_obj dir,
their addresses and paths can be generated automatically.
kernel_obj is searched before the module_obj dir and the first found
ko object is always used.
Also note that kaslr needs to be disabled.
|
This reverts commit 69a06ca2b532ff4021a43fdead4e2ac1452a44c0.
|
PCs returned for dynamically loaded modules (DLKM) are not
parsed in the coverage page.
So this commit uses the DLKM modules' load addresses
to restore the PCs and show coverage data of DLKMs.
As the load address is written in the cfg file, kaslr
needs to be disabled.
And for the linux target, the load address is obtained from
/proc/modules during instance setup.
For either the manual or the auto address setting case,
name and path are needed in the config kernel_modules, where
name is the module name on the target,
path is the module's unstripped object path on the host,
addr is the decimal value of the module load address on the target.
Example of config:
"kernel_modules": [
    {
        "name": "nf_nat",
        "path": "/usr/src/linux-source/net/netfilter/nf_nat.ko",
        "addr": 18446744072637911040
    }
]
|
If coverage filter is enabled, executor filters comparisons based on PCs.
But we don't include comparison callback PCs in the filter,
so most of them will be falsely filtered away.
Add comparison callback PCs to symbols and compile units and use
both when creating coverage filter. But still use only coverage
PCs while generating coverage reports.
Reported-by: Kaipeng Zeng
Link: https://groups.google.com/g/syzkaller/c/mD0wv-A2wno/m/v1ntQbTUAwAJ
|
Currently we only support compiler middle/backend coverage
where we can map coverage points to source line.
Support better frontend coverage where coverage points map
to source code ranges start line:col - end line:col.
|
gvisor will need some custom logic there,
so make it part of backend.
|
Better encapsulate all of this logic instead of exposing
raw .text offset and a bunch of functions.
Also allows supporting gvisor coverage where PCs don't
need to be rewound to the previous instruction.
|
Move this logic out of syz-manager.
It's too low level for manager and we have
everything necessary to obtain it in pkg/cover
without shelling out to readelf and parsing output.
|
This looks more natural.
All users duplicate logic of creating object file path,
and then pkg/cover second guesses object dir back.
|
This will be needed for gVisor reports,
the target is "linux" but VM type is "gvisor".