This is a faster way to find all coverage points.
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
objdump prints absolute addresses for coverage points of core kernel.
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
The 'attrName' is often an absolute path for out-of-tree modules.
This commit avoids redundant path concatenation when 'attrName'
is already absolute, enabling developers to view coverage correctly
in the web UI.
Rust compilation units are different from C in that a single compilation
unit includes multiple source files, but we still need to tell which PC
range belongs to which source file.
Infer that information from the LineEntry structures.
Cc #6000.
It allows reducing the parameter count for some functions.
To simplify the interface, Read*Symbols were moved out of symbolizer.Symbolizer.
There is no need to init arch every loop iteration.
They are shorter, more readable, and don't require temp vars.
Fix the linter-reported issue with "err != nil" always being true and add
"this check suggests that the pointer can be nil" to the exclusion rules,
as these are false positives due to the non-standard/standard package's Fatalf()
exiting.
```
$ make lint
bin/golangci-lint run ./...
pkg/cover/backend/dwarf.go:180:8: SA4023: this comparison is always true
if err != nil {
^
sys/fuchsia/fidlgen/main.go:24:5: SA5011(related information): this check suggests that the pointer can be nil
if target == nil {
tools/syz-declextract/run.go:95:6: SA5011(related information): this check suggests that the pointer can be nil
if parse == nil {
^
tools/syz-declextract/run.go:234:5: SA5011(related information): this check suggests that the pointer can be nil
if netlinkUnionParsed == nil {
^
prog/encodingexec_test.go:60:6: SA5011(related information): this check suggests that the pointer can be nil
if c == nil {
^
sys/fuchsia/fidlgen/main.go:24:5: SA5011(related information): this check suggests that the pointer can be nil
if target == nil {
^
pkg/compiler/compiler_test.go:339:5: SA5011(related information): this check suggests that the pointer can be nil
if p == nil {
^
pkg/compiler/compiler_test.go:379:5: SA5011(related information): this check suggests that the pointer can be nil
if p == nil {
^
pkg/ast/parser_test.go:32:7: SA5011(related information): this check suggests that the pointer can be nil
if desc == nil {
^
pkg/ast/parser_test.go:37:7: SA5011(related information): this check suggests that the pointer can be nil
if desc2 == nil {
^
pkg/report/report_test.go:308:5: SA5011(related information): this check suggests that the pointer can be nil
if rep == nil {
^
pkg/bisect/bisect_test.go:205:5: SA5011(related information): this check suggests that the pointer can be nil
if sc == nil {
^
make: *** [Makefile:293: lint] Error 1
```
We use the offset to symbolize PCs for modules,
while using absolute PCs for the core kernel.
Fix by removing the base address from modules only.
For modules, init_module and cleanup_module might have the same
sym.Start even though these symbols are in different sections.
Although we can keep symbols only in .text sections, there
are still some symbols having the same Start.
Looking forward to a better way, but currently, to get constant
output in buildSymbols, keep only one symbol in case there
are other symbols having the same Start.
It's not safe to append to a slice from multiple goroutines.
Using either a chan or a lock can give a constant result.
Now that PCs are 64-bit we don't need RestorePC callback.
Now we can just use PreviousInstructionPC, which does not require
creation of ReportGenerator.
Taking some arm64 devices as an example:
kaslr_offset differs at bits 12-40, and kernel modules are loaded in a 2GB space,
so we have `ffffffd342e10000 T _stext` where the upper 32 bits are ffffffd3. However,
if we check the module range, the 1st module is loaded at 0xffffffd2eeb2a000,
while the last module is loaded at 0xffffffd2f42c4000.
We can see the upper 32 bits differ for the core kernel and modules.
If we use the current 32-bit covered PC, we will get a wrong module address
recovered.
So we need to move to 64-bit cover and signal:
- change cover/sig to 64-bit to fit the syz-executor change
- remove the kernel upper base logic, as the kernel upper base is not a constant when
kaslr is enabled for the core kernel and modules
- remove unused pcBase
In preparation for pkg/host removal.
Nothing in pkg/host uses KernelModule, and pkg/cover
is effectively the only user of KernelModule.
Intern/deduplicate file/func strings created during symbolization.
There are lots and lots of duplicates.
In my local run, the syz-manager heap size jumps from 1.9G to 4.0G
when requesting /cover?jsonl=1 without this change, and from
1.9G to 2.9G with this change.
dwarf.go already detects if kcov is broken and needs to provide this bit
for the check in report.go, so just use this bit in the test as well.
Currently we memorize all coverage points twice:
as a slice and as a map.
The map also contains __sanitizer_cov_trace_cmp PCs,
but I think that's wrong, it should contain only
__sanitizer_cov_trace_pc callbacks.
We were careful to put as little pressure on the GC as possible
by keeping all PCs as a dense allCoverPoints slice and subslicing it
in all symbol/compilation unit objects.
Don't duplicate coverage points in the map and just use the same slice
we store for other purposes.
This makes code easier to read top-down in the natural order
and Go does not require the inverted declaration order like C/C++.
jsonl is a newline-separated JSON format.
It is good for streaming because you can read data line-by-line.
This pipeline will stream a lot eventually (x00 megabytes).
Since commit 971a0f14c5cf6 ("pkg/host: get module .text address from
/sys/module") getModuleOffset() is not used by anyone, so it should be
safe to delete it.
| |
On ARM64 we used to incorrectly parse BL instructions, which may start
with bytes 0x94 to 0x97. Rework the Arch struct to encapsulate the
arch-specific call instruction check and simplify readCoverPoints().
Also add some tests.
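An added example, in Go, of the BL check the commit above describes (not syzkaller's own code; the names isBL, blTarget, findCalls and encodeBL are hypothetical). A BL is recognised by its top six opcode bits rather than by a single leading byte value, which is why the 0x96/0x97 encodings of backward calls must be accepted alongside 0x94/0x95; encodeBL is a constructed helper that builds test input so no real .ko is needed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// isBL reports whether the 4 little-endian bytes in b encode an A64 BL
// instruction: opcode bits 31..26 are 100101, so the top byte is 0x94..0x97
// (0x94/0x95 for forward targets, 0x96/0x97 for backward ones).
func isBL(b []byte) bool {
	return len(b) >= 4 && binary.LittleEndian.Uint32(b)>>26 == 0x25
}

// blTarget returns the target of the BL at pc: imm26 is a signed word offset.
func blTarget(pc uint64, b []byte) uint64 {
	insn := binary.LittleEndian.Uint32(b)
	imm := int64(int32(insn<<6) >> 6) // sign-extend the 26-bit field
	return pc + uint64(imm*4)
}

// encodeBL is a constructed helper (assumption: not syzkaller code) that builds
// a BL from pc to target so the scanner can be exercised without a real .ko.
func encodeBL(pc, target uint64) []byte {
	off := int64(target-pc) / 4
	buf := make([]byte, 4)
	binary.LittleEndian.PutUint32(buf, 0x94000000|(uint32(off)&0x3ffffff))
	return buf
}

// findCalls scans code loaded at base and returns the PCs of every BL whose
// target is callee, e.g. the address of __sanitizer_cov_trace_pc.
func findCalls(base uint64, code []byte, callee uint64) []uint64 {
	var pcs []uint64
	for off := 0; off+4 <= len(code); off += 4 {
		pc := base + uint64(off)
		if isBL(code[off:off+4]) && blTarget(pc, code[off:off+4]) == callee {
			pcs = append(pcs, pc)
		}
	}
	return pcs
}

func main() {
	// Constructed input: a forward call and a backward call, both to 0x8000.
	code := append(encodeBL(0x1000, 0x8000), encodeBL(0x9004, 0x8000)...)
	fmt.Printf("%#x\n", findCalls(0x1000, code, 0x8000))
}
```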
Certain ARM64 builds continued reporting errors about coverage points
not matching __sanitizer_cov_trace_pc calls. It turned out such coverage
originated from calls to ____sanitizer_cov_trace_pc_veneer functions
that are inserted by the linker to extend the range of BL instructions
(limited by +/-128M).
Add support for __funcname_veneer functions to ELF to make sure this
coverage is correctly attributed.
Source files for Pixel devices are split between the common AOSP kernel
(path/to/kernel/aosp) and the device-specific drivers residing in a
separate dir (path/to/kernel/private/google-modules for Android 14
and path/to/kernel/gs/google-modules for older Android versions).
See https://source.android.com/docs/setup/build/building-pixel-kernels
for details.
The Android build system may reference these dirs in various ways, so
syzkaller cannot always understand where it should look for the source.
The newly introduced android_split_build flag handles the problem by adding a
list of "delimiters" used when normalizing the kernel source paths.
If the path contains any such delimiter, then everything preceding the last
delimiter in the path is replaced with the contents of "kernel_src" from the
manager config.
By default we only support "/aosp/" and "/private/", corresponding to
modern Android systems, as delimiters.
In the case some modules' addresses are off, certain kernel addresses
returned by kcov may not have corresponding coverage callbacks in the
.ko files. Keep an additional map in the backend to verify those
addresses and report an error if that is the case.
Because GCC < 14 may tail-call coverage callbacks, the described check
is not performed for binaries which mention GCC in their .comment
section.
Also adjust text expectations in pkg/cover/report_test.go, so that
non-GCC targets check for PCs matching the callbacks.
See https://github.com/google/syzkaller/issues/4447 for more details.
According to golangci-lint, cyclomatic complexity of makeDWARFUnsafe()
is on the fence. Reduce it by factoring out some code into
processModule(). No functional change.
This reverts commit 3392690e404b6ba5022825d33259bc2e9e89eb53.
x86 bots are unable to generate coverage reports, because they actually
have coverage PCs without matching callbacks.
Modules' .text sections are not necessarily loaded at the address shown
in /proc/modules. If there are other non-init code sections preceding them
in the ELF binary, .text is loaded at a non-zero address.
For example, for a module with the following sections:
```
Idx Name                     Size      VMA               LMA               File off  Algn
...
  5 .plt                     00000001  0000000000000000  0000000000000000  00000500  2**4
                             CONTENTS, ALLOC, LOAD, READONLY, CODE
  6 .init.ddplt              00000001  0000000000000000  0000000000000000  00000501  2**0
                             CONTENTS, ALLOC, LOAD, READONLY, CODE
  7 .text.ftrace_trampoline  00000001  0000000000000000  0000000000000000  00000502  2**0
                             CONTENTS, ALLOC, LOAD, READONLY, CODE
  8 .hyp.text                00002000  0000000000000000  0000000000000000  00001000  2**12
                             CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
...
 13 .text                    00001aac  0000000000000000  0000000000000000  00005048  2**2
                             CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
```
the base address displayed in /proc/modules points to the beginning of
.plt, and other sections have the following offsets:
.init.plt - ignored
.text.ftrace_trampoline - 0x1
.hyp.text - 0x1000
.text - 0x3000
This patch calculates the offset of the .text section and uses it to
adjust the address obtained from /proc/modules.
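An added example, in Go, of the offset computation the commit above describes (not syzkaller's own code; Section, layoutCodeSections and moduleTextAddr are hypothetical names). It models the kernel loader laying out the non-init executable sections in header order with alignment, and feeds it the section table quoted in the commit message, where .text must come out at 0x3000.

```go
package main

import (
	"fmt"
	"strings"
)

// Section holds the ELF section header fields that matter for module layout
// (constructed for this example; a real tool would fill it from debug/elf).
type Section struct {
	Name        string
	Size, Align uint64 // sh_size, sh_addralign
	Code        bool   // SHF_ALLOC|SHF_EXECINSTR
}
// layoutCodeSections models how the module loader places non-init executable
// sections back to back in header order, each aligned to sh_addralign, from the
// base shown in /proc/modules; it returns each section's offset from that base.
// Init sections are recognised by the ".init" prefix (a simplifying assumption).
func layoutCodeSections(secs []Section) map[string]uint64 {
	offs := make(map[string]uint64)
	var cur uint64
	for _, s := range secs {
		if !s.Code || strings.HasPrefix(s.Name, ".init") {
			continue
		}
		if s.Align > 1 {
			cur = (cur + s.Align - 1) &^ (s.Align - 1) // round up to alignment
		}
		offs[s.Name] = cur
		cur += s.Size
	}
	return offs
}

// moduleTextAddr adjusts the /proc/modules base by the computed .text offset.
func moduleTextAddr(base uint64, secs []Section) uint64 {
	return base + layoutCodeSections(secs)[".text"]
}
// Sections from the objdump listing in the commit message above.
var exampleSections = []Section{
	{".plt", 0x1, 1 << 4, true},
	{".init.ddplt", 0x1, 1, true},
	{".text.ftrace_trampoline", 0x1, 1, true},
	{".hyp.text", 0x2000, 1 << 12, true},
	{".text", 0x1aac, 1 << 2, true},
}

func main() {
	fmt.Printf("%#x\n", moduleTextAddr(0xffffffd2eeb2a000, exampleSections))
}
```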
Adjusting the module pc by 0x18 is a poorly documented hack that relies
on the fixed .plt size. Remove it in favor of a more flexible solution.
In the case some modules' addresses are off, certain kernel addresses
returned by kcov may not have corresponding coverage callbacks in the
.ko files. Keep an additional map in the backend to verify those
addresses and report an error if that is the case.
Also adjust text expectations in pkg/cover/report_test.go, as inexact
coverage will result in an error now.
The arguments `objDir` and `srcDir` of cleanPath() are absolute paths, see
osutil.Abs() calls in:
* syz-cover: tools/syz-cover/syz-cover.go
* syz-manager: pkg/mgrconfig/load.go
However, when the `path` argument is not absolute, the first two checks
of cleanPath (when the file is built in path or when the file was moved from
buildDir to srcDir) always evaluate to false.
Instead, use an absolute path for those checks.
We don't have much info about the case where the fix up was needed,
nor do we have any tests, but based on the existing comment it seems
that the fix up should be applied only if the kernel contains a .plt section.
To simplify passing and adding new fields.
That is a more reasonable place for it.
Backend.RestorePC also has access to more info about the kernel,
so it can do a more precise check.
Also I suspect this fixes the coverage filter in presence of the fix up.
I think the fix up should happen before coverage filtering in fixUpPCs,
but it was done after, so it was probably not working.
GCC11 uses the DWARF 5 format by default, which is not supported by go1.14,
the Go version recommended by our documentation. This was fixed in
go1.16, but that version is not yet in the official stable Debian
packages.
Recover from such a panic and return a meaningful error. This should help
the users to resolve the problem themselves.