| Commit message | Author | Age | Files | Lines |

This is a faster way to find all coverage points.
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
objdump prints absolute addresses for coverage points of the core kernel.
Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
The 'attrName' is often an absolute path for out-of-tree modules.
This commit avoids redundant path concatenation when 'attrName'
is already absolute, enabling developers to view coverage correctly
in the web UI.
Rust compilation units are different from C in that a single compilation
unit includes multiple source files, but we still need to tell which PC
range belongs to which source file.
Infer that information from the LineEntry structures.
Cc #6000.
It allows reducing the parameter count for some functions.
To simplify the interface, Read*Symbols were moved out of symbolizer.Symbolizer.
There is no need to init arch every loop iteration.
filepath.Walk calls os.Lstat for every file or directory to retrieve os.FileInfo.
filepath.WalkDir avoids unnecessary system calls since it provides a fs.DirEntry,
which includes file type information without requiring a stat call.
This improves performance by reducing redundant system calls.
They are shorter, more readable, and don't require temp vars.
Fix the linter-reported issue with "err != nil" always being true and add
"this check suggests that the pointer can be nil" to the exclusion rules,
as these are false positives due to the non-standard/standard package's Fatalf()
exiting.
```
$ make lint
bin/golangci-lint run ./...
pkg/cover/backend/dwarf.go:180:8: SA4023: this comparison is always true
if err != nil {
^
sys/fuchsia/fidlgen/main.go:24:5: SA5011(related information): this check suggests that the pointer can be nil
if target == nil {
tools/syz-declextract/run.go:95:6: SA5011(related information): this check suggests that the pointer can be nil
if parse == nil {
^
tools/syz-declextract/run.go:234:5: SA5011(related information): this check suggests that the pointer can be nil
if netlinkUnionParsed == nil {
^
prog/encodingexec_test.go:60:6: SA5011(related information): this check suggests that the pointer can be nil
if c == nil {
^
sys/fuchsia/fidlgen/main.go:24:5: SA5011(related information): this check suggests that the pointer can be nil
if target == nil {
^
pkg/compiler/compiler_test.go:339:5: SA5011(related information): this check suggests that the pointer can be nil
if p == nil {
^
pkg/compiler/compiler_test.go:379:5: SA5011(related information): this check suggests that the pointer can be nil
if p == nil {
^
pkg/ast/parser_test.go:32:7: SA5011(related information): this check suggests that the pointer can be nil
if desc == nil {
^
pkg/ast/parser_test.go:37:7: SA5011(related information): this check suggests that the pointer can be nil
if desc2 == nil {
^
pkg/report/report_test.go:308:5: SA5011(related information): this check suggests that the pointer can be nil
if rep == nil {
^
pkg/bisect/bisect_test.go:205:5: SA5011(related information): this check suggests that the pointer can be nil
if sc == nil {
^
make: *** [Makefile:293: lint] Error 1
```
We use an offset to symbolize PCs for modules,
while we use absolute PCs for the core kernel.
Fix by removing the base address for modules only.
Module size from /proc/modules is bigger than that from the .text size in the ELF.
For modules, init_module and cleanup_module might have the same
sym.Start even though these symbols are for different sections.
Although we can keep symbols only in .text sections, there
are still some symbols having the same Start.
Looking forward to a better way, but currently, to get constant
output in buildSymbols, keep only one symbol in case there
are other symbols having the same Start.
It's not safe to append to a slice from multiple goroutines.
Using either a chan or a lock can give a constant result.
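The two commits above (one symbol per Start in buildSymbols, and no unsynchronized appends from goroutines) are illustrated by this added Go example; it is not syzkaller code, and the Symbol type, the mutex-guarded append and the name tie-break are constructed for the example.

```go
package main

import (
	"sort"
	"sync"
)

// Symbol is a hypothetical stand-in for the records buildSymbols produces.
type Symbol struct {
	Name  string
	Start uint64
}

// collectSymbols runs each producer in its own goroutine; the shared slice is
// appended to only under mu (a channel fed by the workers is the other option).
func collectSymbols(producers []func() []Symbol) []Symbol {
	var mu sync.Mutex
	var wg sync.WaitGroup
	var all []Symbol
	for _, p := range producers {
		wg.Add(1)
		go func(p func() []Symbol) {
			defer wg.Done()
			syms := p() // the expensive part runs outside the lock
			mu.Lock()
			all = append(all, syms...)
			mu.Unlock()
		}(p)
	}
	wg.Wait()
	return dedupByStart(all)
}

// dedupByStart sorts by (Start, Name) and keeps one symbol per Start, so the
// result is the same whichever worker finished first (constructed tie-break).
func dedupByStart(syms []Symbol) []Symbol {
	sort.Slice(syms, func(i, j int) bool {
		if syms[i].Start != syms[j].Start {
			return syms[i].Start < syms[j].Start
		}
		return syms[i].Name < syms[j].Name
	})
	out := make([]Symbol, 0, len(syms))
	for i, s := range syms {
		if i == 0 || s.Start != syms[i-1].Start {
			out = append(out, s)
		}
	}
	return out
}
```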
Lint started warning about duplicate "gvisor" const in pkg/cover.
Add gvisor/starnix consts to sys/targets package to avoid duplication.
Now that PCs are 64-bit we don't need RestorePC callback.
Now we can just use PreviousInstructionPC, which does not require
creation of ReportGenerator.
Take some arm64 devices as an example:
kaslr_offset differs at bits 12-40, and kernel modules are loaded in a 2GB space,
so we have `ffffffd342e10000 T _stext` where the upper 32 bits are ffffffd3. However,
if we check the module range, the 1st module is loaded at 0xffffffd2eeb2a000,
while the last module is loaded at 0xffffffd2f42c4000.
We can see the upper 32 bits differ for the core kernel and modules.
If we use the current 32-bit covered PCs, we will get wrong module addresses
recovered.
So we need to move to 64-bit cover and signal:
- change cover/sig to 64-bit to fit the syz-executor change
- remove the kernel upper base logic, as the kernel upper base is not a constant when
KASLR is enabled for the core kernel and modules.
- remove unused pcBase
In preparation for pkg/host removal.
Nothing in pkg/host uses KernelModule, and pkg/cover
is effectively the only user of KernelModule.
Fix checking of Logf; it has the string in the 0-th arg.
Add checking of t.Errorf/Fatalf.
Intern/deduplicate file/func strings created during symbolization.
There are lots and lots of duplicates.
In my local run syz-manager heap size jumps from 1.9G to 4.0G
when requesting /cover?jsonl=1 without this change, and from
1.9G to 2.9G with this change.
dwarf.go already detects if kcov is broken and needs to provide this bit
for the check in report.go, so just use this bit in the test as well.
Currently we memorize all coverage points twice:
as a slice and as a map.
The map also contains __sanitizer_cov_trace_cmp PCs,
but I think that's wrong, it should contain only
__sanitizer_cov_trace_pc callbacks.
We were careful to put as little pressure on the GC as possible
by keeping all PCs as a dense allCoverPoints slice and subslicing it
in all symbol/compilation unit objects.
Don't duplicate coverage points in the map and just use the same slice
we store for other purposes.
This makes code easier to read top-down in the natural order
and Go does not require the inverted declaration order like C/C++.
jsonl is a newline-delimited JSON format.
It is good for streaming because you can read data line-by-line.
This pipeline will stream a lot eventually (x00 megabytes).
Since commit 971a0f14c5cf6 ("pkg/host: get module .text address from
/sys/module") getModuleOffset() is not used by anyone, so it should be
safe to delete it.
On ARM64 we used to incorrectly parse BL instructions, which may start
with bytes 0x94 to 0x97. Rework the Arch struct to encapsulate the
arch-specific call instruction check and simplify readCoverPoints().
Also add some tests.
The address from /proc/modules is not necessarily the address of .text,
e.g., can be the address of .plt.
If available, fix up the module address using the address from
/sys/module/<module-name>/sections/.text
This patch was originally uploaded to
https://github.com/google/syzkaller/pull/4025.
Additions to the original patch:
- fix lint warnings
- adjust the module size to account for the diff between the module
address and .text address
Signed-off-by: Alexander Potapenko <glider@google.com>
Certain ARM64 builds continued reporting errors about coverage points
not matching __sanitizer_cov_trace_pc calls. It turned out such coverage
originated from calls to ____sanitizer_cov_trace_pc_veneer functions
that are inserted by the linker to extend the range of BL instructions
(limited by +/-128M).
Add support for __funcname_veneer functions to ELF to make sure this
coverage is correctly attributed.
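Added Go example (not syzkaller code) for the two ARM64 commits above: the BL check that explains the 0x94..0x97 leading-byte range, the target computation behind the +/-128M reach, and a scan that accepts a set of callback addresses so that a linker-generated veneer can be counted alongside __sanitizer_cov_trace_pc. The function names and the byte blob in the test are constructed.

```go
package main

import "encoding/binary"

// isBL reports whether an ARM64 instruction word encodes BL. The encoding is
// 1 00101 imm26, so the top six bits are 0b100101 and the most significant
// byte of the little-endian word is 0x94..0x97.
func isBL(insn uint32) bool {
	return insn>>26 == 0x25
}

// blTarget computes the call target: pc + sign_extend(imm26) * 4, which is
// what limits a single BL to +/-128M and makes veneers necessary beyond that.
func blTarget(pc uint64, insn uint32) uint64 {
	imm := int64(insn & 0x03ffffff)
	if imm&(1<<25) != 0 {
		imm -= 1 << 26 // sign-extend the 26-bit field
	}
	return uint64(int64(pc) + imm*4)
}

// coverPoints walks a little-endian .text blob loaded at base and returns the
// pc of every BL whose target is one of the callbacks. Passing both the
// __sanitizer_cov_trace_pc address and its _veneer address attributes calls
// that go through the veneer as coverage points too.
func coverPoints(code []byte, base uint64, callbacks map[uint64]bool) []uint64 {
	var pcs []uint64
	for off := 0; off+4 <= len(code); off += 4 {
		insn := binary.LittleEndian.Uint32(code[off:])
		pc := base + uint64(off)
		if isBL(insn) && callbacks[blTarget(pc, insn)] {
			pcs = append(pcs, pc)
		}
	}
	return pcs
}

// encode packs instruction words little-endian, for building sample input.
func encode(insns ...uint32) []byte {
	buf := make([]byte, 4*len(insns))
	for i, insn := range insns {
		binary.LittleEndian.PutUint32(buf[4*i:], insn)
	}
	return buf
}
```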
Source files for Pixel devices are split between the common AOSP kernel
(path/to/kernel/aosp) and the device-specific drivers residing in a
separate dir (path/to/kernel/private/google-modules for Android 14
and path/to/kernel/gs/google-modules for older Android versions).
See https://source.android.com/docs/setup/build/building-pixel-kernels
for details.
The Android build system may reference these dirs in various ways, so
syzkaller cannot always tell where it should look for the source.
The newly introduced android_split_build flag handles the problem by adding a
list of "delimiters" used when normalizing the kernel source paths.
If the path contains any of such delimiters, then everything preceding the last
delimiter in the path is replaced with the contents of "kernel_src" from the
manager config.
By default we only support "/aosp/" and "/private/" corresponding to
modern Android systems as delimiters.
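Added Go example (not the syzkaller implementation) of the path rule described above: the prefix before the last delimiter is swapped for kernel_src. Keeping the delimiter itself is this example's reading of the layout the message describes (kernel_src/private/google-modules); the function name and sample paths are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// defaultDelimiters are the two the commit message says are supported by default.
var defaultDelimiters = []string{"/aosp/", "/private/"}

// normalizeSourcePath replaces everything before the last delimiter occurrence
// (across all delimiters) with kernelSrc. The delimiter is kept, so a file
// under .../private/google-modules ends up at kernelSrc/private/google-modules.
// Paths containing no delimiter are returned unchanged.
func normalizeSourcePath(path, kernelSrc string, delimiters []string) string {
	last := -1
	for _, d := range delimiters {
		if idx := strings.LastIndex(path, d); idx > last {
			last = idx
		}
	}
	if last < 0 {
		return path
	}
	return strings.TrimSuffix(kernelSrc, "/") + path[last:]
}

func main() {
	// Constructed build-output path for a device-specific driver.
	p := "/build/out/private/google-modules/display/panel.c"
	fmt.Println(normalizeSourcePath(p, "/kernel/", defaultDelimiters))
}
```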
In the case some modules' addresses are off, certain kernel addresses
returned by kcov may not have corresponding coverage callbacks in the
.ko files. Keep an additional map in the backend to verify those
addresses and report an error if that is the case.
Because GCC < 14 may tail-call coverage callbacks, the described check
is not performed for binaries which mention GCC in their .comment
section.
Also adjust text expectations in pkg/cover/report_test.go, so that
non-GCC targets check for PCs matching the callbacks.
See https://github.com/google/syzkaller/issues/4447 for more details.
According to golangci-lint, cyclomatic complexity of makeDWARFUnsafe()
is on the fence. Reduce it by factoring out some code into
processModule(). No functional change.
This reverts commit 3392690e404b6ba5022825d33259bc2e9e89eb53.
x86 bots are unable to generate coverage reports, because they actually
have coverage PCs without matching callbacks.