Add coverage percent for kernel interfaces.
The current data is generated with Mar coverage report
on kernel commit 1e7857b28020ba57ca7fdafae7ac855ba326c697.
|
Currently it's only possible to understand total number of uncovered
blocks in a function (implicitly defined by Instrumented field).
This does not allow to render coverage data, nor do detailed analysis
on line level. Export detailed info about both covered and uncovered blocks.
This allows to e.g. calculate coverage percent for kernel interfaces.
|
Humans read top-down rather than zigzag.
|
Some sub paths may not be covered due to hardware configuration, or lack
of interest. This patch allows them to be excluded from the stats. This
can be convenient if the excluded paths are deep in the hierarchy:
{
  "name": "sound",
  "path": [
    "techpack/audio",
    "-techpack/audio/asoc/aaa/bbb",
    "-techpack/audio/asoc/aaa/ccc"
  ]
}
|
The export is quite big but is generated fast.
Every line is a valid json object representing the single program coverage.
|
Typo fix introduced the var name shadowing thus it is easier to remove the intermediate var.
|
Reads from this map return Progs, not PCs.
|
They are shorter, more readable, and don't require temp vars.
|
The beginnings of the weighted filter were added in 2020,
but never materialized. Remove them to simplify code.
The weighted filter allows to have uint32 weight for every PC in the filter,
but we always use just 0/1 (present/not present).
|
Rename CoverHandlerParams to HandlerParams.
Everything in cover package is Cover-something,
adding cover prefix to everything is excessive.
And cover.CoverHandlerParams.CoverFilter is way more cover
than I am ready to handle. Filter is just fine.
|
Take some arm64 devices for example:
kaslr_offset is diff at bits 12-40, and kernel modules are loaded at 2GB space,
so we have `ffffffd342e10000 T _stext` where upper 32bit is ffffffd3. However,
if we check modules range, the 1st module is loaded at 0xffffffd2eeb2a000,
while the last module is loaded at 0xffffffd2f42c4000.
We can see the upper 32bits are diff for core kernel and modules.
If we use current 32bits for covered PC, we will get wrong module address
recovered.
So we need to move to 64bit cover and signal:
- change cover/sig to 64bit to fit for syz-executor change
- remove kernel upper base logic as kernel upper base is not a constant when
kaslr enabled for core kernel and modules.
- remove unused pcBase
|
These numbers seem confusing to syzkaller users.
If there's demand for them, we may consider re-enabling the calculation
under some extra syzkaller config parameter.
|
coverage
When coverage points returned by kcov do not have corresponding coverage
callbacks, this may indicate a problem with irrelevant signal being used
for fuzzing. Therefore, by default syz-manager reports errors and does
not show the coverage report in this case.
However, these errors can be annoying when onboarding new platforms, so
we let the users disable them by passing the ?force=1 URL parameter.
|
prepareFileMap does more work than we need and leads to incorrect hit counts.
prepareFileMap produces hit counts per source line (for source reports),
but jsonl exports data based on coverage callbacks, not source lines.
So if we have 2 callbacks on the same line, we will double count them
(both will have hit count 2). If we calculate total percent later
based on that data, it will be wrong.
Use simpler calculation based on PCs.
|
Currently we memorize all coverage points twice:
as a slice and as a map.
The map also contains __sanitizer_cov_trace_cmp PCs,
but I think that's wrong, it should contain only
__sanitizer_cov_trace_pc callbacks.
We were careful to put as little pressure on the GC as possible
by keeping all PCs as a dense allCoverPoints slice and subslicing it
in all symbol/compilation unit objects.
Don't duplicate coverage points in the map and just use the same slice
we store for other purposes.
|
jsonl is new-line-new-json format.
It is good for streaming because you can read data line-by-line.
This pipeline will stream a lot eventually (x00 megabytes).
|
Debugging coverage point validation warnings may require looking at
specific addresses, which are not printed anywhere. Add a URL parameter
that can be passed to prepareFileMap() to print a more meaningful error
message.
Also factor out the error message code from prepareFileMap() to reduce
its cyclomatic complexity.
|
Add a `json` CLI flag that allows for writing out a JSON file with the
following coverage information.
* Module
* Filename
* Covered source lines
* Uncovered source lines
* Both source lines
This can be used to view syzkaller coverage information on other source
browsing/viewing tools.
Usage:
$ ./syz-cover -kernel_obj <path/to/vmlinux> -json <output_json> rawcover
|
That is a more reasonable place for it.
Backend.RestorePC also has access to more info about the kernel,
so can do a more precise check.
Also I suspect this fixes coverage filter in presence of the fix up.
I think fix up should happen before coverage filtering in fixUpPCs,
but it was done after so was probably not working.
|
Fix /rawcoverfiles missing argument
|
Fix by using array indexing and fixup kernel PCs only.
|
The result is not updated because it modifies the deep copy variable prog.
Fix this by using array indexing.
|
When we click on PC value in coverage page with the source code opened,
there was no option to go back to file src code.
Added a close button to hide (display:none) the syz description,
and bring back the last file source code view.
Fixes #2867
|
Issue: #2495
|
mgrconfig used to be a "leaf" package that can be imported by anything.
Recently it started importing pkg/cover for Subsystem definition.
It leads to the following import cycle if I try to import
pkg/host from pkg/cover:
package github.com/google/syzkaller/pkg/bisect
imports github.com/google/syzkaller/pkg/build
imports github.com/google/syzkaller/pkg/mgrconfig
imports github.com/google/syzkaller/pkg/cover
imports github.com/google/syzkaller/pkg/host
imports github.com/google/syzkaller/pkg/csource
imports github.com/google/syzkaller/pkg/mgrconfig:
import cycle not allowed
Move Subsystem into pkg/mgrconfig itself.
|
* pkg/cover, syz-manager: show coverage summary
The funccover or cover page is not easy to use for statistics purposes.
So add /cover?type=rawfiles to show coverage based on each file.
And /cover?type=table page to show coverage for group of components.
If driver_path_map.json exists, /cover?type=table can show component coverage.
Format example:
{
"all": [ "/" ],
"audio": [
"/techpack/audio/asoc",
"/techpack/audio/dsp",
"/techpack/audio/ipc",
"/sound/core"
]
}
If driver_path_map.json does not exist, it will show a one-line summary.
* pkg/cover: use subsystem naming
* syz-manager: use /subsystemcover and /filecover
* pkg/cover: use subsystem from config
* pkg/mgrconfig: add kernel_subsystem
* pkg/cover, tools/syz-cover: fix make test
* all: fix presubmit errors
* pkg/cover, syz-manager: fix subsystem