| Commit message | Author | Age | Files | Lines |
| | |
|
| |
|
|
| |
It allows reducing the parameter count for some functions.
|
| | |
|
| | |
|
| |
|
|
|
| |
The export is quite big but is generated fast.
Every line is a valid JSON object representing a single program's coverage.
|
| | |
|
| |
|
|
| |
Reads from this map return Progs, not PCs.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
Take some arm64 devices for example:
kaslr_offset differs at bits 12-40, and kernel modules are loaded in a 2GB space,
so we have `ffffffd342e10000 T _stext` where the upper 32 bits are ffffffd3. However,
if we check the modules range, the 1st module is loaded at 0xffffffd2eeb2a000,
while the last module is loaded at 0xffffffd2f42c4000.
We can see the upper 32 bits differ for the core kernel and modules.
If we use the current 32-bit covered PC, we will get wrong module addresses
recovered.
So we need to move to 64-bit cover and signal:
- change cover/sig to 64-bit to fit the syz-executor change
- remove the kernel upper base logic, as the kernel upper base is not a constant when
kaslr is enabled for the core kernel and modules.
- remove unused pcBase
|
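To make the failure mode in the commit above concrete: the following added example (written for this page, not syzkaller code) maps a full 64-bit PC to a module by address range, then shows what the old scheme did, truncate the PC to 32 bits and re-attach the core kernel's upper 32 bits. The module ranges, the `_stext` value and the sample PC are constructed from the addresses quoted in the message; the function and type names are this example's own.

```go
package main

import (
	"fmt"
	"sort"
)

// Module is a loaded kernel object with its address range. The constructed
// numbers in main mimic the arm64 layout from the commit message: the core
// kernel at ffffffd3xxxxxxxx and modules below it at ffffffd2xxxxxxxx.
type Module struct {
	Name string
	Addr uint64 // load address
	Size uint64
}

// FindModule maps a full 64-bit PC to the module containing it.
// mods must be sorted by Addr. "" means the PC is not inside any module
// (core kernel text, or an address that was corrupted on the way).
func FindModule(pc uint64, mods []Module) string {
	i := sort.Search(len(mods), func(i int) bool { return mods[i].Addr+mods[i].Size > pc })
	if i < len(mods) && pc >= mods[i].Addr {
		return mods[i].Name
	}
	return ""
}

// Restore32 is the old 32-bit scheme: the executor sends only the low 32
// bits of each PC and the manager re-attaches the core kernel's upper
// 32 bits. This only works while every PC shares those upper bits.
func Restore32(lower uint32, kernelUpperBase uint64) uint64 {
	return kernelUpperBase&^0xffffffff | uint64(lower)
}

func main() {
	stext := uint64(0xffffffd342e10000) // "T _stext" from the message
	mods := []Module{
		{Name: "first_mod", Addr: 0xffffffd2eeb2a000, Size: 0x20000}, // sizes are constructed
		{Name: "last_mod", Addr: 0xffffffd2f42c4000, Size: 0x10000},
	}
	sort.Slice(mods, func(i, j int) bool { return mods[i].Addr < mods[j].Addr })

	pc := uint64(0xffffffd2f42c4a40) // a constructed PC inside last_mod
	fmt.Printf("64-bit PC   %#x -> %q\n", pc, FindModule(pc, mods))

	// With only 32 bits transmitted, the kernel's upper half gets glued on
	// and the module PC lands 4GB away from where the module really is.
	bad := Restore32(uint32(pc), stext)
	fmt.Printf("32-bit+base %#x -> %q\n", bad, FindModule(bad, mods))
}
```

Any module-to-kernel distance that crosses a 4GB boundary breaks the 32-bit scheme; on this layout it is the 2GB module window sitting just below a core kernel whose KASLR offset happened to land at the bottom of its own 4GB block.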
| |
| |
In preparation for pkg/host removal.
Nothing in pkg/host uses KernelModule, and pkg/cover
is effectively the only user of KernelModule.
|
| |
| |
coverage
When coverage points returned by kcov do not have corresponding coverage
callbacks, this may indicate a problem with irrelevant signal being used
for fuzzing. Therefore, by default syz-manager reports errors and does
not show the coverage report in this case.
However, these errors can be annoying when onboarding new platforms, so
we let the users disable them by passing the ?force=1 URL parameter.
|
| |
| |
prepareFileMap does more work than we need and leads to incorrect hit counts.
prepareFileMap produces hit counts per source line (for source reports),
but jsonl exports data based on coverage callbacks, not source lines.
So if we have 2 callbacks on the same line, we will double count them
(both will have hit count 2). If we calculate total percent later
based on that data, it will be wrong.
Use simpler calculation based on PCs.
|
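The double counting described above, reproduced in an added example (this page's own code, not syzkaller's): hit counts are first aggregated per source line and then handed back to every callback on that line, versus counted per PC directly. The sample callbacks, lines and hit counts are constructed. The example goes one step beyond the message: the fourth callback was never executed but shares a line with one that was, so the line-based path also reports it as covered, which is where the wrong total percentage comes from.

```go
package main

import "fmt"

// Callback is one __sanitizer_cov_trace_pc site with the source line it
// maps to and how many programs hit it. Constructed data throughout.
type Callback struct {
	PC   uint64
	Line int
	Hits int
}

// LineHitsThenPerPC reproduces the bug: aggregate hits per source line
// (what a source-level report wants), then give every callback on the
// line that aggregated number. Two callbacks on one line, each hit once,
// come back as hit twice, and a callback that was never hit inherits its
// line-mate's count.
func LineHitsThenPerPC(cbs []Callback) map[uint64]int {
	perLine := make(map[int]int)
	for _, cb := range cbs {
		perLine[cb.Line] += cb.Hits
	}
	out := make(map[uint64]int, len(cbs))
	for _, cb := range cbs {
		out[cb.PC] = perLine[cb.Line]
	}
	return out
}

// PerPCHits is the straightforward per-callback count the export needs.
func PerPCHits(cbs []Callback) map[uint64]int {
	out := make(map[uint64]int, len(cbs))
	for _, cb := range cbs {
		out[cb.PC] = cb.Hits
	}
	return out
}

// CoveredPercent is the share of callbacks with a non-zero hit count.
func CoveredPercent(hits map[uint64]int) float64 {
	if len(hits) == 0 {
		return 0
	}
	covered := 0
	for _, h := range hits {
		if h > 0 {
			covered++
		}
	}
	return 100 * float64(covered) / float64(len(hits))
}

var sample = []Callback{
	{PC: 0xffffffff81100000, Line: 10, Hits: 1},
	{PC: 0xffffffff81100008, Line: 10, Hits: 1}, // second callback on line 10
	{PC: 0xffffffff81100010, Line: 11, Hits: 1},
	{PC: 0xffffffff81100018, Line: 11, Hits: 0}, // never executed
}

func main() {
	viaLines := LineHitsThenPerPC(sample)
	perPC := PerPCHits(sample)
	fmt.Printf("via source lines: %v -> %.0f%% covered\n", viaLines, CoveredPercent(viaLines))
	fmt.Printf("per PC:           %v -> %.0f%% covered\n", perPC, CoveredPercent(perPC))
}
```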
| |
| |
Currently we memorize all coverage points twice:
as a slice and as a map.
The map also contains __sanitizer_cov_trace_cmp PCs,
but I think that's wrong, it should contain only
__sanitizer_cov_trace_pc callbacks.
We were careful to put as little pressure on the GC as possible
by keeping all PCs in a dense allCoverPoints slice and subslicing it
in all symbol/compilation unit objects.
Don't duplicate coverage points in the map and just use the same slice
we store for other purposes.
|
| |
| |
This makes code easier to read top-down in the natural order
and Go does not require the inverted declaration order like C/C++.
|
| | |
|
| |
| |
jsonl is a newline-delimited JSON format.
It is good for streaming because you can read data line-by-line.
This pipeline will stream a lot eventually (x00 megabytes).
|
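An added example of the jsonl streaming described in this commit and in the earlier one ("Every line is a valid json object representing the single program coverage"); it is written for this page, not taken from syzkaller, and the record type, its field names and the sample programs and PCs are all assumptions. The writer emits one JSON object per line, the reader consumes the file line by line without holding the whole export in memory, and a malformed line is reported with its line number rather than silently ending the stream.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// ProgCoverage is an assumed record shape: one fuzzer program and the
// kernel PCs it covered. Field names are this example's, not the
// syzkaller export schema.
type ProgCoverage struct {
	Prog string   `json:"prog"`
	PCs  []uint64 `json:"pcs"`
}

// WriteJSONL streams records as newline-delimited JSON: exactly one
// object per line and nothing else, so consumers can split on '\n'.
func WriteJSONL(w io.Writer, recs []ProgCoverage) error {
	enc := json.NewEncoder(w) // Encode terminates every value with '\n'
	for _, r := range recs {
		if err := enc.Encode(r); err != nil {
			return err
		}
	}
	return nil
}

// ReadJSONL walks the export one line at a time and calls fn per record.
// Blank lines are skipped. It returns the number of lines consumed so far,
// which on error is the line that failed.
func ReadJSONL(r io.Reader, fn func(ProgCoverage) error) (int, error) {
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 1<<20), 64<<20) // a program can cover many PCs
	n := 0
	for sc.Scan() {
		n++
		line := bytes.TrimSpace(sc.Bytes())
		if len(line) == 0 {
			continue
		}
		var rec ProgCoverage
		if err := json.Unmarshal(line, &rec); err != nil {
			return n, fmt.Errorf("line %d: %w", n, err)
		}
		if err := fn(rec); err != nil {
			return n, err
		}
	}
	return n, sc.Err()
}

// UniquePCs folds a stream into the set of distinct covered PCs; the
// per-program records are discarded as soon as they are seen.
func UniquePCs(r io.Reader) (map[uint64]bool, error) {
	seen := make(map[uint64]bool)
	_, err := ReadJSONL(r, func(rec ProgCoverage) error {
		for _, pc := range rec.PCs {
			seen[pc] = true
		}
		return nil
	})
	return seen, err
}

func main() {
	// Constructed sample records.
	recs := []ProgCoverage{
		{Prog: "r0 = socket(0x2, 0x1, 0x0)", PCs: []uint64{0xffffffff81a00010, 0xffffffff81a00028}},
		{Prog: "close(r0)", PCs: []uint64{0xffffffff81a00028, 0xffffffff81b3c0a4}},
	}
	var buf bytes.Buffer
	if err := WriteJSONL(&buf, recs); err != nil {
		panic(err)
	}
	fmt.Print(buf.String())
	pcs, err := UniquePCs(strings.NewReader(buf.String()))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d distinct PCs\n", len(pcs))
}
```

The scanner buffer limit is the one knob worth thinking about: bufio.Scanner's default 64KB line cap would reject a program that covers tens of thousands of PCs, so the reader raises it explicitly instead of failing on the biggest records.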
| | |
|
| |
| |
Debugging coverage point validation warnings may require looking at
specific addresses, which are not printed anywhere. Add a URL parameter
that can be passed to prepareFileMap() to print a more meaningful error
message.
Also factor out the error message code from prepareFileMap() to reduce
its cyclomatic complexity.
|
| |
| |
Source files for Pixel devices are split between the common AOSP kernel
(path/to/kernel/aosp) and the device-specific drivers residing in a
separate dir (path/to/kernel/private/google-modules for Android 14
and path/to/kernel/gs/google-modules for older Android versions).
See https://source.android.com/docs/setup/build/building-pixel-kernels
for details.
The Android build system may reference these dirs in various ways, so
syzkaller cannot always work out where it should look for the source.
The newly introduced android_split_build flag handles the problem by adding a
list of "delimiters" used when normalizing the kernel source paths.
If the path contains any such delimiter, then everything preceding the last
delimiter in the path is replaced with the contents of "kernel_src" from the
manager config.
By default we only support "/aosp/" and "/private/", corresponding to
modern Android systems, as delimiters.
|
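The delimiter rule above, implemented as an added example (this page's own code, not the syzkaller implementation): the function finds the last occurrence of any delimiter in the path and replaces everything before it with `kernel_src`. How this example reads "everything preceding the last delimiter" is an assumption: the delimiter itself is kept, so the result stays under the split tree (`<kernel_src>/aosp/...` or `<kernel_src>/private/...`). The build paths and the `kernel_src` value in `main` are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// DefaultDelimiters mirrors the defaults named in the commit message.
var DefaultDelimiters = []string{"/aosp/", "/private/"}

// NormalizeAndroidPath rewrites a source path from an Android split build
// so that it points into kernelSrc. It picks whichever delimiter occurs
// last in p, drops everything before it, and keeps the delimiter so the
// file stays under kernelSrc/aosp/ or kernelSrc/private/ (an assumption
// of this example). ok is false when p contains no delimiter at all, in
// which case p is returned unchanged for the caller to decide about.
func NormalizeAndroidPath(p, kernelSrc string, delimiters []string) (string, bool) {
	best, bestDelim := -1, ""
	for _, d := range delimiters {
		if i := strings.LastIndex(p, d); i > best {
			best, bestDelim = i, d
		}
	}
	if best < 0 {
		return p, false
	}
	rest := p[best+len(bestDelim):]
	// path.Clean absorbs a trailing slash on kernelSrc and any "./" noise
	// in the remainder; ".." segments before the delimiter are already gone.
	return path.Clean(kernelSrc + bestDelim + rest), true
}

func main() {
	kernelSrc := "/work/pixel-kernel" // assumed "kernel_src" from the manager config
	for _, p := range []string{
		"/build/out/android14-6.1/../../aosp/drivers/soc/google/foo.c",
		"/build/private/google-modules/display/panel.c",
		"/build/out/obj/generic.c",
	} {
		norm, ok := NormalizeAndroidPath(p, kernelSrc, DefaultDelimiters)
		fmt.Printf("%-5v %s -> %s\n", ok, p, norm)
	}
}
```

Taking the last delimiter matters because build output directories can themselves contain one of these words; a path such as `.../aosp/out/.../private/google-modules/x.c` must resolve into `private/`, not `aosp/`.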
| |
| |
In the case some modules' addresses are off, certain kernel addresses
returned by kcov may not have corresponding coverage callbacks in the
.ko files. Keep an additional map in the backend to verify those
addresses and report an error if that is the case.
Because GCC < 14 may tail-call coverage callbacks, the described check
is not performed for binaries which mention GCC in their .comment
section.
Also adjust text expectations in pkg/cover/report_test.go, so that
non-GCC targets check for PCs matching the callbacks.
See https://github.com/google/syzkaller/issues/4447 for more details.
|
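The validation described in this commit, in the `?force=1` commit further up ("coverage points returned by kcov do not have corresponding coverage callbacks") and in the debugging-parameter commit that prints the offending addresses, brought together in one added example. This is code written for this page, not syzkaller's backend: the callback set, the kcov PCs and the `.comment` bytes are constructed, and the function names and the exact `force`/`dump` semantics are assumptions. The GCC check scans the raw bytes of an ELF `.comment` section, which is a run of NUL-terminated compiler identification strings.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// CallbackSet holds the PCs at which the kernel binary really contains a
// __sanitizer_cov_trace_pc call site. Constructed here; in practice it is
// built by disassembling vmlinux and the .ko files.
type CallbackSet map[uint64]bool

// ValidatePCs checks PCs reported by kcov against the known callback
// sites. A PC without a callback usually means a module's address range is
// off or unrelated signal is being fed to the fuzzer, so by default it is an
// error and no report is produced. force (the ?force=1 parameter) turns the
// error into a report with the bad PCs dropped; dump lists the offending
// addresses in the error instead of only counting them.
func ValidatePCs(pcs []uint64, cbs CallbackSet, force, dump bool) ([]uint64, error) {
	var good, bad []uint64
	for _, pc := range pcs {
		if cbs[pc] {
			good = append(good, pc)
		} else {
			bad = append(bad, pc)
		}
	}
	if len(bad) == 0 || force {
		return good, nil
	}
	sort.Slice(bad, func(i, j int) bool { return bad[i] < bad[j] })
	var b strings.Builder
	fmt.Fprintf(&b, "%d of %d coverage PCs have no coverage callback", len(bad), len(pcs))
	if dump {
		for _, pc := range bad {
			fmt.Fprintf(&b, "\n  %#x", pc)
		}
	} else {
		b.WriteString(" (pass dump to list them)")
	}
	return nil, errors.New(b.String())
}

// CompiledByGCC reports whether an ELF .comment section names GCC. The
// section is a sequence of NUL-terminated strings such as
// "GCC: (GNU) 12.2.0". GCC before 14 may tail-call the coverage callback,
// so the PC kcov records is not a call site and the check above would
// reject valid coverage; callers skip ValidatePCs for such binaries.
func CompiledByGCC(comment []byte) bool {
	for _, s := range bytes.Split(comment, []byte{0}) {
		if bytes.HasPrefix(s, []byte("GCC")) {
			return true
		}
	}
	return false
}

func main() {
	cbs := CallbackSet{0xffffffff81000010: true, 0xffffffff81000024: true}
	pcs := []uint64{0xffffffff81000010, 0xffffffffc0123456, 0xffffffff81000024} // one stray module PC

	if _, err := ValidatePCs(pcs, cbs, false, true); err != nil {
		fmt.Println("error:", err)
	}
	good, _ := ValidatePCs(pcs, cbs, true, false) // ?force=1
	fmt.Printf("forced: kept %d of %d PCs\n", len(good), len(pcs))

	comment := []byte("GCC: (GNU) 12.2.0\x00clang version 17.0.0\x00") // constructed .comment
	fmt.Println("skip callback check (GCC in .comment):", CompiledByGCC(comment))
}
```

A mixed `.comment` (GCC for some objects, clang for others) still disables the check, which is the conservative choice: a single GCC-built module is enough to produce PCs that are one instruction past where a call site would be.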
| | |
|
| |
| |
This reverts commit 3392690e404b6ba5022825d33259bc2e9e89eb53.
x86 bots are unable to generate coverage reports, because they actually
have coverage PCs without matching callbacks.
|
| |
| |
In the case some modules' addresses are off, certain kernel addresses
returned by kcov may not have corresponding coverage callbacks in the
.ko files. Keep an additional map in the backend to verify those
addresses and report an error if that is the case.
Also adjust text expectations in pkg/cover/report_test.go, as inexact
coverage will result in an error now.
|
| |
|
|
| |
Change-Id: I839fbc94c02da62cadee99a44b4f7c520e35a0dd
|
| | |
|
| | |
|
| | |
|
| |
| |
Make module discovery convert host.KernelModule to backend.Module.
Also error if we have modules on non-Linux
and make it possible to return errors from module discovery.
|
| |
| |
We already find symbol for every PC in lazySymbolize.
We can just use that to map PCs to modules instead
of the additional modules sorting/searching.
|
| |
| |
We don't have any other modules.
Move definition below Impl, KernelModule is not the most important thing.
|
| |
| |
Both elf.go and gvisor.go are compiled into the same package,
so the GroupPCsByModule callback gets installed for gvisor as well.
Move all modules-related logic into backend.
Splitting by modules is the only modules-related part
left in the common code. Move it into backend.
This makes the Modules field unnecessary in backend.Impl.
Also move the assignment to frame.Module to symbolize,
which reduces overall code size.
|
| |
| |
Pass modules as []host.KernelModule to cover.MakeReportGenerator.
This avoids make(map) in callers that don't pass modules.
Store modules as []*KernelModule.
This avoids clumsy assignments to the map to update Path
and allows storing modules as *KernelModule rather than by name
(we are not scripting; a pointer is a more flexible and handy representation).
|
| |
| |
mgrconfig used to be a "leaf" package that could be imported by anything.
Recently it started importing pkg/cover for Subsystem definition.
It leads to the following import cycle if I try to import
pkg/host from pkg/cover:
package github.com/google/syzkaller/pkg/bisect
imports github.com/google/syzkaller/pkg/build
imports github.com/google/syzkaller/pkg/mgrconfig
imports github.com/google/syzkaller/pkg/cover
imports github.com/google/syzkaller/pkg/host
imports github.com/google/syzkaller/pkg/csource
imports github.com/google/syzkaller/pkg/mgrconfig:
import cycle not allowed
Move Subsystem into pkg/mgrconfig itself.
|
| |
| |
The PCs returned for dynamically loaded modules (DLKM) are not
parsed in the coverage page; these PCs are dropped.
This commit uses the DLKM modules' load addresses and symbol files
to restore the PCs and show coverage data for DLKMs.
Introduced a new config option module_obj to specify module directories.
Example of config:
"module_obj": [
"module_path1",
"module_path2"
]
For the linux target, before Manager.Connect runs, load addresses are
read from /proc/modules in order to group PCs into modules.
And so, if modules are under the kernel_obj or module_obj dir,
their addresses and paths can be generated automatically.
kernel_obj is searched before the module_obj dir and the first found
ko object is always used.
Also note that kaslr needs to be disabled.
|
| |
|
|
| |
This reverts commit 69a06ca2b532ff4021a43fdead4e2ac1452a44c0.
|
| |
| |
PCs returned for dynamically loaded modules (DLKM) are not
parsed in the coverage page.
So this commit uses the DLKM modules' load address
to restore the PC and show coverage data for DLKMs.
As the load address is written in the cfg file, kaslr
needs to be disabled.
And for the linux target, the load address is read from
/proc/modules during instance setup.
For either the manual or auto address setting case,
name and path are needed in config kernel_modules, where
name is the module name on target,
path is the module's unstripped object path on host, and
addr is the decimal value of the module load address on target.
Example of config:
"kernel_modules": [
{
"name": "nf_nat",
"path": "/usr/src/linux-source/net/netfilter/nf_nat.ko",
"addr": 18446744072637911040
}
]
|
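The module discovery described in this commit and in the later `module_obj` one (read load addresses from `/proc/modules`, then find each module's unstripped `.ko` under `kernel_obj` first and the `module_obj` directories second, first hit wins), as an added example written for this page rather than syzkaller code. The `/proc/modules` text and the in-memory directory tree are constructed; the function names are this example's own. It also handles one thing the messages do not mention: `/proc/modules` reports module names with underscores, while the file on disk may use dashes (`snd-hda-intel.ko`), so names are compared with `-` folded to `_`.

```go
package main

import (
	"bufio"
	"fmt"
	"io/fs"
	"path"
	"strconv"
	"strings"
	"testing/fstest"
)

// KernelModule is one line of /proc/modules plus, once located, the path
// of the matching unstripped object on the host.
type KernelModule struct {
	Name string
	Size uint64
	Addr uint64 // load address on the target
	Path string // host path of <name>.ko, "" if not found
}

// Constructed /proc/modules sample. The real format is
//   name size refcount deps state address [taint flags]
// with "-" standing in for an empty dependency list.
const sampleProcModules = `nf_nat 57344 2 nft_chain_nat,xt_nat, Live 0xffffffffc0a8d000
snd_hda_intel 61440 0 - Live 0xffffffffc0b40000
fuse 167936 3 - Live 0xffffffffc0b1c000
`

// ParseProcModules extracts name, size and load address from /proc/modules.
func ParseProcModules(text string) ([]KernelModule, error) {
	var mods []KernelModule
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if len(fields) < 6 {
			return nil, fmt.Errorf("bad /proc/modules line: %q", sc.Text())
		}
		size, err := strconv.ParseUint(fields[1], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("module %s: size: %w", fields[0], err)
		}
		addr, err := strconv.ParseUint(fields[5], 0, 64) // base 0 accepts the 0x prefix
		if err != nil {
			return nil, fmt.Errorf("module %s: address: %w", fields[0], err)
		}
		mods = append(mods, KernelModule{Name: fields[0], Size: size, Addr: addr})
	}
	return mods, sc.Err()
}

// FindModuleObjects walks dirs in order (kernel_obj first, then each
// module_obj entry) and binds the first <name>.ko found to each module.
// Later matches never override an earlier one, which is the "first found
// ko object is always used" rule. Missing dirs are skipped, not fatal.
func FindModuleObjects(fsys fs.FS, dirs []string, mods []KernelModule) error {
	want := make(map[string]*KernelModule, len(mods))
	for i := range mods {
		want[strings.ReplaceAll(mods[i].Name, "-", "_")] = &mods[i]
	}
	for _, dir := range dirs {
		err := fs.WalkDir(fsys, dir, func(p string, d fs.DirEntry, err error) error {
			if err != nil || d.IsDir() || !strings.HasSuffix(p, ".ko") {
				return nil
			}
			name := strings.ReplaceAll(strings.TrimSuffix(path.Base(p), ".ko"), "-", "_")
			if m := want[name]; m != nil && m.Path == "" {
				m.Path = p
			}
			return nil
		})
		if err != nil {
			return err
		}
	}
	return nil
}

// SampleFS is a constructed host tree: nf_nat.ko exists under both
// kernel_obj and a vendor module_obj dir, the HDA driver only under the
// latter with a dashed file name, and fuse has no object at all.
func SampleFS() fs.FS {
	empty := &fstest.MapFile{Data: []byte{}}
	return fstest.MapFS{
		"kernel_obj/net/netfilter/nf_nat.ko": empty,
		"module_obj/vendor/nf_nat.ko":        empty,
		"module_obj/vendor/snd-hda-intel.ko": empty,
	}
}

func main() {
	mods, err := ParseProcModules(sampleProcModules)
	if err != nil {
		panic(err)
	}
	if err := FindModuleObjects(SampleFS(), []string{"kernel_obj", "module_obj"}, mods); err != nil {
		panic(err)
	}
	for _, m := range mods {
		fmt.Printf("%-14s addr=%#x size=%d path=%q\n", m.Name, m.Addr, m.Size, m.Path)
	}
}
```

One check worth doing on a real target: if every address parses as `0x0`, the reader lacked `CAP_SYSLOG` (kernel pointer restriction) and `/proc/modules` hid the values; read it as root inside the VM rather than trusting the zeros.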
| |
| |
* pkg/cover, syz-manager: show coverage summary
The funccover or cover page is not easy to use for statistical purposes.
So add /cover?type=rawfiles to show coverage based on each file.
And a /cover?type=table page to show coverage for groups of components.
If driver_path_map.json exists, /cover?type=table can show component coverage.
Format example:
{
"all": [ "/" ],
"audio": [
"/techpack/audio/asoc",
"/techpack/audio/dsp",
"/techpack/audio/ipc",
"/sound/core"
]
}
If driver_path_map.json does not exist, it will show a one-line summary.
* pkg/cover: use subsystem naming
* syz-manager: use /subsystemcover and /filecover
* pkg/cover: use subsystem from config
* pkg/mgrconfig: add kernel_subsystem
* pkg/cover, tools/syz-cover: fix make test
* all: fix presubmit errors
* pkg/cover, syz-manager: fix subsystem
|
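How the component table above can be computed from the per-file numbers and the `driver_path_map.json` format the message shows, as an added example for this page (not syzkaller's implementation). The per-file coverage rows are constructed; the JSON is the one quoted in the message. Directory entries are matched as path prefixes, with the one edge case a practitioner hits: `/sound/core` must not match `/sound/core_ext/`, so the prefix is compared with a trailing slash, and `"/"` matches everything.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// FileCoverage is one row of the per-file report (the ?type=rawfiles view
// in the message): coverage callbacks in the file and how many were hit.
// Constructed sample data below.
type FileCoverage struct {
	Path    string
	Total   int
	Covered int
}

// Percent is the covered share; zero for a file or group with no callbacks.
func (f FileCoverage) Percent() float64 {
	if f.Total == 0 {
		return 0
	}
	return 100 * float64(f.Covered) / float64(f.Total)
}

// ParseSubsystems reads a driver_path_map.json-style document:
// subsystem name -> list of directory prefixes.
func ParseSubsystems(text string) (map[string][]string, error) {
	var m map[string][]string
	if err := json.Unmarshal([]byte(text), &m); err != nil {
		return nil, fmt.Errorf("driver_path_map: %w", err)
	}
	return m, nil
}

// inDir says whether file lives under dir. "/" matches everything; any
// other dir must match on a path component boundary, so "/sound/core"
// does not swallow "/sound/core_ext/x.c".
func inDir(file, dir string) bool {
	if dir == "/" {
		return true
	}
	return strings.HasPrefix(file, strings.TrimSuffix(dir, "/")+"/")
}

// SubsystemCoverage sums per-file numbers into one row per subsystem.
// A file is counted at most once per subsystem even if several of the
// subsystem's prefixes match it, but may appear in several subsystems
// ("all" plus its own), which is what the component table wants.
func SubsystemCoverage(files []FileCoverage, subsystems map[string][]string) []FileCoverage {
	rows := make([]FileCoverage, 0, len(subsystems))
	for name, dirs := range subsystems {
		row := FileCoverage{Path: name}
		for _, f := range files {
			for _, d := range dirs {
				if inDir(f.Path, d) {
					row.Total += f.Total
					row.Covered += f.Covered
					break
				}
			}
		}
		rows = append(rows, row)
	}
	sort.Slice(rows, func(i, j int) bool { return rows[i].Path < rows[j].Path })
	return rows
}

// The map from the commit message.
const driverPathMap = `{
  "all": [ "/" ],
  "audio": [ "/techpack/audio/asoc", "/techpack/audio/dsp", "/techpack/audio/ipc", "/sound/core" ]
}`

// Constructed per-file rows; the third one exists only to exercise the
// prefix-boundary check.
var sampleFiles = []FileCoverage{
	{Path: "/techpack/audio/asoc/codec.c", Total: 10, Covered: 4},
	{Path: "/sound/core/pcm.c", Total: 20, Covered: 10},
	{Path: "/sound/core_ext/x.c", Total: 5, Covered: 5},
	{Path: "/net/core/dev.c", Total: 30, Covered: 6},
}

func main() {
	subs, err := ParseSubsystems(driverPathMap)
	if err != nil {
		panic(err)
	}
	for _, r := range SubsystemCoverage(sampleFiles, subs) {
		fmt.Printf("%-6s %3d/%-3d %5.1f%%\n", r.Path, r.Covered, r.Total, r.Percent())
	}
}
```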
| |
| |
Currently we only support compiler middle/backend coverage
where we can map coverage points to source lines.
Support better frontend coverage where coverage points map
to source code ranges start line:col - end line:col.
|
| |
|
|
|
| |
gvisor will need some custom logic there,
so make it part of backend.
|
| |
|
|
|
| |
This will allow supporting gvisor coverage where PCs
don't need to be rewound to the previous instruction.
|
| |
|
|
| |
Avoid global variables and implicit dependencies on previous initialization.
|
| |
| |
Better encapsulate all of this logic instead of exposing
the raw .text offset and a bunch of functions.
Also allows supporting gvisor coverage where PCs don't
need to be rewound to the previous instruction.
|
| |
| |
This looks more natural.
All users duplicate the logic of creating the object file path,
and then pkg/cover second-guesses the object dir back.
|
| |
|
|
|
| |
This will be needed for gVisor reports,
the target is "linux" but VM type is "gvisor".
|
| | |
|
| |
| |
Refactor coverage filter code to make it clearer what
produces and consumes what data.
Check that the target supports shmem.
No other functional changes intended.
|
| | |
|