path: root/pkg/csource/csource_test.go
Commit message | Author | Age | Files | Lines
* pkg/csource: add call argument annotations to generated C-source files | Ethan Graham | 2025-08-04 | 1 | -1/+4
  The structure of arguments passed into syscalls is often hard to parse since it is memcpy'd into mmap'd regions. Structural relations are often lost in translation, resulting in reproducers that take longer for a developer to understand.
  This patch adds functionality for parsing syscall arguments semantically and emitting a structured and human-readable comment which is inserted before each syscall in the resulting C-source.
* pkg/csource: add 32 bit tests to TestSource | Aleksandr Nogikh | 2025-04-10 | 1 | -9/+31
* pkg/csource: enforce the bit size of -1 | Aleksandr Nogikh | 2025-04-10 | 1 | -0/+11
  syscall() is a variadic function, so we need to be careful when passing const values in there without specifying their type.
  For -1, we did not specify it, and on 64 bit architectures the de facto passed value was 0xFFFFFFFF instead of 0xFFFFFFFFFFFFFFFF.
  Fix it and add a test.
  Closes #5921.
* all: remove loop variables scoping | Taras Madan | 2025-02-17 | 1 | -2/+0
* Revert "pkg/csource: list the newly added SYZ_KVM_ constants in TestExecutorMacros" | Alexander Potapenko | 2024-09-25 | 1 | -3/+0
  This reverts commit 1763a1862f3468b4b1a5cedef9d61ddd8d0e58e8.
* pkg/csource: list the newly added SYZ_KVM_ constants in TestExecutorMacros | Alexander Potapenko | 2024-09-25 | 1 | -0/+3
* prog: replace MinimizeParams with MinimizeMode | Dmitry Vyukov | 2024-08-07 | 1 | -1/+1
  All callers shouldn't control lots of internal details of minimization (if we have more params, that's just more variations to test, and we don't have more, params is just a more convoluted way to say if we minimize for corpus or a crash).
  2 bools also allow to express 4 options, but only 3 make sense.
  Also when I see MinimizeParams{} in the code, it's unclear what it means.
  Replace params with mode. And potentially "crash" minimization is not "light", it's just different. E.g. we can simplify int arguments for reproducers (esp in snapshot mode), but we don't need that for corpus.
* prog: make minimization parameters explicit | Aleksandr Nogikh | 2024-05-27 | 1 | -1/+1
  Add an explicit parameter to only run call removal.
* pkg/csource: replace go:generate with go:embed | Dmitry Vyukov | 2024-05-08 | 1 | -1/+2
  go:embed is a more modern way to do this and it does not require a special Makefile step.
  Since go:embed cannot use paths that contain "..", the actual embedding is moved to executor package.
* tools/syz-linter: check t.Logf/Errorf/Fatalf messages | Dmitry Vyukov | 2024-04-17 | 1 | -2/+2
  Fix checking of Logf, it has string in 0-th arg.
  Add checking of t.Errorf/Fatalf.
* pkg/csource: annotate syscall() args with their pretty-printed values | Florent Revest | 2024-02-01 | 1 | -0/+19
  This factorizes const arguments into the shortest flags OR bitmask possible so they are easy to read.
  E.g:
    /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul
* pkg/csource: annotate syscall() args with their names | Florent Revest | 2023-06-09 | 1 | -7/+7
  This annotates syscall arguments so they are easier to read without having to pull out the syscall's man page.
  E.g:
    syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, ...
  Signed-off-by: Florent Revest <revest@chromium.org>
* pkg/csource: compile single pseudo syscalls | Aleksandr Nogikh | 2023-05-04 | 1 | -0/+17
  There seem to be a lot of unclear dependencies between pseudo syscall code and global methods. By testing them only together we have little chance to detect these problems because implementations can indirectly help one another.
  In addition to existing tests, also compile all pseudo syscalls independently.
* pkg/csource: fix unit tests for arches with non-default DataOffset | Alexander Egorenov | 2023-01-19 | 1 | -11/+16
  The problem was introduced in 4620c2d9bc4f ("sys/targets: take DataOffset from reference targets").
  Example of the problem on s390x
  -------------------------------
  --- FAIL: TestSource (0.00s)
      --- FAIL: TestSource/1 (0.00s)
          csource_test.go:221: input:
              csource2(&AUTO="12345678")
              csource3(&AUTO)
              csource4(&AUTO)
              csource5(&AUTO)
              csource6(&AUTO)
              want:
              NONFAILING(memcpy((void*)0x20000040, "\x12\x34\x56\x78", 4));
              syscall(SYS_csource2, 0x20000040ul);
              NONFAILING(memset((void*)0x20000080, 0, 10));
              syscall(SYS_csource3, 0x20000080ul);
              NONFAILING(memset((void*)0x200000c0, 48, 10));
              syscall(SYS_csource4, 0x200000c0ul);
              NONFAILING(memcpy((void*)0x20000100, "0101010101", 10));
              syscall(SYS_csource5, 0x20000100ul);
              NONFAILING(memcpy((void*)0x20000140, "101010101010", 12));
              syscall(SYS_csource6, 0x20000140ul);
              got:
              NONFAILING(memcpy((void*)0xfffff040, "\x12\x34\x56\x78", 4));
              syscall(SYS_csource2, 0xfffff040ul);
              NONFAILING(memset((void*)0xfffff080, 0, 10));
              syscall(SYS_csource3, 0xfffff080ul);
              NONFAILING(memset((void*)0xfffff0c0, 48, 10));
              syscall(SYS_csource4, 0xfffff0c0ul);
              NONFAILING(memcpy((void*)0xfffff100, "0101010101", 10));
              syscall(SYS_csource5, 0xfffff100ul);
              NONFAILING(memcpy((void*)0xfffff140, "101010101010", 12));
              syscall(SYS_csource6, 0xfffff140ul);
  FAIL
  coverage: 79.6% of statements
  FAIL github.com/google/syzkaller/pkg/csource 9.930s
  Fixes: 4620c2d9bc4f ("sys/targets: take DataOffset from reference targets")
  Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
* pkg/testutil: add RandSource helper | Dmitry Vyukov | 2022-11-23 | 1 | -7/+1
  The code to send rand source is duplicated in several packages.
  Move it to testutil package.
* executor: add setup_ext_test extension point | Dmitry Vyukov | 2022-11-01 | 1 | -0/+1
  The extension point allows to setup the test process in a custom way without overwriting any of the existing files.
* pkg/csource, pkg/instance, pkg/ipc, pkg/mgrconfig, tools/syz-prog2c, syz-manager: introduce a new setting 'sandbox_arg' (#3263) | Andrey Artemiev | 2022-08-06 | 1 | -0/+35
* pkg/testutil: add package | Dmitry Vyukov | 2021-12-21 | 1 | -0/+14
  Add package with RaceEnabled const that can be used in test to skip long tests in race mode.
  Switch existing tests to use the new package.
  Update #2886
* all: add the `rerun` call property | Aleksandr Nogikh | 2021-12-10 | 1 | -1/+4
  To be able to collide specific syscalls more precisely, we need to repeat the process many times.
  Introduce the `rerun` call property, which instructs `syz-executor` to repeat the call the specified number of times. The intended use is:
    call1() (rerun: 100, async)
    call2() (rerun: 100)
  For now, assign rerun values randomly to consecutive pairs of calls, where the first one is async.
* all: replace collide mode by `async` call property | Aleksandr Nogikh | 2021-12-10 | 1 | -1/+4
  Replace the currently existing straightforward approach to race triggering (that was almost entirely implemented inside syz-executor) with a more flexible one.
  The `async` call property instructs syz-executor not to block until the call has completed execution and proceed immediately to the next call.
  The decision on what calls to mark with `async` is made by syz-fuzzer. Ultimately this should let us implement more intelligent race provoking strategies as well as make more fine-grained reproducers.
* pkg/csource: remove calls instead of skipping them | Aleksandr Nogikh | 2021-10-01 | 1 | -4/+4
  Currently csource skips calls at the very last moment, which has an unpleasant consequence - if we make choice of enabled defines depend on the individual calls or call properties, we may end up with defined yet unused functions.
  The perfect solution would be to untie syz_emit_ethernet/syz_extract_tcp_res and NetInjection, and also to untie VhciInjection and syz_emit_vhci.
  For the time being, move these checks to the very beginning of csource processing, so that these calls could be removed before we construct our defines.
  Adjust pkg/csource/csource_test.go to better cover fault injection generation problems.
* all: refactor fault injection into call props | Aleksandr Nogikh | 2021-09-22 | 1 | -0/+4
  Now that call properties mechanism is implemented, we can refactor fault injection.
  Unfortunately, it is impossible to remove all traces of the previous approach. In reprolist and while performing syz-ci jobs, syzkaller still needs to parse the old format.
  Remove the old prog options-based approach whenever possible and replace it with the use of call properties.
* pkg/csource: don't enable HandleSegv in short tests | Dmitry Vyukov | 2021-07-29 | 1 | -0/+6
  HandleSegv can radically increase compilation time/memory consumption on large programs. For example, for one program captured from this test enabling HandleSegv increases compilation time from 1.94s to 104.73s and memory consumption from 136MB to 8116MB. This leads to CI failures on #2688.
  Don't enable HandleSegv in short tests.
* pkg/compiler: optimize array[const] representation | Dmitry Vyukov | 2021-04-21 | 1 | -24/+6
  Represent array[const[X, int8], N] as string["XX...X"]. This replaces potentially huge number of:
    NONFAILING(*(uint8_t*)0x2000126c = 0);
    NONFAILING(*(uint8_t*)0x2000126d = 0);
    NONFAILING(*(uint8_t*)0x2000126e = 0);
  with a single memcpy. In one reproducer we had 3991 such lines.
  Also replace memcpy's with memset's when possible.
  Update #1070
* pkg/csource: add resulting source tests | Dmitry Vyukov | 2021-04-21 | 1 | -0/+85
  Add some tests that verify source we get for various programs.
  Update #1070
* pkg/runtest: check arch requirement early | Dmitry Vyukov | 2021-02-08 | 1 | -62/+1
  Need to check arch requirement early as some programs may fail to deserialize on some arches due to missing syscalls. See discussion on #2380.
  Also support negative arch requirements (-arch=amd64).
* all: make timeouts configurable | Dmitry Vyukov | 2020-12-28 | 1 | -0/+1
  Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system. The struct allows to control syscall/program/no output timeouts for OS/arch/VM/etc. See comment on the struct for more details.
* sys/targets: add OS/Arch name consts | Dmitry Vyukov | 2020-10-26 | 1 | -2/+2
  We use strings to identify OS/Arch. These strings are duplicated throughout the code base massively. golangci-lint points to possibility of typos and duplication. We already had to define these names in pkg/csource and disable checking for prog package. A future change triggers such warnings in another package.
  Add OS/Arch name consts to sys/targets so that they can be used to refer to OS/Arch. Use the consts everywhere.
* pkg/csource: don't test auto-generated files | Dmitry Vyukov | 2020-09-20 | 1 | -0/+6
  syz_mount_image tests are very large and TestSysTests takes too long. syz-imagegen that generates them does some of this testing (Deserialize/SerializeForExec).
* executor: add some code style checks | Dmitry Vyukov | 2020-08-06 | 1 | -48/+0
  Move the test from pkg/csource to executor/ in order to be able to (1) run it on *.cc files, (2) run on unprocessed *.h files, (3) produce line numbers.
  Add a check for missed space after //.
* executor: remove block comments | Dmitry Vyukov | 2020-08-04 | 1 | -11/+24
  1. We don't generally use /* */ block comments, few precedents we have are inconsistent with the rest of the code.
  2. pkg/csource does not strip them from the resulting code.
  Remove the cases we have and add a test to prevent new ones being added.
* .golangci.yml: enable whitespace checker | Dmitry Vyukov | 2020-06-05 | 1 | -1/+0
  Points to bad empty lines very precisely.
* pkg/csource: speed up tests | Dmitry Vyukov | 2020-05-18 | 1 | -1/+4
  Tests run for too long.
  1. Check only 1 arch per OS in short mode.
  2. Dedup options. Turns out we generated 2x duplicates in allOptionsSingle.
* Get rid of "Cross" in variable names | Alexander Potapenko | 2020-05-13 | 1 | -1/+1
  Renamed Target.BrokenCrossCompiler to Target.BrokenCompiler and Target.CrossCFlags to Target.CFlags
  "Everything in Target is about Cross now."
  Signed-off-by: Alexander Potapenko <glider@google.com>
* all: reformat code | Dmitry Vyukov | 2020-05-08 | 1 | -2/+2
* all: replace TRAVIS env var with CI | Dmitry Vyukov | 2020-05-07 | 1 | -2/+2
  In preparation to running some tests as github actions. Both Travis and Github define CI env var, while TRAVIS is, well, too Travis-specific.
  Update #1699
* prog: support disabled attribute | Dmitry Vyukov | 2020-05-04 | 1 | -2/+2
  Update #477
  Update #502
* sys/targets: better detection for missing/broken cross-compilers | Dmitry Vyukov | 2020-04-29 | 1 | -19/+1
  1. Detect when compiler is present, but is not functioning (can't build a simple program, common for Linux distros).
  2. Be more strict with skipping tests due to missing/broken compilers on CI (on CI they should work, so fail loudly if not).
  3. Dedup this logic across syz-env and pkg/csource tests.
  4. Add better error reporting for syz-env.
  Fixes #1606
* pkg/csource: don't print too much error output | Dmitry Vyukov | 2020-02-13 | 1 | -0/+19
  We print whole reproducer programs on failure, if lots of programs fail, this results in thousands of lines of output, which is esp bad on travis.
  Limit amount of output.
* pkg/csource: detect common mistakes in the common executor header | Dmitry Vyukov | 2019-11-28 | 1 | -0/+35
* pkg/csoruce: test that executor does not mis-spell any of the SYZ_* macros | Dmitry Vyukov | 2019-11-16 | 1 | -0/+21
* pkg/csource: don't run tests if compiler is broken | Dmitry Vyukov | 2019-11-07 | 1 | -0/+8
  Test presence of a working compiler before running any tests for a target. This helps to make tests pass even if some cross-compilers are not installed properly.
* pkg/csource: skip cross-builds that are doomed to fail | Dmitry Vyukov | 2019-07-23 | 1 | -0/+4
  OpenBSD instance failed with:
    --- FAIL: TestSysTests (12.50s)
        --- FAIL: TestSysTests/linux/386 (0.16s)
            csource_test.go:145: failed to generate C source for ../../sys/linux/test/binder: cpp failed: exec: "cant-build-linux-on-openbsd": executable file not found in $PATH
    ...
  Skip unsupported cross-builds in TestSysTests.
* pkg/csource: test sys/*/test programs | Dmitry Vyukov | 2019-07-22 | 1 | -11/+52
  Running sys/*/test programs requires real machines and kernels for each OS. We can't do that in unit tests, but at least try to deserialize these programs so that they don't get rotten.
* Makefile: enable 386 executor build in presubmit | Dmitry Vyukov | 2019-05-07 | 1 | -5/+0
  This hacky way to install 386 packages seems to unbreak executor build.
* Makefile: enable arm executor build in presubmit | Dmitry Vyukov | 2019-05-07 | 1 | -6/+0
  arm build seems to work now on Travis since we switched to xenial.
* all: fix warnings pointed to by golangci-lint | Dmitry Vyukov | 2019-03-28 | 1 | -1/+1
  Update #977
* executor: prevent non-null expected warnings | Dmitry Vyukov | 2019-03-21 | 1 | -1/+12
  The added test triggers warnings like these:
    <stdin>: In function ‘syz_mount_image.constprop’:
    <stdin>:298:3: error: argument 1 null where non-null expected [-Werror=nonnull]
    In file included from <stdin>:26:0:
    /usr/include/x86_64-linux-gnu/sys/stat.h:320:12: note: in a call to function ‘mkdir’ declared here
     extern int mkdir (const char *__path, __mode_t __mode)
                ^~~~~
    cc1: all warnings being treated as errors
    <stdin>: In function ‘syz_open_procfs.constprop’:
    <stdin>:530:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
    <stdin>:85:110: note: in definition of macro ‘NONFAILING’
    <stdin>:532:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
    <stdin>:85:110: note: in definition of macro ‘NONFAILING’
    <stdin>:534:41: error: ‘%s’ directive argument is null [-Werror=format-truncation=]
    <stdin>:85:110: note: in definition of macro ‘NONFAILING’
  Use volatile for all arguments of syz_ functions to prevent compiler from treating the arguments as constants in reproducers.
  Popped up during bisection that used a repro that previously worked.
  Update #501
* prog, pkg/{csource,ifuzz,ipc,repro}: make tests deterministic on travis | Dmitry Vyukov | 2019-01-02 | 1 | -0/+3
  Don't use random seed on travis as it produces flaky coverage reports, and probably generally better for CI setting.
* pkg/csource: exclude linux/arm64 tests | Dmitry Vyukov | 2018-12-05 | 1 | -7/+5
  I think I misinterpreted the error that episodically happens on ci:
    collect2: error: ld terminated with signal 11 [Segmentation fault], core dumped
    compiler invocation: aarch64-linux-gnu-gcc [-Wall -Werror -O1 -g -o /tmp/syz-executor570589071 -pthread -DGOOS_linux=1 -DGOARCH_arm64=1 -x c - -static]
  as OOM, but they all involve aarch64-linux-gnu-gcc:
    https://travis-ci.org/google/syzkaller/jobs/461827347
    https://travis-ci.org/google/syzkaller/jobs/460226110
    https://travis-ci.org/google/syzkaller/jobs/463564291
  So I guess the problem can be with the arm64 toolchain that just crashes randomly.