| Commit message (Collapse) | Author | Age | Files | Lines |
e.g. the f3 field has a logical OR operator in the if condition:
conditional_struct {
    mask int32
    f1 field1 (if[value[mask] & FIELD_FLAG1])
    f2 int64 (if[value[mask] & FIELD_FLAG2])
    f3 int64 (if[value[mask] == FIELD_FLAG1 || value[mask] == FIELD_FLAG2])
} [packed]
Instead of printing the full program, enable per-job logs.
Signal rotation is intended to make the fuzzer re-discover flaky coverage
in a non-flaky way. However, taking into account that we get effectively
the same effect after each manager restart, and that the fuzzer is overloaded
with triage/smash jobs, it does not look to be worth it.
During deflake/minimization we have 1 target call that should be handled specially:
during triage we want all signal, during minimization we want new+target signal.
For the rest of the calls we can do normal handling: collect new signal
and start triage if we see any new signal.
It can be large and we need just errno. Store just that.
Convert tests to table tests to avoid duplication
and make it easier to add new tests.
1. Use the initial signal as the first attempt,
this should reduce the total number of runs by 1 in the common case.
2. Update max signal on each attempt.
It should eliminate additional runs later.
3. Update the signal we are chasing after each attempt.
It's possible that we won't get any of the original new signal,
but instead will get some other stable new signal.
The next commit will add another Candidate flag.
Candidate flags duplicate progTypes enum, so to avoid conversions
of one to another use progTypes in Candidate struct directly.
Rename progTypes to progFlags since multiple can be set,
so this is effectively flags rather than a single type.
Take some arm64 devices for example:
kaslr_offset differs at bits 12-40, and kernel modules are loaded in a 2GB space,
so we have `ffffffd342e10000 T _stext` where the upper 32 bits are ffffffd3. However,
if we check the modules range, the 1st module is loaded at 0xffffffd2eeb2a000,
while the last module is loaded at 0xffffffd2f42c4000.
We can see the upper 32 bits differ for the core kernel and modules.
If we use the current 32-bit covered PC, we will get wrong module addresses
recovered.
So we need to move to 64-bit cover and signal:
- change cover/sig to 64-bit to fit the syz-executor change
- remove the kernel upper base logic, as the kernel upper base is not a constant when
KASLR is enabled for the core kernel and modules.
- remove unused pcBase
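Worked example of the truncation the message describes. This is an added illustration in Go, not code from the commit or from the syzkaller tree: the three addresses are the ones quoted above, and restore32 is my own model of the old scheme (keep the low 32 bits of each covered PC, then glue on a constant upper half taken from _stext). The round trip keeps core-kernel PCs intact but moves every module PC into the wrong 4GB window.

```go
package main

import "fmt"

// Addresses quoted in the commit message above (an arm64 device with KASLR).
const (
	stextPC    uint64 = 0xffffffd342e10000 // _stext: upper 32 bits are 0xffffffd3
	firstModPC uint64 = 0xffffffd2eeb2a000 // first loaded module: upper 32 bits are 0xffffffd2
	lastModPC  uint64 = 0xffffffd2f42c4000 // last loaded module
)

// truncate32 is what a 32-bit cover/signal path keeps of a covered PC.
func truncate32(pc uint64) uint32 { return uint32(pc) }

// restore32 models the old manager-side recovery: glue a constant upper
// 32 bits (taken from the core kernel text) back onto the truncated PC.
// This is an assumed model of the old scheme, not the project's code.
func restore32(pc32 uint32, upperBase uint64) uint64 {
	return (upperBase &^ 0xffffffff) | uint64(pc32)
}

// roundTrip32 sends pc through the 32-bit path and recovers it with the
// upper half of _stext, which is only right for the core kernel.
func roundTrip32(pc uint64) uint64 {
	return restore32(truncate32(pc), stextPC)
}

// roundTrip64 is the new scheme: the full 64-bit PC travels end to end,
// so there is nothing to reconstruct and nothing to get wrong.
func roundTrip64(pc uint64) uint64 { return pc }

func main() {
	for _, pc := range []uint64{stextPC, firstModPC, lastModPC} {
		got := roundTrip32(pc)
		fmt.Printf("pc %#x -> recovered %#x (correct: %v)\n", pc, got, got == pc)
	}
}
```

Running it shows _stext surviving the round trip while both module PCs come back as 0xffffffd3..., one 4GB window above where the modules actually live; any lookup of those PCs against the module map would then miss or hit the wrong symbol.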
Switch to flatrpc.ProgInfo.
Note: this disables syz-runtest and syz-verifier.
For now, only ProgTypes is enough.
Instead of relying on a fuzzer-internal priority queue, utilize
stackable layers of request-generating steps.
Move the functionality to a separate pkg/fuzzer/queue package.
The pkg/fuzzer/queue package can be reused to add extra processing
layers on top of the fuzzing and to combine machine checking and fuzzing
execution pipelines.
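An added Go illustration of the layering idea in this message (my own sketch, not the code of pkg/fuzzer/queue): every layer implements one Source interface, a FIFO layer and a generator layer are the building blocks, and Order stacks them so that the layers in front (here a machine-check queue and a triage queue) pre-empt program generation without any shared priority queue. Request, Plain, Callback, Order and LayerTrace are names chosen for this example.

```go
package main

import "fmt"

// Request is a unit of work handed to an executor; only what this
// illustration needs is modelled.
type Request struct {
	Prog  string // program to execute
	Layer string // which layer of the stack produced it
}

// Source is the single interface every layer implements. Next returns nil
// when the layer has nothing to offer right now, which lets the layer in
// front of it fall through to the next one.
type Source interface {
	Next() *Request
}

// Plain is a FIFO of ready-made requests (e.g. triage or machine-check jobs).
type Plain struct {
	queue []*Request
}

// Submit appends a request to the end of the queue.
func (p *Plain) Submit(req *Request) { p.queue = append(p.queue, req) }

func (p *Plain) Next() *Request {
	if len(p.queue) == 0 {
		return nil
	}
	req := p.queue[0]
	p.queue = p.queue[1:]
	return req
}

// Callback adapts a plain function into a Source.
type Callback func() *Request

func (c Callback) Next() *Request { return c() }

// NewGenerator returns a source that never runs dry, standing in for the
// program-generation step at the bottom of the fuzzing stack.
func NewGenerator() Source {
	n := 0
	return Callback(func() *Request {
		n++
		return &Request{Prog: fmt.Sprintf("generated-%d", n), Layer: "generate"}
	})
}

// Order polls its sources front to back and returns the first request it
// gets, so earlier layers have strict priority over later ones. Putting a
// machine-check queue in front of the fuzzing layers combines the two
// pipelines without a shared priority queue.
type Order []Source

func (o Order) Next() *Request {
	for _, src := range o {
		if req := src.Next(); req != nil {
			return req
		}
	}
	return nil
}

// LayerTrace pulls up to n requests and returns the producing layers,
// comma separated, so the ordering can be inspected and checked.
func LayerTrace(src Source, n int) string {
	trace := ""
	for i := 0; i < n; i++ {
		req := src.Next()
		if req == nil {
			break
		}
		if trace != "" {
			trace += ","
		}
		trace += req.Layer
	}
	return trace
}

func main() {
	check, triage := &Plain{}, &Plain{}
	check.Submit(&Request{Prog: "check-1", Layer: "check"})
	check.Submit(&Request{Prog: "check-2", Layer: "check"})
	triage.Submit(&Request{Prog: "triage-1", Layer: "triage"})
	pipeline := Order{check, triage, NewGenerator()}
	fmt.Println(LayerTrace(pipeline, 4)) // check,check,triage,generate
	// A triage job submitted later still pre-empts generation.
	triage.Submit(&Request{Prog: "triage-2", Layer: "triage"})
	fmt.Println(LayerTrace(pipeline, 2)) // triage,generate
}
```

The point of returning nil rather than blocking is that a front layer can go idle and wake up again: the second trace shows a triage request submitted after generation had started still being served first.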
We don't want to reach just any stable signal, we know the specific new
signal that we target. The previous approach might have reduced the
efficiency of the new deflake() approach.
Add ability for each package to create and export own stats.
Each stat is self-contained, describes how it should be presented,
and there is no need to copy them from one package to another.
Stats also keep historical data and allow building graphs over time.
Demand that at least 3 out of 5 runs share common signal.
Exit early if it's not feasible.
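An added Go model, written for this page and not syzkaller's own deflake code, of the rules stated in the three-point message earlier on this page (initial signal is the first attempt, max signal updated after every attempt, chased signal updated after every attempt) together with the 3-of-5 requirement and early exit from the message just above. Signal, Deflake and scripted are names chosen here; treating rule 2 as merging each attempt's signal into the fuzzer-wide max set is my reading of the message, and the run results are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Signal is a set of signal identifiers (hashes of covered PCs in syzkaller).
type Signal map[uint32]struct{}

func NewSignal(ids ...uint32) Signal {
	s := Signal{}
	for _, id := range ids {
		s[id] = struct{}{}
	}
	return s
}

// Diff returns the elements of s that are absent from other.
func (s Signal) Diff(other Signal) Signal {
	out := Signal{}
	for id := range s {
		if _, ok := other[id]; !ok {
			out[id] = struct{}{}
		}
	}
	return out
}

// Merge adds every element of other to s (maps are references, so the
// caller's set is updated).
func (s Signal) Merge(other Signal) {
	for id := range other {
		s[id] = struct{}{}
	}
}

// Sorted returns the identifiers in ascending order for stable output.
func (s Signal) Sorted() []uint32 {
	ids := make([]uint32, 0, len(s))
	for id := range s {
		ids = append(ids, id)
	}
	sort.Slice(ids, func(i, j int) bool { return ids[i] < ids[j] })
	return ids
}

const (
	maxRuns  = 5 // attempts in total, the initial run included
	needRuns = 3 // an element must show up in at least this many attempts
)

// Deflake returns the chased signal seen in at least needRuns attempts and
// the number of extra executions spent. exec stands in for running the
// program once more; known is the fuzzer-wide max signal, updated in place.
func Deflake(initial, known Signal, exec func() Signal) (stable Signal, execs int) {
	counts := map[uint32]int{}
	chase := Signal{} // new signal we are trying to confirm
	attempt := func(observed Signal) {
		chase.Merge(observed.Diff(known)) // rule 3: chase whatever is new
		known.Merge(observed)             // rule 2: max signal learns about it
		for id := range observed {
			if _, ok := chase[id]; ok {
				counts[id]++
			}
		}
	}
	attempt(initial) // rule 1: the initial run is the first attempt
	for runs := 1; runs < maxRuns; runs++ {
		// Exit early if no chased element can still reach needRuns.
		feasible := false
		for id := range chase {
			if counts[id]+(maxRuns-runs) >= needRuns {
				feasible = true
				break
			}
		}
		if !feasible {
			break
		}
		attempt(exec())
		execs++
	}
	stable = Signal{}
	for id, n := range counts {
		if n >= needRuns {
			stable[id] = struct{}{}
		}
	}
	return stable, execs
}

// scripted replays constructed per-run signals; empty once they run out.
func scripted(runs ...Signal) func() Signal {
	i := 0
	return func() Signal {
		if i >= len(runs) {
			return Signal{}
		}
		s := runs[i]
		i++
		return s
	}
}

func main() {
	known := NewSignal(1, 2)
	initial := NewSignal(1, 2, 10, 11) // 10 and 11 look new
	// Constructed runs: 10 is stable, 11 was a flake, 12 is stable signal
	// the initial run never produced.
	exec := scripted(NewSignal(1, 2, 10, 12), NewSignal(1, 2, 10, 12),
		NewSignal(1, 2, 12), NewSignal(1, 2))
	stable, execs := Deflake(initial, known, exec)
	fmt.Printf("stable new signal %v after %d extra executions\n", stable.Sorted(), execs)
}
```

In the constructed run the flaky element 11 is dropped, 12 is confirmed even though the initial run never produced it (rule 3), and a program whose new signal never reappears is abandoned after the fourth attempt, when the third hit has become impossible.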