| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
probability coverage
|
| |
|
|
| |
Any is the preferred over interface{} now in Go.
|
| | |
|
| |
|
|
|
|
|
| |
Introduce a KFuzzTest mode for the fuzzer so that a smaller number of
recommended calls can be used if we are fuzzing KFuzzTest targets.
Signed-off-by: Ethan Graham <ethangraham@google.com>
|
| |
|
|
|
|
|
| |
Copy everything that might be important during execution on other
kernels/VM pools. Add a test to verify it.
The functionality is actively used to clone requests in the diff fuzzer.
|
| |
|
|
|
|
|
|
| |
Ensure that corpus and signal are non-zero after the bugs have been
found.
Fix coverage configuration - the test was de facto running on a fallback
coverage.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Track the right moment to start bug reproductions more exactly:
1) Either once 90% of the corpus is triaged (*).
2) Or once we are past 50% of the time dedicated for fuzzing.
Whatever happens earlier.
(*) The last percents are usually quite slow and they bring much less
covered PCs that all the previous ones.
|
| |
|
|
| |
Otherwise it's hard to understand in error messages what 1/2/3 mean.
|
| |
|
|
|
|
|
|
|
|
| |
The Clone() we do at the beginning of the handleCall() function is
unnecessary and may even confuse the people wo read and modify the code
(see #5878).
For all the jobs we start below, we anyway do another Clone() of the
program. The corpus also does not assume that the programs in it will be
modified elsewhere.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
On context abortion, return a special error.
On the pkg/rpcserver side, recognize and process it.
|
| |
|
|
|
| |
Accept context as a function argument.
Split out the code that creates a syz-executor process instance.
|
| |
|
|
| |
It should hopefully let us debug #5674.
|
| |
|
|
|
| |
Whenever the status is set, also include the reason. It should help
easier debug execution and machine check time problems.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We query globs for 2 reasons:
1. Expand glob types in syscall descriptions.
2. Dynamic file probing for automatic descriptions generation.
In both of these contexts are are interested in files
that will be present during test program execution
(rather than normal unsandboxed execution).
For example, some files may not be accessible to test programs
after pivot root. On the other hand, we create and link
some additional files for the test program that don't
normally exist.
Add a new request type for querying of globs that are
executed in the test program context.
|
| |
|
|
|
| |
If the overflows happen often, it's bad.
Add visibility into this.
|
| |
|
|
|
|
|
|
|
|
|
| |
ex. f3 field has logic or operator in if condition:
conditional_struct {
mask int32
f1 field1 (if[value[mask] & FIELD_FLAG1])
f2 int64 (if[value[mask] & FIELD_FLAG2])
f3 int64 (if[value[mask] == FIELD_FLAG1 || value[mask] == FIELD_FLAG2])
} [packed]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the prototype version of the patch series fuzzing functionality
based on the syzkaller fuzzing engine.
The tool takes two syzkaller configs -- one for the base kernel, one for
the patched kernel. Optionally the patch itself can be also provided.
syz-diff will consider a bug patched-only if:
1) It happened while fuzzing the patched kernel.
2) It was never observed on the base kernel.
3) The tool found a repro on the patched kernel.
4) The repro did not crash the base kernel.
|
| |
|
|
|
| |
When the option is set, more time is spent on "exec fuzz" and less time
is spent minimizing the programs.
|
| |
|
|
| |
This will enable its reuse.
|
| |
|
|
|
| |
It will enable collecting statistics for several simultaneous RPCServer
objects.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we kill hanged processes and consider the corresponding test finished.
We don't kill/wait for the actual test subprocess (we don't know its pid to kill,
and waiting will presumably hang). This has 2 problems:
1. If the hanged process causes "task hung" report, we can't reproduce it,
since the test finished too long ago (manager thinks its finished and
discards the request).
2. The test process still consumed per-pid resources.
Explicitly detect and handle such cases:
Manager keeps these hanged tests forever,
and we assign a new proc id for future processes
(don't reuse the hanged one).
|
| |
|
|
| |
This will let us gain even more insight into what the fuzzer is doing.
|
| |
|
|
|
|
| |
Specify the exact call that is being minimized.
Print new signal delta if it's small (these are most suspicious kinds of
triage jobs).
|
| |
|
|
| |
Instead of printing the full program, enable per-job logs.
|
| |
|
|
| |
This will let us understand better what exactly the fuzzer was doing.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
All callers shouldn't control lots of internal details of minimization
(if we have more params, that's just more variations to test,
and we don't have more, params is just a more convoluted way to say
if we minimize for corpus or a crash).
2 bools also allow to express 4 options, but only 3 make sense.
Also when I see MinimizeParams{} in the code, it's unclear what it means.
Replace params with mode.
And potentially "crash" minimization is not "light", it's just different.
E.g. we can simplify int arguments for reproducers (esp in snapshot mode),
but we don't need that for corpus.
|
| |
|
|
| |
Distribute triage requests to different VMs.
|
| |
|
|
|
|
| |
Tune number of deflake/minimize runs in snapshot more.
Presumably snapshot mode must be more stable and should
require fewer runs.
|
| |
|
|
|
| |
These stats will be needed for snapshot mode that does not use rpcserver.
Move them from pkg/rpcserver to pkg/fuzzer/queue.
|
| |
|
|
|
|
|
|
| |
Go package names should generally be singular form:
https://go.dev/blog/package-names
https://rakyll.org/style-packages
https://groups.google.com/g/golang-nuts/c/buBwLar1gNw
|
| |
|
|
|
|
| |
New is more idiomatic name and is shorter
(lines where stats.Create is used are usually long,
so making them a bit shorter is good).
|
| |
|
|
|
|
|
|
|
| |
We are getting too many generated candidates, the fuzzer may not keep up
with them at all (hints jobs keep growing infinitely). If a hint indeed came
from the input w/o transformation, then we should guess it on the first
attempt (or at least after few attempts). If it did not come from the input,
or came with a non-trivial transformation, then any number of attempts won't
help. So limit the total number of attempts (until the next restart).
|
| |
|
|
|
| |
Use 2/6 criteria during corpus triage.
See the large added comment for details.
|
| |
|
|
|
| |
If we have found new signal for several calls of the same programs,
triage them in paralllel.
|
| |
|
|
|
|
| |
During deflake(), we look at the unions of the signal from multiple
iterations. Let's do the same in minimize(), it would be more
consistent.
|
| |
|
|
|
|
| |
Hints can produce insane amounts of candidates (up to 30K).
So run deflaking one more time, even if it reduces amount
of candidates by few percents, it's still profitable.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we can get either:
WARNING: DATA RACE
Read at 0x00c0018fe1e0 by goroutine 11:
github.com/google/syzkaller/pkg/fuzzer.(*testFuzzer).run()
pkg/fuzzer/fuzzer_test.go:183 +0x62a
github.com/google/syzkaller/pkg/fuzzer.TestFuzz()
pkg/fuzzer/fuzzer_test.go:86 +0xa96
testing.tRunner()
testing/testing.go:1595 +0x238
testing.(*T).Run.func1()
testing/testing.go:1648 +0x44
Previous write at 0x00c0018fe1e0 by goroutine 36:
runtime.mapassign_faststr()
runtime/map_faststr.go:203 +0x0
github.com/google/syzkaller/pkg/fuzzer.(*testFuzzer).OnDone()
pkg/fuzzer/fuzzer_test.go:210 +0x404
github.com/google/syzkaller/pkg/fuzzer.(*testFuzzer).OnDone-fm()
<autogenerated>:1 +0x47
github.com/google/syzkaller/pkg/fuzzer.(*testFuzzer).Next.(*Request).OnDone.func1()
pkg/fuzzer/queue/queue.go:62 +0xa1
github.com/google/syzkaller/pkg/fuzzer/queue.(*retryer).Next.(*Request).OnDone.func1()
pkg/fuzzer/queue/queue.go:68 +0xbe
github.com/google/syzkaller/pkg/fuzzer/queue.(*Request).Done()
pkg/fuzzer/queue/queue.go:74 +0x66
github.com/google/syzkaller/pkg/rpcserver.(*Runner).handleExecResult()
pkg/rpcserver/runner.go:262 +0x554
github.com/google/syzkaller/pkg/rpcserver.(*Runner).connectionLoop()
pkg/rpcserver/runner.go:103 +0x495
github.com/google/syzkaller/pkg/rpcserver.(*Server).connectionLoop()
pkg/rpcserver/rpcserver.go:371 +0x18a
github.com/google/syzkaller/pkg/rpcserver.(*Server).handleConn()
pkg/rpcserver/rpcserver.go:261 +0x6ac
github.com/google/syzkaller/pkg/rpcserver.(*Server).handleConn-fm()
<autogenerated>:1 +0x3d
github.com/google/syzkaller/pkg/flatrpc.ListenAndServe.func1.1()
pkg/flatrpc/conn.go:54 +0x2ac
Or:
panic: Log in goroutine after TestFuzz has completed: CRASH: second bug
goroutine 69 [running]:
testing.(*common).logDepth(0xc0017c24e0, {0xc00070c0d8, 0x11}, 0x3)
testing/testing.go:1029 +0x6d4
testing.(*common).log(...)
testing/testing.go:1011
testing.(*common).Logf(0xc0017c24e0, {0x1365b2d, 0x9}, {0xc001aac930, 0x1, 0x1})
testing/testing.go:1062 +0xa5
github.com/google/syzkaller/pkg/fuzzer.(*testFuzzer).OnDone(0xc001a222a0, 0x10ace5d?, 0xc00073c870)
pkg/fuzzer/fuzzer_test.go:205 +0x23a
github.com/google/syzkaller/pkg/fuzzer.(*testFuzzer).Next.(*Request).OnDone.func1(0xc004745080, 0xc00073c870)
pkg/fuzzer/queue/queue.go:72 +0xa8
github.com/google/syzkaller/pkg/fuzzer/queue.(*retryer).Next.(*Request).OnDone.func1(0xc004745080, 0xc00073c870)
pkg/fuzzer/queue/queue.go:78 +0xc5
github.com/google/syzkaller/pkg/fuzzer/queue.(*Request).Done(0xc004745080, 0xc00073c870)
pkg/fuzzer/queue/queue.go:84 +0x74
github.com/google/syzkaller/pkg/rpcserver.(*Runner).handleExecResult(0xc0019ec000, 0xc00072bbc0)
pkg/rpcserver/runner.go:265 +0x5b5
github.com/google/syzkaller/pkg/rpcserver.(*Runner).connectionLoop(0xc0019ec000)
/home/dvyukov/go/src/github
|
| |
|
|
|
|
|
| |
Signal rotation is intended to make the fuzzer re-discover flaky coverage
in non flaky way. However, taking into accout that we get effectively
the same effect after each manager restart, and that the fuzzer is overloaded
with triage/smash jobs, it does not look to be worth it.
|
| |
|
|
|
|
|
|
|
| |
1. Run only 25 mutations during smash.
2. Run collide during normal fuzzing rather than during smashing.
3. Run hints and fault injection before random mutations
and order hints/fault injection jobs.
4. Random mutations still run round-robin w/o ordering
to give better diversity.
|
| |
|
|
|
|
|
| |
Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
Also restore syz-runtest functionality in the manager.
Update #4917 (sets most signal handlers to SIG_IGN)
|
| |
|
|
|
| |
Let exec smash describe purely the mutation part of the smash job.
Introduce a separate stat for fault injection executions.
|
| |
|
|
|
|
|
| |
During deflake/minimization we have 1 target call that should be handled specially:
during triage we want all signal, during minimization we want new+target signal.
For the rest of the calls we can do normal handling: collect new signal
and start triage if we see any new signal.
|
| |
|
|
| |
It can be large and we need just errno. Store just it.
|
