| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Collect code coverage for test programs.
This is likley to be needed for #6878 and seed generation workflow.
For now it's not wired into any workflow/tool and is not tested.
But this should provide most of the plumbing to wire it up.
|
| |
|
|
|
|
| |
This will prevent duplication of the same logic later. Specifically, it
will be needed when rerunning reproducers in syz-cluster and potentially
when aggregating the results of multiple reproducer runs in syz-agent.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
If the crash dumps are enabled, collect one crash dump per each crash
when fuzzing locally.
Optionally also collect crash dumps in pkg/instance's Test().
Inspired by Chenxi Huang's downstream changes to syzkaller.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
All repros and jobs that use syz rerpos are broken for linux/amd64/386 since Mar 2022 with:
SYZFAIL: failed to recv rpc
aborting RPC server: mismatching manager/executor arches: amd64 vs 386
The problem is that ExecProgInstance.RunSyzProgFile passes sysTarget.Arch
(which is VMArch) to syz-execprog, so it expects executor to be amd64.
Restore the orignal logic.
|
| |
|
|
| |
Any is the preferred over interface{} now in Go.
|
| |
|
|
|
| |
We return pointers rather than structs directly,
this is important if the errors are casted.
|
| |
|
|
|
|
|
|
| |
Semaphore is a very low-level primitive type,
while pkg/instance is a very high-level package with lots of deps.
Semaphore does not belong there, and may lead to cyclic deps
if we use it more. Move it to pkg/osutil. It's not really OS-specific,
but we don't have a better package.
|
| |
|
|
|
| |
After this change it fits more naturally into the Go's error
functionality.
|
| |
|
|
|
|
|
|
|
|
| |
Enable external abortion of the instance creation process. This is
especially useful for the qemu case where we retry the creation/boot up
to 1000 times, which can take significant time (e.g. it timeouts
syz-cluster pods on unstable kernels).
The context can be further propagated to WaitForSSH, but that requires
another quite significant vm/ refactoring.
|
| |
|
|
|
| |
The err variable is from the open call, it cannot be VerboseError. Use
retErr instead.
|
| | |
|
| |
|
|
|
|
|
|
| |
Include a bit more info into the bug reports.
The change is motivated by inactionable "image testing failed w/o kernel
bug" errors like this:
https://syzkaller.appspot.com/text?tag=CrashLog&x=17acec42580000
|
| |
|
|
| |
We used the wrong name for the optional argument.
|
| |
|
|
|
| |
1. func Run optionally accepts the opts.
2. Some refactoring, more comments.
|
| |
|
|
|
|
|
|
|
|
| |
Since #6123, the ability to run syz reproducers with Sandbox="" is also
relevant for pkg/repro.
Instead of patching the value at Env.Test(), do it right before
the syz-execprog's invocation.
Closes #6137.
|
| |
|
|
| |
It allows to use context as a single termination signal source.
|
| |
|
|
| |
New code will be limited to max 7 function params.
|
| |
|
|
|
| |
go install golang.org/x/tools/cmd/deadcode@latest
deadcode -test ./...
|
| |
|
|
|
|
|
| |
Move the logic from syz-ci to pkg/instance to make it reusable.
In case of a failure without a crash report, report the issue as a
SYZFATAL crash instead of just printing to the error log.
|
| |
|
|
| |
They are shorter, more readable, and don't require temp vars.
|
| |
|
|
|
|
|
|
|
|
|
| |
In some build environments (notably Yocto), syzkaller host and target
binaries end up in separate packages for each built architecture, which
are then shipped with the respective image/SDK.
Add the "Execprog/ExecutorBinOnTarget" and "StraceBinOnTarget" options
to the manager config, which when set expects the respective binaries to
be shipped with the target image and does not attempt to copy them from
the host.
|
| |
|
|
|
|
|
|
|
|
| |
Refactor pkg/repro to accept a context.Context object. This will make it
look more similar to other package interfaces and will eventually let us
abort currently running repro jobs without having to shut down the whole
application.
Simplify the code by factoring out the parameters common both to RunSyzRepro()
and RunCRepro().
|
| |
|
|
|
|
| |
This unifies the build() and clean() interfaces such that if a custom
compiler or make binary is provided in the manager or bisection config,
they can be taken into account by the clean() interface.
|
| |
|
|
|
|
| |
Certain environments might need a specific make command or wrap make
calls with extra logic. This lets users provide a path to a custom make
binary.
|
| |
|
|
| |
Reduce the number of arguments by using a csource.Option value directly.
|
| |
|
|
|
|
| |
This makes it possible to skip certain machine
checks depending on the VM type, as syz-manager
already does.
|
| |
|
|
| |
Add calls to Close() from all locations that call Create().
|
| |
|
|
|
|
|
| |
Our largest timeout is 6 minutes, so anything between 1.5 minutes and 6
ended up having a 9 minute timeout. That's too much.
Consider the time it actually took to crash the kernel.
|
| |
|
|
| |
The latter is a better suitable name.
|
| |
|
|
|
| |
The parameter defines the maximum number of CPUs involved in the kernel
build process.
|
| |
|
|
|
| |
We should not be setting FuzzingVMs to a value below the overall VM
count.
|
| |
|
|
|
|
|
| |
Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer.
Also restore syz-runtest functionality in the manager.
Update #4917 (sets most signal handlers to SIG_IGN)
|
| |
|
|
|
|
|
|
| |
We currently panic if the syz reproducer was not provided, but it's
actually a valid situation - it happens if we perform patch testing for
build/boot/test errors.
Closes #4907.
|
| |
|
|
|
| |
When we rewrite syz-fuzzer in C++ flag parsing will be painful,
so send as many parameters to syz-fuzzer in RPC rather than as flags.
|
| |
|
|
| |
It's not used anymore.
|
| |
|
|
|
|
|
|
|
|
|
| |
When we accept new kernels for fuzzing we need more extensive testing,
but syz-ci switched to using syz-manager for this purpose.
Now instance testing is used only for bisection and patch testing,
which does not need such extensive image testing (it may even harm).
So just run a simple program as a testing.
It also uses the same features as the target reproducer,
so e.g. if the reproducer does not use wifi, we won't test it,
which reduces changes of unrelated kernel bugs.
|
| |
|
|
|
|
|
| |
We don't really need to overwrite it.
For syz programs, don't ignore non-zero exit codes. This should enable
syzkaller to find reproducers for "lost connection" bugs.
|
| |
|
|
| |
Switch to flatrpc.ExecOpts.
|
| |
|
|
|
|
| |
Remove things that are only needed for target VM communication:
conditional compression, timeout scaling, traffic stats.
To minimize diffs when we switch target VM communication to flatrpc.
|
| |
|
|
|
|
|
|
|
| |
syz-runtest effectively implemented the same execute program/return result
mechanism we use now for normal fuzzing.
So extend the general mechanism to allow collecting output/errors,
repeating program, and executing a precompiled binary as a test.
And switch syz-runtest to the general mechanism.
This removes another chunk of code from syz-fuzzer.
|
| |
|
|
|
|
| |
Move all ExecOpts logic from the fuzzer to the manager.
This makes the fuzzer simpler and will allow to vary
options across requests.
|
| |
|
|
|
|
| |
All callers of Run always call MonitorExecution right after it.
Combine these 2 methods. This allows to hide some implementation
details and simplify users of vm package.
|
| |
|
|
|
|
|
|
| |
RPC compression take up to 10% of CPU time in profiles,
but it's unlikely to be beneficial for local VM runs
(we are mostly copying memory in this case).
Enable RPC compression based on the VM type
(local VM don't use it, remove machines use it).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the cases where we do not / cannot sandbox individual prog executions
well enough, some share of progs end up being dependent on the
previously accumulated state of the whole VM.
As the result,
* We lose 5-10% of coverage/signal on every instance restart.
* A share of our corpus programs do not actually trigger the coverage
they were thought to reliably trigger.
This significantly affects fuzzing efficiency and prevents syzkaller
from accumulating bigger and better corpus over multiple runs.
Let's see if the situation becomes better if we restart syz-executor
before most of prog executions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In some cases (e.g. gVisor instances using host's network namespace)
attempts to bind() all syz-fuzzer processes to the same port result in
conflicts and fuzzing breakages.
Refactor the code to enable custom pprof configuration depending on the
vm type.
For now, just disable pprof endpoints for gVisor VMs. Once we actually
need the feature there, we can generate custom ports for every gVisor
VM.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The test() code is used for reproducer generation and kernel bisections,
we don't need symoblized reports there.
Instead of retuning an error, just print a log message.
|
| |
|
|
|
| |
This will help avoid a circular dependency pkg/vcs -> pkg/report ->
pkg/vcs.
|
