path: root/pkg/instance
Commit message (author, date, files changed, lines -removed/+added)
...
* syz-ci: move build semaphore closer to builds (Aleksandr Nogikh, 2023-01-19, 1 file, -1/+51)
  Currently it's held during the whole job processing, which can take too long. Adjust it so that it's only taken when we really begin to build the kernel or syzkaller.
* pkg/instance: move BuildKernel() args to struct (Space Meyer, 2023-01-09, 1 file, -10/+19)
* syz-ci/jobs: use linker supplied in syz-ci config (Space Meyer, 2023-01-09, 1 file, -2/+4)
  Previously we only used the linker from the syz-ci config when building the kernel for regular fuzzing. We were missing some plumbing to have this setting reach patch testing and bisection jobs.
* pkg/csource, pkg/instance, pkg/ipc, pkg/mgrconfig, tools/syz-prog2c, syz-manager: introduce a new setting 'sandbox_arg' (#3263) (Andrey Artemiev, 2022-08-06, 3 files, -14/+17)
* syz-ci: remember syzkaller builds logs (Aleksandr Nogikh, 2022-06-28, 1 file, -15/+21)
  This might help get more insight into patch testing failures, especially for old bugs.
* pkg/instance: don't close vmInst in SetupExecProg (Aleksandr Nogikh, 2022-06-20, 1 file, -3/+0)
  That method was not assumed to take ownership of the instance. This can lead to double-closing of it during bisection/patch testing, and therefore to panic(). Closes #3210.
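The ownership problem behind that commit, as an added illustration that is not syzkaller's code: a helper that closes a handle it was only lent makes the owning caller's own Close() a double close. The vmInst type, the channel-backed Close() and both setup variants are constructed for this example; the only resemblance to pkg/instance is the division of responsibility between helper and caller.

```go
package main

import "fmt"

// vmInst stands in for a VM instance handle (constructed for this example,
// not syzkaller's vm.Instance). Close releases it exactly once: closing the
// channel a second time panics, which is the failure the commit describes.
type vmInst struct {
	done  chan struct{}
	ready bool
}

func newInst() *vmInst { return &vmInst{done: make(chan struct{})} }

func (v *vmInst) Close() { close(v.done) }

// setupExecProgBuggy mirrors the pre-fix shape: the helper prepares the
// instance and then closes a handle it does not own.
func setupExecProgBuggy(inst *vmInst) {
	inst.ready = true
	inst.Close()
}

// setupExecProgFixed prepares the instance and leaves its lifetime to the
// caller, which is the contract the commit restores.
func setupExecProgFixed(inst *vmInst) {
	inst.ready = true
}

// runPatchTest models the owning caller: it creates the instance, defers
// its Close(), and hands it to the setup helper. It reports whether the
// run panicked so the two helper variants can be compared directly.
func runPatchTest(setup func(*vmInst)) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	inst := newInst()
	defer inst.Close() // the owner's close; runs before the recover above
	setup(inst)
	return false
}

func main() {
	fmt.Println("helper closes the instance, caller closes again:", runPatchTest(setupExecProgBuggy))
	fmt.Println("helper leaves Close() to the caller:", runPatchTest(setupExecProgFixed))
}
```

The deferred Close() in runPatchTest is the owner's single close; with the buggy helper it runs on an already-closed channel and panics, with the fixed helper it is the only close and the run completes.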
* all: remember console output for all patch tests (Aleksandr Nogikh, 2022-06-08, 1 file, -24/+33)
  Currently syzbot only saves a log if there was a build/test error. Closes #3185
* pkg/instance: fix nil derefs in patch testing and bisections (Dmitry Vyukov, 2022-05-09, 1 file, -2/+5)
  Fix these crashes:
  panic: runtime error: invalid memory address or nil pointer dereference
  [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xd430ae]
  goroutine 875 [running]:
  github.com/google/syzkaller/pkg/instance.(*inst).testRepro.func1(...)
      pkg/instance/instance.go:371
  github.com/google/syzkaller/pkg/instance.(*inst).testRepro(0xc0005a2c80)
      pkg/instance/instance.go:396 +0x26e
  github.com/google/syzkaller/pkg/instance.(*inst).test(0xc0005a2c80)
      pkg/instance/instance.go:293 +0xf2
  github.com/google/syzkaller/pkg/instance.(*env).Test.func1()
      pkg/instance/instance.go:237 +0x26
  created by github.com/google/syzkaller/pkg/instance.(*env).Test
      pkg/instance/instance.go:237 +0x1d7
  syz-ci.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
* all: run strace on each found reproducer (Aleksandr Nogikh, 2022-04-29, 1 file, -0/+26)
  If `strace_bin` is specified, syzkaller will invoke a reproducer with it and save the output. This should help in debugging. If syz-manager is attached to a dashboard, upload the strace-powered output and report.
* vm: support variable output buffer size (Aleksandr Nogikh, 2022-04-29, 1 file, -3/+6)
  Also update syz-crush to save RawOutput instead of output from the Report.
* all: use the same prog execution code throughout the project (Aleksandr Nogikh, 2022-04-29, 2 files, -62/+183)
  Previously it was copy-pasted in pkg/instance, pkg/repro, tools/syz-crash. Use the single implementation instead.
  Also, this commit fixes a bug: the previous code always set collide to true while reproducing a bug, which led to an immediate syz-execprog exit. As a result, newer bugs with a .syz repro only were never actually reproduced on #syz test requests.
* all: fix patch testing for bugs without C repro (Aleksandr Nogikh, 2022-04-19, 1 file, -1/+1)
  Syzbot tests patches with -collide=true in order to trigger more bugs, but now that the -collide flag is deprecated, this no longer makes sense. Moreover, it actually prevents the testing of bugs with a syz repro now: syz-execprog immediately exits due to -collide=true and env.Test() accepts it as a normal outcome.
  Set -collide=true only for those bugs where collide was set to true by the reproducer (and therefore syzkaller at that revision supported it).
  Don't exit from syz-execprog immediately if -collide is set to true. This will prevent such bugs from happening later and make the problem more visible.
  This was initially part of #3083, but seems to be more urgent to merge, so pushing it as a separate PR.
* pkg/instance: explicitly specify optional fuzzer arguments (Aleksandr Nogikh, 2022-04-06, 2 files, -13/+18)
  Otherwise we get problems while testing patches for older syzkaller versions, which didn't support optional arguments. Adjust tests so that problems with how OldFuzzerCmd handles such arguments could be seen.
* all: collect raw coverage (Aleksandr Nogikh, 2022-03-28, 1 file, -4/+10)
  Raw coverage might be important when e.g. analysing the origins of out-of-place coverage in coverage reports or understanding why the fuzzer could not reach deeper code. If "raw_cover" is set to true, syzkaller will remember unsorted and unduplicated coverage (PCs) for each of its corpus programs.
* pkg/instance: refactor FuzzerCmd() (Aleksandr Nogikh, 2022-03-28, 1 file, -13/+31)
  The method already has too many arguments, which complicates the further addition of new features. Introduce FuzzerCmdArgs structure to overcome the problem.
* pkg/instance: support older syzkaller revisions (Aleksandr Nogikh, 2022-03-17, 1 file, -3/+6)
  Now we use go1.16+, but sometimes syz-ci still has to compile and run old syzkaller revisions, which were not meant to be compiled with modern Go. In particular, this leads to the following errors:
  syzkaller build failed: failed to run ["make" "target"]: exit status 2
  tools/syz-make/make.go:14:2: no required module provides package github.com/google/syzkaller/pkg/osutil: go.mod file not found in current directory or any parent directory; see 'go help modules'
  tools/syz-make/make.go:15:2: no required module provides package github.com/google/syzkaller/sys/targets: go.mod file not found in current directory or any parent directory; see 'go help modules'
  Makefile:39: *** syz-make failed. Stop.
  Fix this by adding GO111MODULE=auto to the environment variables.
  Reported-by: Taylor R Campbell <riastradh@netbsd.org>
* syz-verifier: don't use -collide in the runner (#3032) (Taras Madan, 2022-03-16, 2 files, -8/+3)
* all: replace collide mode by `async` call property (Aleksandr Nogikh, 2021-12-10, 1 file, -4/+7)
  Replace the currently existing straightforward approach to race triggering (that was almost entirely implemented inside syz-executor) with a more flexible one. The `async` call property instructs syz-executor not to block until the call has completed execution and proceed immediately to the next call. The decision on what calls to mark with `async` is made by syz-fuzzer.
  Ultimately this should let us implement more intelligent race provoking strategies as well as make more fine-grained reproducers.
* all: refactor fault injection into call props (Aleksandr Nogikh, 2021-09-22, 1 file, -4/+10)
  Now that call properties mechanism is implemented, we can refactor fault injection. Unfortunately, it is impossible to remove all traces of the previous approach. In reprolist and while performing syz-ci jobs, syzkaller still needs to parse the old format.
  Remove the old prog options-based approach whenever possible and replace it with the use of call properties.
* all: use entire log to detect reports to suppress (Aleksandr Nogikh, 2021-08-06, 1 file, -1/+1)
  Currently syzkaller only applies its suppressions regexps to the oops message itself and a small number of its preceding bytes. A case has been reported (#2685), where it was important to analyse a bigger portion of output data.
  Pass the whole log and a starting position to the `Report.Parse` method separately instead of passing an already cut log there. Adjust use cases of the `Report.Parse` method to handle its new behavior.
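Why the window size matters for suppressions, as an added example that is not syzkaller's code: the console log, the oops regexp, the suppression regexp and the 128-byte window below are all constructed here, and the two functions model only the before/after behaviour the commit describes (matching against a cut-down window versus receiving the whole log plus the oops position). A suppression that keys on a line printed early in boot is silently missed by the windowed variant, so the crash would be reported instead of suppressed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed console log (not a real crash). The line the suppression
// keys on is printed well before the oops, outside any small window.
const sampleLog = `[    1.000000] test_module: self-test mode, faults are expected
[    1.100000] loading driver a
[    1.200000] loading driver b
[    1.300000] loading driver c
[    1.400000] loading driver d
[    1.500000] BUG: KASAN: use-after-free in foo_bar+0x12/0x40
[    1.500100] Call Trace:
`

// oopsRe locates the report; a stand-in for the OS-specific oops detection.
var oopsRe = regexp.MustCompile(`(?m)^.*BUG: .*$`)

// suppressions plays the role of user-configured suppression regexps;
// this entry is constructed for the example.
var suppressions = []*regexp.Regexp{
	regexp.MustCompile(`test_module: self-test mode`),
}

func matchesAny(data []byte) bool {
	for _, re := range suppressions {
		if re.Match(data) {
			return true
		}
	}
	return false
}

// suppressedWindow models the old behaviour: only the oops line and a fixed
// number of bytes preceding it are handed to the suppression check.
func suppressedWindow(log []byte, window int) bool {
	loc := oopsRe.FindIndex(log)
	if loc == nil {
		return false
	}
	start := loc[0] - window
	if start < 0 {
		start = 0
	}
	return matchesAny(log[start:loc[1]])
}

// suppressedWholeLog models the new behaviour: the caller passes the whole
// log and learns the oops position separately, so everything printed before
// the oops is visible to the suppression check.
func suppressedWholeLog(log []byte) (suppressed bool, startPos int) {
	loc := oopsRe.FindIndex(log)
	if loc == nil {
		return false, -1
	}
	return matchesAny(log[:loc[1]]), loc[0]
}

func main() {
	log := []byte(sampleLog)
	fmt.Println("128-byte window suppresses:", suppressedWindow(log, 128))
	s, pos := suppressedWholeLog(log)
	fmt.Printf("whole log suppresses: %v (oops starts at byte %d)\n", s, pos)
}
```

In this constructed log the four "loading driver" lines are exactly 128 bytes, so a 128-byte window ends right after the self-test line and the suppression never sees it; handing over the full log with the start position keeps the match while still telling the caller where the report begins.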
* pkg/report: separate reporter wrapper from OS-specific implementations (Aleksandr Nogikh, 2021-08-06, 1 file, -1/+1)
  Currently a number of report post-processing activities are implemented as a decorator over the interface that defines OS-specific implementations. Following exactly the same interface is too restrictive in this case as adding extra parameters to the post-processing forces the developer to adjust all implementations that may not need these parameters at all.
  Untie the wrapper from the Reporter interface. Use a package-private reporterImpl interface for the OS-specific implementations, while having an exported Reporter structure. Make sure that Reporter is stored and passed as a pointer.
* all: capture compiler id during the build process (Aleksandr Nogikh, 2021-07-20, 1 file, -6/+6)
  Default compilers are specified in the OS- and platform-dependent logic. It is more convenient to extract info about them during the kernel build itself, rather than during the manager object initialization. Apply the necessary changes throughout the code that is involved in building the kernels and processing information about this process.
* all: remove pointers to pkg.build.Params (Aleksandr Nogikh, 2021-07-20, 1 file, -1/+1)
  The struct pkg.build.Params is currently primarily passed on as a pointer, which makes it hard to see the places where it can (and should) actually be modified. Make it all more explicit by only passing pointer references to objects of this type when the object is expected to be modified by the function. In fact, at this moment there are no such situations.
* pkg/instance, syz-runner, syz-verifier: add option to create a new environment for each program (Mara Mihali, 2021-07-19, 2 files, -4/+8)
* pkg/instance: added threaded and collide flags (Mara Mihali, 2021-07-06, 2 files, -3/+15)
  These can be used to disable threaded execution and collision mode for program's system calls.
* pkg/instance: add RunnerCmd (Mara Mihali, 2021-06-30, 2 files, -0/+39)
  This function creates the command for starting a runner with the provided command line arguments.
* all: make timeouts configurable (Dmitry Vyukov, 2020-12-28, 2 files, -37/+71)
  Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system. The struct allows to control syscall/program/no output timeouts for OS/arch/VM/etc. See comment on the struct for more details.
* pkg/mgrconfig: remove Syz prefix from fields (Dmitry Vyukov, 2020-11-30, 1 file, -14/+14)
  Everything in syzkaller is syz-something, it's pointless to add syz prefix to everything and it unnecessarily increases clutter. Remove the prefix.
  Also, rename ExecutorCmd in target to ExecutorBin to make it consistent with mgrconfig and ExecprogBin/FuzzerBin.
* pkg/mgrconfig: add prog&sys.targets targets to Config (Dmitry Vyukov, 2020-11-30, 1 file, -8/+3)
  These are widely used with the config as the refactoring shows. This removes a bunch of unnecessary code. Also fixes a number of bugs where we confused Arch with VMArch.
* sys/targets: add OS/Arch name consts (Dmitry Vyukov, 2020-10-26, 2 files, -8/+11)
  We use strings to identify OS/Arch. These strings are duplicated throughout the code base massively. golangci-lint points to possibility of typos and duplication. We already had to define these names in pkg/csource and disable checking for prog package. A future change triggers such warnings in another package.
  Add OS/Arch name consts to sys/targets so that they can be used to refer to OS/Arch. Use the consts everywhere.
* pkg/bisect: add ccache option (Jouni Hogander, 2020-09-21, 1 file, -2/+3)
  Add option to use ccache in kernel builds.
  Signed-off-by: Jouni Hogander <jouni.hoegander@partner.bmw.de>
* pkg/instance: extend debug output on syzkaller make error (Dmitry Vyukov, 2020-05-25, 1 file, -1/+7)
  For debugging of: https://groups.google.com/forum/#!topic/syzkaller-bugs/2lgvlHd8t1c
* pkg/report: add Report.SkipPos (Dmitry Vyukov, 2020-05-13, 1 file, -6/+1)
  SkipPos is what pkg/instance needs, but also will be needed for ParseAll.
* pkg/instance: Use syz or c source file when testing (Jouni Hogander, 2020-04-29, 1 file, -37/+39)
  Currently only the syz file is taken into account when testing. Use also the C source file if available. Still use syz as the "main" reproducer.
* syz/targets: add SyzExecutorCmd flag (Marco Vanotti, 2019-12-09, 1 file, -8/+20)
  This commit adds a new attribute to syzkaller targets that tells syzkaller how to invoke the syz-executor command.
  Some systems, like Fuchsia, are now building syz-executor as part of the build, and there is no need to copy it over, or to run it from `/tmp`. In fact, that might stop working at some time in the future in Fuchsia.
  All places that used to copy syz-executor into the target machine will now check for the SyzExecutorCmd flag, and won't copy it if the flag is set.
* sys/targets: add HostFuzzer flag (Dmitry Vyukov, 2019-11-16, 1 file, -5/+4)
  Move HostFuzzer from vm/qemu. It's needed in a number of other packages and strictly speaking is not specific to qemu (it just happened that both fuchsia and akaros only support qemu).
* pkg/bisect: detect wrong bisections (Dmitry Vyukov, 2019-11-07, 1 file, -8/+9)
  Detect bisection to merge commits and to commits that don't affect kernel binary (comments, other arches, whitespaces, etc). Such bisections are not reported in emails (but shown on web).
  Update #1271
* pkg/build: add build signatures (Dmitry Vyukov, 2019-11-06, 1 file, -1/+1)
  Add optional build signature for images, currently only implemented for linux. This can be used in bisection process to detect changes that do not affect kernel.
  Update #1271
* pkg/build: refactor Image function arguments (Dmitry Vyukov, 2019-11-06, 1 file, -8/+17)
  Image takes too many arguments, so we need to do lots of forwarding, adding new arguments is painful and most OSes are not interested in lots of arguments. Combine all arguments into a params struct.
* pkg/bisect: add initial testing support for cause bisection (Zubin Mithra, 2019-10-22, 1 file, -6/+12)
  (note: incomplete change)
  Refactor existing code as follows:
  * Move reusable test utility functions from git_repo_test.go to pkg/vcs/test_util.go and make them exported.
  * Split Run() into Run()+runImpl().
  * Change type of bisect.go:env.inst to `instance.BuilderTester`. Change usage inside syz-testbuild/testbuild.go accordingly.
  * Move most of linux.PreviousReleaseTags() into vcs/git.go as git.previousReleaseTags().
  * Allow build.CompilerIdentity to be mocked.
  Introduce the following changes:
  * instance.BuilderTester is an interface with methods BuildSyzkaller() BuildKernel() Test(). NewEnv() now returns this interface.
  * type testEnv implements instance.BuilderTester.
  * type testBuilder implements builder interface. Add an entry into table inside pkg/build/build.go:getBuilder() to return testBuilder object.
* all: convert Fuchsia to use "host fuzzing" mode (Matthew Dempsky, 2019-08-27, 2 files, -3/+5)
  Go support is not a priority for Fuchsia at the moment, so it's preferable to use host fuzzing mode for Fuchsia like currently done for Akaros.
  This commit basically looks for all the places where there was special logic for OS=="akaros" and extends the same logic for OS=="fuchsia".
* pkg/log: rename -v to -vv (Dmitry Vyukov, 2019-07-16, 2 files, -8/+16)
  To avoid conflicts with programs that import both syzkaller packages and github.com/golang/glog which also defines -v flag.
* pkg/report: add Type/Frame to Report (Dmitry Vyukov, 2019-05-20, 1 file, -1/+1)
  In several places we do special handling for some crash types. Currently we compare report title with magic strings, which is error-prone. Add explicit Type to reports.
* pkg/instance: fix types in OverrideVMCount (Dmitry Vyukov, 2019-05-18, 1 file, -2/+2)
  vmConfig value is interface{}, not string. So compare with nil and assign int.
* pkg/instance: break the line to appease linter (#1173) (Greg Steuck, 2019-05-12, 1 file, -1/+2)
  * pkg/instance: break the line to appease linter
  * fix up format
* syz-ci: don't assume kernel config is called .config (Dmitry Vyukov, 2019-05-12, 1 file, -3/+10)
  .config is linux-ism. We have a convention that kernel config is copied to kernel.config file. Use it.
* syz-ci: always use 10 VMs for bisection (Dmitry Vyukov, 2019-05-10, 1 file, -0/+17)
  If a manager has fewer than 10 VMs override it to 10 for bisection. If a manager has only 1 VM, bisection won't end well.
* vm/gce: allow non-preemptible VMs (Dmitry Vyukov, 2019-03-28, 1 file, -25/+19)
  We are seeing some flakes during bisection and image testing. Hard to tell what's the root cause because they are episodic. But using non-preemptible VMs for bisection and image testing looks good on all fronts.
  Update #501
* pkg/csource: allow to ignore warnings during build (Dmitry Vyukov, 2019-03-21, 1 file, -1/+1)
  Running bisection using an older repro failed with:
  <stdin>: In function ‘syz_mount_image.constprop’:
  <stdin>:298:3: error: argument 1 null where non-null expected [-Werror=nonnull]
  In file included from <stdin>:26:0:
  /usr/include/x86_64-linux-gnu/sys/stat.h:320:12: note: in a call to function ‘mkdir’ declared here
  extern int mkdir (const char *__path, __mode_t __mode)
  Let's be safe and ignore warnings during repro/bisect. Everything that runs during tests still has all warnings.
  Update #501
* pkg/instance: fix boot error detection (Dmitry Vyukov, 2019-03-17, 1 file, -1/+6)
  Currently we truncate output up to rep.EndPos after unexpected reboot. But report sets EndPos to the _last_ report in output, so if there are any other errors they are all skipped after truncation to EndPos. Truncate just one line instead.
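The skipping bug that commit fixes, as an added example that is not syzkaller's code: the boot log, the Report type, the oops regexp and the parse() function are all constructed here, with parse() modelling only the one property the commit relies on (StartPos points at the first report, EndPos at the end of the last one). Resuming the scan at EndPos drops every report in between; resuming one line past StartPos finds them all.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed console output (not a real boot log): two distinct warnings
// followed by the panic that takes the VM down.
const bootLog = `[    0.100000] booting
[    0.200000] WARNING: CPU: 0 PID: 1 at drivers/foo.c:10 foo_probe+0x1/0x2
[    0.300000] WARNING: CPU: 0 PID: 1 at drivers/bar.c:20 bar_probe+0x1/0x2
[    0.400000] Kernel panic - not syncing: VFS: Unable to mount root fs
`

// Report carries the two positions this example cares about; the real
// pkg/report type has more fields.
type Report struct {
	Title    string
	StartPos int // first byte of the first oops line
	EndPos   int // end of the last oops line, as the commit describes
}

// oopsLine is a stand-in for the OS-specific oops detection.
var oopsLine = regexp.MustCompile(`(?m)^.*(WARNING:|BUG:|Kernel panic).*$`)

// parse returns the first oops in output, with EndPos extended to the end
// of the last one, which is the property that makes skipping to EndPos lossy.
func parse(output []byte) *Report {
	all := oopsLine.FindAllIndex(output, -1)
	if all == nil {
		return nil
	}
	first, last := all[0], all[len(all)-1]
	return &Report{
		Title:    string(output[first[0]:first[1]]),
		StartPos: first[0],
		EndPos:   last[1],
	}
}

// titlesSkippingToEndPos is the old loop: after each report, drop the output
// up to rep.EndPos and parse again.
func titlesSkippingToEndPos(output []byte) []string {
	var titles []string
	for rep := parse(output); rep != nil; rep = parse(output) {
		titles = append(titles, rep.Title)
		output = output[rep.EndPos:]
	}
	return titles
}

// titlesSkippingOneLine is the fixed loop: drop the output only through the
// end of the line on which the report starts, so later reports survive.
func titlesSkippingOneLine(output []byte) []string {
	var titles []string
	for rep := parse(output); rep != nil; rep = parse(output) {
		titles = append(titles, rep.Title)
		end := rep.StartPos
		for end < len(output) && output[end] != '\n' {
			end++
		}
		if end < len(output) {
			end++ // consume the newline as well
		}
		output = output[end:]
	}
	return titles
}

func main() {
	fmt.Println("skip to EndPos:", titlesSkippingToEndPos([]byte(bootLog)))
	fmt.Println("skip one line: ", titlesSkippingOneLine([]byte(bootLog)))
}
```

With the constructed log the first loop returns only the foo.c warning, because EndPos already sits past the panic line; the second loop returns all three lines in order.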