| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
TitleToCrashType is a simple function with no heavy dependencies
that is used by the dashboard app.
Currnetly we have to import pkg/report into dashboard/app,
and this package has lots of heavy deps (symbolizer, demangler,
coverage report generation, etc).
Move TitleToCrashType to pkg/report/crash (where it arguably belongs anyway).
|
| |
|
|
| |
Send only the first report to dashboard.
|
| |
|
|
|
| |
1. func Run optionally accepts the opts.
2. Some refactoring, more comments.
|
| |
|
|
| |
./tools/syz-env bin/golangci-lint run ./... --fix
|
| | |
|
| | |
|
| |
|
|
|
|
| |
setExecutorInfo is closer to Report.
Distinguish reportType and defaultReportType
Make setter a Report member function.
|
| |
|
|
|
|
|
| |
We need to look for the error type after the "rust_kernel: panicked"
line.
Ignore some common irrelevant frames.
|
| |
|
|
|
|
|
|
| |
Do demangling as a part of Symbolize() processing.
Add a TestSymbolize test to verify the results.
Fix old report_test.go bugs to better react to the -update flags.
Closes #6035.
|
| |
|
|
|
| |
It will help avoid bug duplication in case of adding new prefixes to
strip.
|
| |
|
|
| |
It allows to reduce parameters count for some functions.
|
| |
|
|
| |
They are shorter, more readable, and don't require temp vars.
|
| |
|
|
|
|
| |
Sometimes it may happen that we only get part of the string. Let's
suppress the report both for the specific error message and for ALSA in
general.
|
| |
|
|
|
| |
For Linux bugs, extract the proc id and the prog id from the crash
report.
|
| | |
|
| |
|
|
|
| |
Lint started warning about duplicate "gvisor" const in pkg/cover.
Add gvisor/starnix consts to sys/targets package to avoid duplication.
|
| |
|
|
|
| |
Add smoke testing mode to manager and use it in syz-ci
instead of pkg/instance which uses syz-fuzzer binary.
|
| |
|
|
|
| |
These are susceptible to potentially very long lines in the input.
Direct splitting by \n is more reliable.
|
| |
|
|
|
|
|
| |
Akaros support is unused, it was shutdown on syzbot for a while,
the akaros development seems to be frozen for years as well.
We have a bunch of hacks for Akaros since it supported
only super old gcc and haven't supported Go. Remove it.
|
| |
|
|
|
| |
Until we have figured out a way to solve #4495, let's just truncate
repro logs before sending them over the dashboard API.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a "fatal error:" bug is reported, this usually means that syzkaller
itself had a memory corruption (except in the gVisor fuzzing case where
this could be an actual bug in gVisor)
Most likely, this is due to a kernel that went wild and corrupted the
syzkaller address space, but in that case the exact details of what part
of the runtime failed are rarely relevant.
This gathers all these go runtime errors under one umbrella so they are
easier to track. Except for gVisor on which the logic is kept the same
as existing.
Add three test cases to the linux reporting:
- 705 (equivalent to the current all/report/7) to make sure Go OOO are
suppressed (they have a different title now but still get suppressed)
- 706 (equivalent to the current all/report/8) to make sure that ALSA
"fatal errors" are not handled as Go fatal errors
- 707 (new) to make sure that reports like
https://syzkaller.appspot.com/bug?extid=3f00d7083c52713ba3b0 are
re-named to "go runtime error"
|
| | |
|
| |
|
|
| |
It refers to SYZFAIL and SYZFATAL errors.
|
| |
|
|
|
| |
This will help avoid a circular dependency pkg/vcs -> pkg/report ->
pkg/vcs.
|
| |
|
|
| |
Amend oops and oopsFormat to contain report type.
|
| |
|
|
| |
Make it string -- it will be easier and cause less code duplication.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Background info:
When a bisection is started, we only know the kernel commit on which
syzkaller encountered the crash. Before the actual bisection begins,
bisect() needs to find a good commit. Then we can bisect between them.
For fix bisections bisect() tests HEAD. If HEAD doesn't have the bug
the fixing commit must be somewhere in the middle. For cause bisection
we test a number of old releases, starting with the newest release.
Both this commit range search and the actual bisection later use test()
to build the kernel and run the reproducer.
During actual bisections we invoke test() for every step. If any test()
invocation returns a non nil error, the bisection it was called from
is aborted. Any non-fatal errors should be signaled via the testResult
returned from test(). For this reason a build/boot failure does not
return an error. Instead testResult.verdict will be vcs.BisectSkip.
The Problem:
Given the following call stack:
bisect() -> commitRange() -> commitRangeFor{Fix,Cause}() -> test()
Previously we reported fix bisections, where HEAD was build broken and
cause bisections where all tested releases were build broken as
inconclusive.
This is confusing for users. For fix bisections it looks like the
fixing commit is either the commit from the original crash or HEAD.
For cause bisections it looks like the breaking commit is either the
original commit or the commit of the oldest tested release. Neither
is correct.
For fix bisections we see this, when the HEAD of a tested branch is
build broken. When this happens all attempted fix bisections will get
nonsense results. For cause bisections we see this, when changes to the
bisection compilers or test rootfs cause us to not be able to build or
boot very old kernels.
These inconclusive bisection results will not be retried automatically
and we don't have an easy way to clear them.
The Solution:
For fix bisections: Retry the bisection later. If HEAD is completely
broken we will know, because fuzzing will stop.
For cause bisections: Mark the bisection as failed. The result is
unlikely to change in the future without intervention by the syzbot
admins. Users won't bother looking at those bisections and the
dashboard already has code to mass-retry failed bisections.
- In test(): Populate testResult.rep with a meaningful report before
returning, after build/boot failures.
- In bisect(): Explicitly check the testResult.verdict of the last
commit tested in commitRange(), instead of using testResult.rep==nil
as an oracle for aborting the bisection.
- In bisect(): Don't return an inconclusive result when build/boot
failures prevent us from finding a commit range to bisect between.
|
| |
|
|
|
| |
Of course something in the kernel prints "fatal error"
and it's not a kernel bug.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This several small improvements:
1. Move these patterns into the common part.
We run Go code on (almost) all OSes and error messages
are the same for all of them.
2. Detect "fatal error:" as a bug as well.
This is what I currently see from Go 1.20 runtime,
but we don't recognize it, so these reports probably
go into "lost connection" bucket now (bad).
3. Add a pattern for panic(ENOMEM) message.
pkg/image/compression_optimized.go can produce it
on mmap failure.
4. Add tests.
|
| |
|
|
|
|
|
|
| |
We cannot unfortunately just substitute Report and invoke Symbolize(),
because in this case a non-emtpy reportPrefixLen may lead to `panic:
runtime error: slice bounds out`.
Create a special external method in the pkg/report package.
|
| |
|
|
|
|
|
| |
This commit adds a new VM for fuzzing starnix.
The VM will boot a fuchsia image using the `ffx` tool and will connect to an adb server inside it. Fuzzing will be done using HostFuzzer mode due to some features not being implemented yet in starnix. Once this is possible, fuzzing will be performed without HostFuzzer mode.
Co-authored-by: Juampi Miceli <jpmiceli@google.com>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* pkg/report: check for get_maintainer.pl before calling it
For Android kernels, this tool will be in a different location
(common/scripts/get_maintainer.pl). Currently this causes the
Symbolize() call to fail, which stops reproduction.
* pkg/report: check for get_maintainer.pl before calling it
For Android kernels, this tool will be in a different location
(common/scripts/get_maintainer.pl). Currently this causes the
Symbolize() call to fail, which stops reproduction.
|
| |
|
|
|
|
|
|
| |
Currently "./syzkaller-testdir264563108" is replaced with "./syzkaller-testdir2ADDR".
That's due to a bug in the ADDR replacement rule. Fix it.
Also improve NUM replement b/c currently "testdir264563108" is considered
as it can be a function name.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously we would pick the first non-ignored file. Now instead,
continue searching the stack trace for more specific files.
A "more specific" file wrt the first non-ignored file has:
- the same directory prefix
- a deeper directory nesting
E.g. `fs/ntfs3/*.c` is "more specific" than "fs/*.c".
We search for the most specific file (i.e. the deepest nesting), and
take the first most specific if there are multiple files with the same
nesting.
This commit also adds three tests for this behaviour, taken from
recent `syzbot` bugs which identified the wrong file. Now the desired
file is identified.
Only one existing test shows different output with the new behaviour.
Updates #3393.
|
| |
|
|
| |
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
|
|
|
| |
Support extracting multiple frames from a single report
(one per parseStackTrace marker). Extract KMSAN origin
frame and use it as an additional ALT title for deduplication.
Fixes #2927
|
| |
|
|
|
|
|
|
| |
The recent commit 'pkg/mgrconfig: add "interests"' made pkg/repro
symbolize returned reports. But syz-manager symbolizes them as well.
This leads to double symbolization. Don't symbolize second time.
Fixes #2934
|
| |
|
|
|
|
|
| |
We have "suppressions" parameter to suppress non-interesting reports.
Add "interests" parameter which is an opposite of "suppressions" --
everything that's not in "interests" is suppressed.
It's matched against bug title, guilty file and maintainer emails.
|
| |
|
|
|
|
|
|
|
| |
Currently KMSAN does not include the "Call Trace" line into its reports.
As syzkaller still expects it, most of those reports end up being
classified as corruped and do not get published by syzbot (see #2733).
Adjust the parsing rules to support these new reports.
Add a test to validate the new behavior.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Replace not just long sequences of digits in report titles, but every
sequence of '0'-'9' that is not surrounded by word characters.
As such matches will overlap and Go does not (currently?) support regexp
lookarounds, do the replacement multiple times until there is nothing
more to do. This should not slow down syzkaller, since this code is
only invoked during crash processing.
Restrict LINE replacement only to fragments that have a preceeding file
name. This prevents replacements like [1:2] -> [NUM:LINE].
|
| |
|
|
|
|
|
|
|
|
| |
Currently syzkaller only applies its suppressions regexps to the oops message
itself and a small number of its preceding bytes. A case has been reported
(#2685), where it was important to analyse a bigger portion of output data.
Pass the whole log and a starting position to the `Report.Parse` method
separately instead of passing an already cut log there. Adjust use cases of
the `Report.Parse` method to handle its new behavior.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently a number of report post-processing activities are implemented as a
decorator over the interface that defines OS-specific implementations.
Following exactly the same interface is too restrictive in this case as adding
extra parameters to the post-processing forces the developer to adjust all
implementations thay may not need these parameters at all.
Untie the wrapper from the Reporter interface. Use a package-private
reporterImpl interface for the OS-specific implementations, while having an
exported Reporter structure. Make sure that Reporter is stored and
passed as a pointer.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently all executor fail errors go into "lost connection" bucket.
This is not very useful. First, there are different executor failures.
Second, it's not possible to understand what failures happen how frequently.
Third, there are not authentic lost connection.
Create separate SYZFAIL: bugs for them.
Update #573
Update #502
Update #318
|
| | |
|
| |
|
|
| |
Update #1575
|
| | |
|
