path: root/pkg/runtest
Commit message | Author | Age | Files | Lines
* all: use any instead of interface{} | Dmitry Vyukov | 2025-12-22 | 1 | -1/+1
  Any is preferred over interface{} now in Go.
* pkg/runtest: refactor checkCallResult() | Alexander Potapenko | 2025-09-22 | 1 | -36/+54
  Break checkCallResult() down into smaller functions, checkCallStatus() and checkCallCoverage().
* executor: sys/linux/: pkg/runtest: pkg/vminfo: add syz_kvm_assert_syzos_kvm_exit | Alexander Potapenko | 2025-09-19 | 1 | -1/+1
  Implement a pseudo-syscall to check the value of kvm_run.exit_reason
* pkg/runtest: fix a null deref in checkCallResult | Alexander Potapenko | 2025-09-19 | 1 | -15/+9
  Pseudo-syscalls from noCovSyscalls may not generate any coverage, which leads to a crash in the following line:
      if len(inf.Signal) < 2 && !calls[callName] && len(info.Extra.Signal)
  Make sure that this check is only done for calls not belonging to noCovSyscalls.
* pkg/runtest: typo fix | Alexander Potapenko | 2025-07-31 | 1 | -1/+1
* pkg/flatrpc, pkg/vminfo, executor: introduce readonly coverage | Alexander Potapenko | 2025-07-31 | 1 | -0/+1
  Add a new vminfo feature, FeatureKcovResetIoctl, that is true if the kernel supports ioctl(KCOV_RESET_TRACE) making it possible to reset the coverage buffer on the kernel side. This, in turn, allows us to map the coverage buffer read-only, which will prevent all sorts of userspace-generated corruptions at a cost of an extra syscall per program execution.
  The corresponding exec env flag, ExecEnv::ReadOnlyCoverage, turns on read-only coverage in the executor. It is enabled by default if FeatureKcovResetIoctl is on.
* all: apply linter auto fixes | Taras Madan | 2025-07-17 | 1 | -2/+2
      ./tools/syz-env bin/golangci-lint run ./... --fix
* pkg/runtest: collect syz-executor logs on failures | Aleksandr Nogikh | 2025-06-23 | 1 | -0/+5
  This will help us eventually debug #6109.
* all: remove loop variables scoping | Taras Madan | 2025-02-17 | 2 | -4/+0
* pkg/rpcserver: refactor RunLocal | Aleksandr Nogikh | 2025-02-03 | 1 | -2/+1
  Accept context as a function argument. Split out the code that creates a syz-executor process instance.
* sys/syz-sysgen: serialize descriptions as gob and embed | Dmitry Vyukov | 2025-01-23 | 1 | -1/+1
  Instead of generating Go files with descriptions serialize them as gob and compress with flate. This significantly reduces build time, go vet time, and solves scalability problems with some static analysis tools.
  Reference times (all after rm -rf ~/.cache/go-build) before:
      TIME="%e %P %M" time go install ./syz-manager
      48.29 577% 4824820
      TIME="%e %P %M" time go test -c ./prog
      56.28 380% 6973292
  After:
      TIME="%e %P %M" time go install ./syz-manager
      22.81 865% 859788
      TIME="%e %P %M" time go test -c ./prog
      12.74 565% 267760
  syz-manager size before/after: 194712597 -> 83418407 -57% even provided we now embed all descriptions instead of just a single arch.
  Deflate/decoding time for a single Linux arch is ~330ms.
  Fixes #5542
* executor: query globs in the test program context | Dmitry Vyukov | 2024-12-11 | 1 | -2/+3
  We query globs for 2 reasons:
  1. Expand glob types in syscall descriptions.
  2. Dynamic file probing for automatic descriptions generation.
  In both of these contexts we are interested in files that will be present during test program execution (rather than normal unsandboxed execution). For example, some files may not be accessible to test programs after pivot root. On the other hand, we create and link some additional files for the test program that don't normally exist.
  Add a new request type for querying of globs that are executed in the test program context.
* pkg/vminfo: sys/linux: executor: define syz_kvm_assert_syzos_uexit() | Alexander Potapenko | 2024-12-11 | 1 | -4/+13
  The new pseudo-syscall will serve as a test assertion, checking the uexit return value. This is going to help us validate SyzOS code.
* pkg/runtest: use qemu-<arch> binaries to run cross-compiled tests | Alexander Potapenko | 2024-12-06 | 1 | -7/+50
  When running the executor tests, do not rely on qemu-user providing binfmt_misc handlers for alien arches (e.g. arm64 on x86), because binfmt_misc cannot be mounted inside the Docker container.
  Instead, explicitly run the cross-compiled executor under the corresponding QEMU binary.
* pkg/runtest: make cross-arch failures fatal on CI | Alexander Potapenko | 2024-12-06 | 1 | -1/+2
  When running on GitHub CI, turn every failure to start a cross-arch binary (e.g. due to missing qemu-user) into a fatal error.
* pkg/runtest: fail on cross-platform SYZFAIL reports | Alexander Potapenko | 2024-12-05 | 1 | -1/+6
  Previously, cross-platform invocations of `syz-executor test` were ignored in the case of a SYZFAIL, and the test was still marked as PASS.
  Explicitly report a test failure instead.
* syz-manager: pkg: skip seeds with mismatching requirements in fuzzing mode | Alexander Potapenko | 2024-12-03 | 2 | -79/+4
  When running in the test mode, syz-manager already ignores tests that have arch requirements mismatching the target arch.
  Because the same tests are also used as seeds in the fuzzing mode, skip them likewise, instead of reporting errors if they contain arch-specific syscalls.
  The code and tests for parsing the requirements are moved from pkg/runtest to pkg/manager.
* executor: add Glob test | Dmitry Vyukov | 2024-11-26 | 1 | -1/+2
* executor: don't revert coverage order | Dmitry Vyukov | 2024-11-26 | 1 | -11/+11
  Currently we write coverage backwards. This is visible e.g. when running syz-execprog -coverfile, and in the manager raw cover mode. Write it in the right order.
* pkg/runtest: rely on pkg/manager seed loading logic | Aleksandr Nogikh | 2024-10-14 | 1 | -1/+2
  It will help us catch broken seeds right in TestParse().
* all: follow new linter recommendations | Taras Madan | 2024-09-10 | 1 | -1/+1
* pkg/runtest: add target arch to the properties | Alexander Potapenko | 2024-07-29 | 1 | -3/+4
  Without that, tests that e.g. require arch=arm64 fail on an ARM64 VM.
* pkg/runtest: report invalid programs as failing | Alexander Potapenko | 2024-07-26 | 1 | -5/+15
  Instead of bailing out on the first program with e.g. parsing errors, create a "failing" runRequest for each of such programs.
* pkg/vminfo: don't parse modules for gvisor or starnix | Laura Peskin | 2024-07-26 | 1 | -0/+2
* pkg/runtest: fix a race during startup | Dmitry Vyukov | 2024-07-24 | 2 | -2/+8
  Run method usually runs in a separate goroutine concurrently with request consumer (Next calls), so at least executor needs to be initialized before Run. Otherwise we can get episodic nil derefs in Next method.
* pkg/runtest: fix nil deref on test failures | Dmitry Vyukov | 2024-07-24 | 1 | -1/+5
* executor: fix writing of remote coverage | Dmitry Vyukov | 2024-07-22 | 1 | -2/+22
  We never reset remote coverage, so if there is one block, we will write it after every call and multiple times at the end. It can lead to "too many calls in output" and just writes quadratic amount of coverage/signal. Reset remote coverage after writing.
* prog: restricts hints to at most 10 attempts per single kernel PC | Dmitry Vyukov | 2024-07-22 | 1 | -43/+37
  We are getting too many generated candidates, the fuzzer may not keep up with them at all (hints jobs keep growing infinitely).
  If a hint indeed came from the input w/o transformation, then we should guess it on the first attempt (or at least after few attempts). If it did not come from the input, or came with a non-trivial transformation, then any number of attempts won't help. So limit the total number of attempts (until the next restart).
* pkg/runtest: skip 32bit cover tests on architectures supporting only 64bit | Alexander Egorenkov | 2024-07-16 | 1 | -0/+4
  Fixes: a6f99ace4014 ("pkg/rpcserver: move kernel test/data range checks from executor")
  Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
* pkg/runtest: reduce the number of executors | Aleksandr Nogikh | 2024-07-11 | 2 | -34/+55
  On 32 core machines, we spin up 32 executor procs per each subtest. In many cases, we don't need that many.
* pkg/rpcserver: debug executor stalls | Aleksandr Nogikh | 2024-07-11 | 1 | -3/+4
  In some cases, the executor seems to be mysteriously silent when we were awaiting a reply.
  During pkg/runtest tests, give it 1 minute to prepare a reply, then try to request the current state and abort the connection.
* pkg/runtest: accept Context as a parameter | Aleksandr Nogikh | 2024-07-08 | 2 | -4/+4
  The cancellable context will let us abort runtest early in case of problems.
* pkg/runtest: pass a proper context for Request.Wait() calls | Aleksandr Nogikh | 2024-07-08 | 1 | -6/+9
  Otherwise there's a risk of an infinite hang in case RPCServer has finished its execution.
* pkg/runtest: fix episodic "directory not empty" failures in tests | Dmitry Vyukov | 2024-07-05 | 1 | -1/+19
  I still see the following errors in every other run:
      === CONT TestCover/64/1
      === NAME TestCover/64/3
          testing.go:1232: TempDir RemoveAll cleanup: unlinkat /tmp/TestCover6431888025363/001: directory not empty
      === CONT TestCover/64_fork/0
      === CONT TestCover/64_fork/9
      === NAME TestCover/64/1
          testing.go:1232: TempDir RemoveAll cleanup: unlinkat /tmp/TestCover6412810450597/001: directory not empty
  We set PR_SET_PDEATHSIG for subprocesses, but we still don't wait for them to terminate.
* pkg/rpcserver: move kernel test/data range checks from executor | Dmitry Vyukov | 2024-07-01 | 2 | -32/+32
  We see some errors of the form:
      SYZFAIL: coverage filter is full
      pc=0x80007000c0008 regions=[0xffffffffbfffffff 0x243fffffff 0x143fffffff 0xc3fffffff] alloc=156
  Executor shouldn't send non kernel addresses in signal, but somehow it does. It can happen if the VM memory is corrupted, or if the test program does something very nasty (e.g. discovers the output region and writes to it). It's not possible to reliably filter signal in the tested VM. Move all of the filtering logic to the host.
  Fixes #4942
* pkg/runtest: add tests for max signal and cover filter | Dmitry Vyukov | 2024-06-28 | 2 | -18/+77
* executor: always return some coverage for test OS | Dmitry Vyukov | 2024-06-28 | 1 | -1/+1
  This allows to enable test executor with coverage.
* Revert "pkg/vminfo: make it possible to force coverage support" | Dmitry Vyukov | 2024-06-28 | 1 | -6/+5
  This reverts commit 62e12a69a0ef8fec1cc0648b1314428621f9a697.
* pkg/vminfo: make it possible to force coverage support | Aleksandr Nogikh | 2024-06-28 | 1 | -5/+6
  We need this in pkg/runtest since not all TestOS targets natively support the coverage instrumentation.
  We used to achieve this by starting the RPC server with Coverage=false and then updating it to Coverage=true to suppress the fallback signal, but it's better to avoid such runtime config changes.
* pkg/runtest: test feature detection | Dmitry Vyukov | 2024-06-27 | 2 | -6/+37
  Fail some features in various ways for test OS, and check that features are detected properly.
* pkg/runtest: shorted parsing tests | Dmitry Vyukov | 2024-06-26 | 2 | -11/+10
  Parsing auto-generated seeds takes lots of time:
      --- PASS: TestParsing/linux/mips64le (56.86s)
      --- PASS: TestParsing/linux/amd64 (53.63s)
      --- PASS: TestParsing/linux/arm64 (53.32s)
      --- PASS: TestParsing/linux/arm (53.57s)
      --- PASS: TestParsing/linux/386 (53.59s)
      --- PASS: TestParsing/linux/s390x (43.09s)
      --- PASS: TestParsing/linux/riscv64 (43.17s)
      --- PASS: TestParsing/linux/ppc64le (43.12s)
  Don't even parse them. After:
      --- PASS: TestParsing/fuchsia/amd64 (0.48s)
      --- PASS: TestParsing/test/64_fork (0.59s)
      --- PASS: TestParsing/linux/386 (3.04s)
      --- PASS: TestParsing/linux/arm64 (3.08s)
      --- PASS: TestParsing/linux/riscv64 (3.10s)
      --- PASS: TestParsing/linux/s390x (3.13s)
      --- PASS: TestParsing/linux/amd64 (3.13s)
      --- PASS: TestParsing/linux/arm (3.14s)
      --- PASS: TestParsing/linux/mips64le (3.21s)
      --- PASS: TestParsing/test/32 (0.37s)
      --- PASS: TestParsing/fuchsia/arm64 (0.35s)
      --- PASS: TestParsing/test/32_fork (0.57s)
      --- PASS: TestParsing/test/64 (0.53s)
      --- PASS: TestParsing/test/64_fuzz (0.54s)
      --- PASS: TestParsing/linux/ppc64le (2.87s)
* executor: add runner mode | Dmitry Vyukov | 2024-06-24 | 3 | -239/+320
  Move all syz-fuzzer logic into syz-executor and remove syz-fuzzer. Also restore syz-runtest functionality in the manager.
  Update #4917 (sets most signal handlers to SIG_IGN)
* pkg/runtest: fix input data for 32-bit empty coverage test case | Alexander Egorenkov | 2024-06-12 | 1 | -1/+1
  Signed-off-by: Alexander Egorenkov <eaibmz@gmail.com>
* pkg/runtest: properly resubmit requests on retry | Aleksandr Nogikh | 2024-06-11 | 1 | -20/+37
  Use the intended Request.OnDone() mechanism to implement the retry logic.
  Fixes #4843.
* pkg/ipc: fix sign extension of comparison arguments | Dmitry Vyukov | 2024-06-11 | 1 | -5/+5
  We incorrectly extended comparison arguments since forever. This is sad. We tested the prog logic, but not the ipc/executor part. Fix the extension, add tests and force manager to re-triage inputs.
* executor: ignore kernel text addresses in comparisons | Dmitry Vyukov | 2024-06-11 | 1 | -3/+0
  We ignore comparisons of kernel data/physical addresses b/c these are not coming from user space. Ignore kernel text addresses for the same reason.
* executor: factor out is_kernel_pc helper | Dmitry Vyukov | 2024-06-11 | 1 | -1/+12
  Factor out is_kernel_pc helper and add kernel pc range for test OS for testing.
* executor: add end-to-end coverage/signal/comparisons test | Dmitry Vyukov | 2024-06-11 | 1 | -0/+249
* sys/targets: mark big-endian targets | Dmitry Vyukov | 2024-06-04 | 1 | -1/+1
  Little-endian is kind of default (except for s390). So instead of saying that each arch is little-endian, mark only s390 as big-endian.
* executor: remove noshmem mode | Dmitry Vyukov | 2024-06-04 | 1 | -1/+0
  All OSes we have now support shmem. Support for Fuchsia/Starnix/Windows wasn't implemented, but generally they support shared memory. Remove all of the complexity and code associated with noshmem mode. If/when we revive these OSes, it's easier to properly implement shmem mode for them.