Commit message | Author | Age | Files | Lines

probability coverage
Static prefix sums have been replaced with a Fenwick tree.
In the current syzkaller, program priority was set based on a Signal
received by a single system call. This commit allows priority to be
changed dynamically, making it possible to maintain priority based on
Signals from all system calls.
Signed-off-by: Grigory Bazilevich <g.bazilevich@ispras.ru>
This seems to help a bit with the number of round-trips.
Calculating total disk usage of all cache entries can take a very long time
for large caches (needs to stat all files). This is especially problematic
for tools/syz-aflow. Cache disk usage in the meta file.
We currently duplicate the list of source extensions in the build action
and codesearch tool. Unify the lists.
The error allows tools to communicate that an error is not an infrastructure error
that must fail the whole workflow, but rather a bad tool invocation by an LLM
(e.g. asking for the contents of a non-existent file).
Previously in the codesearcher tool we used a separate Missing bool
to communicate that. With the error everything just becomes cleaner and nicer.
The error also allows all other tools to communicate any errors to the LLM
when the normal results cannot be provided and don't make sense.
Just provides full file contents as last resort.
dir-index provides a list of subdirectories and files in the given
directory in the source tree.
Gracefully handle (reply to LLM with error):
- incorrect tool name
- incorrect tool arg type
- missing tool arg
Silently handle:
- more than one call to set-results
- excessive tool args
Fixes #6604
Detect model quota violations (assumed to be RPD).
Make syz-agent not request jobs that use the model
until the next quota reset time.
Fixes #6573
Having an LLM model per agent is even more flexible than per flow.
We can have some more complex tasks during patch generation with the most elaborate model,
but also some simpler ones with less elaborate models.
This patch implements syz_kvm_setup_cpu for the riscv64 architecture.
The pseudo-syscall accepts VM fd, vCPU fd, host memory, and guest code
as parameters. Additional parameters (ntext, flags, opts, nopt) are
included for interface consistency with other architectures but are
currently unused on riscv64.
Implementation:
- Set up guest memory via KVM_SET_USER_MEMORY_REGION
- Copy guest code to guest memory
- Initialize guest registers to enable code execution in S-mode
- Return 0 on success, -1 on failure
Testing:
A test file syz_kvm_setup_cpu_riscv64 is included in sys/linux/test/
to verify basic functionality.
Known limitations:
- ifuzz is not yet compatible with riscv64. Temporary workaround: set
text[riscv64] to TextTarget and return nil in createTargetIfuzzConfig
for riscv64 to ensure generateText and mutateText work correctly.
This patch also adds support for KVM_GET_ONE_REG ioctl.
Contrary to the description on top of MAINTAINERS, many F: records that
point to folders actually don't end with / or /*.
The get_maintainer.pl script already tolerates this, so let's do the
same.
Make it possible to print more debugging information when (re)generating
a subsystem list.
Include parent inference details in the source code itself and add a
-debug flag to list the source files assigned to each subsystem.
Update #6573
Add LLMAgent.Candidates parameter.
If set to a value N>1, then the agent is invoked N times,
and all outputs become slices.
The results can be later aggregated by another agent,
as shown in the test.
Start update goroutine even in the case of early returns in UpdateOnStart.
Fixes #6619
Do not tolerate unknown blob hashes - it means that we are unable to
find the correct base commit given the repository.
Explicitly ignore newly added files - we definitely won't find their
hashes.
Explicitly skip malformed patches that won't have any blob hashes -
otherwise we could end up with too many candidates and waste too much
time.
Flow errors denote failure of the flow itself,
rather than an infrastructure error. A flow error means an expected
condition in the flow when it cannot continue and cannot produce the
expected outputs. For example, if we are doing something with the kernel,
but the kernel build fails. Flow errors shouldn't be flagged in
Fixes #6610
GCE instance tags can be used for various purposes, such as applying
network firewall rules or filtering VMs for scheduling onto specific
hosts.
To support these use cases, syzkaller needs the ability to set
instance tags during VM creation.
This patch introduces a new tags field to the gce VM configuration that
allows users to specify a list of tags to be attached to GCE instances
created by syz-manager.
CitationMetadata may be present in replies sometimes.
CitationMetadata is a specific field in the Gemini API's response object
that alerts you when the model has directly quoted or closely derived
content from a specific source, such as a book, website, or open-source code repository.
We've got the following error:
syz-agent: unexpected reply fields ({Content:0xc0058eb4a0 CitationMetadata:0xc0094009a8
FinishMessage: TokenCount:0 FinishReason:STOP AvgLogprobs:0
GroundingMetadata:<nil> Index:0 LogprobsResult:<nil> SafetyRatings:[]
URLContextMetadata:<nil>})
A bag of minor assorted improvements to data formatting.
+ show job results in the jobs table
When configuring focus areas before directed fuzzing, construct regular
expressions that match the exact function names. Otherwise, we end up
adding more functions than intended.
We may want to use a weaker model for some workflows.
Allow using different models for different workflows.
Add race:harmful/benign label.
Set it automatically by confirmed AI jobs.
The bug lists on the main page are extremely long;
it's very hard to navigate between them.
Make bug lists collapsible.
Return the commits that represent unique sets of branches.
Sort the list topologically, breaking ties by commit date.
Add a workflow that can be used for moderation of UAF bugs (consistent/actionable reports);
such UAF bugs can be upstreamed automatically, even if they happened only once
and don't have a reproducer.
Rephrase the prompt to be only about KCSAN;
currently it has some leftovers from the more generic assessment prompt
that covered KASAN bugs as well (actionability).
Also add a Confident bool output.
We may want to act on both benign/non-benign,
so we need to know when the LLM wasn't actually sure either way.
This should also be useful for manual verification/statistics.
If the LLM is not confident and can admit that, it's much better
than giving a wrong answer. But we will likely want to track
the percent of non-confident answers.
We return Ctime from CreationTime. But "C" does not stand for "creation",
it stands for "status change" (inode update). It may or may not be the
creation time.
Use Btime (birth time) for creation time.
Fixes #6547
If the author of a patch series provides a base-commit tag, extract and store the hash.
Paths passed to filepath.WalkDir are absolute (include the dir prefix), account for that.
Strings returned by filepath.Ext include the dot, account for that as well.
TitleToCrashType is a simple function with no heavy dependencies
that is used by the dashboard app.
Currently we have to import pkg/report into dashboard/app,
and this package has lots of heavy deps (symbolizer, demangler,
coverage report generation, etc).
Move TitleToCrashType to pkg/report/crash (where it arguably belongs anyway).
rep.Output and rep.Report offsets are different because rep.Report is symbolized.
The fix converts offsets from the symbolized version back to the raw version.
Given a git diff, determine the latest commit where the modified files
still have the exact sha hashes they had at the moment the git patch was
created.
Add a commitChangeset() method to simplify setting up repository states
in tests.
Return not just the modified files, but also their blob hashes.
Keep vmlinux for debug info/addr2line.
Keep compile_commands.json, we need it for codesearch.
Add server for running agentic workflows as part of syzbot.
The architecture and use are similar to that of syz-ci.