| Commit message | Author | Age | Files | Lines |
They are shorter, more readable, and don't require temp vars.
It duplicates random calls in a program and makes the duplicated copies
async.
E.g. it could transform
r0 = test()
test2(r0)
to
r0 = test()
test2(r0) (async)
test2(r0)
or
test() (async)
r0 = test()
test2(r0)
Add a strategy that resembles the previous collide mode, but detaches not
every other call but rather all calls during the second execution (or at least
as many as possible). Follow the strategy for 33% of all collide
executions.
It was shown during the experiments that this strategy has a positive
effect on the number of discovered crashes and bugs.
To be able to collide specific syscalls more precisely, we need to
repeat the process many times.
Introduce the `rerun` call property, which instructs `syz-executor` to
repeat the call the specified number of times. The intended use is:
call1() (rerun: 100, async)
call2() (rerun: 100)
For now, assign rerun values randomly to consecutive pairs of calls,
where the first one is async.
Replace the currently existing straightforward approach to race triggering
(that was almost entirely implemented inside syz-executor) with a more
flexible one.
The `async` call property instructs syz-executor not to block until the
call has completed execution and proceed immediately to the next call.
The decision on what calls to mark with `async` is made by syz-fuzzer.
Ultimately this should let us implement more intelligent race-provoking
strategies as well as make more fine-grained reproducers.