| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Does not require passing text program to ipc.Env.Exec.
Make it possible to provide just the exec encoding.
This requires moving fallback coverage to the host
since it need the program.
|
| |
|
|
|
|
| |
Prepend total number of calls to the exec encoding.
This will allow pkg/ipc to better parse executor response
without full parsing of the encoded program.
|
| |
|
|
|
|
| |
If we send exec encoding to the fuzzer, it's not necessary to serialize
exec encoding into existing buffer (currnetly we serialize directly into shmem).
So simplify code by serializing into a new slice.
|
| |
|
|
|
|
|
|
| |
Allow to profile how many bytes are consumed for what in the exec encoding.
The profile shows there are not many opportunities left.
53% are consumed by data blobs.
13% for const args.
18% for non-arg things (syscall number, copyout index, props, etc).
|
| |
|
|
|
|
|
|
|
|
| |
1. Don't write size/flags for addresses.
2. Write address w/o data offset (fewer bytes in leb128 encoding).
Median exec size shrinks by 25%:
- exec sizes: 10%:584 50%:1423 90%:7076
+ exec sizes: 10%:448 50%:1065 90%:6319
|
| |
|
|
|
|
|
|
| |
With leb128 ints it does not make any sense.
Reduces exec sizes a bit more:
- exec sizes: 10%:597 50%:1438 90%:7145
+ exec sizes: 10%:584 50%:1423 90%:7076
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Switch from uint64 to leb128 encoding for integers.
This almost more than halves serialized size:
- exec sizes: 10%:2160 50%:4792 90%:14288
+ exec sizes: 10%:597 50%:1438 90%:7145
and makes it smaller than the text serialization:
text sizes: 10%:837 50%:1591 90%:10156
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
To be able to collide specific syscalls more precisely, we need to
repeat the process many times.
Introduce the `rerun` call property, which instructs `syz-executor` to
repeat the call the specified number of times. The intended use is:
call1() (rerun: 100, async)
call2() (rerun: 100)
For now, assign rerun values randomly to consecutive pairs of calls,
where the first one is async.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Replace the currently existing straightforward approach to race triggering
(that was almost entirely implemented inside syz-executor) with a more
flexible one.
The `async` call property instructs syz-executor not to block until the
call has completed execution and proceed immediately to the next call.
The decision on what calls to mark with `async` is made by syz-fuzzer.
Ultimately this should let us implement more intelligent race provoking
strategies as well as make more fine-grained reproducers.
|
| |
|
|
|
|
|
|
|
|
|
| |
If a call having non-default call props is followed by a call not having
copyin instructions, the non-default call prop values will be lost.
Fix this by trying to commit the call before processing the call props
structure.
Adjust the call-props-related decodeexec test to emulate that situation as
well.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Now that call properties mechanism is implemented, we can refactor
fault injection.
Unfortunately, it is impossible to remove all traces of the previous apprach.
In reprolist and while performing syz-ci jobs, syzkaller still needs to
parse the old format.
Remove the old prog options-based approach whenever possible and replace
it with the use of call properties.
|
| |
|
|
|
|
|
|
|
| |
Call properties let us specify how each individual call within a program
must be executed. So far the only way to enforce extra rules was to pass
extra program-level properties (e.g. that is how fault injection was done).
However, it entangles the logic and not flexible enough.
Implement an ability to pass properties along with each individual call.
|
| |
|
|
|
|
| |
Detect the case when a program requires more copyout than executor can handle.
Curretnly these result in: "SYZFAIL: command refers to bad result" failures.
Now syz-fuzzer should ignore them.
|
| |
|
|
|
|
|
|
| |
Use native byte-order for IPC and program serialization.
This way we will be able to support both little- and big-endian
architectures.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
|
| |
|
|
| |
Checks for too long functions (based on lines and statements).
|
| |
|
|
|
| |
Update #477
Update #502
|
| |
|
|
|
|
| |
Fixes #1542
Found thanks to syz-check. Update #590
|
| |
|
|
|
|
| |
Make pseudo checksums depend (via csumUses) on the arg it requires for
calculation. Otherwise we fail to assign addrs to those args during encoding
for execution. Also add a test.
|
| |
|
|
|
|
|
|
|
|
|
| |
Over time we relaxed parsing to handle all kinds of invalid programs
(excessive/missing args, wrong types, etc).
This is useful when reading old programs from corpus.
But this is harmful for e.g. reading test inputs as they can become arbitrary outdated.
For runtests which creates additional problem of executing not
what is actually written in the test (or at least what author meant).
Add strict parsing mode that does not tolerate any errors.
For now it just checks excessive syscall arguments.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we only generate either valid user-space pointers or NULL.
Extend NULL to a set of special pointers that we will use in programs.
All targets now contain 3 special values:
- NULL
- 0xfffffffffffffff (invalid kernel pointer)
- 0x999999999999999 (non-canonical address)
Each target can add additional special pointers on top of this.
Also generate NULL/special pointers for non-opt ptr's.
This restriction was always too restrictive. We may want to generate
them with very low probability, but we do want to generate them.
Also change pointers to NULL/special during mutation
(but still not in the opposite direction).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make as much code as possible shared between all OSes.
In particular main is now common across all OSes.
Make more code shared between executor and csource
(in particular, loop function and threaded execution logic).
Also make loop and threaded logic shared across all OSes.
Make more posix/unix code shared across OSes
(e.g. signal handling, pthread creation, etc).
Plus other changes along similar lines.
Also support test OS in executor (based on portable posix)
and add 4 arches that cover all execution modes
(fork server/no fork server, shmem/no shmem).
This change paves way for testing of executor code
and allows to preserve consistency across OSes and executor/csource.
|
| |
|
|
|
| |
fmt type allows to convert intergers and resources
to string representation.
|
| |
|
|
|
|
|
|
|
| |
We currently use -1 as default value for resources
when the actual value is not available.
-1 is good for fd's, but is not the right default
value for pointers/keys/etc.
Pass from prog and use in executor proper default
value for resources.
|
| |
|
|
|
| |
Fix alignemnt calculation for packed structs with alignment and bitfields.
Amusingly this affected only a single real struct -- ipv6_fragment_ext_header.
|
| |
|
|
|
|
| |
Turns out we never produced NULL pointers because
what's meant to be NULL pointer was actually encoded
as pointer to beginning of the data region.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Generated program always uses pid=0 even when there are multiple processes.
Make each process use own pid.
Unfortunately required to do quite significant changes to prog,
because the current format only supported fixed pid.
Fixes #490
|
| |
|
|
| |
Fixes #174
|
| |
|
|
|
|
|
|
|
| |
Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.
|
| |
|
|
|
|
| |
We have them in linux solely for historical reasons.
Fixes #462
|
| |
|
|
|
|
| |
Currently we always send 2MB of data to executor in ipc_simple.go.
Send only what's consumed by the program, and don't send the trailing zeros.
Serialized programs usually take only few KBs.
|
| |
|
|
|
|
| |
Now each prog function accepts the desired target explicitly.
No global, implicit state involved.
This is much cleaner and allows cross-OS/arch testing, etc.
|
| |
|
|
|
|
|
|
|
|
|
| |
Large overhaul moves syscalls and arg types from sys to prog.
Sys package now depends on prog and contains only generated
descriptions of syscalls.
Introduce prog.Target type that encapsulates all targer properties,
like syscall list, ptr/page size, etc. Also moves OS-dependent pieces
like mmap call generation from prog to sys.
Update #191
|
| |
|
|
| |
In preparation for moving sys types to prog to reduce later diffs.
|
| |
|
|
|
| |
In preparation for moving sys types to prog
to avoid confusion between sys.Call and prog.Call.
|
| |
|
|
| |
This makes types constant during execution, everything is precomputed.
|
| |
|
|
| |
It is used only by a single test. Remove it from non-test code.
|
| |
|
|
|
|
| |
Move most of the logic from sysgen to pkg/compiler.
Update #217
|
| |
|
|
|
|
| |
ResultArg might have const value.
Also add a test.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
A bunch of spot optmizations after cpu/memory profiling:
1. Optimize hot-path coverage comparison in fuzzer.
2. Don't allocate and copy serialized program, serialize directly into shmem.
3. Reduce allocations during parsing of output shmem (encoding/binary sucks).
4. Don't allocate and copy coverage arrays, refer directly to the shmem region
(we are not going to mutate them).
5. Don't validate programs outside of tests, validation allocates tons of memory.
6. Replace the choose primitive with simpler switches.
Choose allocates fullload of memory (for int, func, and everything the func refers).
7. Other minor optimizations.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Now it's possible to use `int32:18` to denote a bitfield of size 18 as a struct field.
This fixes #72.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Struct padding was accidentially lost after:
852e3d2eae98a913b7ec91822ba4dc61059a6955
Restore it. Now with tests.
Fixes #78
|
