Commit message
|
We have too many corpus minimization executions and the main source of these is call removal.
Try to remove all "unrelated" calls at once. Unrelated calls are the calls that don't use
any resources/files from the transitive closure of the resources/files used by the target call.
This may significantly reduce large generated programs in a single step.
|
If there are at least 3 elements, try to remove all at once first.
It will be faster than removing them one-by-one if all of them are not needed.
|
We have too many corpus minimization executions and for corpus we are only
interested in reducing total number of args that will be considered for mutation.
So don't minimize file names.
|
We have too many corpus minimization executions, so it does not make sense
to do even finer grained minimizations. These TODOs are super old and nobody
ever complained about poor minimization. So remove them.
|
Generally we try to avoid generating duplicates,
but in some cases they are hard to avoid.
For example, if we have an array with several equal elements,
removing them leads to the same program.
So check for duplicates explicitly.
|
It makes little sense to minimize ints for corpus.
Also replacing a resource with a default value does not make sense either.
For corpus we are only interested in reducing the total number of args
that will be considered for mutation.
Add CrashSnapshot mode, mainly to keep the minimization code "alive" for now.
|
All callers shouldn't control lots of internal details of minimization
(if we have more params, that's just more variations to test,
and we don't have more, params is just a more convoluted way to say
if we minimize for corpus or a crash).
2 bools also allow to express 4 options, but only 3 make sense.
Also when I see MinimizeParams{} in the code, it's unclear what it means.
Replace params with mode.
And potentially "crash" minimization is not "light", it's just different.
E.g. we can simplify int arguments for reproducers (esp in snapshot mode),
but we don't need that for corpus.
|
Program minimization executions constitute the majority of executions in most runs.
Count what parts of minimization consume how many executions so that
it's possible to optimize this.
|
Add an explicit parameter to only run call removal.
|
Treat all default union arguments as transient and reevaluate them after
the call was fully parsed.
Before conditional field patching, we do need to have performed arg
validation, which also reevaluates conditions. To break the cycle, make
validation configurable.
|
This reverts commit 8e75c913b6f9b09cab2ad31fd7d66ea0d1703de8.
|
Treat all default union arguments as transient and reevaluate them after
the call was fully parsed.
Before conditional field patching, we do need to have performed arg
validation, which also reevaluates conditions. To break the cycle, make
validation configurable.
|
pkg/compiler restructures conditional fields in structures into unions,
so we only have to implement the support for unions.
Semantics is as follows:
If a union has conditions, syzkaller picks the first field whose
condition matches. Since we require the last union field to have no
conditions, we can always construct an object.
Changes from this commit aim at ensuring that the selected union fields
always follow the rule above.
|
In many cases we can remove all calls that follow the call of interest.
Try this before deleting them one-by-one.
|
builtin
Create the `BufferCompressed` kind of `BufferType`, which will be used
to represent compressed data. Create the corresponding `compressed_image`
syzlang builtin, which is backed by `BufferCompressed`. For now, no
syscalls use this feature - this will be introduced in future commits.
We have to be careful to decompress the data before mutating, and
re-compress before storing. We make sure that any deserialised
`BufferCompressed` data is valid too.
`BufferCompressed` arguments are mutated using a generic heatmap. In
future, we could add variants of `BufferCompressed` or populate the
`BufferType` sub-kind, using it to choose different kinds of heatmap for
different uncompressed data formats.
Various operations on compressed data must be forbidden, so we check for
`BufferCompressed` in key places. We also have to ensure `compressed_image`
can only be used in syscalls that are marked `no_{generate,minimize}`.
Therefore, we add a generic compiler check which allows type
descriptions to require attributes on the syscalls which use them.
|
Create a `no_minimize` attribute to be used with syscalls that
`syzkaller` should not try to modify when minimizing a program that
produces a bug. The intention is to use this with syscalls that are
expensive to minimize, such as `syz_mount_image`.
Currently there are no `no_minimize` syscalls, but the next commit will
add some.
|
Generate very long file names once in a while to provoke bugs like:
https://github.com/google/gvisor/commit/f857f268eceb1cdee0b2bdfa218c969c84033fcd
|
To be able to collide specific syscalls more precisely, we need to
repeat the process many times.
Introduce the `rerun` call property, which instructs `syz-executor` to
repeat the call the specified number of times. The intended use is:
call1() (rerun: 100, async)
call2() (rerun: 100)
For now, assign rerun values randomly to consecutive pairs of calls,
where the first one is async.
|
Replace the currently existing straightforward approach to race triggering
(that was almost entirely implemented inside syz-executor) with a more
flexible one.
The `async` call property instructs syz-executor not to block until the
call has completed execution and proceed immediately to the next call.
The decision on what calls to mark with `async` is made by syz-fuzzer.
Ultimately this should let us implement more intelligent race provoking
strategies as well as make more fine-grained reproducers.
|
Currently csource skips calls at the very last moment, which has an
unpleasant consequence - if we make the choice of enabled defines depend on
the individual calls or call properties, we may end up with defined yet
unused functions.
The perfect solution would be to untie
syz_emit_ethernet/syz_extract_tcp_res and NetInjection, and also to
untie VhciInjection and syz_emit_vhci.
For the time being, move these checks to the very beginning of csource
processing, so that these calls could be removed before we construct our
defines.
Adjust pkg/csource/csource_test.go to better cover fault injection
generation problems.
|
Now that the call properties mechanism is implemented, we can refactor
fault injection.
Unfortunately, it is impossible to remove all traces of the previous approach.
In reprolist and while performing syz-ci jobs, syzkaller still needs to
parse the old format.
Remove the old prog options-based approach whenever possible and replace
it with the use of call properties.
|
Fix capitalization, dots at the end
and two spaces after a period.
Update #1876
|
Remove FieldName from Type and add a separate Field type
that holds field name. Use Field for struct fields, union options
and syscalls arguments, only these really have names.
Reduces size of sys/linux/gen/amd64.go from 5665583 to 5201321 (-8.2%).
Allows not creating a new type for squashed any pointer.
But main advantages will follow, e.g. removing StructDesc,
using TypeRef in Arg, etc.
Update #1580
|
Having Dir in Type is handy, but forces us to duplicate lots of types.
E.g. if a struct is referenced as both in and out, then we need to
have 2 copies and 2 copies of structs/types it includes.
It also prevents us from having the struct type as struct identity
(because we can have up to 3 of them).
Revert to the old way we used to do it: propagate Dir as we walk
syscall arguments. This moves lots of dir passing from pkg/compiler
to prog package.
Now Arg contains the dir, so once we build the tree, we can use dirs
as before.
Reduces size of sys/linux/gen/amd64.go from 6058336 to 5661150 (-6.6%).
Update #1580
|
We will need a wrapper for target.SanitizeCall that will do more
than just calling the target-provided function. To avoid confusion
and potential mistakes, give the target function and prog function
different names. Prog package will continue to call this "sanitize",
which will include target's "neutralize" + more.
Also refactor API a bit: we need a helper function that sanitizes
the whole program because that's needed most of the time.
Fixes #477
Fixes #502
|
Default value for ProcType is 0 (same for all PIDs).
Usually 0 either does not make sense at all or makes different PIDs collide
(since we use ProcType to separate value ranges for different PIDs).
So don't change ProcType to 0 unless the type is explicitly marked as opt
(in that case we will also generate 0 anyway).
|
Fix several nasty bugs in minimization that could lead
to almost arbitrary results. These bugs affected both
crash minimization and corpus population.
Extend the randomized test to catch these bugs.
Add additional asserts to code to catch similar bugs in future.
Reported-by @xairy
|
It's effectively exported anyway.
So export it the proper way.
|
This patch changes minimization routines to try assigning a.Res to nil
for each pointer arg.
|
Move debug validation into a separate function.
Update #538
|
Refactor from single-big-switch to type methods.
Update #538
|
Reduce cyclomatic complexity of argument minimization
by moving type-specific logic into separate functions.
Fix a few bugs along the way.
Update #538
|
Refactor some functions to be simpler.
Update #538
|
Fix typos, non-canonical code, remove dead code, etc.
|
1. mmap all memory always, without explicit mmap calls in the program.
This makes lots of things much easier and removes lots of code.
Makes mmap not a special syscall and allows to fuzz without mmap enabled.
2. Change address assignment algorithm.
Current algorithm allocates unmapped addresses too frequently
and allows collisions between arguments of a single syscall.
The new algorithm analyzes actual allocations in the program
and places new arguments at unused locations.
|
Make the predicate the last argument.
It's more common and convenient (arguments are not separated by multiple lines).