path: root/prog
Commit message | Author | Age | Files | Lines
* all: remove unused nolint directives | Dmitry Vyukov | 2026-01-02 | 2 | -2/+1
* prog: support snapshot-only calls | Dmitry Vyukov | 2026-01-02 | 1 | -0/+1
    Update #5308
* all: use any instead of interface{} | Dmitry Vyukov | 2025-12-22 | 4 | -7/+7
    any is now preferred over interface{} in Go.
* pkg/csource: exclude auto-generated syscalls from tests | Aleksandr Nogikh | 2025-11-24 | 2 | -2/+13
    Auto-generated syscall descriptions currently do not properly mark arch-specific syscalls like socketcall (which is only available on 32 bit systems), which leads to TestGenerate breakages. Until the syz-declextract tool is fixed and descriptions are re-generated, don't use such calls in TestGenerate tests. It has recently caused numerous syzkaller update errors on syzbot.

    Cc #5410.
    Closes #6468.
* prog: take multiple serialization flags | Aleksandr Nogikh | 2025-11-03 | 2 | -17/+48
    Refactor Prog.Serialize() to accept a variadic list of flags. For now, two are supported:
    1) Verbose (equal to SerializeVerbose()).
    2) SkipImages (don't serialize fs images).
* prog: fix syz_kfuzztest_run allocation strategy | Ethan Graham | 2025-09-22 | 2 | -22/+37
    Previously, the generated KFuzzTest programs were reusing the address of the top-level input struct. A problem could arise when the encoded blob is large and overflows into another allocated region - this certainly happens in the case where the input struct points to some large char buffer, for example. While this wasn't directly a problem, it could lead to racy behavior when running KFuzzTest targets concurrently.

    To fix this, we now introduce an additional buffer parameter into syz_kfuzztest_run that is as big as the maximum accepted input size in the KFuzzTest kernel code. When this buffer is allocated, we ensure that we have some allocated space in the program that can hold the entire encoded input.

    This works in practice, but has not been tested with concurrent KFuzzTest executions yet.
* pkg/fuzzer: use a smaller number of recommended calls for KFuzzTest | Ethan Graham | 2025-09-22 | 1 | -0/+4
    Introduce a KFuzzTest mode for the fuzzer so that a smaller number of recommended calls can be used if we are fuzzing KFuzzTest targets.

    Signed-off-by: Ethan Graham <ethangraham@google.com>
* prog: add specialized mutation for KFuzzTest calls | Ethan Graham | 2025-09-22 | 3 | -20/+60
    Internal kernel functions (and as a result KFuzzTest) have stricter contracts than system calls. For this reason, we must avoid mutating the following cases:
    - Length arguments not matching the length of the related buffer.
    - Strings not being null-terminated.

    Add special cases for KFuzzTest calls that avoid these situations.

    Signed-off-by: Ethan Graham <ethangraham@google.com>
* prog/target: add fetching function for syz_kfuzztest_run ID | Ethan Graham | 2025-09-22 | 1 | -0/+25
    All non-base variants of syz_kfuzztest_run (i.e., those that are discovered dynamically) are encoded so that they map onto the base variant which is defined in kfuzztest.txt, and known by the executor. We add a function for fetching this, that is wrapped in a sync.Once block to avoid repeated iteration over the target's array of syscalls.

    Signed-off-by: Ethan Graham <ethangraham@google.com>
* prog/target: add Extend method | Ethan Graham | 2025-09-22 | 1 | -2/+11
    As KFuzzTest targets are discovered at boot, we need a mechanism for adding these to the array of enabled system calls. This is implemented by the new Extend method, which performs this setup.

    Signed-off-by: Ethan Graham <ethangraham@google.com>
* kfuzztest: introduce syz_kfuzztest_run pseudo-syscall | Ethan Graham | 2025-09-22 | 4 | -0/+615
    Add syz_kfuzztest_run pseudo-syscall, KFuzzTest attribute, and encoding logic.

    KFuzzTest targets, which are invoked in the executor with the new syz_kfuzztest_run pseudo-syscall, require specialized encoding. To differentiate KFuzzTest calls from standard syzkaller calls, we introduce a new attribute called KFuzzTest or "kfuzz_test" in syzkaller descriptions that can be used to annotate calls.

    Signed-off-by: Ethan Graham <ethangraham@google.com>
* prog: pkg/compiler: docs: introduce the `no_squash` attribute | Alexander Potapenko | 2025-09-09 | 4 | -5/+41
    The `no_squash` per-syscall attribute prevents the fuzzer from generating squashed arguments to a particular syscall. This is particularly helpful for pseudo-syscalls with elaborate arguments that are hard to reason about when they are squashed - e.g. for syz_kvm_add_vcpu() that takes a SYZOS program as an input.

    I've considered an alternative solution that prohibits ANY for all pseudo-syscalls. But there is a bunch of existing programs (both the tests and the repros) for syscalls like syz_mount_image() for which the benefit of not passing ANY is not immediately obvious. I therefore decided to go with an explicit attribute that can later be enforced for every pseudo-syscall at compile time.
* tools/syz-imagegen: accept filesystem descriptions as input | Aleksandr Nogikh | 2025-08-29 | 1 | -0/+3
    Don't generate just the hard-coded list of filesystems, but also generate seeds for the externally supplied json description of a filesystem.

    Add a special syscall attribute to help syz-imagegen guess the actual filesystem name from the syz_mount_image variant name.
* pkg/csource: add call argument annotations to generated C-source files | Ethan Graham | 2025-08-04 | 1 | -0/+102
    The structure of arguments passed into syscalls is often hard to parse since it is memcpy'd into mmap'd regions. Structural relations are often lost in translation, resulting in reproducers that take longer for a developer to understand.

    This patch adds functionality for parsing syscall arguments semantically and emitting a structured and human-readable comment which is inserted before each syscall in the resulting C-source.
* prog: generate choice table only for enabled calls | Aleksandr Nogikh | 2025-07-29 | 2 | -46/+80
    We used to generate a choice table and do its normalization for all present syscalls, also it was not considered during the /prio page generation.

    Enabled/disabled syscalls were accounted for in the choice table construction, but there's a chance that the resulting table was still somewhat skewed. The situation must have become worse after several thousands of auto syscalls were added.
* all: apply linter auto fixes | Taras Madan | 2025-07-17 | 3 | -6/+8
    ./tools/syz-env bin/golangci-lint run ./... --fix
* prog: use consistent default values for conditional unions | Aleksandr Nogikh | 2025-06-24 | 3 | -9/+38
    We used to assume that the default value was the last, yet when it was not specified in the serialized program, the first union option whose condition is satisfied was chosen. Let's be consistent and use the last value in both cases.

    Also, remember that there's a case when there's no valid default value - this happens when pkg/compiler wraps a conditional field into a union with two conditional fields. Explicitly check for this case and assume that whatever value is set is the correct default, because in this particular case the conditions of the two union options must be mutually exclusive.

    Fixes #6105.
* prog: validate transient unions | Aleksandr Nogikh | 2025-06-24 | 1 | -0/+4
    Ensure that there are no more transient unions in the fully constructed programs.
* prog: skip large calls in TestHintsRandom | Aleksandr Nogikh | 2025-05-23 | 1 | -3/+11
    In the test mode that sets debug=true, MutateWithHints is essentially quadratic to the prog(call) size due to numerous validation checks. Skip calls that are too large in order to prevent test hangs.

    Closes #5637.
* all: opt-out some functions to enforce linter checks | Taras Madan | 2025-03-27 | 1 | -0/+1
    New code will be limited to max 7 function params.
* all: remove loop variables scoping | Taras Madan | 2025-02-17 | 5 | -7/+0
* all: delete dead code | Taras Madan | 2025-02-10 | 2 | -9/+0
    go install golang.org/x/tools/cmd/deadcode@latest
    deadcode -test ./...
* all: fix recvcheck errors | Taras Madan | 2025-02-07 | 3 | -4/+4
* sys/syz-sysgen: serialize descriptions as gob and embed | Dmitry Vyukov | 2025-01-23 | 3 | -11/+10
    Instead of generating Go files with descriptions serialize them as gob and compress with flate. This significantly reduces build time, go vet time, and solves scalability problems with some static analysis tools.

    Reference times (all after rm -rf ~/.cache/go-build) before:
    TIME="%e %P %M" time go install ./syz-manager
    48.29 577% 4824820
    TIME="%e %P %M" time go test -c ./prog
    56.28 380% 6973292

    After:
    TIME="%e %P %M" time go install ./syz-manager
    22.81 865% 859788
    TIME="%e %P %M" time go test -c ./prog
    12.74 565% 267760

    syz-manager size before/after: 194712597 -> 83418407 -57% even provided we now embed all descriptions instead of just a single arch.

    Deflate/decoding time for a single Linux arch is ~330ms.

    Fixes #5542
* all: use min/max functions | Dmitry Vyukov | 2025-01-17 | 14 | -99/+29
    They are shorter, more readable, and don't require temp vars.
* prog: make TestRotationCoverage faster | Florent Revest | 2024-12-19 | 1 | -1/+1
    Now that we added automatically generated syscalls to the Linux corpus, we added a lot of work to the TestRotationCoverage test. We can make it faster by skipping all automatically generated syscalls.
* prog: annotate image assets with fsck logs | Florent Revest | 2024-12-09 | 4 | -4/+24
    Syscall attributes are extended with a fsck command field which lets file system mount definitions specify a fsck-like command to run. This is required because all file systems have a custom fsck command invocation style.

    When uploading a compressed image asset to the dashboard, syz-manager also runs the fsck command and logs its output over the dashapi. The dashboard logs these fsck logs into the database.

    This has been requested by fs maintainer Ted Tso who would like to quickly understand whether a filesystem is corrupted or not before looking at a reproducer in more detail. Ultimately, this could be used as an early triage sign to determine whether a bug is obviously critical.
* tools/syz-execprog: support running unsafe programs | Dmitry Vyukov | 2024-11-26 | 3 | -7/+7
* pkg/manager: show number of times coverage for each call has overflowed | Dmitry Vyukov | 2024-11-20 | 1 | -1/+3
    If the overflows happen often, it's bad. Add visibility into this.
* pkg/compiler: allow recursion via arrays | Dmitry Vyukov | 2024-11-18 | 1 | -18/+33
    Permit structs to recursively contain themselves in arrays. This is needed for netlink. Amusingly several netlink policies contain themselves.
* sys/linux: ensure that auto descriptions are self-sufficient | Dmitry Vyukov | 2024-11-14 | 1 | -0/+18
    Test that if we enable only auto descriptions, nothing gets disabled. Currently nothing can create fd_cgroup which is used by the descriptions.
* all: support || operator in syzlang if condition | Jiao, Joey | 2024-11-13 | 3 | -8/+21
    ex. f3 field has logic or operator in if condition:

    conditional_struct {
        mask int32
        f1 field1 (if[value[mask] & FIELD_FLAG1])
        f2 int64 (if[value[mask] & FIELD_FLAG2])
        f3 int64 (if[value[mask] == FIELD_FLAG1 || value[mask] == FIELD_FLAG2])
    } [packed]
* prog: explicitly check whether git revision is known | Aleksandr Nogikh | 2024-10-25 | 1 | -4/+10
    There was a bug in syz-manager because of that. Fix it by introducing a new method in prog.
* dashboard/config/linux: increase number of devices to 32 | Dmitry Vyukov | 2024-10-24 | 1 | -0/+2
* prog: allow deeper nesting of conditional fields patching | Aleksandr Nogikh | 2024-09-11 | 3 | -9/+34
    There is a totally valid situation when we could be recursively patching conditional fields: if by changing a field's value we insert new resource constructor calls. It's a bug to skip conditional field patching for them.

    Allow up to 2 nested patchConditionalFields() calls and panic if there happen to be more.

    Add a test that reproduces the situation described above.
* all: follow new linter recommendations | Taras Madan | 2024-09-10 | 3 | -11/+19
* pkg/mgrconfig, prog, sys/linux: add automatic_helper attribute | Pimyn Girgis | 2024-09-09 | 1 | -9/+10
    Add automatic_helper attribute and enable it for system calls that are required to properly run automatically generated descriptions. Enable these system calls when descriptions_mode = `Auto`.
* pkg/fuzzer: display hints job info | Aleksandr Nogikh | 2024-09-02 | 1 | -0/+10
    This will let us gain even more insight into what the fuzzer is doing.
* prog: extract program IDs from the logs | Aleksandr Nogikh | 2024-08-22 | 2 | -1/+20
* prog: test new log format parsing | Aleksandr Nogikh | 2024-08-21 | 1 | -6/+42
    A few months ago, we changed the execution log format. Let's test whether we correctly parse both the old and the new ones.
* pkg/mgrconfig, prog, tools: allow automatically generated or manually written descriptions or both | Pimyn Girgis | 2024-08-12 | 1 | -0/+1
    Add "Auto" type and allow choosing the descriptions mode in configurations. Defaults to using manual only.
* prog: try to remove all unrelated calls during minimization | Dmitry Vyukov | 2024-08-08 | 2 | -18/+187
    We have too many corpus minimization executions and the main source of these is call removal. Try to remove all "unrelated" calls at once. Unrelated calls are the calls that don't use any resources/files from the transitive closure of the resources/files used by the target call. This may significantly reduce large generated programs in a single step.
* prog: optimize array minimization | Dmitry Vyukov | 2024-08-08 | 1 | -1/+15
    If there are at least 3 elements, try to remove all at once first. It will be faster than removing them one-by-one if all of them are not needed.
* prog: don't minimize file names for corpus | Dmitry Vyukov | 2024-08-08 | 2 | -18/+22
    We have too many corpus minimization executions and for corpus we are only interested in reducing total number of args that will be considered for mutation. So don't minimize file names.
* prog: remove minimization TODOs | Dmitry Vyukov | 2024-08-08 | 1 | -3/+0
    We have too many corpus minimization executions, so it does not make sense to do even finer grained minimizations. These TODOs are super old and nobody ever complained about poor minimization. So remove them.
* prog: avoid duplicate programs during minimization | Dmitry Vyukov | 2024-08-07 | 2 | -17/+37
    Generally we try to avoid generating duplicates, but in some cases they are hard to avoid. For example, if we have an array with several equal elements, removing them leads to the same program. So check for duplicates explicitly.
* prog: don't minimize int/resource for corpus | Dmitry Vyukov | 2024-08-07 | 3 | -8/+14
    It makes little sense to minimize int's for corpus. Also replacing resource with a default value does not make sense as well. For corpus we are only interested in reducing total number of args that will be considered for mutation.

    Add CrashSnapshot mode, mainly to keep the minimization code "alive" for now.
* prog: replace MinimizeParams with MinimizeMode | Dmitry Vyukov | 2024-08-07 | 6 | -30/+33
    All callers shouldn't control lots of internal details of minimization (if we have more params, that's just more variations to test, and we don't have more, params is just a more convoluted way to say if we minimize for corpus or a crash). 2 bools also allow expressing 4 options, but only 3 make sense. Also when I see MinimizeParams{} in the code, it's unclear what it means.

    Replace params with mode.

    And potentially "crash" minimization is not "light", it's just different. E.g. we can simplify int arguments for reproducers (esp in snapshot mode), but we don't need that for corpus.
* syz-manager: move prog helpers to the prog package | Aleksandr Nogikh | 2024-08-06 | 1 | -0/+22
    Reduce the size of syz-manager.
* prog: add minimization stats | Dmitry Vyukov | 2024-07-24 | 1 | -17/+41
    Program minimization executions constitute the majority of executions in most runs. Count what parts of minimization consume how many executions so that it's possible to optimize this.