| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Akaros support is unused, it was shutdown on syzbot for a while,
the akaros development seems to be frozen for years as well.
We have a bunch of hacks for Akaros since it supported
only super old gcc and haven't supported Go. Remove it.
|
| |
|
|
|
|
|
|
|
|
|
| |
Ideally, we should properly support the already existing fix flag to
distinguish between fixing and checking, but for now at least let it
control whether structural changes are to be made.
Otherwise we get into trouble while hint-mutating syz_mount_image calls,
because we iterate over all call arguments and (possibly) remove them at
the same time. It leads to `bad group arg size %v, should be <= %v for
%#v type %#v` errors.
|
| |
|
|
|
|
| |
Commit empty files into generated packages,
so that the tree is buildable even w/o generated files
and Go tools continue to work.
|
| |
|
|
|
|
|
| |
Fix capitalization, dots at the end
and two spaces after a period.
Update #1876
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Checking in the generated descriptions files makes few things simpler,
but causes pain for pull requests: (1) PRs that touch descriptions
_always_ conflict, (2) PRs are large and harder to review,
(3) people sometimes forget to add auto-generated files.
The proposed way does not require us to hardcode lots of dependencies
in the Makefile (which is nice) and seem to work.
Let's see how it works.
The main contributor-visible consequence is that the auto-generated
files do not need to be checked-in now.
Credit for figuring the Makefile magic goes to @melver.
Fixes #1291
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add prog.Ref Type that serves as a proxy for real types
and allows to deduplicate Types in generated descriptions.
The Ref type is effectively an index in an array of types.
Just before serialization pkg/compiler replaces real types
with the Ref types and prepares corresponding array of real types.
When a Target is registered in prog package, we do the opposite
operation and replace Ref's with the corresponding real types.
This brings improvements across the board:
compiler memory consumption is reduced by 15%,
test building time by 25%, descriptions size by 33%.
Before:
$ du -h sys/linux/gen
54M sys/linux/gen
$ time GOMAXPROCS=1 go test -p=1 -c ./prog
real 0m54.200s
real 0m53.883s
$ time GOMAXPROCS=1 go install -p=1 ./tools/syz-execprog
real 0m27.911s
real 0m27.767s
$ TIME="%e %P %M" GOMAXPROCS=1 time go tool compile ./sys/linux/gen
20.59 100% 3200016
20.97 100% 3445976
20.25 100% 3209684
After:
$ du -h sys/linux/gen
36M sys/linux/gen
$ time GOMAXPROCS=1 go test -p=1 -c ./prog
real 0m42.290s
real 0m43.230s
$ time GOMAXPROCS=1 go install -p=1 ./tools/syz-execprog
real 0m24.337s
real 0m24.727s
$ TIME="%e %P %M" GOMAXPROCS=1 time go tool compile ./sys/linux/gen
19.11 100% 2764952
19.66 100% 2787624
19.35 100% 2749376
Update #1580
|
| |
|
|
|
|
|
|
|
|
|
| |
Surround the main data mapping with PROT_NONE pages to make virtual address layout more consistent
across different configurations (static/non-static build) and C repros.
One observed case before: executor had a mapping above the data mapping (output region),
while C repros did not have that mapping above, as the result in one case VMA had next link,
while in the other it didn't and it caused a bug to not reproduce with the C repro.
The bug that reproduces only with the mapping above:
https://lkml.org/lkml/2020/4/17/819
|
| |
|
|
|
|
|
|
|
|
|
| |
Make MakeMmap return more than 1 call.
This is a preparation for future changes.
Also remove addr/size as they are effectively
always the same and can be inferred from the target
(will also conflict with the future changes).
Also rename to MakeDataMmap to better represent
the new purpose: it's just some arbitrary mmap,
but rather mapping of the data segment.
|
| |
|
|
|
|
|
| |
Turns out the mmap protection get out of sync
between executor and C reproducers.
C reproducers missed PROT_EXEC.
Add PROT_EXEC for linux, freebsd and akaros.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We will need a wrapper for target.SanitizeCall that will do more
than just calling the target-provided function. To avoid confusion
and potential mistakes, give the target function and prog function
different names. Prog package will continue to call this "sanitize",
which will include target's "neutralize" + more.
Also refactor API a bit: we need a helper function that sanitizes
the whole program because that's needed most of the time.
Fixes #477
Fixes #502
|
| | |
|
| |
|
|
|
|
|
| |
If we are going to write all values, don't write field names.
This only increases size of generated files.
The change reduces size of generated files by 5.8%
(62870496-59410354=3460142 bytes saved).
|
| |
|
|
|
|
|
| |
They can't be a bitmask. This fixes important cases
of "0, 1" and "0, 1, 2" flags. Fix some descriptions
that added 0 to bitmasks explicitly (we should do it
automatically instead).
|
| |
|
|
|
|
| |
Will simplify runtime analysis of flags.
Also just no reason to make it more deterministic
and avoid unnecessary diffs in future if values are reordered.
|
| |
|
|
| |
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
|
| |
|
|
|
|
|
|
|
| |
Using a build tag to exclude files for golangci-lint
reduces memory consumption (it does not parse them).
The naive attempt with skip-dirs did not work.
So add codeanalysis build tag and use it in auto-generated files.
Update #977
|
| |
|
|
| |
In preparation for making syscall a reserved name.
|
| |
|
|
| |
Change the generated format for len type to support multiple path elements.
|
| |
|
|
|
|
|
|
|
|
|
| |
Ptr type has special handling of direction (pointers are always input).
But buffer type missed this special case all the time.
Make buffer less special by aliasing to the ptr[array[int8]] type.
As the result buffer type can't have optional trailing "opt" attribute
because we don't have such support for templates yet.
Change such cases to use ptr type directly.
Fixes #1097
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We don't specify trailing unused args for some syscalls
(e.g. ioctl that does not use its arg).
Executor always filled tailing unsed args with 0's
but pkg/csource didn't. Some such syscalls actually
check that the unsed arg is 0 and as the result failed with C repro.
We could statically check and eliminate all such cases,
but it turns out the warning fires in 1500+ cases:
https://gist.githubusercontent.com/dvyukov/e59ba1d9a211ee32fa0ba94fab86a943/raw/a3ace5a63f7281f0298f51ea9842ead1e4713418/gistfile1.txt
So instead fill such args with 0's in pkg/csource too.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently when we get target consts with target.ConstMap["name"]
during target initialization, we just get 0 for missing consts.
This is error-prone as we can mis-type a const, or a const may
be undefined only on some archs (as we have common unix code
shared between several OSes).
Check that all the consts are actually defined.
The check detects several violations, to fix them:
1. move mremap to linux as it's only defined on linux
2. move S_IFMT to openbsd, as it's only defined and used on openbsd
3. define missing MAP_ANONYMOUS for freebsd and netbsd
4. fix extract for netbsd
|
| |
|
|
|
|
| |
The function executes random code.
Update #310
|
| |
|
|
|
|
|
|
|
|
|
| |
The tool is run as:
$ syz-runtest -config manager.config
This runs all programs from sys/*/test/* in different modes
on actual VMs and checks results.
Fixes #603
|
| |
|
|
| |
Presumably it causes corrupted console output.
|
| |
|
|
|
|
|
|
|
|
| |
Currently target binaries contain support for all OS/arch combinations.
However, obviously a fuchsia target binary won't test windows.
For target binaries we need support only for a single target
(with the exception of 386/arm target in amd64/arm64 binaries).
So compile in only _the_ target into target binaries.
This reduces akaros/amd64 fuzzer binary from 33 to 7 MB
and execprog from 28 to 2 MB.
|
| | |
|
| |
|
|
| |
Most of them differ and accept path length and/or pid.
|
| |
|
|
|
| |
It causes kernel debug splat,
which has high chances of corrupting kernel crashes.
|
| |
|
|
| |
It unconditionally crashes kernel now.
|
| | |
|
| | |
|
| |
|
|
|
| |
Mark output resources as opt in preparation for more
precise constructor calculation.
|
| |
|
|
| |
Update #538
|
| |
|
|
|
|
|
|
|
| |
Move generated files to gen subdir. This allows to:
1. Rebuild init.go without rebuilding generated code.
2. Excluding generated files from gometalinter checking.
This makes faster and consume less memory.
Update #538
|
| |
|
|
| |
Update #538
|
| |
|
|
|
|
| |
IDs change whenever a call is added or removed,
this leads to large diffs unnecessarly.
Assign IDs dynamically.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
1. mmap all memory always, without explicit mmap calls in the program.
This makes lots of things much easier and removes lots of code.
Makes mmap not a special syscall and allows to fuzz without mmap enabled.
2. Change address assignment algorithm.
Current algorithm allocates unmapped addresses too frequently
and allows collisions between arguments of a single syscall.
The new algorithm analyzes actual allocations in the program
and places new arguments at unused locations.
|
| |
|
|
|
|
| |
"void": type with static size 0
mostly useful inside of templates and varlen unions
can't be syscall argument
|
| |
|
|
|
|
|
| |
1. remove workaround for pthread attrs (was fixed in akaros)
2. remove workaround for dup2 (was fixed in akaros)
3. check that we receive a program
4. implement timeout for test processes
|
| |
|
