path: root/tools/syz-trace2syz
Commit message | Author | Age | Files | Lines
* sys/syz-sysgen: serialize descriptions as gob and embed | Dmitry Vyukov | 2025-01-23 | 1 | -1/+1
  Instead of generating Go files with descriptions serialize them as gob and compress with flate. This significantly reduces build time, go vet time, and solves scalability problems with some static analysis tools.

  Reference times (all after rm -rf ~/.cache/go-build) before:
      TIME="%e %P %M" time go install ./syz-manager
      48.29 577% 4824820
      TIME="%e %P %M" time go test -c ./prog
      56.28 380% 6973292
  After:
      TIME="%e %P %M" time go install ./syz-manager
      22.81 865% 859788
      TIME="%e %P %M" time go test -c ./prog
      12.74 565% 267760

  syz-manager size before/after: 194712597 -> 83418407 -57% even provided we now embed all descriptions instead of just a single arch.
  Deflate/decoding time for a single Linux arch is ~330ms.
  Fixes #5542
* tools/syz-trace2syz: ignore automatically generated descriptions | Pimyn Girgis | 2024-10-09 | 1 | -1/+1
* all: go fix everything | Dmitry Vyukov | 2024-04-26 | 9 | -9/+0
* all: fix some function names in comments | cui fliter | 2023-12-20 | 1 | -1/+1
  Signed-off-by: cui fliter <imcusg@gmail.com>
* fix: code format | guoguangwu | 2023-11-03 | 1 | -1/+1
  Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>
* chore: remove refs to deprecated io/ioutil | guoguangwu | 2023-11-03 | 2 | -4/+4
  Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>
* all: tools/syz-env make generate result | Taras Madan | 2023-02-24 | 2 | -3/+7
* tools/syz-trace2syz: fix a panic in tests | Dmitry Vyukov | 2022-04-28 | 1 | -1/+4
  The openat filename argument is not necessarily a pointer to a string. It can be a pointer to a struct that builds a string by pieces.
* all: introduce a prog.Call constructor | Aleksandr Nogikh | 2021-09-22 | 1 | -5/+4
  Create a constructor for the prog.Call type. It allows to reduce the duplication of code now and during further changes.
* pkg: update generated files to go 1.17 | Alexey Kardashevskiy | 2021-07-07 | 9 | -0/+9
  "make generate" produces this diff when go 1.17 (go1.17-c95464f0ea3f==upstream) is used. Seems compatible with >=1.16.
  https://github.com/golang/go/commit/4d2d89ff42ca documents the syntax.
  https://github.com/golang/go/commit/eeadce2d8713 enforces "ignore" for unsatisfiable tags hence the pkg/csource/gen.go change.
  Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
* pkg/compiler: optimize array[const] representation | Dmitry Vyukov | 2021-04-21 | 1 | -4/+4
  Represent array[const[X, int8], N] as string["XX...X"]. This replaces potentially huge number of:
      NONFAILING(*(uint8_t*)0x2000126c = 0);
      NONFAILING(*(uint8_t*)0x2000126d = 0);
      NONFAILING(*(uint8_t*)0x2000126e = 0);
  with a single memcpy. In one reproducer we had 3991 such lines.
  Also replace memcpy's with memset's when possible.
  Update #1070
* sys/targets: add OS/Arch name consts | Dmitry Vyukov | 2020-10-26 | 3 | -4/+7
  We use strings to identify OS/Arch. These strings are duplicated throughout the code base massively. golangci-lint points to possibility of typos and duplication. We already had to define these names in pkg/csource and disable checking for prog package. A future change triggers such warnings in another package.
  Add OS/Arch name consts to sys/targets so that they can be used to refer to OS/Arch. Use the consts everywhere.
* pkg, prog: add per-field direction attribute | Necip Fazil Yildiran | 2020-08-13 | 1 | -5/+6
* prog/alloc: align address allocation for aligned[addr] | Albert van der Linde | 2020-07-14 | 1 | -1/+1
  Calls to alloc didn't respect the alignment attribute. Now Type.Alignment() is used to ensure each type is correctly aligned. Existing descriptions with [align[X]] don't have an issue as they align to small blocks and default align is to 64 bytes. This commit adds support for [align[X]] for an X larger than 64.
* prog: introduce Field type | Dmitry Vyukov | 2020-05-02 | 3 | -13/+13
  Remove FieldName from Type and add a separate Field type that holds field name. Use Field for struct fields, union options and syscalls arguments, only these really have names.
  Reduces size of sys/linux/gen/amd64.go from 5665583 to 5201321 (-8.2%).
  Allows to not create new type for squashed any pointer. But main advantages will follow, e.g. removing StructDesc, using TypeRef in Arg, etc.
  Update #1580
* prog: rename {PtrType,ArrayType}.Type to Elem | Dmitry Vyukov | 2020-05-01 | 2 | -5/+5
  Name "Type" is confusing when referring to pointer/array element type. Frequently there are too many Type/typ/typ1/t and typ.Type is not very informative. It _is_ a type, but what's usually more relevant is that it's an _element_ type. Let's leave type checking to compiler and give it a more meaningful name.
* prog: remove Dir from Type | Dmitry Vyukov | 2020-05-01 | 2 | -74/+74
  Having Dir in Type is handy, but forces us to duplicate lots of types. E.g. if a struct is referenced as both in and out, then we need to have 2 copies and 2 copies of structs/types it includes. It also prevents us from having the struct type as struct identity (because we can have up to 3 of them).
  Revert to the old way we used to do it: propagate Dir as we walk syscall arguments. This moves lots of dir passing from pkg/compiler to prog package. Now Arg contains the dir, so once we build the tree, we can use dirs as before.
  Reduces size of sys/linux/gen/amd64.go from 6058336 to 5661150 (-6.6%).
  Update #1580
* sys/linux: add some more ipv4/6 addresses | Dmitry Vyukov | 2020-04-14 | 1 | -3/+3
  Add few private ipv4/6 addresses that may affect kernel behavior.
* tools/syz-trace2syz/proggen: fix test for new descriptions | Dmitry Vyukov | 2020-03-24 | 1 | -1/+1
* tools: add script that checks copyright headers | Dmitry Vyukov | 2020-02-18 | 1 | -0/+3
  Fixes #1604
* tools/syz-trace2syz/proggen: fix test | Dmitry Vyukov | 2020-01-18 | 1 | -1/+1
  For some reason it started using a different syscall...
* tools/syz-trace2syz: disable golangci-lint | Dmitry Vyukov | 2019-10-08 | 7 | -0/+14
  A new version of golangci-lint started failing trying to build syz-trace2syz (because we already ignore some files). Ignore the rest of files to fix the failure.
* sys/linux: add new syscall descriptions for devio and usbmon | Veronica Radu | 2019-10-01 | 1 | -1/+1
  Update #533
* sys/linux: add syz_open_dev$char_usb descriptions | Andrey Konovalov | 2019-08-08 | 1 | -1/+4
  syz_open_dev$char_usb opens char devices with major = USB_MAJOR. Sanitize its values to make sure it doesn't open other char/block devices.
* .golangci.yml: add codeanalysis build tag | Dmitry Vyukov | 2019-05-15 | 4 | -69/+72
  Using a build tag to exclude files for golangci-lint reduces memory consumption (it does not parse them). The naive attempt with skip-dirs did not work. So add codeanalysis build tag and use it in auto-generated files.
  Update #977
* sys/linux: move openat to dev_rtc.txt | Shankara Pailoor | 2019-03-24 | 1 | -0/+8
  move openat$rtc to rtc_dev and change return type to fd_rtc
* tools/syz-trace2syz/proggen: add support to generate structs like sockaddr_storage_in6 | Shankara Pailoor | 2019-01-17 | 2 | -1/+52
  trace2syz has trouble generating structs like sockaddr_storage_in6 which are wrappers around other structs like sockaddr_in6 because strace just decodes the wrapped struct (sockaddr_in6). This causes trace2syz to generate the addr field of sockaddr_storage_in6 from the af_family field of sockaddr_in6 which triggers an error. We now try and detect these cases and recursively generate the struct.
* tools/syz-trace2syz/proggen: add support for open, openat, syz_open_dev variants | Shankara Pailoor | 2019-01-16 | 4 | -24/+224
  Add support to accurately select variants for open and openat system calls. This is needed because in order to accurately select ioctl variants we need to use device resource types. The device resource types can only be created by syz_open_dev and openat variants.
* tools/syz-trace2syz/proggen: deleting unnecessary code in genSockaddrStorage() | Shankara Pailoor | 2019-01-14 | 2 | -17/+10
  genSockaddrStorage() determines the correct sockaddr_storage union option when we cannot identify the system call variant. We used to have custom logic per system call which was not tested and is actually unnecessary. This patch deletes that code and adds a test to make sure there are no regressions.
* tools/syz-trace2syz/proggen.go: delete reorderStructFields() | Shankara Pailoor | 2019-01-10 | 2 | -24/+4
  strace incorrectly printed sin6_addr before sin6_flowinfo. To fix this, trace2syz added reorderStructFields() which swapped back the order. Incorrect orderings of structs is a bug in strace or in our descriptions so we should fix the source rather than work around. We have submitted a patch to fix the sockaddr_in6 decoding in strace so we can safely delete this function.
* tools/syz-trace2syz/proggen/proggen_test.go: test ipv6 address conversion | Shankara Pailoor | 2019-01-10 | 2 | -6/+29
* tools/syz-trace2syz/proggen: convert strace byte arrays to int args | Shankara Pailoor | 2019-01-10 | 2 | -9/+50
  strace decodes certain arguments like sockaddr_in.sin_port or sin_addr as hex strings under -Xraw. This is because the arguments are in network byte order. This patch supports converting those hex strings to int args if the size of the string is 1, 2, 4, or 8.
* tools/syz-trace2syz/proggen: append 0 to string buffers | Shankara Pailoor | 2018-12-29 | 2 | -2/+9
  String buffers get the null byte added during generation. This means we need to add the null byte explicitly in trace2syz.
* tools/syz-trace2syz: only add null-byte for prog.BufferFilename | Shankara Pailoor | 2018-12-28 | 4 | -6/+9
  trace2syz used to always add a null byte to strings. This isn't correct behavior since we may end up writing null bytes to files. The extra byte can affect system calls like ioctl FS_IOC_ENABLE_VERITY. We now only add the byte for filenames.
* tools/syz-trace2syz/parser: parse octal numbers | Shankara Pailoor | 2018-12-28 | 3 | -530/+405
  We don't properly parse octal numbers which is an issue because that's how strace decodes file permissions even under -Xraw. We used to do so but we didn't have a test for it so as when we added support for negative numbers we broke how we parse octals. This commit fixes how we parse octals and includes a test to catch future regressions.
* tools/syz-trace2syz/parser: parse strace bitsets | Shankara Pailoor | 2018-12-24 | 3 | -148/+150
  Strace decodes bitsets like fd_set or sa_mask into the following structure: [a b c d e]. Before we couldn't parse these structures, but now parse them into the Group IR Type
* tools/syz-trace2syz/proggen: fix name shadowing | Dmitry Vyukov | 2018-12-08 | 1 | -3/+3
* tools/syz-trace2syz/proggen: comment blank import | Dmitry Vyukov | 2018-12-08 | 1 | -3/+3
  golint suggests to comment all blank imports. But actually we don't need whole sys, we can import only sys/linux. Also rename target var to prevent name shadowing.
* prog: rename ProgGen to Builder | Dmitry Vyukov | 2018-12-08 | 1 | -6/+6
  golint suggests that "prog.Prog" is a bad naming because everything in prog package is ProgSomething. Rename to Builder, "prog.Builder" sounds right.
* tools/syz-trace2syz/proggen: reduce nesting depth in context.genResult | Dmitry Vyukov | 2018-12-07 | 1 | -8/+9
* tools/syz-trace2syz/proggen: remove currentStraceArg | Dmitry Vyukov | 2018-12-07 | 2 | -4/+2
  It's used only by 2 functions: genSockaddrNetlink and genIfrIfru. Majority of functions just accept the straceType as argument, which looks like a much more appropriate way to pass an argument to a function. Amusingly, both functions already accept and use the straceType as argument.
* tools/syz-trace2syz/proggen: unexport and refactor Context | Dmitry Vyukov | 2018-12-07 | 4 | -109/+103
  1. Unexport Context, it's not meant for callers.
  2. Unexport all Context fields.
  3. Make all function Context methods.
* tools/syz-trace2syz/proggen: tidy up shouldSkip | Dmitry Vyukov | 2018-12-07 | 1 | -15/+10
* tools/syz-trace2syz/proggen: convert tests to table format | Dmitry Vyukov | 2018-12-07 | 1 | -314/+166
  This has number of advantages:
  1. Tests are readable and writable. The current checks [1] are neither.
  2. Tests are much more compact.
  3. Tests verify all aspects rather than just 1 aspect of the resulting program.
  4. Tests are much less fragile.
  5. Any diffs in the results will be more clearly visible.

  [1]
      switch a := p.Calls[1].Args[0].(type) {
      case *prog.ResultArg:
          if a.Res != p.Calls[0].Ret {

      switch a := p.Calls[1].Args[0].(type) {
      case *prog.ResultArg:
          pipeSecondFd := p.Calls[0].Args[0].(*prog.PointerArg).Res.(*prog.GroupArg).Inner[1]
          if a.Res != pipeSecondFd {

      write := p.Calls[len(p.Calls)-2]
      inotifyRmWatch := p.Calls[len(p.Calls)-1]
      switch a := write.Args[0].Type().(type) {
      case *prog.ResourceType:
          if a.TypeName != "fd" {
              t.Fatalf("expected first argument of write to have type fd, got: %s", a.TypeName)
          }
      default:
          t.Fatalf("first argument of write is not resource type: %s", a.Name())
      }
      switch a := inotifyRmWatch.Args[1].(type) {
      case *prog.ResultArg:
          b := a.Type().(*prog.ResourceType)
          if b.TypeName != "inotifydesc" {
              t.Fatalf("expected second argument of inotify_rm_watch to have type inoitfydesc, got: %s", b.TypeName)
          }
          if a.Res != p.Calls[2].Ret {
              t.Fatalf("inotify_rm_watch's second argument should match the result of inotify_add_watch.")
          }
      }

      sockaddr, ok := a.(*prog.PointerArg).Res.(*prog.GroupArg)
      if !ok {
          t.Fatalf("%s", a.Type().Name())
      }
      ipv4Addr, ok := sockaddr.Inner[2].(*prog.UnionArg)
      if !ok {
          t.Fatalf("expected 3rd argument to be unionArg, got %s", sockaddr.Inner[2].Type().Name())
      }
      optName := ipv4Addr.Option.Type().FieldName()
      if !strings.Contains(optName, "rand") {
          t.Fatalf("expected ip option to be random opt, got: %s", optName)
      }
      ip, ok := ipv4Addr.Option.(*prog.ConstArg)
      if !ok {
          t.Fatalf("ipv4Addr option is not IntType")
      }
      if ip.Val != expectedIp {
          t.Fatalf("parsed != expected, %d != %d", ip.Val, expectedIp)
      }
* tools/syz-trace2syz/proggen: fix vma allocation | Dmitry Vyukov | 2018-12-07 | 2 | -1/+11
  There are 2 bugs:
  1. We always allocate 1 page, even if use more.
  2. VMA addresses are not aligned, so most mmap-like functions fail with EINVAL.
  The added test currently panics with "unaligned vma address".
* tools/syz-trace2syz/proggen: replace memoryTracker with prog.memAlloc | Dmitry Vyukov | 2018-12-07 | 3 | -78/+10
* tools/syz-trace2syz: add go-fuzz fuzzer | Dmitry Vyukov | 2018-12-07 | 1 | -0/+29
  Inputs like "2__R" or "3_F T.3.3l" make trace2syz hang infinitely consuming all machine memory. Need to fix all crashes over time.
* tools/syz-trace2syz: start adding proper error handling | Dmitry Vyukov | 2018-12-07 | 5 | -20/+55
  log.Fatal is not the proper way to handle errors. It does not allow to write good tests, fuzzers and utilities that crash all the time.
* tools/syz-trace2syz/proggen: add ParseFile function | Dmitry Vyukov | 2018-12-07 | 6 | -98/+79
  Current code structuring has 2 problems:
  1. parsing anything with proggen requires complex multistep dance including
     - parsing data with parser
     - walking the resulting tree manually and calling proggen on each
     - then for each context
     - calling FillOutMemory (unclear why it's not part of parsing)
     - calling prog.Finalize
     - checking if the program is not too large
     All of this duplicated across trace2syz and tests. And any new tests or fuzzers we will write will need to duplicate all of this logic too.
  2. As the result of this structuring, lots of proggen guts and implementation details are exposed. While none of the callers are actually interested in Context details, they are not interested in Context itself whatsoever.

  What every caller wants is "here is data to parse, give me programs". Add such function.
* tools/syz-trace2syz/parser: remove Filename from TraceTree | Dmitry Vyukov | 2018-12-07 | 3 | -11/+7
  We already printed file name of the trace in parseTraces, no need to print it again and again. Consequently we don't need Filename in TraceTree. If needed, caller can always log it before parsing, or pass along with the TraceTree.