Commit message

Some functions are not the struct members now.
Some functions deleted.
Client mock generated.
When using go run, I had to specify the path of syz-declextract or I'd
get the following error: package tools/syz-declextract is not in std
(/usr/lib/google-golang/src/tools/syz-declextract)
The cmake command used to generate syz-declextract uses the -GNinja flag
so it should be built with ninja rather than make.
To simplify interface Read*Symbols were moved out from symbolizer.Symbolizer.
Loop variables are per-iteration, not per loop since go122.
https://go.dev/blog/loopvar-preview
"go mod go@1.23" updates go.mod to the latest 1.23.*.
Run differential fuzzing as a workflow step.
Accept context as a function argument.
Split out the code that creates a syz-executor process instance.
Linux-next now offers a choice between using `CONFIG_GENDWARFKSYMS`
and `CONFIG_GENKSYMS`. See:
Docs: https://www.kernel.org/doc/html/next/kbuild/gendwarfksyms.html
Series: https://patchwork.kernel.org/project/linux-kbuild/list/?series=922143
We could either enforce CONFIG_GENKSYMS=y and keep things as they used
to be or we could add a libdw-dev dependency to the container and be
more flexible.
CONFIG_GENDWARFKSYMS offers a slight advantage in that it will be better
if/when we start fuzzing Rust code in the kernel.
filepath.Walk calls os.Lstat for every file or directory to retrieve os.FileInfo.
filepath.WalkDir avoids unnecessary system calls since it provides a fs.DirEntry,
which includes file type information without requiring a stat call.
This improves performance by reducing redundant system calls.
Make the method more flexible.
Rename the variables to better reflect what is being done.
1. Init coveragedb client once and propagate it through context to enable mocking.
2. Always init coverage handlers. It simplifies testing.
3. Read webGit and coveragedb client from ctx to make it mockable.
4. Use int for file line number and int64 for merged coverage.
5. Add tests.
Adjust the code to properly handle context cancellation.
Replace log.Fatalf() by errors where it was straightforward.
Decouple from the global variables.
Instead of generating Go files with descriptions
serialize them as gob and compress with flate.
This significantly reduces build time, go vet time,
and solves scalability problems with some static analysis tools.
Reference times (all after rm -rf ~/.cache/go-build) before:
TIME="%e %P %M" time go install ./syz-manager
48.29 577% 4824820
TIME="%e %P %M" time go test -c ./prog
56.28 380% 6973292
After:
TIME="%e %P %M" time go install ./syz-manager
22.81 865% 859788
TIME="%e %P %M" time go test -c ./prog
12.74 565% 267760
syz-manager size before/after: 194712597 -> 83418407
-57% even provided we now embed all descriptions
instead of just a single arch.
Deflate/decoding time for a single Linux arch is ~330ms.
Fixes #5542
Prevent Go from downloading all external dependencies each time syz-env
is called. It will become a problem once vendor/ is deleted.
Use function scope information extracted in the previous commit
to infer multiplexed syscalls (fcntl, prctl, ...) and infer
their arguments.
Descriptions generated on Linux commit c4b9570cfb63501.
Extract info about function scopes formed by switches on function arguments.
For example, if we have:

    void foo(..., int cmd, ...)
    {
        ...
        switch (cmd) {
        case FOO:
            ... block 1 ...
        case BAR:
            ... block 2 ...
        }
        ...
    }

We record that any data flow within block 1 is only relevant
when foo's arg cmd has value FOO, similarly for block 2 and BAR.
This allows us to do 3 things:
1. Locate ioctl commands that are switched on within transitively
   called functions.
2. Infer return value for each ioctl command.
3. Infer argument type when it's not specified in _IO macro.
This will also allow us to infer other multiplexed syscalls.
Descriptions generated on Linux commit c4b9570cfb63501.
Currently we have a bug in struct layout that affects
some corner cases that involve recursive structs.
The result of this bug is that we use wrong alignment 1
(not yet calculated) for some structs when calculating
layout of other structs.
The root cause of this bug is that we calculate struct
alignment too early in typeStruct.Gen when structs
are not yet laid out.
For this reason we moved struct size calculation to the
later phase (after compiler.layoutStruct).
Move alignment calculation from typeStruct.Gen to
compiler.layoutStruct to fix this.
This fixes 2 bugs:
1. We completely remove empty structs, but they can have an
   effect on parent struct layout if they have >1 alignment.
   Replace empty structs with a special auto_aligner type
   that preserves alignment.
2. Arrays of 0 size are currently emitted as dynamically-sized
   (we assume 0 size means "this is not a const-size array").
   Add a separate IsConstSize flag for arrays that marks const-size arrays.
Additionally cross-check that generated structs have exactly
the same size/alignment as the corresponding C structs.
This allows us to catch the above bugs.
This is nice on its own, but this will also help to prevent
lots of problems when we export more info from the clang tool in future.
The clang tool does not know what will end up in the final descriptions,
so it exports info about all consts that it encounters.
As the result we pull in lots of includes/defines, and lots of kernel
includes/defines are broken or create problems.
So the fewer we have, the better.
Export raw info about consts from the clang tool, and let the Go part handle it.
The less logic is in the clang tool, the better. Also this will allow to remove
unused includes when we know which consts we ended up using.
The more includes we include, the higher the chances we include something
that's broken.
They are shorter, more readable, and don't require temp vars.
They are shorter, more readable, and don't require temp vars.
First, I replaced the previous substitution inside /etc/ssh/sshd_config
with an extended and simplified rewrite with a correct path to
sftp-server.
Second, systemd networking won't work correctly without correct mode
bits. Looks like while creating it in a docker container a wrong mode is
being set, so we explicitly fix it in the script.
Also, openssh-clients should be installed to fulfill all requirements
for an ssh connection.
If we pass a platform argument to docker the script could also create us
a rootfs image for arm64. (and maybe more in the future, who knows)
Set it to linux/amd64 by default.
While there, remove some confirmations by automating them.
DOCKER_BUILDKIT=1 ensures that the Docker builder parallelizes the build
steps (whenever it's possible).
This allows for better caching and parallelization.
It allows for better caching/parallelization.
Also, the resulting image is now ~100MB smaller.
We don't really need an HTTP server when running syz-manager during kernel
image testing and when running syz-diff automatically.
Don't require the config to be set and don't start the HTTP server in
this case.
Refactor the code to make it more reusable.
Add a method to extract specifically the list of new patch series.
Current schema makes session+filepath a primary key (it is unique).
Manager as a part of primary key makes session+filepath+manager a unique combination.
It allows skipping communication with dashboard and testing merge+"upload to gcs".
+ Trim gs:// prefix. It is a convenient way to specify target address.
1. Make interface testable.
2. Add Spanner interfaces.
3. Generate mocks for proxy interfaces.
4. Test SaveMergeResult.
5. Test MergeCSVWriteJSONL and coveragedb.SaveMergeResult integration.
The previous implementation stored only the summary of processed records.
The summary was <1GB and a single processing node was able to manipulate the data.
The current implementation stores all the details about records read to make post-processing more flexible.
This change was needed to get access to the source manager name and will help to analyze other details.
This new implementation requires 20GB mem to process a single day's records.
CSV log interning experiment allowed to merge using 10G.
Quarter data aggregation will cost ~100 times more.
The alternative is to use stream processing. We can process data kernel-file-by-file.
It allows to /15000 memory consumption.
This approach is implemented here.
We're batching coverage signals by file and storing per-file results in a GCS JSONL file.
See https://jsonlines.org/ to learn about jsonl.
Use data flow analysis to infer syscall argument, return value,
and struct field types.
See the comment in pkg/declextract/typing.go for more details.
By storing all the details about the coverage data source, we're able to better explain the origin.
This origin data is currently used to get the "manager" name.
Remove constants that are already covered by arm64_bitmap and arm64_fw in kvm_one_reg.