From c8c15bb214509bafc8fe1a1e3abb8ccf90b3306e Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Fri, 13 Dec 2024 15:15:49 +0100
Subject: tools/syz-declextract: infer argument/field types

Use data flow analysis to infer syscall argument, return value, and struct field types. See the comment in pkg/declextract/typing.go for more details.
---
 tools/syz-declextract/testdata/functions.c.json | 231 +++++++++++++++++++++++-
 1 file changed, 229 insertions(+), 2 deletions(-)

(limited to 'tools/syz-declextract/testdata/functions.c.json')

diff --git a/tools/syz-declextract/testdata/functions.c.json b/tools/syz-declextract/testdata/functions.c.json
index 8a1fd4ee1..eb1b3b880 100644
--- a/tools/syz-declextract/testdata/functions.c.json
+++ b/tools/syz-declextract/testdata/functions.c.json
@@ -5,9 +5,47 @@
 "file": "functions.c",
 "loc": 2,
 "calls": [
+ "__fget_light",
 "func_baz"
+ ],
+ "facts": [
+ {
+ "src": {
+ "argument": {
+ "func": "__do_sys_functions",
+ "arg": 0
+ }
+ },
+ "dst": {
+ "argument": {
+ "func": "__fget_light",
+ "arg": 0
+ }
+ }
+ },
+ {
+ "src": {
+ "return": {
+ "func": "func_baz"
+ }
+ },
+ "dst": {
+ "return": {
+ "func": "__do_sys_functions"
+ }
+ }
+ }
 ]
 },
+ {
+ "name": "__fget_light",
+ "file": "functions.c"
+ },
+ {
+ "name": "alloc_fd",
+ "file": "functions.c",
+ "loc": 1
+ },
 {
 "name": "atomic_load32",
 "file": "include/types.h",
@@ -19,6 +57,11 @@
 "file": "include/types.h",
 "loc": 1
 },
+ {
+ "name": "from_kuid",
+ "file": "functions.c",
+ "loc": 1
+ },
 {
 "name": "func_bar",
 "file": "functions.c",
@@ -31,21 +74,205 @@
 {
 "name": "func_baz",
 "file": "functions.c",
- "loc": 5,
+ "loc": 8,
 "calls": [
 "func_foo",
- "func_bar"
+ "func_bar",
+ "from_kuid",
+ "alloc_fd"
+ ],
+ "facts": [
+ {
+ "src": {
+ "return": {
+ "func": "from_kuid"
+ }
+ },
+ "dst": {
+ "return": {
+ "func": "func_baz"
+ }
+ }
+ },
+ {
+ "src": {
+ "return": {
+ "func": "alloc_fd"
+ }
+ },
+ "dst": {
+ "return": {
+ "func": "func_baz"
+ }
+ }
+ }
 ]
 },
 {
 "name": "func_foo",
 "file": "functions.c",
 "is_static": true
+ },
+ {
+ "name": "func_qux",
+ "file": "functions.c",
+ "loc": 2,
+ "calls": [
+ "alloc_fd"
+ ],
+ "facts": [
+ {
+ "src": {
+ "return": {
+ "func": "alloc_fd"
+ }
+ },
+ "dst": {
+ "local": {
+ "name": "fd"
+ }
+ }
+ },
+ {
+ "src": {
+ "local": {
+ "name": "fd"
+ }
+ },
+ "dst": {
+ "return": {
+ "func": "func_qux"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "typing",
+ "file": "functions.c",
+ "loc": 5,
+ "calls": [
+ "typing1"
+ ],
+ "facts": [
+ {
+ "src": {
+ "argument": {
+ "func": "typing",
+ "arg": 1
+ }
+ },
+ "dst": {
+ "argument": {
+ "func": "typing1",
+ "arg": 0
+ }
+ }
+ },
+ {
+ "src": {
+ "field": {
+ "struct": "Typed",
+ "field": "a"
+ }
+ },
+ "dst": {
+ "argument": {
+ "func": "typing1",
+ "arg": 1
+ }
+ }
+ },
+ {
+ "src": {
+ "field": {
+ "struct": "Typed",
+ "field": "b"
+ }
+ },
+ "dst": {
+ "field": {
+ "struct": "Typed",
+ "field": "a"
+ }
+ }
+ },
+ {
+ "src": {
+ "local": {
+ "name": "l"
+ }
+ },
+ "dst": {
+ "field": {
+ "struct": "Typed",
+ "field": "c"
+ }
+ }
+ },
+ {
+ "src": {
+ "return": {
+ "func": "typing1"
+ }
+ },
+ "dst": {
+ "local": {
+ "name": "l"
+ }
+ }
+ },
+ {
+ "src": {
+ "local": {
+ "name": "l"
+ }
+ },
+ "dst": {
+ "return": {
+ "func": "typing"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "typing1",
+ "file": "functions.c",
+ "loc": 1,
+ "facts": [
+ {
+ "src": {
+ "argument": {
+ "func": "typing1",
+ "arg": 0
+ }
+ },
+ "dst": {
+ "return": {
+ "func": "typing1"
+ }
+ }
+ }
+ ]
 }
 ],
 "syscalls": [
 {
 "func": "__do_sys_functions",
+ "args": [
+ {
+ "name": "x",
+ "counted_by": -1,
+ "type": {
+ "int": {
+ "byte_size": 8,
+ "name": "long",
+ "base": "long"
+ }
+ }
+ }
+ ],
 "source_file": "functions.c"
 }
 ]
--
cgit mrf-deployment