2016-08-08 13:32:48 +00:00
|
|
|
// Copyright 2015/2016 syzkaller project authors. All rights reserved.
|
2015-10-14 14:55:09 +00:00
|
|
|
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package prog
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"math/rand"
|
|
|
|
"sort"
|
|
|
|
|
|
|
|
"github.com/google/syzkaller/sys"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Calulation of call-to-call priorities.
|
|
|
|
// For a given pair of calls X and Y, the priority is our guess as to whether
|
|
|
|
// additional of call Y into a program containing call X is likely to give
|
|
|
|
// new coverage or not.
|
|
|
|
// The current algorithm has two components: static and dynamic.
|
|
|
|
// The static component is based on analysis of argument types. For example,
|
|
|
|
// if call X and call Y both accept fd[sock], then they are more likely to give
|
|
|
|
// new coverage together.
|
|
|
|
// The dynamic component is based on frequency of occurrence of a particular
|
|
|
|
// pair of syscalls in a single program in corpus. For example, if socket and
|
|
|
|
// connect frequently occur in programs together, we give higher priority to
|
|
|
|
// this pair of syscalls.
|
|
|
|
// Note: the current implementation is very basic, there is no theory behind any
|
|
|
|
// constants.
|
|
|
|
|
|
|
|
func CalculatePriorities(corpus []*Prog) [][]float32 {
|
2016-01-19 11:26:27 +00:00
|
|
|
static := calcStaticPriorities()
|
2015-10-14 14:55:09 +00:00
|
|
|
dynamic := calcDynamicPrio(corpus)
|
|
|
|
for i, prios := range static {
|
|
|
|
for j, p := range prios {
|
|
|
|
dynamic[i][j] *= p
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return dynamic
|
|
|
|
}
|
|
|
|
|
|
|
|
func calcStaticPriorities() [][]float32 {
|
|
|
|
uses := make(map[string]map[int]float32)
|
|
|
|
for _, c := range sys.Calls {
|
|
|
|
noteUsage := func(weight float32, str string, args ...interface{}) {
|
|
|
|
id := fmt.Sprintf(str, args...)
|
|
|
|
if uses[id] == nil {
|
|
|
|
uses[id] = make(map[int]float32)
|
|
|
|
}
|
|
|
|
old := uses[id][c.ID]
|
|
|
|
if weight > old {
|
|
|
|
uses[id][c.ID] = weight
|
|
|
|
}
|
|
|
|
}
|
2016-10-19 12:41:46 +00:00
|
|
|
sys.ForeachType(c, func(t sys.Type) {
|
2015-10-14 14:55:09 +00:00
|
|
|
switch a := t.(type) {
|
2016-10-19 14:20:37 +00:00
|
|
|
case *sys.ResourceType:
|
2016-08-27 16:27:50 +00:00
|
|
|
if a.Desc.Name == "pid" || a.Desc.Name == "uid" || a.Desc.Name == "gid" {
|
2015-10-14 14:55:09 +00:00
|
|
|
// Pid/uid/gid usually play auxiliary role,
|
|
|
|
// but massively happen in some structs.
|
2016-08-27 16:27:50 +00:00
|
|
|
noteUsage(0.1, "res%v", a.Desc.Name)
|
2015-10-14 14:55:09 +00:00
|
|
|
} else {
|
2016-08-27 16:27:50 +00:00
|
|
|
str := "res"
|
|
|
|
for i, k := range a.Desc.Kind {
|
|
|
|
str += "-" + k
|
|
|
|
w := 1.0
|
|
|
|
if i < len(a.Desc.Kind)-1 {
|
|
|
|
w = 0.2
|
|
|
|
}
|
|
|
|
noteUsage(float32(w), str)
|
|
|
|
}
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
2016-10-19 14:20:37 +00:00
|
|
|
case *sys.PtrType:
|
2016-09-03 10:36:49 +00:00
|
|
|
if _, ok := a.Type.(*sys.StructType); ok {
|
2015-10-14 14:55:09 +00:00
|
|
|
noteUsage(1.0, "ptrto-%v", a.Type.Name())
|
|
|
|
}
|
2016-09-03 10:36:49 +00:00
|
|
|
if _, ok := a.Type.(*sys.UnionType); ok {
|
2015-12-29 14:00:57 +00:00
|
|
|
noteUsage(1.0, "ptrto-%v", a.Type.Name())
|
|
|
|
}
|
2016-10-19 14:20:37 +00:00
|
|
|
if arr, ok := a.Type.(*sys.ArrayType); ok {
|
2015-12-29 14:00:57 +00:00
|
|
|
noteUsage(1.0, "ptrto-%v", arr.Type.Name())
|
|
|
|
}
|
2016-10-19 14:20:37 +00:00
|
|
|
case *sys.BufferType:
|
2015-10-14 14:55:09 +00:00
|
|
|
switch a.Kind {
|
2017-01-08 16:20:32 +00:00
|
|
|
case sys.BufferBlobRand, sys.BufferBlobRange, sys.BufferText:
|
2015-10-14 14:55:09 +00:00
|
|
|
case sys.BufferString:
|
2016-11-07 22:45:15 +00:00
|
|
|
if a.SubKind != "" {
|
|
|
|
noteUsage(0.2, fmt.Sprintf("str-%v", a.SubKind))
|
|
|
|
}
|
2016-10-29 21:55:35 +00:00
|
|
|
case sys.BufferFilename:
|
|
|
|
noteUsage(1.0, "filename")
|
2015-10-14 14:55:09 +00:00
|
|
|
default:
|
|
|
|
panic("unknown buffer kind")
|
|
|
|
}
|
2016-10-19 14:20:37 +00:00
|
|
|
case *sys.VmaType:
|
2015-10-14 14:55:09 +00:00
|
|
|
noteUsage(0.5, "vma")
|
2016-10-19 14:20:37 +00:00
|
|
|
case *sys.IntType:
|
2015-10-14 14:55:09 +00:00
|
|
|
switch a.Kind {
|
2016-10-29 22:06:40 +00:00
|
|
|
case sys.IntPlain, sys.IntFileoff, sys.IntRange:
|
2015-10-14 14:55:09 +00:00
|
|
|
case sys.IntSignalno:
|
|
|
|
noteUsage(1.0, "signalno")
|
|
|
|
default:
|
|
|
|
panic("unknown int kind")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
prios := make([][]float32, len(sys.Calls))
|
|
|
|
for i := range prios {
|
|
|
|
prios[i] = make([]float32, len(sys.Calls))
|
|
|
|
}
|
|
|
|
for _, calls := range uses {
|
|
|
|
for c0, w0 := range calls {
|
|
|
|
for c1, w1 := range calls {
|
|
|
|
if c0 == c1 {
|
|
|
|
// Self-priority is assigned below.
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
prios[c0][c1] += w0 * w1
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2015-12-30 17:24:26 +00:00
|
|
|
|
2015-10-14 14:55:09 +00:00
|
|
|
// Self-priority (call wrt itself) is assigned to the maximum priority
|
|
|
|
// this call has wrt other calls. This way the priority is high, but not too high.
|
|
|
|
for c0, pp := range prios {
|
|
|
|
var max float32
|
|
|
|
for _, p := range pp {
|
|
|
|
if max < p {
|
|
|
|
max = p
|
|
|
|
}
|
|
|
|
}
|
|
|
|
pp[c0] = max
|
|
|
|
}
|
|
|
|
normalizePrio(prios)
|
|
|
|
return prios
|
|
|
|
}
|
|
|
|
|
|
|
|
func calcDynamicPrio(corpus []*Prog) [][]float32 {
|
|
|
|
prios := make([][]float32, len(sys.Calls))
|
|
|
|
for i := range prios {
|
|
|
|
prios[i] = make([]float32, len(sys.Calls))
|
|
|
|
}
|
|
|
|
for _, p := range corpus {
|
2017-05-02 10:28:48 +00:00
|
|
|
for _, c0 := range p.Calls {
|
|
|
|
for _, c1 := range p.Calls {
|
|
|
|
id0 := c0.Meta.ID
|
|
|
|
id1 := c1.Meta.ID
|
|
|
|
// There are too many mmap's anyway.
|
|
|
|
if id0 == id1 || c0.Meta.Name == "mmap" || c1.Meta.Name == "mmap" {
|
2015-10-14 14:55:09 +00:00
|
|
|
continue
|
|
|
|
}
|
2017-05-02 10:28:48 +00:00
|
|
|
prios[id0][id1] += 1.0
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizePrio(prios)
|
|
|
|
return prios
|
|
|
|
}
|
|
|
|
|
|
|
|
// normalizePrio assigns some minimal priorities to calls with zero priority,
|
|
|
|
// and then normalizes priorities to 0.1..1 range.
|
|
|
|
func normalizePrio(prios [][]float32) {
|
|
|
|
for _, prio := range prios {
|
|
|
|
max := float32(0)
|
|
|
|
min := float32(1e10)
|
|
|
|
nzero := 0
|
|
|
|
for _, p := range prio {
|
|
|
|
if max < p {
|
|
|
|
max = p
|
|
|
|
}
|
|
|
|
if p != 0 && min > p {
|
|
|
|
min = p
|
|
|
|
}
|
|
|
|
if p == 0 {
|
|
|
|
nzero++
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if nzero != 0 {
|
|
|
|
min /= 2 * float32(nzero)
|
|
|
|
}
|
|
|
|
for i, p := range prio {
|
|
|
|
if max == 0 {
|
|
|
|
prio[i] = 1
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if p == 0 {
|
|
|
|
p = min
|
|
|
|
}
|
|
|
|
p = (p-min)/(max-min)*0.9 + 0.1
|
|
|
|
if p > 1 {
|
|
|
|
p = 1
|
|
|
|
}
|
|
|
|
prio[i] = p
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// ChooseTable allows to do a weighted choice of a syscall for a given syscall
|
|
|
|
// based on call-to-call priorities and a set of enabled syscalls.
|
|
|
|
type ChoiceTable struct {
|
2015-10-15 15:58:37 +00:00
|
|
|
run [][]int
|
|
|
|
enabledCalls []*sys.Call
|
2015-12-27 11:20:00 +00:00
|
|
|
enabled map[*sys.Call]bool
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
|
|
|
|
2015-12-27 11:20:00 +00:00
|
|
|
func BuildChoiceTable(prios [][]float32, enabled map[*sys.Call]bool) *ChoiceTable {
|
|
|
|
if enabled == nil {
|
|
|
|
enabled = make(map[*sys.Call]bool)
|
|
|
|
for _, c := range sys.Calls {
|
|
|
|
enabled[c] = true
|
|
|
|
}
|
2015-10-16 20:10:51 +00:00
|
|
|
}
|
2015-12-27 11:20:00 +00:00
|
|
|
var enabledCalls []*sys.Call
|
|
|
|
for c := range enabled {
|
|
|
|
enabledCalls = append(enabledCalls, c)
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
|
|
|
run := make([][]int, len(sys.Calls))
|
|
|
|
for i := range run {
|
2015-12-27 11:20:00 +00:00
|
|
|
if !enabled[sys.Calls[i]] {
|
2015-10-14 14:55:09 +00:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
run[i] = make([]int, len(sys.Calls))
|
|
|
|
sum := 0
|
|
|
|
for j := range run[i] {
|
2015-12-27 11:20:00 +00:00
|
|
|
if enabled[sys.Calls[j]] {
|
2015-10-14 14:55:09 +00:00
|
|
|
sum += int(prios[i][j] * 1000)
|
|
|
|
}
|
|
|
|
run[i][j] = sum
|
|
|
|
}
|
|
|
|
}
|
2015-10-15 15:58:37 +00:00
|
|
|
return &ChoiceTable{run, enabledCalls, enabled}
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (ct *ChoiceTable) Choose(r *rand.Rand, call int) int {
|
2015-10-15 15:58:37 +00:00
|
|
|
if ct == nil {
|
2015-10-14 14:55:09 +00:00
|
|
|
return r.Intn(len(sys.Calls))
|
|
|
|
}
|
2015-10-15 15:58:37 +00:00
|
|
|
if call < 0 {
|
|
|
|
return ct.enabledCalls[r.Intn(len(ct.enabledCalls))].ID
|
|
|
|
}
|
2015-10-14 14:55:09 +00:00
|
|
|
run := ct.run[call]
|
|
|
|
if run == nil {
|
2015-10-15 15:58:37 +00:00
|
|
|
return ct.enabledCalls[r.Intn(len(ct.enabledCalls))].ID
|
2015-10-14 14:55:09 +00:00
|
|
|
}
|
|
|
|
for {
|
|
|
|
x := r.Intn(run[len(run)-1])
|
|
|
|
i := sort.SearchInts(run, x)
|
2015-12-27 11:20:00 +00:00
|
|
|
if !ct.enabled[sys.Calls[i]] {
|
2015-10-14 14:55:09 +00:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
return i
|
|
|
|
}
|
|
|
|
}
|