syzkaller/pkg/csource/csource.go

// Copyright 2015 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

// Package csource generates [almost] equivalent C programs from syzkaller programs.
package csource

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"

	"github.com/google/syzkaller/prog"
	"github.com/google/syzkaller/sys/targets"
)

func Write(p *prog.Prog, opts Options) ([]byte, error) {
	if err := opts.Check(); err != nil {
		return nil, fmt.Errorf("csource: invalid opts: %v", err)
	}
	ctx := &context{
		p:         p,
		opts:      opts,
		target:    p.Target,
		sysTarget: targets.List[p.Target.OS][p.Target.Arch],
		w:         new(bytes.Buffer),
		calls:     make(map[string]uint64),
	}
	for _, c := range p.Calls {
		ctx.calls[c.Meta.CallName] = c.Meta.NR
	}

	ctx.print("// autogenerated by syzkaller (http://github.com/google/syzkaller)\n\n")

	hdr, err := createCommonHeader(p, opts)
	if err != nil {
		return nil, err
	}
	ctx.w.Write(hdr)
	ctx.print("\n")

	ctx.generateSyscallDefines()

	exec := make([]byte, prog.ExecBufferSize)
	progSize, err := ctx.p.SerializeForExec(exec, 0)
	if err != nil {
		return nil, fmt.Errorf("failed to serialize program: %v", err)
	}
	decoded, err := ctx.target.DeserializeExec(exec[:progSize])
	if err != nil {
		return nil, err
	}
	calls, nvar := ctx.generateCalls(decoded)
	if nvar != 0 {
		ctx.printf("long r[%v];\n", nvar)
	}

	if !opts.Repeat {
		ctx.generateTestFunc(calls, nvar, "loop")

		ctx.print("int main()\n{\n")
		if opts.HandleSegv {
			ctx.printf("\tinstall_segv_handler();\n")
		}
		if opts.UseTmpDir {
			ctx.printf("\tuse_temporary_dir();\n")
		}
		if opts.Sandbox != "" {
			ctx.printf("\tint pid = do_sandbox_%v(0, %v);\n", opts.Sandbox, opts.EnableTun)
			ctx.print("\tint status = 0;\n")
			ctx.print("\twhile (waitpid(pid, &status, __WALL) != pid) {}\n")
		} else {
			if opts.EnableTun {
				ctx.printf("\tsetup_tun(0, %v);\n", opts.EnableTun)
			}
			ctx.print("\tloop();\n")
		}
		ctx.print("\treturn 0;\n}\n")
	} else {
		ctx.generateTestFunc(calls, nvar, "test")
		if opts.Procs <= 1 {
			ctx.print("int main()\n{\n")
			if opts.HandleSegv {
				ctx.printf("\tinstall_segv_handler();\n")
			}
			if opts.UseTmpDir {
				ctx.printf("\tuse_temporary_dir();\n")
			}
			if opts.Sandbox != "" {
				ctx.printf("\tint pid = do_sandbox_%v(0, %v);\n", opts.Sandbox, opts.EnableTun)
				ctx.print("\tint status = 0;\n")
				ctx.print("\twhile (waitpid(pid, &status, __WALL) != pid) {}\n")
			} else {
				if opts.EnableTun {
					ctx.printf("\tsetup_tun(0, %v);\n", opts.EnableTun)
				}
				ctx.print("\tloop();\n")
			}
			ctx.print("\treturn 0;\n}\n")
		} else {
			ctx.print("int main()\n{\n")
			ctx.print("\tint i;")
			ctx.printf("\tfor (i = 0; i < %v; i++) {\n", opts.Procs)
			ctx.print("\t\tif (fork() == 0) {\n")
			if opts.HandleSegv {
				ctx.printf("\t\t\tinstall_segv_handler();\n")
			}
			if opts.UseTmpDir {
				ctx.printf("\t\t\tuse_temporary_dir();\n")
			}
			if opts.Sandbox != "" {
				ctx.printf("\t\t\tint pid = do_sandbox_%v(i, %v);\n", opts.Sandbox, opts.EnableTun)
				ctx.print("\t\t\tint status = 0;\n")
				ctx.print("\t\t\twhile (waitpid(pid, &status, __WALL) != pid) {}\n")
			} else {
				if opts.EnableTun {
					ctx.printf("\t\t\tsetup_tun(i, %v);\n", opts.EnableTun)
				}
				ctx.print("\t\t\tloop();\n")
			}
			ctx.print("\t\t\treturn 0;\n")
			ctx.print("\t\t}\n")
			ctx.print("\t}\n")
			ctx.print("\tsleep(1000000);\n")
			ctx.print("\treturn 0;\n}\n")
		}
	}

	// Remove NONFAILING and debug calls.
	out0 := ctx.w.String()
	if !opts.HandleSegv {
		re := regexp.MustCompile(`\t*NONFAILING\((.*)\);\n`)
		out0 = re.ReplaceAllString(out0, "$1;\n")
	}
	if !opts.Debug {
		re := regexp.MustCompile(`\t*debug\(.*\);\n`)
		out0 = re.ReplaceAllString(out0, "")
		re = regexp.MustCompile(`\t*debug_dump_data\(.*\);\n`)
		out0 = re.ReplaceAllString(out0, "")
	}
	out0 = strings.Replace(out0, "NORETURN", "", -1)

	// Remove duplicate new lines.
	out1 := []byte(out0)
	for {
		out2 := bytes.Replace(out1, []byte{'\n', '\n', '\n'}, []byte{'\n', '\n'}, -1)
		if len(out1) == len(out2) {
			break
		}
		out1 = out2
	}

	return out1, nil
}

type context struct {
	p         *prog.Prog
	opts      Options
	target    *prog.Target
	sysTarget *targets.Target
	w         *bytes.Buffer
	calls     map[string]uint64 // CallName -> NR
}

func (ctx *context) print(str string) {
	ctx.w.WriteString(str)
}

func (ctx *context) printf(str string, args ...interface{}) {
	ctx.print(fmt.Sprintf(str, args...))
}

func (ctx *context) generateTestFunc(calls []string, nvar uint64, name string) {
	opts := ctx.opts
	if !opts.Threaded && !opts.Collide {
		ctx.printf("void %v()\n{\n", name)
		if opts.Debug {
			// Use debug to avoid: error: ‘debug’ defined but not used.
			ctx.printf("\tdebug(\"%v\\n\");\n", name)
		}
		if opts.Repro {
			ctx.printf("\tsyscall(SYS_write, 1, \"executing program\\n\", strlen(\"executing program\\n\"));\n")
		}
		if nvar != 0 {
			ctx.printf("\tmemset(r, -1, sizeof(r));\n")
		}
		for _, c := range calls {
			ctx.printf("%s", c)
		}
		ctx.printf("}\n\n")
	} else {
		ctx.printf("void *thr(void *arg)\n{\n")
		ctx.printf("\tswitch ((long)arg) {\n")
		for i, c := range calls {
			ctx.printf("\tcase %v:\n", i)
			ctx.printf("%s", strings.Replace(c, "\t", "\t\t", -1))
			ctx.printf("\t\tbreak;\n")
		}
		ctx.printf("\t}\n")
		ctx.printf("\treturn 0;\n}\n\n")

		ctx.printf("void %v()\n{\n", name)
		ctx.printf("\tlong i;\n")
		ctx.printf("\tpthread_t th[%v];\n", 2*len(calls))
		ctx.printf("\tpthread_attr_t attr;\n")
		ctx.printf("\n")
		if opts.Debug {
			// Use debug to avoid: error: ‘debug’ defined but not used.
			ctx.printf("\tdebug(\"%v\\n\");\n", name)
		}
		if opts.Repro {
			ctx.printf("\tsyscall(SYS_write, 1, \"executing program\\n\", strlen(\"executing program\\n\"));\n")
		}
		if nvar != 0 {
			ctx.printf("\tmemset(r, -1, sizeof(r));\n")
		}
		if opts.Collide {
			ctx.printf("\tsrand(getpid());\n")
		}
		ctx.printf("\tpthread_attr_init(&attr);\n")
		ctx.printf("\tpthread_attr_setstacksize(&attr, 128 << 10);\n")
		ctx.printf("\tfor (i = 0; i < %v; i++) {\n", len(calls))
		ctx.printf("\t\tpthread_create(&th[i], &attr, thr, (void*)i);\n")
		ctx.printf("\t\tusleep(rand()%%10000);\n")
		ctx.printf("\t}\n")
		if opts.Collide {
			ctx.printf("\tfor (i = 0; i < %v; i++) {\n", len(calls))
			ctx.printf("\t\tpthread_create(&th[%v+i], &attr, thr, (void*)i);\n", len(calls))
			ctx.printf("\t\tif (rand()%%2)\n")
			ctx.printf("\t\t\tusleep(rand()%%10000);\n")
			ctx.printf("\t}\n")
		}
		ctx.printf("\tusleep(rand()%%100000);\n")
		ctx.printf("}\n\n")
	}
}

func (ctx *context) generateSyscallDefines() {
	prefix := ctx.sysTarget.SyscallPrefix
	for name, nr := range ctx.calls {
		if strings.HasPrefix(name, "syz_") || !ctx.sysTarget.NeedSyscallDefine(nr) {
			continue
		}
		ctx.printf("#ifndef %v%v\n", prefix, name)
		ctx.printf("#define %v%v %v\n", prefix, name, nr)
		ctx.printf("#endif\n")
	}
	if ctx.target.OS == "linux" && ctx.target.PtrSize == 4 {
		// This is a dirty hack.
		// On 32-bit linux mmap translated to old_mmap syscall which has a different signature.
		// mmap2 has the right signature. syz-extract translates mmap to mmap2, do the same here.
		ctx.printf("#undef __NR_mmap\n")
		ctx.printf("#define __NR_mmap __NR_mmap2\n")
	}
	ctx.printf("\n")
}

func (ctx *context) generateCalls(p prog.ExecProg) ([]string, uint64) {
	resultRef := func(arg prog.ExecArgResult) string {
		res := fmt.Sprintf("r[%v]", arg.Index)
		if arg.DivOp != 0 {
			res = fmt.Sprintf("%v/%v", res, arg.DivOp)
		}
		if arg.AddOp != 0 {
			res = fmt.Sprintf("%v+%v", res, arg.AddOp)
		}
		return res
	}
	var calls []string
	csumSeq := 0
	for ci, call := range p.Calls {
		w := new(bytes.Buffer)
		// Copyin.
		for _, copyin := range call.Copyin {
			switch arg := copyin.Arg.(type) {
			case prog.ExecArgConst:
				if arg.BitfieldOffset == 0 && arg.BitfieldLength == 0 {
					fmt.Fprintf(w, "\tNONFAILING(*(uint%v_t*)0x%x = (uint%v_t)0x%x);\n",
						arg.Size*8, copyin.Addr, arg.Size*8, arg.Value)
				} else {
					fmt.Fprintf(w, "\tNONFAILING(STORE_BY_BITMASK(uint%v_t, 0x%x, 0x%x, %v, %v));\n",
						arg.Size*8, copyin.Addr, arg.Value, arg.BitfieldOffset, arg.BitfieldLength)
				}
			case prog.ExecArgResult:
				fmt.Fprintf(w, "\tNONFAILING(*(uint%v_t*)0x%x = %v);\n",
					arg.Size*8, copyin.Addr, resultRef(arg))
			case prog.ExecArgData:
				fmt.Fprintf(w, "\tNONFAILING(memcpy((void*)0x%x, \"%s\", %v));\n",
					copyin.Addr, toCString(arg.Data), len(arg.Data))
			case prog.ExecArgCsum:
				switch arg.Kind {
				case prog.ExecArgCsumInet:
					csumSeq++
					fmt.Fprintf(w, "\tstruct csum_inet csum_%d;\n", csumSeq)
					fmt.Fprintf(w, "\tcsum_inet_init(&csum_%d);\n", csumSeq)
					for i, chunk := range arg.Chunks {
						switch chunk.Kind {
						case prog.ExecArgCsumChunkData:
							fmt.Fprintf(w, "\tNONFAILING(csum_inet_update(&csum_%d, (const uint8_t*)0x%x, %d));\n", csumSeq, chunk.Value, chunk.Size)
						case prog.ExecArgCsumChunkConst:
							fmt.Fprintf(w, "\tuint%d_t csum_%d_chunk_%d = 0x%x;\n", chunk.Size*8, csumSeq, i, chunk.Value)
							fmt.Fprintf(w, "\tcsum_inet_update(&csum_%d, (const uint8_t*)&csum_%d_chunk_%d, %d);\n", csumSeq, csumSeq, i, chunk.Size)
						default:
							panic(fmt.Sprintf("unknown checksum chunk kind %v", chunk.Kind))
						}
					}
					fmt.Fprintf(w, "\tNONFAILING(*(uint16_t*)0x%x = csum_inet_digest(&csum_%d));\n", copyin.Addr, csumSeq)
				default:
					panic(fmt.Sprintf("unknown csum kind %v", arg.Kind))
				}
			default:
				panic(fmt.Sprintf("bad argument type: %+v", arg))
			}
		}

		// Call itself.
		if ctx.opts.Fault && ctx.opts.FaultCall == ci {
			fmt.Fprintf(w, "\twrite_file(\"/sys/kernel/debug/failslab/ignore-gfp-wait\", \"N\");\n")
			fmt.Fprintf(w, "\twrite_file(\"/sys/kernel/debug/fail_futex/ignore-private\", \"N\");\n")
			fmt.Fprintf(w, "\tinject_fault(%v);\n", ctx.opts.FaultNth)
		}
		callName := call.Meta.CallName
		resCopyout := call.Index != prog.ExecNoCopyout
		argCopyout := len(call.Copyout) != 0
		emitCall := ctx.opts.EnableTun || callName != "syz_emit_ethernet" &&
			callName != "syz_extract_tcp_res"
		// TODO: if we don't emit the call we must also not emit copyin, copyout and fault injection.
		// However, simply skipping whole iteration breaks tests due to unused static functions.
		if emitCall {
			native := !strings.HasPrefix(callName, "syz_")
			fmt.Fprintf(w, "\t")
			if argCopyout {
				fmt.Fprintf(w, "if (")
				if resCopyout {
					fmt.Fprintf(w, "(")
				}
			}
			if resCopyout {
				fmt.Fprintf(w, "r[%v] = ", call.Index)
			}
			if native {
				fmt.Fprintf(w, "syscall(%v%v", ctx.sysTarget.SyscallPrefix, callName)
			} else {
				fmt.Fprintf(w, "%v(", callName)
			}
			for ai, arg := range call.Args {
				if native || ai > 0 {
					fmt.Fprintf(w, ", ")
				}
				switch arg := arg.(type) {
				case prog.ExecArgConst:
					fmt.Fprintf(w, "0x%xul", arg.Value)
				case prog.ExecArgResult:
					fmt.Fprintf(w, "%v", resultRef(arg))
				default:
					panic(fmt.Sprintf("unknown arg type: %+v", arg))
				}
			}
			fmt.Fprintf(w, ")")
			if argCopyout {
				if resCopyout {
					fmt.Fprintf(w, ")")
				}
				fmt.Fprintf(w, " != -1) {")
			} else {
				fmt.Fprintf(w, ";")
			}
			fmt.Fprintf(w, "\n")
		}

		// Copyout.
		for _, copyout := range call.Copyout {
			fmt.Fprintf(w, "\t\tNONFAILING(r[%v] = *(uint%v_t*)0x%x);\n",
				copyout.Index, copyout.Size*8, copyout.Addr)
		}
		if emitCall && argCopyout {
			fmt.Fprintf(w, "\t}\n")
		}

		calls = append(calls, w.String())
	}
	return calls, p.NumVars
}

func toCString(data []byte) []byte {
	if len(data) == 0 {
		return nil
	}
	readable := true
	for i, v := range data {
		// Allow 0 only as last byte.
		if !isReadable(v) && (i != len(data)-1 || v != 0) {
			readable = false
			break
		}
	}
	if !readable {
		buf := new(bytes.Buffer)
		for _, v := range data {
			buf.Write([]byte{'\\', 'x', toHex(v >> 4), toHex(v << 4 >> 4)})
		}
		return buf.Bytes()
	}
	if data[len(data)-1] == 0 {
		// Don't serialize last 0, C strings are 0-terminated anyway.
		data = data[:len(data)-1]
	}
	buf := new(bytes.Buffer)
	for _, v := range data {
		switch v {
		case '\t':
			buf.Write([]byte{'\\', 't'})
		case '\r':
			buf.Write([]byte{'\\', 'r'})
		case '\n':
			buf.Write([]byte{'\\', 'n'})
		case '\\':
			buf.Write([]byte{'\\', '\\'})
		case '"':
			buf.Write([]byte{'\\', '"'})
		default:
			if v < 0x20 || v >= 0x7f {
				panic("unexpected char during data serialization")
			}
			buf.WriteByte(v)
		}
	}
	return buf.Bytes()
}

func isReadable(v byte) bool {
	return v >= 0x20 && v < 0x7f || v == '\t' || v == '\r' || v == '\n'
}

func toHex(v byte) byte {
	if v < 10 {
		return '0' + v
	}
	return 'a' + v - 10
}
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+								// Copyright 2015 syzkaller project authors. All rights reserved.
 								// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+								// Package csource generates [almost] equivalent C programs from syzkaller programs.
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+								package csource
 								import (
 									"bytes"
 									"fmt"
-												csource: don't use guard macros for debug() and NONFAILING()

											
										
										
											2017-06-06 11:52:57 +00:00
+									"regexp"
-												csource: reformat

											
										
										
											2015-12-23 12:50:02 +00:00
+									"strings"
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
 									"github.com/google/syzkaller/prog"
-												sys/targets: move targets from sys package

This breaks circular dependency between:
sysgen -> sys/linux -> sys -> sysgen
With this circular dependency it is very difficult to
update format of generated descriptions because sysgen does not build.

											
										
										
											2017-09-15 13:56:48 +00:00
+									"github.com/google/syzkaller/sys/targets"
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+								)
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+								func Write(p *prog.Prog, opts Options) ([]byte, error) {
-												pkg/csource, pkg/repro: filter out invalid options combinations

We currently have 2 invalid options combinations:
 - collide without threads
 - procs>1 without repeat
They are invalid in the sense that result of csource.Write
is the same for them. Filter out these combinations.
This cuts csource testing time in half and reduces repro minimization time.

											
										
										
											2017-08-09 10:57:23 +00:00
+									if err := opts.Check(); err != nil {
 										return nil, fmt.Errorf("csource: invalid opts: %v", err)
 									}
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+									ctx := &context{
 										p:         p,
 										opts:      opts,
 										target:    p.Target,
 										sysTarget: targets.List[p.Target.OS][p.Target.Arch],
 										w:         new(bytes.Buffer),
 										calls:     make(map[string]uint64),
-												all: spot optimizations

A bunch of spot optmizations after cpu/memory profiling:
1. Optimize hot-path coverage comparison in fuzzer.
2. Don't allocate and copy serialized program, serialize directly into shmem.
3. Reduce allocations during parsing of output shmem (encoding/binary sucks).
4. Don't allocate and copy coverage arrays, refer directly to the shmem region
   (we are not going to mutate them).
5. Don't validate programs outside of tests, validation allocates tons of memory.
6. Replace the choose primitive with simpler switches.
   Choose allocates fullload of memory (for int, func, and everything the func refers).
7. Other minor optimizations.

											
										
										
											2017-01-20 22:55:25 +00:00
+									}
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+									for _, c := range p.Calls {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+										ctx.calls[c.Meta.CallName] = c.Meta.NR
-												csource: teach how to execute pseudo syz_ syscalls

Update #59

											
										
										
											2016-08-28 14:33:32 +00:00
+									}
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
 									ctx.print("// autogenerated by syzkaller (http://github.com/google/syzkaller)\n\n")
-												pkg/csource: refactor

csource.go is too large and messy.
Move Build/Format into buid.go.
Move generation of common header into common.go.
Split generation of common header into smaller managable functions.

											
										
										
											2017-12-15 10:25:19 +00:00
+									hdr, err := createCommonHeader(p, opts)
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+									if err != nil {
 										return nil, err
 									}
-												pkg/csource: refactor

csource.go is too large and messy.
Move Build/Format into buid.go.
Move generation of common header into common.go.
Split generation of common header into smaller managable functions.

											
										
										
											2017-12-15 10:25:19 +00:00
+									ctx.w.Write(hdr)
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+									ctx.print("\n")
-												csource: teach how to execute pseudo syz_ syscalls

Update #59

											
										
										
											2016-08-28 14:33:32 +00:00
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+									ctx.generateSyscallDefines()
-												pkg/csource: support archs other than x86_64

											
										
										
											2017-09-14 19:27:56 +00:00
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+									exec := make([]byte, prog.ExecBufferSize)
 									progSize, err := ctx.p.SerializeForExec(exec, 0)
 									if err != nil {
 										return nil, fmt.Errorf("failed to serialize program: %v", err)
 									}
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+									decoded, err := ctx.target.DeserializeExec(exec[:progSize])
 									if err != nil {
 										return nil, err
 									}
 									calls, nvar := ctx.generateCalls(decoded)
-												prog: use dense indexes for copyout instructions

Fixes #174

											
										
										
											2017-12-16 11:38:49 +00:00
+									if nvar != 0 {
 										ctx.printf("long r[%v];\n", nvar)
 									}
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+									if !opts.Repeat {
-												prog: use dense indexes for copyout instructions

Fixes #174

											
										
										
											2017-12-16 11:38:49 +00:00
+										ctx.generateTestFunc(calls, nvar, "loop")
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+										ctx.print("int main()\n{\n")
-												csource: only handle SIGSEGV when necessary

											
										
										
											2017-05-18 12:54:02 +00:00
+										if opts.HandleSegv {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.printf("\tinstall_segv_handler();\n")
-												csource: only handle SIGSEGV when necessary

											
										
										
											2017-05-18 12:54:02 +00:00
+										}
-												csource: use tmp dir only when necessary

											
										
										
											2017-05-18 12:26:02 +00:00
+										if opts.UseTmpDir {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.printf("\tuse_temporary_dir();\n")
-												csource: use tmp dir only when necessary

											
										
										
											2017-05-18 12:26:02 +00:00
+										}
-												csource: use sandbox only when required

											
										
										
											2017-05-18 15:03:02 +00:00
+										if opts.Sandbox != "" {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.printf("\tint pid = do_sandbox_%v(0, %v);\n", opts.Sandbox, opts.EnableTun)
 											ctx.print("\tint status = 0;\n")
 											ctx.print("\twhile (waitpid(pid, &status, __WALL) != pid) {}\n")
-												csource: use sandbox only when required

											
										
										
											2017-05-18 15:03:02 +00:00
+										} else {
 											if opts.EnableTun {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+												ctx.printf("\tsetup_tun(0, %v);\n", opts.EnableTun)
-												csource: use sandbox only when required

											
										
										
											2017-05-18 15:03:02 +00:00
+											}
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.print("\tloop();\n")
-												csource: use sandbox only when required

											
										
										
											2017-05-18 15:03:02 +00:00
+										}
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+										ctx.print("\treturn 0;\n}\n")
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+									} else {
-												prog: use dense indexes for copyout instructions

Fixes #174

											
										
										
											2017-12-16 11:38:49 +00:00
+										ctx.generateTestFunc(calls, nvar, "test")
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+										if opts.Procs <= 1 {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.print("int main()\n{\n")
-												csource: only handle SIGSEGV when necessary

											
										
										
											2017-05-18 12:54:02 +00:00
+											if opts.HandleSegv {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+												ctx.printf("\tinstall_segv_handler();\n")
-												csource: only handle SIGSEGV when necessary

											
										
										
											2017-05-18 12:54:02 +00:00
+											}
-												csource: use tmp dir only when necessary

											
										
										
											2017-05-18 12:26:02 +00:00
+											if opts.UseTmpDir {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+												ctx.printf("\tuse_temporary_dir();\n")
-												csource: use tmp dir only when necessary

											
										
										
											2017-05-18 12:26:02 +00:00
+											}
-												csource: use sandbox only when required

											
										
										
											2017-05-18 15:03:02 +00:00
+											if opts.Sandbox != "" {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+												ctx.printf("\tint pid = do_sandbox_%v(0, %v);\n", opts.Sandbox, opts.EnableTun)
 												ctx.print("\tint status = 0;\n")
 												ctx.print("\twhile (waitpid(pid, &status, __WALL) != pid) {}\n")
-												csource: use sandbox only when required

											
										
										
											2017-05-18 15:03:02 +00:00
+											} else {
 												if opts.EnableTun {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+													ctx.printf("\tsetup_tun(0, %v);\n", opts.EnableTun)
-												csource: use sandbox only when required

											
										
										
											2017-05-18 15:03:02 +00:00
+												}
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+												ctx.print("\tloop();\n")
-												csource: use sandbox only when required

											
										
										
											2017-05-18 15:03:02 +00:00
+											}
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.print("\treturn 0;\n}\n")
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+										} else {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.print("int main()\n{\n")
 											ctx.print("\tint i;")
 											ctx.printf("\tfor (i = 0; i < %v; i++) {\n", opts.Procs)
 											ctx.print("\t\tif (fork() == 0) {\n")
-												csource: only handle SIGSEGV when necessary

											
										
										
											2017-05-18 12:54:02 +00:00
+											if opts.HandleSegv {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+												ctx.printf("\t\t\tinstall_segv_handler();\n")
-												csource: only handle SIGSEGV when necessary

											
										
										
											2017-05-18 12:54:02 +00:00
+											}
-												csource: use tmp dir only when necessary

											
										
										
											2017-05-18 12:26:02 +00:00
+											if opts.UseTmpDir {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+												ctx.printf("\t\t\tuse_temporary_dir();\n")
-												csource: use tmp dir only when necessary

											
										
										
											2017-05-18 12:26:02 +00:00
+											}
-												csource: use sandbox only when required

											
										
										
											2017-05-18 15:03:02 +00:00
+											if opts.Sandbox != "" {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+												ctx.printf("\t\t\tint pid = do_sandbox_%v(i, %v);\n", opts.Sandbox, opts.EnableTun)
 												ctx.print("\t\t\tint status = 0;\n")
 												ctx.print("\t\t\twhile (waitpid(pid, &status, __WALL) != pid) {}\n")
-												csource: use sandbox only when required

											
										
										
											2017-05-18 15:03:02 +00:00
+											} else {
 												if opts.EnableTun {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+													ctx.printf("\t\t\tsetup_tun(i, %v);\n", opts.EnableTun)
-												csource: use sandbox only when required

											
										
										
											2017-05-18 15:03:02 +00:00
+												}
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+												ctx.print("\t\t\tloop();\n")
-												csource: use sandbox only when required

											
										
										
											2017-05-18 15:03:02 +00:00
+											}
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.print("\t\t\treturn 0;\n")
 											ctx.print("\t\t}\n")
 											ctx.print("\t}\n")
 											ctx.print("\tsleep(1000000);\n")
 											ctx.print("\treturn 0;\n}\n")
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+										}
 									}
-												csource: don't use guard macros for debug() and NONFAILING()

											
										
										
											2017-06-06 11:52:57 +00:00
 									// Remove NONFAILING and debug calls.
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+									out0 := ctx.w.String()
-												csource: don't use guard macros for debug() and NONFAILING()

											
										
										
											2017-06-06 11:52:57 +00:00
+									if !opts.HandleSegv {
 										re := regexp.MustCompile(`\t*NONFAILING\((.*)\);\n`)
 										out0 = re.ReplaceAllString(out0, "$1;\n")
 									}
 									if !opts.Debug {
 										re := regexp.MustCompile(`\t*debug\(.*\);\n`)
 										out0 = re.ReplaceAllString(out0, "")
 										re = regexp.MustCompile(`\t*debug_dump_data\(.*\);\n`)
 										out0 = re.ReplaceAllString(out0, "")
 									}
-												executor, pkg/ipc: unify ipc protocol between linux and other OSes

We currently use more complex and functional protocol on linux,
and a simple ad-hoc protocol on other OSes.
This leads to code duplication in both ipc and executor.
Linux supports coverage, shared memory communication and fork server,
which would also be useful for most other OSes.

Unify communication protocol and parametrize it by
(1) use of shmem or only pipes, (2) use of fork server.

This reduces duplication in ipc and executor and will
allow to support the useful features for other OSes easily.

Finally, this fixes akaros support as it currently uses
syz-stress running on host (linux) and executor running on akaros.

											
										
										
											2017-10-16 10:18:50 +00:00
+									out0 = strings.Replace(out0, "NORETURN", "", -1)
-												csource: don't use guard macros for debug() and NONFAILING()

											
										
										
											2017-06-06 11:52:57 +00:00
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+									// Remove duplicate new lines.
-												csource: don't use guard macros for debug() and NONFAILING()

											
										
										
											2017-06-06 11:52:57 +00:00
+									out1 := []byte(out0)
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+									for {
-												csource: don't use guard macros for debug() and NONFAILING()

											
										
										
											2017-06-06 11:52:57 +00:00
+										out2 := bytes.Replace(out1, []byte{'\n', '\n', '\n'}, []byte{'\n', '\n'}, -1)
 										if len(out1) == len(out2) {
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+											break
 										}
-												csource: don't use guard macros for debug() and NONFAILING()

											
										
										
											2017-06-06 11:52:57 +00:00
+										out1 = out2
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+									}
-												csource: don't use guard macros for debug() and NONFAILING()

											
										
										
											2017-06-06 11:52:57 +00:00
 									return out1, nil
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+								}
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+								type context struct {
 									p         *prog.Prog
 									opts      Options
 									target    *prog.Target
 									sysTarget *targets.Target
 									w         *bytes.Buffer
 									calls     map[string]uint64 // CallName -> NR
 								}
 								func (ctx *context) print(str string) {
 									ctx.w.WriteString(str)
 								}
 								func (ctx *context) printf(str string, args ...interface{}) {
 									ctx.print(fmt.Sprintf(str, args...))
 								}
-												prog: use dense indexes for copyout instructions

Fixes #174

											
										
										
											2017-12-16 11:38:49 +00:00
+								func (ctx *context) generateTestFunc(calls []string, nvar uint64, name string) {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+									opts := ctx.opts
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+									if !opts.Threaded && !opts.Collide {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+										ctx.printf("void %v()\n{\n", name)
-												executor: fix clang-tidy warnings

A single check is enabled for now (misc-definitions-in-headers).
But it's always fixable and found 2 bugs in csource.

											
										
										
											2017-06-13 15:21:33 +00:00
+										if opts.Debug {
 											// Use debug to avoid: error: ‘debug’ defined but not used.
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.printf("\tdebug(\"%v\\n\");\n", name)
-												executor: fix clang-tidy warnings

A single check is enabled for now (misc-definitions-in-headers).
But it's always fixable and found 2 bugs in csource.

											
										
										
											2017-06-13 15:21:33 +00:00
+										}
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+										if opts.Repro {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.printf("\tsyscall(SYS_write, 1, \"executing program\\n\", strlen(\"executing program\\n\"));\n")
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+										}
-												prog: use dense indexes for copyout instructions

Fixes #174

											
										
										
											2017-12-16 11:38:49 +00:00
+										if nvar != 0 {
 											ctx.printf("\tmemset(r, -1, sizeof(r));\n")
 										}
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+										for _, c := range calls {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.printf("%s", c)
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+										}
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+										ctx.printf("}\n\n")
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+									} else {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+										ctx.printf("void *thr(void *arg)\n{\n")
 										ctx.printf("\tswitch ((long)arg) {\n")
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+										for i, c := range calls {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.printf("\tcase %v:\n", i)
 											ctx.printf("%s", strings.Replace(c, "\t", "\t\t", -1))
 											ctx.printf("\t\tbreak;\n")
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+										}
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+										ctx.printf("\t}\n")
 										ctx.printf("\treturn 0;\n}\n\n")
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+										ctx.printf("void %v()\n{\n", name)
 										ctx.printf("\tlong i;\n")
 										ctx.printf("\tpthread_t th[%v];\n", 2*len(calls))
-												pkg/csource: limit thread stacks

We always set RLIMIT_AS to 128MB. I've debugged a program with 21 syscalls.
With collide it creates 42 threads. With default stack size of 8MB this
requires: 42*8 = 336MB. Thread creation fails and nothing works.
Limit thread stacks the same way executor does.

Fixes #488

											
										
										
											2017-12-21 14:01:12 +00:00
+										ctx.printf("\tpthread_attr_t attr;\n")
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+										ctx.printf("\n")
-												executor: fix clang-tidy warnings

A single check is enabled for now (misc-definitions-in-headers).
But it's always fixable and found 2 bugs in csource.

											
										
										
											2017-06-13 15:21:33 +00:00
+										if opts.Debug {
 											// Use debug to avoid: error: ‘debug’ defined but not used.
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.printf("\tdebug(\"%v\\n\");\n", name)
-												executor: fix clang-tidy warnings

A single check is enabled for now (misc-definitions-in-headers).
But it's always fixable and found 2 bugs in csource.

											
										
										
											2017-06-13 15:21:33 +00:00
+										}
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+										if opts.Repro {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.printf("\tsyscall(SYS_write, 1, \"executing program\\n\", strlen(\"executing program\\n\"));\n")
-												repro: factor out of syz-repro tool

Factor out repro logic from syz-repro tool,
so that it can be used in syz-manager.
Also, support sandboxes in code generated by
csoure. This is required to reproduce crashes
that require e.g. namespace sandbox.

											
										
										
											2016-10-18 19:07:40 +00:00
+										}
-												prog: use dense indexes for copyout instructions

Fixes #174

											
										
										
											2017-12-16 11:38:49 +00:00
+										if nvar != 0 {
 											ctx.printf("\tmemset(r, -1, sizeof(r));\n")
 										}
-												csource: generate includes when necessary

											
										
										
											2017-05-29 13:15:39 +00:00
+										if opts.Collide {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.printf("\tsrand(getpid());\n")
-												csource: generate includes when necessary

											
										
										
											2017-05-29 13:15:39 +00:00
+										}
-												pkg/csource: limit thread stacks

We always set RLIMIT_AS to 128MB. I've debugged a program with 21 syscalls.
With collide it creates 42 threads. With default stack size of 8MB this
requires: 42*8 = 336MB. Thread creation fails and nothing works.
Limit thread stacks the same way executor does.

Fixes #488

											
										
										
											2017-12-21 14:01:12 +00:00
+										ctx.printf("\tpthread_attr_init(&attr);\n")
 										ctx.printf("\tpthread_attr_setstacksize(&attr, 128 << 10);\n")
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+										ctx.printf("\tfor (i = 0; i < %v; i++) {\n", len(calls))
-												pkg/csource: limit thread stacks

We always set RLIMIT_AS to 128MB. I've debugged a program with 21 syscalls.
With collide it creates 42 threads. With default stack size of 8MB this
requires: 42*8 = 336MB. Thread creation fails and nothing works.
Limit thread stacks the same way executor does.

Fixes #488

											
										
										
											2017-12-21 14:01:12 +00:00
+										ctx.printf("\t\tpthread_create(&th[i], &attr, thr, (void*)i);\n")
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+										ctx.printf("\t\tusleep(rand()%%10000);\n")
 										ctx.printf("\t}\n")
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+										if opts.Collide {
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.printf("\tfor (i = 0; i < %v; i++) {\n", len(calls))
-												pkg/csource: limit thread stacks

We always set RLIMIT_AS to 128MB. I've debugged a program with 21 syscalls.
With collide it creates 42 threads. With default stack size of 8MB this
requires: 42*8 = 336MB. Thread creation fails and nothing works.
Limit thread stacks the same way executor does.

Fixes #488

											
										
										
											2017-12-21 14:01:12 +00:00
+											ctx.printf("\t\tpthread_create(&th[%v+i], &attr, thr, (void*)i);\n", len(calls))
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+											ctx.printf("\t\tif (rand()%%2)\n")
 											ctx.printf("\t\t\tusleep(rand()%%10000);\n")
 											ctx.printf("\t}\n")
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+										}
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+										ctx.printf("\tusleep(rand()%%100000);\n")
 										ctx.printf("}\n\n")
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+									}
 								}
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+								func (ctx *context) generateSyscallDefines() {
 									prefix := ctx.sysTarget.SyscallPrefix
 									for name, nr := range ctx.calls {
 										if strings.HasPrefix(name, "syz_") || !ctx.sysTarget.NeedSyscallDefine(nr) {
 											continue
 										}
 										ctx.printf("#ifndef %v%v\n", prefix, name)
 										ctx.printf("#define %v%v %v\n", prefix, name, nr)
 										ctx.printf("#endif\n")
 									}
 									if ctx.target.OS == "linux" && ctx.target.PtrSize == 4 {
 										// This is a dirty hack.
 										// On 32-bit linux mmap translated to old_mmap syscall which has a different signature.
-												sys/syz-extract: fix mmap on arm

__NR_mmap is missing on arm entirely,
so we disable mmap during generate.
Patch mmap to mmap2 right in syz-extract,
so that mmap is never missing.

											
										
										
											2017-11-23 07:51:04 +00:00
+										// mmap2 has the right signature. syz-extract translates mmap to mmap2, do the same here.
-												pkg/csource: support akaros

											
										
										
											2017-10-15 09:15:27 +00:00
+										ctx.printf("#undef __NR_mmap\n")
 										ctx.printf("#define __NR_mmap __NR_mmap2\n")
 									}
 									ctx.printf("\n")
 								}
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+								func (ctx *context) generateCalls(p prog.ExecProg) ([]string, uint64) {
 									resultRef := func(arg prog.ExecArgResult) string {
 										res := fmt.Sprintf("r[%v]", arg.Index)
 										if arg.DivOp != 0 {
 											res = fmt.Sprintf("%v/%v", res, arg.DivOp)
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+										}
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+										if arg.AddOp != 0 {
 											res = fmt.Sprintf("%v+%v", res, arg.AddOp)
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+										}
 										return res
 									}
 									var calls []string
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+									csumSeq := 0
 									for ci, call := range p.Calls {
 										w := new(bytes.Buffer)
 										// Copyin.
 										for _, copyin := range call.Copyin {
 											switch arg := copyin.Arg.(type) {
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+											case prog.ExecArgConst:
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+												if arg.BitfieldOffset == 0 && arg.BitfieldLength == 0 {
 													fmt.Fprintf(w, "\tNONFAILING(*(uint%v_t*)0x%x = (uint%v_t)0x%x);\n",
 														arg.Size*8, copyin.Addr, arg.Size*8, arg.Value)
-												prog: add bitfields to templates

Now it's possible to use `int32:18` to denote a bitfield of size 18 as a struct field.

This fixes #72.

											
										
										
											2017-01-10 15:45:52 +00:00
+												} else {
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+													fmt.Fprintf(w, "\tNONFAILING(STORE_BY_BITMASK(uint%v_t, 0x%x, 0x%x, %v, %v));\n",
 														arg.Size*8, copyin.Addr, arg.Value, arg.BitfieldOffset, arg.BitfieldLength)
-												prog: add bitfields to templates

Now it's possible to use `int32:18` to denote a bitfield of size 18 as a struct field.

This fixes #72.

											
										
										
											2017-01-10 15:45:52 +00:00
+												}
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+											case prog.ExecArgResult:
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+												fmt.Fprintf(w, "\tNONFAILING(*(uint%v_t*)0x%x = %v);\n",
 													arg.Size*8, copyin.Addr, resultRef(arg))
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+											case prog.ExecArgData:
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+												fmt.Fprintf(w, "\tNONFAILING(memcpy((void*)0x%x, \"%s\", %v));\n",
-												pkg/csource: make strings more readable

If string contains a file name or a crypto alg name,
don't escape it all to hex.

											
										
										
											2017-12-17 09:55:35 +00:00
+													copyin.Addr, toCString(arg.Data), len(arg.Data))
-												prog, executor: move checksum computation to executor

This commit moves checksum computation to executor. This will allow to embed
dynamically generated values (like TCP sequence numbers) into packets.

											
										
										
											2017-04-27 18:31:00 +00:00
+											case prog.ExecArgCsum:
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+												switch arg.Kind {
-												prog, executor: move checksum computation to executor

This commit moves checksum computation to executor. This will allow to embed
dynamically generated values (like TCP sequence numbers) into packets.

											
										
										
											2017-04-27 18:31:00 +00:00
+												case prog.ExecArgCsumInet:
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+													csumSeq++
 													fmt.Fprintf(w, "\tstruct csum_inet csum_%d;\n", csumSeq)
 													fmt.Fprintf(w, "\tcsum_inet_init(&csum_%d);\n", csumSeq)
 													for i, chunk := range arg.Chunks {
 														switch chunk.Kind {
-												prog, executor: move checksum computation to executor

This commit moves checksum computation to executor. This will allow to embed
dynamically generated values (like TCP sequence numbers) into packets.

											
										
										
											2017-04-27 18:31:00 +00:00
+														case prog.ExecArgCsumChunkData:
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+															fmt.Fprintf(w, "\tNONFAILING(csum_inet_update(&csum_%d, (const uint8_t*)0x%x, %d));\n", csumSeq, chunk.Value, chunk.Size)
-												prog, executor: move checksum computation to executor

This commit moves checksum computation to executor. This will allow to embed
dynamically generated values (like TCP sequence numbers) into packets.

											
										
										
											2017-04-27 18:31:00 +00:00
+														case prog.ExecArgCsumChunkConst:
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+															fmt.Fprintf(w, "\tuint%d_t csum_%d_chunk_%d = 0x%x;\n", chunk.Size*8, csumSeq, i, chunk.Value)
 															fmt.Fprintf(w, "\tcsum_inet_update(&csum_%d, (const uint8_t*)&csum_%d_chunk_%d, %d);\n", csumSeq, csumSeq, i, chunk.Size)
-												prog, executor: move checksum computation to executor

This commit moves checksum computation to executor. This will allow to embed
dynamically generated values (like TCP sequence numbers) into packets.

											
										
										
											2017-04-27 18:31:00 +00:00
+														default:
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+															panic(fmt.Sprintf("unknown checksum chunk kind %v", chunk.Kind))
-												prog, executor: move checksum computation to executor

This commit moves checksum computation to executor. This will allow to embed
dynamically generated values (like TCP sequence numbers) into packets.

											
										
										
											2017-04-27 18:31:00 +00:00
+														}
 													}
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+													fmt.Fprintf(w, "\tNONFAILING(*(uint16_t*)0x%x = csum_inet_digest(&csum_%d));\n", copyin.Addr, csumSeq)
-												prog, executor: move checksum computation to executor

This commit moves checksum computation to executor. This will allow to embed
dynamically generated values (like TCP sequence numbers) into packets.

											
										
										
											2017-04-27 18:31:00 +00:00
+												default:
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+													panic(fmt.Sprintf("unknown csum kind %v", arg.Kind))
-												prog, executor: move checksum computation to executor

This commit moves checksum computation to executor. This will allow to embed
dynamically generated values (like TCP sequence numbers) into packets.

											
										
										
											2017-04-27 18:31:00 +00:00
+												}
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+											default:
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+												panic(fmt.Sprintf("bad argument type: %+v", arg))
-												csource: don't generate execute_syscall calls

											
										
										
											2017-05-19 13:53:19 +00:00
+											}
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+										}
 										// Call itself.
 										if ctx.opts.Fault && ctx.opts.FaultCall == ci {
 											fmt.Fprintf(w, "\twrite_file(\"/sys/kernel/debug/failslab/ignore-gfp-wait\", \"N\");\n")
 											fmt.Fprintf(w, "\twrite_file(\"/sys/kernel/debug/fail_futex/ignore-private\", \"N\");\n")
 											fmt.Fprintf(w, "\tinject_fault(%v);\n", ctx.opts.FaultNth)
 										}
 										callName := call.Meta.CallName
-												prog: use dense indexes for copyout instructions

Fixes #174

											
										
										
											2017-12-16 11:38:49 +00:00
+										resCopyout := call.Index != prog.ExecNoCopyout
 										argCopyout := len(call.Copyout) != 0
 										emitCall := ctx.opts.EnableTun || callName != "syz_emit_ethernet" &&
 											callName != "syz_extract_tcp_res"
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+										// TODO: if we don't emit the call we must also not emit copyin, copyout and fault injection.
 										// However, simply skipping whole iteration breaks tests due to unused static functions.
-												prog: use dense indexes for copyout instructions

Fixes #174

											
										
										
											2017-12-16 11:38:49 +00:00
+										if emitCall {
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+											native := !strings.HasPrefix(callName, "syz_")
-												prog: use dense indexes for copyout instructions

Fixes #174

											
										
										
											2017-12-16 11:38:49 +00:00
+											fmt.Fprintf(w, "\t")
 											if argCopyout {
 												fmt.Fprintf(w, "if (")
 												if resCopyout {
 													fmt.Fprintf(w, "(")
 												}
 											}
 											if resCopyout {
 												fmt.Fprintf(w, "r[%v] = ", call.Index)
 											}
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+											if native {
-												prog: use dense indexes for copyout instructions

Fixes #174

											
										
										
											2017-12-16 11:38:49 +00:00
+												fmt.Fprintf(w, "syscall(%v%v", ctx.sysTarget.SyscallPrefix, callName)
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+											} else {
-												prog: use dense indexes for copyout instructions

Fixes #174

											
										
										
											2017-12-16 11:38:49 +00:00
+												fmt.Fprintf(w, "%v(", callName)
-												csource: don't generate execute_syscall calls

											
										
										
											2017-05-19 13:53:19 +00:00
+											}
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+											for ai, arg := range call.Args {
 												if native || ai > 0 {
-												csource: don't generate execute_syscall calls

											
										
										
											2017-05-19 13:53:19 +00:00
+													fmt.Fprintf(w, ", ")
 												}
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+												switch arg := arg.(type) {
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+												case prog.ExecArgConst:
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+													fmt.Fprintf(w, "0x%xul", arg.Value)
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+												case prog.ExecArgResult:
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+													fmt.Fprintf(w, "%v", resultRef(arg))
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+												default:
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+													panic(fmt.Sprintf("unknown arg type: %+v", arg))
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+												}
 											}
-												prog: use dense indexes for copyout instructions

Fixes #174

											
										
										
											2017-12-16 11:38:49 +00:00
+											fmt.Fprintf(w, ")")
 											if argCopyout {
 												if resCopyout {
 													fmt.Fprintf(w, ")")
 												}
 												fmt.Fprintf(w, " != -1) {")
 											} else {
 												fmt.Fprintf(w, ";")
 											}
 											fmt.Fprintf(w, "\n")
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+										}
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
 										// Copyout.
 										for _, copyout := range call.Copyout {
 											fmt.Fprintf(w, "\t\tNONFAILING(r[%v] = *(uint%v_t*)0x%x);\n",
 												copyout.Index, copyout.Size*8, copyout.Addr)
 										}
-												prog: use dense indexes for copyout instructions

Fixes #174

											
										
										
											2017-12-16 11:38:49 +00:00
+										if emitCall && argCopyout {
 											fmt.Fprintf(w, "\t}\n")
 										}
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
 										calls = append(calls, w.String())
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+									}
-												prog: add DeserializeExec

Factor out program parsing from pkg/csource.
csource code that parses program and at the same time
formats output is very messy and complex.
New aproach also allows to understand e.g.
when a call has copyout instructions which is
useful for better C source output.

											
										
										
											2017-12-15 12:42:28 +00:00
+									return calls, p.NumVars
-												csource: new package

Move C source generation into a separate package.
Prog is too bloated already.

											
										
										
											2015-12-23 12:38:31 +00:00
+								}
-												pkg/csource: make strings more readable

If string contains a file name or a crypto alg name,
don't escape it all to hex.

											
										
										
											2017-12-17 09:55:35 +00:00
 								func toCString(data []byte) []byte {
 									if len(data) == 0 {
 										return nil
 									}
 									readable := true
 									for i, v := range data {
 										// Allow 0 only as last byte.
 										if !isReadable(v) && (i != len(data)-1 || v != 0) {
 											readable = false
 											break
 										}
 									}
 									if !readable {
 										buf := new(bytes.Buffer)
 										for _, v := range data {
 											buf.Write([]byte{'\\', 'x', toHex(v >> 4), toHex(v << 4 >> 4)})
 										}
 										return buf.Bytes()
 									}
 									if data[len(data)-1] == 0 {
 										// Don't serialize last 0, C strings are 0-terminated anyway.
 										data = data[:len(data)-1]
 									}
 									buf := new(bytes.Buffer)
 									for _, v := range data {
 										switch v {
 										case '\t':
 											buf.Write([]byte{'\\', 't'})
 										case '\r':
 											buf.Write([]byte{'\\', 'r'})
 										case '\n':
 											buf.Write([]byte{'\\', 'n'})
 										case '\\':
 											buf.Write([]byte{'\\', '\\'})
-												pkg/csource: fix string escaping bug

											
										
										
											2017-12-22 10:59:09 +00:00
+										case '"':
 											buf.Write([]byte{'\\', '"'})
-												pkg/csource: make strings more readable

If string contains a file name or a crypto alg name,
don't escape it all to hex.

											
										
										
											2017-12-17 09:55:35 +00:00
+										default:
 											if v < 0x20 || v >= 0x7f {
 												panic("unexpected char during data serialization")
 											}
 											buf.WriteByte(v)
 										}
 									}
 									return buf.Bytes()
 								}
 								func isReadable(v byte) bool {
 									return v >= 0x20 && v < 0x7f || v == '\t' || v == '\r' || v == '\n'
 								}
 								func toHex(v byte) byte {
 									if v < 10 {
 										return '0' + v
 									}
 									return 'a' + v - 10
 								}