syzkaller/prog/analysis.go

// Copyright 2015 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

// Conservative resource-related analysis of programs.
// The analysis figures out what files descriptors are [potentially] opened
// at a particular point in program, what pages are [potentially] mapped,
// what files were already referenced in calls, etc.

package prog

import (
	"fmt"
)

const (
	maxPages = 4 << 10
)

type state struct {
	target    *Target
	ct        *ChoiceTable
	files     map[string]bool
	resources map[string][]Arg
	strings   map[string]bool
	pages     [maxPages]bool
}

// analyze analyzes the program p up to but not including call c.
func analyze(ct *ChoiceTable, p *Prog, c *Call) *state {
	s := newState(p.Target, ct)
	for _, c1 := range p.Calls {
		if c1 == c {
			break
		}
		s.analyze(c1)
	}
	return s
}

func newState(target *Target, ct *ChoiceTable) *state {
	s := &state{
		target:    target,
		ct:        ct,
		files:     make(map[string]bool),
		resources: make(map[string][]Arg),
		strings:   make(map[string]bool),
	}
	return s
}

func (s *state) analyze(c *Call) {
	ForeachArg(c, func(arg Arg, _ *ArgCtx) {
		switch typ := arg.Type().(type) {
		case *ResourceType:
			if typ.Dir() != DirIn {
				s.resources[typ.Desc.Name] = append(s.resources[typ.Desc.Name], arg)
				// TODO: negative PIDs and add them as well (that's process groups).
			}
		case *BufferType:
			a := arg.(*DataArg)
			if typ.Dir() != DirOut && len(a.Data()) != 0 {
				switch typ.Kind {
				case BufferString:
					s.strings[string(a.Data())] = true
				case BufferFilename:
					s.files[string(a.Data())] = true
				}
			}
		}
	})
	start, npages, mapped := s.target.AnalyzeMmap(c)
	if npages != 0 {
		if start+npages > uint64(len(s.pages)) {
			panic(fmt.Sprintf("address is out of bounds: page=%v len=%v bound=%v",
				start, npages, len(s.pages)))
		}
		for i := uint64(0); i < npages; i++ {
			s.pages[start+i] = mapped
		}
	}
}

type ArgCtx struct {
	Parent *[]Arg      // GroupArg.Inner (for structs) or Call.Args containing this arg
	Base   *PointerArg // pointer to the base of the heap object containing this arg
	Offset uint64      // offset of this arg from the base
	Stop   bool        // if set by the callback, subargs of this arg are not visited
}

func ForeachSubArg(arg Arg, f func(Arg, *ArgCtx)) {
	foreachArgImpl(arg, ArgCtx{}, f)
}

func ForeachArg(c *Call, f func(Arg, *ArgCtx)) {
	ctx := ArgCtx{}
	if c.Ret != nil {
		foreachArgImpl(c.Ret, ctx, f)
	}
	ctx.Parent = &c.Args
	for _, arg := range c.Args {
		foreachArgImpl(arg, ctx, f)
	}
}

func foreachArgImpl(arg Arg, ctx ArgCtx, f func(Arg, *ArgCtx)) {
	f(arg, &ctx)
	if ctx.Stop {
		return
	}
	switch a := arg.(type) {
	case *GroupArg:
		if _, ok := a.Type().(*StructType); ok {
			ctx.Parent = &a.Inner
		}
		var totalSize uint64
		for _, arg1 := range a.Inner {
			foreachArgImpl(arg1, ctx, f)
			if !arg1.Type().BitfieldMiddle() {
				size := arg1.Size()
				ctx.Offset += size
				totalSize += size
			}
		}
		if totalSize > a.Size() {
			panic(fmt.Sprintf("bad group arg size %v, should be <= %v for %+v",
				totalSize, a.Size(), a))
		}
	case *PointerArg:
		if a.Res != nil {
			ctx.Base = a
			ctx.Offset = 0
			foreachArgImpl(a.Res, ctx, f)
		}
	case *UnionArg:
		foreachArgImpl(a.Option, ctx, f)
	}
}

func RequiredFeatures(p *Prog) (bitmasks, csums bool) {
	for _, c := range p.Calls {
		ForeachArg(c, func(arg Arg, _ *ArgCtx) {
			if a, ok := arg.(*ConstArg); ok {
				if a.Type().BitfieldOffset() != 0 || a.Type().BitfieldLength() != 0 {
					bitmasks = true
				}
			}
			if _, ok := arg.Type().(*CsumType); ok {
				csums = true
			}
		})
	}
	return
}
initial commit 2015-10-12 08:16:57 +00:00			`// Copyright 2015 syzkaller project authors. All rights reserved.`
			`// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.`

			`// Conservative resource-related analysis of programs.`
			`// The analysis figures out what files descriptors are [potentially] opened`
			`// at a particular point in program, what pages are [potentially] mapped,`
			`// what files were already referenced in calls, etc.`

			`package prog`

			`import (`
			`"fmt"`
			`)`

			`const (`
			`maxPages = 4 << 10`
			`)`

			`type state struct {`
prog: remove default target and all global state Now each prog function accepts the desired target explicitly. No global, implicit state involved. This is much cleaner and allows cross-OS/arch testing, etc. 2017-09-14 17:25:01 +00:00			`target *Target`
initial support for call priorities 2015-10-14 14:55:09 +00:00			`ct *ChoiceTable`
			`files map[string]bool`
prog: split Arg into smaller structs Right now Arg is a huge struct (160 bytes), which has many different fields used for different arg kinds. Since most of the args we see in a typical corpus are ArgConst, this results in a significant memory overuse. This change: - makes Arg an interface instead of a struct - adds a SomethingArg struct for each arg kind we have - converts all *Arg pointers into just Arg, since interface variable by itself contains a pointer to the actual data - removes ArgPageSize, now ConstArg is used instead - consolidates correspondence between arg kinds and types, see comments before each SomethingArg struct definition - now LenType args that denote the length of VmaType args are serialized as "0x1000" instead of "(0x1000)"; to preserve backwards compatibility syzkaller is able to parse the old format for now - multiple small changes all over to make the above work After this change syzkaller uses twice less memory after deserializing a typical corpus. 2017-07-11 14:49:08 +00:00			`resources map[string][]Arg`
initial support for call priorities 2015-10-14 14:55:09 +00:00			`strings map[string]bool`
			`pages [maxPages]bool`
initial commit 2015-10-12 08:16:57 +00:00			`}`

			`// analyze analyzes the program p up to but not including call c.`
initial support for call priorities 2015-10-14 14:55:09 +00:00			`func analyze(ct ChoiceTable, p Prog, c Call) state {`
prog: remove default target and all global state Now each prog function accepts the desired target explicitly. No global, implicit state involved. This is much cleaner and allows cross-OS/arch testing, etc. 2017-09-14 17:25:01 +00:00			`s := newState(p.Target, ct)`
initial commit 2015-10-12 08:16:57 +00:00			`for _, c1 := range p.Calls {`
			`if c1 == c {`
			`break`
			`}`
			`s.analyze(c1)`
			`}`
			`return s`
			`}`

prog: remove default target and all global state Now each prog function accepts the desired target explicitly. No global, implicit state involved. This is much cleaner and allows cross-OS/arch testing, etc. 2017-09-14 17:25:01 +00:00			`func newState(target Target, ct ChoiceTable) *state {`
initial commit 2015-10-12 08:16:57 +00:00			`s := &state{`
prog: remove default target and all global state Now each prog function accepts the desired target explicitly. No global, implicit state involved. This is much cleaner and allows cross-OS/arch testing, etc. 2017-09-14 17:25:01 +00:00			`target: target,`
initial support for call priorities 2015-10-14 14:55:09 +00:00			`ct: ct,`
			`files: make(map[string]bool),`
prog: split Arg into smaller structs Right now Arg is a huge struct (160 bytes), which has many different fields used for different arg kinds. Since most of the args we see in a typical corpus are ArgConst, this results in a significant memory overuse. This change: - makes Arg an interface instead of a struct - adds a SomethingArg struct for each arg kind we have - converts all *Arg pointers into just Arg, since interface variable by itself contains a pointer to the actual data - removes ArgPageSize, now ConstArg is used instead - consolidates correspondence between arg kinds and types, see comments before each SomethingArg struct definition - now LenType args that denote the length of VmaType args are serialized as "0x1000" instead of "(0x1000)"; to preserve backwards compatibility syzkaller is able to parse the old format for now - multiple small changes all over to make the above work After this change syzkaller uses twice less memory after deserializing a typical corpus. 2017-07-11 14:49:08 +00:00			`resources: make(map[string][]Arg),`
initial support for call priorities 2015-10-14 14:55:09 +00:00			`strings: make(map[string]bool),`
initial commit 2015-10-12 08:16:57 +00:00			`}`
			`return s`
			`}`

			`func (s state) analyze(c Call) {`
prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset. 2018-02-18 12:49:48 +00:00			`ForeachArg(c, func(arg Arg, _ *ArgCtx) {`
prog: split Arg into smaller structs Right now Arg is a huge struct (160 bytes), which has many different fields used for different arg kinds. Since most of the args we see in a typical corpus are ArgConst, this results in a significant memory overuse. This change: - makes Arg an interface instead of a struct - adds a SomethingArg struct for each arg kind we have - converts all *Arg pointers into just Arg, since interface variable by itself contains a pointer to the actual data - removes ArgPageSize, now ConstArg is used instead - consolidates correspondence between arg kinds and types, see comments before each SomethingArg struct definition - now LenType args that denote the length of VmaType args are serialized as "0x1000" instead of "(0x1000)"; to preserve backwards compatibility syzkaller is able to parse the old format for now - multiple small changes all over to make the above work After this change syzkaller uses twice less memory after deserializing a typical corpus. 2017-07-11 14:49:08 +00:00			`switch typ := arg.Type().(type) {`
prog: dot-import sys In preparation for moving sys types to prog to reduce later diffs. 2017-09-05 08:46:34 +00:00			`case *ResourceType:`
			`if typ.Dir() != DirIn {`
sys: specify resources in text descriptions Currently to add a new resource one needs to modify multiple source files, which complicates descirption of new system calls. Move resource descriptions from source code to text desciptions. 2016-08-27 16:27:50 +00:00			`s.resources[typ.Desc.Name] = append(s.resources[typ.Desc.Name], arg)`
			`// TODO: negative PIDs and add them as well (that's process groups).`
initial commit 2015-10-12 08:16:57 +00:00			`}`
prog: dot-import sys In preparation for moving sys types to prog to reduce later diffs. 2017-09-05 08:46:34 +00:00			`case *BufferType:`
prog: split Arg into smaller structs Right now Arg is a huge struct (160 bytes), which has many different fields used for different arg kinds. Since most of the args we see in a typical corpus are ArgConst, this results in a significant memory overuse. This change: - makes Arg an interface instead of a struct - adds a SomethingArg struct for each arg kind we have - converts all *Arg pointers into just Arg, since interface variable by itself contains a pointer to the actual data - removes ArgPageSize, now ConstArg is used instead - consolidates correspondence between arg kinds and types, see comments before each SomethingArg struct definition - now LenType args that denote the length of VmaType args are serialized as "0x1000" instead of "(0x1000)"; to preserve backwards compatibility syzkaller is able to parse the old format for now - multiple small changes all over to make the above work After this change syzkaller uses twice less memory after deserializing a typical corpus. 2017-07-11 14:49:08 +00:00			`a := arg.(*DataArg)`
prog: don't serialize output data args Fixes #188 We now will write just ""/1000 to denote a 1000-byte output buffer. Also we now don't store 1000-byte buffer in memory just to denote size. Old format is still parsed. 2017-12-13 19:12:13 +00:00			`if typ.Dir() != DirOut && len(a.Data()) != 0 {`
sys: replace FilenameType with BufferType{Kind: BufferFilename} FilenameType is effectively a buffer, there is no need for a separate type. 2016-10-29 21:55:35 +00:00			`switch typ.Kind {`
prog: dot-import sys In preparation for moving sys types to prog to reduce later diffs. 2017-09-05 08:46:34 +00:00			`case BufferString:`
prog: don't serialize output data args Fixes #188 We now will write just ""/1000 to denote a 1000-byte output buffer. Also we now don't store 1000-byte buffer in memory just to denote size. Old format is still parsed. 2017-12-13 19:12:13 +00:00			`s.strings[string(a.Data())] = true`
prog: dot-import sys In preparation for moving sys types to prog to reduce later diffs. 2017-09-05 08:46:34 +00:00			`case BufferFilename:`
prog: don't serialize output data args Fixes #188 We now will write just ""/1000 to denote a 1000-byte output buffer. Also we now don't store 1000-byte buffer in memory just to denote size. Old format is still parsed. 2017-12-13 19:12:13 +00:00			`s.files[string(a.Data())] = true`
sys: replace FilenameType with BufferType{Kind: BufferFilename} FilenameType is effectively a buffer, there is no need for a separate type. 2016-10-29 21:55:35 +00:00			`}`
initial commit 2015-10-12 08:16:57 +00:00			`}`
			`}`
			`})`
prog: remove default target and all global state Now each prog function accepts the desired target explicitly. No global, implicit state involved. This is much cleaner and allows cross-OS/arch testing, etc. 2017-09-14 17:25:01 +00:00			`start, npages, mapped := s.target.AnalyzeMmap(c)`
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191 2017-09-05 11:31:14 +00:00			`if npages != 0 {`
			`if start+npages > uint64(len(s.pages)) {`
			`panic(fmt.Sprintf("address is out of bounds: page=%v len=%v bound=%v",`
			`start, npages, len(s.pages)))`
initial commit 2015-10-12 08:16:57 +00:00			`}`
prog, sys: move types to prog Large overhaul moves syscalls and arg types from sys to prog. Sys package now depends on prog and contains only generated descriptions of syscalls. Introduce prog.Target type that encapsulates all targer properties, like syscall list, ptr/page size, etc. Also moves OS-dependent pieces like mmap call generation from prog to sys. Update #191 2017-09-05 11:31:14 +00:00			`for i := uint64(0); i < npages; i++ {`
			`s.pages[start+i] = mapped`
support iocb pointers as resources 2015-10-13 15:06:01 +00:00			`}`
initial commit 2015-10-12 08:16:57 +00:00			`}`
			`}`

prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset. 2018-02-18 12:49:48 +00:00			`type ArgCtx struct {`
			`Parent *[]Arg // GroupArg.Inner (for structs) or Call.Args containing this arg`
			`Base *PointerArg // pointer to the base of the heap object containing this arg`
			`Offset uint64 // offset of this arg from the base`
			`Stop bool // if set by the callback, subargs of this arg are not visited`
prog: implement mutation of union args 2015-12-31 14:24:08 +00:00			`}`

prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset. 2018-02-18 12:49:48 +00:00			`func ForeachSubArg(arg Arg, f func(Arg, *ArgCtx)) {`
			`foreachArgImpl(arg, ArgCtx{}, f)`
prog: implement mutation of union args 2015-12-31 14:24:08 +00:00			`}`

prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset. 2018-02-18 12:49:48 +00:00			`func ForeachArg(c Call, f func(Arg, ArgCtx)) {`
			`ctx := ArgCtx{}`
			`if c.Ret != nil {`
			`foreachArgImpl(c.Ret, ctx, f)`
initial commit 2015-10-12 08:16:57 +00:00			`}`
prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset. 2018-02-18 12:49:48 +00:00			`ctx.Parent = &c.Args`
			`for _, arg := range c.Args {`
			`foreachArgImpl(arg, ctx, f)`
initial commit 2015-10-12 08:16:57 +00:00			`}`
			`}`

prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset. 2018-02-18 12:49:48 +00:00			`func foreachArgImpl(arg Arg, ctx ArgCtx, f func(Arg, *ArgCtx)) {`
			`f(arg, &ctx)`
			`if ctx.Stop {`
			`return`
			`}`
			`switch a := arg.(type) {`
			`case *GroupArg:`
			`if _, ok := a.Type().(*StructType); ok {`
			`ctx.Parent = &a.Inner`
			`}`
prog: merge foreachSubargOffset into foreachArgImpl 2018-02-18 13:12:50 +00:00			`var totalSize uint64`
prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset. 2018-02-18 12:49:48 +00:00			`for _, arg1 := range a.Inner {`
			`foreachArgImpl(arg1, ctx, f)`
prog: merge foreachSubargOffset into foreachArgImpl 2018-02-18 13:12:50 +00:00			`if !arg1.Type().BitfieldMiddle() {`
			`size := arg1.Size()`
			`ctx.Offset += size`
			`totalSize += size`
			`}`
			`}`
			`if totalSize > a.Size() {`
			`panic(fmt.Sprintf("bad group arg size %v, should be <= %v for %+v",`
			`totalSize, a.Size(), a))`
prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset. 2018-02-18 12:49:48 +00:00			`}`
			`case *PointerArg:`
			`if a.Res != nil {`
			`ctx.Base = a`
prog: merge foreachSubargOffset into foreachArgImpl 2018-02-18 13:12:50 +00:00			`ctx.Offset = 0`
prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset. 2018-02-18 12:49:48 +00:00			`foreachArgImpl(a.Res, ctx, f)`
			`}`
			`case *UnionArg:`
			`foreachArgImpl(a.Option, ctx, f)`
			`}`
initial commit 2015-10-12 08:16:57 +00:00			`}`

prog: combine RequiresBitmasks and RequiresChecksums into RequiredFeatures 2018-02-18 13:16:07 +00:00			`func RequiredFeatures(p *Prog) (bitmasks, csums bool) {`
csource: force enable tun flag when required 2017-05-18 14:08:43 +00:00			`for _, c := range p.Calls {`
prog: rework foreachArg Make Foreach* callback accept the arg and a context struct that can contain lots of aux info. This (1) removes lots of unuser base/parent args, (2) provides foundation for stopping recursion, (3) allows to merge foreachSubargOffset. 2018-02-18 12:49:48 +00:00			`ForeachArg(c, func(arg Arg, _ *ArgCtx) {`
prog: split Arg into smaller structs Right now Arg is a huge struct (160 bytes), which has many different fields used for different arg kinds. Since most of the args we see in a typical corpus are ArgConst, this results in a significant memory overuse. This change: - makes Arg an interface instead of a struct - adds a SomethingArg struct for each arg kind we have - converts all *Arg pointers into just Arg, since interface variable by itself contains a pointer to the actual data - removes ArgPageSize, now ConstArg is used instead - consolidates correspondence between arg kinds and types, see comments before each SomethingArg struct definition - now LenType args that denote the length of VmaType args are serialized as "0x1000" instead of "(0x1000)"; to preserve backwards compatibility syzkaller is able to parse the old format for now - multiple small changes all over to make the above work After this change syzkaller uses twice less memory after deserializing a typical corpus. 2017-07-11 14:49:08 +00:00			`if a, ok := arg.(*ConstArg); ok {`
			`if a.Type().BitfieldOffset() != 0 \|\| a.Type().BitfieldLength() != 0 {`
prog: combine RequiresBitmasks and RequiresChecksums into RequiredFeatures 2018-02-18 13:16:07 +00:00			`bitmasks = true`
csource: force enable tun flag when required 2017-05-18 14:08:43 +00:00			`}`
			`}`
prog: dot-import sys In preparation for moving sys types to prog to reduce later diffs. 2017-09-05 08:46:34 +00:00			`if _, ok := arg.Type().(*CsumType); ok {`
prog: combine RequiresBitmasks and RequiresChecksums into RequiredFeatures 2018-02-18 13:16:07 +00:00			`csums = true`
repro: always minimize over EnableTun 2017-05-29 16:22:55 +00:00			`}`
			`})`
			`}`
prog: combine RequiresBitmasks and RequiresChecksums into RequiredFeatures 2018-02-18 13:16:07 +00:00			`return`
repro: always minimize over EnableTun 2017-05-29 16:22:55 +00:00			`}`