It seems that different gcc's have different defaults for ASAN flags.
Some fail with:
run.go:67: nonfailing none/thr/repeat : FAIL: run 0: call 0 is not executed
ASAN:DEADLYSIGNAL
=================================================================
==67143==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7b0befb0a2 bp 0x7f7b0cfdad10 sp 0x7f7b0cfda490 T1)
#0 0x7f7b0befb0a1 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x8d0a1)
#1 0x404bbb in syz_compare(long, long, long, long) (/tmp/utor355225125.0+0x404bbb)
#2 0x403cdf in execute_call(thread_t*) (/tmp/utor355225125.0+0x403cdf)
#3 0x404006 in worker_thread(void*) (/tmp/utor355225125.0+0x404006)
#4 0x7f7b0bc584a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#5 0x7f7b0b99ad0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x8d0a1)
Thread T1 created by T0 here:
#0 0x7f7b0be9ef59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x406117 in execute_one() (/tmp/utor355225125.0+0x406117)
Currently we sprinkle NONFAILING all over pseudo-syscall code,
around all individual accesses to fuzzer-generated pointers.
This is tedious manual work and subject to errors.
Wrap execute_syscall invocation with NONFAILING in execute_call once instead.
Then we can remove NONFAILING from all pseudo-syscalls and never get back to this.
Potential downsides: (1) this is coarser-grained and we will skip whole syscall
on invalid pointer, but this is how normal syscalls work as well,
so should not be a problem; (2) we will skip any clean up (closing of files, etc)
as well; but this may be fine as well (programs can perfectly leave open file
descriptors as well).
Update #1918
We set HostFuzzer for all test targets b/c in some contexts
they needed the same special behavior as real HostFuzzer targets
(e.g no checking enabled syscalls).
However, in some other contexts they don't need the same special
behavior as real HostFuzzer targets. For example, pkg/ipc
does rate limiting for HostFuzzer and pkg/runtest doesn't run
C tests for HostFuzzer.
Add special case for test targets in pkg/host,
and don't set HostFuzzer for all test targets
(keep it for one target for better coverage).
Add Timeout config param for bisections.
Specify timeout in syz-ci as 8h based on the following data.
Out of 1049 cause bisections that we have now:
- 891 finished under 6h (84.9%)
- 957 finished under 8h (91.2%)
- 980 finished under 10h (93.4%)
- 989 finished under 12h (94.3%)
- 1011 finished under 18h (96.3%)
- 1025 finished under 24h (97.7%)
There is also a significant increase in errors/inconclusive bisections after ~8h.
Out of 4075 fix bisections:
- 4015 finished under 6h (98.5%)
- 4020 finished under 8h (98.7%)
- 4026 finished under 10h (98.8%)
- 4032 finished under 12h (98.9%)
Significant increase in errors starts after ~12h.
The current timeout also takes into account that bisection jobs
compete with patch testing jobs (it's bad delaying patch testing).
When/if bisection jobs don't compete with patch testing,
it makes sense to increase this to 12-24h.
Fixes #1923
Currently we sandbox all repos b/c we assumed
that all builds are also sandboxes. But this causes
havoc for bisection/patch testing b/c syzkaller build
is not actually sandboxed anywhere. Build creates
root-owned files and then git can't do anything with them
but doesn't report errors either:
$ git checkout 8eda0b95 && echo OK
error: unable to unlink old 'sys/linux/gen/386.go': Permission denied
error: unable to unlink old 'sys/linux/gen/ppc64le.go': Permission denied
...
HEAD is now at 8eda0b957e
OK
We trust own sources and we don't test syzkaller patches,
so don't sandbox syzkaller repos.
Currently we have only "fixed" link at the top of the page.
"invalid" is missing and this is not scalable.
Add navigation buttons (tabs) for main pages.
Right after committing the on_each_cpu change,
another report came in where smp_call_function
is not called from on_each_cpu. And there are
actually more such callers in code, and also
as existing tests show. smp_call_function seems
to be the better root cause indication.
config-bisect.pl uses bash-isms and can't run on non-linux.
It also silently ignores all errors which made failures
very obscure -- the script happily succeeds in presence
of any errors. So the test failed later reading .config.
Use "set -eu" to not fail silently.
Also trace all config-bisect.pl invocations and output.
good/bad decisions are important and we always log them
in the normal bisection.
The test requires new git binary.
It's not necessarily installed everywhere.
Skip the test if git binary does not support bisection.
Also reorder functions from more important to less important.
Mark the test as parallel.
Move individual tests into subtests.
Split trace per subtest.
It also has a high branching factor and a bug is more likely in the callback.
For the added test we used to say:
INFO: rcu detected stall in __sys_sendmsg
now we say more useful:
INFO: rcu detected stall in tc_modify_qdisc
"git clean -fd" does not remove ignored files,
which can mess up state when .gitignore changes across commits.
Use "git clean -fdx" to delete ignored files as well.
Config minimization did not update test results for the starting commit.
Test result for the starting commit still referred to the original config,
not the minimized config that was actually used during bisection.
Change a test to actually produce a new config as it is supposed
to do during config minimization and check the resulting config.
Add a regression test for the bug where we committed a broken config.
One of the main outputs of the config minimization is the new config,
but tests don't do a single check of it.
Check the resulting config (is it correct in all cases?).
Ignoring errors is bad. It leads to silent failures.
If there is some particular error condition that is expected
to happen and we want to ignore, we need to ignore that one only
rather than all potential errors in the whole process.
Implement Linux kernel configuration bisection. Use bisected minimalistic
configuration in commit bisection. Utilizes the config_bisect.pl script from the Linux
kernel tree in bisection.
Modify syz-bisect to read in kernel.baseline_config. This is used as a "good"
configuration when bisection is run.
Add new Syzkaller configuration option kernel_baseline_config. This option
is supposed to be used by kernel configuration bisection as a "good" config.
Signed-off-by: Jukka Kaartinen <jukka.kaartinen@unikie.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Use unix.Unmount instead of manually wrapping SYS_UMOUNT2.
Use unix.IoctlSetPointerInt instead of manually wrapping SYS_IOCTL. This
also allows using FS_IOC_SETFLAGS instead of manually defining it for
each GOARCH.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>