Including the access size potentially leads to a failure to deduplicate
reports when the size comes from the user or for racy bugs (the bug is detected
on different accesses depending on timing).
We already drop the size from UAF and OOB; drop it for other bug types.
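The deduplication point in the message above, as an added illustration that is not syzkaller's own code: the report title format, the function names and the sample titles are constructed assumptions, not values taken from the project.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sizeRe matches the access-size fragment that sanitizer-style report titles
// embed, e.g. "Read of size 8" or "Write of size 16" (assumed format).
var sizeRe = regexp.MustCompile(`\bof size \d+\b`)

// NormalizeTitle drops the access size from a crash title so that reports
// differing only in size (user-controlled or racy accesses) share one key.
func NormalizeTitle(title string) string {
	t := sizeRe.ReplaceAllString(title, "")
	// Collapse the double space left behind by the removal.
	return strings.Join(strings.Fields(t), " ")
}

// Dedup groups titles by their normalized key and counts occurrences.
func Dedup(titles []string) map[string]int {
	counts := make(map[string]int)
	for _, t := range titles {
		counts[NormalizeTitle(t)]++
	}
	return counts
}

func main() {
	// Constructed sample titles (not real reports).
	titles := []string{
		"KASAN: use-after-free Read of size 8 in foo_fn",
		"KASAN: use-after-free Read of size 4 in foo_fn",
		"KASAN: slab-out-of-bounds Write of size 16 in bar_fn",
		"KASAN: slab-out-of-bounds Write of size 2 in bar_fn",
		"KMSAN: uninit-value in qux_fn", // no size: left unchanged
	}
	for key, n := range Dedup(titles) {
		fmt.Printf("%d x %s\n", n, key)
	}
}
```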
Add coverage and the number of reproducing programs to the periodic messages.
When all machines are busy reproducing crashes, it appears that
syz-manager has hung, as the number of executed programs does not increase.
Coverage is just a nice characteristic.
Also print the machine check message; it appears once and contains useful info.
This is mostly copied from linux.
We probably need better support for sharing descriptions
between multiple OSes. But there are lots of differences,
so this is not trivial.
1. remove workaround for pthread attrs (was fixed in akaros)
2. remove workaround for dup2 (was fixed in akaros)
3. check that we receive a program
4. implement timeout for test processes
This fails on bots with:
strip --strip-debug ./bin/linux_arm64/syz-executor
strip: Unable to recognise the format of the input file `./bin/linux_arm64/syz-executor'
We don't generate debug info for Go binaries to reduce their size.
Don't generate debug info for the executor either.
For akaros this reduces binary size from 4.5MB to 800KB.
We currently use a more complex and functional protocol on linux,
and a simple ad-hoc protocol on other OSes.
This leads to code duplication in both ipc and executor.
Linux supports coverage, shared memory communication and a fork server,
which would also be useful for most other OSes.
Unify the communication protocol and parametrize it by
(1) the use of shmem or only pipes, and (2) the use of a fork server.
This reduces duplication in ipc and executor and will
make it easy to support the useful features for other OSes.
Finally, this fixes akaros support, as it currently uses
syz-stress running on the host (linux) and the executor running on akaros.
We print all other output to stderr; write debug output to stderr as well.
This does not matter for the main use case of running syz-execprog -debug,
but is helpful if we want to communicate with syz-executor via stdin/stdout.
KCOV comparison support is in the kernel mm tree already, and the
patch contains an additional uint64_t to store PCs of functions calling
__sanitizer_cov_trace_XXX().
Change kcov_comparison_t accordingly.
Currently we always send 2MB of data to the executor in ipc_simple.go.
Send only what's consumed by the program, and don't send the trailing zeros.
Serialized programs usually take only a few KB.
Each arch duplicates a significant portion of the logic
to compile the extract source file.
Factor this logic into a separate function and reuse
it across all OSes.
This adds a /rawcover handler which returns a file with all PCs covered so far, e.g.:
0xffffffff8100763e
0xffffffff81007667
...
0xffffffff8100767d
Useful for offline coverage processing, diffing coverage, etc.
In particular, it allows one to do:
curl http://localhost:1234/rawcover | addr2line -e vmlinux
We currently return a raw error, so sometimes it's hard to tell
even what call produced the error (e.g. just "invalid argument").
Extend the error so that it's clear that it comes from cmd.Start.
The executor process does not have any env, including PATH.
On some distributions, the system/shell adds a minimal PATH; on some it does not.
Set our own standard PATH to make it work across distributions.
The call index check episodically fails:
2017/10/02 22:07:32 bad call index 1, calls 1, program:
under unknown circumstances. I've looked at the code again
and don't see where/how we can mess up CallIndex.
Added a new test for minimization that specifically checks the resulting
CallIndex.
It would be good to understand what happens, but we don't have
any reproducers. CallIndex is actually unused at this point.
Manager only needs the call name. So remove CallIndex entirely.