// Copyright 2017 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
package prog
import (
"encoding/hex"
"fmt"
"math/rand"
"reflect"
"sort"
"testing"
)
// Helper types shared by the table-driven hint tests in this file.
//
// The field order of the two test structs is fixed: test tables may
// initialise them positionally as {name, in, comps, res}.
type (
	// uint64Set is a set of uint64 values, written as a map from value to true.
	uint64Set map[uint64]bool

	// ConstArgTest is one table entry for tests that run the hint logic
	// on a single integer value.
	ConstArgTest struct {
		name  string   // sub-test name handed to t.Run
		in    uint64   // initial value of the argument
		comps CompMap  // comparisons: first operand -> set of second operands
		res   []uint64 // expected replacement values, compared with reflect.DeepEqual
	}

	// DataArgTest is one table entry for tests that run the hint logic
	// on a byte blob.
	DataArgTest struct {
		name  string          // sub-test name handed to t.Run
		in    string          // initial blob contents, written as a Go string of raw bytes
		comps CompMap         // comparisons: first operand -> set of second operands
		res   map[string]bool // expected set of mutated blobs
	}
)
// TestHintsCheckConstArg exercises checkConstArg() on a constant argument.
// It only verifies which replacement values are reported through the
// callback; the correctness of the individual mutations is covered by
// their own tests.
func TestHintsCheckConstArg(t *testing.T) {
	t.Parallel()
	cases := []ConstArgTest{
		{
			// The operand equal to the current value is not expected back.
			name:  "One replacer test",
			in:    0xdeadbeef,
			comps: CompMap{0xdeadbeef: uint64Set{0xdeadbeef: true, 0xcafebabe: true}},
			res:   []uint64{0xcafebabe},
		},
		{
			// Several comparisons share the first operand: (op1, op2), (op1, op3), ...
			// A program must be generated for every such second operand.
			name:  "Multiple replacers test",
			in:    0xabcd,
			comps: CompMap{0xabcd: uint64Set{0x2: true, 0x3: true}},
			res:   []uint64{0x2, 0x3},
		},
		{
			// Special ints must not be used as replacements.
			name:  "Special ints test",
			in:    0xabcd,
			comps: CompMap{0xabcd: uint64Set{0x1: true, 0x2: true}},
			res:   []uint64{0x2},
		},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			var got []uint64
			arg := &ConstArg{ArgCommon{nil}, tc.in}
			// The callback fires once per candidate; record the value the
			// argument holds at that moment.
			checkConstArg(arg, tc.comps, func() {
				got = append(got, arg.Val)
			})
			if reflect.DeepEqual(got, tc.res) {
				return
			}
			t.Fatalf("\ngot : %v\nwant: %v", got, tc.res)
		})
	}
}
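// TestHintsCheckDataArg exercises checkDataArg() on a byte blob.
// It only verifies which mutated blobs are reported through the callback;
// the correctness of the individual mutations is covered by their own tests.
//
// On mismatch the got/want sets are printed in sorted order so that the
// failure message is stable between runs.
func TestHintsCheckDataArg(t *testing.T) {
	t.Parallel()
	// All inputs are in Little-Endian.
	cases := []DataArgTest{
		{
			name: "One replacer test",
			in:   "\xef\xbe\xad\xde",
			comps: CompMap{
				0xdeadbeef: uint64Set{0xcafebabe: true, 0xdeadbeef: true},
				0xbeef:     uint64Set{0xbeef: true},
				0xef:       uint64Set{0xef: true},
			},
			res: map[string]bool{
				"\xbe\xba\xfe\xca": true,
			},
		},
		{
			// Several comparisons share the first operand: (op1, op2), (op1, op3), ...
			// A program must be generated for every such second operand.
			name:  "Multiple replacers test",
			in:    "\xcd\xab",
			comps: CompMap{0xabcd: uint64Set{0x2: true, 0x3: true}},
			res: map[string]bool{
				"\x02\x00": true, "\x03\x00": true,
			},
		},
		{
			// Special ints must not be used as replacements.
			name:  "Special ints test",
			in:    "\xcd\xab",
			comps: CompMap{0xabcd: uint64Set{0x1: true, 0x2: true}},
			res: map[string]bool{
				"\x02\x00": true,
			},
		},
		{
			// Ints of various sizes must be extracted from the blob.
			name: "Different sizes test",
			in:   "\xef\xcd\xab\x90\x78\x56\x34\x12",
			comps: CompMap{
				0xef:               uint64Set{0x11: true},
				0xcdef:             uint64Set{0x2222: true},
				0x90abcdef:         uint64Set{0x33333333: true},
				0x1234567890abcdef: uint64Set{0x4444444444444444: true},
			},
			res: map[string]bool{
				"\x11\xcd\xab\x90\x78\x56\x34\x12": true,
				"\x22\x22\xab\x90\x78\x56\x34\x12": true,
				"\x33\x33\x33\x33\x78\x56\x34\x12": true,
				"\x44\x44\x44\x44\x44\x44\x44\x44": true,
			},
		},
		{
			// Values must be extracted at every offset of the blob.
			name: "Different offsets test",
			in:   "\xab\xab\xab\xab\xab\xab\xab\xab\xab",
			comps: CompMap{
				0xab:               uint64Set{0x11: true},
				0xabab:             uint64Set{0x2222: true},
				0xabababab:         uint64Set{0x33333333: true},
				0xabababababababab: uint64Set{0x4444444444444444: true},
			},
			res: map[string]bool{
				"\x11\xab\xab\xab\xab\xab\xab\xab\xab": true,
				"\xab\x11\xab\xab\xab\xab\xab\xab\xab": true,
				"\xab\xab\x11\xab\xab\xab\xab\xab\xab": true,
				"\xab\xab\xab\x11\xab\xab\xab\xab\xab": true,
				"\xab\xab\xab\xab\x11\xab\xab\xab\xab": true,
				"\xab\xab\xab\xab\xab\x11\xab\xab\xab": true,
				"\xab\xab\xab\xab\xab\xab\x11\xab\xab": true,
				"\xab\xab\xab\xab\xab\xab\xab\x11\xab": true,
				"\xab\xab\xab\xab\xab\xab\xab\xab\x11": true,
				"\x22\x22\xab\xab\xab\xab\xab\xab\xab": true,
				"\xab\x22\x22\xab\xab\xab\xab\xab\xab": true,
				"\xab\xab\x22\x22\xab\xab\xab\xab\xab": true,
				"\xab\xab\xab\x22\x22\xab\xab\xab\xab": true,
				"\xab\xab\xab\xab\x22\x22\xab\xab\xab": true,
				"\xab\xab\xab\xab\xab\x22\x22\xab\xab": true,
				"\xab\xab\xab\xab\xab\xab\x22\x22\xab": true,
				"\xab\xab\xab\xab\xab\xab\xab\x22\x22": true,
				"\x33\x33\x33\x33\xab\xab\xab\xab\xab": true,
				"\xab\x33\x33\x33\x33\xab\xab\xab\xab": true,
				"\xab\xab\x33\x33\x33\x33\xab\xab\xab": true,
				"\xab\xab\xab\x33\x33\x33\x33\xab\xab": true,
				"\xab\xab\xab\xab\x33\x33\x33\x33\xab": true,
				"\xab\xab\xab\xab\xab\x33\x33\x33\x33": true,
				"\x44\x44\x44\x44\x44\x44\x44\x44\xab": true,
				"\xab\x44\x44\x44\x44\x44\x44\x44\x44": true,
			},
		},
		{
			name:  "Replace in the middle of a larger blob",
			in:    "\xef\xcd\xab\x90\x78\x56\x34\x12",
			comps: CompMap{0xffffffffffff90ab: uint64Set{0xffffffffffffaabb: true}},
			res: map[string]bool{
				"\xef\xcd\xbb\xaa\x78\x56\x34\x12": true,
			},
		},
		{
			name: "Big-endian replace",
			in:   "\xef\xcd\xab\x90\x78\x56\x34\x12",
			comps: CompMap{
				// 0xff07 is reversed special int.
				0xefcd:             uint64Set{0xaabb: true, 0xff07: true},
				0x3412:             uint64Set{0xaabb: true, 0xff07: true},
				0x9078:             uint64Set{0xaabb: true, 0x11223344: true, 0xff07: true},
				0x90785634:         uint64Set{0xaabbccdd: true, 0x11223344: true},
				0xefcdab9078563412: uint64Set{0x1122334455667788: true},
			},
			res: map[string]bool{
				"\xaa\xbb\xab\x90\x78\x56\x34\x12": true,
				"\xef\xcd\xab\x90\x78\x56\xaa\xbb": true,
				"\xef\xcd\xab\xaa\xbb\x56\x34\x12": true,
				"\xef\xcd\xab\xaa\xbb\xcc\xdd\x12": true,
				"\xef\xcd\xab\x11\x22\x33\x44\x12": true,
				"\x11\x22\x33\x44\x55\x66\x77\x88": true,
			},
		},
	}

	// hexList renders a blob set as "[0x.., 0x.., ]" with the entries sorted,
	// because Go map iteration order differs from run to run.
	hexList := func(set map[string]bool) string {
		keys := make([]string, 0, len(set))
		for k := range set {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		s := "["
		for _, k := range keys {
			s += fmt.Sprintf("0x%x, ", k)
		}
		return s + "]"
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			got := make(map[string]bool)
			// Whatever type here. It's just needed to pass the
			// dataArg.Type().Dir() == DirIn check.
			typ := &ArrayType{TypeCommon{"", "", 0, DirIn, false, true}, nil, 0, 0, 0}
			dataArg := MakeDataArg(typ, []byte(tc.in))
			// The callback fires once per candidate; snapshot the blob
			// contents at that moment.
			checkDataArg(dataArg, tc.comps, func() {
				got[string(dataArg.Data())] = true
			})
			if reflect.DeepEqual(got, tc.res) {
				return
			}
			// Use an explicit format string: the rendered sets are data,
			// not a format, so they must not be passed as the Fatalf format.
			t.Fatalf("\ngot: %s\nwant: %s\n", hexList(got), hexList(tc.res))
		})
	}
}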
// TestHintsShrinkExpand checks shrinkExpand() against small C-like models
// of narrowing ("shrink") and widening ("extend") casts that precede a
// comparison. Each case lists the argument value, the observed comparisons
// and the replacement values shrinkExpand() is expected to return.
func TestHintsShrinkExpand(t *testing.T) {
	t.Parallel()
	// Naming conventions used in the modelled code:
	//   b  - byte variable  (i8 or u8)
	//   w  - word variable  (i16 or u16)
	//   dw - dword variable (i32 or u32)
	//   qw - qword variable (i64 or u64)
	cases := []ConstArgTest{
		// -----------------------------------------------------------------
		// Shrink tests:
		{
			// Models the following code:
			// void f(u16 w) {
			//		u8 b = (u8) w;
			//		if (b == 0xab) {...}
			//		if (w == 0xcdcd) {...}
			// }; f(0x1234);
			name: "Shrink 16 test",
			in:   0x1234,
			comps: CompMap{
				0x34:   uint64Set{0xab: true},
				0x1234: uint64Set{0xcdcd: true},
			},
			res: []uint64{0x12ab, 0xcdcd},
		},
		{
			// Models the following code:
			// void f(u32 dw) {
			//		u8 b = (u8) dw
			//		i16 w = (i16) dw
			//		if (b == 0xab) {...}
			//		if (w == 0xcdcd) {...}
			//		if (dw == 0xefefefef) {...}
			// }; f(0x12345678);
			name: "Shrink 32 test",
			in:   0x12345678,
			comps: CompMap{
				0x78:       uint64Set{0xab: true},
				0x5678:     uint64Set{0xcdcd: true},
				0x12345678: uint64Set{0xefefefef: true},
			},
			res: []uint64{0x123456ab, 0x1234cdcd, 0xefefefef},
		},
		{
			// Models the following code:
			// void f(u64 qw) {
			//		u8 b = (u8) qw
			//		u16 w = (u16) qw
			//		u32 dw = (u32) qw
			//		if (b == 0xab) {...}
			//		if (w == 0xcdcd) {...}
			//		if (dw == 0xefefefef) {...}
			//		if (qw == 0x0101010101010101) {...}
			// }; f(0x1234567890abcdef);
			name: "Shrink 64 test",
			in:   0x1234567890abcdef,
			comps: CompMap{
				0xef:               uint64Set{0xab: true, 0xef: true},
				0xcdef:             uint64Set{0xcdcd: true},
				0x90abcdef:         uint64Set{0xefefefef: true},
				0x1234567890abcdef: uint64Set{0x0101010101010101: true},
			},
			res: []uint64{
				0x0101010101010101,
				0x1234567890abcdab,
				0x1234567890abcdcd,
				0x12345678efefefef,
			},
		},
		{
			// Models the following code:
			// void f(i16 w) {
			//		i8 b = (i8) w;
			//		i16 other = 0xabab;
			//		if (b == other) {...}
			// }; f(0x1234);
			// The comparison can never be true in such code, so no hint
			// is generated for it.
			name:  "Shrink with a wider replacer test1",
			in:    0x1234,
			comps: CompMap{0x34: uint64Set{0x1bab: true}},
			res:   nil,
		},
		{
			// Models the following code:
			// void f(i16 w) {
			//		i8 b = (i8) w;
			//		i16 other = 0xfffd;
			//		if (b == other) {...}
			// }; f(0x1234);
			// Here b is sign extended to 0xff34, so replacing the lower
			// byte makes the if statement true.
			// Note that executor sign extends all the comparison operands
			// to int64, so the table models this accordingly.
			name:  "Shrink with a wider replacer test2",
			in:    0x1234,
			comps: CompMap{0x34: uint64Set{0xfffffffffffffffd: true}},
			res:   []uint64{0x12fd},
		},
		// -----------------------------------------------------------------
		// Extend tests:
		// Note that executor sign extends all the comparison operands to
		// int64, so the table models this accordingly.
		{
			// Models the following code:
			// void f(i8 b) {
			//		i64 qw = (i64) b;
			//		if (qw == -2) {...};
			// }; f(-1);
			name:  "Extend 8 test",
			in:    0xff,
			comps: CompMap{0xffffffffffffffff: uint64Set{0xfffffffffffffffe: true}},
			res:   []uint64{0xfe},
		},
		{
			// Models the following code:
			// void f(i16 w) {
			//		i64 qw = (i64) w;
			//		if (qw == -2) {...};
			// }; f(-1);
			name:  "Extend 16 test",
			in:    0xffff,
			comps: CompMap{0xffffffffffffffff: uint64Set{0xfffffffffffffffe: true}},
			res:   []uint64{0xfffe},
		},
		{
			// Models the following code:
			// void f(i32 dw) {
			//		i64 qw = (i64) dw;
			//		if (qw == -2) {...};
			// }; f(-1);
			name:  "Extend 32 test",
			in:    0xffffffff,
			comps: CompMap{0xffffffffffffffff: uint64Set{0xfffffffffffffffe: true}},
			res:   []uint64{0xfffffffe},
		},
		{
			// Models the following code:
			// void f(i8 b) {
			//		i16 w = (i16) b;
			//		if (w == (i16) 0xfeff) {...};
			// }; f(-1);
			// No value of b makes the comparison true, so no hints are
			// generated.
			name:  "Extend with a wider replacer test",
			in:    0xff,
			comps: CompMap{0xffffffffffffffff: uint64Set{0xfffffffffffffeff: true}},
			res:   nil,
		},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			got := shrinkExpand(tc.in, tc.comps)
			if reflect.DeepEqual(got, tc.res) {
				return
			}
			t.Fatalf("\ngot : %v\nwant: %v", got, tc.res)
		})
	}
}
// TestHintsRandom is a smoke test: it runs MutateWithHints on randomly
// generated programs with randomly built comparison maps and discards the
// resulting programs. It asserts nothing about the mutations themselves.
func TestHintsRandom(t *testing.T) {
	target, rs, iters := initTest(t)
	iters /= 10 // the test takes long
	r := newRand(target, rs)
	for round := 0; round < iters; round++ {
		p := target.Generate(rs, 5, nil)
		for callIdx, call := range p.Calls {
			// Start from the values present in the call's arguments and
			// mix in five random ones.
			firstOps := extractValues(call)
			for k := 0; k < 5; k++ {
				firstOps[r.randInt()] = true
			}
			// Pair every first operand with a random second operand.
			comps := make(CompMap)
			for op := range firstOps {
				comps.AddComp(op, r.randInt())
			}
			p.MutateWithHints(callIdx, comps, func(*Prog) {})
		}
	}
}
// extractValues collects the integer values found in the arguments of c.
//
// Arguments with a nil type or with direction DirOut are skipped. A
// ConstArg contributes its value. A DataArg contributes, for every offset,
// the little-endian integers of width 1, 2, 4 and 8 bytes that fit in the
// remaining data. Zero is dropped from the result.
func extractValues(c *Call) map[uint64]bool {
	found := make(map[uint64]bool)
	ForeachArg(c, func(arg Arg, _ *ArgCtx) {
		typ := arg.Type()
		if typ == nil || typ.Dir() == DirOut {
			return
		}
		switch a := arg.(type) {
		case *ConstArg:
			found[a.Val] = true
		case *DataArg:
			blob := a.Data()
			for off := range blob {
				for _, width := range []int{1, 2, 4, 8} {
					if off+width > len(blob) {
						// Wider reads will not fit either.
						break
					}
					// Assemble the value least significant byte first.
					var v uint64
					for k := 0; k < width; k++ {
						v |= uint64(blob[off+k]) << (8 * uint(k))
					}
					found[v] = true
				}
			}
		}
	})
	delete(found, 0) // replacing 0 can yield too many candidates
	return found
}
// TestHintsData runs MutateWithHints end to end on the test target's
// "test$hint_data" call, whose first argument is a pointer to a data blob.
// Inputs and expected outputs are hex-encoded blob contents.
func TestHintsData(t *testing.T) {
	target := initTargetTest(t, "test", "64")
	type hintCase struct {
		in    string   // hex-encoded initial blob
		comps CompMap  // comparisons: first operand -> set of second operands
		out   []string // hex-encoded expected blobs, in any order
	}
	cases := []hintCase{
		{
			// Bytes 09 10 11 12 at offset 1 read as little-endian
			// 0x12111009; they are expected to become 10 00 00 00.
			in:    "0809101112131415",
			comps: CompMap{0x12111009: uint64Set{0x10: true}},
			out:   []string{"0810000000131415"},
		},
	}
	meta := target.SyscallMap["test$hint_data"]
	for _, tc := range cases {
		input, err := hex.DecodeString(tc.in)
		if err != nil {
			t.Fatal(err)
		}
		// Build a one-call program whose pointer argument refers to the blob.
		ptrType := meta.Args[0]
		blob := MakeDataArg(ptrType.(*PtrType).Type, input)
		p := &Prog{
			Target: target,
			Calls: []*Call{{
				Meta: meta,
				Args: []Arg{MakePointerArg(ptrType, 0, blob)},
				Ret:  MakeReturnArg(meta.Ret),
			}},
		}
		if err := p.validate(); err != nil {
			t.Fatal(err)
		}
		var got []string
		p.MutateWithHints(0, tc.comps, func(mutated *Prog) {
			data := mutated.Calls[0].Args[0].(*PointerArg).Res.(*DataArg).Data()
			got = append(got, hex.EncodeToString(data))
		})
		// Compare as sorted lists so the order of mutations does not matter.
		sort.Strings(tc.out)
		sort.Strings(got)
		if reflect.DeepEqual(got, tc.out) {
			continue
		}
		t.Fatalf("comps: %v\ninput: %v\ngot : %+v\nwant: %+v",
			tc.comps, tc.in, got, tc.out)
	}
}
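// BenchmarkHints measures MutateWithHints over every call of one generated
// linux/amd64 program, using comparison maps built once up front from the
// values in each call plus a few random ones.
//
// The timer is reset after setup, so target loading, program generation
// and comparison-map construction are not counted in the reported time.
func BenchmarkHints(b *testing.B) {
	// Turn the package-level debug switch off while the benchmark runs and
	// restore the previous setting on exit.
	savedDebug := debug
	debug = false
	defer func() { debug = savedDebug }()

	target, err := GetTarget("linux", "amd64")
	if err != nil {
		b.Fatal(err)
	}
	// Fixed seed: the same program is generated on every run.
	rs := rand.NewSource(0)
	r := newRand(target, rs)
	p := target.Generate(rs, 30, nil)
	comps := make([]CompMap, len(p.Calls))
	for i, c := range p.Calls {
		vals := extractValues(c)
		for j := 0; j < 5; j++ {
			vals[r.randInt()] = true
		}
		comps[i] = make(CompMap)
		for v := range vals {
			comps[i].AddComp(v, r.randInt())
		}
	}

	// Exclude the setup above from the measurement.
	b.ResetTimer()
	// NOTE(review): p and comps are shared by all benchmark goroutines;
	// this presumably relies on MutateWithHints not modifying its
	// receiver or the comparison map. Confirm against its implementation.
	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			for i := range p.Calls {
				p.MutateWithHints(i, comps[i], func(*Prog) {})
			}
		}
	})
}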