mirror of
https://github.com/reactos/syzkaller.git
synced 2024-11-24 11:59:58 +00:00
476b8ca987
We used to subtract 5 which is length of call instruction on amd64. Do proper per-arch calculation.
522 lines
12 KiB
Go
522 lines
12 KiB
Go
// Copyright 2015 syzkaller project authors. All rights reserved.
|
|
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
|
|
|
|
package main
|
|
|
|
import (
|
|
"bufio"
|
|
"bytes"
|
|
"fmt"
|
|
"html/template"
|
|
"io"
|
|
"io/ioutil"
|
|
"path/filepath"
|
|
"sort"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/google/syzkaller/pkg/cover"
|
|
"github.com/google/syzkaller/pkg/hash"
|
|
. "github.com/google/syzkaller/pkg/log"
|
|
"github.com/google/syzkaller/pkg/osutil"
|
|
"github.com/google/syzkaller/pkg/symbolizer"
|
|
)
|
|
|
|
type symbol struct {
|
|
start uint64
|
|
end uint64
|
|
name string
|
|
}
|
|
|
|
type symbolArray []symbol
|
|
|
|
func (a symbolArray) Len() int { return len(a) }
|
|
func (a symbolArray) Less(i, j int) bool { return a[i].start < a[j].start }
|
|
func (a symbolArray) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
|
|
|
|
type coverage struct {
|
|
line int
|
|
covered bool
|
|
}
|
|
|
|
type coverageArray []coverage
|
|
|
|
func (a coverageArray) Len() int { return len(a) }
|
|
func (a coverageArray) Less(i, j int) bool { return a[i].line < a[j].line }
|
|
func (a coverageArray) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
|
|
|
|
type uint64Array []uint64
|
|
|
|
func (a uint64Array) Len() int { return len(a) }
|
|
func (a uint64Array) Less(i, j int) bool { return a[i] < a[j] }
|
|
func (a uint64Array) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
|
|
|
|
var (
|
|
allCoverPCs []uint64
|
|
allCoverReady = make(chan bool)
|
|
allSymbols map[string][]symbolizer.Symbol
|
|
allSymbolsReady = make(chan bool)
|
|
vmOffsets = make(map[string]uint32)
|
|
)
|
|
|
|
func initAllCover(os, arch, vmlinux string) {
|
|
// Running objdump on vmlinux takes 20-30 seconds, so we do it asynchronously on start.
|
|
// Running nm on vmlinux may takes 200 microsecond and being called during symbolization of every crash,
|
|
// so also do it asynchronously on start and reuse the value during each crash.
|
|
go func() {
|
|
defer func() {
|
|
close(allCoverReady)
|
|
close(allSymbolsReady)
|
|
}()
|
|
if vmlinux == "" {
|
|
return
|
|
}
|
|
pcs, err := coveredPCs(arch, vmlinux)
|
|
if err == nil {
|
|
sort.Sort(uint64Array(pcs))
|
|
allCoverPCs = pcs
|
|
} else {
|
|
Logf(0, "failed to run objdump on %v: %v", vmlinux, err)
|
|
}
|
|
|
|
allSymbols, err = symbolizer.ReadSymbols(vmlinux)
|
|
if err != nil {
|
|
Logf(0, "failed to run nm on %v: %v", vmlinux, err)
|
|
}
|
|
}()
|
|
}
|
|
|
|
func generateCoverHTML(w io.Writer, vmlinux, arch string, cov cover.Cover) error {
|
|
if len(cov) == 0 {
|
|
return fmt.Errorf("No coverage data available")
|
|
}
|
|
|
|
base, err := getVMOffset(vmlinux)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
pcs := make([]uint64, 0, len(cov))
|
|
for pc := range cov {
|
|
fullPC := cover.RestorePC(pc, base)
|
|
prevPC := previousInstructionPC(arch, fullPC)
|
|
pcs = append(pcs, prevPC)
|
|
}
|
|
uncovered, err := uncoveredPcsInFuncs(vmlinux, pcs)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
coveredFrames, _, err := symbolize(vmlinux, pcs)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if len(coveredFrames) == 0 {
|
|
return fmt.Errorf("'%s' does not have debug info (set CONFIG_DEBUG_INFO=y)", vmlinux)
|
|
}
|
|
|
|
uncoveredFrames, prefix, err := symbolize(vmlinux, uncovered)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
var d templateData
|
|
for f, covered := range fileSet(coveredFrames, uncoveredFrames) {
|
|
lines, err := parseFile(f)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
coverage := 0
|
|
var buf bytes.Buffer
|
|
for i, ln := range lines {
|
|
if len(covered) > 0 && covered[0].line == i+1 {
|
|
if covered[0].covered {
|
|
buf.Write([]byte("<span id='covered'>"))
|
|
buf.Write(ln)
|
|
buf.Write([]byte("</span> /*covered*/\n"))
|
|
coverage++
|
|
} else {
|
|
buf.Write([]byte("<span id='uncovered'>"))
|
|
buf.Write(ln)
|
|
buf.Write([]byte("</span>\n"))
|
|
}
|
|
covered = covered[1:]
|
|
} else {
|
|
buf.Write(ln)
|
|
buf.Write([]byte{'\n'})
|
|
}
|
|
}
|
|
f = filepath.Clean(strings.TrimPrefix(f, prefix))
|
|
d.Files = append(d.Files, &templateFile{
|
|
ID: hash.String([]byte(f)),
|
|
Name: f,
|
|
Body: template.HTML(buf.String()),
|
|
Coverage: coverage,
|
|
})
|
|
}
|
|
|
|
sort.Sort(templateFileArray(d.Files))
|
|
return coverTemplate.Execute(w, d)
|
|
}
|
|
|
|
func fileSet(covered, uncovered []symbolizer.Frame) map[string][]coverage {
|
|
files := make(map[string]map[int]bool)
|
|
funcs := make(map[string]bool)
|
|
for _, frame := range covered {
|
|
if files[frame.File] == nil {
|
|
files[frame.File] = make(map[int]bool)
|
|
}
|
|
files[frame.File][frame.Line] = true
|
|
funcs[frame.Func] = true
|
|
}
|
|
for _, frame := range uncovered {
|
|
if !funcs[frame.Func] {
|
|
continue
|
|
}
|
|
if files[frame.File] == nil {
|
|
files[frame.File] = make(map[int]bool)
|
|
}
|
|
if !files[frame.File][frame.Line] {
|
|
files[frame.File][frame.Line] = false
|
|
}
|
|
}
|
|
res := make(map[string][]coverage)
|
|
for f, lines := range files {
|
|
sorted := make([]coverage, 0, len(lines))
|
|
for ln, covered := range lines {
|
|
sorted = append(sorted, coverage{ln, covered})
|
|
}
|
|
sort.Sort(coverageArray(sorted))
|
|
res[f] = sorted
|
|
}
|
|
return res
|
|
}
|
|
|
|
func parseFile(fn string) ([][]byte, error) {
|
|
data, err := ioutil.ReadFile(fn)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
htmlReplacer := strings.NewReplacer(">", ">", "<", "<", "&", "&", "\t", " ")
|
|
var lines [][]byte
|
|
for {
|
|
idx := bytes.IndexByte(data, '\n')
|
|
if idx == -1 {
|
|
break
|
|
}
|
|
lines = append(lines, []byte(htmlReplacer.Replace(string(data[:idx]))))
|
|
data = data[idx+1:]
|
|
}
|
|
if len(data) != 0 {
|
|
lines = append(lines, data)
|
|
}
|
|
return lines, nil
|
|
}
|
|
|
|
func getVMOffset(vmlinux string) (uint32, error) {
|
|
if v, ok := vmOffsets[vmlinux]; ok {
|
|
return v, nil
|
|
}
|
|
out, err := osutil.RunCmd(time.Hour, "", "readelf", "-SW", vmlinux)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
s := bufio.NewScanner(bytes.NewReader(out))
|
|
var addr uint32
|
|
for s.Scan() {
|
|
ln := s.Text()
|
|
pieces := strings.Fields(ln)
|
|
for i := 0; i < len(pieces); i++ {
|
|
if pieces[i] != "PROGBITS" {
|
|
continue
|
|
}
|
|
v, err := strconv.ParseUint("0x"+pieces[i+1], 0, 64)
|
|
if err != nil {
|
|
return 0, fmt.Errorf("failed to parse addr in readelf output: %v", err)
|
|
}
|
|
if v == 0 {
|
|
continue
|
|
}
|
|
v32 := (uint32)(v >> 32)
|
|
if addr == 0 {
|
|
addr = v32
|
|
}
|
|
if addr != v32 {
|
|
return 0, fmt.Errorf("different section offsets in a single binary")
|
|
}
|
|
}
|
|
}
|
|
vmOffsets[vmlinux] = addr
|
|
return addr, nil
|
|
}
|
|
|
|
// uncoveredPcsInFuncs returns uncovered PCs with __sanitizer_cov_trace_pc calls in functions containing pcs.
|
|
func uncoveredPcsInFuncs(vmlinux string, pcs []uint64) ([]uint64, error) {
|
|
<-allSymbolsReady
|
|
if allSymbols == nil {
|
|
return nil, fmt.Errorf("failed to run nm on vmlinux")
|
|
}
|
|
var symbols symbolArray
|
|
for name, ss := range allSymbols {
|
|
for _, s := range ss {
|
|
symbols = append(symbols, symbol{s.Addr, s.Addr + uint64(s.Size), name})
|
|
}
|
|
}
|
|
sort.Sort(symbols)
|
|
|
|
<-allCoverReady
|
|
if len(allCoverPCs) == 0 {
|
|
return nil, nil
|
|
}
|
|
|
|
handledFuncs := make(map[uint64]bool)
|
|
uncovered := make(map[uint64]bool)
|
|
for _, pc := range pcs {
|
|
idx := sort.Search(len(symbols), func(i int) bool {
|
|
return pc < symbols[i].end
|
|
})
|
|
if idx == len(symbols) {
|
|
continue
|
|
}
|
|
s := symbols[idx]
|
|
if pc < s.start || pc > s.end {
|
|
continue
|
|
}
|
|
if !handledFuncs[s.start] {
|
|
handledFuncs[s.start] = true
|
|
startPC := sort.Search(len(allCoverPCs), func(i int) bool {
|
|
return s.start <= allCoverPCs[i]
|
|
})
|
|
endPC := sort.Search(len(allCoverPCs), func(i int) bool {
|
|
return s.end < allCoverPCs[i]
|
|
})
|
|
for _, pc1 := range allCoverPCs[startPC:endPC] {
|
|
uncovered[pc1] = true
|
|
}
|
|
}
|
|
delete(uncovered, pc)
|
|
}
|
|
uncoveredPCs := make([]uint64, 0, len(uncovered))
|
|
for pc := range uncovered {
|
|
uncoveredPCs = append(uncoveredPCs, pc)
|
|
}
|
|
return uncoveredPCs, nil
|
|
}
|
|
|
|
// coveredPCs returns list of PCs of __sanitizer_cov_trace_pc calls in binary bin.
|
|
func coveredPCs(arch, bin string) ([]uint64, error) {
|
|
cmd := osutil.Command("objdump", "-d", "--no-show-raw-insn", bin)
|
|
stdout, err := cmd.StdoutPipe()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer stdout.Close()
|
|
if err := cmd.Start(); err != nil {
|
|
return nil, err
|
|
}
|
|
defer cmd.Wait()
|
|
var pcs []uint64
|
|
s := bufio.NewScanner(stdout)
|
|
traceFunc := []byte(" <__sanitizer_cov_trace_pc>")
|
|
var callInsn []byte
|
|
switch arch {
|
|
case "amd64":
|
|
// ffffffff8100206a: callq ffffffff815cc1d0 <__sanitizer_cov_trace_pc>
|
|
callInsn = []byte("\tcallq ")
|
|
case "386":
|
|
// c1000102: call c10001f0 <__sanitizer_cov_trace_pc>
|
|
callInsn = []byte("\tcall ")
|
|
case "arm64":
|
|
// ffff0000080d9cc0: bl ffff00000820f478 <__sanitizer_cov_trace_pc>
|
|
callInsn = []byte("\tbl\t")
|
|
case "arm":
|
|
// 8010252c: bl 801c3280 <__sanitizer_cov_trace_pc>
|
|
callInsn = []byte("\tbl\t")
|
|
case "ppc64le":
|
|
// c00000000006d904: bl c000000000350780 <.__sanitizer_cov_trace_pc>
|
|
callInsn = []byte("\tbl ")
|
|
traceFunc = []byte(" <.__sanitizer_cov_trace_pc>")
|
|
default:
|
|
panic("unknown arch")
|
|
}
|
|
for s.Scan() {
|
|
ln := s.Bytes()
|
|
if pos := bytes.Index(ln, callInsn); pos == -1 {
|
|
continue
|
|
} else if !bytes.Contains(ln[pos:], traceFunc) {
|
|
continue
|
|
}
|
|
colon := bytes.IndexByte(ln, ':')
|
|
if colon == -1 {
|
|
continue
|
|
}
|
|
pc, err := strconv.ParseUint(string(ln[:colon]), 16, 64)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
pcs = append(pcs, pc)
|
|
}
|
|
if err := s.Err(); err != nil {
|
|
return nil, err
|
|
}
|
|
return pcs, nil
|
|
}
|
|
|
|
func symbolize(vmlinux string, pcs []uint64) ([]symbolizer.Frame, string, error) {
|
|
symb := symbolizer.NewSymbolizer()
|
|
defer symb.Close()
|
|
|
|
frames, err := symb.SymbolizeArray(vmlinux, pcs)
|
|
if err != nil {
|
|
return nil, "", err
|
|
}
|
|
|
|
prefix := ""
|
|
for i := range frames {
|
|
frame := &frames[i]
|
|
frame.PC--
|
|
if prefix == "" {
|
|
prefix = frame.File
|
|
} else {
|
|
i := 0
|
|
for ; i < len(prefix) && i < len(frame.File); i++ {
|
|
if prefix[i] != frame.File[i] {
|
|
break
|
|
}
|
|
}
|
|
prefix = prefix[:i]
|
|
}
|
|
|
|
}
|
|
return frames, prefix, nil
|
|
}
|
|
|
|
func previousInstructionPC(arch string, pc uint64) uint64 {
|
|
switch arch {
|
|
case "amd64":
|
|
return pc - 5
|
|
case "386":
|
|
return pc - 1
|
|
case "arm64":
|
|
return pc - 4
|
|
case "arm":
|
|
// THUMB instructions are 2 or 4 bytes with low bit set.
|
|
// ARM instructions are always 4 bytes.
|
|
return (pc - 3) & ^uint64(1)
|
|
case "ppc64le":
|
|
return pc - 4
|
|
default:
|
|
panic("unknown arch")
|
|
}
|
|
}
|
|
|
|
type templateData struct {
|
|
Files []*templateFile
|
|
}
|
|
|
|
type templateFile struct {
|
|
ID string
|
|
Name string
|
|
Body template.HTML
|
|
Coverage int
|
|
}
|
|
|
|
type templateFileArray []*templateFile
|
|
|
|
func (a templateFileArray) Len() int { return len(a) }
|
|
func (a templateFileArray) Less(i, j int) bool {
|
|
n1 := a[i].Name
|
|
n2 := a[j].Name
|
|
// Move include files to the bottom.
|
|
if len(n1) != 0 && len(n2) != 0 {
|
|
if n1[0] != '.' && n2[0] == '.' {
|
|
return true
|
|
}
|
|
if n1[0] == '.' && n2[0] != '.' {
|
|
return false
|
|
}
|
|
}
|
|
return n1 < n2
|
|
}
|
|
func (a templateFileArray) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
|
|
|
|
var coverTemplate = template.Must(template.New("").Parse(`
|
|
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
|
<style>
|
|
body {
|
|
background: white;
|
|
}
|
|
#topbar {
|
|
background: black;
|
|
position: fixed;
|
|
top: 0; left: 0; right: 0;
|
|
height: 42px;
|
|
border-bottom: 1px solid rgb(70, 70, 70);
|
|
}
|
|
#nav {
|
|
float: left;
|
|
margin-left: 10px;
|
|
margin-top: 10px;
|
|
}
|
|
#content {
|
|
font-family: 'Courier New', Courier, monospace;
|
|
color: rgb(70, 70, 70);
|
|
margin-top: 50px;
|
|
}
|
|
#covered {
|
|
color: rgb(0, 0, 0);
|
|
font-weight: bold;
|
|
}
|
|
#uncovered {
|
|
color: rgb(255, 0, 0);
|
|
font-weight: bold;
|
|
}
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<div id="topbar">
|
|
<div id="nav">
|
|
<select id="files">
|
|
{{range $f := .Files}}
|
|
<option value="{{$f.ID}}">{{$f.Name}} ({{$f.Coverage}})</option>
|
|
{{end}}
|
|
</select>
|
|
</div>
|
|
</div>
|
|
<div id="content">
|
|
{{range $i, $f := .Files}}
|
|
<pre class="file" id="{{$f.ID}}" {{if $i}}style="display: none;"{{end}}>{{$f.Body}}</pre>{{end}}
|
|
</div>
|
|
</body>
|
|
<script>
|
|
(function() {
|
|
var files = document.getElementById('files');
|
|
var visible = document.getElementById(files.value);
|
|
if (window.location.hash) {
|
|
var hash = window.location.hash.substring(1);
|
|
for (var i = 0; i < files.options.length; i++) {
|
|
if (files.options[i].value === hash) {
|
|
files.selectedIndex = i;
|
|
visible.style.display = 'none';
|
|
visible = document.getElementById(files.value);
|
|
visible.style.display = 'block';
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
files.addEventListener('change', onChange, false);
|
|
function onChange() {
|
|
visible.style.display = 'none';
|
|
visible = document.getElementById(files.value);
|
|
visible.style.display = 'block';
|
|
window.scrollTo(0, 0);
|
|
window.location.hash = files.value;
|
|
}
|
|
})();
|
|
</script>
|
|
</html>
|
|
`))
|