pkg/rpcserver: move kernel test/data range checks from executor #4949
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Several optimizations to reduce amount of hint replacements: 1. Don't mutate int's that are <= 8 bits. 2. Don't mutate data that is <= 3 bytes. 3. Restrict mutation of len only value >10 and < 1<<20. Values <= 10 we can produce during normal mutation. Values > 1<<20 are presumably not length of something and we have logic to produce various large bogus lengths. 4. Include all small ints <= 16 into specialInts and remove 31, 32, 63 (don't remember where they come from). 5. Don't produce other known flags (and combinations) for flags. And a larger part computes groups of related arguments so that we don't try to produce known ioctl's from other known ioctl's, and similarly for socket/socketpair/setsockopt/etc. See comments in Target.initRelatedFields for details. Update google#477
1. Run only 25 mutations during smash. 2. Run collide during normal fuzzing rather than during smashing. 3. Run hints and fault injection before random mutations and order hints/fault injection jobs. 4. Random mutations still run round-robin w/o ordering to give better diversity.
Signal rotation is intended to make the fuzzer re-discover flaky coverage in non flaky way. However, taking into accout that we get effectively the same effect after each manager restart, and that the fuzzer is overloaded with triage/smash jobs, it does not look to be worth it.
dvyukov
force-pushed
the
dvyukov-filter-signal
branch
from
590c971
to
29549c7
Compare
dvyukov
changed the title
dvyukov
force-pushed
the
dvyukov-filter-signal
branch
from
29549c7
to
3154396
Compare
We see some errors of the form: SYZFAIL: coverage filter is full pc=0x80007000c0008 regions=[0xffffffffbfffffff 0x243fffffff 0x143fffffff 0xc3fffffff] alloc=156 Executor shouldn't send non kernel addresses in signal, but somehow it does. It can happen if the VM memory is corrupted, or if the test program does something very nasty (e.g. discovers the output region and writes to it). It's not possible to reliably filter signal in the tested VM. Move all of the filtering logic to the host. Fixes google#4942
dvyukov
force-pushed
the
dvyukov-filter-signal
branch
from
3154396
to
0558320
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We see some errors of the form:
SYZFAIL: coverage filter is full
pc=0x80007000c0008 regions=[0xffffffffbfffffff 0x243fffffff 0x143fffffff 0xc3fffffff] alloc=156
Executor shouldn't send non kernel addresses in signal,
but somehow it does. It can happen if the VM memory is corrupted,
or if the test program does something very nasty (e.g. discovers
the output region and writes to it).
It's not possible to reliably filter signal in the tested VM.
Move all of the filtering logic to the host.
Fixes #4942