Add Tool Trace2Syz

.gometalinter.json

@@ -39,6 +39,7 @@
 	],
 	"exclude": [
 		"(sys/.*/init.*|sys/targets/common.go).* don't use ALL_CAPS in Go names",
+		"(tools/syz-trace2syz/parser/(lex|strace).go)",
 		"exported .* should have comment",
 		"comment on .* should be of the form",
 		"declaration of \"err\" shadows",

Makefile

@@ -86,7 +86,7 @@ endif
 .PHONY: all host target \
 	manager runtest fuzzer executor \
 	ci hub \
-	execprog mutate prog2c stress repro upgrade db \
+	execprog mutate prog2c trace2syz stress repro upgrade db \
 	bin/syz-sysgen bin/syz-extract bin/syz-fmt \
 	extract generate generate_go generate_sys \
 	format format_go format_cpp format_sys \
@@ -157,6 +157,9 @@ db:
 upgrade:
 	GOOS=$(HOSTOS) GOARCH=$(HOSTARCH) $(HOSTGO) build $(GOHOSTFLAGS) -o ./bin/syz-upgrade github.com/google/syzkaller/tools/syz-upgrade
 
+trace2syz:
+	GOOS=$(HOSTOS) GOARCH=$(HOSTARCH) $(HOSTGO) build $(GOHOSTFLAGS) -o ./bin/syz-trace2syz github.com/google/syzkaller/tools/syz-trace2syz
+
 # `extract` extracts const files from various kernel sources, and may only
 # re-generate parts of files.
 extract: bin/syz-extract
@@ -187,6 +190,10 @@ ifeq ($(TARGETOS),fuchsia)
 else
 endif
 
+generate_trace2syz:
+	(cd tools/syz-trace2syz/parser; ragel -Z -G2 -o lex.go straceLex.rl)
+	(cd tools/syz-trace2syz/parser; goyacc -o strace.go -p Strace -v="" strace.y)
+
 bin/syz-sysgen:
 	$(GO) build $(GOHOSTFLAGS) -o $@ ./sys/syz-sysgen
 
@@ -317,6 +324,8 @@ install_prerequisites:
 	sudo apt-get install -y -q g++-aarch64-linux-gnu || true
 	sudo apt-get install -y -q g++-powerpc64le-linux-gnu || true
 	sudo apt-get install -y -q g++-arm-linux-gnueabihf || true
+	sudo apt-get install -y -q ragel
+	go get -u golang.org/x/tools/cmd/goyacc
 	go get -u gopkg.in/alecthomas/gometalinter.v2
 	gometalinter.v2 --install
 

prog/size.go

@@ -112,6 +112,10 @@ func (target *Target) assignSizesArray(args []Arg) {
 	}
 }
 
+func (target *Target) AssignSizesCall(c *Call) {
+	target.assignSizesCall(c)
+}
+
 func (target *Target) assignSizesCall(c *Call) {
 	target.assignSizesArray(c.Args)
 }

prog/types.go

@@ -67,6 +67,10 @@ type Type interface {
 	minimize(ctx *minimizeArgsCtx, arg Arg, path string) bool
 }
 
+func DefaultArg(t Type) Arg {
+	return t.makeDefaultArg()
+}
+
 func IsPad(t Type) bool {
 	if ct, ok := t.(*ConstType); ok && ct.IsPad {
 		return true

prog/validation.go

@@ -23,6 +23,10 @@ type validCtx struct {
 	uses   map[Arg]Arg
 }
 
+func (p *Prog) Validate() error {
+	return p.validate()
+}
+
 func (p *Prog) validate() error {
 	ctx := &validCtx{
 		target: p.Target,

tools/syz-trace2syz/config/unsupported_calls.go

@@ -0,0 +1,41 @@
+// Copyright 2018 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package config
+
+var (
+	// ShouldSkip lists system calls that we should skip when parsing
+	// Some of these are unsupported or not worth executing
+	ShouldSkip = map[string]bool{
+		// While we have system call descriptions for execve it is not worth adding
+		// the ones in traces. Every trace has an execve at the beginning which means
+		// all the system calls afterwards will not execute
+		"execve": true,
+		// Unsafe to set the addr argument to some random argument. Needs more care
+		"arch_prctl": true,
+		// Don't produce multithreaded programs.
+		"wait4": true,
+		"wait":  true,
+		"futex": true,
+		// Cannot obtain coverage from the forks.
+		"clone": true,
+		// Can support these calls but need to identify the ones in the trace that are worth keeping
+		"mmap":     true,
+		"msync":    true,
+		"mremap":   true,
+		"mprotect": true,
+		"madvise":  true,
+		"munmap":   true,
+		// Not interesting coverage
+		"getcwd": true,
+		"getcpu": true,
+		// Cannot evaluate sigset
+		"rt_sigprocmask":  true,
+		"rt_sigtimedwait": true,
+		"rt_sigreturn":    true,
+		"rt_sigqueueinfo": true,
+		"rt_sigsuspend":   true,
+		// Require function pointers which are not recovered by strace
+		"rt_sigaction": true,
+	}
+)

tools/syz-trace2syz/parser/intermediate_types.go

@@ -0,0 +1,155 @@
+// Copyright 2018 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package parser
+
+import (
+	"bytes"
+	"fmt"
+)
+
+// TraceTree struct contains intermediate representation of trace
+// If a trace is multiprocess it constructs a trace for each type
+type TraceTree struct {
+	TraceMap map[int64]*Trace
+	Ptree    map[int64][]int64
+	RootPid  int64
+	Filename string
+}
+
+// NewTraceTree initializes a TraceTree
+func NewTraceTree() (tree *TraceTree) {
+	tree = &TraceTree{
+		TraceMap: make(map[int64]*Trace),
+		Ptree:    make(map[int64][]int64),
+		RootPid:  -1,
+	}
+	return
+}
+
+func (tree *TraceTree) add(call *Syscall) {
+	if tree.RootPid < 0 {
+		tree.RootPid = call.Pid
+	}
+
+	if !call.Resumed {
+		if tree.TraceMap[call.Pid] == nil {
+			tree.TraceMap[call.Pid] = new(Trace)
+			tree.Ptree[call.Pid] = make([]int64, 0)
+		}
+	}
+	c := tree.TraceMap[call.Pid].add(call)
+	if c.CallName == "clone" && !c.Paused {
+		tree.Ptree[c.Pid] = append(tree.Ptree[c.Pid], c.Ret)
+	}
+}
+
+// Trace is just a list of system calls
+type Trace struct {
+	Calls []*Syscall
+}
+
+func (trace *Trace) add(call *Syscall) (ret *Syscall) {
+	if !call.Resumed {
+		trace.Calls = append(trace.Calls, call)
+		ret = call
+		return
+	}
+	lastCall := trace.Calls[len(trace.Calls)-1]
+	lastCall.Args = append(lastCall.Args, call.Args...)
+	lastCall.Paused = false
+	lastCall.Ret = call.Ret
+	ret = lastCall
+	return
+}
+
+// IrType is the intermediate representation of the strace output
+// Every argument of a system call should be represented in an intermediate type
+type IrType interface {
+	String() string
+}
+
+// Syscall struct is the IR type for any system call
+type Syscall struct {
+	CallName string
+	Args     []IrType
+	Pid      int64
+	Ret      int64
+	Paused   bool
+	Resumed  bool
+}
+
+// NewSyscall - constructor
+func NewSyscall(pid int64, name string, args []IrType, ret int64, paused, resumed bool) (sys *Syscall) {
+	return &Syscall{
+		CallName: name,
+		Args:     args,
+		Pid:      pid,
+		Ret:      ret,
+		Paused:   paused,
+		Resumed:  resumed,
+	}
+}
+
+// String
+func (s *Syscall) String() string {
+	buf := new(bytes.Buffer)
+
+	fmt.Fprintf(buf, "Pid: -%v-", s.Pid)
+	fmt.Fprintf(buf, "Name: -%v-", s.CallName)
+	for _, typ := range s.Args {
+		buf.WriteString("-")
+		buf.WriteString(typ.String())
+		buf.WriteString("-")
+	}
+	buf.WriteString(fmt.Sprintf("-Ret: %d\n", s.Ret))
+	return buf.String()
+}
+
+// GroupType contains arrays and structs
+type GroupType struct {
+	Elems []IrType
+}
+
+func newGroupType(elems []IrType) (typ *GroupType) {
+	return &GroupType{Elems: elems}
+}
+
+// String implements IrType String()
+func (a *GroupType) String() string {
+	var buf bytes.Buffer
+
+	buf.WriteString("[")
+	for _, elem := range a.Elems {
+		buf.WriteString(elem.String())
+		buf.WriteString(",")
+	}
+	buf.WriteString("]")
+	return buf.String()
+}
+
+// Constant represents all evaluated expressions produced by strace
+// Constant types are evaluated at parse time
+type Constant uint64
+
+func (c Constant) String() string {
+	return fmt.Sprintf("%#v", c)
+}
+
+func (c Constant) Val() uint64 {
+	return uint64(c)
+}
+
+// BufferType contains strings
+type BufferType struct {
+	Val string
+}
+
+func newBufferType(val string) *BufferType {
+	return &BufferType{Val: val}
+}
+
+// String implements IrType String()
+func (b *BufferType) String() string {
+	return fmt.Sprintf("Buffer: %s with length: %d\n", b.Val, len(b.Val))
+}