[Dropping syzbot from Cc:] On Tue, 18 Dec 2018 14:26:00 +0100 Dmitry Vyukov <dvyu...@google.com> wrote:
> On Tue, Dec 18, 2018 at 1:40 PM Stefano Brivio <sbri...@redhat.com> wrote:
> >
> > Maybe it would be nice to have a semi-automated way to isolate and
> > describe/name specific conditions found by syzbot via fuzzing and
> > turn those into tests that are then repeated periodically. I'm not
> > sure what that would look like, but I think it's still more
> > maintainable than a pile of C reproducers with forged packets in
> > selftests/net.
>
> It would be nice to do something like this. Filed
> https://github.com/google/syzkaller/issues/884
> However, there are a few open questions that I am not sure how to
> resolve yet...

I don't have a github account, so let me comment on your questions here:

> 1. How to effectively fetch so many repros from datastore without
> hitting timeouts? We probably need to limit this to 1 repro per bug,
> but still that's many repros.

I guess this would be less of a problem if reproducers are selected
based on input from developers, instead of just taking all the
reproducers. E.g. one could answer a report with something like:

	#syz regression-test: <name> <description>

In this case I would have answered:

	#syz regression-test: icmp-udp-in-gue-recursion ICMP exceptions on UDP direct encapsulation in GUE

and something could be automatically appended to the test name,
perhaps e-mail and date. It would also be nice to be able to undo this
and delete a regression test.

> 2. Do we need some sorting based on namespace? E.g. stable releases
> may not include fixes for bugs fixed in upstream, then we will just
> crash lots of kernels in vain.

Same here, I guess developer input might help, but I'm not sure how to
formalise this.

> 3. syzkaller repros depend on exact syzkaller revision, new syzkaller
> won't be able to use old repros. Using C repros is much harder and
> they are not present for all bugs. Not sure what to do here.

Would it make a difference if you could use the "syz" reproducers and
translate them to a C reproducer only once needed?

--
Stefano