pkg/kfuzztest: use dwarf type in syscall description generation

Prior to this, we were doing pattern matching on the dwarf type names.
This is brittle, and means that support for new types (e.g., u64) would
have to be added manually.

Switch to an approach that recurses over the dwarf types, resolving
typedefs into primitive types that map very easily onto syzkaller types.

Also refactor some of the code related to annotation processing, which
was become unwieldly.

Author: Ethan Graham

pkg/kfuzztest/builder.go

@@ -3,8 +3,8 @@
 package kfuzztest
 
 import (
+	"debug/dwarf"
 	"fmt"
-	"regexp"
 	"strings"
 
 	"github.com/google/syzkaller/pkg/ast"
@@ -53,7 +53,11 @@ func (b *Builder) EmitSyzlangDescription() (string, error) {
 	var descBuilder strings.Builder
 	descBuilder.WriteString("# This description was automatically generated with tools/kfuzztest-gen\n")
 	for _, s := range b.structs {
-		descBuilder.WriteString(syzStructToSyzlang(s, constraintMap, annotationMap))
+		structDesc, err := syzStructToSyzlang(s, constraintMap, annotationMap)
+		if err != nil {
+			return "", err
+		}
+		descBuilder.WriteString(structDesc)
 		descBuilder.WriteString("\n\n")
 	}
 
@@ -64,9 +68,7 @@ func (b *Builder) EmitSyzlangDescription() (string, error) {
 		}
 	}
 
-	fmt.Println(descBuilder.String())
-
-	// Format the output syzlang descriptions.
+	// Format the output syzlang descriptions for consistency.
 	var astError error
 	eh := func(pos ast.Pos, msg string) {
 		astError = fmt.Errorf("Failure: %v: %v\n", pos, msg)
@@ -76,135 +78,181 @@ func (b *Builder) EmitSyzlangDescription() (string, error) {
 		return "", astError
 	}
 	if descAst == nil {
-		return "", fmt.Errorf("Failed to format generated syzlang. Is it well-formed?")
+		return "", fmt.Errorf("failed to format generated syzkaller description - is it well-formed?")
 	}
-
 	return string(ast.Format(descAst)), nil
 }
 
-// FIXME: this function is gross because of the weird logic cases that arises
-// from having annotations that determine the type. I'm sure there's a much
-// nicer way of writing this control flow.
 func syzStructToSyzlang(s SyzStruct, constraintMap map[string]map[string]SyzConstraint,
-	annotationMap map[string]map[string]SyzAnnotation) string {
-	out := fmt.Sprintf("%s {\n", s.Name)
-	for _, field := range s.Fields {
-		out += "\t"
-		typeName := dwarfToSyzlangType(field.TypeName)
-
-		aSubMap, ok := annotationMap["struct "+s.Name]
-		if ok {
-			annotation, ok := aSubMap[field.Name]
-			if !ok {
-				goto append_type
-			}
-
-			// Annotated fields require special handling.
-			switch annotation.Attribute {
-			case AttributeLen:
-				out += fmt.Sprintf("%s\tlen[%s, %s]", field.Name, annotation.LinkedFieldName, typeName)
-			case AttributeString:
-				out += fmt.Sprintf("%s\tptr[in, string]", field.Name)
-			case AttributeArray:
-				// An array type is prefixed with a leading "*", which we remove
-				// to resolve the underlying type.
-				arrayType := typeName[1:]
-				out += fmt.Sprintf("%s\tptr[in, array[%s]]", field.Name, arrayType)
-			}
-			out += "\n"
-			continue
-		}
+	annotationMap map[string]map[string]SyzAnnotation) (string, error) {
+	var builder strings.Builder
 
-		// just appends the type as it appear in the
-	append_type:
-		out += fmt.Sprintf("%s\t%s", field.Name, typeName)
-
-		subMap, ok := constraintMap["struct "+s.Name]
-		if ok {
-			constraint, ok := subMap[field.Name]
-			if ok {
-				out += syzConstraintToSyzlang(constraint)
-			}
+	fmt.Fprintf(&builder, "%s {\n", s.Name)
+	structAnnotations := annotationMap["struct "+s.Name]
+	structConstraints := constraintMap["struct "+s.Name]
+	for _, field := range s.Fields {
+		line, err := syzFieldToSyzLang(field, structConstraints, structAnnotations)
+		if err != nil {
+			return "", err
 		}
-		out += "\n"
+		fmt.Fprintf(&builder, "\t%s\n", line)
 	}
-	out += "}"
-	return out
+	fmt.Fprint(&builder, "}")
+	return builder.String(), nil
 }
 
-func syzFuncToSyzlang(s SyzFunc) string {
-	typeName := strings.TrimPrefix(s.InputStructName, "struct ")
+func syzFieldToSyzLang(field SyzField, constraintMap map[string]SyzConstraint,
+	annotationMap map[string]SyzAnnotation) (string, error) {
+	constraint, hasConstraint := constraintMap[field.Name]
+	annotation, hasAnnotation := annotationMap[field.Name]
 
-	out := fmt.Sprintf("syz_kfuzztest_run$%s(", s.Name)
-	out += fmt.Sprintf("name ptr[in, string[\"%s\"]], ", s.Name)
-	out += fmt.Sprintf("data ptr[in, %s], ", typeName)
-	out += "len bytesize[data])"
-	// TODO:(ethangraham) The only other way I can think of getting this name
-	// would involve using the "reflect" package and matching against the
-	// KFuzzTest name, which isn't much better than hardcoding this.
-	out += "(kfuzz_test)"
+	var typeDesc string
+	var err error
+	if hasAnnotation {
+		// Annotations override the existing type definitions.
+		typeDesc, err = processAnnotation(field, annotation)
+	} else {
+		typeDesc, err = dwarfToSyzlangType(field.dwarfType, false)
+	}
+	if err != nil {
+		return "", err
+	}
 
-	return out
+	if hasConstraint {
+		constraint, err := processConstraint(constraint)
+		if err != nil {
+			return "", err
+		}
+		typeDesc += constraint
+	}
+	return fmt.Sprintf("%s %s", field.Name, typeDesc), nil
 }
 
-func syzConstraintToSyzlang(c SyzConstraint) string {
+func processConstraint(c SyzConstraint) (string, error) {
 	switch c.ConstraintType {
 	case ExpectEq:
-		return fmt.Sprintf("[%d]", c.Value1)
+		return fmt.Sprintf("[%d]", c.Value1), nil
+	case ExpectNe:
+		// syzkaller does not have a built-in way to support an inequality
+		// constraint AFAIK.
+		return "", nil
 	case ExpectLt:
-		return fmt.Sprintf("[0:%d]", c.Value1-1)
+		return fmt.Sprintf("[0:%d]", c.Value1-1), nil
 	case ExpectLe:
-		return fmt.Sprintf("[0:%d]", c.Value1)
+		return fmt.Sprintf("[0:%d]", c.Value1), nil
 	case ExpectGt:
-		return fmt.Sprintf("[%d]", c.Value1+1)
+		return fmt.Sprintf("[%d]", c.Value1+1), nil
 	case ExpectGe:
-		return fmt.Sprintf("[%d]", c.Value1)
+		return fmt.Sprintf("[%d]", c.Value1), nil
 	case ExpectInRange:
-		return fmt.Sprintf("[%d:%d]", c.Value1, c.Value2)
+		return fmt.Sprintf("[%d:%d]", c.Value1, c.Value2), nil
 	default:
-		return ""
+		fmt.Printf("c = %d\n", c.ConstraintType)
+		return "", fmt.Errorf("unsupported constraint type")
 	}
 }
 
-func isArray(typeName string) (bool, string) {
-	re := regexp.MustCompile(`^\[(\d+)\]([a-zA-Z]+)$`)
-	matches := re.FindStringSubmatch(typeName)
-	if len(matches) == 0 {
-		return false, ""
+func processAnnotation(field SyzField, annotation SyzAnnotation) (string, error) {
+	switch annotation.Attribute {
+	case AttributeLen:
+		underlyingType, err := dwarfToSyzlangType(field.dwarfType, false)
+		if err != nil {
+			return "", err
+		}
+		return fmt.Sprintf("len[%s, %s]", annotation.LinkedFieldName, underlyingType), nil
+	case AttributeString:
+		return "ptr[in, string]", nil
+	case AttributeArray:
+		pointeeType, isPtr := resolvesToPtr(field.dwarfType)
+		if !isPtr {
+			return "", fmt.Errorf("can only annotate pointer fields are arrays")
+		}
+		// TODO: discards const qualifier.
+		typeDesc, err := dwarfToSyzlangType(pointeeType, false)
+		if err != nil {
+			return "", err
+		}
+		return fmt.Sprintf("ptr[in, array[%s]]", typeDesc), nil
+	default:
+		return "", fmt.Errorf("unsupported attribute type")
 	}
-	return true, fmt.Sprintf("array[%s, %s]", dwarfToSyzlangType(matches[2]), matches[1])
 }
 
-func dwarfToSyzlangType(typeName string) string {
-	if after, ok := strings.CutPrefix(typeName, "struct "); ok {
-		return after
+// Returns true iff `dwarfType` resolved down to a pointer. For example,
+// a `const *void` which isn't directly a pointer.
+func resolvesToPtr(dwarfType dwarf.Type) (dwarf.Type, bool) {
+	switch t := dwarfType.(type) {
+	case *dwarf.QualType:
+		return resolvesToPtr(t.Type)
+	case *dwarf.PtrType:
+		return t.Type, true
 	}
+	return nil, false
+}
 
-	if after, ok := strings.CutPrefix(typeName, "*const struct"); ok {
-		return fmt.Sprintf("ptr[in, %s]", after)
-	} else if after, ok := strings.CutPrefix(typeName, "*struct"); ok {
-		return fmt.Sprintf("ptr[inout, %s]", after)
-	}
+func syzFuncToSyzlang(s SyzFunc) string {
+	var builder strings.Builder
+	typeName := strings.TrimPrefix(s.InputStructName, "struct ")
 
-	isArr, arr := isArray(typeName)
-	if isArr {
-		return arr
-	}
+	fmt.Fprintf(&builder, "syz_kfuzztest_run$%s(", s.Name)
+	fmt.Fprintf(&builder, "name ptr[in, string[\"%s\"]], ", s.Name)
+	fmt.Fprintf(&builder, "data ptr[in, %s], ", typeName)
+	builder.WriteString("len bytesize[data])")
+	// TODO:(ethangraham) The only other way I can think of getting this name
+	// would involve using the "reflect" package and matching against the
+	// KFuzzTest name, which isn't much better than hardcoding this.
+	builder.WriteString("(kfuzz_test)")
+	return builder.String()
+}
 
-	switch typeName {
-	case "long unsigned int", "long int", "size_t":
-		return "int64"
-	case "int", "unsigned int":
-		return "int32"
-	case "char":
-		return "int8"
-	case "__u16":
-		return "int16"
-	case "*const char", "*const void", "*const unsigned char":
-		return "ptr[in, array[int8]]" // const pointers are read-only
-	case "*char", "*void":
-		return "ptr[inout, array[int8]]"
+// Given a dwarf type, returns a syzlang string representation of this type.
+func dwarfToSyzlangType(dwarfType dwarf.Type, isConst bool) (string, error) {
+	var dir string
+	if isConst {
+		dir = "in"
+	} else {
+		dir = "inout"
+	}
+	switch t := dwarfType.(type) {
+	case *dwarf.PtrType:
+		underlyingType, err := dwarfToSyzlangType(t.Type, false)
+		if err != nil {
+			return "", err
+		}
+		return fmt.Sprintf("ptr[%s, %s]", dir, underlyingType), nil
+	case *dwarf.QualType:
+		if t.Qual == "const" {
+			return dwarfToSyzlangType(t.Type, true)
+		} else {
+			return "", fmt.Errorf("no support for %s qualifier", t.Qual)
+		}
+	case *dwarf.ArrayType:
+		underlyingType, err := dwarfToSyzlangType(t.Type, false)
+		if err != nil {
+			return "", err
+		}
+		// If t.Count == -1 then this is a varlen array as per debug/dwarf
+		// documentation.
+		if t.Count == -1 {
+			return fmt.Sprintf("array[%s]", underlyingType), nil
+		} else {
+			return fmt.Sprintf("array[%s, %d]", underlyingType, t.Count), nil
+		}
+	case *dwarf.TypedefType:
+		return dwarfToSyzlangType(t.Type, isConst)
+	case *dwarf.IntType, *dwarf.UintType:
+		numBits := t.Size() * 8
+		return fmt.Sprintf("int%d", numBits), nil
+	case *dwarf.CharType, *dwarf.UcharType:
+		return "int8", nil
+	// `void` isn't a valid type by itself, so we know that it would have
+	// been wrapped in a pointer, e.g., `void *`. For this reason, we can return
+	// just interpret it as a byte, i.e., int8.
+	case *dwarf.VoidType:
+		return "int8", nil
+	case *dwarf.StructType:
+		return strings.TrimPrefix(t.StructName, "struct "), nil
 	default:
-		return typeName
+		return "", fmt.Errorf("unsupported type %s", dwarfType.String())
 	}
 }

pkg/kfuzztest/extractor.go

@@ -279,6 +279,10 @@ func (e *Extractor) dwarfGetType(entry *dwarf.Entry) (dwarf.Type, error) {
 	return e.dwarfData.Type(typeOffset)
 }
 
+// extractStructs extracts input structure metadata from discovered KFuzzTest
+// targets (funcs).
+// Performs a tree-traversal as all struct types need to be defined in the
+// resulting description that is emitted by the builder.
 func (e *Extractor) extractStructs(funcs []SyzFunc) ([]SyzStruct, error) {
 	// Set of input map names so that we can skip over entries that aren't
 	// interesting.
@@ -311,9 +315,9 @@ func (e *Extractor) extractStructs(funcs []SyzFunc) ([]SyzStruct, error) {
 	var visitRecur func(*dwarf.StructType, *map[string]bool)
 	visited := make(map[string]bool)
 	visitRecur = func(start *dwarf.StructType, visited *map[string]bool) {
-		newStruct := SyzStruct{Name: start.StructName, Fields: make([]SyzField, 0)}
+		newStruct := SyzStruct{dwarfType: start, Name: start.StructName, Fields: make([]SyzField, 0)}
 		for _, child := range start.Field {
-			newField := SyzField{Name: child.Name, TypeName: child.Type.String()}
+			newField := SyzField{Name: child.Name, dwarfType: child.Type}
 			newStruct.Fields = append(newStruct.Fields, newField)
 			switch childType := child.Type.(type) {
 			case *dwarf.StructType:
@@ -344,14 +348,14 @@ func (e *Extractor) extractStructs(funcs []SyzFunc) ([]SyzStruct, error) {
 		if err != nil {
 			return nil, err
 		}
-		// EOF
+		// EOF.
 		if entry == nil {
 			break
 		}
 		if entry.Tag != dwarf.TagStructType {
 			continue
 		}
-		// skip over unnamed structures
+		// Skip over unnamed structures.
 		nameField := entry.AttrField(dwarf.AttrName)
 		if nameField == nil {
 			continue

pkg/kfuzztest/kfuzztest.go

@@ -10,6 +10,7 @@
 package kfuzztest
 
 import (
+	"debug/dwarf"
 	"fmt"
 	"os"
 	"path"
@@ -19,18 +20,20 @@ import (
 	"github.com/google/syzkaller/pkg/ast"
 	"github.com/google/syzkaller/pkg/compiler"
 	"github.com/google/syzkaller/pkg/kcov"
+	"github.com/google/syzkaller/pkg/log"
 	"github.com/google/syzkaller/prog"
 	"github.com/google/syzkaller/sys/targets"
 )
 
 type SyzField struct {
-	Name     string
-	TypeName string
+	Name      string
+	dwarfType dwarf.Type
 }
 
 type SyzStruct struct {
-	Name   string
-	Fields []SyzField
+	dwarfType *dwarf.StructType
+	Name      string
+	Fields    []SyzField
 }
 
 type SyzFunc struct {