github.com/google/syzkaller@v0.0.0-20251211124644-a066d2bc4b02/tools/syz-declextract/README.md

github.com/google/syzkaller@v0.0.0-20251211124644-a066d2bc4b02/tools/syz-declextract/README.md (about)

     1  # syz-declextract
     2  
     3  ## Linux Kernel (for testing purposes)
     4  ```
     5  export KERNEL=$PWD/linux
     6  git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git $KERNEL
     7  cd $KERNEL
     8  make CC=clang defconfig
     9  ./scripts/config -e FTRACE_SYSCALLS
    10  make CC=clang olddefconfig
    11  make CC=clang -j`nproc` # kernel has to be built at least once for the script to work
    12  ./scripts/clang-tools/gen_compile_commands.py
    13  ```
    14  
    15  ## LLVM Project
    16  ```
    17  LLVM=$PWD/llvm-project
    18  git clone https://github.com/llvm/llvm-project.git $LLVM
    19  cd $LLVM
    20  git checkout d9dfe7540f81663f75350bb5ceb66d2f94dac078 # In case of any breaking changes, this commit works
    21  echo '
    22  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-c++20-designator -Wno-missing-designated-field-initializers")
    23  add_clang_executable(syz-declextract syz-declextract/declextract.cpp)
    24  target_link_libraries(syz-declextract PRIVATE clangTooling)
    25  ' >> $LLVM/clang/CMakeLists.txt
    26  ```
    27  
    28  ## syz-declextract
    29  ```
    30  mkdir $LLVM/clang/syz-declextract
    31  ```
    32  Copy `tools/clang/declextract/*.{cpp,h}` and `tools/clang/*.h` files to `$LLVM/clang/syz-declextract/` directory.
    33  ```
    34  LLVM_BUILD=$PWD/syz
    35  mkdir $LLVM_BUILD && cd $LLVM_BUILD
    36  cmake -DLLVM_ENABLE_PROJECTS="clang" -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_ASSERTIONS=On \
    37  -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -GNinja $LLVM/llvm
    38  ninja syz-declextract
    39  ```
    40  
    41  ## Running on a single source file
    42  ```
    43  ./bin/syz-declextract $KERNEL/fs/read_write.c | less # or any other .c file
    44  ```
    45  
    46  ## Coverage Data
    47  
    48  Coverage data (coverage.jsonl) can be obtained from syzbot dashboard using:
    49  ```
    50  curl --header "accept-encoding: gzip" https://syzkaller.appspot.com/upstream/coverage?jsonl=1 | gunzip > coverage.jsonl
    51  ```
    52  Note: the coverage is tied to a particular kernel commit. For consistency that commit
    53  should be used for the rest of the process as well.
    54  
    55  ## Running on the whole kernel
    56  ```
    57  go run ./tools/syz-declextract -binary=$LLVM_BUILD/bin/syz-declextract -config=manager.cfg \
    58  	-coverage coverage.jsonl
    59  syz-env make extract SOURCEDIR=$KERNEL
    60  ```
    61  
    62  The tool caches results of static kernel analysis in manager.workdir/declextract.cache file,
    63  and results of the dynamic kernel probing in manager.workdir/interfaces.json file.
    64  These can be examined for debugging purposes, and will be reused in future runs if exist
    65  (greatly saves time). If the clang tool/kernel has changed, delete these cache files
    66  so that they are updated.