|
| 1 | +// Copyright 2025 syzkaller project authors. All rights reserved. |
| 2 | +// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. |
| 3 | + |
| 4 | +package assessmenet |
| 5 | + |
| 6 | +import ( |
| 7 | + "github.com/google/syzkaller/pkg/aflow" |
| 8 | + "github.com/google/syzkaller/pkg/aflow/action/kernel" |
| 9 | + "github.com/google/syzkaller/pkg/aflow/ai" |
| 10 | + "github.com/google/syzkaller/pkg/aflow/tool/codesearcher" |
| 11 | +) |
| 12 | + |
| 13 | +type KCSANOutputs struct { |
| 14 | + Benign bool |
| 15 | + Explanation string |
| 16 | +} |
| 17 | + |
| 18 | +func init() { |
| 19 | + aflow.Register[Inputs, KCSANOutputs]( |
| 20 | + ai.WorkflowAssessmentKCSAN, |
| 21 | + "assess if a KCSAN report is about a benign race that only needs annotations or not", |
| 22 | + &aflow.Flow{ |
| 23 | + Root: &aflow.Pipeline{ |
| 24 | + Actions: []aflow.Action{ |
| 25 | + kernel.Checkout, |
| 26 | + kernel.Build, |
| 27 | + codesearcher.PrepareIndex, |
| 28 | + &aflow.LLMAgent{ |
| 29 | + Name: "expert", |
| 30 | + Reply: "Explanation", |
| 31 | + Outputs: aflow.LLMOutputs[struct { |
| 32 | + Benign bool `jsonschema:"If the data race is benign or not."` |
| 33 | + }](), |
| 34 | + Temperature: 1, |
| 35 | + Instruction: instruction, |
| 36 | + Prompt: prompt, |
| 37 | + Tools: codesearcher.Tools, |
| 38 | + }, |
| 39 | + }, |
| 40 | + }, |
| 41 | + }, |
| 42 | + ) |
| 43 | +} |
| 44 | + |
| 45 | +const instruction = ` |
| 46 | +You are an experienced Linux kernel developer tasked with determining if the given kernel bug |
| 47 | +report is actionable or not. Actionable means that it contains enough info to root cause |
| 48 | +the underlying bug, and that the report is self-consistent and makes sense, rather than |
| 49 | +a one-off nonsensical crash induced by a previous memory corruption. |
| 50 | +
|
| 51 | +Use the provided tools to confirm any assumptions, what variables/fields being accessed, etc. |
| 52 | +In particular, don't make assumptions about the kernel source code, |
| 53 | +use codesearch tools to read the actual source code. |
| 54 | +
|
| 55 | +The bug report is a data race report from KCSAN tool. |
| 56 | +It contains 2 stack traces of the memory accesses that constitute a data race. |
| 57 | +The report would be inconsistent, if the stacks point to different subsystems, |
| 58 | +or if they access different fields. |
| 59 | +The report would be non-actionable, if the underlysing data race is "benign". |
| 60 | +That is, the race is on a simple int/bool or similar field, and the accesses |
| 61 | +are not supposed to be protected by any mutual exclusion primitives. |
| 62 | +Common examples of such "benign" data races are accesses to various flags fields, |
| 63 | +statistics counters, and similar. |
| 64 | +An actionable race is "harmful", that is can lead to corruption/crash even with |
| 65 | +a conservative compiler that compiles memory accesses to primitive types |
| 66 | +effectively as atomic. A common example of a "harmful" data races is race on |
| 67 | +a complex container (list/hashmap/etc), where accesses are supposed to be protected |
| 68 | +by a mutual exclusion primitive. |
| 69 | +In the final reply explain why you think the report is consistent and the data race is harmful. |
| 70 | +` |
| 71 | + |
| 72 | +const prompt = ` |
| 73 | +The bug report is: |
| 74 | +
|
| 75 | +{{.CrashReport}} |
| 76 | +` |
0 commit comments