verifier: Prototype for new syz-verifier with new rpcserver and fuzzer

This commit introduces a prototype for the new syz-verifier using the new rpcserver and fuzzer. An in-depth explanation is available in README.md. Remaining work includes connecting the reproduction loop, HTTP servers, enabling snapshots, and the comparison phase. The prototype already implements a working differential fuzzing loop.

Author: dBransky

CONTRIBUTORS

@@ -143,3 +143,4 @@ Jeongjun Park
 Nikita Zhandarovich
 Jiacheng Xu
 Kuzey Arda Bulut
+Daniel Bransky

Makefile

@@ -226,8 +226,7 @@ kfuzztest:
 endif
 
 verifier: descriptions
-	# TODO: switch syz-verifier to use syz-executor.
-	# GOOS=$(HOSTOS) GOARCH=$(HOSTARCH) $(HOSTGO) build $(GOHOSTFLAGS) -o ./bin/syz-verifier github.com/google/syzkaller/syz-verifier
+	GOOS=$(HOSTOS) GOARCH=$(HOSTARCH) $(HOSTGO) build $(GOHOSTFLAGS) -o ./bin/syz-verifier github.com/google/syzkaller/syz-verifier
 
 # `extract` extracts const files from various kernel sources, and may only
 # re-generate parts of files.

syz-verifier/README.md

@@ -0,0 +1,93 @@
+# syz-verifier
+
+`syz-verifier` is a differential fuzzing tool for comparing the execution behavior of programs across different versions of the Linux kernel to detect semantic bugs and inconsistencies.
+
+## Design Overview
+
+The syz-verifier implements a centralized fuzzing architecture where a single `Verifier` instance manages multiple kernel configurations for differential testing:
+
+### Core Architecture
+
+```
+                    ┌─────────────────────────────────┐
+                    │          Verifier               │
+                    │                                 │
+                    │  ┌───────────────────────────┐  │
+                    │  │        Fuzzer             │  │
+                    │  │   (Program Generation)    │  │
+                    │  └───────────────────────────┘  │
+                    │              │                  │
+                    │              ▼                  │
+                    │  ┌───────────────────────────┐  │
+                    │  │    Distribution Logic     │  │
+                    │  └───────────────────────────┘  │
+                    │         │        │        │     │
+                    └─────────┼────────┼────────┼─────┘
+                              ▼        ▼        ▼
+                    ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
+                    │   Queue A   │ │   Queue B   │ │   Queue C   │
+                    │ (Kernel A)  │ │ (Kernel B)  │ │ (Kernel C)  │
+                    └─────────────┘ └─────────────┘ └─────────────┘
+```
+
+### Key Components
+
+1. **Single Fuzzer Instance**: The verifier maintains one `fuzzer.Fuzzer` that generates test programs
+2. **Per-Kernel Queues**: Each kernel configuration gets its own `queue.PlainQueue` for task distribution
+
+### Main loop
+
+1. **Generation**: The central fuzzer generates a new program
+2. **Distribution**: The program is cloned and sent to each kernel's queue
+3. **Execution**: Each kernel executes the program independently
+4. **Collection**: The verifier waits for all kernels to complete
+5. **Comparison**: Results are collected for differential analysis
+## Implementation Details
+
+### Verifier Structure
+
+The `Verifier` struct contains:
+- `fuzzer atomic.Pointer[fuzzer.Fuzzer]`: Single fuzzer instance for program generation
+- `sources map[int]*queue.PlainQueue`: Per-kernel queue mapping (kernel ID → queue)
+- `kernels map[int]*Kernel`: Kernel configuration mapping
+- `manager.HTTPServer`: The central HTTP server for all kernels
+
+
+Holds the fuzzer and implements a "proxy" between it and all the kernels.
+Also is responsible of aggregating requests from the different kernels
+
+### Kernel Structure
+
+Implements the functions so that it can work with the rpc server.
+- MachineChecked: aggregate features and enabled syscalls to the verifier.
+- MaxSignal: request the max signal from the verifier.
+- BugFrames: not implemented.
+- CoverageFilter: currently filters coverage similar to the KernelContext in diff.go. This is still work in progress.
+
+## Usage
+
+### Basic Usage
+
+This is a prototype implementation demonstrating the core differential fuzzing architecture.
+
+```bash
+# Build the verifier
+make verifier
+
+# Run with kernel configurations (example)
+./bin/syz-verifier -configs=kernel1.cfg,kernel2.cfg -debug
+
+# For debug we can also run with a single kernel
+./bin/syz-verifier -configs=kernel1.cfg -debug
+```
+
+## Development Status
+
+This is a **prototype** showcasing the verifier design with:
+- ✅ Centralized fuzzer architecture
+- ✅ Per-kernel queue distribution
+- ✅ Synchronous execution model
+- 🚧 Result comparison logic (TODO)
+- 🚧 Reproduction loop (TODO)
+- 🚧 Http server (TODO)
+- 🚧 Snapshots! are very important for diff fuzz (TODO)

syz-verifier/main.go

@@ -1,25 +1,24 @@
 // Copyright 2021 syzkaller project authors. All rights reserved.
 // Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
 
-// TODO: switch syz-verifier to use syz-fuzzer.
-
-//go:build ignore
-
 // package main starts the syz-verifier tool. High-level documentation can be
 // found in docs/syz_verifier.md.
 package main
 
 import (
 	"flag"
-	"io"
+	"fmt"
 	"os"
-	"path/filepath"
-	"strconv"
 
+	"github.com/google/syzkaller/pkg/flatrpc"
+	"github.com/google/syzkaller/pkg/fuzzer"
+	"github.com/google/syzkaller/pkg/fuzzer/queue"
 	"github.com/google/syzkaller/pkg/log"
+	"github.com/google/syzkaller/pkg/manager"
 	"github.com/google/syzkaller/pkg/mgrconfig"
 	"github.com/google/syzkaller/pkg/osutil"
 	"github.com/google/syzkaller/pkg/report"
+	"github.com/google/syzkaller/pkg/rpcserver"
 	"github.com/google/syzkaller/pkg/tool"
 	"github.com/google/syzkaller/prog"
 	"github.com/google/syzkaller/vm"
@@ -33,146 +32,95 @@ const (
 // and reporting crashes. It also keeps track of the Runners executing on
 // spawned VMs, what programs have been sent to each Runner and what programs
 // have yet to be sent on any of the Runners.
-type poolInfo struct {
-	cfg      *mgrconfig.Config
-	pool     *vm.Pool
-	Reporter *report.Reporter
-	// checked is set to true when the set of system calls not supported on the
-	// kernel is known.
-	checked bool
+func Setup(name string, cfg *mgrconfig.Config, debug bool) (*Kernel, error) {
+	kernel := &Kernel{
+		name:            name,
+		debug:           debug,
+		cfg:             cfg,
+		crashes:         make(chan *report.Report, 128),
+		servStats:       rpcserver.NewNamedStats(name),
+		candidates:      make(chan []fuzzer.Candidate),
+		reportGenerator: manager.ReportGeneratorCache(cfg),
+		enabledSyscalls: make(chan map[*prog.Syscall]bool, 1),
+		features:        make(chan flatrpc.Feature, 1),
+	}
+	var err error
+	kernel.reporter, err = report.NewReporter(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create reporter for %q: %w", name, err)
+	}
+
+	kernel.serv, err = rpcserver.New(&rpcserver.RemoteConfig{
+		Config:  cfg,
+		Manager: kernel,
+		Stats:   kernel.servStats,
+		Debug:   debug,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create rpc server for %q: %w", name, err)
+	}
+
+	vmPool, err := vm.Create(cfg, debug)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create vm.Pool for %q: %w", name, err)
+	}
+
+	kernel.pool = vm.NewDispatcher(vmPool, kernel.FuzzerInstance)
+	return kernel, nil
 }
 
 func main() {
 	var cfgs tool.CfgsFlag
 	flag.Var(&cfgs, "configs", "[MANDATORY] list of at least two kernel-specific comma-sepatated configuration files")
 	flagDebug := flag.Bool("debug", false, "dump all VM output to console")
-	flagStats := flag.String("stats", "", "where stats will be written when"+
-		"execution of syz-verifier finishes, defaults to stdout")
-	flagEnv := flag.Bool("new-env", true, "create a new environment for each program")
-	flagAddress := flag.String("address", "127.0.0.1:8080", "http address for monitoring")
-	flagReruns := flag.Int("rerun", 3, "number of time program is rerun when a mismatch is found")
+	// flagAddress := flag.String("address", "127.0.0.1:8080", "http address for monitoring")
+	// flagReruns := flag.Int("rerun", 3, "number of time program is rerun when a mismatch is found")
 	flag.Parse()
 
-	pools := make(map[int]*poolInfo)
+	kernels := make(map[int]*Kernel)
 	for idx, cfg := range cfgs {
-		var err error
-		pi := &poolInfo{}
-		pi.cfg, err = mgrconfig.LoadFile(cfg)
+		kcfg, err := mgrconfig.LoadFile(cfg)
 		if err != nil {
 			log.Fatalf("%v", err)
 		}
-		// TODO: call pi.pool.Close() on exit.
-		pi.pool, err = vm.Create(pi.cfg, *flagDebug)
+		kernels[idx], err = Setup(kcfg.Name, kcfg, *flagDebug)
 		if err != nil {
-			log.Fatalf("%v", err)
+			log.Fatalf("failed to setup kcfg context for %s: %v", kcfg.Name, err)
 		}
-		pools[idx] = pi
+
+		log.Logf(0, "loaded kernel %s", kcfg.Name)
 	}
 
-	if len(pools) < 2 {
+	log.Logf(0, "loaded %d kernel configurations", len(kernels))
+	if len(kernels) < 2 && !*flagDebug {
 		flag.Usage()
 		os.Exit(1)
 	}
-
-	cfg := pools[0].cfg
-	workdir, target, sysTarget, addr := cfg.Workdir, cfg.Target, cfg.SysTarget, cfg.RPC
-	for idx := 1; idx < len(pools); idx++ {
-		cfg := pools[idx].cfg
-
-		// TODO: pass the configurations that should be the same for all
-		// kernels in a default config file in order to avoid this checks and
-		// add testing
-		if workdir != cfg.Workdir {
-			log.Fatalf("working directory mismatch")
-		}
-		if target != cfg.Target {
-			log.Fatalf("target mismatch")
-		}
-		if sysTarget != cfg.SysTarget {
-			log.Fatalf("system target mismatch")
-		}
-		if addr != pools[idx].cfg.RPC {
-			log.Fatalf("tcp address mismatch")
+	workdir := kernels[0].cfg.Workdir
+	reqMaxSignal := make(chan int, len(kernels))
+	sources := make(map[int]*queue.PlainQueue)
+	for idx, kernel := range kernels {
+		if kernel.cfg.Workdir != workdir {
+			log.Fatalf("all kernel configurations must have the same workdir, got %q and %q", workdir, kernel.cfg.Workdir)
 		}
+		kernel.reqMaxSignal = reqMaxSignal
+		sources[idx] = queue.Plain()
+		kernel.source = sources[idx]
 	}
+	osutil.MkdirAll(workdir)
 
-	exe := sysTarget.ExeExtension
-	runnerBin := filepath.Join(cfg.Syzkaller, "bin", target.OS+"_"+target.Arch, "syz-runner"+exe)
-	if !osutil.IsExist(runnerBin) {
-		log.Fatalf("bad syzkaller config: can't find %v", runnerBin)
-	}
-	execBin := cfg.ExecutorBin
-	if !osutil.IsExist(execBin) {
-		log.Fatalf("bad syzkaller config: can't find %v", execBin)
-	}
-
-	crashdir := filepath.Join(workdir, "crashes")
-	osutil.MkdirAll(crashdir)
-	for idx := range pools {
-		OS, Arch := target.OS, target.Arch
-		targetPath := OS + "-" + Arch + "-" + strconv.Itoa(idx)
-		osutil.MkdirAll(filepath.Join(workdir, targetPath))
-		osutil.MkdirAll(filepath.Join(crashdir, targetPath))
-	}
-
-	resultsdir := filepath.Join(workdir, "results")
-	osutil.MkdirAll(resultsdir)
-
-	var sw io.Writer
-	var err error
-	if *flagStats == "" {
-		sw = os.Stdout
-	} else {
-		statsFile := filepath.Join(workdir, *flagStats)
-		sw, err = os.Create(statsFile)
-		if err != nil {
-			log.Fatalf("failed to create stats output file: %v", err)
-		}
-	}
-
-	for idx, pi := range pools {
-		var err error
-		pi.Reporter, err = report.NewReporter(pi.cfg)
-		if err != nil {
-			log.Fatalf("failed to create reporter for instance-%d: %v", idx, err)
-		}
-	}
-
-	calls := make(map[*prog.Syscall]bool)
-
-	for _, id := range cfg.Syscalls {
-		c := target.Syscalls[id]
-		calls[c] = true
-	}
+	log.Logf(0, "initialized %d sources", len(sources))
 
 	vrf := &Verifier{
-		workdir:       workdir,
-		crashdir:      crashdir,
-		resultsdir:    resultsdir,
-		pools:         pools,
-		target:        target,
-		calls:         calls,
-		reasons:       make(map[*prog.Syscall]string),
-		runnerBin:     runnerBin,
-		executorBin:   execBin,
-		addr:          addr,
-		reportReasons: len(cfg.EnabledSyscalls) != 0 || len(cfg.DisabledSyscalls) != 0,
-		stats:         MakeStats(),
-		statsWrite:    sw,
-		newEnv:        *flagEnv,
-		reruns:        *flagReruns,
+		kernels:        kernels,
+		cfg:            kernels[0].cfg, // for now take the first kernel's config
+		corpusPreload:  make(chan []fuzzer.Candidate),
+		disabledHashes: make(map[string]struct{}),
+		target:         kernels[0].cfg.Target,
+		sources:        sources,
 	}
 
-	vrf.Init()
-
-	vrf.StartProgramsAnalysis()
-	vrf.startInstances()
-
-	monitor := MakeMonitor()
-	monitor.SetStatsTracking(vrf.stats)
-
-	log.Logf(0, "run the Monitor at http://%s", *flagAddress)
-	go monitor.ListenAndServe(*flagAddress)
+	ctx := vm.ShutdownCtx()
+	vrf.RunVerifierFuzzer(ctx)
 
-	select {}
 }