? github.com/google/syzkaller/dashboard/dashapi [no test files] ok github.com/google/syzkaller/dashboard/app 0.084s ? github.com/google/syzkaller/pkg/debugtracer [no test files] ? github.com/google/syzkaller/pkg/gce [no test files] ? github.com/google/syzkaller/pkg/gcs [no test files] ? github.com/google/syzkaller/pkg/hash [no test files] ? github.com/google/syzkaller/pkg/html/pages [no test files] ? github.com/google/syzkaller/pkg/ifuzz/iset [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc [no test files] ? github.com/google/syzkaller/pkg/ifuzz/powerpc/generated [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86 [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/gen [no test files] ? github.com/google/syzkaller/pkg/ifuzz/x86/generated [no test files] ? github.com/google/syzkaller/pkg/ipc/ipcconfig [no test files] ? github.com/google/syzkaller/pkg/kcidb [no test files] ? github.com/google/syzkaller/pkg/report/crash [no test files] ? github.com/google/syzkaller/pkg/rpctype [no test files] ? github.com/google/syzkaller/pkg/signal [no test files] ? github.com/google/syzkaller/pkg/testutil [no test files] ? github.com/google/syzkaller/pkg/tools [no test files] ok github.com/google/syzkaller/executor 2.772s ok github.com/google/syzkaller/pkg/asset 0.149s ok github.com/google/syzkaller/pkg/ast 0.817s ok github.com/google/syzkaller/pkg/auth 0.027s ? github.com/google/syzkaller/sys [no test files] ? github.com/google/syzkaller/sys/akaros [no test files] ? github.com/google/syzkaller/sys/akaros/gen [no test files] ? github.com/google/syzkaller/sys/darwin [no test files] ? github.com/google/syzkaller/sys/darwin/gen [no test files] ? github.com/google/syzkaller/sys/freebsd [no test files] ? github.com/google/syzkaller/sys/freebsd/gen [no test files] ? github.com/google/syzkaller/sys/fuchsia [no test files] ? github.com/google/syzkaller/sys/fuchsia/fidlgen [no test files] ? github.com/google/syzkaller/sys/fuchsia/gen [no test files] ? 
github.com/google/syzkaller/sys/fuchsia/layout [no test files] ? github.com/google/syzkaller/sys/linux/gen [no test files] ? github.com/google/syzkaller/sys/netbsd/gen [no test files] ? github.com/google/syzkaller/sys/openbsd/gen [no test files] ? github.com/google/syzkaller/sys/syz-extract [no test files] ? github.com/google/syzkaller/sys/syz-sysgen [no test files] ? github.com/google/syzkaller/sys/targets [no test files] ? github.com/google/syzkaller/sys/test [no test files] ? github.com/google/syzkaller/sys/test/gen [no test files] ? github.com/google/syzkaller/sys/trusty [no test files] ? github.com/google/syzkaller/sys/trusty/gen [no test files] ? github.com/google/syzkaller/sys/windows [no test files] ? github.com/google/syzkaller/sys/windows/gen [no test files] ? github.com/google/syzkaller/syz-runner [no test files] ? github.com/google/syzkaller/tools/syz-benchcmp [no test files] ? github.com/google/syzkaller/tools/syz-bisect [no test files] ? github.com/google/syzkaller/tools/syz-build [no test files] ? github.com/google/syzkaller/tools/syz-check [no test files] ? github.com/google/syzkaller/tools/syz-cover [no test files] ? github.com/google/syzkaller/tools/syz-crush [no test files] ? github.com/google/syzkaller/tools/syz-db [no test files] ? github.com/google/syzkaller/tools/syz-execprog [no test files] ? github.com/google/syzkaller/tools/syz-expand [no test files] ? github.com/google/syzkaller/tools/syz-fillreports [no test files] ? github.com/google/syzkaller/tools/syz-fmt [no test files] ? github.com/google/syzkaller/tools/syz-hubtool [no test files] ? github.com/google/syzkaller/tools/syz-imagegen [no test files] ? github.com/google/syzkaller/tools/syz-kcidb [no test files] ? github.com/google/syzkaller/tools/syz-lore [no test files] ? github.com/google/syzkaller/tools/syz-make [no test files] ? github.com/google/syzkaller/tools/syz-minconfig [no test files] ? github.com/google/syzkaller/tools/syz-mutate [no test files] ? 
github.com/google/syzkaller/tools/syz-prog2c [no test files] ? github.com/google/syzkaller/tools/syz-query-subsystems [no test files] ? github.com/google/syzkaller/tools/syz-reporter [no test files] ? github.com/google/syzkaller/tools/syz-repro [no test files] ? github.com/google/syzkaller/tools/syz-reprolist [no test files] ? github.com/google/syzkaller/tools/syz-runtest [no test files] ? github.com/google/syzkaller/tools/syz-showprio [no test files] ? github.com/google/syzkaller/tools/syz-stress [no test files] ? github.com/google/syzkaller/tools/syz-symbolize [no test files] ? github.com/google/syzkaller/tools/syz-testbed [no test files] ? github.com/google/syzkaller/tools/syz-testbuild [no test files] ? github.com/google/syzkaller/tools/syz-trace2syz [no test files] ? github.com/google/syzkaller/tools/syz-tty [no test files] ? github.com/google/syzkaller/tools/syz-upgrade [no test files] ? github.com/google/syzkaller/tools/syz-usbgen [no test files] ? github.com/google/syzkaller/vm/adb [no test files] ? github.com/google/syzkaller/vm/bhyve [no test files] ? github.com/google/syzkaller/vm/cuttlefish [no test files] ? github.com/google/syzkaller/vm/gce [no test files] ? github.com/google/syzkaller/vm/gvisor [no test files] ? github.com/google/syzkaller/vm/kvm [no test files] ? github.com/google/syzkaller/vm/odroid [no test files] ? github.com/google/syzkaller/vm/proxyapp/mocks [no test files] ? github.com/google/syzkaller/vm/proxyapp/proxyrpc [no test files] ? github.com/google/syzkaller/vm/qemu [no test files] ? github.com/google/syzkaller/vm/starnix [no test files] ? github.com/google/syzkaller/vm/vmm [no test files] ? 
github.com/google/syzkaller/vm/vmware [no test files] ok github.com/google/syzkaller/pkg/bisect 90.057s ok github.com/google/syzkaller/pkg/bisect/minimize 0.106s ok github.com/google/syzkaller/pkg/build 6.630s ok github.com/google/syzkaller/pkg/compiler 4.711s ok github.com/google/syzkaller/pkg/config 0.024s ok github.com/google/syzkaller/pkg/cover 82.285s ok github.com/google/syzkaller/pkg/cover/backend 0.577s --- FAIL: TestGenerate (79.52s) --- FAIL: TestGenerate/fuchsia/amd64 (0.31s) testutil.go:33: seed=1692188364463325111 testutil.go:33: seed=1692188364774890192 --- FAIL: TestGenerate/fuchsia/amd64/0 (1.98s) csource_test.go:150: opts: {Threaded:false Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: zx_channel_call_etc(0x0, 0x20, 0x7fffffffffffffff, &(0x7f0000000240)={&(0x7f0000000000)="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", &(0x7f0000000100)=[0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000140)=""/142, &(0x7f0000000200)=[0x0, 0x0], 0xfc, 0x5, 0x8e, 0x2}, &(0x7f0000000280), &(0x7f00000002c0)) (fail_nth: 1) zx_channel_call$fuchsia_io_DirectoryAdminRewind(r0, 0x0, 0x7fffffffffffffff, &(0x7f00000103c0)={&(0x7f0000000300), &(0x7f0000000340), &(0x7f0000000380), &(0x7f0000010380), 0x10, 0x0, 0x10000}, &(0x7f0000010400), &(0x7f0000010440)) (async) zx_system_get_event(r1, 0x3, &(0x7f0000010480)=0x0) (rerun: 4) r3 = zx_deadline_after(0x1f) zx_channel_call$fuchsia_cobalt_LoggerBaseLogEvent(r2, 0x0, r3, &(0x7f0000020580)={&(0x7f00000104c0)={{}, 0x6, 0x1}, &(0x7f0000010500), &(0x7f0000010540), &(0x7f0000020540), 0x18, 0x0, 0x10000}, &(0x7f00000205c0), &(0x7f0000020600)) 
zx_channel_call$fuchsia_io_FileReadAt(r2, 0x0, r3, &(0x7f0000030700)={&(0x7f0000020640)={{}, 0xffffffffffffffff, 0x3}, &(0x7f0000020680), &(0x7f00000206c0), &(0x7f00000306c0), 0x20, 0x0, 0x10000}, &(0x7f0000030740), &(0x7f0000030780)) zx_futex_wait(&(0x7f00000307c0)=0x3, 0x9, r2, r3) r4 = zx_deadline_after(0x5) zx_channel_call$fuchsia_cobalt_LoggerBaseEndTimer(0x0, 0x0, r4, &(0x7f00000408c0)={&(0x7f0000030800)={{}, {0xffffffffffffffca, 0xffffffffffffffff}, 0xe0, 0x1, {'!'}}, &(0x7f0000030840), &(0x7f0000030880), &(0x7f0000040880), 0x34, 0x0, 0x10000}, &(0x7f0000040900), &(0x7f0000040940)) zx_channel_call$fuchsia_io_NodeNodeSetFlags(r2, 0x0, r4, &(0x7f0000050a40)={&(0x7f0000040980)={{}, 0x8001}, &(0x7f00000409c0), &(0x7f0000040a00), &(0x7f0000050a00), 0x14, 0x0, 0x10000}, &(0x7f0000050a80), &(0x7f0000050ac0)) syz_execute_func(&(0x7f0000000000)="c44235dcffc4c2d12b6301c4e259b6adffefffff640f380b91614ee55946ffd48f2808871dba1debec02470f01d047d8dcc4a24d2d98610f7a2fc4a3a10ddc00") syz_future_time(0x0) syz_job_default() syz_mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000) syz_process_self() syz_thread_self() syz_vmar_root_self() csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void use_temporary_dir(void) { char tmpdir_template[] = "/tmp/syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } long syz_mmap(size_t addr, size_t size) { zx_handle_t root = zx_vmar_root_self(); zx_info_vmar_t info; zx_status_t status = zx_object_get_info(root, ZX_INFO_VMAR, &info, sizeof(info), 0, 0); if (status != ZX_OK) { return status; } zx_handle_t 
vmo; status = zx_vmo_create(size, 0, &vmo); if (status != ZX_OK) { return status; } uintptr_t mapped_addr; status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE, addr - info.base, vmo, 0, size, &mapped_addr); zx_status_t close_vmo_status = zx_handle_close(vmo); if (close_vmo_status != ZX_OK) { } return status; } static long syz_process_self(void) { return zx_process_self(); } static long syz_thread_self(void) { return zx_thread_self(); } static long syz_vmar_root_self(void) { return zx_vmar_root_self(); } static long syz_job_default(void) { return zx_job_default(); } static long syz_future_time(volatile long when) { zx_time_t delta_ms = 10000; switch (when) { case 0: delta_ms = 5; break; case 1: delta_ms = 30; break; } zx_time_t now = 0; zx_clock_read(ZX_CLOCK_MONOTONIC, &now); return now + delta_ms * 1000 * 1000; } static void loop(); static int do_sandbox_none(void) { loop(); return 0; } #define CAST(f) ({void* p = (void*)f; p; }) static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } static void execute_one(void); static void loop(void) { execute_one(); } uint64_t r[5] = {0x0, 0x0, 0x0, 0x0, 0x0}; void execute_one(void) { intptr_t res = 0; *(uint64_t*)0x20000240 = 0x20000000; memcpy((void*)0x20000000, 
"\xe0\xa9\x8c\xd5\xfe\xf4\x93\xce\x66\xb2\xf5\x75\xb2\x18\xf6\x1e\xb6\x8a\x37\x71\xfa\xde\x2f\xc1\xfa\x84\x58\xf3\xc7\xa3\xbf\xe4\x52\x49\xaf\x6d\x61\xd8\xce\xc7\x65\x8a\xc8\xcf\x9c\x4d\xc8\x22\xbd\xf8\x97\x67\xcf\xf0\x96\x38\x07\x17\x5b\x0c\x7e\xf7\x97\xa7\x20\x4b\xc3\x56\x4e\x5b\x93\xe3\x2c\x7b\x34\xdc\x44\x04\xdf\xe4\x60\x87\x38\xf1\x89\xc1\x96\xaf\x73\x8c\x6c\x3c\x7e\xc8\x8f\x57\xe0\x78\x25\x9d\xd2\x74\x95\x07\x2b\x86\xbd\x6c\x63\x7b\x6a\xe1\x90\x60\xfc\x24\x5d\x52\x6c\xce\xcb\x49\xfb\x3c\x0d\x92\xe7\x89\x2c\xd3\xe8\x1b\x40\xe2\xdc\xaa\x3f\xd4\xfb\x39\x18\x88\x5d\x39\xad\xc5\x7f\x1f\xee\x1b\xf4\xeb\x84\xc8\x81\x52\x7c\x50\xc3\x1e\xa4\xf3\xa1\x35\xb7\xd1\x32\xc3\xf0\xb2\x16\x74\x61\x99\xd3\x48\x94\xf3\x1a\xc5\x56\x67\xee\x3e\x86\x46\xc2\xfc\x88\xe1\x61\xda\xec\x5a\x69\x93\x4e\xd9\x9b\x5b\x5e\x0f\xf2\xc6\xd8\x0d\x4c\x51\x8f\xc1\xad\xab\x57\x5e\x45\x0d\x5c\x6f\x79\x9a\x30\x2d\x8d\x5b\x6c\xc1\xec\x38\x78\x5f\xeb\xeb\x57\x42\xcf\x9d\xc9\x92\x82\xc9\x50\x37\x54\x9d\xb3\x7e\xba\x07\x49\x17\x9d\x1d", 252); *(uint64_t*)0x20000248 = 0x20000100; *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0; *(uint32_t*)0x2000010c = 0; *(uint32_t*)0x20000110 = 0; *(uint64_t*)0x20000250 = 0x20000140; *(uint64_t*)0x20000258 = 0x20000200; *(uint32_t*)0x20000260 = 0xfc; *(uint32_t*)0x20000264 = 5; *(uint32_t*)0x20000268 = 0x8e; *(uint32_t*)0x2000026c = 2; inject_fault(1); res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); if (res == ZX_OK) { r[0] = *(uint32_t*)0x20000200; r[1] = *(uint32_t*)0x20000204; } *(uint64_t*)0x200103c0 = 0x20000300; *(uint32_t*)0x20000300 = 0; memset((void*)0x20000304, 0, 3); *(uint8_t*)0x20000307 = 1; *(uint64_t*)0x20000308 = 0x7072fd8700000000; *(uint64_t*)0x200103c8 = 0x20000340; *(uint64_t*)0x200103d0 = 0x20000380; 
*(uint64_t*)0x200103d8 = 0x20010380; *(uint32_t*)0x200103e0 = 0x10; *(uint32_t*)0x200103e4 = 0; *(uint32_t*)0x200103e8 = 0x10000; *(uint32_t*)0x200103ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[0], /*options=*/0, /*deadline=*/0x7fffffffffffffff, /*args=*/0x200103c0, /*actual_bytes=*/0x20010400, /*actual_handles=*/0x20010440); res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); { int i; for(i = 0; i < 4; i++) { ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); } } if (res == ZX_OK) r[2] = *(uint32_t*)0x20010480; res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/0x1f); if (res == ZX_OK) r[3] = res; *(uint64_t*)0x20020580 = 0x200104c0; *(uint32_t*)0x200104c0 = 0; memset((void*)0x200104c4, 0, 3); *(uint8_t*)0x200104c7 = 1; *(uint64_t*)0x200104c8 = 0x135d628d00000000; *(uint32_t*)0x200104d0 = 6; *(uint32_t*)0x200104d4 = 1; *(uint64_t*)0x20020588 = 0x20010500; *(uint64_t*)0x20020590 = 0x20010540; *(uint64_t*)0x20020598 = 0x20020540; *(uint32_t*)0x200205a0 = 0x18; *(uint32_t*)0x200205a4 = 0; *(uint32_t*)0x200205a8 = 0x10000; *(uint32_t*)0x200205ac = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20020580, /*actual_bytes=*/0x200205c0, /*actual_handles=*/0x20020600); *(uint64_t*)0x20030700 = 0x20020640; *(uint32_t*)0x20020640 = 0; memset((void*)0x20020644, 0, 3); *(uint8_t*)0x20020647 = 1; *(uint64_t*)0x20020648 = 0x7c724dc400000000; *(uint64_t*)0x20020650 = -1; *(uint64_t*)0x20020658 = 3; *(uint64_t*)0x20030708 = 0x20020680; *(uint64_t*)0x20030710 = 0x200206c0; *(uint64_t*)0x20030718 = 0x200306c0; *(uint32_t*)0x20030720 = 0x20; *(uint32_t*)0x20030724 = 0; *(uint32_t*)0x20030728 = 0x10000; 
*(uint32_t*)0x2003072c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20030700, /*actual_bytes=*/0x20030740, /*actual_handles=*/0x20030780); *(uint32_t*)0x200307c0 = 3; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_futex_wait))(/*value_ptr=*/0x200307c0, /*current_value=*/9, /*new_futex_owner=*/r[2], /*deadline=*/r[3]); res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/5); if (res == ZX_OK) r[4] = res; *(uint64_t*)0x200408c0 = 0x20030800; *(uint32_t*)0x20030800 = 0; memset((void*)0x20030804, 0, 3); *(uint8_t*)0x20030807 = 1; *(uint64_t*)0x20030808 = 0x65db6e4200000000; *(uint64_t*)0x20030810 = 0xffffffffffffffca; *(uint64_t*)0x20030818 = -1; *(uint64_t*)0x20030820 = 0xe0; *(uint32_t*)0x20030828 = 1; memset((void*)0x2003082c, 33, 1); *(uint64_t*)0x200408c8 = 0x20030840; *(uint64_t*)0x200408d0 = 0x20030880; *(uint64_t*)0x200408d8 = 0x20040880; *(uint32_t*)0x200408e0 = 0x34; *(uint32_t*)0x200408e4 = 0; *(uint32_t*)0x200408e8 = 0x10000; *(uint32_t*)0x200408ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/0, /*options=*/0, /*deadline=*/r[4], /*args=*/0x200408c0, /*actual_bytes=*/0x20040900, /*actual_handles=*/0x20040940); *(uint64_t*)0x20050a40 = 0x20040980; *(uint32_t*)0x20040980 = 0; memset((void*)0x20040984, 0, 3); *(uint8_t*)0x20040987 = 1; *(uint64_t*)0x20040988 = 0x46940c1600000000; *(uint32_t*)0x20040990 = 0x8001; *(uint64_t*)0x20050a48 = 0x200409c0; *(uint64_t*)0x20050a50 = 0x20040a00; *(uint64_t*)0x20050a58 = 0x20050a00; *(uint32_t*)0x20050a60 = 0x14; *(uint32_t*)0x20050a64 = 0; *(uint32_t*)0x20050a68 = 0x10000; *(uint32_t*)0x20050a6c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[4], /*args=*/0x20050a40, /*actual_bytes=*/0x20050a80, 
/*actual_handles=*/0x20050ac0); memcpy((void*)0x20000000, "\xc4\x42\x35\xdc\xff\xc4\xc2\xd1\x2b\x63\x01\xc4\xe2\x59\xb6\xad\xff\xef\xff\xff\x64\x0f\x38\x0b\x91\x61\x4e\xe5\x59\x46\xff\xd4\x8f\x28\x08\x87\x1d\xba\x1d\xeb\xec\x02\x47\x0f\x01\xd0\x47\xd8\xdc\xc4\xa2\x4d\x2d\x98\x61\x0f\x7a\x2f\xc4\xa3\xa1\x0d\xdc\x00", 64); syz_execute_func(/*text=*/0x20000000); syz_future_time(/*when=*/0); syz_job_default(); syz_mmap(/*addr=*/0x20ffb000, /*len=*/0x3000); syz_process_self(); syz_thread_self(); syz_vmar_root_self(); } int main(void) { syz_mmap(/*addr=*/0x20000000, /*len=*/0x1000000); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :149:81: error: use of undeclared identifier 'zx_channel_call_etc' res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); ^ 1 error generated. compiler invocation: /syzkaller/shared/fuchsia/prebuilt/third_party/clang/linux-x64/bin/clang [-o /tmp/syz-executor3913523324 -DGOOS_fuchsia=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -Wno-deprecated -target x86_64-fuchsia -ldriver -lfdio -lzircon --sysroot /syzkaller/shared/fuchsia/out/x64/zircon_toolchain/obj/zircon/public/sysroot/sysroot -I /syzkaller/shared/fuchsia/sdk/lib/fdio/include -I /syzkaller/shared/fuchsia/zircon/system/ulib/fidl/include -I /syzkaller/shared/fuchsia/src/lib/ddk/include -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device.manager -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.nand -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.power.statecontrol -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.usb.peripheral -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/zircon/vdso/zx -L 
/syzkaller/shared/fuchsia/out/x64/x64-shared -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-array-bounds -Wno-unused-command-line-argument] --- FAIL: TestGenerate/fuchsia/amd64/10 (2.21s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: zx_channel_call_etc(0x0, 0x20, 0x7fffffffffffffff, &(0x7f0000000240)={&(0x7f0000000000)="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", &(0x7f0000000100)=[0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000140)=""/142, &(0x7f0000000200)=[0x0, 0x0], 0xfc, 0x5, 0x8e, 0x2}, &(0x7f0000000280), &(0x7f00000002c0)) (fail_nth: 1) zx_channel_call$fuchsia_io_DirectoryAdminRewind(r0, 0x0, 0x7fffffffffffffff, &(0x7f00000103c0)={&(0x7f0000000300), &(0x7f0000000340), &(0x7f0000000380), &(0x7f0000010380), 0x10, 0x0, 0x10000}, &(0x7f0000010400), &(0x7f0000010440)) (async) zx_system_get_event(r1, 0x3, &(0x7f0000010480)=0x0) (rerun: 4) r3 = zx_deadline_after(0x1f) zx_channel_call$fuchsia_cobalt_LoggerBaseLogEvent(r2, 0x0, r3, &(0x7f0000020580)={&(0x7f00000104c0)={{}, 0x6, 0x1}, &(0x7f0000010500), &(0x7f0000010540), &(0x7f0000020540), 0x18, 0x0, 0x10000}, &(0x7f00000205c0), &(0x7f0000020600)) zx_channel_call$fuchsia_io_FileReadAt(r2, 0x0, r3, &(0x7f0000030700)={&(0x7f0000020640)={{}, 0xffffffffffffffff, 0x3}, &(0x7f0000020680), &(0x7f00000206c0), &(0x7f00000306c0), 0x20, 0x0, 0x10000}, &(0x7f0000030740), &(0x7f0000030780)) zx_futex_wait(&(0x7f00000307c0)=0x3, 0x9, r2, r3) r4 = zx_deadline_after(0x5) zx_channel_call$fuchsia_cobalt_LoggerBaseEndTimer(0x0, 0x0, r4, 
&(0x7f00000408c0)={&(0x7f0000030800)={{}, {0xffffffffffffffca, 0xffffffffffffffff}, 0xe0, 0x1, {'!'}}, &(0x7f0000030840), &(0x7f0000030880), &(0x7f0000040880), 0x34, 0x0, 0x10000}, &(0x7f0000040900), &(0x7f0000040940)) zx_channel_call$fuchsia_io_NodeNodeSetFlags(r2, 0x0, r4, &(0x7f0000050a40)={&(0x7f0000040980)={{}, 0x8001}, &(0x7f00000409c0), &(0x7f0000040a00), &(0x7f0000050a00), 0x14, 0x0, 0x10000}, &(0x7f0000050a80), &(0x7f0000050ac0)) syz_execute_func(&(0x7f0000000000)="c44235dcffc4c2d12b6301c4e259b6adffefffff640f380b91614ee55946ffd48f2808871dba1debec02470f01d047d8dcc4a24d2d98610f7a2fc4a3a10ddc00") syz_future_time(0x0) syz_job_default() syz_mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000) syz_process_self() syz_thread_self() syz_vmar_root_self() csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); 
__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) usleep(200); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout_ms) { uint64_t start = current_time_ms(); for (;;) { if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; if (current_time_ms() - start > timeout_ms) return 0; usleep(200); } } long syz_mmap(size_t addr, size_t size) { zx_handle_t root = zx_vmar_root_self(); zx_info_vmar_t info; zx_status_t status = zx_object_get_info(root, ZX_INFO_VMAR, &info, sizeof(info), 0, 0); if (status != ZX_OK) { return status; } zx_handle_t vmo; status = zx_vmo_create(size, 0, &vmo); if (status != ZX_OK) { return status; } uintptr_t mapped_addr; status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE, addr - info.base, vmo, 0, size, &mapped_addr); zx_status_t close_vmo_status = zx_handle_close(vmo); if (close_vmo_status != ZX_OK) { } return status; } static long syz_process_self(void) { return zx_process_self(); } static long syz_thread_self(void) { return zx_thread_self(); } static long syz_vmar_root_self(void) { return zx_vmar_root_self(); } static long syz_job_default(void) { return zx_job_default(); } static long syz_future_time(volatile long when) { zx_time_t delta_ms = 10000; switch (when) { case 0: delta_ms = 5; break; case 1: delta_ms = 30; break; } zx_time_t now = 0; zx_clock_read(ZX_CLOCK_MONOTONIC, &now); return now + delta_ms * 1000 * 1000; } static void loop(); static int do_sandbox_none(void) { loop(); return 0; } #define CAST(f) ({void* p = (void*)f; p; }) static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* 
thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 17; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); static void loop(void) { execute_one(); } uint64_t r[5] = {0x0, 0x0, 0x0, 0x0, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x20000240 = 0x20000000; memcpy((void*)0x20000000, 
"\xe0\xa9\x8c\xd5\xfe\xf4\x93\xce\x66\xb2\xf5\x75\xb2\x18\xf6\x1e\xb6\x8a\x37\x71\xfa\xde\x2f\xc1\xfa\x84\x58\xf3\xc7\xa3\xbf\xe4\x52\x49\xaf\x6d\x61\xd8\xce\xc7\x65\x8a\xc8\xcf\x9c\x4d\xc8\x22\xbd\xf8\x97\x67\xcf\xf0\x96\x38\x07\x17\x5b\x0c\x7e\xf7\x97\xa7\x20\x4b\xc3\x56\x4e\x5b\x93\xe3\x2c\x7b\x34\xdc\x44\x04\xdf\xe4\x60\x87\x38\xf1\x89\xc1\x96\xaf\x73\x8c\x6c\x3c\x7e\xc8\x8f\x57\xe0\x78\x25\x9d\xd2\x74\x95\x07\x2b\x86\xbd\x6c\x63\x7b\x6a\xe1\x90\x60\xfc\x24\x5d\x52\x6c\xce\xcb\x49\xfb\x3c\x0d\x92\xe7\x89\x2c\xd3\xe8\x1b\x40\xe2\xdc\xaa\x3f\xd4\xfb\x39\x18\x88\x5d\x39\xad\xc5\x7f\x1f\xee\x1b\xf4\xeb\x84\xc8\x81\x52\x7c\x50\xc3\x1e\xa4\xf3\xa1\x35\xb7\xd1\x32\xc3\xf0\xb2\x16\x74\x61\x99\xd3\x48\x94\xf3\x1a\xc5\x56\x67\xee\x3e\x86\x46\xc2\xfc\x88\xe1\x61\xda\xec\x5a\x69\x93\x4e\xd9\x9b\x5b\x5e\x0f\xf2\xc6\xd8\x0d\x4c\x51\x8f\xc1\xad\xab\x57\x5e\x45\x0d\x5c\x6f\x79\x9a\x30\x2d\x8d\x5b\x6c\xc1\xec\x38\x78\x5f\xeb\xeb\x57\x42\xcf\x9d\xc9\x92\x82\xc9\x50\x37\x54\x9d\xb3\x7e\xba\x07\x49\x17\x9d\x1d", 252); *(uint64_t*)0x20000248 = 0x20000100; *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0; *(uint32_t*)0x2000010c = 0; *(uint32_t*)0x20000110 = 0; *(uint64_t*)0x20000250 = 0x20000140; *(uint64_t*)0x20000258 = 0x20000200; *(uint32_t*)0x20000260 = 0xfc; *(uint32_t*)0x20000264 = 5; *(uint32_t*)0x20000268 = 0x8e; *(uint32_t*)0x2000026c = 2; inject_fault(1); res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); if (res == ZX_OK) { r[0] = *(uint32_t*)0x20000200; r[1] = *(uint32_t*)0x20000204; } break; case 1: *(uint64_t*)0x200103c0 = 0x20000300; *(uint32_t*)0x20000300 = 0; memset((void*)0x20000304, 0, 3); *(uint8_t*)0x20000307 = 1; *(uint64_t*)0x20000308 = 0x7072fd8700000000; *(uint64_t*)0x200103c8 = 0x20000340; *(uint64_t*)0x200103d0 = 
0x20000380; *(uint64_t*)0x200103d8 = 0x20010380; *(uint32_t*)0x200103e0 = 0x10; *(uint32_t*)0x200103e4 = 0; *(uint32_t*)0x200103e8 = 0x10000; *(uint32_t*)0x200103ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[0], /*options=*/0, /*deadline=*/0x7fffffffffffffff, /*args=*/0x200103c0, /*actual_bytes=*/0x20010400, /*actual_handles=*/0x20010440); break; case 2: res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); { int i; for(i = 0; i < 4; i++) { ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); } } if (res == ZX_OK) r[2] = *(uint32_t*)0x20010480; break; case 3: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/0x1f); if (res == ZX_OK) r[3] = res; break; case 4: *(uint64_t*)0x20020580 = 0x200104c0; *(uint32_t*)0x200104c0 = 0; memset((void*)0x200104c4, 0, 3); *(uint8_t*)0x200104c7 = 1; *(uint64_t*)0x200104c8 = 0x135d628d00000000; *(uint32_t*)0x200104d0 = 6; *(uint32_t*)0x200104d4 = 1; *(uint64_t*)0x20020588 = 0x20010500; *(uint64_t*)0x20020590 = 0x20010540; *(uint64_t*)0x20020598 = 0x20020540; *(uint32_t*)0x200205a0 = 0x18; *(uint32_t*)0x200205a4 = 0; *(uint32_t*)0x200205a8 = 0x10000; *(uint32_t*)0x200205ac = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20020580, /*actual_bytes=*/0x200205c0, /*actual_handles=*/0x20020600); break; case 5: *(uint64_t*)0x20030700 = 0x20020640; *(uint32_t*)0x20020640 = 0; memset((void*)0x20020644, 0, 3); *(uint8_t*)0x20020647 = 1; *(uint64_t*)0x20020648 = 0x7c724dc400000000; *(uint64_t*)0x20020650 = -1; *(uint64_t*)0x20020658 = 3; *(uint64_t*)0x20030708 = 0x20020680; *(uint64_t*)0x20030710 = 0x200206c0; *(uint64_t*)0x20030718 = 0x200306c0; *(uint32_t*)0x20030720 = 0x20; 
*(uint32_t*)0x20030724 = 0; *(uint32_t*)0x20030728 = 0x10000; *(uint32_t*)0x2003072c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20030700, /*actual_bytes=*/0x20030740, /*actual_handles=*/0x20030780); break; case 6: *(uint32_t*)0x200307c0 = 3; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_futex_wait))(/*value_ptr=*/0x200307c0, /*current_value=*/9, /*new_futex_owner=*/r[2], /*deadline=*/r[3]); break; case 7: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/5); if (res == ZX_OK) r[4] = res; break; case 8: *(uint64_t*)0x200408c0 = 0x20030800; *(uint32_t*)0x20030800 = 0; memset((void*)0x20030804, 0, 3); *(uint8_t*)0x20030807 = 1; *(uint64_t*)0x20030808 = 0x65db6e4200000000; *(uint64_t*)0x20030810 = 0xffffffffffffffca; *(uint64_t*)0x20030818 = -1; *(uint64_t*)0x20030820 = 0xe0; *(uint32_t*)0x20030828 = 1; memset((void*)0x2003082c, 33, 1); *(uint64_t*)0x200408c8 = 0x20030840; *(uint64_t*)0x200408d0 = 0x20030880; *(uint64_t*)0x200408d8 = 0x20040880; *(uint32_t*)0x200408e0 = 0x34; *(uint32_t*)0x200408e4 = 0; *(uint32_t*)0x200408e8 = 0x10000; *(uint32_t*)0x200408ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/0, /*options=*/0, /*deadline=*/r[4], /*args=*/0x200408c0, /*actual_bytes=*/0x20040900, /*actual_handles=*/0x20040940); break; case 9: *(uint64_t*)0x20050a40 = 0x20040980; *(uint32_t*)0x20040980 = 0; memset((void*)0x20040984, 0, 3); *(uint8_t*)0x20040987 = 1; *(uint64_t*)0x20040988 = 0x46940c1600000000; *(uint32_t*)0x20040990 = 0x8001; *(uint64_t*)0x20050a48 = 0x200409c0; *(uint64_t*)0x20050a50 = 0x20040a00; *(uint64_t*)0x20050a58 = 0x20050a00; *(uint32_t*)0x20050a60 = 0x14; *(uint32_t*)0x20050a64 = 0; *(uint32_t*)0x20050a68 = 0x10000; *(uint32_t*)0x20050a6c = 0; 
((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[4], /*args=*/0x20050a40, /*actual_bytes=*/0x20050a80, /*actual_handles=*/0x20050ac0); break; case 10: memcpy((void*)0x20000000, "\xc4\x42\x35\xdc\xff\xc4\xc2\xd1\x2b\x63\x01\xc4\xe2\x59\xb6\xad\xff\xef\xff\xff\x64\x0f\x38\x0b\x91\x61\x4e\xe5\x59\x46\xff\xd4\x8f\x28\x08\x87\x1d\xba\x1d\xeb\xec\x02\x47\x0f\x01\xd0\x47\xd8\xdc\xc4\xa2\x4d\x2d\x98\x61\x0f\x7a\x2f\xc4\xa3\xa1\x0d\xdc\x00", 64); syz_execute_func(/*text=*/0x20000000); break; case 11: syz_future_time(/*when=*/0); break; case 12: syz_job_default(); break; case 13: syz_mmap(/*addr=*/0x20ffb000, /*len=*/0x3000); break; case 14: syz_process_self(); break; case 15: syz_thread_self(); break; case 16: syz_vmar_root_self(); break; } } int main(void) { syz_mmap(/*addr=*/0x20000000, /*len=*/0x1000000); setup_fault(); do_sandbox_none(); return 0; } :270:81: error: use of undeclared identifier 'zx_channel_call_etc' res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); ^ 1 error generated. 
compiler invocation: /syzkaller/shared/fuchsia/prebuilt/third_party/clang/linux-x64/bin/clang [-o /tmp/syz-executor3345400636 -DGOOS_fuchsia=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -Wno-deprecated -target x86_64-fuchsia -ldriver -lfdio -lzircon --sysroot /syzkaller/shared/fuchsia/out/x64/zircon_toolchain/obj/zircon/public/sysroot/sysroot -I /syzkaller/shared/fuchsia/sdk/lib/fdio/include -I /syzkaller/shared/fuchsia/zircon/system/ulib/fidl/include -I /syzkaller/shared/fuchsia/src/lib/ddk/include -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device.manager -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.nand -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.power.statecontrol -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.usb.peripheral -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/zircon/vdso/zx -L /syzkaller/shared/fuchsia/out/x64/x64-shared -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-array-bounds -Wno-unused-command-line-argument] --- FAIL: TestGenerate/fuchsia/amd64/5 (2.21s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: zx_channel_call_etc(0x0, 0x20, 0x7fffffffffffffff, &(0x7f0000000240)={&(0x7f0000000000)="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", &(0x7f0000000100)=[0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000140)=""/142, &(0x7f0000000200)=[0x0, 0x0], 0xfc, 0x5, 0x8e, 0x2}, &(0x7f0000000280), 
&(0x7f00000002c0)) (fail_nth: 1) zx_channel_call$fuchsia_io_DirectoryAdminRewind(r0, 0x0, 0x7fffffffffffffff, &(0x7f00000103c0)={&(0x7f0000000300), &(0x7f0000000340), &(0x7f0000000380), &(0x7f0000010380), 0x10, 0x0, 0x10000}, &(0x7f0000010400), &(0x7f0000010440)) (async) zx_system_get_event(r1, 0x3, &(0x7f0000010480)=0x0) (rerun: 4) r3 = zx_deadline_after(0x1f) zx_channel_call$fuchsia_cobalt_LoggerBaseLogEvent(r2, 0x0, r3, &(0x7f0000020580)={&(0x7f00000104c0)={{}, 0x6, 0x1}, &(0x7f0000010500), &(0x7f0000010540), &(0x7f0000020540), 0x18, 0x0, 0x10000}, &(0x7f00000205c0), &(0x7f0000020600)) zx_channel_call$fuchsia_io_FileReadAt(r2, 0x0, r3, &(0x7f0000030700)={&(0x7f0000020640)={{}, 0xffffffffffffffff, 0x3}, &(0x7f0000020680), &(0x7f00000206c0), &(0x7f00000306c0), 0x20, 0x0, 0x10000}, &(0x7f0000030740), &(0x7f0000030780)) zx_futex_wait(&(0x7f00000307c0)=0x3, 0x9, r2, r3) r4 = zx_deadline_after(0x5) zx_channel_call$fuchsia_cobalt_LoggerBaseEndTimer(0x0, 0x0, r4, &(0x7f00000408c0)={&(0x7f0000030800)={{}, {0xffffffffffffffca, 0xffffffffffffffff}, 0xe0, 0x1, {'!'}}, &(0x7f0000030840), &(0x7f0000030880), &(0x7f0000040880), 0x34, 0x0, 0x10000}, &(0x7f0000040900), &(0x7f0000040940)) zx_channel_call$fuchsia_io_NodeNodeSetFlags(r2, 0x0, r4, &(0x7f0000050a40)={&(0x7f0000040980)={{}, 0x8001}, &(0x7f00000409c0), &(0x7f0000040a00), &(0x7f0000050a00), 0x14, 0x0, 0x10000}, &(0x7f0000050a80), &(0x7f0000050ac0)) syz_execute_func(&(0x7f0000000000)="c44235dcffc4c2d12b6301c4e259b6adffefffff640f380b91614ee55946ffd48f2808871dba1debec02470f01d047d8dcc4a24d2d98610f7a2fc4a3a10ddc00") syz_future_time(0x0) syz_job_default() syz_mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000) syz_process_self() syz_thread_self() syz_vmar_root_self() csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include 
#include #include #include #include #include #include #include #include #include static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "/tmp/syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) usleep(200); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout_ms) { uint64_t start = current_time_ms(); for (;;) { if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; if (current_time_ms() - start > timeout_ms) return 0; usleep(200); } } long syz_mmap(size_t addr, size_t size) { zx_handle_t root = zx_vmar_root_self(); zx_info_vmar_t info; zx_status_t status = zx_object_get_info(root, ZX_INFO_VMAR, &info, sizeof(info), 0, 0); if (status != ZX_OK) { return status; } zx_handle_t vmo; status = zx_vmo_create(size, 0, &vmo); if 
(status != ZX_OK) { return status; } uintptr_t mapped_addr; status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE, addr - info.base, vmo, 0, size, &mapped_addr); zx_status_t close_vmo_status = zx_handle_close(vmo); if (close_vmo_status != ZX_OK) { } return status; } static long syz_process_self(void) { return zx_process_self(); } static long syz_thread_self(void) { return zx_thread_self(); } static long syz_vmar_root_self(void) { return zx_vmar_root_self(); } static long syz_job_default(void) { return zx_job_default(); } static long syz_future_time(volatile long when) { zx_time_t delta_ms = 10000; switch (when) { case 0: delta_ms = 5; break; case 1: delta_ms = 30; break; } zx_time_t now = 0; zx_clock_read(ZX_CLOCK_MONOTONIC, &now); return now + delta_ms * 1000 * 1000; } static void loop(); static int do_sandbox_none(void) { loop(); return 0; } #define CAST(f) ({void* p = (void*)f; p; }) static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 17; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50); break; } 
} for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); static void loop(void) { execute_one(); } uint64_t r[5] = {0x0, 0x0, 0x0, 0x0, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x20000240 = 0x20000000; memcpy((void*)0x20000000, "\xe0\xa9\x8c\xd5\xfe\xf4\x93\xce\x66\xb2\xf5\x75\xb2\x18\xf6\x1e\xb6\x8a\x37\x71\xfa\xde\x2f\xc1\xfa\x84\x58\xf3\xc7\xa3\xbf\xe4\x52\x49\xaf\x6d\x61\xd8\xce\xc7\x65\x8a\xc8\xcf\x9c\x4d\xc8\x22\xbd\xf8\x97\x67\xcf\xf0\x96\x38\x07\x17\x5b\x0c\x7e\xf7\x97\xa7\x20\x4b\xc3\x56\x4e\x5b\x93\xe3\x2c\x7b\x34\xdc\x44\x04\xdf\xe4\x60\x87\x38\xf1\x89\xc1\x96\xaf\x73\x8c\x6c\x3c\x7e\xc8\x8f\x57\xe0\x78\x25\x9d\xd2\x74\x95\x07\x2b\x86\xbd\x6c\x63\x7b\x6a\xe1\x90\x60\xfc\x24\x5d\x52\x6c\xce\xcb\x49\xfb\x3c\x0d\x92\xe7\x89\x2c\xd3\xe8\x1b\x40\xe2\xdc\xaa\x3f\xd4\xfb\x39\x18\x88\x5d\x39\xad\xc5\x7f\x1f\xee\x1b\xf4\xeb\x84\xc8\x81\x52\x7c\x50\xc3\x1e\xa4\xf3\xa1\x35\xb7\xd1\x32\xc3\xf0\xb2\x16\x74\x61\x99\xd3\x48\x94\xf3\x1a\xc5\x56\x67\xee\x3e\x86\x46\xc2\xfc\x88\xe1\x61\xda\xec\x5a\x69\x93\x4e\xd9\x9b\x5b\x5e\x0f\xf2\xc6\xd8\x0d\x4c\x51\x8f\xc1\xad\xab\x57\x5e\x45\x0d\x5c\x6f\x79\x9a\x30\x2d\x8d\x5b\x6c\xc1\xec\x38\x78\x5f\xeb\xeb\x57\x42\xcf\x9d\xc9\x92\x82\xc9\x50\x37\x54\x9d\xb3\x7e\xba\x07\x49\x17\x9d\x1d", 252); *(uint64_t*)0x20000248 = 0x20000100; *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0; *(uint32_t*)0x2000010c = 0; *(uint32_t*)0x20000110 = 0; *(uint64_t*)0x20000250 = 0x20000140; *(uint64_t*)0x20000258 = 0x20000200; *(uint32_t*)0x20000260 = 0xfc; *(uint32_t*)0x20000264 = 5; *(uint32_t*)0x20000268 = 0x8e; *(uint32_t*)0x2000026c = 2; inject_fault(1); res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, 
/*actual_handles=*/0x200002c0); if (res == ZX_OK) { r[0] = *(uint32_t*)0x20000200; r[1] = *(uint32_t*)0x20000204; } break; case 1: *(uint64_t*)0x200103c0 = 0x20000300; *(uint32_t*)0x20000300 = 0; memset((void*)0x20000304, 0, 3); *(uint8_t*)0x20000307 = 1; *(uint64_t*)0x20000308 = 0x7072fd8700000000; *(uint64_t*)0x200103c8 = 0x20000340; *(uint64_t*)0x200103d0 = 0x20000380; *(uint64_t*)0x200103d8 = 0x20010380; *(uint32_t*)0x200103e0 = 0x10; *(uint32_t*)0x200103e4 = 0; *(uint32_t*)0x200103e8 = 0x10000; *(uint32_t*)0x200103ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[0], /*options=*/0, /*deadline=*/0x7fffffffffffffff, /*args=*/0x200103c0, /*actual_bytes=*/0x20010400, /*actual_handles=*/0x20010440); break; case 2: res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); { int i; for(i = 0; i < 4; i++) { ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); } } if (res == ZX_OK) r[2] = *(uint32_t*)0x20010480; break; case 3: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/0x1f); if (res == ZX_OK) r[3] = res; break; case 4: *(uint64_t*)0x20020580 = 0x200104c0; *(uint32_t*)0x200104c0 = 0; memset((void*)0x200104c4, 0, 3); *(uint8_t*)0x200104c7 = 1; *(uint64_t*)0x200104c8 = 0x135d628d00000000; *(uint32_t*)0x200104d0 = 6; *(uint32_t*)0x200104d4 = 1; *(uint64_t*)0x20020588 = 0x20010500; *(uint64_t*)0x20020590 = 0x20010540; *(uint64_t*)0x20020598 = 0x20020540; *(uint32_t*)0x200205a0 = 0x18; *(uint32_t*)0x200205a4 = 0; *(uint32_t*)0x200205a8 = 0x10000; *(uint32_t*)0x200205ac = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20020580, /*actual_bytes=*/0x200205c0, /*actual_handles=*/0x20020600); break; case 5: 
*(uint64_t*)0x20030700 = 0x20020640; *(uint32_t*)0x20020640 = 0; memset((void*)0x20020644, 0, 3); *(uint8_t*)0x20020647 = 1; *(uint64_t*)0x20020648 = 0x7c724dc400000000; *(uint64_t*)0x20020650 = -1; *(uint64_t*)0x20020658 = 3; *(uint64_t*)0x20030708 = 0x20020680; *(uint64_t*)0x20030710 = 0x200206c0; *(uint64_t*)0x20030718 = 0x200306c0; *(uint32_t*)0x20030720 = 0x20; *(uint32_t*)0x20030724 = 0; *(uint32_t*)0x20030728 = 0x10000; *(uint32_t*)0x2003072c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20030700, /*actual_bytes=*/0x20030740, /*actual_handles=*/0x20030780); break; case 6: *(uint32_t*)0x200307c0 = 3; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_futex_wait))(/*value_ptr=*/0x200307c0, /*current_value=*/9, /*new_futex_owner=*/r[2], /*deadline=*/r[3]); break; case 7: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/5); if (res == ZX_OK) r[4] = res; break; case 8: *(uint64_t*)0x200408c0 = 0x20030800; *(uint32_t*)0x20030800 = 0; memset((void*)0x20030804, 0, 3); *(uint8_t*)0x20030807 = 1; *(uint64_t*)0x20030808 = 0x65db6e4200000000; *(uint64_t*)0x20030810 = 0xffffffffffffffca; *(uint64_t*)0x20030818 = -1; *(uint64_t*)0x20030820 = 0xe0; *(uint32_t*)0x20030828 = 1; memset((void*)0x2003082c, 33, 1); *(uint64_t*)0x200408c8 = 0x20030840; *(uint64_t*)0x200408d0 = 0x20030880; *(uint64_t*)0x200408d8 = 0x20040880; *(uint32_t*)0x200408e0 = 0x34; *(uint32_t*)0x200408e4 = 0; *(uint32_t*)0x200408e8 = 0x10000; *(uint32_t*)0x200408ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/0, /*options=*/0, /*deadline=*/r[4], /*args=*/0x200408c0, /*actual_bytes=*/0x20040900, /*actual_handles=*/0x20040940); break; case 9: *(uint64_t*)0x20050a40 = 0x20040980; *(uint32_t*)0x20040980 = 0; memset((void*)0x20040984, 0, 3); *(uint8_t*)0x20040987 = 1; *(uint64_t*)0x20040988 = 
0x46940c1600000000; *(uint32_t*)0x20040990 = 0x8001; *(uint64_t*)0x20050a48 = 0x200409c0; *(uint64_t*)0x20050a50 = 0x20040a00; *(uint64_t*)0x20050a58 = 0x20050a00; *(uint32_t*)0x20050a60 = 0x14; *(uint32_t*)0x20050a64 = 0; *(uint32_t*)0x20050a68 = 0x10000; *(uint32_t*)0x20050a6c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[4], /*args=*/0x20050a40, /*actual_bytes=*/0x20050a80, /*actual_handles=*/0x20050ac0); break; case 10: memcpy((void*)0x20000000, "\xc4\x42\x35\xdc\xff\xc4\xc2\xd1\x2b\x63\x01\xc4\xe2\x59\xb6\xad\xff\xef\xff\xff\x64\x0f\x38\x0b\x91\x61\x4e\xe5\x59\x46\xff\xd4\x8f\x28\x08\x87\x1d\xba\x1d\xeb\xec\x02\x47\x0f\x01\xd0\x47\xd8\xdc\xc4\xa2\x4d\x2d\x98\x61\x0f\x7a\x2f\xc4\xa3\xa1\x0d\xdc\x00", 64); syz_execute_func(/*text=*/0x20000000); break; case 11: syz_future_time(/*when=*/0); break; case 12: syz_job_default(); break; case 13: syz_mmap(/*addr=*/0x20ffb000, /*len=*/0x3000); break; case 14: syz_process_self(); break; case 15: syz_thread_self(); break; case 16: syz_vmar_root_self(); break; } } int main(void) { syz_mmap(/*addr=*/0x20000000, /*len=*/0x1000000); setup_fault(); for (procid = 0; procid < 4; procid++) { if (fork() == 0) { use_temporary_dir(); do_sandbox_none(); } } sleep(1000000); return 0; } :284:81: error: use of undeclared identifier 'zx_channel_call_etc' res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); ^ 1 error generated. 
compiler invocation: /syzkaller/shared/fuchsia/prebuilt/third_party/clang/linux-x64/bin/clang [-o /tmp/syz-executor1814401180 -DGOOS_fuchsia=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -Wno-deprecated -target x86_64-fuchsia -ldriver -lfdio -lzircon --sysroot /syzkaller/shared/fuchsia/out/x64/zircon_toolchain/obj/zircon/public/sysroot/sysroot -I /syzkaller/shared/fuchsia/sdk/lib/fdio/include -I /syzkaller/shared/fuchsia/zircon/system/ulib/fidl/include -I /syzkaller/shared/fuchsia/src/lib/ddk/include -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device.manager -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.nand -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.power.statecontrol -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.usb.peripheral -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/zircon/vdso/zx -L /syzkaller/shared/fuchsia/out/x64/x64-shared -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-array-bounds -Wno-unused-command-line-argument] --- FAIL: TestGenerate/fuchsia/amd64/3 (2.23s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:10 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: zx_channel_call_etc(0x0, 0x20, 0x7fffffffffffffff, 
&(0x7f0000000240)={&(0x7f0000000000)="e0a98cd5fef493ce66b2f575b218f61eb68a3771fade2fc1fa8458f3c7a3bfe45249af6d61d8cec7658ac8cf9c4dc822bdf89767cff0963807175b0c7ef797a7204bc3564e5b93e32c7b34dc4404dfe4608738f189c196af738c6c3c7ec88f57e078259dd27495072b86bd6c637b6ae19060fc245d526ccecb49fb3c0d92e7892cd3e81b40e2dcaa3fd4fb3918885d39adc57f1fee1bf4eb84c881527c50c31ea4f3a135b7d132c3f0b216746199d34894f31ac55667ee3e8646c2fc88e161daec5a69934ed99b5b5e0ff2c6d80d4c518fc1adab575e450d5c6f799a302d8d5b6cc1ec38785febeb5742cf9dc99282c95037549db37eba0749179d1d", &(0x7f0000000100)=[0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000140)=""/142, &(0x7f0000000200)=[0x0, 0x0], 0xfc, 0x5, 0x8e, 0x2}, &(0x7f0000000280), &(0x7f00000002c0)) (fail_nth: 1) zx_channel_call$fuchsia_io_DirectoryAdminRewind(r0, 0x0, 0x7fffffffffffffff, &(0x7f00000103c0)={&(0x7f0000000300), &(0x7f0000000340), &(0x7f0000000380), &(0x7f0000010380), 0x10, 0x0, 0x10000}, &(0x7f0000010400), &(0x7f0000010440)) (async) zx_system_get_event(r1, 0x3, &(0x7f0000010480)=0x0) (rerun: 4) r3 = zx_deadline_after(0x1f) zx_channel_call$fuchsia_cobalt_LoggerBaseLogEvent(r2, 0x0, r3, &(0x7f0000020580)={&(0x7f00000104c0)={{}, 0x6, 0x1}, &(0x7f0000010500), &(0x7f0000010540), &(0x7f0000020540), 0x18, 0x0, 0x10000}, &(0x7f00000205c0), &(0x7f0000020600)) zx_channel_call$fuchsia_io_FileReadAt(r2, 0x0, r3, &(0x7f0000030700)={&(0x7f0000020640)={{}, 0xffffffffffffffff, 0x3}, &(0x7f0000020680), &(0x7f00000206c0), &(0x7f00000306c0), 0x20, 0x0, 0x10000}, &(0x7f0000030740), &(0x7f0000030780)) zx_futex_wait(&(0x7f00000307c0)=0x3, 0x9, r2, r3) r4 = zx_deadline_after(0x5) zx_channel_call$fuchsia_cobalt_LoggerBaseEndTimer(0x0, 0x0, r4, &(0x7f00000408c0)={&(0x7f0000030800)={{}, {0xffffffffffffffca, 0xffffffffffffffff}, 0xe0, 0x1, {'!'}}, &(0x7f0000030840), &(0x7f0000030880), &(0x7f0000040880), 0x34, 0x0, 0x10000}, &(0x7f0000040900), &(0x7f0000040940)) zx_channel_call$fuchsia_io_NodeNodeSetFlags(r2, 0x0, r4, &(0x7f0000050a40)={&(0x7f0000040980)={{}, 0x8001}, 
&(0x7f00000409c0), &(0x7f0000040a00), &(0x7f0000050a00), 0x14, 0x0, 0x10000}, &(0x7f0000050a80), &(0x7f0000050ac0)) syz_execute_func(&(0x7f0000000000)="c44235dcffc4c2d12b6301c4e259b6adffefffff640f380b91614ee55946ffd48f2808871dba1debec02470f01d047d8dcc4a24d2d98610f7a2fc4a3a10ddc00") syz_future_time(0x0) syz_job_default() syz_mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000) syz_process_self() syz_thread_self() syz_vmar_root_self() csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "/tmp/syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, 
__ATOMIC_ACQUIRE)) usleep(200); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout_ms) { uint64_t start = current_time_ms(); for (;;) { if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; if (current_time_ms() - start > timeout_ms) return 0; usleep(200); } } long syz_mmap(size_t addr, size_t size) { zx_handle_t root = zx_vmar_root_self(); zx_info_vmar_t info; zx_status_t status = zx_object_get_info(root, ZX_INFO_VMAR, &info, sizeof(info), 0, 0); if (status != ZX_OK) { return status; } zx_handle_t vmo; status = zx_vmo_create(size, 0, &vmo); if (status != ZX_OK) { return status; } uintptr_t mapped_addr; status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE, addr - info.base, vmo, 0, size, &mapped_addr); zx_status_t close_vmo_status = zx_handle_close(vmo); if (close_vmo_status != ZX_OK) { } return status; } static long syz_process_self(void) { return zx_process_self(); } static long syz_thread_self(void) { return zx_thread_self(); } static long syz_vmar_root_self(void) { return zx_vmar_root_self(); } static long syz_job_default(void) { return zx_job_default(); } static long syz_future_time(volatile long when) { zx_time_t delta_ms = 10000; switch (when) { case 0: delta_ms = 5; break; case 1: delta_ms = 30; break; } zx_time_t now = 0; zx_clock_read(ZX_CLOCK_MONOTONIC, &now); return now + delta_ms * 1000 * 1000; } static void loop(); static int do_sandbox_none(void) { loop(); return 0; } #define CAST(f) ({void* p = (void*)f; p; }) static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); 
execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 17; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); static void loop(void) { execute_one(); } uint64_t r[5] = {0x0, 0x0, 0x0, 0x0, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x20000240 = 0x20000000; memcpy((void*)0x20000000, 
"\xe0\xa9\x8c\xd5\xfe\xf4\x93\xce\x66\xb2\xf5\x75\xb2\x18\xf6\x1e\xb6\x8a\x37\x71\xfa\xde\x2f\xc1\xfa\x84\x58\xf3\xc7\xa3\xbf\xe4\x52\x49\xaf\x6d\x61\xd8\xce\xc7\x65\x8a\xc8\xcf\x9c\x4d\xc8\x22\xbd\xf8\x97\x67\xcf\xf0\x96\x38\x07\x17\x5b\x0c\x7e\xf7\x97\xa7\x20\x4b\xc3\x56\x4e\x5b\x93\xe3\x2c\x7b\x34\xdc\x44\x04\xdf\xe4\x60\x87\x38\xf1\x89\xc1\x96\xaf\x73\x8c\x6c\x3c\x7e\xc8\x8f\x57\xe0\x78\x25\x9d\xd2\x74\x95\x07\x2b\x86\xbd\x6c\x63\x7b\x6a\xe1\x90\x60\xfc\x24\x5d\x52\x6c\xce\xcb\x49\xfb\x3c\x0d\x92\xe7\x89\x2c\xd3\xe8\x1b\x40\xe2\xdc\xaa\x3f\xd4\xfb\x39\x18\x88\x5d\x39\xad\xc5\x7f\x1f\xee\x1b\xf4\xeb\x84\xc8\x81\x52\x7c\x50\xc3\x1e\xa4\xf3\xa1\x35\xb7\xd1\x32\xc3\xf0\xb2\x16\x74\x61\x99\xd3\x48\x94\xf3\x1a\xc5\x56\x67\xee\x3e\x86\x46\xc2\xfc\x88\xe1\x61\xda\xec\x5a\x69\x93\x4e\xd9\x9b\x5b\x5e\x0f\xf2\xc6\xd8\x0d\x4c\x51\x8f\xc1\xad\xab\x57\x5e\x45\x0d\x5c\x6f\x79\x9a\x30\x2d\x8d\x5b\x6c\xc1\xec\x38\x78\x5f\xeb\xeb\x57\x42\xcf\x9d\xc9\x92\x82\xc9\x50\x37\x54\x9d\xb3\x7e\xba\x07\x49\x17\x9d\x1d", 252); *(uint64_t*)0x20000248 = 0x20000100; *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0; *(uint32_t*)0x2000010c = 0; *(uint32_t*)0x20000110 = 0; *(uint64_t*)0x20000250 = 0x20000140; *(uint64_t*)0x20000258 = 0x20000200; *(uint32_t*)0x20000260 = 0xfc; *(uint32_t*)0x20000264 = 5; *(uint32_t*)0x20000268 = 0x8e; *(uint32_t*)0x2000026c = 2; inject_fault(1); res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); if (res == ZX_OK) { r[0] = *(uint32_t*)0x20000200; r[1] = *(uint32_t*)0x20000204; } break; case 1: *(uint64_t*)0x200103c0 = 0x20000300; *(uint32_t*)0x20000300 = 0; memset((void*)0x20000304, 0, 3); *(uint8_t*)0x20000307 = 1; *(uint64_t*)0x20000308 = 0x7072fd8700000000; *(uint64_t*)0x200103c8 = 0x20000340; *(uint64_t*)0x200103d0 = 
0x20000380; *(uint64_t*)0x200103d8 = 0x20010380; *(uint32_t*)0x200103e0 = 0x10; *(uint32_t*)0x200103e4 = 0; *(uint32_t*)0x200103e8 = 0x10000; *(uint32_t*)0x200103ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[0], /*options=*/0, /*deadline=*/0x7fffffffffffffff, /*args=*/0x200103c0, /*actual_bytes=*/0x20010400, /*actual_handles=*/0x20010440); break; case 2: res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); { int i; for(i = 0; i < 4; i++) { ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); } } if (res == ZX_OK) r[2] = *(uint32_t*)0x20010480; break; case 3: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/0x1f); if (res == ZX_OK) r[3] = res; break; case 4: *(uint64_t*)0x20020580 = 0x200104c0; *(uint32_t*)0x200104c0 = 0; memset((void*)0x200104c4, 0, 3); *(uint8_t*)0x200104c7 = 1; *(uint64_t*)0x200104c8 = 0x135d628d00000000; *(uint32_t*)0x200104d0 = 6; *(uint32_t*)0x200104d4 = 1; *(uint64_t*)0x20020588 = 0x20010500; *(uint64_t*)0x20020590 = 0x20010540; *(uint64_t*)0x20020598 = 0x20020540; *(uint32_t*)0x200205a0 = 0x18; *(uint32_t*)0x200205a4 = 0; *(uint32_t*)0x200205a8 = 0x10000; *(uint32_t*)0x200205ac = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20020580, /*actual_bytes=*/0x200205c0, /*actual_handles=*/0x20020600); break; case 5: *(uint64_t*)0x20030700 = 0x20020640; *(uint32_t*)0x20020640 = 0; memset((void*)0x20020644, 0, 3); *(uint8_t*)0x20020647 = 1; *(uint64_t*)0x20020648 = 0x7c724dc400000000; *(uint64_t*)0x20020650 = -1; *(uint64_t*)0x20020658 = 3; *(uint64_t*)0x20030708 = 0x20020680; *(uint64_t*)0x20030710 = 0x200206c0; *(uint64_t*)0x20030718 = 0x200306c0; *(uint32_t*)0x20030720 = 0x20; 
*(uint32_t*)0x20030724 = 0; *(uint32_t*)0x20030728 = 0x10000; *(uint32_t*)0x2003072c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20030700, /*actual_bytes=*/0x20030740, /*actual_handles=*/0x20030780); break; case 6: *(uint32_t*)0x200307c0 = 3; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_futex_wait))(/*value_ptr=*/0x200307c0, /*current_value=*/9, /*new_futex_owner=*/r[2], /*deadline=*/r[3]); break; case 7: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/5); if (res == ZX_OK) r[4] = res; break; case 8: *(uint64_t*)0x200408c0 = 0x20030800; *(uint32_t*)0x20030800 = 0; memset((void*)0x20030804, 0, 3); *(uint8_t*)0x20030807 = 1; *(uint64_t*)0x20030808 = 0x65db6e4200000000; *(uint64_t*)0x20030810 = 0xffffffffffffffca; *(uint64_t*)0x20030818 = -1; *(uint64_t*)0x20030820 = 0xe0; *(uint32_t*)0x20030828 = 1; memset((void*)0x2003082c, 33, 1); *(uint64_t*)0x200408c8 = 0x20030840; *(uint64_t*)0x200408d0 = 0x20030880; *(uint64_t*)0x200408d8 = 0x20040880; *(uint32_t*)0x200408e0 = 0x34; *(uint32_t*)0x200408e4 = 0; *(uint32_t*)0x200408e8 = 0x10000; *(uint32_t*)0x200408ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/0, /*options=*/0, /*deadline=*/r[4], /*args=*/0x200408c0, /*actual_bytes=*/0x20040900, /*actual_handles=*/0x20040940); break; case 9: *(uint64_t*)0x20050a40 = 0x20040980; *(uint32_t*)0x20040980 = 0; memset((void*)0x20040984, 0, 3); *(uint8_t*)0x20040987 = 1; *(uint64_t*)0x20040988 = 0x46940c1600000000; *(uint32_t*)0x20040990 = 0x8001; *(uint64_t*)0x20050a48 = 0x200409c0; *(uint64_t*)0x20050a50 = 0x20040a00; *(uint64_t*)0x20050a58 = 0x20050a00; *(uint32_t*)0x20050a60 = 0x14; *(uint32_t*)0x20050a64 = 0; *(uint32_t*)0x20050a68 = 0x10000; *(uint32_t*)0x20050a6c = 0; 
((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[4], /*args=*/0x20050a40, /*actual_bytes=*/0x20050a80, /*actual_handles=*/0x20050ac0); break; case 10: memcpy((void*)0x20000000, "\xc4\x42\x35\xdc\xff\xc4\xc2\xd1\x2b\x63\x01\xc4\xe2\x59\xb6\xad\xff\xef\xff\xff\x64\x0f\x38\x0b\x91\x61\x4e\xe5\x59\x46\xff\xd4\x8f\x28\x08\x87\x1d\xba\x1d\xeb\xec\x02\x47\x0f\x01\xd0\x47\xd8\xdc\xc4\xa2\x4d\x2d\x98\x61\x0f\x7a\x2f\xc4\xa3\xa1\x0d\xdc\x00", 64); syz_execute_func(/*text=*/0x20000000); break; case 11: syz_future_time(/*when=*/0); break; case 12: syz_job_default(); break; case 13: syz_mmap(/*addr=*/0x20ffb000, /*len=*/0x3000); break; case 14: syz_process_self(); break; case 15: syz_thread_self(); break; case 16: syz_vmar_root_self(); break; } } int main(void) { syz_mmap(/*addr=*/0x20000000, /*len=*/0x1000000); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :282:81: error: use of undeclared identifier 'zx_channel_call_etc' res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); ^ 1 error generated. 
compiler invocation: /syzkaller/shared/fuchsia/prebuilt/third_party/clang/linux-x64/bin/clang [-o /tmp/syz-executor2521828722 -DGOOS_fuchsia=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -Wno-deprecated -target x86_64-fuchsia -ldriver -lfdio -lzircon --sysroot /syzkaller/shared/fuchsia/out/x64/zircon_toolchain/obj/zircon/public/sysroot/sysroot -I /syzkaller/shared/fuchsia/sdk/lib/fdio/include -I /syzkaller/shared/fuchsia/zircon/system/ulib/fidl/include -I /syzkaller/shared/fuchsia/src/lib/ddk/include -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device.manager -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.nand -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.power.statecontrol -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.usb.peripheral -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/zircon/vdso/zx -L /syzkaller/shared/fuchsia/out/x64/x64-shared -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-array-bounds -Wno-unused-command-line-argument] --- FAIL: TestGenerate/fuchsia/amd64/12 (2.41s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Repro:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: zx_channel_call_etc(0x0, 0x20, 0x7fffffffffffffff, &(0x7f0000000240)={&(0x7f0000000000)="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", &(0x7f0000000100)=[0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000140)=""/142, &(0x7f0000000200)=[0x0, 0x0], 0xfc, 0x5, 0x8e, 0x2}, &(0x7f0000000280), 
&(0x7f00000002c0)) (fail_nth: 1) zx_channel_call$fuchsia_io_DirectoryAdminRewind(r0, 0x0, 0x7fffffffffffffff, &(0x7f00000103c0)={&(0x7f0000000300), &(0x7f0000000340), &(0x7f0000000380), &(0x7f0000010380), 0x10, 0x0, 0x10000}, &(0x7f0000010400), &(0x7f0000010440)) (async) zx_system_get_event(r1, 0x3, &(0x7f0000010480)=0x0) (rerun: 4) r3 = zx_deadline_after(0x1f) zx_channel_call$fuchsia_cobalt_LoggerBaseLogEvent(r2, 0x0, r3, &(0x7f0000020580)={&(0x7f00000104c0)={{}, 0x6, 0x1}, &(0x7f0000010500), &(0x7f0000010540), &(0x7f0000020540), 0x18, 0x0, 0x10000}, &(0x7f00000205c0), &(0x7f0000020600)) zx_channel_call$fuchsia_io_FileReadAt(r2, 0x0, r3, &(0x7f0000030700)={&(0x7f0000020640)={{}, 0xffffffffffffffff, 0x3}, &(0x7f0000020680), &(0x7f00000206c0), &(0x7f00000306c0), 0x20, 0x0, 0x10000}, &(0x7f0000030740), &(0x7f0000030780)) zx_futex_wait(&(0x7f00000307c0)=0x3, 0x9, r2, r3) r4 = zx_deadline_after(0x5) zx_channel_call$fuchsia_cobalt_LoggerBaseEndTimer(0x0, 0x0, r4, &(0x7f00000408c0)={&(0x7f0000030800)={{}, {0xffffffffffffffca, 0xffffffffffffffff}, 0xe0, 0x1, {'!'}}, &(0x7f0000030840), &(0x7f0000030880), &(0x7f0000040880), 0x34, 0x0, 0x10000}, &(0x7f0000040900), &(0x7f0000040940)) zx_channel_call$fuchsia_io_NodeNodeSetFlags(r2, 0x0, r4, &(0x7f0000050a40)={&(0x7f0000040980)={{}, 0x8001}, &(0x7f00000409c0), &(0x7f0000040a00), &(0x7f0000050a00), 0x14, 0x0, 0x10000}, &(0x7f0000050a80), &(0x7f0000050ac0)) syz_execute_func(&(0x7f0000000000)="c44235dcffc4c2d12b6301c4e259b6adffefffff640f380b91614ee55946ffd48f2808871dba1debec02470f01d047d8dcc4a24d2d98610f7a2fc4a3a10ddc00") syz_future_time(0x0) syz_job_default() syz_mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000) syz_process_self() syz_thread_self() syz_vmar_root_self() csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include 
#include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "/tmp/syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) usleep(200); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout_ms) { uint64_t start = current_time_ms(); for (;;) { if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; if (current_time_ms() - start > timeout_ms) return 0; usleep(200); } } long syz_mmap(size_t addr, size_t size) { zx_handle_t root = zx_vmar_root_self(); zx_info_vmar_t info; zx_status_t status = zx_object_get_info(root, ZX_INFO_VMAR, &info, sizeof(info), 0, 0); if (status != ZX_OK) { return status; } zx_handle_t vmo; status = zx_vmo_create(size, 0, &vmo); if (status != ZX_OK) { return status; } 
uintptr_t mapped_addr; status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE, addr - info.base, vmo, 0, size, &mapped_addr); zx_status_t close_vmo_status = zx_handle_close(vmo); if (close_vmo_status != ZX_OK) { } return status; } static long syz_process_self(void) { return zx_process_self(); } static long syz_thread_self(void) { return zx_thread_self(); } static long syz_vmar_root_self(void) { return zx_vmar_root_self(); } static long syz_job_default(void) { return zx_job_default(); } static long syz_future_time(volatile long when) { zx_time_t delta_ms = 10000; switch (when) { case 0: delta_ms = 5; break; case 1: delta_ms = 30; break; } zx_time_t now = 0; zx_clock_read(ZX_CLOCK_MONOTONIC, &now); return now + delta_ms * 1000 * 1000; } static void loop(); static int do_sandbox_none(void) { loop(); return 0; } #define CAST(f) ({void* p = (void*)f; p; }) static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 17; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; 
event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); static void loop(void) { execute_one(); } uint64_t r[5] = {0x0, 0x0, 0x0, 0x0, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x20000240 = 0x20000000; memcpy((void*)0x20000000, "\xe0\xa9\x8c\xd5\xfe\xf4\x93\xce\x66\xb2\xf5\x75\xb2\x18\xf6\x1e\xb6\x8a\x37\x71\xfa\xde\x2f\xc1\xfa\x84\x58\xf3\xc7\xa3\xbf\xe4\x52\x49\xaf\x6d\x61\xd8\xce\xc7\x65\x8a\xc8\xcf\x9c\x4d\xc8\x22\xbd\xf8\x97\x67\xcf\xf0\x96\x38\x07\x17\x5b\x0c\x7e\xf7\x97\xa7\x20\x4b\xc3\x56\x4e\x5b\x93\xe3\x2c\x7b\x34\xdc\x44\x04\xdf\xe4\x60\x87\x38\xf1\x89\xc1\x96\xaf\x73\x8c\x6c\x3c\x7e\xc8\x8f\x57\xe0\x78\x25\x9d\xd2\x74\x95\x07\x2b\x86\xbd\x6c\x63\x7b\x6a\xe1\x90\x60\xfc\x24\x5d\x52\x6c\xce\xcb\x49\xfb\x3c\x0d\x92\xe7\x89\x2c\xd3\xe8\x1b\x40\xe2\xdc\xaa\x3f\xd4\xfb\x39\x18\x88\x5d\x39\xad\xc5\x7f\x1f\xee\x1b\xf4\xeb\x84\xc8\x81\x52\x7c\x50\xc3\x1e\xa4\xf3\xa1\x35\xb7\xd1\x32\xc3\xf0\xb2\x16\x74\x61\x99\xd3\x48\x94\xf3\x1a\xc5\x56\x67\xee\x3e\x86\x46\xc2\xfc\x88\xe1\x61\xda\xec\x5a\x69\x93\x4e\xd9\x9b\x5b\x5e\x0f\xf2\xc6\xd8\x0d\x4c\x51\x8f\xc1\xad\xab\x57\x5e\x45\x0d\x5c\x6f\x79\x9a\x30\x2d\x8d\x5b\x6c\xc1\xec\x38\x78\x5f\xeb\xeb\x57\x42\xcf\x9d\xc9\x92\x82\xc9\x50\x37\x54\x9d\xb3\x7e\xba\x07\x49\x17\x9d\x1d", 252); *(uint64_t*)0x20000248 = 0x20000100; *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0; *(uint32_t*)0x2000010c = 0; *(uint32_t*)0x20000110 = 0; *(uint64_t*)0x20000250 = 0x20000140; *(uint64_t*)0x20000258 = 0x20000200; *(uint32_t*)0x20000260 = 0xfc; *(uint32_t*)0x20000264 = 5; *(uint32_t*)0x20000268 = 0x8e; *(uint32_t*)0x2000026c = 2; inject_fault(1); res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, 
/*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); if (res == ZX_OK) { r[0] = *(uint32_t*)0x20000200; r[1] = *(uint32_t*)0x20000204; } break; case 1: *(uint64_t*)0x200103c0 = 0x20000300; *(uint32_t*)0x20000300 = 0; memset((void*)0x20000304, 0, 3); *(uint8_t*)0x20000307 = 1; *(uint64_t*)0x20000308 = 0x7072fd8700000000; *(uint64_t*)0x200103c8 = 0x20000340; *(uint64_t*)0x200103d0 = 0x20000380; *(uint64_t*)0x200103d8 = 0x20010380; *(uint32_t*)0x200103e0 = 0x10; *(uint32_t*)0x200103e4 = 0; *(uint32_t*)0x200103e8 = 0x10000; *(uint32_t*)0x200103ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[0], /*options=*/0, /*deadline=*/0x7fffffffffffffff, /*args=*/0x200103c0, /*actual_bytes=*/0x20010400, /*actual_handles=*/0x20010440); break; case 2: res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); { int i; for(i = 0; i < 4; i++) { ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); } } if (res == ZX_OK) r[2] = *(uint32_t*)0x20010480; break; case 3: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/0x1f); if (res == ZX_OK) r[3] = res; break; case 4: *(uint64_t*)0x20020580 = 0x200104c0; *(uint32_t*)0x200104c0 = 0; memset((void*)0x200104c4, 0, 3); *(uint8_t*)0x200104c7 = 1; *(uint64_t*)0x200104c8 = 0x135d628d00000000; *(uint32_t*)0x200104d0 = 6; *(uint32_t*)0x200104d4 = 1; *(uint64_t*)0x20020588 = 0x20010500; *(uint64_t*)0x20020590 = 0x20010540; *(uint64_t*)0x20020598 = 0x20020540; *(uint32_t*)0x200205a0 = 0x18; *(uint32_t*)0x200205a4 = 0; *(uint32_t*)0x200205a8 = 0x10000; *(uint32_t*)0x200205ac = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20020580, /*actual_bytes=*/0x200205c0, /*actual_handles=*/0x20020600); 
break; case 5: *(uint64_t*)0x20030700 = 0x20020640; *(uint32_t*)0x20020640 = 0; memset((void*)0x20020644, 0, 3); *(uint8_t*)0x20020647 = 1; *(uint64_t*)0x20020648 = 0x7c724dc400000000; *(uint64_t*)0x20020650 = -1; *(uint64_t*)0x20020658 = 3; *(uint64_t*)0x20030708 = 0x20020680; *(uint64_t*)0x20030710 = 0x200206c0; *(uint64_t*)0x20030718 = 0x200306c0; *(uint32_t*)0x20030720 = 0x20; *(uint32_t*)0x20030724 = 0; *(uint32_t*)0x20030728 = 0x10000; *(uint32_t*)0x2003072c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20030700, /*actual_bytes=*/0x20030740, /*actual_handles=*/0x20030780); break; case 6: *(uint32_t*)0x200307c0 = 3; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_futex_wait))(/*value_ptr=*/0x200307c0, /*current_value=*/9, /*new_futex_owner=*/r[2], /*deadline=*/r[3]); break; case 7: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/5); if (res == ZX_OK) r[4] = res; break; case 8: *(uint64_t*)0x200408c0 = 0x20030800; *(uint32_t*)0x20030800 = 0; memset((void*)0x20030804, 0, 3); *(uint8_t*)0x20030807 = 1; *(uint64_t*)0x20030808 = 0x65db6e4200000000; *(uint64_t*)0x20030810 = 0xffffffffffffffca; *(uint64_t*)0x20030818 = -1; *(uint64_t*)0x20030820 = 0xe0; *(uint32_t*)0x20030828 = 1; memset((void*)0x2003082c, 33, 1); *(uint64_t*)0x200408c8 = 0x20030840; *(uint64_t*)0x200408d0 = 0x20030880; *(uint64_t*)0x200408d8 = 0x20040880; *(uint32_t*)0x200408e0 = 0x34; *(uint32_t*)0x200408e4 = 0; *(uint32_t*)0x200408e8 = 0x10000; *(uint32_t*)0x200408ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/0, /*options=*/0, /*deadline=*/r[4], /*args=*/0x200408c0, /*actual_bytes=*/0x20040900, /*actual_handles=*/0x20040940); break; case 9: *(uint64_t*)0x20050a40 = 0x20040980; *(uint32_t*)0x20040980 = 0; memset((void*)0x20040984, 0, 3); *(uint8_t*)0x20040987 = 1; 
*(uint64_t*)0x20040988 = 0x46940c1600000000; *(uint32_t*)0x20040990 = 0x8001; *(uint64_t*)0x20050a48 = 0x200409c0; *(uint64_t*)0x20050a50 = 0x20040a00; *(uint64_t*)0x20050a58 = 0x20050a00; *(uint32_t*)0x20050a60 = 0x14; *(uint32_t*)0x20050a64 = 0; *(uint32_t*)0x20050a68 = 0x10000; *(uint32_t*)0x20050a6c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[4], /*args=*/0x20050a40, /*actual_bytes=*/0x20050a80, /*actual_handles=*/0x20050ac0); break; case 10: memcpy((void*)0x20000000, "\xc4\x42\x35\xdc\xff\xc4\xc2\xd1\x2b\x63\x01\xc4\xe2\x59\xb6\xad\xff\xef\xff\xff\x64\x0f\x38\x0b\x91\x61\x4e\xe5\x59\x46\xff\xd4\x8f\x28\x08\x87\x1d\xba\x1d\xeb\xec\x02\x47\x0f\x01\xd0\x47\xd8\xdc\xc4\xa2\x4d\x2d\x98\x61\x0f\x7a\x2f\xc4\xa3\xa1\x0d\xdc\x00", 64); syz_execute_func(/*text=*/0x20000000); break; case 11: syz_future_time(/*when=*/0); break; case 12: syz_job_default(); break; case 13: syz_mmap(/*addr=*/0x20ffb000, /*len=*/0x3000); break; case 14: syz_process_self(); break; case 15: syz_thread_self(); break; case 16: syz_vmar_root_self(); break; } } int main(void) { syz_mmap(/*addr=*/0x20000000, /*len=*/0x1000000); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :284:81: error: use of undeclared identifier 'zx_channel_call_etc' res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); ^ 1 error generated. 
compiler invocation: /syzkaller/shared/fuchsia/prebuilt/third_party/clang/linux-x64/bin/clang [-o /tmp/syz-executor946910451 -DGOOS_fuchsia=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -Wno-deprecated -target x86_64-fuchsia -ldriver -lfdio -lzircon --sysroot /syzkaller/shared/fuchsia/out/x64/zircon_toolchain/obj/zircon/public/sysroot/sysroot -I /syzkaller/shared/fuchsia/sdk/lib/fdio/include -I /syzkaller/shared/fuchsia/zircon/system/ulib/fidl/include -I /syzkaller/shared/fuchsia/src/lib/ddk/include -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device.manager -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.nand -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.power.statecontrol -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.usb.peripheral -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/zircon/vdso/zx -L /syzkaller/shared/fuchsia/out/x64/x64-shared -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-array-bounds -Wno-unused-command-line-argument] --- FAIL: TestGenerate/fuchsia/amd64/9 (2.24s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:9223372036854775807 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: zx_channel_call_etc(0x0, 0x20, 0x7fffffffffffffff, &(0x7f0000000240)={&(0x7f0000000000)="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", &(0x7f0000000100)=[0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000140)=""/142, &(0x7f0000000200)=[0x0, 0x0], 0xfc, 0x5, 0x8e, 0x2}, 
&(0x7f0000000280), &(0x7f00000002c0)) (fail_nth: 1) zx_channel_call$fuchsia_io_DirectoryAdminRewind(r0, 0x0, 0x7fffffffffffffff, &(0x7f00000103c0)={&(0x7f0000000300), &(0x7f0000000340), &(0x7f0000000380), &(0x7f0000010380), 0x10, 0x0, 0x10000}, &(0x7f0000010400), &(0x7f0000010440)) (async) zx_system_get_event(r1, 0x3, &(0x7f0000010480)=0x0) (rerun: 4) r3 = zx_deadline_after(0x1f) zx_channel_call$fuchsia_cobalt_LoggerBaseLogEvent(r2, 0x0, r3, &(0x7f0000020580)={&(0x7f00000104c0)={{}, 0x6, 0x1}, &(0x7f0000010500), &(0x7f0000010540), &(0x7f0000020540), 0x18, 0x0, 0x10000}, &(0x7f00000205c0), &(0x7f0000020600)) zx_channel_call$fuchsia_io_FileReadAt(r2, 0x0, r3, &(0x7f0000030700)={&(0x7f0000020640)={{}, 0xffffffffffffffff, 0x3}, &(0x7f0000020680), &(0x7f00000206c0), &(0x7f00000306c0), 0x20, 0x0, 0x10000}, &(0x7f0000030740), &(0x7f0000030780)) zx_futex_wait(&(0x7f00000307c0)=0x3, 0x9, r2, r3) r4 = zx_deadline_after(0x5) zx_channel_call$fuchsia_cobalt_LoggerBaseEndTimer(0x0, 0x0, r4, &(0x7f00000408c0)={&(0x7f0000030800)={{}, {0xffffffffffffffca, 0xffffffffffffffff}, 0xe0, 0x1, {'!'}}, &(0x7f0000030840), &(0x7f0000030880), &(0x7f0000040880), 0x34, 0x0, 0x10000}, &(0x7f0000040900), &(0x7f0000040940)) zx_channel_call$fuchsia_io_NodeNodeSetFlags(r2, 0x0, r4, &(0x7f0000050a40)={&(0x7f0000040980)={{}, 0x8001}, &(0x7f00000409c0), &(0x7f0000040a00), &(0x7f0000050a00), 0x14, 0x0, 0x10000}, &(0x7f0000050a80), &(0x7f0000050ac0)) syz_execute_func(&(0x7f0000000000)="c44235dcffc4c2d12b6301c4e259b6adffefffff640f380b91614ee55946ffd48f2808871dba1debec02470f01d047d8dcc4a24d2d98610f7a2fc4a3a10ddc00") syz_future_time(0x0) syz_job_default() syz_mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000) syz_process_self() syz_thread_self() syz_vmar_root_self() csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include 
#include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "/tmp/syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) usleep(200); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout_ms) { uint64_t start = current_time_ms(); for (;;) { if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; if (current_time_ms() - start > timeout_ms) return 0; usleep(200); } } long syz_mmap(size_t addr, size_t size) { zx_handle_t root = zx_vmar_root_self(); zx_info_vmar_t info; zx_status_t status = zx_object_get_info(root, ZX_INFO_VMAR, &info, sizeof(info), 0, 0); if (status != ZX_OK) { return status; } zx_handle_t vmo; status = zx_vmo_create(size, 0, &vmo); if (status != ZX_OK) { 
return status; } uintptr_t mapped_addr; status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE, addr - info.base, vmo, 0, size, &mapped_addr); zx_status_t close_vmo_status = zx_handle_close(vmo); if (close_vmo_status != ZX_OK) { } return status; } static long syz_process_self(void) { return zx_process_self(); } static long syz_thread_self(void) { return zx_thread_self(); } static long syz_vmar_root_self(void) { return zx_vmar_root_self(); } static long syz_job_default(void) { return zx_job_default(); } static long syz_future_time(volatile long when) { zx_time_t delta_ms = 10000; switch (when) { case 0: delta_ms = 5; break; case 1: delta_ms = 30; break; } zx_time_t now = 0; zx_clock_read(ZX_CLOCK_MONOTONIC, &now); return now + delta_ms * 1000 * 1000; } static void loop(); static int do_sandbox_none(void) { loop(); return 0; } #define CAST(f) ({void* p = (void*)f; p; }) static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 17; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 
100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); static void loop(void) { execute_one(); } uint64_t r[5] = {0x0, 0x0, 0x0, 0x0, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x20000240 = 0x20000000; memcpy((void*)0x20000000, "\xe0\xa9\x8c\xd5\xfe\xf4\x93\xce\x66\xb2\xf5\x75\xb2\x18\xf6\x1e\xb6\x8a\x37\x71\xfa\xde\x2f\xc1\xfa\x84\x58\xf3\xc7\xa3\xbf\xe4\x52\x49\xaf\x6d\x61\xd8\xce\xc7\x65\x8a\xc8\xcf\x9c\x4d\xc8\x22\xbd\xf8\x97\x67\xcf\xf0\x96\x38\x07\x17\x5b\x0c\x7e\xf7\x97\xa7\x20\x4b\xc3\x56\x4e\x5b\x93\xe3\x2c\x7b\x34\xdc\x44\x04\xdf\xe4\x60\x87\x38\xf1\x89\xc1\x96\xaf\x73\x8c\x6c\x3c\x7e\xc8\x8f\x57\xe0\x78\x25\x9d\xd2\x74\x95\x07\x2b\x86\xbd\x6c\x63\x7b\x6a\xe1\x90\x60\xfc\x24\x5d\x52\x6c\xce\xcb\x49\xfb\x3c\x0d\x92\xe7\x89\x2c\xd3\xe8\x1b\x40\xe2\xdc\xaa\x3f\xd4\xfb\x39\x18\x88\x5d\x39\xad\xc5\x7f\x1f\xee\x1b\xf4\xeb\x84\xc8\x81\x52\x7c\x50\xc3\x1e\xa4\xf3\xa1\x35\xb7\xd1\x32\xc3\xf0\xb2\x16\x74\x61\x99\xd3\x48\x94\xf3\x1a\xc5\x56\x67\xee\x3e\x86\x46\xc2\xfc\x88\xe1\x61\xda\xec\x5a\x69\x93\x4e\xd9\x9b\x5b\x5e\x0f\xf2\xc6\xd8\x0d\x4c\x51\x8f\xc1\xad\xab\x57\x5e\x45\x0d\x5c\x6f\x79\x9a\x30\x2d\x8d\x5b\x6c\xc1\xec\x38\x78\x5f\xeb\xeb\x57\x42\xcf\x9d\xc9\x92\x82\xc9\x50\x37\x54\x9d\xb3\x7e\xba\x07\x49\x17\x9d\x1d", 252); *(uint64_t*)0x20000248 = 0x20000100; *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0; *(uint32_t*)0x2000010c = 0; *(uint32_t*)0x20000110 = 0; *(uint64_t*)0x20000250 = 0x20000140; *(uint64_t*)0x20000258 = 0x20000200; *(uint32_t*)0x20000260 = 0xfc; *(uint32_t*)0x20000264 = 5; *(uint32_t*)0x20000268 = 0x8e; *(uint32_t*)0x2000026c = 2; inject_fault(1); res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); if (res == 
ZX_OK) { r[0] = *(uint32_t*)0x20000200; r[1] = *(uint32_t*)0x20000204; } break; case 1: *(uint64_t*)0x200103c0 = 0x20000300; *(uint32_t*)0x20000300 = 0; memset((void*)0x20000304, 0, 3); *(uint8_t*)0x20000307 = 1; *(uint64_t*)0x20000308 = 0x7072fd8700000000; *(uint64_t*)0x200103c8 = 0x20000340; *(uint64_t*)0x200103d0 = 0x20000380; *(uint64_t*)0x200103d8 = 0x20010380; *(uint32_t*)0x200103e0 = 0x10; *(uint32_t*)0x200103e4 = 0; *(uint32_t*)0x200103e8 = 0x10000; *(uint32_t*)0x200103ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[0], /*options=*/0, /*deadline=*/0x7fffffffffffffff, /*args=*/0x200103c0, /*actual_bytes=*/0x20010400, /*actual_handles=*/0x20010440); break; case 2: res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); { int i; for(i = 0; i < 4; i++) { ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); } } if (res == ZX_OK) r[2] = *(uint32_t*)0x20010480; break; case 3: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/0x1f); if (res == ZX_OK) r[3] = res; break; case 4: *(uint64_t*)0x20020580 = 0x200104c0; *(uint32_t*)0x200104c0 = 0; memset((void*)0x200104c4, 0, 3); *(uint8_t*)0x200104c7 = 1; *(uint64_t*)0x200104c8 = 0x135d628d00000000; *(uint32_t*)0x200104d0 = 6; *(uint32_t*)0x200104d4 = 1; *(uint64_t*)0x20020588 = 0x20010500; *(uint64_t*)0x20020590 = 0x20010540; *(uint64_t*)0x20020598 = 0x20020540; *(uint32_t*)0x200205a0 = 0x18; *(uint32_t*)0x200205a4 = 0; *(uint32_t*)0x200205a8 = 0x10000; *(uint32_t*)0x200205ac = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20020580, /*actual_bytes=*/0x200205c0, /*actual_handles=*/0x20020600); break; case 5: *(uint64_t*)0x20030700 = 0x20020640; *(uint32_t*)0x20020640 
= 0; memset((void*)0x20020644, 0, 3); *(uint8_t*)0x20020647 = 1; *(uint64_t*)0x20020648 = 0x7c724dc400000000; *(uint64_t*)0x20020650 = -1; *(uint64_t*)0x20020658 = 3; *(uint64_t*)0x20030708 = 0x20020680; *(uint64_t*)0x20030710 = 0x200206c0; *(uint64_t*)0x20030718 = 0x200306c0; *(uint32_t*)0x20030720 = 0x20; *(uint32_t*)0x20030724 = 0; *(uint32_t*)0x20030728 = 0x10000; *(uint32_t*)0x2003072c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20030700, /*actual_bytes=*/0x20030740, /*actual_handles=*/0x20030780); break; case 6: *(uint32_t*)0x200307c0 = 3; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_futex_wait))(/*value_ptr=*/0x200307c0, /*current_value=*/9, /*new_futex_owner=*/r[2], /*deadline=*/r[3]); break; case 7: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/5); if (res == ZX_OK) r[4] = res; break; case 8: *(uint64_t*)0x200408c0 = 0x20030800; *(uint32_t*)0x20030800 = 0; memset((void*)0x20030804, 0, 3); *(uint8_t*)0x20030807 = 1; *(uint64_t*)0x20030808 = 0x65db6e4200000000; *(uint64_t*)0x20030810 = 0xffffffffffffffca; *(uint64_t*)0x20030818 = -1; *(uint64_t*)0x20030820 = 0xe0; *(uint32_t*)0x20030828 = 1; memset((void*)0x2003082c, 33, 1); *(uint64_t*)0x200408c8 = 0x20030840; *(uint64_t*)0x200408d0 = 0x20030880; *(uint64_t*)0x200408d8 = 0x20040880; *(uint32_t*)0x200408e0 = 0x34; *(uint32_t*)0x200408e4 = 0; *(uint32_t*)0x200408e8 = 0x10000; *(uint32_t*)0x200408ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/0, /*options=*/0, /*deadline=*/r[4], /*args=*/0x200408c0, /*actual_bytes=*/0x20040900, /*actual_handles=*/0x20040940); break; case 9: *(uint64_t*)0x20050a40 = 0x20040980; *(uint32_t*)0x20040980 = 0; memset((void*)0x20040984, 0, 3); *(uint8_t*)0x20040987 = 1; *(uint64_t*)0x20040988 = 0x46940c1600000000; *(uint32_t*)0x20040990 = 0x8001; 
*(uint64_t*)0x20050a48 = 0x200409c0; *(uint64_t*)0x20050a50 = 0x20040a00; *(uint64_t*)0x20050a58 = 0x20050a00; *(uint32_t*)0x20050a60 = 0x14; *(uint32_t*)0x20050a64 = 0; *(uint32_t*)0x20050a68 = 0x10000; *(uint32_t*)0x20050a6c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[4], /*args=*/0x20050a40, /*actual_bytes=*/0x20050a80, /*actual_handles=*/0x20050ac0); break; case 10: memcpy((void*)0x20000000, "\xc4\x42\x35\xdc\xff\xc4\xc2\xd1\x2b\x63\x01\xc4\xe2\x59\xb6\xad\xff\xef\xff\xff\x64\x0f\x38\x0b\x91\x61\x4e\xe5\x59\x46\xff\xd4\x8f\x28\x08\x87\x1d\xba\x1d\xeb\xec\x02\x47\x0f\x01\xd0\x47\xd8\xdc\xc4\xa2\x4d\x2d\x98\x61\x0f\x7a\x2f\xc4\xa3\xa1\x0d\xdc\x00", 64); syz_execute_func(/*text=*/0x20000000); break; case 11: syz_future_time(/*when=*/0); break; case 12: syz_job_default(); break; case 13: syz_mmap(/*addr=*/0x20ffb000, /*len=*/0x3000); break; case 14: syz_process_self(); break; case 15: syz_thread_self(); break; case 16: syz_vmar_root_self(); break; } } int main(void) { syz_mmap(/*addr=*/0x20000000, /*len=*/0x1000000); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :282:81: error: use of undeclared identifier 'zx_channel_call_etc' res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); ^ 1 error generated. 
compiler invocation: /syzkaller/shared/fuchsia/prebuilt/third_party/clang/linux-x64/bin/clang [-o /tmp/syz-executor2108846505 -DGOOS_fuchsia=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -Wno-deprecated -target x86_64-fuchsia -ldriver -lfdio -lzircon --sysroot /syzkaller/shared/fuchsia/out/x64/zircon_toolchain/obj/zircon/public/sysroot/sysroot -I /syzkaller/shared/fuchsia/sdk/lib/fdio/include -I /syzkaller/shared/fuchsia/zircon/system/ulib/fidl/include -I /syzkaller/shared/fuchsia/src/lib/ddk/include -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device.manager -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.nand -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.power.statecontrol -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.usb.peripheral -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/zircon/vdso/zx -L /syzkaller/shared/fuchsia/out/x64/x64-shared -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-array-bounds -Wno-unused-command-line-argument] --- FAIL: TestGenerate/fuchsia/amd64/2 (2.24s) csource_test.go:150: opts: {Threaded:true Repeat:false RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: zx_channel_call_etc(0x0, 0x20, 0x7fffffffffffffff, &(0x7f0000000240)={&(0x7f0000000000)="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", &(0x7f0000000100)=[0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000140)=""/142, &(0x7f0000000200)=[0x0, 0x0], 0xfc, 0x5, 0x8e, 0x2}, &(0x7f0000000280), 
&(0x7f00000002c0)) (fail_nth: 1) zx_channel_call$fuchsia_io_DirectoryAdminRewind(r0, 0x0, 0x7fffffffffffffff, &(0x7f00000103c0)={&(0x7f0000000300), &(0x7f0000000340), &(0x7f0000000380), &(0x7f0000010380), 0x10, 0x0, 0x10000}, &(0x7f0000010400), &(0x7f0000010440)) (async) zx_system_get_event(r1, 0x3, &(0x7f0000010480)=0x0) (rerun: 4) r3 = zx_deadline_after(0x1f) zx_channel_call$fuchsia_cobalt_LoggerBaseLogEvent(r2, 0x0, r3, &(0x7f0000020580)={&(0x7f00000104c0)={{}, 0x6, 0x1}, &(0x7f0000010500), &(0x7f0000010540), &(0x7f0000020540), 0x18, 0x0, 0x10000}, &(0x7f00000205c0), &(0x7f0000020600)) zx_channel_call$fuchsia_io_FileReadAt(r2, 0x0, r3, &(0x7f0000030700)={&(0x7f0000020640)={{}, 0xffffffffffffffff, 0x3}, &(0x7f0000020680), &(0x7f00000206c0), &(0x7f00000306c0), 0x20, 0x0, 0x10000}, &(0x7f0000030740), &(0x7f0000030780)) zx_futex_wait(&(0x7f00000307c0)=0x3, 0x9, r2, r3) r4 = zx_deadline_after(0x5) zx_channel_call$fuchsia_cobalt_LoggerBaseEndTimer(0x0, 0x0, r4, &(0x7f00000408c0)={&(0x7f0000030800)={{}, {0xffffffffffffffca, 0xffffffffffffffff}, 0xe0, 0x1, {'!'}}, &(0x7f0000030840), &(0x7f0000030880), &(0x7f0000040880), 0x34, 0x0, 0x10000}, &(0x7f0000040900), &(0x7f0000040940)) zx_channel_call$fuchsia_io_NodeNodeSetFlags(r2, 0x0, r4, &(0x7f0000050a40)={&(0x7f0000040980)={{}, 0x8001}, &(0x7f00000409c0), &(0x7f0000040a00), &(0x7f0000050a00), 0x14, 0x0, 0x10000}, &(0x7f0000050a80), &(0x7f0000050ac0)) syz_execute_func(&(0x7f0000000000)="c44235dcffc4c2d12b6301c4e259b6adffefffff640f380b91614ee55946ffd48f2808871dba1debec02470f01d047d8dcc4a24d2d98610f7a2fc4a3a10ddc00") syz_future_time(0x0) syz_job_default() syz_mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000) syz_process_self() syz_thread_self() syz_vmar_root_self() csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include 
#include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "/tmp/syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) usleep(200); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout_ms) { uint64_t start = current_time_ms(); for (;;) { if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; if (current_time_ms() - start > timeout_ms) return 0; usleep(200); } } long syz_mmap(size_t addr, size_t size) { zx_handle_t root = zx_vmar_root_self(); zx_info_vmar_t info; zx_status_t status = zx_object_get_info(root, ZX_INFO_VMAR, &info, sizeof(info), 0, 0); if (status != ZX_OK) { return status; } zx_handle_t vmo; status = zx_vmo_create(size, 0, &vmo); if (status != ZX_OK) { return status; } 
uintptr_t mapped_addr; status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE, addr - info.base, vmo, 0, size, &mapped_addr); zx_status_t close_vmo_status = zx_handle_close(vmo); if (close_vmo_status != ZX_OK) { } return status; } static long syz_process_self(void) { return zx_process_self(); } static long syz_thread_self(void) { return zx_thread_self(); } static long syz_vmar_root_self(void) { return zx_vmar_root_self(); } static long syz_job_default(void) { return zx_job_default(); } static long syz_future_time(volatile long when) { zx_time_t delta_ms = 10000; switch (when) { case 0: delta_ms = 5; break; case 1: delta_ms = 30; break; } zx_time_t now = 0; zx_clock_read(ZX_CLOCK_MONOTONIC, &now); return now + delta_ms * 1000 * 1000; } static void loop(); static int do_sandbox_none(void) { loop(); return 0; } #define CAST(f) ({void* p = (void*)f; p; }) static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void loop(void) { int i, call, thread; for (call = 0; call < 17; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && 
__atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } uint64_t r[5] = {0x0, 0x0, 0x0, 0x0, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x20000240 = 0x20000000; memcpy((void*)0x20000000, "\xe0\xa9\x8c\xd5\xfe\xf4\x93\xce\x66\xb2\xf5\x75\xb2\x18\xf6\x1e\xb6\x8a\x37\x71\xfa\xde\x2f\xc1\xfa\x84\x58\xf3\xc7\xa3\xbf\xe4\x52\x49\xaf\x6d\x61\xd8\xce\xc7\x65\x8a\xc8\xcf\x9c\x4d\xc8\x22\xbd\xf8\x97\x67\xcf\xf0\x96\x38\x07\x17\x5b\x0c\x7e\xf7\x97\xa7\x20\x4b\xc3\x56\x4e\x5b\x93\xe3\x2c\x7b\x34\xdc\x44\x04\xdf\xe4\x60\x87\x38\xf1\x89\xc1\x96\xaf\x73\x8c\x6c\x3c\x7e\xc8\x8f\x57\xe0\x78\x25\x9d\xd2\x74\x95\x07\x2b\x86\xbd\x6c\x63\x7b\x6a\xe1\x90\x60\xfc\x24\x5d\x52\x6c\xce\xcb\x49\xfb\x3c\x0d\x92\xe7\x89\x2c\xd3\xe8\x1b\x40\xe2\xdc\xaa\x3f\xd4\xfb\x39\x18\x88\x5d\x39\xad\xc5\x7f\x1f\xee\x1b\xf4\xeb\x84\xc8\x81\x52\x7c\x50\xc3\x1e\xa4\xf3\xa1\x35\xb7\xd1\x32\xc3\xf0\xb2\x16\x74\x61\x99\xd3\x48\x94\xf3\x1a\xc5\x56\x67\xee\x3e\x86\x46\xc2\xfc\x88\xe1\x61\xda\xec\x5a\x69\x93\x4e\xd9\x9b\x5b\x5e\x0f\xf2\xc6\xd8\x0d\x4c\x51\x8f\xc1\xad\xab\x57\x5e\x45\x0d\x5c\x6f\x79\x9a\x30\x2d\x8d\x5b\x6c\xc1\xec\x38\x78\x5f\xeb\xeb\x57\x42\xcf\x9d\xc9\x92\x82\xc9\x50\x37\x54\x9d\xb3\x7e\xba\x07\x49\x17\x9d\x1d", 252); *(uint64_t*)0x20000248 = 0x20000100; *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0; *(uint32_t*)0x2000010c = 0; *(uint32_t*)0x20000110 = 0; *(uint64_t*)0x20000250 = 0x20000140; *(uint64_t*)0x20000258 = 0x20000200; *(uint32_t*)0x20000260 = 0xfc; *(uint32_t*)0x20000264 = 5; *(uint32_t*)0x20000268 = 0x8e; *(uint32_t*)0x2000026c = 2; inject_fault(1); res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); if (res == ZX_OK) { r[0] = *(uint32_t*)0x20000200; r[1] = *(uint32_t*)0x20000204; } break; 
case 1: *(uint64_t*)0x200103c0 = 0x20000300; *(uint32_t*)0x20000300 = 0; memset((void*)0x20000304, 0, 3); *(uint8_t*)0x20000307 = 1; *(uint64_t*)0x20000308 = 0x7072fd8700000000; *(uint64_t*)0x200103c8 = 0x20000340; *(uint64_t*)0x200103d0 = 0x20000380; *(uint64_t*)0x200103d8 = 0x20010380; *(uint32_t*)0x200103e0 = 0x10; *(uint32_t*)0x200103e4 = 0; *(uint32_t*)0x200103e8 = 0x10000; *(uint32_t*)0x200103ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[0], /*options=*/0, /*deadline=*/0x7fffffffffffffff, /*args=*/0x200103c0, /*actual_bytes=*/0x20010400, /*actual_handles=*/0x20010440); break; case 2: res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); { int i; for(i = 0; i < 4; i++) { ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); } } if (res == ZX_OK) r[2] = *(uint32_t*)0x20010480; break; case 3: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/0x1f); if (res == ZX_OK) r[3] = res; break; case 4: *(uint64_t*)0x20020580 = 0x200104c0; *(uint32_t*)0x200104c0 = 0; memset((void*)0x200104c4, 0, 3); *(uint8_t*)0x200104c7 = 1; *(uint64_t*)0x200104c8 = 0x135d628d00000000; *(uint32_t*)0x200104d0 = 6; *(uint32_t*)0x200104d4 = 1; *(uint64_t*)0x20020588 = 0x20010500; *(uint64_t*)0x20020590 = 0x20010540; *(uint64_t*)0x20020598 = 0x20020540; *(uint32_t*)0x200205a0 = 0x18; *(uint32_t*)0x200205a4 = 0; *(uint32_t*)0x200205a8 = 0x10000; *(uint32_t*)0x200205ac = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20020580, /*actual_bytes=*/0x200205c0, /*actual_handles=*/0x20020600); break; case 5: *(uint64_t*)0x20030700 = 0x20020640; *(uint32_t*)0x20020640 = 0; memset((void*)0x20020644, 0, 3); *(uint8_t*)0x20020647 = 1; 
*(uint64_t*)0x20020648 = 0x7c724dc400000000; *(uint64_t*)0x20020650 = -1; *(uint64_t*)0x20020658 = 3; *(uint64_t*)0x20030708 = 0x20020680; *(uint64_t*)0x20030710 = 0x200206c0; *(uint64_t*)0x20030718 = 0x200306c0; *(uint32_t*)0x20030720 = 0x20; *(uint32_t*)0x20030724 = 0; *(uint32_t*)0x20030728 = 0x10000; *(uint32_t*)0x2003072c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20030700, /*actual_bytes=*/0x20030740, /*actual_handles=*/0x20030780); break; case 6: *(uint32_t*)0x200307c0 = 3; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_futex_wait))(/*value_ptr=*/0x200307c0, /*current_value=*/9, /*new_futex_owner=*/r[2], /*deadline=*/r[3]); break; case 7: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/5); if (res == ZX_OK) r[4] = res; break; case 8: *(uint64_t*)0x200408c0 = 0x20030800; *(uint32_t*)0x20030800 = 0; memset((void*)0x20030804, 0, 3); *(uint8_t*)0x20030807 = 1; *(uint64_t*)0x20030808 = 0x65db6e4200000000; *(uint64_t*)0x20030810 = 0xffffffffffffffca; *(uint64_t*)0x20030818 = -1; *(uint64_t*)0x20030820 = 0xe0; *(uint32_t*)0x20030828 = 1; memset((void*)0x2003082c, 33, 1); *(uint64_t*)0x200408c8 = 0x20030840; *(uint64_t*)0x200408d0 = 0x20030880; *(uint64_t*)0x200408d8 = 0x20040880; *(uint32_t*)0x200408e0 = 0x34; *(uint32_t*)0x200408e4 = 0; *(uint32_t*)0x200408e8 = 0x10000; *(uint32_t*)0x200408ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/0, /*options=*/0, /*deadline=*/r[4], /*args=*/0x200408c0, /*actual_bytes=*/0x20040900, /*actual_handles=*/0x20040940); break; case 9: *(uint64_t*)0x20050a40 = 0x20040980; *(uint32_t*)0x20040980 = 0; memset((void*)0x20040984, 0, 3); *(uint8_t*)0x20040987 = 1; *(uint64_t*)0x20040988 = 0x46940c1600000000; *(uint32_t*)0x20040990 = 0x8001; *(uint64_t*)0x20050a48 = 0x200409c0; *(uint64_t*)0x20050a50 = 0x20040a00; 
*(uint64_t*)0x20050a58 = 0x20050a00; *(uint32_t*)0x20050a60 = 0x14; *(uint32_t*)0x20050a64 = 0; *(uint32_t*)0x20050a68 = 0x10000; *(uint32_t*)0x20050a6c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[4], /*args=*/0x20050a40, /*actual_bytes=*/0x20050a80, /*actual_handles=*/0x20050ac0); break; case 10: memcpy((void*)0x20000000, "\xc4\x42\x35\xdc\xff\xc4\xc2\xd1\x2b\x63\x01\xc4\xe2\x59\xb6\xad\xff\xef\xff\xff\x64\x0f\x38\x0b\x91\x61\x4e\xe5\x59\x46\xff\xd4\x8f\x28\x08\x87\x1d\xba\x1d\xeb\xec\x02\x47\x0f\x01\xd0\x47\xd8\xdc\xc4\xa2\x4d\x2d\x98\x61\x0f\x7a\x2f\xc4\xa3\xa1\x0d\xdc\x00", 64); syz_execute_func(/*text=*/0x20000000); break; case 11: syz_future_time(/*when=*/0); break; case 12: syz_job_default(); break; case 13: syz_mmap(/*addr=*/0x20ffb000, /*len=*/0x3000); break; case 14: syz_process_self(); break; case 15: syz_thread_self(); break; case 16: syz_vmar_root_self(); break; } } int main(void) { syz_mmap(/*addr=*/0x20000000, /*len=*/0x1000000); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :276:81: error: use of undeclared identifier 'zx_channel_call_etc' res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); ^ 1 error generated. 
compiler invocation: /syzkaller/shared/fuchsia/prebuilt/third_party/clang/linux-x64/bin/clang [-o /tmp/syz-executor1965533605 -DGOOS_fuchsia=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -Wno-deprecated -target x86_64-fuchsia -ldriver -lfdio -lzircon --sysroot /syzkaller/shared/fuchsia/out/x64/zircon_toolchain/obj/zircon/public/sysroot/sysroot -I /syzkaller/shared/fuchsia/sdk/lib/fdio/include -I /syzkaller/shared/fuchsia/zircon/system/ulib/fidl/include -I /syzkaller/shared/fuchsia/src/lib/ddk/include -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device.manager -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.nand -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.power.statecontrol -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.usb.peripheral -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/zircon/vdso/zx -L /syzkaller/shared/fuchsia/out/x64/x64-shared -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-array-bounds -Wno-unused-command-line-argument] --- FAIL: TestGenerate/fuchsia/amd64/8 (2.51s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:-9223372036854775808 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: zx_channel_call_etc(0x0, 0x20, 0x7fffffffffffffff, 
&(0x7f0000000240)={&(0x7f0000000000)="e0a98cd5fef493ce66b2f575b218f61eb68a3771fade2fc1fa8458f3c7a3bfe45249af6d61d8cec7658ac8cf9c4dc822bdf89767cff0963807175b0c7ef797a7204bc3564e5b93e32c7b34dc4404dfe4608738f189c196af738c6c3c7ec88f57e078259dd27495072b86bd6c637b6ae19060fc245d526ccecb49fb3c0d92e7892cd3e81b40e2dcaa3fd4fb3918885d39adc57f1fee1bf4eb84c881527c50c31ea4f3a135b7d132c3f0b216746199d34894f31ac55667ee3e8646c2fc88e161daec5a69934ed99b5b5e0ff2c6d80d4c518fc1adab575e450d5c6f799a302d8d5b6cc1ec38785febeb5742cf9dc99282c95037549db37eba0749179d1d", &(0x7f0000000100)=[0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000140)=""/142, &(0x7f0000000200)=[0x0, 0x0], 0xfc, 0x5, 0x8e, 0x2}, &(0x7f0000000280), &(0x7f00000002c0)) (fail_nth: 1) zx_channel_call$fuchsia_io_DirectoryAdminRewind(r0, 0x0, 0x7fffffffffffffff, &(0x7f00000103c0)={&(0x7f0000000300), &(0x7f0000000340), &(0x7f0000000380), &(0x7f0000010380), 0x10, 0x0, 0x10000}, &(0x7f0000010400), &(0x7f0000010440)) (async) zx_system_get_event(r1, 0x3, &(0x7f0000010480)=0x0) (rerun: 4) r3 = zx_deadline_after(0x1f) zx_channel_call$fuchsia_cobalt_LoggerBaseLogEvent(r2, 0x0, r3, &(0x7f0000020580)={&(0x7f00000104c0)={{}, 0x6, 0x1}, &(0x7f0000010500), &(0x7f0000010540), &(0x7f0000020540), 0x18, 0x0, 0x10000}, &(0x7f00000205c0), &(0x7f0000020600)) zx_channel_call$fuchsia_io_FileReadAt(r2, 0x0, r3, &(0x7f0000030700)={&(0x7f0000020640)={{}, 0xffffffffffffffff, 0x3}, &(0x7f0000020680), &(0x7f00000206c0), &(0x7f00000306c0), 0x20, 0x0, 0x10000}, &(0x7f0000030740), &(0x7f0000030780)) zx_futex_wait(&(0x7f00000307c0)=0x3, 0x9, r2, r3) r4 = zx_deadline_after(0x5) zx_channel_call$fuchsia_cobalt_LoggerBaseEndTimer(0x0, 0x0, r4, &(0x7f00000408c0)={&(0x7f0000030800)={{}, {0xffffffffffffffca, 0xffffffffffffffff}, 0xe0, 0x1, {'!'}}, &(0x7f0000030840), &(0x7f0000030880), &(0x7f0000040880), 0x34, 0x0, 0x10000}, &(0x7f0000040900), &(0x7f0000040940)) zx_channel_call$fuchsia_io_NodeNodeSetFlags(r2, 0x0, r4, &(0x7f0000050a40)={&(0x7f0000040980)={{}, 0x8001}, 
&(0x7f00000409c0), &(0x7f0000040a00), &(0x7f0000050a00), 0x14, 0x0, 0x10000}, &(0x7f0000050a80), &(0x7f0000050ac0)) syz_execute_func(&(0x7f0000000000)="c44235dcffc4c2d12b6301c4e259b6adffefffff640f380b91614ee55946ffd48f2808871dba1debec02470f01d047d8dcc4a24d2d98610f7a2fc4a3a10ddc00") syz_future_time(0x0) syz_job_default() syz_mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000) syz_process_self() syz_thread_self() syz_vmar_root_self() csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "/tmp/syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, 
__ATOMIC_ACQUIRE)) usleep(200); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout_ms) { uint64_t start = current_time_ms(); for (;;) { if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; if (current_time_ms() - start > timeout_ms) return 0; usleep(200); } } long syz_mmap(size_t addr, size_t size) { zx_handle_t root = zx_vmar_root_self(); zx_info_vmar_t info; zx_status_t status = zx_object_get_info(root, ZX_INFO_VMAR, &info, sizeof(info), 0, 0); if (status != ZX_OK) { return status; } zx_handle_t vmo; status = zx_vmo_create(size, 0, &vmo); if (status != ZX_OK) { return status; } uintptr_t mapped_addr; status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE, addr - info.base, vmo, 0, size, &mapped_addr); zx_status_t close_vmo_status = zx_handle_close(vmo); if (close_vmo_status != ZX_OK) { } return status; } static long syz_process_self(void) { return zx_process_self(); } static long syz_thread_self(void) { return zx_thread_self(); } static long syz_vmar_root_self(void) { return zx_vmar_root_self(); } static long syz_job_default(void) { return zx_job_default(); } static long syz_future_time(volatile long when) { zx_time_t delta_ms = 10000; switch (when) { case 0: delta_ms = 5; break; case 1: delta_ms = 30; break; } zx_time_t now = 0; zx_clock_read(ZX_CLOCK_MONOTONIC, &now); return now + delta_ms * 1000 * 1000; } static void loop(); static int do_sandbox_none(void) { loop(); return 0; } #define CAST(f) ({void* p = (void*)f; p; }) static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); 
execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 17; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); static void loop(void) { execute_one(); } uint64_t r[5] = {0x0, 0x0, 0x0, 0x0, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x20000240 = 0x20000000; memcpy((void*)0x20000000, 
"\xe0\xa9\x8c\xd5\xfe\xf4\x93\xce\x66\xb2\xf5\x75\xb2\x18\xf6\x1e\xb6\x8a\x37\x71\xfa\xde\x2f\xc1\xfa\x84\x58\xf3\xc7\xa3\xbf\xe4\x52\x49\xaf\x6d\x61\xd8\xce\xc7\x65\x8a\xc8\xcf\x9c\x4d\xc8\x22\xbd\xf8\x97\x67\xcf\xf0\x96\x38\x07\x17\x5b\x0c\x7e\xf7\x97\xa7\x20\x4b\xc3\x56\x4e\x5b\x93\xe3\x2c\x7b\x34\xdc\x44\x04\xdf\xe4\x60\x87\x38\xf1\x89\xc1\x96\xaf\x73\x8c\x6c\x3c\x7e\xc8\x8f\x57\xe0\x78\x25\x9d\xd2\x74\x95\x07\x2b\x86\xbd\x6c\x63\x7b\x6a\xe1\x90\x60\xfc\x24\x5d\x52\x6c\xce\xcb\x49\xfb\x3c\x0d\x92\xe7\x89\x2c\xd3\xe8\x1b\x40\xe2\xdc\xaa\x3f\xd4\xfb\x39\x18\x88\x5d\x39\xad\xc5\x7f\x1f\xee\x1b\xf4\xeb\x84\xc8\x81\x52\x7c\x50\xc3\x1e\xa4\xf3\xa1\x35\xb7\xd1\x32\xc3\xf0\xb2\x16\x74\x61\x99\xd3\x48\x94\xf3\x1a\xc5\x56\x67\xee\x3e\x86\x46\xc2\xfc\x88\xe1\x61\xda\xec\x5a\x69\x93\x4e\xd9\x9b\x5b\x5e\x0f\xf2\xc6\xd8\x0d\x4c\x51\x8f\xc1\xad\xab\x57\x5e\x45\x0d\x5c\x6f\x79\x9a\x30\x2d\x8d\x5b\x6c\xc1\xec\x38\x78\x5f\xeb\xeb\x57\x42\xcf\x9d\xc9\x92\x82\xc9\x50\x37\x54\x9d\xb3\x7e\xba\x07\x49\x17\x9d\x1d", 252); *(uint64_t*)0x20000248 = 0x20000100; *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0; *(uint32_t*)0x2000010c = 0; *(uint32_t*)0x20000110 = 0; *(uint64_t*)0x20000250 = 0x20000140; *(uint64_t*)0x20000258 = 0x20000200; *(uint32_t*)0x20000260 = 0xfc; *(uint32_t*)0x20000264 = 5; *(uint32_t*)0x20000268 = 0x8e; *(uint32_t*)0x2000026c = 2; inject_fault(1); res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); if (res == ZX_OK) { r[0] = *(uint32_t*)0x20000200; r[1] = *(uint32_t*)0x20000204; } break; case 1: *(uint64_t*)0x200103c0 = 0x20000300; *(uint32_t*)0x20000300 = 0; memset((void*)0x20000304, 0, 3); *(uint8_t*)0x20000307 = 1; *(uint64_t*)0x20000308 = 0x7072fd8700000000; *(uint64_t*)0x200103c8 = 0x20000340; *(uint64_t*)0x200103d0 = 
0x20000380; *(uint64_t*)0x200103d8 = 0x20010380; *(uint32_t*)0x200103e0 = 0x10; *(uint32_t*)0x200103e4 = 0; *(uint32_t*)0x200103e8 = 0x10000; *(uint32_t*)0x200103ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[0], /*options=*/0, /*deadline=*/0x7fffffffffffffff, /*args=*/0x200103c0, /*actual_bytes=*/0x20010400, /*actual_handles=*/0x20010440); break; case 2: res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); { int i; for(i = 0; i < 4; i++) { ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); } } if (res == ZX_OK) r[2] = *(uint32_t*)0x20010480; break; case 3: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/0x1f); if (res == ZX_OK) r[3] = res; break; case 4: *(uint64_t*)0x20020580 = 0x200104c0; *(uint32_t*)0x200104c0 = 0; memset((void*)0x200104c4, 0, 3); *(uint8_t*)0x200104c7 = 1; *(uint64_t*)0x200104c8 = 0x135d628d00000000; *(uint32_t*)0x200104d0 = 6; *(uint32_t*)0x200104d4 = 1; *(uint64_t*)0x20020588 = 0x20010500; *(uint64_t*)0x20020590 = 0x20010540; *(uint64_t*)0x20020598 = 0x20020540; *(uint32_t*)0x200205a0 = 0x18; *(uint32_t*)0x200205a4 = 0; *(uint32_t*)0x200205a8 = 0x10000; *(uint32_t*)0x200205ac = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20020580, /*actual_bytes=*/0x200205c0, /*actual_handles=*/0x20020600); break; case 5: *(uint64_t*)0x20030700 = 0x20020640; *(uint32_t*)0x20020640 = 0; memset((void*)0x20020644, 0, 3); *(uint8_t*)0x20020647 = 1; *(uint64_t*)0x20020648 = 0x7c724dc400000000; *(uint64_t*)0x20020650 = -1; *(uint64_t*)0x20020658 = 3; *(uint64_t*)0x20030708 = 0x20020680; *(uint64_t*)0x20030710 = 0x200206c0; *(uint64_t*)0x20030718 = 0x200306c0; *(uint32_t*)0x20030720 = 0x20; 
*(uint32_t*)0x20030724 = 0; *(uint32_t*)0x20030728 = 0x10000; *(uint32_t*)0x2003072c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20030700, /*actual_bytes=*/0x20030740, /*actual_handles=*/0x20030780); break; case 6: *(uint32_t*)0x200307c0 = 3; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_futex_wait))(/*value_ptr=*/0x200307c0, /*current_value=*/9, /*new_futex_owner=*/r[2], /*deadline=*/r[3]); break; case 7: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/5); if (res == ZX_OK) r[4] = res; break; case 8: *(uint64_t*)0x200408c0 = 0x20030800; *(uint32_t*)0x20030800 = 0; memset((void*)0x20030804, 0, 3); *(uint8_t*)0x20030807 = 1; *(uint64_t*)0x20030808 = 0x65db6e4200000000; *(uint64_t*)0x20030810 = 0xffffffffffffffca; *(uint64_t*)0x20030818 = -1; *(uint64_t*)0x20030820 = 0xe0; *(uint32_t*)0x20030828 = 1; memset((void*)0x2003082c, 33, 1); *(uint64_t*)0x200408c8 = 0x20030840; *(uint64_t*)0x200408d0 = 0x20030880; *(uint64_t*)0x200408d8 = 0x20040880; *(uint32_t*)0x200408e0 = 0x34; *(uint32_t*)0x200408e4 = 0; *(uint32_t*)0x200408e8 = 0x10000; *(uint32_t*)0x200408ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/0, /*options=*/0, /*deadline=*/r[4], /*args=*/0x200408c0, /*actual_bytes=*/0x20040900, /*actual_handles=*/0x20040940); break; case 9: *(uint64_t*)0x20050a40 = 0x20040980; *(uint32_t*)0x20040980 = 0; memset((void*)0x20040984, 0, 3); *(uint8_t*)0x20040987 = 1; *(uint64_t*)0x20040988 = 0x46940c1600000000; *(uint32_t*)0x20040990 = 0x8001; *(uint64_t*)0x20050a48 = 0x200409c0; *(uint64_t*)0x20050a50 = 0x20040a00; *(uint64_t*)0x20050a58 = 0x20050a00; *(uint32_t*)0x20050a60 = 0x14; *(uint32_t*)0x20050a64 = 0; *(uint32_t*)0x20050a68 = 0x10000; *(uint32_t*)0x20050a6c = 0; 
((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[4], /*args=*/0x20050a40, /*actual_bytes=*/0x20050a80, /*actual_handles=*/0x20050ac0); break; case 10: memcpy((void*)0x20000000, "\xc4\x42\x35\xdc\xff\xc4\xc2\xd1\x2b\x63\x01\xc4\xe2\x59\xb6\xad\xff\xef\xff\xff\x64\x0f\x38\x0b\x91\x61\x4e\xe5\x59\x46\xff\xd4\x8f\x28\x08\x87\x1d\xba\x1d\xeb\xec\x02\x47\x0f\x01\xd0\x47\xd8\xdc\xc4\xa2\x4d\x2d\x98\x61\x0f\x7a\x2f\xc4\xa3\xa1\x0d\xdc\x00", 64); syz_execute_func(/*text=*/0x20000000); break; case 11: syz_future_time(/*when=*/0); break; case 12: syz_job_default(); break; case 13: syz_mmap(/*addr=*/0x20ffb000, /*len=*/0x3000); break; case 14: syz_process_self(); break; case 15: syz_thread_self(); break; case 16: syz_vmar_root_self(); break; } } int main(void) { syz_mmap(/*addr=*/0x20000000, /*len=*/0x1000000); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :282:81: error: use of undeclared identifier 'zx_channel_call_etc' res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); ^ 1 error generated. 
compiler invocation: /syzkaller/shared/fuchsia/prebuilt/third_party/clang/linux-x64/bin/clang [-o /tmp/syz-executor1963537514 -DGOOS_fuchsia=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -Wno-deprecated -target x86_64-fuchsia -ldriver -lfdio -lzircon --sysroot /syzkaller/shared/fuchsia/out/x64/zircon_toolchain/obj/zircon/public/sysroot/sysroot -I /syzkaller/shared/fuchsia/sdk/lib/fdio/include -I /syzkaller/shared/fuchsia/zircon/system/ulib/fidl/include -I /syzkaller/shared/fuchsia/src/lib/ddk/include -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device.manager -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.nand -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.power.statecontrol -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.usb.peripheral -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/zircon/vdso/zx -L /syzkaller/shared/fuchsia/out/x64/x64-shared -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-array-bounds -Wno-unused-command-line-argument] --- FAIL: TestGenerate/fuchsia/amd64/1 (2.96s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: zx_channel_call_etc(0x0, 0x20, 0x7fffffffffffffff, &(0x7f0000000240)={&(0x7f0000000000)="e0a98cd5fef493ce66b2f575b218f61eb68a3771fade2fc1fa8458f3c7a3bfe45249af6d61d8cec7658ac8cf9c4dc822bdf89767cff0963807175b0c7ef797a7204bc3564e5b93e32c7b34dc4404dfe4608738f189c196af738c6c3c7ec88f57e078259dd27495072b86bd6c637b6ae19060fc245d526ccecb49fb3c0d92e7892cd3e81b40e2dcaa3fd4fb3918885d39adc57f1fee1bf4eb84c881527c50c31ea4f3a135b7d132c3f0b216746199d34894f31ac55667ee3e8646c2fc88e161daec5a69934ed99b5b5e0ff2c6d80d4c518fc1adab575e450d5c6f799a302d8d5b6cc1ec38785febeb5742cf9dc99282c95037549db37eba0749179d1d", &(0x7f0000000100)=[0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000140)=""/142, &(0x7f0000000200)=[0x0, 0x0], 0xfc, 0x5, 0x8e, 0x2}, &(0x7f0000000280), 
&(0x7f00000002c0)) (fail_nth: 1) zx_channel_call$fuchsia_io_DirectoryAdminRewind(r0, 0x0, 0x7fffffffffffffff, &(0x7f00000103c0)={&(0x7f0000000300), &(0x7f0000000340), &(0x7f0000000380), &(0x7f0000010380), 0x10, 0x0, 0x10000}, &(0x7f0000010400), &(0x7f0000010440)) (async) zx_system_get_event(r1, 0x3, &(0x7f0000010480)=0x0) (rerun: 4) r3 = zx_deadline_after(0x1f) zx_channel_call$fuchsia_cobalt_LoggerBaseLogEvent(r2, 0x0, r3, &(0x7f0000020580)={&(0x7f00000104c0)={{}, 0x6, 0x1}, &(0x7f0000010500), &(0x7f0000010540), &(0x7f0000020540), 0x18, 0x0, 0x10000}, &(0x7f00000205c0), &(0x7f0000020600)) zx_channel_call$fuchsia_io_FileReadAt(r2, 0x0, r3, &(0x7f0000030700)={&(0x7f0000020640)={{}, 0xffffffffffffffff, 0x3}, &(0x7f0000020680), &(0x7f00000206c0), &(0x7f00000306c0), 0x20, 0x0, 0x10000}, &(0x7f0000030740), &(0x7f0000030780)) zx_futex_wait(&(0x7f00000307c0)=0x3, 0x9, r2, r3) r4 = zx_deadline_after(0x5) zx_channel_call$fuchsia_cobalt_LoggerBaseEndTimer(0x0, 0x0, r4, &(0x7f00000408c0)={&(0x7f0000030800)={{}, {0xffffffffffffffca, 0xffffffffffffffff}, 0xe0, 0x1, {'!'}}, &(0x7f0000030840), &(0x7f0000030880), &(0x7f0000040880), 0x34, 0x0, 0x10000}, &(0x7f0000040900), &(0x7f0000040940)) zx_channel_call$fuchsia_io_NodeNodeSetFlags(r2, 0x0, r4, &(0x7f0000050a40)={&(0x7f0000040980)={{}, 0x8001}, &(0x7f00000409c0), &(0x7f0000040a00), &(0x7f0000050a00), 0x14, 0x0, 0x10000}, &(0x7f0000050a80), &(0x7f0000050ac0)) syz_execute_func(&(0x7f0000000000)="c44235dcffc4c2d12b6301c4e259b6adffefffff640f380b91614ee55946ffd48f2808871dba1debec02470f01d047d8dcc4a24d2d98610f7a2fc4a3a10ddc00") syz_future_time(0x0) syz_job_default() syz_mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000) syz_process_self() syz_thread_self() syz_vmar_root_self() csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include 
#include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "/tmp/syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) usleep(200); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout_ms) { uint64_t start = current_time_ms(); for (;;) { if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; if (current_time_ms() - start > timeout_ms) return 0; usleep(200); } } long syz_mmap(size_t addr, size_t size) { zx_handle_t root = zx_vmar_root_self(); zx_info_vmar_t info; zx_status_t status = zx_object_get_info(root, ZX_INFO_VMAR, &info, sizeof(info), 0, 0); if (status != ZX_OK) { return status; } zx_handle_t vmo; status = zx_vmo_create(size, 0, &vmo); if (status != ZX_OK) { return status; } 
uintptr_t mapped_addr; status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE, addr - info.base, vmo, 0, size, &mapped_addr); zx_status_t close_vmo_status = zx_handle_close(vmo); if (close_vmo_status != ZX_OK) { } return status; } static long syz_process_self(void) { return zx_process_self(); } static long syz_thread_self(void) { return zx_thread_self(); } static long syz_vmar_root_self(void) { return zx_vmar_root_self(); } static long syz_job_default(void) { return zx_job_default(); } static long syz_future_time(volatile long when) { zx_time_t delta_ms = 10000; switch (when) { case 0: delta_ms = 5; break; case 1: delta_ms = 30; break; } zx_time_t now = 0; zx_clock_read(ZX_CLOCK_MONOTONIC, &now); return now + delta_ms * 1000 * 1000; } static void loop(); static int do_sandbox_none(void) { loop(); return 0; } #define CAST(f) ({void* p = (void*)f; p; }) static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 17; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && 
__atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); static void loop(void) { execute_one(); } uint64_t r[5] = {0x0, 0x0, 0x0, 0x0, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x20000240 = 0x20000000; memcpy((void*)0x20000000, "\xe0\xa9\x8c\xd5\xfe\xf4\x93\xce\x66\xb2\xf5\x75\xb2\x18\xf6\x1e\xb6\x8a\x37\x71\xfa\xde\x2f\xc1\xfa\x84\x58\xf3\xc7\xa3\xbf\xe4\x52\x49\xaf\x6d\x61\xd8\xce\xc7\x65\x8a\xc8\xcf\x9c\x4d\xc8\x22\xbd\xf8\x97\x67\xcf\xf0\x96\x38\x07\x17\x5b\x0c\x7e\xf7\x97\xa7\x20\x4b\xc3\x56\x4e\x5b\x93\xe3\x2c\x7b\x34\xdc\x44\x04\xdf\xe4\x60\x87\x38\xf1\x89\xc1\x96\xaf\x73\x8c\x6c\x3c\x7e\xc8\x8f\x57\xe0\x78\x25\x9d\xd2\x74\x95\x07\x2b\x86\xbd\x6c\x63\x7b\x6a\xe1\x90\x60\xfc\x24\x5d\x52\x6c\xce\xcb\x49\xfb\x3c\x0d\x92\xe7\x89\x2c\xd3\xe8\x1b\x40\xe2\xdc\xaa\x3f\xd4\xfb\x39\x18\x88\x5d\x39\xad\xc5\x7f\x1f\xee\x1b\xf4\xeb\x84\xc8\x81\x52\x7c\x50\xc3\x1e\xa4\xf3\xa1\x35\xb7\xd1\x32\xc3\xf0\xb2\x16\x74\x61\x99\xd3\x48\x94\xf3\x1a\xc5\x56\x67\xee\x3e\x86\x46\xc2\xfc\x88\xe1\x61\xda\xec\x5a\x69\x93\x4e\xd9\x9b\x5b\x5e\x0f\xf2\xc6\xd8\x0d\x4c\x51\x8f\xc1\xad\xab\x57\x5e\x45\x0d\x5c\x6f\x79\x9a\x30\x2d\x8d\x5b\x6c\xc1\xec\x38\x78\x5f\xeb\xeb\x57\x42\xcf\x9d\xc9\x92\x82\xc9\x50\x37\x54\x9d\xb3\x7e\xba\x07\x49\x17\x9d\x1d", 252); *(uint64_t*)0x20000248 = 0x20000100; *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0; *(uint32_t*)0x2000010c = 0; *(uint32_t*)0x20000110 = 0; *(uint64_t*)0x20000250 = 0x20000140; *(uint64_t*)0x20000258 = 0x20000200; *(uint32_t*)0x20000260 = 0xfc; *(uint32_t*)0x20000264 = 5; *(uint32_t*)0x20000268 = 0x8e; *(uint32_t*)0x2000026c = 2; inject_fault(1); res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); if (res == ZX_OK) { 
r[0] = *(uint32_t*)0x20000200; r[1] = *(uint32_t*)0x20000204; } break; case 1: *(uint64_t*)0x200103c0 = 0x20000300; *(uint32_t*)0x20000300 = 0; memset((void*)0x20000304, 0, 3); *(uint8_t*)0x20000307 = 1; *(uint64_t*)0x20000308 = 0x7072fd8700000000; *(uint64_t*)0x200103c8 = 0x20000340; *(uint64_t*)0x200103d0 = 0x20000380; *(uint64_t*)0x200103d8 = 0x20010380; *(uint32_t*)0x200103e0 = 0x10; *(uint32_t*)0x200103e4 = 0; *(uint32_t*)0x200103e8 = 0x10000; *(uint32_t*)0x200103ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[0], /*options=*/0, /*deadline=*/0x7fffffffffffffff, /*args=*/0x200103c0, /*actual_bytes=*/0x20010400, /*actual_handles=*/0x20010440); break; case 2: res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); { int i; for(i = 0; i < 4; i++) { ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); } } if (res == ZX_OK) r[2] = *(uint32_t*)0x20010480; break; case 3: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/0x1f); if (res == ZX_OK) r[3] = res; break; case 4: *(uint64_t*)0x20020580 = 0x200104c0; *(uint32_t*)0x200104c0 = 0; memset((void*)0x200104c4, 0, 3); *(uint8_t*)0x200104c7 = 1; *(uint64_t*)0x200104c8 = 0x135d628d00000000; *(uint32_t*)0x200104d0 = 6; *(uint32_t*)0x200104d4 = 1; *(uint64_t*)0x20020588 = 0x20010500; *(uint64_t*)0x20020590 = 0x20010540; *(uint64_t*)0x20020598 = 0x20020540; *(uint32_t*)0x200205a0 = 0x18; *(uint32_t*)0x200205a4 = 0; *(uint32_t*)0x200205a8 = 0x10000; *(uint32_t*)0x200205ac = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20020580, /*actual_bytes=*/0x200205c0, /*actual_handles=*/0x20020600); break; case 5: *(uint64_t*)0x20030700 = 0x20020640; *(uint32_t*)0x20020640 = 0; 
memset((void*)0x20020644, 0, 3); *(uint8_t*)0x20020647 = 1; *(uint64_t*)0x20020648 = 0x7c724dc400000000; *(uint64_t*)0x20020650 = -1; *(uint64_t*)0x20020658 = 3; *(uint64_t*)0x20030708 = 0x20020680; *(uint64_t*)0x20030710 = 0x200206c0; *(uint64_t*)0x20030718 = 0x200306c0; *(uint32_t*)0x20030720 = 0x20; *(uint32_t*)0x20030724 = 0; *(uint32_t*)0x20030728 = 0x10000; *(uint32_t*)0x2003072c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20030700, /*actual_bytes=*/0x20030740, /*actual_handles=*/0x20030780); break; case 6: *(uint32_t*)0x200307c0 = 3; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_futex_wait))(/*value_ptr=*/0x200307c0, /*current_value=*/9, /*new_futex_owner=*/r[2], /*deadline=*/r[3]); break; case 7: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/5); if (res == ZX_OK) r[4] = res; break; case 8: *(uint64_t*)0x200408c0 = 0x20030800; *(uint32_t*)0x20030800 = 0; memset((void*)0x20030804, 0, 3); *(uint8_t*)0x20030807 = 1; *(uint64_t*)0x20030808 = 0x65db6e4200000000; *(uint64_t*)0x20030810 = 0xffffffffffffffca; *(uint64_t*)0x20030818 = -1; *(uint64_t*)0x20030820 = 0xe0; *(uint32_t*)0x20030828 = 1; memset((void*)0x2003082c, 33, 1); *(uint64_t*)0x200408c8 = 0x20030840; *(uint64_t*)0x200408d0 = 0x20030880; *(uint64_t*)0x200408d8 = 0x20040880; *(uint32_t*)0x200408e0 = 0x34; *(uint32_t*)0x200408e4 = 0; *(uint32_t*)0x200408e8 = 0x10000; *(uint32_t*)0x200408ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/0, /*options=*/0, /*deadline=*/r[4], /*args=*/0x200408c0, /*actual_bytes=*/0x20040900, /*actual_handles=*/0x20040940); break; case 9: *(uint64_t*)0x20050a40 = 0x20040980; *(uint32_t*)0x20040980 = 0; memset((void*)0x20040984, 0, 3); *(uint8_t*)0x20040987 = 1; *(uint64_t*)0x20040988 = 0x46940c1600000000; *(uint32_t*)0x20040990 = 0x8001; 
*(uint64_t*)0x20050a48 = 0x200409c0; *(uint64_t*)0x20050a50 = 0x20040a00; *(uint64_t*)0x20050a58 = 0x20050a00; *(uint32_t*)0x20050a60 = 0x14; *(uint32_t*)0x20050a64 = 0; *(uint32_t*)0x20050a68 = 0x10000; *(uint32_t*)0x20050a6c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[4], /*args=*/0x20050a40, /*actual_bytes=*/0x20050a80, /*actual_handles=*/0x20050ac0); break; case 10: memcpy((void*)0x20000000, "\xc4\x42\x35\xdc\xff\xc4\xc2\xd1\x2b\x63\x01\xc4\xe2\x59\xb6\xad\xff\xef\xff\xff\x64\x0f\x38\x0b\x91\x61\x4e\xe5\x59\x46\xff\xd4\x8f\x28\x08\x87\x1d\xba\x1d\xeb\xec\x02\x47\x0f\x01\xd0\x47\xd8\xdc\xc4\xa2\x4d\x2d\x98\x61\x0f\x7a\x2f\xc4\xa3\xa1\x0d\xdc\x00", 64); syz_execute_func(/*text=*/0x20000000); break; case 11: syz_future_time(/*when=*/0); break; case 12: syz_job_default(); break; case 13: syz_mmap(/*addr=*/0x20ffb000, /*len=*/0x3000); break; case 14: syz_process_self(); break; case 15: syz_thread_self(); break; case 16: syz_vmar_root_self(); break; } } int main(void) { syz_mmap(/*addr=*/0x20000000, /*len=*/0x1000000); setup_fault(); use_temporary_dir(); do_sandbox_none(); return 0; } :282:81: error: use of undeclared identifier 'zx_channel_call_etc' res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); ^ 1 error generated. 
compiler invocation: /syzkaller/shared/fuchsia/prebuilt/third_party/clang/linux-x64/bin/clang [-o /tmp/syz-executor2174392803 -DGOOS_fuchsia=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -Wno-deprecated -target x86_64-fuchsia -ldriver -lfdio -lzircon --sysroot /syzkaller/shared/fuchsia/out/x64/zircon_toolchain/obj/zircon/public/sysroot/sysroot -I /syzkaller/shared/fuchsia/sdk/lib/fdio/include -I /syzkaller/shared/fuchsia/zircon/system/ulib/fidl/include -I /syzkaller/shared/fuchsia/src/lib/ddk/include -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device.manager -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.nand -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.power.statecontrol -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.usb.peripheral -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/zircon/vdso/zx -L /syzkaller/shared/fuchsia/out/x64/x64-shared -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-array-bounds -Wno-unused-command-line-argument] --- FAIL: TestGenerate/fuchsia/amd64/7 (2.97s) csource_test.go:150: opts: {Threaded:true Repeat:true RepeatTimes:0 Procs:0 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} program: zx_channel_call_etc(0x0, 0x20, 0x7fffffffffffffff, &(0x7f0000000240)={&(0x7f0000000000)="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", &(0x7f0000000100)=[0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f0000000140)=""/142, &(0x7f0000000200)=[0x0, 0x0], 0xfc, 0x5, 0x8e, 0x2}, &(0x7f0000000280), 
&(0x7f00000002c0)) (fail_nth: 1) zx_channel_call$fuchsia_io_DirectoryAdminRewind(r0, 0x0, 0x7fffffffffffffff, &(0x7f00000103c0)={&(0x7f0000000300), &(0x7f0000000340), &(0x7f0000000380), &(0x7f0000010380), 0x10, 0x0, 0x10000}, &(0x7f0000010400), &(0x7f0000010440)) (async) zx_system_get_event(r1, 0x3, &(0x7f0000010480)=0x0) (rerun: 4) r3 = zx_deadline_after(0x1f) zx_channel_call$fuchsia_cobalt_LoggerBaseLogEvent(r2, 0x0, r3, &(0x7f0000020580)={&(0x7f00000104c0)={{}, 0x6, 0x1}, &(0x7f0000010500), &(0x7f0000010540), &(0x7f0000020540), 0x18, 0x0, 0x10000}, &(0x7f00000205c0), &(0x7f0000020600)) zx_channel_call$fuchsia_io_FileReadAt(r2, 0x0, r3, &(0x7f0000030700)={&(0x7f0000020640)={{}, 0xffffffffffffffff, 0x3}, &(0x7f0000020680), &(0x7f00000206c0), &(0x7f00000306c0), 0x20, 0x0, 0x10000}, &(0x7f0000030740), &(0x7f0000030780)) zx_futex_wait(&(0x7f00000307c0)=0x3, 0x9, r2, r3) r4 = zx_deadline_after(0x5) zx_channel_call$fuchsia_cobalt_LoggerBaseEndTimer(0x0, 0x0, r4, &(0x7f00000408c0)={&(0x7f0000030800)={{}, {0xffffffffffffffca, 0xffffffffffffffff}, 0xe0, 0x1, {'!'}}, &(0x7f0000030840), &(0x7f0000030880), &(0x7f0000040880), 0x34, 0x0, 0x10000}, &(0x7f0000040900), &(0x7f0000040940)) zx_channel_call$fuchsia_io_NodeNodeSetFlags(r2, 0x0, r4, &(0x7f0000050a40)={&(0x7f0000040980)={{}, 0x8001}, &(0x7f00000409c0), &(0x7f0000040a00), &(0x7f0000050a00), 0x14, 0x0, 0x10000}, &(0x7f0000050a80), &(0x7f0000050ac0)) syz_execute_func(&(0x7f0000000000)="c44235dcffc4c2d12b6301c4e259b6adffefffff640f380b91614ee55946ffd48f2808871dba1debec02470f01d047d8dcc4a24d2d98610f7a2fc4a3a10ddc00") syz_future_time(0x0) syz_job_default() syz_mmap(&(0x7f0000ffb000/0x3000)=nil, 0x3000) syz_process_self() syz_thread_self() syz_vmar_root_self() csource_test.go:151: failed to build program: // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include 
#include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "/tmp/syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static int inject_fault(int nth) { return 0; } static void setup_fault() { } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) usleep(200); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout_ms) { uint64_t start = current_time_ms(); for (;;) { if (__atomic_load_n(&ev->state, __ATOMIC_RELAXED)) return 1; if (current_time_ms() - start > timeout_ms) return 0; usleep(200); } } long syz_mmap(size_t addr, size_t size) { zx_handle_t root = zx_vmar_root_self(); zx_info_vmar_t info; zx_status_t status = zx_object_get_info(root, ZX_INFO_VMAR, &info, sizeof(info), 0, 0); if (status != ZX_OK) { return status; } zx_handle_t vmo; status = zx_vmo_create(size, 0, &vmo); if (status != ZX_OK) { return status; } 
uintptr_t mapped_addr; status = zx_vmar_map(root, ZX_VM_FLAG_SPECIFIC_OVERWRITE | ZX_VM_FLAG_PERM_READ | ZX_VM_FLAG_PERM_WRITE, addr - info.base, vmo, 0, size, &mapped_addr); zx_status_t close_vmo_status = zx_handle_close(vmo); if (close_vmo_status != ZX_OK) { } return status; } static long syz_process_self(void) { return zx_process_self(); } static long syz_thread_self(void) { return zx_thread_self(); } static long syz_vmar_root_self(void) { return zx_vmar_root_self(); } static long syz_job_default(void) { return zx_job_default(); } static long syz_future_time(volatile long when) { zx_time_t delta_ms = 10000; switch (when) { case 0: delta_ms = 5; break; case 1: delta_ms = 30; break; } zx_time_t now = 0; zx_clock_read(ZX_CLOCK_MONOTONIC, &now); return now + delta_ms * 1000 * 1000; } #define CAST(f) ({void* p = (void*)f; p; }) static long syz_execute_func(volatile long text) { ((void (*)(void))(text))(); return 0; } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { int i, call, thread; for (call = 0; call < 17; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void 
execute_one(void); static void loop(void) { execute_one(); } uint64_t r[5] = {0x0, 0x0, 0x0, 0x0, 0x0}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x20000240 = 0x20000000; memcpy((void*)0x20000000, "\xe0\xa9\x8c\xd5\xfe\xf4\x93\xce\x66\xb2\xf5\x75\xb2\x18\xf6\x1e\xb6\x8a\x37\x71\xfa\xde\x2f\xc1\xfa\x84\x58\xf3\xc7\xa3\xbf\xe4\x52\x49\xaf\x6d\x61\xd8\xce\xc7\x65\x8a\xc8\xcf\x9c\x4d\xc8\x22\xbd\xf8\x97\x67\xcf\xf0\x96\x38\x07\x17\x5b\x0c\x7e\xf7\x97\xa7\x20\x4b\xc3\x56\x4e\x5b\x93\xe3\x2c\x7b\x34\xdc\x44\x04\xdf\xe4\x60\x87\x38\xf1\x89\xc1\x96\xaf\x73\x8c\x6c\x3c\x7e\xc8\x8f\x57\xe0\x78\x25\x9d\xd2\x74\x95\x07\x2b\x86\xbd\x6c\x63\x7b\x6a\xe1\x90\x60\xfc\x24\x5d\x52\x6c\xce\xcb\x49\xfb\x3c\x0d\x92\xe7\x89\x2c\xd3\xe8\x1b\x40\xe2\xdc\xaa\x3f\xd4\xfb\x39\x18\x88\x5d\x39\xad\xc5\x7f\x1f\xee\x1b\xf4\xeb\x84\xc8\x81\x52\x7c\x50\xc3\x1e\xa4\xf3\xa1\x35\xb7\xd1\x32\xc3\xf0\xb2\x16\x74\x61\x99\xd3\x48\x94\xf3\x1a\xc5\x56\x67\xee\x3e\x86\x46\xc2\xfc\x88\xe1\x61\xda\xec\x5a\x69\x93\x4e\xd9\x9b\x5b\x5e\x0f\xf2\xc6\xd8\x0d\x4c\x51\x8f\xc1\xad\xab\x57\x5e\x45\x0d\x5c\x6f\x79\x9a\x30\x2d\x8d\x5b\x6c\xc1\xec\x38\x78\x5f\xeb\xeb\x57\x42\xcf\x9d\xc9\x92\x82\xc9\x50\x37\x54\x9d\xb3\x7e\xba\x07\x49\x17\x9d\x1d", 252); *(uint64_t*)0x20000248 = 0x20000100; *(uint32_t*)0x20000100 = 0; *(uint32_t*)0x20000104 = 0; *(uint32_t*)0x20000108 = 0; *(uint32_t*)0x2000010c = 0; *(uint32_t*)0x20000110 = 0; *(uint64_t*)0x20000250 = 0x20000140; *(uint64_t*)0x20000258 = 0x20000200; *(uint32_t*)0x20000260 = 0xfc; *(uint32_t*)0x20000264 = 5; *(uint32_t*)0x20000268 = 0x8e; *(uint32_t*)0x2000026c = 2; inject_fault(1); res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); if (res == ZX_OK) { r[0] = *(uint32_t*)0x20000200; r[1] = *(uint32_t*)0x20000204; } break; case 
1: *(uint64_t*)0x200103c0 = 0x20000300; *(uint32_t*)0x20000300 = 0; memset((void*)0x20000304, 0, 3); *(uint8_t*)0x20000307 = 1; *(uint64_t*)0x20000308 = 0x7072fd8700000000; *(uint64_t*)0x200103c8 = 0x20000340; *(uint64_t*)0x200103d0 = 0x20000380; *(uint64_t*)0x200103d8 = 0x20010380; *(uint32_t*)0x200103e0 = 0x10; *(uint32_t*)0x200103e4 = 0; *(uint32_t*)0x200103e8 = 0x10000; *(uint32_t*)0x200103ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[0], /*options=*/0, /*deadline=*/0x7fffffffffffffff, /*args=*/0x200103c0, /*actual_bytes=*/0x20010400, /*actual_handles=*/0x20010440); break; case 2: res = -1; res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); { int i; for(i = 0; i < 4; i++) { ((intptr_t(*)(intptr_t,intptr_t,intptr_t))CAST(zx_system_get_event))(/*root_job=*/r[1], /*kind=*/3, /*event=*/0x20010480); } } if (res == ZX_OK) r[2] = *(uint32_t*)0x20010480; break; case 3: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/0x1f); if (res == ZX_OK) r[3] = res; break; case 4: *(uint64_t*)0x20020580 = 0x200104c0; *(uint32_t*)0x200104c0 = 0; memset((void*)0x200104c4, 0, 3); *(uint8_t*)0x200104c7 = 1; *(uint64_t*)0x200104c8 = 0x135d628d00000000; *(uint32_t*)0x200104d0 = 6; *(uint32_t*)0x200104d4 = 1; *(uint64_t*)0x20020588 = 0x20010500; *(uint64_t*)0x20020590 = 0x20010540; *(uint64_t*)0x20020598 = 0x20020540; *(uint32_t*)0x200205a0 = 0x18; *(uint32_t*)0x200205a4 = 0; *(uint32_t*)0x200205a8 = 0x10000; *(uint32_t*)0x200205ac = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20020580, /*actual_bytes=*/0x200205c0, /*actual_handles=*/0x20020600); break; case 5: *(uint64_t*)0x20030700 = 0x20020640; *(uint32_t*)0x20020640 = 0; memset((void*)0x20020644, 0, 3); *(uint8_t*)0x20020647 = 1; 
*(uint64_t*)0x20020648 = 0x7c724dc400000000; *(uint64_t*)0x20020650 = -1; *(uint64_t*)0x20020658 = 3; *(uint64_t*)0x20030708 = 0x20020680; *(uint64_t*)0x20030710 = 0x200206c0; *(uint64_t*)0x20030718 = 0x200306c0; *(uint32_t*)0x20030720 = 0x20; *(uint32_t*)0x20030724 = 0; *(uint32_t*)0x20030728 = 0x10000; *(uint32_t*)0x2003072c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[3], /*args=*/0x20030700, /*actual_bytes=*/0x20030740, /*actual_handles=*/0x20030780); break; case 6: *(uint32_t*)0x200307c0 = 3; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_futex_wait))(/*value_ptr=*/0x200307c0, /*current_value=*/9, /*new_futex_owner=*/r[2], /*deadline=*/r[3]); break; case 7: res = -1; res = ((intptr_t(*)(intptr_t))CAST(zx_deadline_after))(/*nanoseconds=*/5); if (res == ZX_OK) r[4] = res; break; case 8: *(uint64_t*)0x200408c0 = 0x20030800; *(uint32_t*)0x20030800 = 0; memset((void*)0x20030804, 0, 3); *(uint8_t*)0x20030807 = 1; *(uint64_t*)0x20030808 = 0x65db6e4200000000; *(uint64_t*)0x20030810 = 0xffffffffffffffca; *(uint64_t*)0x20030818 = -1; *(uint64_t*)0x20030820 = 0xe0; *(uint32_t*)0x20030828 = 1; memset((void*)0x2003082c, 33, 1); *(uint64_t*)0x200408c8 = 0x20030840; *(uint64_t*)0x200408d0 = 0x20030880; *(uint64_t*)0x200408d8 = 0x20040880; *(uint32_t*)0x200408e0 = 0x34; *(uint32_t*)0x200408e4 = 0; *(uint32_t*)0x200408e8 = 0x10000; *(uint32_t*)0x200408ec = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/0, /*options=*/0, /*deadline=*/r[4], /*args=*/0x200408c0, /*actual_bytes=*/0x20040900, /*actual_handles=*/0x20040940); break; case 9: *(uint64_t*)0x20050a40 = 0x20040980; *(uint32_t*)0x20040980 = 0; memset((void*)0x20040984, 0, 3); *(uint8_t*)0x20040987 = 1; *(uint64_t*)0x20040988 = 0x46940c1600000000; *(uint32_t*)0x20040990 = 0x8001; *(uint64_t*)0x20050a48 = 0x200409c0; *(uint64_t*)0x20050a50 = 0x20040a00; 
*(uint64_t*)0x20050a58 = 0x20050a00; *(uint32_t*)0x20050a60 = 0x14; *(uint32_t*)0x20050a64 = 0; *(uint32_t*)0x20050a68 = 0x10000; *(uint32_t*)0x20050a6c = 0; ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call))(/*handle=*/r[2], /*options=*/0, /*deadline=*/r[4], /*args=*/0x20050a40, /*actual_bytes=*/0x20050a80, /*actual_handles=*/0x20050ac0); break; case 10: memcpy((void*)0x20000000, "\xc4\x42\x35\xdc\xff\xc4\xc2\xd1\x2b\x63\x01\xc4\xe2\x59\xb6\xad\xff\xef\xff\xff\x64\x0f\x38\x0b\x91\x61\x4e\xe5\x59\x46\xff\xd4\x8f\x28\x08\x87\x1d\xba\x1d\xeb\xec\x02\x47\x0f\x01\xd0\x47\xd8\xdc\xc4\xa2\x4d\x2d\x98\x61\x0f\x7a\x2f\xc4\xa3\xa1\x0d\xdc\x00", 64); syz_execute_func(/*text=*/0x20000000); break; case 11: syz_future_time(/*when=*/0); break; case 12: syz_job_default(); break; case 13: syz_mmap(/*addr=*/0x20ffb000, /*len=*/0x3000); break; case 14: syz_process_self(); break; case 15: syz_thread_self(); break; case 16: syz_vmar_root_self(); break; } } int main(void) { syz_mmap(/*addr=*/0x20000000, /*len=*/0x1000000); setup_fault(); use_temporary_dir(); loop(); return 0; } :276:81: error: use of undeclared identifier 'zx_channel_call_etc' res = ((intptr_t(*)(intptr_t,intptr_t,intptr_t,intptr_t,intptr_t,intptr_t))CAST(zx_channel_call_etc))(/*handle=*/0, /*options=*/0x20, /*deadline=*/0x7fffffffffffffff, /*args=*/0x20000240, /*actual_bytes=*/0x20000280, /*actual_handles=*/0x200002c0); ^ 1 error generated. 
compiler invocation: /syzkaller/shared/fuchsia/prebuilt/third_party/clang/linux-x64/bin/clang [-o /tmp/syz-executor334202522 -DGOOS_fuchsia=1 -DGOARCH_amd64=1 -DHOSTGOOS_linux=1 -x c - -Wno-deprecated -target x86_64-fuchsia -ldriver -lfdio -lzircon --sysroot /syzkaller/shared/fuchsia/out/x64/zircon_toolchain/obj/zircon/public/sysroot/sysroot -I /syzkaller/shared/fuchsia/sdk/lib/fdio/include -I /syzkaller/shared/fuchsia/zircon/system/ulib/fidl/include -I /syzkaller/shared/fuchsia/src/lib/ddk/include -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.device.manager -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.nand -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.power.statecontrol -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/sdk/fidl/fuchsia.hardware.usb.peripheral -I /syzkaller/shared/fuchsia/out/x64/fidling/gen/zircon/vdso/zx -L /syzkaller/shared/fuchsia/out/x64/x64-shared -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-array-bounds -Wno-unused-command-line-argument] --- FAIL: TestGenerate/fuchsia/amd64/13 (3.02s) csource_test.go:148: --- FAIL: TestGenerate/fuchsia/amd64/14 (3.06s) csource_test.go:148: --- FAIL: TestGenerate/fuchsia/amd64/4 (3.09s) csource_test.go:148: --- FAIL: TestGenerate/fuchsia/amd64/6 (3.30s) csource_test.go:148: FAIL FAIL github.com/google/syzkaller/pkg/csource 86.096s ok github.com/google/syzkaller/pkg/db 3.420s ok github.com/google/syzkaller/pkg/email 0.029s ok github.com/google/syzkaller/pkg/email/lore 0.072s ok github.com/google/syzkaller/pkg/host 56.206s ok github.com/google/syzkaller/pkg/html 0.115s ok github.com/google/syzkaller/pkg/ifuzz 0.605s ok github.com/google/syzkaller/pkg/image 2.546s ok github.com/google/syzkaller/pkg/instance 8.737s ok github.com/google/syzkaller/pkg/ipc 85.377s ok github.com/google/syzkaller/pkg/kconfig 1.491s ok 
github.com/google/syzkaller/pkg/kd 0.289s ok github.com/google/syzkaller/pkg/log 0.369s ok github.com/google/syzkaller/pkg/mgrconfig 3.131s ok github.com/google/syzkaller/pkg/osutil 0.479s ok github.com/google/syzkaller/pkg/report 43.672s ok github.com/google/syzkaller/pkg/repro 3.236s ok github.com/google/syzkaller/pkg/runtest 111.776s ok github.com/google/syzkaller/pkg/serializer 0.440s ok github.com/google/syzkaller/pkg/stats 0.478s ok github.com/google/syzkaller/pkg/subsystem 0.464s ok github.com/google/syzkaller/pkg/subsystem/linux 0.513s ok github.com/google/syzkaller/pkg/subsystem/lists 1.094s ok github.com/google/syzkaller/pkg/symbolizer 0.646s ok github.com/google/syzkaller/pkg/tool 0.609s ok github.com/google/syzkaller/pkg/vcs 26.542s ok github.com/google/syzkaller/prog 14.396s ok github.com/google/syzkaller/prog/test 0.282s ok github.com/google/syzkaller/sys/linux 0.082s ok github.com/google/syzkaller/sys/netbsd 0.037s ok github.com/google/syzkaller/sys/openbsd 0.038s ok github.com/google/syzkaller/syz-ci 16.946s ok github.com/google/syzkaller/syz-fuzzer 0.388s ok github.com/google/syzkaller/syz-hub 0.055s ok github.com/google/syzkaller/syz-hub/state 14.858s ok github.com/google/syzkaller/syz-manager 19.162s ok github.com/google/syzkaller/syz-verifier 16.423s ok github.com/google/syzkaller/tools/syz-kconf 0.051s ok github.com/google/syzkaller/tools/syz-linter 19.389s ok github.com/google/syzkaller/tools/syz-trace2syz/parser 0.056s ok github.com/google/syzkaller/tools/syz-trace2syz/proggen 0.231s ok github.com/google/syzkaller/vm 24.368s ok github.com/google/syzkaller/vm/isolated 16.416s ok github.com/google/syzkaller/vm/proxyapp 18.733s ok github.com/google/syzkaller/vm/vmimpl 16.402s FAIL