pkg/aflow: initial repro workflow implementation

Author: tarasmadan

pkg/aflow/action/crash/compare.go

@@ -0,0 +1,27 @@
+// Copyright 2026 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package crash
+
+import (
+	"github.com/google/syzkaller/pkg/aflow"
+)
+
+var CompareCrashSignature = aflow.NewFuncAction("compare-crash-signature", compareCrash)
+
+type CompareCrashArgs struct {
+	BugTitle         string
+	ProducedBugTitle string
+}
+
+type CompareCrashResult struct {
+	Matches       bool
+	CompareErrors string
+}
+
+func compareCrash(ctx *aflow.Context, args CompareCrashArgs) (CompareCrashResult, error) {
+	if args.BugTitle != args.ProducedBugTitle {
+		return CompareCrashResult{Matches: false, CompareErrors: "Crash signature did not match target"}, nil
+	}
+	return CompareCrashResult{Matches: true}, nil
+}

pkg/aflow/action/crash/compiler.go

@@ -0,0 +1,33 @@
+// Copyright 2026 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package crash
+
+import (
+	"github.com/google/syzkaller/pkg/aflow"
+	"github.com/google/syzkaller/prog"
+	_ "github.com/google/syzkaller/sys"
+)
+
+var SyzCompilerCheck = aflow.NewFuncAction("syz-compiler-check", compilerCheck)
+
+type CompilerCheckArgs struct {
+	CandidateSyzlang string
+}
+
+type CompilerCheckResult struct {
+	CompilerSuccess bool
+	CompilerErrors  string
+}
+
+func compilerCheck(ctx *aflow.Context, args CompilerCheckArgs) (CompilerCheckResult, error) {
+	pt, err := prog.GetTarget("linux", "amd64")
+	if err != nil {
+		return CompilerCheckResult{CompilerSuccess: false, CompilerErrors: err.Error()}, nil
+	}
+	_, err = pt.Deserialize([]byte(args.CandidateSyzlang), prog.Strict)
+	if err != nil {
+		return CompilerCheckResult{CompilerSuccess: false, CompilerErrors: err.Error()}, nil
+	}
+	return CompilerCheckResult{CompilerSuccess: true}, nil
+}

pkg/aflow/action/crash/reproduce.go

@@ -86,7 +86,7 @@ func ReproduceCrash(args ReproduceArgs, workdir string) (*report.Report, string,
 		return nil, "", err
 	}
 	// TODO: run multiple instances, handle TestError.Infra, and aggregate results.
-	results, err := env.Test(1, nil, nil, []byte(args.ReproC))
+	results, err := env.Test(1, []byte(args.ReproSyz), []byte(args.ReproOpts), []byte(args.ReproC))
 	if err != nil {
 		return nil, "", err
 	}
@@ -160,3 +160,85 @@ func reproduce(ctx *aflow.Context, args ReproduceArgs) (reproduceResult, error)
 		CrashReport: cached.Report,
 	}, nil
 }
+
+var ReproduceSyzlang = aflow.NewFuncAction("crash-reproducer", reproduceSyzlang)
+
+type ReproduceSyzlangArgs struct {
+	Syzkaller        string
+	Image            string
+	Type             string
+	VM               json.RawMessage
+	CandidateSyzlang string
+	SyzkallerCommit  string
+	KernelSrc        string
+	KernelObj        string
+	KernelCommit     string
+	KernelConfig     string
+}
+
+type reproduceSyzlangResult struct {
+	ProducedBugTitle    string
+	ProducedCrashReport string
+	ReproduceErrors     string
+}
+
+func reproduceSyzlang(ctx *aflow.Context, args ReproduceSyzlangArgs) (reproduceSyzlangResult, error) {
+	imageData, err := os.ReadFile(args.Image)
+	if err != nil {
+		return reproduceSyzlangResult{}, err
+	}
+	desc := fmt.Sprintf("kernel commit %v, kernel config hash %v, image hash %v,"+
+		" vm %v, vm config hash %v, syz repro hash %v, version 4",
+		args.KernelCommit, hash.String(args.KernelConfig), hash.String(imageData),
+		args.Type, hash.String(args.VM), hash.String(args.CandidateSyzlang))
+
+	type Cached struct {
+		BugTitle string
+		Report   string
+		Error    string
+	}
+
+	cached, err := aflow.CacheObject(ctx, "repro", desc, func() (Cached, error) {
+		var res Cached
+		workdir, err := ctx.TempDir()
+		if err != nil {
+			return res, err
+		}
+
+		reproArgs := ReproduceArgs{
+			Syzkaller:       args.Syzkaller,
+			Image:           args.Image,
+			Type:            args.Type,
+			VM:              args.VM,
+			ReproOpts:       "",
+			ReproSyz:        args.CandidateSyzlang,
+			ReproC:          "",
+			SyzkallerCommit: args.SyzkallerCommit,
+			KernelSrc:       args.KernelSrc,
+			KernelObj:       args.KernelObj,
+			KernelCommit:    args.KernelCommit,
+			KernelConfig:    args.KernelConfig,
+		}
+
+		rep, buildError, err := ReproduceCrash(reproArgs, workdir)
+		if rep != nil {
+			res.BugTitle = rep.Title
+			res.Report = string(rep.Report)
+		}
+		res.Error = buildError
+		return res, err
+	})
+
+	if err != nil {
+		return reproduceSyzlangResult{}, err
+	}
+	if cached.Error != "" {
+		return reproduceSyzlangResult{ReproduceErrors: cached.Error}, nil
+	} else if cached.Report == "" {
+		return reproduceSyzlangResult{ReproduceErrors: "reproducer did not crash"}, nil
+	}
+	return reproduceSyzlangResult{
+		ProducedBugTitle:    cached.BugTitle,
+		ProducedCrashReport: cached.Report,
+	}, nil
+}

pkg/aflow/ai/ai.go

@@ -45,3 +45,8 @@ type ModerationOutputs struct {
 	Actionable  bool
 	Explanation string
 }
+
+type ReproOutputs struct {
+	Syzlang string
+	Success bool
+}

pkg/aflow/flow/flows.go

@@ -6,4 +6,5 @@ package flow
 import (
 	_ "github.com/google/syzkaller/pkg/aflow/flow/assessment"
 	_ "github.com/google/syzkaller/pkg/aflow/flow/patching"
+	_ "github.com/google/syzkaller/pkg/aflow/flow/repro"
 )

pkg/aflow/flow/repro/repro.go

@@ -0,0 +1,110 @@
+// Copyright 2026 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package repro
+
+import (
+	"encoding/json"
+
+	"github.com/google/syzkaller/pkg/aflow"
+	"github.com/google/syzkaller/pkg/aflow/action/crash"
+	"github.com/google/syzkaller/pkg/aflow/action/kernel"
+	"github.com/google/syzkaller/pkg/aflow/ai"
+	"github.com/google/syzkaller/pkg/aflow/tool/syzlang"
+)
+
+type ReproInputs struct {
+	BugTitle        string
+	CrashReport     string
+	KernelConfig    string
+	KernelRepo      string
+	KernelCommit    string
+	Syzkaller       string
+	SyzkallerCommit string
+	Image           string
+	Type            string
+	VM              json.RawMessage
+}
+
+func init() {
+	aflow.Register[ReproInputs, ai.ReproOutputs](
+		ai.WorkflowRepro,
+		"reproduce a kernel crash and generate a syzlang program",
+		&aflow.Flow{
+			Root: aflow.Pipeline(
+				kernel.Checkout,
+				kernel.Build,
+				&aflow.DoWhile{
+					Do: aflow.Pipeline(
+						&aflow.LLMAgent{
+							Name:        "crash-reproducer",
+							Model:       aflow.BestExpensiveModel,
+							Reply:       "RawSyzlang",
+							TaskType:    aflow.FormalReasoningTask,
+							Instruction: reproInstruction,
+							Prompt:      reproPrompt,
+							Tools:       syzlang.Tools,
+						},
+						crash.SyzCompilerCheck,
+						// If compiler succeeded, evaluate Reproduce and Compare outputs
+						// In order to not fail early if reproduce failed or compile failed, we use an aggregator
+						aflow.NewFuncAction("evaluate-iteration", func(ctx *aflow.Context, args struct {
+							CompilerSuccess     bool
+							CompilerErrors      string
+							ReproduceErrors     string
+							CompareErrors       string
+							ProducedCrashReport string
+						}) (struct{ IterationErrors string }, error) {
+							if !args.CompilerSuccess {
+								return struct{ IterationErrors string }{IterationErrors: args.CompilerErrors}, nil
+							}
+							if args.ReproduceErrors != "" {
+								return struct{ IterationErrors string }{IterationErrors: args.ReproduceErrors}, nil
+							}
+							if args.CompareErrors != "" {
+								return struct{ IterationErrors string }{IterationErrors: args.CompareErrors}, nil
+							}
+							return struct{ IterationErrors string }{}, nil
+						}),
+						crash.ReproduceSyzlang,
+						crash.CompareCrashSignature,
+					),
+					While:         "IterationErrors",
+					MaxIterations: 10,
+				},
+				aflow.NewFuncAction("emit-result", func(ctx *aflow.Context, args struct {
+					CandidateSyzlang string
+					Matches          bool
+				}) (ai.ReproOutputs, error) {
+					return ai.ReproOutputs{
+						Syzlang: args.CandidateSyzlang,
+						Success: args.Matches,
+					}, nil
+				}),
+			),
+		},
+	)
+}
+
+const reproInstruction = `
+You are an expert in linux kernel fuzzing. Your goal is to write a syzkaller program to trigger
+a specific bug. Use syzlang syntax strictly.
+
+First, search for the relevant syzlang definitions using the syzlang-search tool.
+Then, write a candidate .syz test program. Use the syz-compiler-check tool to validate your syntax.
+Once compilation passes, use the crash-reproducer tool to run it in the VM.
+After that, use compare-crash-signature to verify if the reproduced crash matches the target crash title.
+
+If previous attempts failed, pay attention to the errors and fix them.
+Print only the syz program that could be executed directly. 
+`
+
+const reproPrompt = `
+Original Crash Report:
+{{.CrashReport}}
+
+{{if .IterationErrors}}
+Previous Attempt Errors:
+{{.IterationErrors}}
+{{end}}
+`

pkg/aflow/tool/syzlang/syzlang.go

@@ -0,0 +1,64 @@
+// Copyright 2026 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package syzlang
+
+import (
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/google/syzkaller/pkg/aflow"
+)
+
+var Tools = []aflow.Tool{
+	aflow.NewFuncTool("syzlang-search", search, `
+Tool provides syzlang definitions for a given subsystem (e.g., "bpf", "io_uring").
+`),
+}
+
+type searchArgs struct {
+	Subsystem string `jsonschema:"Name of the subsystem to retrieve descriptions for (e.g. bpf, ext4)."`
+}
+
+type searchResult struct {
+	Definitions string `jsonschema:"Syzlang definitions."`
+	Error       string `jsonschema:"Error message, if any." json:",omitempty"`
+}
+
+func search(ctx *aflow.Context, state struct{}, args searchArgs) (searchResult, error) {
+	if args.Subsystem == "" || args.Subsystem == "all" {
+		return searchResult{Error: "Subsystem name is required and cannot be 'all'. " +
+			"Please specify a specific subsystem like 'bpf' or 'ext4'."}, nil
+	}
+
+	// Let's assume the current working directory of the process is syzkaller root,
+	// because aflow tools are executed by the syzkaller manager/tools.
+	var out strings.Builder
+	err := filepath.WalkDir("sys/linux", func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if d.IsDir() || !strings.HasSuffix(d.Name(), ".txt") {
+			return nil
+		}
+
+		name := strings.TrimSuffix(d.Name(), ".txt")
+		if name != "sys" && name != args.Subsystem && !strings.HasPrefix(name, args.Subsystem+"_") {
+			return nil
+		}
+
+		data, err := os.ReadFile(path)
+		if err != nil {
+			return err
+		}
+		out.Write(data)
+		out.WriteString("\n")
+		return nil
+	})
+	if err != nil {
+		return searchResult{Error: "failed to access sys/linux: " + err.Error()}, nil
+	}
+	return searchResult{Definitions: out.String()}, nil
+}

tools/syz-aflow/aflow.go

@@ -131,6 +131,12 @@ func downloadBug(id, inputFile, token string) error {
 		"KernelCommit":    crash["kernel-source-commit"],
 	}
 
+	if title, ok := info["title"].(string); ok {
+		inputs["BugTitle"] = title
+	} else if title, ok := crash["title"].(string); ok {
+		inputs["BugTitle"] = title
+	}
+
 	fetchText := func(key string) (string, error) {
 		path, ok := crash[key].(string)
 		if !ok || path == "" {