pkg/aflow: initial repro workflow implementation

Author: tarasmadan

pkg/aflow/action/crash/compare.go

@@ -0,0 +1,27 @@
+// Copyright 2025 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package crash
+
+import (
+	"github.com/google/syzkaller/pkg/aflow"
+)
+
+var CompareCrashSignature = aflow.NewFuncAction("compare-crash-signature", compareCrash)
+
+type CompareCrashArgs struct {
+	BugTitle         string
+	ProducedBugTitle string
+}
+
+type CompareCrashResult struct {
+	Matches       bool
+	CompareErrors string
+}
+
+func compareCrash(ctx *aflow.Context, args CompareCrashArgs) (CompareCrashResult, error) {
+	if args.BugTitle != args.ProducedBugTitle {
+		return CompareCrashResult{Matches: false, CompareErrors: "Crash signature did not match target"}, nil
+	}
+	return CompareCrashResult{Matches: true}, nil
+}

pkg/aflow/action/crash/compiler.go

@@ -0,0 +1,63 @@
+// Copyright 2025 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package crash
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/google/syzkaller/pkg/aflow"
+	"github.com/google/syzkaller/prog"
+	_ "github.com/google/syzkaller/sys"
+)
+
+var SyzCompilerCheck = aflow.NewFuncAction("syz-compiler-check", compilerCheck)
+
+type CompilerCheckArgs struct {
+	CandidateSyzlang string
+}
+
+type CompilerCheckResult struct {
+	CompilerSuccess bool
+	CompilerErrors  string
+}
+
+func compilerCheck(ctx *aflow.Context, args CompilerCheckArgs) (CompilerCheckResult, error) {
+	pt, err := prog.GetTarget("linux", "amd64")
+	if err != nil {
+		return CompilerCheckResult{CompilerSuccess: false, CompilerErrors: err.Error()}, nil
+	}
+	_, err = pt.Deserialize([]byte(args.CandidateSyzlang), prog.Strict)
+	if err != nil {
+		return CompilerCheckResult{CompilerSuccess: false, CompilerErrors: err.Error()}, nil
+	}
+	return CompilerCheckResult{CompilerSuccess: true}, nil
+}
+
+var ExtractSyzCode = aflow.NewFuncAction("extract-syz-code", extractSyzCode)
+
+type ExtractSyzCodeArgs struct {
+	RawSyzlang string
+}
+
+type ExtractSyzCodeResult struct {
+	CandidateSyzlang string
+}
+
+func extractSyzCode(ctx *aflow.Context, args ExtractSyzCodeArgs) (ExtractSyzCodeResult, error) {
+	code := args.RawSyzlang
+	// If the code is inside a markdown block, extract it.
+	if match := reSyzBlock.FindStringSubmatch(code); match != nil {
+		code = match[1]
+	} else if match := reCodeBlock.FindStringSubmatch(code); match != nil {
+		code = match[1]
+	}
+	code = strings.TrimSpace(code)
+	return ExtractSyzCodeResult{CandidateSyzlang: code}, nil
+}
+
+var (
+	reSyzBlock  = regexp.MustCompile("(?s)```(?:ex-?)?syz(?:kaller|lang)?\\n(.*?)```")
+	reCodeBlock = regexp.MustCompile("(?s)```\\n(.*?)```")
+)

pkg/aflow/action/crash/reproduce.go

@@ -85,8 +85,18 @@ func ReproduceCrash(args ReproduceArgs, workdir string) (*report.Report, string,
 	if err != nil {
 		return nil, "", err
 	}
+	var reproSyz, reproOpts, reproC []byte
+	if args.ReproSyz != "" {
+		reproSyz = []byte(args.ReproSyz)
+	}
+	if args.ReproOpts != "" {
+		reproOpts = []byte(args.ReproOpts)
+	}
+	if args.ReproC != "" {
+		reproC = []byte(args.ReproC)
+	}
 	// TODO: run multiple instances, handle TestError.Infra, and aggregate results.
-	results, err := env.Test(1, nil, nil, []byte(args.ReproC))
+	results, err := env.Test(1, reproSyz, reproOpts, reproC)
 	if err != nil {
 		return nil, "", err
 	}
@@ -160,3 +170,85 @@ func reproduce(ctx *aflow.Context, args ReproduceArgs) (reproduceResult, error)
 		CrashReport: cached.Report,
 	}, nil
 }
+
+var ReproduceSyzlang = aflow.NewFuncAction("crash-reproducer", reproduceSyzlang)
+
+type ReproduceSyzlangArgs struct {
+	Syzkaller        string
+	Image            string
+	Type             string
+	VM               json.RawMessage
+	CandidateSyzlang string
+	SyzkallerCommit  string
+	KernelSrc        string
+	KernelObj        string
+	KernelCommit     string
+	KernelConfig     string
+}
+
+type reproduceSyzlangResult struct {
+	ProducedBugTitle    string
+	ProducedCrashReport string
+	ReproduceErrors     string
+}
+
+func reproduceSyzlang(ctx *aflow.Context, args ReproduceSyzlangArgs) (reproduceSyzlangResult, error) {
+	imageData, err := os.ReadFile(args.Image)
+	if err != nil {
+		return reproduceSyzlangResult{}, err
+	}
+	desc := fmt.Sprintf("kernel commit %v, kernel config hash %v, image hash %v,"+
+		" vm %v, vm config hash %v, syz repro hash %v, version 4",
+		args.KernelCommit, hash.String(args.KernelConfig), hash.String(imageData),
+		args.Type, hash.String(args.VM), hash.String(args.CandidateSyzlang))
+
+	type Cached struct {
+		BugTitle string
+		Report   string
+		Error    string
+	}
+
+	cached, err := aflow.CacheObject(ctx, "repro", desc, func() (Cached, error) {
+		var res Cached
+		workdir, err := ctx.TempDir()
+		if err != nil {
+			return res, err
+		}
+
+		reproArgs := ReproduceArgs{
+			Syzkaller:       args.Syzkaller,
+			Image:           args.Image,
+			Type:            args.Type,
+			VM:              args.VM,
+			ReproOpts:       "",
+			ReproSyz:        args.CandidateSyzlang,
+			ReproC:          "",
+			SyzkallerCommit: args.SyzkallerCommit,
+			KernelSrc:       args.KernelSrc,
+			KernelObj:       args.KernelObj,
+			KernelCommit:    args.KernelCommit,
+			KernelConfig:    args.KernelConfig,
+		}
+
+		rep, buildError, err := ReproduceCrash(reproArgs, workdir)
+		if rep != nil {
+			res.BugTitle = rep.Title
+			res.Report = string(rep.Report)
+		}
+		res.Error = buildError
+		return res, err
+	})
+
+	if err != nil {
+		return reproduceSyzlangResult{}, err
+	}
+	if cached.Error != "" {
+		return reproduceSyzlangResult{ReproduceErrors: cached.Error}, nil
+	} else if cached.Report == "" {
+		return reproduceSyzlangResult{ReproduceErrors: "reproducer did not crash"}, nil
+	}
+	return reproduceSyzlangResult{
+		ProducedBugTitle:    cached.BugTitle,
+		ProducedCrashReport: cached.Report,
+	}, nil
+}

pkg/aflow/flow/patching/actions.go pkg/aflow/action/kernel/common.gopkg/aflow/flow/patching/actions.go renamed to pkg/aflow/action/kernel/common.go

@@ -1,7 +1,7 @@
 // Copyright 2025 syzkaller project authors. All rights reserved.
 // Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
 
-package patching
+package kernel
 
 import (
 	"errors"
@@ -14,11 +14,12 @@ import (
 	"github.com/google/syzkaller/pkg/aflow"
 	"github.com/google/syzkaller/pkg/aflow/action/kernel"
 	"github.com/google/syzkaller/pkg/aflow/ai"
+	"github.com/google/syzkaller/pkg/aflow/common"
 	"github.com/google/syzkaller/pkg/osutil"
 	"github.com/google/syzkaller/pkg/vcs"
 )
 
-var baseCommitPicker = aflow.NewFuncAction("base-commit-picker", pickBaseCommit)
+var BaseCommitPicker = aflow.NewFuncAction("base-commit-picker", pickBaseCommit)
 
 type baseCommitArgs struct {
 	// Can be used to override the selected base commit (for manual testing).
@@ -60,7 +61,7 @@ func pickBaseCommit(ctx *aflow.Context, args baseCommitArgs) (baseCommitResult,
 		return res, nil
 	}
 
-	err := kernel.UseLinuxRepo(ctx, func(_ string, repo vcs.Repo) error {
+	err := UseLinuxRepo(ctx, func(_ string, repo vcs.Repo) error {
 		head, err := repo.Poll(baseRepo, baseBranch)
 		if err != nil {
 			return err
@@ -79,7 +80,7 @@ func pickBaseCommit(ctx *aflow.Context, args baseCommitArgs) (baseCommitResult,
 	return res, err
 }
 
-var getMaintainers = aflow.NewFuncAction("get-maintainers", maintainers)
+var GetMaintainers = aflow.NewFuncAction("get-maintainers", maintainers)
 
 type maintainersArgs struct {
 	KernelSrc string

pkg/aflow/ai/ai.go

@@ -45,3 +45,8 @@ type ModerationOutputs struct {
 	Actionable  bool
 	Explanation string
 }
+
+type ReproOutputs struct {
+	Syzlang string
+	Success bool
+}

pkg/aflow/common/recipient.go

@@ -0,0 +1,10 @@
+// Copyright 2025 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package common
+
+type Recipient struct {
+	Name  string
+	Email string
+	To    bool // whether the recipient should be on the To or Cc line
+}

pkg/aflow/flow/flows.go

@@ -6,4 +6,5 @@ package flow
 import (
 	_ "github.com/google/syzkaller/pkg/aflow/flow/assessment"
 	_ "github.com/google/syzkaller/pkg/aflow/flow/patching"
+	_ "github.com/google/syzkaller/pkg/aflow/flow/repro"
 )

pkg/aflow/flow/patching/patching.go

@@ -40,7 +40,7 @@ func createPatchingFlow(name string, summaryWindow int) *aflow.Flow {
 	return &aflow.Flow{
 		Name: name,
 		Root: aflow.Pipeline(
-			baseCommitPicker,
+			kernel.BaseCommitPicker,
 			kernel.Checkout,
 			kernel.Build,
 			// Ensure we can reproduce the crash (and the build boots).

pkg/aflow/flow/repro/repro.go

@@ -0,0 +1,116 @@
+// Copyright 2025 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package repro
+
+import (
+	"encoding/json"
+
+	"github.com/google/syzkaller/pkg/aflow"
+	"github.com/google/syzkaller/pkg/aflow/action/crash"
+	"github.com/google/syzkaller/pkg/aflow/action/kernel"
+	"github.com/google/syzkaller/pkg/aflow/ai"
+	"github.com/google/syzkaller/pkg/aflow/tool/syzlang"
+)
+
+type ReproInputs struct {
+	BugTitle        string
+	CrashReport     string
+	KernelConfig    string
+	Syzkaller       string
+	SyzkallerCommit string
+	Image           string
+	Type            string
+	VM              json.RawMessage
+
+	// Optional; used for testing.
+	FixedBaseCommit string
+	FixedRepository string
+}
+
+func init() {
+	aflow.Register[ReproInputs, ai.ReproOutputs](
+		ai.WorkflowRepro,
+		"reproduce a kernel crash and generate a syzlang program",
+		&aflow.Flow{
+			Root: aflow.Pipeline(
+				kernel.BaseCommitPicker,
+				kernel.Checkout,
+				kernel.Build,
+				&aflow.DoWhile{
+					Do: aflow.Pipeline(
+						&aflow.LLMAgent{
+							Name:        "expert",
+							Model:       aflow.BestExpensiveModel,
+							Reply:       "RawSyzlang",
+							Temperature: 1,
+							Instruction: reproInstruction,
+							Prompt:      reproPrompt,
+							Tools:       syzlang.Tools,
+						},
+						crash.ExtractSyzCode,
+						crash.SyzCompilerCheck,
+						// If compiler succeeded, evaluate Reproduce and Compare outputs
+						// In order to not fail early if reproduce failed or compile failed, we use an aggregator
+						aflow.NewFuncAction("evaluate-iteration", func(ctx *aflow.Context, args struct {
+							CompilerSuccess     bool
+							CompilerErrors      string
+							ReproduceErrors     string
+							CompareErrors       string
+							ProducedCrashReport string
+						}) (struct{ IterationErrors string }, error) {
+							if !args.CompilerSuccess {
+								return struct{ IterationErrors string }{IterationErrors: args.CompilerErrors}, nil
+							}
+							if args.ReproduceErrors != "" {
+								return struct{ IterationErrors string }{IterationErrors: args.ReproduceErrors}, nil
+							}
+							if args.CompareErrors != "" {
+								return struct{ IterationErrors string }{IterationErrors: args.CompareErrors}, nil
+							}
+							return struct{ IterationErrors string }{}, nil
+						}),
+						crash.ReproduceSyzlang,
+						crash.CompareCrashSignature,
+					),
+					While:         "IterationErrors",
+					MaxIterations: 10,
+				},
+				aflow.NewFuncAction("emit-result", func(ctx *aflow.Context, args struct {
+					CandidateSyzlang string
+					Matches          bool
+				}) (ai.ReproOutputs, error) {
+					return ai.ReproOutputs{
+						Syzlang: args.CandidateSyzlang,
+						Success: args.Matches,
+					}, nil
+				}),
+			),
+		},
+	)
+}
+
+const reproInstruction = `
+You are an expert kernel security researcher. Your goal is to write a syzkaller program to trigger
+a specific bug. Use syzlang syntax strictly.
+
+First, search for the relevant syzlang definitions using the syzlang-search tool.
+Then, write a candidate .syz test program. Use the syz-compiler-check tool to validate your syntax.
+Once compilation passes, use the crash-reproducer tool to run it in the VM.
+After that, use compare-crash-signature to verify if the reproduced crash matches the target crash title.
+
+If previous attempts failed, pay attention to the errors and fix them.
+
+Iterate until you find a working reproducer or exhaust your attempts.
+`
+
+const reproPrompt = `
+Bug Title: {{.BugTitle}}
+Original Crash Report:
+{{.CrashReport}}
+
+{{if .IterationErrors}}
+Previous Attempt Errors:
+{{.IterationErrors}}
+{{end}}
+`