google
diff --git a/‎pkg/aflow/action/crash/compare.go‎
Lines changed: 27 additions & 0 deletions b/‎pkg/aflow/action/crash/compare.go‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎pkg/aflow/action/crash/compiler.go‎
Lines changed: 63 additions & 0 deletions b/‎pkg/aflow/action/crash/compiler.go‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎pkg/aflow/action/crash/compiler_test.go‎
Lines changed: 56 additions & 0 deletions b/‎pkg/aflow/action/crash/compiler_test.go‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎pkg/aflow/action/crash/reproduce.go‎
Lines changed: 83 additions & 1 deletion b/‎pkg/aflow/action/crash/reproduce.go‎
Lines changed: 83 additions & 1 deletion
diff --git a/‎pkg/aflow/action/kernel/basecommitpicker.go‎
Lines changed: 79 additions & 0 deletions b/‎pkg/aflow/action/kernel/basecommitpicker.go‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎pkg/aflow/action/kernel/getmaintainers.go‎
Lines changed: 50 additions & 0 deletions b/‎pkg/aflow/action/kernel/getmaintainers.go‎
Lines changed: 50 additions & 0 deletions
@@ -0,0 +1,27 @@
+// Copyright 2026 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package crash
+
+import (
+	"github.com/google/syzkaller/pkg/aflow"
+)
+
+var CompareCrashSignature = aflow.NewFuncAction("compare-crash-signature", compareCrash)
+
+type CompareCrashArgs struct {
+	BugTitle         string
+	ProducedBugTitle string
+}
+
+type CompareCrashResult struct {
+	Matches       bool
+	CompareErrors string
+}
+
+func compareCrash(ctx *aflow.Context, args CompareCrashArgs) (CompareCrashResult, error) {
+	if args.BugTitle != args.ProducedBugTitle {
+		return CompareCrashResult{Matches: false, CompareErrors: "Crash signature did not match target"}, nil
+	}
+	return CompareCrashResult{Matches: true}, nil
+}
@@ -0,0 +1,63 @@
+// Copyright 2026 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package crash
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/google/syzkaller/pkg/aflow"
+	"github.com/google/syzkaller/prog"
+	_ "github.com/google/syzkaller/sys"
+)
+
+var SyzCompilerCheck = aflow.NewFuncAction("syz-compiler-check", compilerCheck)
+
+type CompilerCheckArgs struct {
+	CandidateSyzlang string
+}
+
+type CompilerCheckResult struct {
+	CompilerSuccess bool
+	CompilerErrors  string
+}
+
+func compilerCheck(ctx *aflow.Context, args CompilerCheckArgs) (CompilerCheckResult, error) {
+	pt, err := prog.GetTarget("linux", "amd64")
+	if err != nil {
+		return CompilerCheckResult{CompilerSuccess: false, CompilerErrors: err.Error()}, nil
+	}
+	_, err = pt.Deserialize([]byte(args.CandidateSyzlang), prog.Strict)
+	if err != nil {
+		return CompilerCheckResult{CompilerSuccess: false, CompilerErrors: err.Error()}, nil
+	}
+	return CompilerCheckResult{CompilerSuccess: true}, nil
+}
+
+var ExtractSyzCode = aflow.NewFuncAction("extract-syz-code", extractSyzCode)
+
+type ExtractSyzCodeArgs struct {
+	RawSyzlang string
+}
+
+type ExtractSyzCodeResult struct {
+	CandidateSyzlang string
+}
+
+func extractSyzCode(ctx *aflow.Context, args ExtractSyzCodeArgs) (ExtractSyzCodeResult, error) {
+	code := args.RawSyzlang
+	// If the code is inside a markdown block, extract it.
+	if match := reSyzBlock.FindStringSubmatch(code); match != nil {
+		code = match[1]
+	} else if match := reCodeBlock.FindStringSubmatch(code); match != nil {
+		code = match[1]
+	}
+	code = strings.TrimSpace(code)
+	return ExtractSyzCodeResult{CandidateSyzlang: code}, nil
+}
+
+var (
+	reSyzBlock  = regexp.MustCompile("(?s)```(?:ex-?)?syz(?:kaller|lang)?\\n(.*?)```")
+	reCodeBlock = regexp.MustCompile("(?s)```\\n(.*?)```")
+)
@@ -0,0 +1,56 @@
+// Copyright 2026 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package crash
+
+import (
+	"testing"
+
+	"github.com/google/syzkaller/pkg/aflow"
+)
+
+func TestExtractSyzCode(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		wantCode string
+	}{
+		{
+			name:     "raw_code",
+			input:    "getpid()\n",
+			wantCode: "getpid()",
+		},
+		{
+			name:     "markdown_block",
+			input:    "Here is the code:\n```\ngetpid()\n```\n",
+			wantCode: "getpid()",
+		},
+		{
+			name:     "syzlang_block",
+			input:    "Try this:\n```syzlang\ngetpid()\n```\n",
+			wantCode: "getpid()",
+		},
+		{
+			name:     "syzkaller_block",
+			input:    "Try this:\n```syzkaller\ngetpid()\n```\n",
+			wantCode: "getpid()",
+		},
+		{
+			name:     "chatty_no_block",
+			input:    "I think you should use open syscall.",
+			wantCode: "I think you should use open syscall.",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			res, err := extractSyzCode(&aflow.Context{}, ExtractSyzCodeArgs{RawSyzlang: test.input})
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if res.CandidateSyzlang != test.wantCode {
+				t.Errorf("got code %q, want %q", res.CandidateSyzlang, test.wantCode)
+			}
+		})
+	}
+}
@@ -86,7 +86,7 @@ func ReproduceCrash(args ReproduceArgs, workdir string) (*report.Report, string,
 		return nil, "", err
 	}
 	// TODO: run multiple instances, handle TestError.Infra, and aggregate results.
-	results, err := env.Test(1, nil, nil, []byte(args.ReproC))
+	results, err := env.Test(1, []byte(args.ReproSyz), []byte(args.ReproOpts), []byte(args.ReproC))
 	if err != nil {
 		return nil, "", err
 	}
@@ -160,3 +160,85 @@ func reproduce(ctx *aflow.Context, args ReproduceArgs) (reproduceResult, error)
 		CrashReport: cached.Report,
 	}, nil
 }
+
+var ReproduceSyzlang = aflow.NewFuncAction("crash-reproducer", reproduceSyzlang)
+
+type ReproduceSyzlangArgs struct {
+	Syzkaller        string
+	Image            string
+	Type             string
+	VM               json.RawMessage
+	CandidateSyzlang string
+	SyzkallerCommit  string
+	KernelSrc        string
+	KernelObj        string
+	KernelCommit     string
+	KernelConfig     string
+}
+
+type reproduceSyzlangResult struct {
+	ProducedBugTitle    string
+	ProducedCrashReport string
+	ReproduceErrors     string
+}
+
+func reproduceSyzlang(ctx *aflow.Context, args ReproduceSyzlangArgs) (reproduceSyzlangResult, error) {
+	imageData, err := os.ReadFile(args.Image)
+	if err != nil {
+		return reproduceSyzlangResult{}, err
+	}
+	desc := fmt.Sprintf("kernel commit %v, kernel config hash %v, image hash %v,"+
+		" vm %v, vm config hash %v, syz repro hash %v, version 4",
+		args.KernelCommit, hash.String(args.KernelConfig), hash.String(imageData),
+		args.Type, hash.String(args.VM), hash.String(args.CandidateSyzlang))
+
+	type Cached struct {
+		BugTitle string
+		Report   string
+		Error    string
+	}
+
+	cached, err := aflow.CacheObject(ctx, "repro", desc, func() (Cached, error) {
+		var res Cached
+		workdir, err := ctx.TempDir()
+		if err != nil {
+			return res, err
+		}
+
+		reproArgs := ReproduceArgs{
+			Syzkaller:       args.Syzkaller,
+			Image:           args.Image,
+			Type:            args.Type,
+			VM:              args.VM,
+			ReproOpts:       "",
+			ReproSyz:        args.CandidateSyzlang,
+			ReproC:          "",
+			SyzkallerCommit: args.SyzkallerCommit,
+			KernelSrc:       args.KernelSrc,
+			KernelObj:       args.KernelObj,
+			KernelCommit:    args.KernelCommit,
+			KernelConfig:    args.KernelConfig,
+		}
+
+		rep, buildError, err := ReproduceCrash(reproArgs, workdir)
+		if rep != nil {
+			res.BugTitle = rep.Title
+			res.Report = string(rep.Report)
+		}
+		res.Error = buildError
+		return res, err
+	})
+
+	if err != nil {
+		return reproduceSyzlangResult{}, err
+	}
+	if cached.Error != "" {
+		return reproduceSyzlangResult{ReproduceErrors: cached.Error}, nil
+	} else if cached.Report == "" {
+		return reproduceSyzlangResult{ReproduceErrors: "reproducer did not crash"}, nil
+	}
+	return reproduceSyzlangResult{
+		ProducedBugTitle:    cached.BugTitle,
+		ProducedCrashReport: cached.Report,
+	}, nil
+}
@@ -0,0 +1,79 @@
+// Copyright 2025 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package kernel
+
+import (
+	"errors"
+	"fmt"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/google/syzkaller/pkg/aflow"
+	"github.com/google/syzkaller/pkg/aflow/ai"
+	"github.com/google/syzkaller/pkg/osutil"
+	"github.com/google/syzkaller/pkg/vcs"
+)
+
+var BaseCommitPicker = aflow.NewFuncAction("base-commit-picker", pickBaseCommit)
+
+type baseCommitArgs struct {
+	// Can be used to override the selected base commit (for manual testing).
+	FixedBaseCommit string
+	FixedRepository string
+}
+
+type baseCommitResult struct {
+	KernelRepo   string
+	KernelBranch string
+	KernelCommit string
+}
+
+func pickBaseCommit(ctx *aflow.Context, args baseCommitArgs) (baseCommitResult, error) {
+	// Currently we use the latest RC of the mainline tree as the base.
+	// This is a reasonable choice overall in lots of cases, and it enables good caching
+	// of all artifacts (we need to rebuild them only approx every week).
+	// Potentially we can use subsystem trees for few important, well-maintained subsystems
+	// (mm, net, etc). However, it will work poorly for all subsystems. First, there is no
+	// machine-usable mapping of subsystems to repo/branch; second, lots of them are poorly
+	// maintained (can be much older than latest RC); third, it will make artifact caching
+	// much worse.
+	// In the future we ought to support automated rebasing of patches to requested trees/commits.
+	// We need it anyway, but it will also alleviate imperfect base commit picking.
+	const (
+		baseRepo   = "git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git"
+		baseBranch = "master"
+	)
+
+	res := baseCommitResult{
+		KernelRepo:   baseRepo,
+		KernelBranch: baseBranch,
+		KernelCommit: args.FixedBaseCommit,
+	}
+	if args.FixedRepository != "" {
+		res.KernelRepo = args.FixedRepository
+	}
+	if args.FixedBaseCommit != "" {
+		return res, nil
+	}
+
+	err := UseLinuxRepo(ctx, func(_ string, repo vcs.Repo) error {
+		head, err := repo.Poll(baseRepo, baseBranch)
+		if err != nil {
+			return err
+		}
+		tag, err := repo.ReleaseTag(head.Hash)
+		if err != nil {
+			return err
+		}
+		com, err := repo.SwitchCommit(tag)
+		if err != nil {
+			return err
+		}
+		res.KernelCommit = com.Hash
+		return err
+	})
+	return res, err
+}
@@ -0,0 +1,50 @@
+// Copyright 2025 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package kernel
+
+import (
+	"errors"
+	"fmt"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/google/syzkaller/pkg/aflow"
+	"github.com/google/syzkaller/pkg/aflow/ai"
+	"github.com/google/syzkaller/pkg/osutil"
+	"github.com/google/syzkaller/pkg/vcs"
+)
+
+var GetMaintainers = aflow.NewFuncAction("get-maintainers", maintainers)
+
+type maintainersArgs struct {
+	KernelSrc string
+	PatchDiff string
+}
+
+type maintainersResult struct {
+	Recipients []ai.Recipient
+}
+
+func maintainers(ctx *aflow.Context, args maintainersArgs) (maintainersResult, error) {
+	res := maintainersResult{}
+	// See #1441 re --git-min-percent.
+	script := filepath.Join(args.KernelSrc, "scripts/get_maintainer.pl")
+	cmd := exec.Command(script, "--git-min-percent=15")
+	cmd.Dir = args.KernelSrc
+	cmd.Stdin = strings.NewReader(args.PatchDiff)
+	output, err := osutil.Run(time.Minute, cmd)
+	if err != nil {
+		return res, err
+	}
+	for _, recipient := range vcs.ParseMaintainersLinux(output) {
+		res.Recipients = append(res.Recipients, ai.Recipient{
+			Name:  recipient.Address.Name,
+			Email: recipient.Address.Address,
+			To:    recipient.Type == vcs.To,
+		})
+	}
+	return res, nil
+}