Improving Linux-Kernel Tests for LockDoc with Feedback-driven Fuzzing
arXiv - CS - Software Engineering. Pub Date: 2020-09-16, DOI: arxiv-2009.08768
Alexander Lochmann, Robin Thunig, Horst Schirmeier

LockDoc is an approach to extract locking rules for kernel data structures from a dynamic execution trace recorded while the system is under a benchmark load. These locking rules can be used, for example, to locate synchronization bugs. For high rule precision and thorough bug finding, the approach depends heavily on the choice of benchmarks: they must trigger the execution of as much code as possible in the kernel subsystem relevant to the targeted data structures. However, existing test suites such as those provided by the Linux Test Project (LTP) achieve, in the case of LTP, only about 35 percent basic-block coverage for the VFS subsystem, which is the relevant subsystem when extracting locking rules for filesystem-related data structures. In this article, we discuss how to complement the LTP suites to improve the code coverage for our LockDoc scenario. We repurpose syzkaller, a coverage-guided fuzzer whose goal is to validate the robustness of kernel APIs, to 1) not aim for kernel crashes, and 2) maximize code coverage for a specific kernel subsystem. Thereby, we generate new benchmark programs that can be run in addition to the LTP, and increase VFS basic-block coverage by 26.1 percent.

Updated: 2020-09-21