Re: question about syz-trace2syz

[Aleksandr Nogikh]

(+ the mailing list)

Hi David,

On Sat, Nov 8, 2025 at 7:40 AM David Lee <sayni...@gmail.com> wrote:
>
> Hi Aleksandr,
>
> I hope that this email finds you well.
> I am working on using trace2syz to convert C source codes to syzlang programs. However, it seems that trace2syz is actively maintained. I saw you replies in https://github.com/google/syzkaller/issues/3508#issuecomment-1637625439, and I feel that you may be an expert on syz-trace2syz. So I am writing this email to you.

The tool is unfortunately barely maintained now. It should ideally be
rewritten to rely not on strace output, but rather on e.g. ptrace to
directly match syscall arguments and the memory at the pointed-to
addresses with the syzkaller descriptions.

> Here is the error when I use trace2syz.
> I try to convert the below trace into syzlang program:
>>
>> 9760 socket(0x10, 0x3, 0xc) = 3
>> 9760 bind(3, {sa_family=0x10, nl_pid=0, nl_groups=00000000}, 12) = 0
>> 9760 sendmsg(3, {msg_name={sa_family=0x10, nl_pid=0, nl_groups=00000000}, msg_namelen=12, msg_iov=[{iov_base=[{{len=20, type=0x10, flags=0x1, seq=0, pid=0}, {nfgen_family=0, version=0, res_id=htons(10)}, {{len=40, type=0xa<<8|0, flags=0x601, seq=0, pid=0}, {nfgen_family=0x2, version=0, res_id=0xa00, [{{nla_len=9, nla_type=0x1}, "\x74\x5f\x78\x74\x00"}, {{nla_len=8, nla_type=0x2}, "\x00\x00\x00\x00"}]}, {{len=84, type=0xa<<8|0x3, flags=0x601, seq=0, pid=0}, {nfgen_family=0x2, version=0, res_id=0xa00, [{{nla_len=9, nla_type=0x1}, "\x74\x5f\x78\x74\x00"}, {{nla_len=9, nla_type=0x3}, "\x63\x5f\x78\x74\x00"}, {{nla_len=11, nla_type=0x7}, "\x66\x69\x6c\x74\x65\x72\x00"}, {{nla_len=20, nla_type=0x4}, "\x08\x00\x01\x00\x00\x00\x00\x01\x08\x00\x02\x00\x00\x00\x00\x00"}, {{nla_len=8, nla_type=0x5}, "\x00\x00\x00\x01"}]}, {{len=180, type=0xa<<8|0x6, flags=0x601, seq=0, pid=0}, {nfgen_family=0x2, version=0, res_id=0xa00, [{{nla_len=9, nla_type=0x1}, "\x74\x5f\x78\x74\x00"}, {{nla_len=9, nla_type=0x2}, "\x63\x5f\x78\x74\x00"}, {{nla_len=136, nla_type=0x4}, "\x54\x00\x01\x00\x0a\x00\x01\x00\x6d\x61\x74\x63\x68\x00\x00\x00\x44\x00\x02\x00\x0b\x00\x01\x00\x6e\x66\x61\x63\x63\x74\x00\x00\x08\x00\x02\x00\x00\x00\x00\x00\x2c\x00\x03\x00\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x41\x42\x43\x44\x45\x46\x47\x48\x49\x42\x42\x42\x42\x42\x42\x42\x42\x30\x00\x01\x00\x0e\x00\x01\x00\x69\x6d\x6d\x65\x64\x69\x61\x74\x65\x00\x00\x00\x1c\x00\x02\x00\x08\x00\x01\x00\x00\x00\x00\x00\x10\x00\x02\x00\x0c\x00\x02\x00\x08\x00\x01\x00\x00\x00\x00\x01"}]}, {{len=20, type=0x11, flags=0x1, seq=0, pid=0}, {nfgen_family=0, version=0, res_id=htons(10)}], iov_len=344}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 344
>> 9760 exit_group(0) = ?
>> 9760 +++ exited with 0 +++
>
> .However, trace2syz use reports the below error:
>>
>> 2025/11/07 22:21:43 parsing 1 traces
>> error: syntax error
>> 2025/11/07 22:21:43 [FATAL] failed to parse line: 9760 sendmsg(3, {msg_name={sa_family=0x10, nl_pid=0, nl_groups=00000000}, msg_namelen=12, msg_iov=[{iov_base=[{{len=20, type=0x10, flags=0x1, seq=0, pid=0}, {nfgen_family=0, version=0, res_id=htons(10)}, {{len=40, type=0xa<<8|0, flags=0x601, seq=0, pid=0}, {nfgen_family=0x2, version=0, res_id=0xa00, [{{nla_len=9, nla_type=0x1}, "\x74\x5f\x78\x74\x00"}, {{nla_len=8, nla_type=0x2}, "\x00\x00\x00\x00"}]}, {{len=84, type=0xa<<8|0x3, flags=0x601, seq=0, pid=0}, {nfgen_family=0x2, version=0, res_id=0xa00, [{{nla_len=9, nla_type=0x1}, "\x74\x5f\x78\x74\x00"}, {{nla_len=9, nla_type=0x3}, "\x63\x5f\x78\x74\x00"}, {{nla_len=11, nla_type=0x7}, "\x66\x69\x6c\x74\x65\x72\x00"}, {{nla_len=20, nla_type=0x4}, "\x08\x00\x01\x00\x00\x00\x00\x01\x08\x00\x02\x00\x00\x00\x00\x00"}, {{nla_len=8, nla_type=0x5}, "\x00\x00\x00\x01"}]}, {{len=180, type=0xa<<8|0x6, flags=0x601, seq=0, pid=0}, {nfgen_family=0x2, version=0, res_id=0xa00, [{{nla_len=9, nla_type=0x1}, "\x74\x5f\x78\x74\x00"}, {{nla_len=9, nla_type=0x2}, "\x63\x5f\x78\x74\x00"}, {{nla_len=136, nla_type=0x4}, "\x54\x00\x01\x00\x0a\x00\x01\x00\x6d\x61\x74\x63\x68\x00\x00\x00\x44\x00\x02\x00\x0b\x00\x01\x00\x6e\x66\x61\x63\x63\x74\x00\x00\x08\x00\x02\x00\x00\x00\x00\x00\x2c\x00\x03\x00\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x41\x42\x43\x44\x45\x46\x47\x48\x49\x42\x42\x42\x42\x42\x42\x42\x42\x30\x00\x01\x00\x0e\x00\x01\x00\x69\x6d\x6d\x65\x64\x69\x61\x74\x65\x00\x00\x00\x1c\x00\x02\x00\x08\x00\x01\x00\x00\x00\x00\x00\x10\x00\x02\x00\x0c\x00\x02\x00\x08\x00\x01\x00\x00\x00\x00\x01"}]}, {{len=20, type=0x11, flags=0x1, seq=0, pid=0}, {nfgen_family=0, version=0, res_id=htons(10)}], iov_len=344}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 344
>
>
> The trace is generated by command: strace -o trace.txt -a 1 -s 65500 -v -xx -f -Xraw ./prog. The original trace contains more syscalls, I manually removed those which are noise and not related (before removing, there is also the error).
> I also compiled trace2syz using "make trace2syz", as you said in https://github.com/google/syzkaller/issues/3508#issuecomment-1637625439.
>
> Can you give me some guidance on how to solve this?

This is a new problem that needs to be triaged/debugged. Most likely,
the error occurs because the tool doesn't recognize some new `strace`
output syntax. It was implemented in 2018 - seven years ago.

I can recommend opening an issue in our GitHub repository, but, since
the tool isn't actively maintained anymore, it's is unlikely to be
addressed promptly.
Any help would be very welcome though :)

--
Aleksandr

>
> Thanks for your time and consideration!

[David Lee]

Hi Aleksandr,

Thanks for your response. 

It seem that to reliably convert C codes to syzlang program, there are two ways: one is "rewritten to rely not on strace output, but rather on e.g. ptrace to

directly match syscall arguments and the memory at the pointed-to

addresses with the syzkaller descriptions."; the other is to modify trace2syz to recognize the new strace output syntax. 

For this way, which is your recommendation? Thanks.