All of the kernel is being tested when only some functions are specified with focus_areas

Sanan Hasanov

Sep 14, 2025, 7:50:34 PM
to syzkaller
Hello, dear maintainers,

I recently tried adding some functions and weights as filters in the focus_areas field of the syz-manager config; however, after the trials, I noticed that the rest of the kernel was still tested.
I would like to ask if it's the expected behavior.

I checked out pkg/mgr/mgrconfig.go (https://github.com/google/syzkaller/blob/e2beed91937c0ace342f19a2e9afb67adb3a828a/pkg/mgrconfig/config.go#L254C1-L255C48), and here it is mentioned that if the whole kernel still needs to be considered for testing, a weight of 1.0 without any filter should be appended to the end.
As I did not add the weight at the end of focus_areas, I assumed that syzkaller should focus only on the functions that are specified.

Have a nice day!

Best regards,
Sanan Hasanov

Dmitry Vyukov

Sep 15, 2025, 3:29:54 AM
to Sanan Hasanov, syzkaller
Hi Sanan,

It's the _focus_ area. It's not theoretically possible to not test
something specified in the config, as it would require precise
prediction of coverage for each program.
Enable/disable_syscalls provide more precise control in this sense.

Sanan Hasanov

Sep 15, 2025, 10:03:05 AM
to syzkaller
Hello Mr. Vyukov,

My insight was that the whole kernel's tested with the seeds in the initial corpus.
But later on, as only the functions specified in focus_areas are instrumented, syzkaller starts mutating the seeds that can reach those functions and drops others from the corpus.
I assume it's not as straightforward as I thought.

Thanks for the clarification.

Best regards,
Sanan Hasanov