pkg/aflow: expose reproducer test coverage to the LLM

GEMINI.md

@@ -51,7 +51,7 @@ tests that eventually use `prog.Target` or `targets.Target`.
 -   **Commit Messages:** Strict formatting required.
     -   Format: `dir/path: description` (e.g., `pkg/fuzzer: fix crash in minimization`).
     -   No trailing dot in the summary.
--   **Testing:** New features must have tests. When writing test assertions, prefer using `require.Equal(t, tt.want, got)` from the `github.com/stretchr/testify/require` package instead of manual `if` comparisons.
+-   **Testing:** New features must have tests. When writing test assertions, prefer using `require.Equal(t, tt.want, got)` and `require.NoError(t, err)` from the `github.com/stretchr/testify/require` package instead of manual `if` comparisons or `if err != nil { t.Fatal(err) }`. Use raw string literals where they improve readability (e.g., when verifying multi-line text outputs).
 -   **Formatting:** Always run `make format` before committing.
 -   **Linting:** Always run the linter (`make lint` or `golangci-lint run ./...`) to fix all problems when a big patch is ready or structural changes are finalized.
 -   **Syscall Descriptions:** When modifying `sys/*/*.txt`, `make generate` must be run to update generated code.

pkg/aflow/GEMINI.md

@@ -59,6 +59,7 @@ We globally agree on the semantics of names so that actions can work securely ac
 - **`SyzkallerCommit`**: The exact syzkaller revision hash used during testing phases.
 - **`Reproduced`**: A boolean indicating if a crash reproduced successfully.
 - **`ReproducedCrashReport`**: The captured crash report logs from a successful reproducer run.
+- **`CoverageID`**: A unique hash ID pointing to a persistently cached code coverage artifact collected during a test run.
 
 ### Defining Workflows
 

pkg/aflow/action/crash/reproduce.go

@@ -18,6 +18,7 @@ import (
 	"github.com/google/syzkaller/pkg/hash"
 	"github.com/google/syzkaller/pkg/instance"
 	"github.com/google/syzkaller/pkg/mgrconfig"
+	"github.com/google/syzkaller/pkg/osutil"
 	"github.com/google/syzkaller/pkg/report"
 	"github.com/google/syzkaller/pkg/symbolizer"
 	"github.com/google/syzkaller/sys/targets"
@@ -142,47 +143,66 @@ func parseTestError(err *instance.TestError) string {
 	return fmt.Sprintf("%v: %v\n%s", what, err.Title, extraInfo)
 }
 
-func ReproduceFunc(ctx *aflow.Context, args ReproduceArgs) (reproduceResult, error) {
+func ReproduceFuncWithCoverage(ctx *aflow.Context, args ReproduceArgs,
+	collectCoverage bool) (reproduceResult, string, error) {
 	imageData, err := os.ReadFile(args.Image)
 	if err != nil {
-		return reproduceResult{}, err
+		return reproduceResult{}, "", err
 	}
 	desc := fmt.Sprintf("kernel commit %v, kernel config hash %v, image hash %v,"+
-		" vm %v, vm config hash %v, C repro hash %v, syz repro hash %v, opts hash %v, version 4",
+		" vm %v, vm config hash %v, C repro hash %v, syz repro hash %v, opts hash %v, cov %v, version 5",
 		args.KernelCommit, hash.String(args.KernelConfig), hash.String(imageData),
 		args.Type, hash.String(args.VM), hash.String(args.ReproC),
-		hash.String(args.ReproSyz), hash.String(args.ReproOpts))
+		hash.String(args.ReproSyz), hash.String(args.ReproOpts), collectCoverage)
 	type Cached struct {
-		BugTitle string
-		Report   string
-		Error    string
+		BugTitle   string
+		Report     string
+		Error      string
+		CoverageID string
 	}
 	cached, err := aflow.CacheObject(ctx, "repro", desc, func() (Cached, error) {
 		var res Cached
 		workdir, err := ctx.TempDir()
 		if err != nil {
 			return res, err
 		}
-		testRes, err := RunTest(args, workdir, false)
+		testRes, err := RunTest(args, workdir, collectCoverage)
 		if testRes.Report != nil {
 			res.BugTitle = testRes.Report.Title
 			res.Report = string(testRes.Report.Report)
 		}
 		res.Error = testRes.BootError
+		// If the reproducer crashes the kernel, the VM halts abruptly and coverage
+		// often fails to flush, leaving testRes.Coverage empty. This is expected: we
+		// generally only want diagnostics on reproducers that failed to crash.
+		if err == nil && collectCoverage && len(testRes.Coverage) > 0 {
+			dir, err := ctx.Cache("coverage", desc, func(dir string) error {
+				return osutil.WriteJSON(filepath.Join(dir, "coverage.json"), testRes.Coverage)
+			})
+			if err != nil {
+				return res, err
+			}
+			res.CoverageID = filepath.Base(dir)
+		}
 		return res, err
 	})
 	if err != nil {
-		return reproduceResult{}, err
+		return reproduceResult{}, "", err
 	}
 	if cached.Error != "" {
-		return reproduceResult{}, errors.New(cached.Error)
+		return reproduceResult{}, "", errors.New(cached.Error)
 	} else if cached.Report == "" {
-		return reproduceResult{}, aflow.FlowError(ErrDidNotCrash)
+		return reproduceResult{}, "", aflow.FlowError(ErrDidNotCrash)
 	}
 	return reproduceResult{
 		ReproducedBugTitle:    cached.BugTitle,
 		ReproducedCrashReport: cached.Report,
-	}, nil
+	}, cached.CoverageID, nil
+}
+
+func ReproduceFunc(ctx *aflow.Context, args ReproduceArgs) (reproduceResult, error) {
+	res, _, err := ReproduceFuncWithCoverage(ctx, args, false)
+	return res, err
 }
 
 func symbolize(kernelObj string, coverage [][]uint64) ([][]symbolizer.Frame, error) {

pkg/aflow/execute.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"maps"
 	"os"
+	"path/filepath"
 	"slices"
 	"strings"
 	"sync"
@@ -287,6 +288,11 @@ func CacheObject[T any](ctx *Context, typ, desc string, populate func() (T, erro
 	return obj, nil
 }
 
+// CacheDir returns an absolute path where cache entries of the given type and id are stored.
+func (ctx *Context) CacheDir(typ, id string) string {
+	return filepath.Join(ctx.cache.dir, typ, id)
+}
+
 // TempDir creates a new temp dir that will be automatically removed
 // when the flow finished, or on the next restart.
 func (ctx *Context) TempDir() (string, error) {

pkg/aflow/flow/repro/repro.go

@@ -56,6 +56,7 @@ func init() {
 					Tools: aflow.Tools(
 						syzlang.ReadDescription,
 						syzlang.Reproduce,
+						syzlang.CoverageTools,
 						codesearcher.Tools,
 						grepper.Tool,
 					),

pkg/aflow/test_util.go

@@ -0,0 +1,20 @@
+// Copyright 2026 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package aflow
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// NewTestContext creates an initialized dummy Context for internal aflow and tool unit tests.
+func NewTestContext(t *testing.T) *Context {
+	cache, err := NewCache(t.TempDir(), 10000000)
+	require.NoError(t, err)
+
+	return &Context{
+		cache: cache,
+	}
+}

pkg/aflow/tool/syzlang/coverage.go

@@ -0,0 +1,140 @@
+// Copyright 2026 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package syzlang
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"slices"
+	"strings"
+
+	"github.com/google/syzkaller/pkg/aflow"
+	"github.com/google/syzkaller/pkg/osutil"
+	"github.com/google/syzkaller/pkg/symbolizer"
+)
+
+var (
+	ToolCoverageFiles = aflow.NewFuncTool("get-coverage-files", getCoverageFiles, `
+Tool returns a list of source files that were covered during a crash reproducer run.
+The list is deduplicated and sorted, presenting a high-level summary of the covered code regions.
+`)
+
+	ToolFileCoverage = aflow.NewFuncTool("get-file-coverage", getFileCoverage, `
+Tool evaluates code coverage for a specific file and returns coverage snippets highlighting the executed lines.
+For each function that had hits in the file, it will dump the executed source lines with short context
+around them. Covered lines are prefixed with '* '.
+`)
+
+	CoverageTools = []aflow.Tool{ToolCoverageFiles, ToolFileCoverage}
+)
+
+type CoverageFilesArgs struct {
+	CoverageID string `jsonschema:"CoverageID returned by the reproduce-crash tool."`
+}
+
+type CoverageFilesResult struct {
+	Files []string `jsonschema:"List of source files containing coverage."`
+}
+
+func getCoverageFiles(ctx *aflow.Context, state reproduceState, args CoverageFilesArgs) (CoverageFilesResult, error) {
+	coverage, err := readCoverage(ctx, args.CoverageID)
+	if err != nil {
+		return CoverageFilesResult{}, err
+	}
+
+	var files []string
+	for _, callcov := range coverage {
+		for _, frame := range callcov {
+			if frame.File != "" {
+				files = append(files, frame.File)
+			}
+		}
+	}
+	slices.Sort(files)
+	files = slices.Compact(files)
+
+	return CoverageFilesResult{Files: files}, nil
+}
+
+type FileCoverageArgs struct {
+	CoverageID string `jsonschema:"CoverageID returned by the reproduce-crash tool."`
+	Filename   string `jsonschema:"Name of the source file to inspect."`
+}
+
+type FileCoverageResult struct {
+	Snippets []string `jsonschema:"List of formatted code snippets for each executed function in the requested file."`
+}
+
+func getFileCoverage(ctx *aflow.Context, state reproduceState, args FileCoverageArgs) (FileCoverageResult, error) {
+	if !filepath.IsLocal(args.Filename) {
+		return FileCoverageResult{}, aflow.BadCallError("filename must be a safe, local relative path")
+	}
+
+	coverage, err := readCoverage(ctx, args.CoverageID)
+	if err != nil {
+		return FileCoverageResult{}, err
+	}
+
+	funcLines := make(map[string][]int)
+	for _, callcov := range coverage {
+		for _, frame := range callcov {
+			if frame.File == args.Filename && frame.Func != "" {
+				funcLines[frame.Func] = append(funcLines[frame.Func], frame.Line)
+			}
+		}
+	}
+
+	if len(funcLines) == 0 {
+		return FileCoverageResult{}, aflow.BadCallError("no coverage found for file: %v", args.Filename)
+	}
+
+	srcBytes, err := os.ReadFile(filepath.Join(state.KernelSrc, args.Filename))
+	if err != nil {
+		return FileCoverageResult{}, aflow.BadCallError("failed to read source file: %v", err)
+	}
+	srcLines := strings.Split(string(srcBytes), "\n")
+
+	var res FileCoverageResult
+
+	for fnName, lines := range funcLines {
+		if len(lines) == 0 {
+			continue
+		}
+		slices.Sort(lines)
+		lines = slices.Compact(lines)
+		minLine := lines[0]
+		maxLine := lines[len(lines)-1]
+
+		ctxPadding := 10
+		start := max(1, minLine-ctxPadding)
+		end := min(len(srcLines), maxLine+ctxPadding)
+
+		var out strings.Builder
+		fmt.Fprintf(&out, "Function: %v\n", fnName)
+		for i := start; i <= end; i++ {
+			prefix := "  "
+			if _, hit := slices.BinarySearch(lines, i); hit {
+				prefix = "* "
+			}
+			fmt.Fprintf(&out, "%s%4d: %s\n", prefix, i, srcLines[i-1])
+		}
+		res.Snippets = append(res.Snippets, out.String())
+	}
+	slices.Sort(res.Snippets)
+
+	return res, nil
+}
+
+func readCoverage(ctx *aflow.Context, coverageID string) ([][]symbolizer.Frame, error) {
+	if !filepath.IsLocal(coverageID) {
+		return nil, aflow.BadCallError("invalid CoverageID: %v", coverageID)
+	}
+	covFile := filepath.Join(ctx.CacheDir("coverage", coverageID), "coverage.json")
+	frames, err := osutil.ReadJSON[[][]symbolizer.Frame](covFile)
+	if err != nil {
+		return nil, aflow.BadCallError("invalid or missing CoverageID: %v", coverageID)
+	}
+	return frames, nil
+}

pkg/aflow/tool/syzlang/coverage_test.go

@@ -0,0 +1,103 @@
+// Copyright 2026 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package syzlang
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/google/syzkaller/pkg/aflow"
+	"github.com/google/syzkaller/pkg/osutil"
+	"github.com/google/syzkaller/pkg/symbolizer"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCoverageFiles(t *testing.T) {
+	ctx := aflow.NewTestContext(t)
+
+	covID := "feedfacefeedfacefeedfacefeedfacefeedface" // 40 chars
+
+	// Mock a cached coverage file.
+	covDir := ctx.CacheDir("coverage", covID)
+	err := osutil.MkdirAll(covDir)
+	require.NoError(t, err)
+
+	dummyCov := [][]symbolizer.Frame{
+		{
+			{File: "kernel/foo.c", Func: "foo", Line: 10},
+			{File: "kernel/bar.c", Func: "bar", Line: 20},
+		},
+		{
+			{File: "kernel/foo.c", Func: "foo2", Line: 30},
+		},
+	}
+	err = osutil.WriteJSON(filepath.Join(covDir, "coverage.json"), dummyCov)
+	require.NoError(t, err)
+
+	res, err := getCoverageFiles(ctx, reproduceState{}, CoverageFilesArgs{
+		CoverageID: covID,
+	})
+	require.NoError(t, err)
+
+	require.Equal(t, []string{"kernel/bar.c", "kernel/foo.c"}, res.Files)
+}
+
+func TestFileCoverage(t *testing.T) {
+	ctx := aflow.NewTestContext(t)
+
+	covID := "feedfacefeedfacefeedfacefeedfacefeedface"
+
+	// Mock a cached coverage file.
+	covDir := ctx.CacheDir("coverage", covID)
+	err := osutil.MkdirAll(covDir)
+	require.NoError(t, err)
+
+	dummyCov := [][]symbolizer.Frame{
+		{
+			{File: "foo.c", Func: "foo", Line: 5},
+			{File: "foo.c", Func: "foo", Line: 6},
+			{File: "foo.c", Func: "foo", Line: 7},
+		},
+	}
+	err = osutil.WriteJSON(filepath.Join(covDir, "coverage.json"), dummyCov)
+	require.NoError(t, err)
+
+	kernelSrc := t.TempDir()
+	err = osutil.MkdirAll(kernelSrc)
+	require.NoError(t, err)
+
+	srcContent := `1
+2
+3
+4
+void foo(void) {
+    int a = 1;
+    a++;
+}
+`
+	err = os.WriteFile(filepath.Join(kernelSrc, "foo.c"), []byte(srcContent), 0644)
+	require.NoError(t, err)
+
+	res, err := getFileCoverage(ctx, reproduceState{KernelSrc: kernelSrc}, FileCoverageArgs{
+		CoverageID: covID,
+		Filename:   "foo.c",
+	})
+	require.NoError(t, err)
+
+	require.Len(t, res.Snippets, 1)
+
+	expectedSnippet := `Function: foo
+     1: 1
+     2: 2
+     3: 3
+     4: 4
+*    5: void foo(void) {
+*    6:     int a = 1;
+*    7:     a++;
+     8: }
+     9: 
+`
+	require.Equal(t, expectedSnippet, res.Snippets[0])
+}