[PATCH v2 0/3] fuzz: Add a sparse-memory device to accelerate fuzzing

Alexander Bulekov posted 3 patches 3 years, 1 month ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20210313231859.941263-1-alxndr@bu.edu
Maintainers: "Michael S. Tsirkin" <mst@redhat.com>, Bandan Das <bsd@redhat.com>, Laurent Vivier <lvivier@redhat.com>, Stefan Hajnoczi <stefanha@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>, Igor Mammedov <imammedo@redhat.com>, Alexander Bulekov <alxndr@bu.edu>, Thomas Huth <thuth@redhat.com>
v2:
    - Make the device a TYPE_SYS_BUS_DEVICE device
    - Remove the qtest (the device cannot be enabled for testing outside
      of the fuzzing code).
    - Since this will only be used for short-lived fuzzing processes, do
      not keep track of empty regions.
    - Move some DMA callbacks to properly fill DMA buffers in sparse
      memory

The generic-fuzzer often provides virtual devices with bogus DMA
addresses (e.g. 0x4141414141414141). The probability that these fuzzed
addresses actually land within RAM is quite small. The fuzzer eventually
finds valid addresses; however, this takes some time, and the problem is
compounded when the device accesses multiple DMA regions. This series
adds a "sparse" memory device and configures it for the generic-fuzzer.
This allows us to simulate 16 EB of RAM (only a tiny portion actually
populated). Thus, almost any randomly generated 64-bit address will land
in memory that the fuzzer can populate with data.
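The idea behind that paragraph as an added, stand-alone C model (not code from this series or from QEMU's hw/mem/sparse-mem.c; all names are hypothetical): pages are allocated only on first write, so a bogus 64-bit DMA address resolves to writable, zero-initialised memory while the process holds only the pages actually touched.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sparse backing store: the 64-bit space is "backed" without
 * being reserved, which is what keeps a 16 EB region cheap to model. */
#define SP_PAGE_SIZE 4096ULL
#define SP_BUCKETS   1024   /* hash index below is 10 bits wide */

typedef struct sp_page { uint64_t base; struct sp_page *next; uint8_t data[SP_PAGE_SIZE]; } sp_page;
typedef struct { sp_page *buckets[SP_BUCKETS]; size_t populated; } sparse_mem;

/* Find the page covering addr; with alloc set, create a zeroed page on a miss.
 * Pages are never freed: the store is meant for a short-lived fuzz process. */
static sp_page *sp_lookup(sparse_mem *m, uint64_t addr, int alloc) {
    uint64_t base = addr & ~(SP_PAGE_SIZE - 1);
    unsigned h = (unsigned)(((base >> 12) * 0x9E3779B97F4A7C15ULL) >> 54); /* Fibonacci hash, top 10 bits */
    for (sp_page *p = m->buckets[h]; p; p = p->next)
        if (p->base == base) return p;
    if (!alloc) return NULL;
    sp_page *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->base = base; p->next = m->buckets[h]; m->buckets[h] = p; m->populated++;
    return p;
}

/* Copy len bytes in (is_write) or out, spanning page boundaries.
 * Unpopulated pages read as zero, like RAM that was never written. */
int sparse_access(sparse_mem *m, uint64_t addr, void *buf, size_t len, int is_write) {
    for (uint8_t *b = buf; len; ) {
        size_t off = addr & (SP_PAGE_SIZE - 1), n = SP_PAGE_SIZE - off;
        if (n > len) n = len;
        sp_page *p = sp_lookup(m, addr, is_write);
        if (is_write) { if (!p) return -1; memcpy(p->data + off, b, n); }
        else if (p) memcpy(b, p->data + off, n);
        else memset(b, 0, n);
        b += n; addr += n; len -= n;
    }
    return 0;
}

/* Self-check with a constructed fuzzer-style address: a 16-byte DMA buffer
 * placed at the last 8 bytes of a page, so the write must populate two pages. */
int sparse_selftest(void) {
    sparse_mem m = {{0}, 0};
    uint8_t in[16], out[16], zero[8];
    for (int i = 0; i < 16; i++) in[i] = (uint8_t)(0xA0 + i);
    uint64_t addr = 0x4141414141414FF8ULL;
    if (sparse_access(&m, addr, in, sizeof in, 1)) return 0;
    sparse_access(&m, addr, out, sizeof out, 0);
    sparse_access(&m, 0x4242424242424242ULL, zero, sizeof zero, 0); /* never written */
    return m.populated == 2 && !memcmp(in, out, 16) && !zero[0] && !zero[7];
}
```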

Alexander Bulekov (3):
  memory: add a sparse memory device for fuzzing
  fuzz: configure a sparse-mem device, by default
  fuzz: move some DMA hooks

 MAINTAINERS                     |   1 +
 hw/mem/meson.build              |   1 +
 hw/mem/sparse-mem.c             | 152 ++++++++++++++++++++++++++++++++
 include/hw/mem/sparse-mem.h     |  19 ++++
 softmmu/memory.c                |   1 -
 softmmu/physmem.c               |   2 +-
 tests/qtest/fuzz/generic_fuzz.c |  14 ++-
 7 files changed, 185 insertions(+), 5 deletions(-)
 create mode 100644 hw/mem/sparse-mem.c
 create mode 100644 include/hw/mem/sparse-mem.h

-- 
2.28.0