From: Qiuhao Li
To: alxndr@bu.edu, qemu-devel@nongnu.org
Cc: darren.kenny@oracle.com, bsd@redhat.com, thuth@redhat.com, stefanha@redhat.com, pbonzini@redhat.com
Subject: [PATCH 1/4] fuzz: refine crash detection mechanism
Date: Sun, 20 Dec 2020 02:56:24 +0800
X-Microsoft-Original-Message-ID: <20201219185627.426615-1-Qiuhao.Li@outlook.com>
X-Mailer: git-send-email 2.25.1

The original crash detection method is to fork a process to test our new
trace input. If the child process exits in time and the second-to-last line
is the same as the first crash, we think it is a crash triggered by the same
bug.

However, in some situations, it doesn't work since it is a hardcoded-offset
string comparison. For example, suppose an assertion failure makes the
crash. In that case, the second-to-last line will be 'timeout: the monitored
command dumped core', which doesn't contain any information about the
assertion failure like where it happened or the assertion statement. This
may lead to a minimized input that triggers an assertion failure but may
indicate another bug.
As for some sanitizers' crashes, the direct string comparison may stop us
from getting a smaller input, since they may have a different leaf stack
frame.

Perhaps we can detect crashes using both precise output string comparison
and rough pattern string match, and inform the user when the trace input
triggers a different but similar output.

Tested:
  Assertion failure, https://bugs.launchpad.net/qemu/+bug/1908062
  AddressSanitizer, https://bugs.launchpad.net/qemu/+bug/1907497
  Trace input that doesn't crash
  Trace input that crashes Qtest

Signed-off-by: Qiuhao Li
--- scripts/oss-fuzz/minimize_qtest_trace.py | 59 ++++++++++++++++++------ 1 file changed, 46 insertions(+), 13 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/mi= nimize_qtest_trace.py index 5e405a0d5f..d3b09e6567 100755 --- a/scripts/oss-fuzz/minimize_qtest_trace.py +++ b/scripts/oss-fuzz/minimize_qtest_trace.py @@ -10,11 +10,16 @@ import os import subprocess import time import struct +import re =20 QEMU_ARGS =3D None QEMU_PATH =3D None TIMEOUT =3D 5 -CRASH_TOKEN =3D None + +crash_patterns =3D ("Assertion.+failed", + "SUMMARY.+Sanitizer") +crash_pattern =3D None +crash_string =3D None =20 write_suffix_lookup =3D {"b": (1, "B"), "w": (2, "H"), @@ -24,13 +29,12 @@ write_suffix_lookup =3D {"b": (1, "B"), def usage(): sys.exit("""\ Usage: QEMU_PATH=3D"/path/to/qemu" QEMU_ARGS=3D"args" {} input_trace outpu= t_trace -By default, will try to use the second-to-last line in the output to ident= ify -whether the crash occred. Optionally, manually set a string that idenitife= s the -crash by setting CRASH_TOKEN=3D +By default, we will try to search predefined crash patterns through the +tracing output to see whether the crash occred. Optionally, manually set a +string that idenitifes the crash by setting CRASH_PATTERN=3D """.format((sys.argv[0]))) =20 def check_if_trace_crashes(trace, path): - global CRASH_TOKEN with open(path, "w") as tracefile: tracefile.write("".join(trace)) =20
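Review bot: the rewritten usage text in the @@ -24,13 +29,12 @@ hunk carries over the misspellings "occred" and "idenitifes" from the lines it replaces; since these lines are being rewritten anyway, make them "occurred" and "identifies". The new sentence "search predefined crash patterns through the tracing output" would also read more clearly as "search the output for one of the predefined crash patterns", and it should say that CRASH_PATTERN is a regular expression rather than a plain string, since the code passes it to re.search().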
@@ -42,17 +46,47 @@ def check_if_trace_crashes(trace, path): shell=3DTrue, stdin=3Dsubprocess.PIPE, stdout=3Dsubprocess.PIPE) + if rc.returncode =3D=3D 137: # Timed Out + return False + stdo =3D rc.communicate()[0] output =3D stdo.decode('unicode_escape') - if rc.returncode =3D=3D 137: # Timed Out - return False - if len(output.splitlines()) < 2: + output_lines =3D output.splitlines() + # Usually we care about the summary info in the last few lines, revers= e. + output_lines.reverse() + + global crash_pattern, crash_patterns, crash_string + if crash_pattern is None: # Initialization + for line in output_lines: + for c in crash_patterns: + if re.search(c, line) is not None: + crash_pattern =3D c + crash_string =3D line + print("Identifying crash pattern by this string: ",\ + crash_string) + print("Using regex pattern: ", crash_pattern) + return True + print("Failed to initialize crash pattern: no match.") return False =20 - if CRASH_TOKEN is None: - CRASH_TOKEN =3D output.splitlines()[-2] + # First, we search exactly the previous crash string. + for line in output_lines: + if crash_string =3D=3D line: + return True + + # Then we decide whether a similar (same pattern) crash happened. + # Slower now :( + for line in output_lines: + if re.search(crash_pattern, line) is not None: + print("\nINFO: The crash string changed during our minimizatio= n process.") + print("Before: ", crash_string) + print("After: ", line) + print("The original regex pattern can still match, updated the= crash string.") + crash_string =3D line + return True =20 - return CRASH_TOKEN in output + # The input did not trigger (the same type) bug. + return False =20 =20 def minimize_trace(inpath, outpath): @@ -66,7 +100,6 @@ def minimize_trace(inpath, outpath): print("Crashed in {} seconds".format(end-start)) TIMEOUT =3D (end-start)*5 print("Setting the timeout for {} seconds".format(TIMEOUT)) - print("Identifying Crashes by this string: {}".format(CRASH_TOKEN)) =20 i =3D 0 newtrace =3D trace[:] 
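Review bot: in the @@ -42,17 +46,47 @@ hunk the timeout check is moved above rc.communicate(), but rc is a Popen object (the visible code calls rc.communicate()), and Popen.returncode stays None until the child has been waited for, so `if rc.returncode == 137` can never be true at that point and a timed-out run falls through to the pattern search over whatever partial output it produced. Keep the check after `stdo = rc.communicate()[0]` as it was. Two smaller points: `crash_patterns` is never assigned, so it does not belong in the `global` statement, and the regex strings are re-searched on every line of every run; compiling them once at module level would avoid the "Slower now :(" cost the comment mentions.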
@@ -152,6 +185,6 @@ if __name__ =3D=3D '__main__': usage() # if "accel" not in QEMU_ARGS: # QEMU_ARGS +=3D " -accel qtest" - CRASH_TOKEN =3D os.getenv("CRASH_TOKEN") + crash_pattern =3D os.getenv("CRASH_PATTERN") QEMU_ARGS +=3D " -qtest stdio -monitor none -serial none " minimize_trace(sys.argv[1], sys.argv[2]) --=20 2.25.1
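Review bot: `crash_pattern = os.getenv("CRASH_PATTERN")` sets the pattern but leaves crash_string at None, so on the first run check_if_trace_crashes() skips its initialization block (it is keyed on `crash_pattern is None`), the exact-string loop can never match, and the regex loop prints "INFO: The crash string changed ... Before: None" for what is really the first identification. Either key the initialization on crash_string being None, or set crash_string from the first regex hit without reporting a change. It is also worth passing the user-supplied value through re.compile() here so an invalid pattern fails with a clear message before minimization starts rather than with a traceback inside the loop.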
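Here is an added example, not part of the patch or of minimize_qtest_trace.py, that models the two-stage matching the commit message proposes (exact crash string first, then the pattern that found it, scanning from the last line back) and also initializes the crash string on the first hit when only a pattern was supplied. The device, file paths, stack frames and qtest output lines are constructed.

```python
import re
from typing import List, Optional

# The two predefined patterns from the patch.
CRASH_PATTERNS = ("Assertion.+failed", "SUMMARY.+Sanitizer")


class CrashMatcher:
    """Two-stage crash identification: search the output from its last line
    backwards, first for the exact crash string seen on the first run, then
    for the regex pattern that found it. `pattern` stands in for the
    CRASH_PATTERN environment variable."""

    def __init__(self, pattern: Optional[str] = None):
        self.pattern = re.compile(pattern) if pattern else None
        self.crash_string: Optional[str] = None
        self.changed = False  # last check matched the pattern but not the string

    def _initialize(self, lines: List[str]) -> bool:
        """First identification: remember the first matching line and its pattern."""
        candidates = [self.pattern] if self.pattern else [re.compile(p) for p in CRASH_PATTERNS]
        for line in lines:
            for pat in candidates:
                if pat.search(line):
                    self.pattern, self.crash_string = pat, line
                    return True
        return False

    def check(self, output: str, timed_out: bool = False) -> bool:
        """True if `output` shows the same crash, or the same kind of crash."""
        self.changed = False
        if timed_out:  # the script treats a timeout (exit status 137) as no crash
            return False
        lines = output.splitlines()
        lines.reverse()  # the summary usually sits in the last few lines
        # Keyed on crash_string rather than on the pattern, so a user-supplied
        # pattern is initialized on its first hit instead of reported as a change.
        if self.crash_string is None:
            return self._initialize(lines)
        if self.crash_string in lines:
            return True
        for line in lines:
            if self.pattern.search(line):
                self.changed = True  # same bug class, e.g. a different leaf frame
                self.crash_string = line
                return True
        return False


# Constructed sample outputs (hypothetical device, paths and frames).
ASSERT_LINE = "qemu-system-i386: hw/example/dev.c:123: dev_write: Assertion `size <= 4' failed."
ASSERT_OUTPUT = "OK\nOK\n" + ASSERT_LINE + "\ntimeout: the monitored command dumped core\n"

ASAN_SUMMARY_A = "SUMMARY: AddressSanitizer: heap-buffer-overflow hw/example/dev.c:140 in dev_write"
ASAN_SUMMARY_B = "SUMMARY: AddressSanitizer: heap-buffer-overflow hw/example/dev.c:98 in dev_write_byte"
ASAN_OUTPUT_A = ("==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018\n"
                 "    #0 0x55d1 in dev_write hw/example/dev.c:140\n" + ASAN_SUMMARY_A + "\n")
ASAN_OUTPUT_B = ("==4243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018\n"
                 "    #0 0x55e2 in dev_write_byte hw/example/dev.c:98\n"
                 "    #1 0x55d1 in dev_write hw/example/dev.c:140\n" + ASAN_SUMMARY_B + "\n")
NO_CRASH_OUTPUT = "OK\nOK\nOK\n"


def demo() -> List[str]:
    """Walk through the situations the commit message describes."""
    events = []
    m = CrashMatcher()
    m.check(ASSERT_OUTPUT)
    events.append("assertion identified by: " + str(m.crash_string))
    events.append("non-crashing input matches: " + str(m.check(NO_CRASH_OUTPUT)))
    a = CrashMatcher()
    a.check(ASAN_OUTPUT_A)
    a.check(ASAN_OUTPUT_B)
    events.append("leaf frame changed, same pattern still matches: " + str(a.changed))
    return events


if __name__ == "__main__":
    print("\n".join(demo()))
```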
From: Qiuhao Li
To: alxndr@bu.edu, qemu-devel@nongnu.org
Cc: darren.kenny@oracle.com, bsd@redhat.com, thuth@redhat.com, stefanha@redhat.com, pbonzini@redhat.com
Subject: [PATCH 2/4] fuzz: split QTest writes from the rightmost byte
Date: Sun, 20 Dec 2020 02:56:25 +0800
X-Microsoft-Original-Message-ID: <20201219185627.426615-2-Qiuhao.Li@outlook.com>
X-Mailer: git-send-email 2.25.1

Currently, we split the write commands' data from the middle. If it does
not work, try to move the pivot "left" and retry until there is no space
left. But this is complete for ram writes but not for IO writes.

For example, there is an IO write command:

  write addr uuxxxxuu

u is the unnecessary byte for the crash. Unlike ram write commands, in
most cases, a split IO write won't trigger the same crash, so if we split
from the middle, we will get:

  write addr uu (will be removed in next round)
  write addr xxxxuu

For xxxxuu, since splitting it from the middle and retrying to the
leftmost byte won't get the same crash, we will be stopped from removing
the last two bytes.

Therefore, we should split QTest writes from the rightmost byte.
Tested with Bug 1908062. Refined vs. Original result:

  outl 0xcf8 0x8000081c                 outl 0xcf8 0x8000081c
  outb 0xcfc 0xc3                       outb 0xcfc 0xc3
  outl 0xcf8 0x8000082f                 outl 0xcf8 0x8000082f
  outl 0xcf8 0x80000804                 outl 0xcf8 0x80000804
  outl 0xcfc 0x9b2765be                 outl 0xcfc 0x9b2765be
  write 0xc300001024 0x2 0x0055         write 0xc300001024 0x2 0x0055
  write 0xc300001028 0x1 0x5a           write 0xc300001028 0x1 0x5a
  write 0xc30000101c 0x1 0x01           write 0xc30000101c 0x1 0x01
  writel 0xc30000100c 0x2a6f6c63        writel 0xc30000100c 0x2a6f6c63
  write 0xc300001018 0x1 0xa4 <--       write 0xc300001016 0x3 0xa4a4a4
  write 0x5c 0x1 0x19                   write 0x5c 0x1 0x19
  write 0xc300003002 0x1 0x8a           write 0xc300003002 0x1 0x8a

Signed-off-by: Qiuhao Li
--- scripts/oss-fuzz/minimize_qtest_trace.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/mi= nimize_qtest_trace.py index d3b09e6567..855c3bcb54 100755 --- a/scripts/oss-fuzz/minimize_qtest_trace.py +++ b/scripts/oss-fuzz/minimize_qtest_trace.py @@ -140,7 +140,7 @@ def minimize_trace(inpath, outpath): =20 # 3.) If it is a qtest write command: write addr len data, try to = split # it into two separate write commands. If splitting the write down= the - # middle does not work, try to move the pivot "left" and retry, un= til + # rightmost does not work, try to move the pivot "left" and retry,= until # there is no space left. The idea is to prune unneccessary bytes = from # long writes, while accommodating arbitrary MemoryRegion access s= izes # and alignments.
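Review bot: the new comment text in the @@ -140,7 +140,7 @@ hunk, "If splitting the write down the rightmost does not work", is not grammatical and does not describe what the code now does (the pivot starts at the rightmost byte); suggest "If splitting off the rightmost byte does not work, try to move the pivot "left" and retry, until there is no space left". While this comment is being touched, "unneccessary" in the unchanged context line could become "unnecessary".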
@@ -149,7 +149,7 @@ def minimize_trace(inpath, outpath): length =3D int(newtrace[i].split()[2], 16) data =3D newtrace[i].split()[3][2:] if length > 1: - leftlength =3D int(length/2) + leftlength =3D length - 1 rightlength =3D length - leftlength newtrace.insert(i+1, "") while leftlength > 0: --=20 2.25.1
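Review bot: `leftlength = length - 1` together with the unchanged `while leftlength > 0` loop means the pivot now starts at the far right and walks left one byte per iteration, so when the bytes the crash needs reach to the end of the write, up to length-1 QEMU runs are spent before a split succeeds, where the middle pivot needed at most about half that; and a long unneeded tail is now peeled off one byte per round instead of being halved. That is the right trade for IO writes, as the commit message argues, but it slows minimization of long RAM writes; consider trying the rightmost pivot first and falling back to the middle pivot when it fails, or at least stating the cost in the comment above this loop.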
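To make the commit message's "uuxxxxuu" argument concrete, here is an added example, not code from the patch or from minimize_qtest_trace.py, that replays the script's split loop with both pivot choices against a toy crash oracle. The oracle, the address 0x1002 and the byte values are constructed; in the real script every candidate trace is a QEMU run, which is what the oracle's call counter stands in for.

```python
from typing import Callable, List, Tuple

Trace = List[str]  # qtest commands; only "write addr len data" is modelled here


def parse_write(cmd: str) -> Tuple[int, int, str]:
    """'write 0x1000 0x8 0x5555a1a2a3a45555' -> (0x1000, 8, '5555a1a2a3a45555')"""
    _, addr, length, data = cmd.split()
    return int(addr, 16), int(length, 16), data[2:]


def fmt_write(addr: int, length: int, data: str) -> str:
    return "write {} {} 0x{}".format(hex(addr), hex(length), data)


class IoWriteOracle:
    """Toy stand-in for running QEMU: the 'device' only crashes when ONE write
    delivers the needed bytes at the needed address, i.e. a split write does
    not reproduce the crash. `calls` counts simulated QEMU runs."""

    def __init__(self, needed_addr: int, needed_hex: str):
        self.needed_addr, self.needed_hex, self.calls = needed_addr, needed_hex, 0

    def __call__(self, trace: Trace) -> bool:
        self.calls += 1
        for cmd in trace:
            addr, length, data = parse_write(cmd)
            lo = self.needed_addr - addr
            hi = lo + len(self.needed_hex) // 2
            if 0 <= lo and hi <= length and data[lo * 2:hi * 2] == self.needed_hex:
                return True
        return False


def split_write(trace: Trace, i: int, crashes: Callable[[Trace], bool],
                from_rightmost: bool) -> bool:
    """Mirror of the script's step 3: split trace[i] into two writes at a pivot
    and move the pivot left until the crash reproduces. True if a split stuck."""
    addr, length, data = parse_write(trace[i])
    if length <= 1:
        return False
    leftlength = length - 1 if from_rightmost else length // 2
    while leftlength > 0:
        rightlength = length - leftlength
        left = fmt_write(addr, leftlength, data[:leftlength * 2])
        right = fmt_write(addr + leftlength, rightlength, data[leftlength * 2:])
        if crashes(trace[:i] + [left, right] + trace[i + 1:]):
            trace[i:i + 1] = [left, right]
            return True
        leftlength -= 1
    return False


def minimize(trace: Trace, crashes: Callable[[Trace], bool], from_rightmost: bool) -> Trace:
    """Repeat 'drop the command' (step 1) and 'split the write' (step 3) until a
    full pass changes nothing. After a split the same index is re-examined, as
    the script does with `i -= 1`."""
    trace = list(trace)
    changed = True
    while changed:
        changed = False
        i = 0
        while i < len(trace):
            without = trace[:i] + trace[i + 1:]
            if crashes(without):
                trace, changed = without, True
                continue
            if split_write(trace, i, crashes, from_rightmost):
                changed = True
                continue
            i += 1
    return trace


# Constructed input: 'uu xxxx uu' from the commit message, with u = 0x55 and the
# four bytes a1a2a3a4 at 0x1002 being the only ones the crash needs.
TRACE = ["write 0x1000 0x8 0x5555a1a2a3a45555"]


def run(from_rightmost: bool) -> Tuple[Trace, int]:
    oracle = IoWriteOracle(0x1002, "a1a2a3a4")
    return minimize(TRACE, oracle, from_rightmost), oracle.calls


if __name__ == "__main__":
    for name, flag in (("middle", False), ("rightmost", True)):
        result, runs = run(flag)
        print("{:9s} pivot: {} after {} simulated QEMU runs".format(name, result, runs))
```

The middle pivot stops at the six-byte write the commit message predicts, while the rightmost pivot reaches the four needed bytes.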
From: Qiuhao Li
To: alxndr@bu.edu, qemu-devel@nongnu.org
Cc: darren.kenny@oracle.com, bsd@redhat.com, thuth@redhat.com, stefanha@redhat.com, pbonzini@redhat.com
Subject: [PATCH 3/4] fuzz: setting bits in operand of out/write to zero
Date: Sun, 20 Dec 2020 02:56:26 +0800
X-Microsoft-Original-Message-ID: <20201219185627.426615-3-Qiuhao.Li@outlook.com>

Simplifying the crash cases by opportunistically setting bits in operands of out/write to zero may help to debug, since usually bit one means turn on or trigger a function while zero is the default turn-off setting.

Tested with Bug 1908062.

Refined vs. Original result:

outl 0xcf8 0x8000081c             outl 0xcf8 0x8000081c
outb 0xcfc 0xc3                   outb 0xcfc 0xc3
outl 0xcf8 0x0                <-- outl 0xcf8 0x8000082f
outl 0xcf8 0x80000804             outl 0xcf8 0x80000804
outl 0xcfc 0x10000006         <-- outl 0xcfc 0x9b2765be
write 0xc300001024 0x2 0x10   <-- write 0xc300001024 0x2 0x0055
write 0xc300001028 0x1 0x5a       write 0xc300001028 0x1 0x5a
write 0xc30000101c 0x1 0x01       write 0xc30000101c 0x1 0x01
writel 0xc30000100c 0x2a6f6c63    writel 0xc30000100c 0x2a6f6c63
write 0xc300001018 0x1 0x80   <-- write 0xc300001018 0x1 0xa4
write 0x5c 0x1 0x10           <-- write 0x5c 0x1 0x19
write 0xc300003002 0x1 0x0    <-- write 0xc300003002 0x1 0x8a

Signed-off-by: Qiuhao Li
Reviewed-by: Alexander Bulekov
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 42 +++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py
index 855c3bcb54..f3e88064c4 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -172,7 +172,47 @@ def minimize_trace(inpath, outpath): newtrace[i] =3D prior del newtrace[i+1] i +=3D 1 - check_if_trace_crashes(newtrace, outpath) + + assert(check_if_trace_crashes(newtrace, outpath)) + + TIMEOUT =3D (end-start)*2 # input is short now + + # try setting bits in operands of out/write to zero + i =3D 0 + while i < len(newtrace): + if (not newtrace[i].startswith("write ") and not + newtrace[i].startswith("out")): + i +=3D 1 + continue + # write ADDR SIZE DATA + # outx ADDR VALUE + print("\nzero setting bits: {}".format(newtrace[i])) + + prefix =3D " ".join(newtrace[i].split()[:-1]) + data =3D newtrace[i].split()[-1] + data_bin =3D bin(int(data, 16)) + data_bin_list =3D list(data_bin) + + for j in range(2, len(data_bin_list)): + prior =3D newtrace[i] + if (data_bin_list[j] =3D=3D '1'): + data_bin_list[j] =3D '0' + data_try =3D hex(int("".join(data_bin_list), 2)) + # It seems qtest only accect hex with one byte zero padding + if len(data_try) % 2 =3D=3D 1: + data_try =3D data_try[:2] + "0" + data_try[2:-1] + + newtrace[i] =3D "{prefix} {data_try}\n".format( + prefix=3Dprefix, + data_try=3Ddata_try) + + if not check_if_trace_crashes(newtrace, outpath): + data_bin_list[j] =3D '1' + newtrace[i] =3D prior + + i +=3D 1 + + assert(check_if_trace_crashes(newtrace, outpath)) =20 =20 if __name__ =3D=3D '__main__': --=20 2.25.1 From nobody Tue Nov 18 07:44:07 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; arc=pass (i=1dmarc=pass fromdomain=outlook.com); dmarc=pass(p=none dis=none) header.from=outlook.com ARC-Seal: i=2; a=rsa-sha256; t=1608405078; cv=pass; d=zohomail.com; s=zohoarc; b=XyjX5jNHdNykDvjPVOQBHr16wX6A/S8ZGTqrDcZaZ9r+AIQ0UwyylZLu78lSyvquywzBGYA86x95nWNYKH2NbGeeXDlgPAJ+/n16ooT0XrR9tWLcfmT4Zdi5xGPIAZ8FE0264EIUAisVvieFGtu+eOr6mhbPoU9v6+Rd1VkA7HU= 
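Review bot: the zero padding in this hunk truncates the value it is meant to pad. `data_try[2:-1]` drops the last hex digit, so for an odd-length result such as `0x5` the line becomes `0x0` instead of `0x05`, and check_if_trace_crashes is then run on a value with more bits cleared than the single bit this iteration intended; because the retry loop rebuilds the next candidate from `data_bin_list` rather than from `newtrace[i]`, the trace line and the bit list can also end up disagreeing when a truncated value happens to crash on the last attempt. Use `data_try = data_try[:2] + "0" + data_try[2:]`. Two smaller points: "accect" in the comment should read "accepts", and `TIMEOUT = (end-start)*2` only reaches check_if_trace_crashes if minimize_trace declares `global TIMEOUT` above the visible context; otherwise it just creates an unused local.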
From: Qiuhao Li
To: alxndr@bu.edu, qemu-devel@nongnu.org
Cc: darren.kenny@oracle.com, bsd@redhat.com, thuth@redhat.com, stefanha@redhat.com, pbonzini@redhat.com
Subject: [PATCH 4/4] fuzz: delay IO until they can't trigger the crash
Date: Sun, 20 Dec 2020 02:56:27 +0800
X-Microsoft-Original-Message-ID: <20201219185627.426615-4-Qiuhao.Li@outlook.com>

Since programmers usually trigger an IO just before they need it, trying to delay some IO instructions may help us better understand the timing context when debugging.

Tested with Bug 1908062.

Refined vs.
Original result: outl 0xcf8 0x8000081c outl 0xcf8 0x0 outb 0xcfc 0xc3 | outl 0xcf8 0x8000081c outl 0xcf8 0x80000804 | outb 0xcfc 0xc3 outl 0xcfc 0x10000006 | outl 0xcf8 0x80000804 write 0xc300001028 0x1 0x5a | outl 0xcfc 0x10000006 write 0xc300001024 0x2 0x10 | write 0xc300001028 0x1 0x5a write 0xc30000101c 0x1 0x01 | writel 0xc30000100c 0x2a6f6c63 write 0xc300003002 0x1 0x0 v write 0xc300001024 0x2 0x10 write 0x5c 0x1 0x10 write 0xc30000101c 0x1 0x01 writel 0xc30000100c 0x2a6f6c63 write 0xc300001018 0x1 0x80 write 0xc300001018 0x1 0x80 write 0x5c 0x1 0x10 outl 0xcf8 0x0 write 0xc300003002 0x1 0x0 Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/mi= nimize_qtest_trace.py index f3e88064c4..da7aa73b3c 100755 --- a/scripts/oss-fuzz/minimize_qtest_trace.py +++ b/scripts/oss-fuzz/minimize_qtest_trace.py @@ -214,6 +214,27 @@ def minimize_trace(inpath, outpath): =20 assert(check_if_trace_crashes(newtrace, outpath)) =20 + # delay IO instructions until they can't trigger the crash + # Note: O(n^2) and many timeouts, kinda slow + i =3D len(newtrace) - 1 + while i >=3D 0: + tmp_i =3D newtrace[i] + if len(tmp_i) < 2: + i -=3D 1 + continue + print("Delaying ", newtrace[i]) + for j in reversed(range(i+1, len(newtrace)+1)): + newtrace.insert(j, tmp_i) + del newtrace[i] + if check_if_trace_crashes(newtrace, outpath): + break + newtrace.insert(i, tmp_i) + del newtrace[j] + i -=3D 1 + + assert(check_if_trace_crashes(newtrace, outpath)) + # maybe another removing round + =20 if __name__ =3D=3D '__main__': if len(sys.argv) < 3: --=20 2.25.1
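Review bot: the innermost iteration of the delay loop is a no-op that costs a full execution. For `j == i+1`, `newtrace.insert(j, tmp_i)` followed by `del newtrace[i]` leaves the trace exactly as it was, so check_if_trace_crashes (up to TIMEOUT each time) re-confirms what the assert just above already established, once per instruction, on top of the O(n^2) cost the comment already admits. Start the range at `i+2` (`for j in reversed(range(i+2, len(newtrace)+1)):`); the restore path `newtrace.insert(i, tmp_i); del newtrace[j]` stays correct and the closing assert still holds, since every iteration either breaks on a crashing arrangement or restores the previous one. The dangling `# maybe another removing round` comment should either say what is planned (a TODO) or be dropped.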
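As an added example that serves both commit messages (it is not the QEMU script's code and borrows nothing from it beyond the qtest line format): the bit-clearing pass of patch 3/4 and the delay pass of patch 4/4, run offline against a constructed oracle `crashes()` that stands in for check_if_trace_crashes(); the sample trace, the oracle's conditions and the bit masks are constructed from values in the tables above.

```python
def crashes(trace):
    # Constructed oracle standing in for check_if_trace_crashes(): the "crash"
    # needs an outl to 0xcfc that keeps bits 0x10000006, issued after the
    # config-address outl 0xcf8 0x80000804, plus a write to 0xc300001024
    # whose data keeps bit 0x10. A real run would execute QEMU instead.
    seen_cf8 = cfc_ok = write_ok = False
    for line in trace:
        words = line.split()
        value = int(words[-1], 16)
        if words[:2] == ["outl", "0xcf8"] and value == 0x80000804:
            seen_cf8 = True
        elif words[:2] == ["outl", "0xcfc"]:
            cfc_ok = seen_cf8 and (value & 0x10000006) == 0x10000006
        elif words[:2] == ["write", "0xc300001024"]:
            write_ok = bool(value & 0x10)
    return cfc_ok and write_ok

def pad_hex(value):
    # hex() with an even digit count, as qtest expects: 0x5 -> "0x05"
    s = hex(value)
    return s if len(s) % 2 == 0 else s[:2] + "0" + s[2:]

def clear_bits(trace, oracle):
    # Pass 1 (patch 3/4): clear the set bits of each out*/write operand one
    # at a time, MSB first, and keep a cleared bit only if it still crashes.
    trace = list(trace)
    for i, line in enumerate(trace):
        if not (line.startswith("write ") or line.startswith("out")):
            continue
        prefix, data = line.rsplit(maxsplit=1)
        value = int(data, 16)
        for bit in [b for b in range(value.bit_length() - 1, -1, -1) if value >> b & 1]:
            prior = trace[i]
            trace[i] = f"{prefix} {pad_hex(value & ~(1 << bit))}\n"
            if oracle(trace):
                value &= ~(1 << bit)
            else:
                trace[i] = prior  # restore the line exactly as it was
    return trace

def delay_io(trace, oracle):
    # Pass 2 (patch 4/4): move each line as late as it can go while the trace
    # still crashes, latest slot first; the no-op move to its own slot is skipped.
    trace = list(trace)
    for i in range(len(trace) - 1, -1, -1):
        line = trace[i]
        for j in range(len(trace) - 1, i, -1):
            moved = trace[:i] + trace[i + 1:j + 1] + [line] + trace[j + 1:]
            if oracle(moved):
                trace = moved
                break
    return trace

# Constructed sample trace; values taken from the commit message's table.
TRACE = ["outl 0xcf8 0x80000804\n", "outl 0xcfc 0x9b2765be\n",
         "write 0xc300001024 0x2 0x0055\n"]
```

Against this oracle `clear_bits` reduces 0x9b2765be to 0x10000006 and 0x0055 to 0x10, as in the table, and `delay_io` then moves the write ahead of the two outl lines, which is the latest arrangement that still crashes.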