Simplifying the crash cases by opportunistically setting bits in operands of
out/write to zero may help to debug, since usually bit one means turn on or
trigger a function while zero is the default turn-off setting.
Tested Bug 1908062.
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
---
scripts/oss-fuzz/minimize_qtest_trace.py | 39 ++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py
index 59e91de7e2..219858a9e3 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -167,6 +167,42 @@ def remove_lines(newtrace, outpath):
i += 1
+def clear_bits(newtrace, outpath):
+ # try setting bits in operands of out/write to zero
+ i = 0
+ while i < len(newtrace):
+ if (not newtrace[i].startswith("write ") and not
+ newtrace[i].startswith("out")):
+ i += 1
+ continue
+ # write ADDR SIZE DATA
+ # outx ADDR VALUE
+ print("\nzero setting bits: {}".format(newtrace[i]))
+
+ prefix = " ".join(newtrace[i].split()[:-1])
+ data = newtrace[i].split()[-1]
+ data_bin = bin(int(data, 16))
+ data_bin_list = list(data_bin)
+
+ for j in range(2, len(data_bin_list)):
+ prior = newtrace[i]
+ if (data_bin_list[j] == '1'):
+ data_bin_list[j] = '0'
+ data_try = hex(int("".join(data_bin_list), 2))
+ # It seems qtest only accepts padded hex-values.
+ if len(data_try) % 2 == 1:
+ data_try = data_try[:2] + "0" + data_try[2:-1]
+
+ newtrace[i] = "{prefix} {data_try}\n".format(
+ prefix=prefix,
+ data_try=data_try)
+
+ if not check_if_trace_crashes(newtrace, outpath):
+ data_bin_list[j] = '1'
+ newtrace[i] = prior
+ i += 1
+
+
def minimize_trace(inpath, outpath):
global TIMEOUT
with open(inpath) as f:
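Review bot: the padding branch in clear_bits drops a hex digit: `data_try = data_try[:2] + "0" + data_try[2:-1]` slices off the last character, so a cleared value of 0x7 is rewritten as "0x0" and 0x123 as "0x012", and the crash check then runs against a different value than the single bit flip intended (and may keep it). The minimal fix is `data_try[2:]`; better, format the cleared value back to the original operand width, e.g. `"0x{:0{w}x}".format(int("".join(data_bin_list), 2), w=len(data) - 2)` (assuming the trace operand carries the 0x prefix), which also preserves the leading zeros that `hex()` strips, since a wide operand such as 0x00000001 would otherwise be re-emitted as 0x01. A short comment that the loop clears bits greedily from the most significant bit down, at the cost of one `check_if_trace_crashes` run per set bit, would also help readers of this function.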
@@ -187,7 +223,10 @@ def minimize_trace(inpath, outpath):
old_len = len(newtrace)
remove_lines(newtrace, outpath)
newtrace = list(filter(lambda s: s != "", newtrace))
+ assert(check_if_trace_crashes(newtrace, outpath))
+ # set bits to zero
+ clear_bits(newtrace, outpath)
assert(check_if_trace_crashes(newtrace, outpath))
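Review bot: the two bare `assert(check_if_trace_crashes(newtrace, outpath))` calls around `clear_bits` give no hint of which stage stopped the trace from crashing when one fires; since clear_bits reverts every flip that fails its own crash check, the trailing assert can only trip when crash reproduction is flaky (e.g. a timeout), so a message such as `assert check_if_trace_crashes(newtrace, outpath), "trace no longer crashes after clear_bits"` would make that much easier to diagnose. The statement form `assert cond` is also the idiomatic one (the parenthesised form reads like a function call), and since asserts are removed under `python -O`, raise explicitly if this check is meant as a hard guarantee rather than a debugging aid.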
--
2.25.1
On 1/11/21 7:11 AM, Qiuhao Li wrote:
> Simplifying the crash cases by opportunistically setting bits in operands of
> out/write to zero may help to debug, since usually bit one means turn on or
> trigger a function while zero is the default turn-off setting.
>
> Tested Bug 1908062.

Please use the full link as reference:
https://bugs.launchpad.net/qemu/+bug/1908062

(since this series is fully reviewed, can the maintainer applying the series do the change in place?)

Thanks,

Phil.

> Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
> Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
> Tested-by: Alexander Bulekov <alxndr@bu.edu>
> ---
> scripts/oss-fuzz/minimize_qtest_trace.py | 39 ++++++++++++++++++++++++
> 1 file changed, 39 insertions(+)
On Mon, 2021-01-11 at 10:01 +0100, Philippe Mathieu-Daudé wrote:
> On 1/11/21 7:11 AM, Qiuhao Li wrote:
> > Simplifying the crash cases by opportunistically setting bits in operands of
> > out/write to zero may help to debug, since usually bit one means turn on or
> > trigger a function while zero is the default turn-off setting.
> >
> > Tested Bug 1908062.
>
> Please use the full link as reference:
> https://bugs.launchpad.net/qemu/+bug/1908062

Ok, should I submit a new version patch? Or just change the commit messages and submit this series again?

Thank you.

> (since this series is fully reviewed, can the
> maintainer applying the series do the change
> in place?)
>
> Thanks,
>
> Phil.
>
> > Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
> > Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
> > Tested-by: Alexander Bulekov <alxndr@bu.edu>
> > ---
> > scripts/oss-fuzz/minimize_qtest_trace.py | 39 ++++++++++++++++++++++++
> > 1 file changed, 39 insertions(+)
On 11/01/2021 10.39, Qiuhao Li wrote:
> On Mon, 2021-01-11 at 10:01 +0100, Philippe Mathieu-Daudé wrote:
>> On 1/11/21 7:11 AM, Qiuhao Li wrote:
>>> Simplifying the crash cases by opportunistically setting bits in operands of
>>> out/write to zero may help to debug, since usually bit one means turn on or
>>> trigger a function while zero is the default turn-off setting.
>>>
>>> Tested Bug 1908062.
>>
>> Please use the full link as reference:
>> https://bugs.launchpad.net/qemu/+bug/1908062
>
> Ok, should I submit a new version patch? Or just change the commit
> messages and submit this series again?

I can fix this when picking up the patches, no need to respin just because of this.

Thomas
On Mon, 2021-01-11 at 11:26 +0100, Thomas Huth wrote:
> On 11/01/2021 10.39, Qiuhao Li wrote:
> > On Mon, 2021-01-11 at 10:01 +0100, Philippe Mathieu-Daudé wrote:
> > > On 1/11/21 7:11 AM, Qiuhao Li wrote:
> > > > Simplifying the crash cases by opportunistically setting bits in operands of
> > > > out/write to zero may help to debug, since usually bit one means turn on or
> > > > trigger a function while zero is the default turn-off setting.
> > > >
> > > > Tested Bug 1908062.
> > >
> > > Please use the full link as reference:
> > > https://bugs.launchpad.net/qemu/+bug/1908062
> >
> > Ok, should I submit a new version patch? Or just change the commit
> > messages and submit this series again?
>
> I can fix this when picking up the patches, no need to respin just because of this.
>
> Thomas

Thank you.