How to fuzz devices that use timers?

[Philippe Mathieu-Daudé]

Hi,

Some devices use timers (QEMUTimer) to emulate hardware precise timings.
i.e. with a flash device, the guest orders erasing it, the physical
erasure takes some time - let say 200ms - and upon completion a bit is
set in a register, and an interruption is eventually raised.
When not multi-tasking, a guest usually poll the register until bit set.

While fuzzing, a payload schedule triggers an erase, then (if we don't
reset the device) thousands of payloads are tested in vain until the
device is ready to process further requests. It is then hard to
understand the patterns used (in 200ms libFuzzer tried ~5000 I/O
other accesses). Even if we can reproduce the pattern with proper
timings, it is also hard to reproduce.

Since we run the fuzzer with the QTest accelerator, my first idea was to
check for 'if (qtest_enabled())' in the timer code, and directly expire
a timer instead of scheduling it. This way we can test reproducers.
However various tests require/verify precise timing, so this would break
various qtests.

Second idea was to add a fuzzer_enabled() method, and check it. But then
I noticed some devices use timers the other way, they start a timer and
wait an event to happen in a correct amount of time, else the timer kick
and error bit is set (this is the watchdog style). If I modify the
timers to directly expire checking fuzzer_enabled(), then these devices
enter failure mode directly without processing further requests.

So I guess I have to go thru each device and check for fuzzer_enabled()
where appropriate...
Any clever ideas?

Thanks

Phil.