[PATCH 4/4] fuzz: delay IO until they can't trigger the crash

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 4/4] fuzz: delay IO until they can't trigger the crash

From:	Qiuhao Li
Subject:	[PATCH 4/4] fuzz: delay IO until they can't trigger the crash
Date:	Sun, 20 Dec 2020 02:56:27 +0800

Since programmers usually trigger an IO just before they need it. Try to
delay some IO instructions may help us better understanding the timing
context when debug.

Tested with Bug 1908062. Refined vs. Original result:

outl 0xcf8 0x8000081c            outl 0xcf8 0x0
outb 0xcfc 0xc3                | outl 0xcf8 0x8000081c
outl 0xcf8 0x80000804          | outb 0xcfc 0xc3
outl 0xcfc 0x10000006          | outl 0xcf8 0x80000804
write 0xc300001028 0x1 0x5a    | outl 0xcfc 0x10000006
write 0xc300001024 0x2 0x10    | write 0xc300001028 0x1 0x5a
write 0xc30000101c 0x1 0x01    | writel 0xc30000100c 0x2a6f6c63
write 0xc300003002 0x1 0x0     v write 0xc300001024 0x2 0x10
write 0x5c 0x1 0x10              write 0xc30000101c 0x1 0x01
writel 0xc30000100c 0x2a6f6c63   write 0xc300001018 0x1 0x80
write 0xc300001018 0x1 0x80      write 0x5c 0x1 0x10
outl 0xcf8 0x0                   write 0xc300003002 0x1 0x0

Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py 
b/scripts/oss-fuzz/minimize_qtest_trace.py
index f3e88064c4..da7aa73b3c 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -214,6 +214,27 @@ def minimize_trace(inpath, outpath):
 
     assert(check_if_trace_crashes(newtrace, outpath))
 
+    # delay IO instructions until they can't trigger the crash
+    # Note: O(n^2) and many timeouts, kinda slow
+    i = len(newtrace) - 1
+    while i >= 0:
+        tmp_i = newtrace[i]
+        if len(tmp_i) < 2:
+            i -= 1
+            continue
+        print("Delaying ", newtrace[i])
+        for j in reversed(range(i+1, len(newtrace)+1)):
+            newtrace.insert(j, tmp_i)
+            del newtrace[i]
+            if check_if_trace_crashes(newtrace, outpath):
+                break
+            newtrace.insert(i, tmp_i)
+            del newtrace[j]
+        i -= 1
+
+    assert(check_if_trace_crashes(newtrace, outpath))
+    # maybe another removing round
+
 
 if __name__ == '__main__':
     if len(sys.argv) < 3:
-- 
2.25.1

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH 2/4] fuzz: split QTest writes from the rightmost byte, (continued)
- [PATCH 3/4] fuzz: setting bits in operand of out/write to zero, Qiuhao Li, 2020/12/19
  - Re: [PATCH 3/4] fuzz: setting bits in operand of out/write to zero, Alexander Bulekov, 2020/12/21
    - Re: [PATCH 3/4] fuzz: setting bits in operand of out/write to zero, Qiuhao Li, 2020/12/22
- [PATCH 1/4] fuzz: refine crash detection mechanism, Qiuhao Li, 2020/12/19
  - Re: [PATCH 1/4] fuzz: refine crash detection mechanism, Alexander Bulekov, 2020/12/21
    - Re: [PATCH 1/4] fuzz: refine crash detection mechanism, Qiuhao Li, 2020/12/22
  - Re: [PATCH 1/4] fuzz: refine crash detection mechanism, Alexander Bulekov, 2020/12/22
    - Re: [PATCH 1/4] fuzz: refine crash detection mechanism, Li Qiuhao, 2020/12/23
- [PATCH 4/4] fuzz: delay IO until they can't trigger the crash, Qiuhao Li <=
  - Re: [PATCH 4/4] fuzz: delay IO until they can't trigger the crash, Alexander Bulekov, 2020/12/21
    - Re: [PATCH 4/4] fuzz: delay IO until they can't trigger the crash, Qiuhao Li, 2020/12/22
    - Re: [PATCH 4/4] fuzz: delay IO until they can't trigger the crash, Alexander Bulekov, 2020/12/22
    - Re: [PATCH 4/4] fuzz: delay IO until they can't trigger the crash, Qiuhao Li, 2020/12/23
    - Re: [PATCH 4/4] fuzz: delay IO until they can't trigger the crash, Alexander Bulekov, 2020/12/24

Prev by Date: [PATCH 1/4] fuzz: refine crash detection mechanism
Next by Date: Re: [PATCH v2 8/8] tests/acceptance: Test boot_linux_console for fuloong2e
Previous by thread: Re: [PATCH 1/4] fuzz: refine crash detection mechanism
Next by thread: Re: [PATCH 4/4] fuzz: delay IO until they can't trigger the crash
Index(es):
- Date
- Thread