[PATCH v2 7/7] fuzz: heuristic split write based on past IOs
From: Qiuhao Li
Subject: [PATCH v2 7/7] fuzz: heuristic split write based on past IOs
Date: Mon, 28 Dec 2020 13:56:46 +0800
If previous write commands write the same length of data with the same step,
we view it as a hint.
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
---
scripts/oss-fuzz/minimize_qtest_trace.py | 55 ++++++++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py
b/scripts/oss-fuzz/minimize_qtest_trace.py
index 7947eb1d40..98bcd0cc8a 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -83,6 +83,42 @@ def check_if_trace_crashes(trace, path):
return False
+# If previous write commands write the same length of data at the same
+# interval, we view it as a hint.
+def split_write_hint(newtrace, i):
+ HINT_LEN = 3 # > 2
+ if i <=(HINT_LEN-1):
+ return None
+
+ #find previous continuous write traces
+ k = 0
+ l = i-1
+ writes = []
+ while (k != HINT_LEN and l >= 0):
+ if newtrace[l].startswith("write "):
+ writes.append(newtrace[l])
+ k += 1
+ l -= 1
+ elif newtrace[l] == "":
+ l -= 1
+ else:
+ return None
+ if k != HINT_LEN:
+ return None
+
+ length = int(writes[0].split()[2], 16)
+ for j in range(1, HINT_LEN):
+ if length != int(writes[j].split()[2], 16):
+ return None
+
+ step = int(writes[0].split()[1], 16) - int(writes[1].split()[1], 16)
+ for j in range(1, HINT_LEN-1):
+ if step != int(writes[j].split()[1], 16) - \
+ int(writes[j+1].split()[1], 16):
+ return None
+
+ return (int(writes[0].split()[1], 16)+step, length)
+
def remove_minimizer(newtrace, outpath):
remove_step = 1
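Review bot: in `split_write_hint` the `# > 2` comment on `HINT_LEN` does not say why the bound exists, and the rest of the function re-parses each line in `writes` with `split()` and `int(..., 16)` several times. The real constraint is visible in the code: `writes[1]` is indexed unconditionally, so at least two writes are needed, and with `HINT_LEN = 2` the step loop `for j in range(1, HINT_LEN-1)` is empty, so any two equal-length writes would yield a hint without a single step being confirmed; say that in the comment. Parsing each line once, e.g. `writes.append((int(f[1], 16), int(f[2], 16)))` with `f = newtrace[l].split()`, would turn the length and step loops into one-line `all(...)` checks and avoid the repeated `split()`. Minor: `if i <=(HINT_LEN-1):` and `#find previous ...` need PEP 8 spacing, and that early return is redundant with the `k != HINT_LEN` check after the loop, since `l >= 0` already bounds the scan.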
@@ -147,6 +183,25 @@ def remove_minimizer(newtrace, outpath):
length = int(newtrace[i].split()[2], 16)
data = newtrace[i].split()[3][2:]
if length > 1:
+
+ # Can we get a hint from previous writes?
+ hint = split_write_hint(newtrace, i)
+ if hint is not None:
+ hint_addr = hint[0]
+ hint_len = hint[1]
+ if hint_addr >= addr and hint_addr+hint_len <= addr+length:
+ newtrace[i] = "write {addr} {size} 0x{data}\n".format(
+ addr=hex(hint_addr),
+ size=hex(hint_len),
+ data=data[(hint_addr-addr)*2:\
+ (hint_addr-addr)*2+hint_len*2])
+ if check_if_trace_crashes(newtrace, outpath):
+ # next round
+ i += 1
+ continue
+ newtrace[i] = prior[0]
+
+ # Try splitting it using a binary approach
leftlength = int(length/2)
rightlength = length - leftlength
newtrace.insert(i+1, "")
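Review bot: the hint is applied even when it describes the current write exactly. `hint_addr >= addr and hint_addr+hint_len <= addr+length` holds with equality when the preceding writes have the same address progression and length as this one, so `newtrace[i]` is rewritten to the same command and `check_if_trace_crashes` is run for nothing; add `and (hint_addr, hint_len) != (addr, length)` (or simply require `hint_len < length`) before the rewrite. On the success path `i += 1` / `continue` discards the bytes outside the hinted window without trying to keep any of them, which is what a minimizer wants, but a short comment saying so would help, since the binary split that follows keeps both halves. The backslash continuations inside the `data[...]` slice are unnecessary within brackets.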
--
2.25.1
- [PATCH v2 0/7] fuzz: improve crash case minimization, Qiuhao Li, 2020/12/28
- [PATCH v2 1/7] fuzz: accelerate non-crash detection, Qiuhao Li, 2020/12/28
- [PATCH v2 3/7] fuzz: split write operand using binary approach, Qiuhao Li, 2020/12/28
- [PATCH v2 2/7] fuzz: double the IOs to remove for every loop, Qiuhao Li, 2020/12/28
- [PATCH v2 4/7] fuzz: loop the remove minimizer and refactoring, Qiuhao Li, 2020/12/28
- [PATCH v2 5/7] fuzz: set bits in operand of write/out to zero, Qiuhao Li, 2020/12/28
- [PATCH v2 6/7] fuzz: add minimization options, Qiuhao Li, 2020/12/28
- [PATCH v2 7/7] fuzz: heuristic split write based on past IOs, Qiuhao Li, 2020/12/28 (this message)
- Re: [PATCH v2 0/7] fuzz: improve crash case minimization, no-reply, 2020/12/28