From: Alexander Bulekov <alxndr@bu.edu>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: Laurent Vivier <lvivier@redhat.com>,
	Thomas Huth <thuth@redhat.com>,
	qemu-devel@nongnu.org, Bandan Das <bsd@redhat.com>,
	Stefan Hajnoczi <stefanha@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH 0/6] tests/fuzz: Review notes
Date: Fri, 15 May 2020 11:10:36 -0400	[thread overview]
Message-ID: <20200515151036.e5h26s65fokygbvr@mozz.bu.edu> (raw)
In-Reply-To: <20200514143433.18569-1-philmd@redhat.com>

On 200514 1634, Philippe Mathieu-Daudé wrote:
> I took some code notes while testing Alex's toy.
> Sending them as patches.

Thank you for these! I'd send my review tags, if they weren't already
pulled.

> Alex, I had these issues while building following
> docs/devel/fuzzing.txt:
> 
>     CC      nbd/server.o
>   nbd/server.c:1937:1: error: unused function 'glib_listautoptr_cleanup_NBDExtentArray' [-Werror,-Wunused-function]
>   G_DEFINE_AUTOPTR_CLEANUP_FUNC(NBDExtentArray, nbd_extent_array_free);
>   ^
>   /usr/include/glib-2.0/glib/gmacros.h:462:22: note: expanded from macro 'G_DEFINE_AUTOPTR_CLEANUP_FUNC'
>     static inline void _GLIB_AUTOPTR_LIST_FUNC_NAME(TypeName) (GList **_l) { g_list_free_full (*_l, (GDestroyNotify) func); } \
>                        ^
>   /usr/include/glib-2.0/glib/gmacros.h:443:48: note: expanded from macro '_GLIB_AUTOPTR_LIST_FUNC_NAME'
>   #define _GLIB_AUTOPTR_LIST_FUNC_NAME(TypeName) glib_listautoptr_cleanup_##TypeName
>                                                  ^
> Solved by using './configure ... --extra-cflags=-Wno-unused-function'

Interesting that this doesn't show up for standard builds. I'll have to
look into this more.

>     LINK    i386-softmmu/qemu-fuzz-i386
>   /usr/lib64/clang/9.0.1/lib/linux/libclang_rt.asan-aarch64.a(asan_interceptors_vfork.S.o): warning: common of `__interception::real_vfork' overridden by definition
>   /usr/lib64/clang/9.0.1/lib/linux/libclang_rt.asan-aarch64.a(asan_interceptors.cc.o): warning: defined here
> 
> I simply ignore this warning.

Yes, I get the same warning with this:

cat << EOF | clang-9 -Wl,--warn-common  -fsanitize=fuzzer,address -x c -
#include <sys/types.h>
#include <stdint.h>
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { return 0; }
EOF

Might report this to the LLVM/compiler-rt folks.

> Alex, could you provide a few more examples (in particular about
> instantiating devices, or useful libfuzzer arguments)?

Yes - I'll send this out with my next fuzzing patches.

> Also, I suppose you are using a script to generate the bug reports:
> 
>   I can reproduce it in qemu 5.0 using:
> 
>   cat << EOF | qemu-system ...
>   outl 0xcf8 ...
>   outl 0xcfc ...
>   ...
>   EOF
> 
> Is this script available in the QEMU repository? I couldn't find it.

Right now I just added some unbuffered writes to qtest.c. I'll try to
find a clean way of doing this and I'll add a way to automatically
convert a crashing input to qemu arguments + qtest command sequence.

Thanks again!
-Alex

> Regards,
> 
> Phil.
> 
> Philippe Mathieu-Daudé (6):
>   tests/fuzz/Makefile: Do not link code using unavailable devices
>   Makefile: List fuzz targets in 'make help'
>   tests/fuzz: Add missing space in test description
>   tests/fuzz: Remove unuseful/unused typedefs
>   tests/fuzz: Extract pciconfig_fuzz_qos() method
>   tests/fuzz: Extract ioport_fuzz_qtest() method
> 
>  Makefile                          |  6 +++-
>  tests/qtest/fuzz/i440fx_fuzz.c    | 47 ++++++++++++++++++++-----------
>  tests/qtest/fuzz/Makefile.include |  6 ++--
>  3 files changed, 38 insertions(+), 21 deletions(-)
> 
> -- 
> 2.21.3
> 
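The crash-to-reproducer conversion discussed above, sketched as an added example (not QEMU's code and not the qtest.c changes Alex mentions): it walks a raw fuzzer input and emits the outl/inl qtest sequence a bug report would pipe into qemu-system. The 6-byte record layout, the opcode/port encoding and the qemu command line it targets are assumptions for illustration only.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed 6-byte record (illustrative only, not QEMU's i440fx_fuzz.c layout):
 *   [0] opcode: even = outl, odd = inl
 *   [1] port:   even = 0xcf8 (CONFIG_ADDRESS), odd = 0xcfc (CONFIG_DATA)
 *   [2..5] 32-bit little-endian value (used by outl only) */
#define REC_LEN 6

/* Append one qtest command per complete record in the fuzzer input to 'out'.
 * A trailing partial record is skipped, as a harness consuming fixed-size
 * records would skip it. Returns the number of commands emitted; stops early
 * with 'out' still NUL-terminated if the buffer fills up. */
size_t fuzz_input_to_qtest(const uint8_t *data, size_t size,
                           char *out, size_t outlen)
{
    size_t n = 0, used = 0;
    if (outlen == 0) return 0;
    out[0] = '\0';
    for (; size >= REC_LEN; data += REC_LEN, size -= REC_LEN) {
        unsigned port = (data[1] & 1) ? 0xcfcu : 0xcf8u;
        uint32_t value = (uint32_t)data[2] | (uint32_t)data[3] << 8 |
                         (uint32_t)data[4] << 16 | (uint32_t)data[5] << 24;
        int w = (data[0] & 1) == 0
            ? snprintf(out + used, outlen - used, "outl 0x%x 0x%" PRIx32 "\n", port, value)
            : snprintf(out + used, outlen - used, "inl 0x%x\n", port);
        if (w < 0 || (size_t)w >= outlen - used) {
            out[used] = '\0';          /* drop the truncated command */
            break;
        }
        used += (size_t)w; n++;
    }
    return n;
}
/* Constructed crash input: three complete records plus one stray byte. */
static const uint8_t sample_input[] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x80,   /* outl 0xcf8 0x80000000 */
    0x02, 0x01, 0x78, 0x56, 0x34, 0x12,   /* outl 0xcfc 0x12345678 */
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00,   /* inl 0xcfc */
    0xff                                  /* partial record, ignored */
};

int main(void)
{
    char buf[256];
    fuzz_input_to_qtest(sample_input, sizeof sample_input, buf, sizeof buf);
    fputs(buf, stdout);   /* feed this to a qemu-system-* started with -qtest stdio */
    return 0;
}
```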