* [PATCH v2 0/2] fuzz: Skip QTest serialization
@ 2020-05-29 18:02 Alexander Bulekov
  2020-05-29 18:02 ` [PATCH v2 1/2] fuzz: skip " Alexander Bulekov
  2020-05-29 18:02 ` [PATCH v2 2/2] fuzz: Add support for logging QTest commands Alexander Bulekov
From: Alexander Bulekov @ 2020-05-29 18:02 UTC (permalink / raw)
  To: qemu-devel; +Cc: darren.kenny, bsd, f4bug, stefanha, Alexander Bulekov

In the same vein as Philippe's patch:

https://patchew.org/QEMU/20200528165303.1877-1-f4bug@amsat.org/

This uses linker trickery to wrap calls to libqtest functions and
directly call the corresponding read/write functions, rather than
relying on the ASCII-serialized QTest protocol.

v2: applies properly

Alexander Bulekov (2):
  fuzz: skip QTest serialization
  fuzz: Add support for logging QTest commands

 tests/qtest/fuzz/Makefile.include | 21 +++++++++++++++++++++
 tests/qtest/fuzz/fuzz.c           | 22 +++++++++++++++++++++-
 tests/qtest/fuzz/fuzz.h           |  3 +++
 3 files changed, 45 insertions(+), 1 deletion(-)

-- 
2.26.2




* [PATCH v2 1/2] fuzz: skip QTest serialization
  2020-05-29 18:02 [PATCH v2 0/2] fuzz: Skip QTest serialization Alexander Bulekov
@ 2020-05-29 18:02 ` Alexander Bulekov
  2020-05-29 22:04   ` Alexander Bulekov
  2020-05-29 18:02 ` [PATCH v2 2/2] fuzz: Add support for logging QTest commands Alexander Bulekov
From: Alexander Bulekov @ 2020-05-29 18:02 UTC (permalink / raw)
  To: qemu-devel
  Cc: Laurent Vivier, Thomas Huth, Alexander Bulekov, f4bug,
	darren.kenny, bsd, stefanha, Paolo Bonzini

The QTest server usually parses ASCII commands from clients. Since we
fuzz within the QEMU process, skip the QTest serialization and server
for most QTest commands. Leave the option to use the ASCII protocol, to
generate readable traces for crash reproducers.

Inspired-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
 tests/qtest/fuzz/Makefile.include | 21 +++++++++++++++++++++
 tests/qtest/fuzz/fuzz.c           | 14 +++++++++++++-
 tests/qtest/fuzz/fuzz.h           |  3 +++
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
index f259d866c9..5bde793bf2 100644
--- a/tests/qtest/fuzz/Makefile.include
+++ b/tests/qtest/fuzz/Makefile.include
@@ -5,6 +5,7 @@ fuzz-obj-y += $(libqos-obj-y)
 fuzz-obj-y += tests/qtest/fuzz/fuzz.o # Fuzzer skeleton
 fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o
 fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
+fuzz-obj-y += tests/qtest/fuzz/qtest_wrappers.o
 
 # Targets
 fuzz-obj-$(CONFIG_PCI_I440FX) += tests/qtest/fuzz/i440fx_fuzz.o
@@ -16,3 +17,23 @@ FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
 # Linker Script to force coverage-counters into known regions which we can mark
 # shared
 FUZZ_LDFLAGS += -Xlinker -T$(SRC_PATH)/tests/qtest/fuzz/fork_fuzz.ld
+
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_inb
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_inw
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_inl
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_outb
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_outw
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_outl
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_readb
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_readw
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_readl
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_readq
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_writeb
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_writew
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_writel
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_writeq
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_memread
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_bufread
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_memwrite
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_bufwrite
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_memset
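Review bot: The nineteen `FUZZ_LDFLAGS += -Wl,-wrap,…` lines are the only place that names which libqtest entry points are intercepted, and nothing ties that list to the `__wrap_` definitions expected in qtest_wrappers.o (added in the first hunk of this file), so a symbol added on one side and forgotten on the other silently keeps or loses the direct path. A single list variable expanded with `$(foreach …)` keeps the set in one place and a comment above it states the contract. It is also worth noting in that comment that `-wrap` only diverts references that cross an object boundary, so a libqtest helper that calls another `qtest_*` function inside its own object is not redirected — presumably acceptable here, but easy to misread as "all qtest traffic skips the ASCII protocol".
```makefile
# … unchanged: fork_fuzz.ld linker-script line …

# Every symbol listed here is diverted to a __wrap_<name> definition in
# qtest_wrappers.c; only calls that cross an object boundary are wrapped.
FUZZ_WRAPPED_QTEST_SYMS = \
    qtest_inb qtest_inw qtest_inl \
    qtest_outb qtest_outw qtest_outl \
    qtest_readb qtest_readw qtest_readl qtest_readq \
    qtest_writeb qtest_writew qtest_writel qtest_writeq \
    qtest_memread qtest_bufread qtest_memwrite qtest_bufwrite qtest_memset
FUZZ_LDFLAGS += $(foreach sym,$(FUZZ_WRAPPED_QTEST_SYMS),-Wl,-wrap,$(sym))
```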
diff --git a/tests/qtest/fuzz/fuzz.c b/tests/qtest/fuzz/fuzz.c
index f5c923852e..cf76a6636f 100644
--- a/tests/qtest/fuzz/fuzz.c
+++ b/tests/qtest/fuzz/fuzz.c
@@ -91,7 +91,10 @@ static void usage(char *path)
         printf(" * %s  : %s\n", tmp->target->name,
                 tmp->target->description);
     }
-    printf("Alternatively, add -target-FUZZ_TARGET to the executable name\n");
+    printf("Alternatively, add -target-FUZZ_TARGET to the executable name\n\n"
+           "Set the environment variable FUZZ_SERIALIZE_QTEST=1 to serialize\n"
+           "QTest commands into an ASCII protocol. Useful for building crash\n"
+           "reproducers, but slows down execution.\n");
     exit(0);
 }
 
@@ -137,6 +140,8 @@ int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp)
 {
 
     char *target_name;
+    char *dir;
+    bool serialize = false;
 
     /* Initialize qgraph and modules */
     qos_graph_init();
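Review bot: `char *dir;` is declared at the top of LLVMFuzzerInitialize but no hunk in this patch assigns or reads it; unless a part of the function outside this view uses it, it is an unused variable that `-Wunused-variable` (and a `-Werror` build, which QEMU typically enables) will reject, so it should be dropped or moved to the patch that needs it. `bool serialize = false;` is fine as written, though it could be initialised directly where the environment is read further down. The function body continues outside the hunk.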
@@ -157,6 +162,13 @@ int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp)
         usage(**argv);
     }
 
+    /* Should we always serialize qtest commands? */
+    if (getenv("FUZZ_SERIALIZE_QTEST")) {
+        serialize = true;
+    }
+
+    fuzz_qtest_set_serialize(serialize);
+
     /* Identify the fuzz target */
     fuzz_target = fuzz_get_target(target_name);
     if (!fuzz_target) {
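Review bot: The `getenv("FUZZ_SERIALIZE_QTEST")` check only tests that the variable exists, so `FUZZ_SERIALIZE_QTEST=0` or an empty value also switches serialization on, while the usage text added in the first hunk of this file documents `FUZZ_SERIALIZE_QTEST=1`. Either make the help text say the variable merely needs to be set, or parse the value, e.g. `const char *env = getenv("FUZZ_SERIALIZE_QTEST");` / `serialize = env && *env && strcmp(env, "0") != 0;` (`strcmp` needs `<string.h>` if it is not already in scope), which also lets a wrapper script turn the mode off without unsetting the variable. The same presence-only pattern appears for `QTEST_LOG` in patch 2/2. LLVMFuzzerInitialize continues outside the hunk.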
diff --git a/tests/qtest/fuzz/fuzz.h b/tests/qtest/fuzz/fuzz.h
index 03901d414e..72d5710f6c 100644
--- a/tests/qtest/fuzz/fuzz.h
+++ b/tests/qtest/fuzz/fuzz.h
@@ -82,6 +82,9 @@ typedef struct FuzzTarget {
 void flush_events(QTestState *);
 void reboot(QTestState *);
 
+/* Use the QTest ASCII protocol or call address_space API directly?*/
+void fuzz_qtest_set_serialize(bool option);
+
 /*
  * makes a copy of *target and adds it to the target-list.
  * i.e. fine to set up target on the caller's stack
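Review bot: The comment on the new declaration, `/* Use the QTest ASCII protocol or call address_space API directly?*/`, poses a question but does not say which value selects which behaviour, so a caller has to read the wrapper implementation to learn that `true` means serialize (that is how fuzz.c passes it after reading FUZZ_SERIALIZE_QTEST). Something like `/* When true, wrapped qtest_* calls go through the ASCII QTest protocol (slower, but yields a readable trace for reproducers); when false they call the address_space API directly. */` states the contract at the one place callers see it, and fixes the missing space before `*/`. The prototype uses `bool`, so whatever includes this header must already provide `<stdbool.h>` — likely true via the osdep header, but worth confirming.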
-- 
2.26.2




* [PATCH v2 2/2] fuzz: Add support for logging QTest commands
  2020-05-29 18:02 [PATCH v2 0/2] fuzz: Skip QTest serialization Alexander Bulekov
  2020-05-29 18:02 ` [PATCH v2 1/2] fuzz: skip " Alexander Bulekov
@ 2020-05-29 18:02 ` Alexander Bulekov
From: Alexander Bulekov @ 2020-05-29 18:02 UTC (permalink / raw)
  To: qemu-devel
  Cc: Laurent Vivier, Thomas Huth, Alexander Bulekov, f4bug,
	darren.kenny, bsd, stefanha, Paolo Bonzini

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
 tests/qtest/fuzz/fuzz.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tests/qtest/fuzz/fuzz.c b/tests/qtest/fuzz/fuzz.c
index cf76a6636f..4842fbe7c7 100644
--- a/tests/qtest/fuzz/fuzz.c
+++ b/tests/qtest/fuzz/fuzz.c
@@ -95,6 +95,9 @@ static void usage(char *path)
            "Set the environment variable FUZZ_SERIALIZE_QTEST=1 to serialize\n"
            "QTest commands into an ASCII protocol. Useful for building crash\n"
            "reproducers, but slows down execution.\n");
+           "reproducers, but slows down execution.\n\n"
+           "Set the environment variable QTEST_LOG=1 to log all qtest commands"
+           "\n");
     exit(0);
 }
 
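Review bot: This hunk cannot compile as posted: `"reproducers, but slows down execution.\n");` is kept as a context line (the `@@ -95,6 +95,9 @@` header counts six unchanged lines), so the three added literals land after the closing `);` of the printf and leave a stray string literal and a second `);` outside any call. That line needs to be a removed (`-`) line so the new `"reproducers, but slows down execution.\n\n"` replaces it, giving `@@ -95,6 +95,8 @@`; if the `-` marker was lost in transit please disregard, but the header counts suggest it was not. Minor: `"…to log all qtest commands"` and `"\n"` can be a single literal, `"Set the environment variable QTEST_LOG=1 to log all qtest commands\n");`.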
@@ -183,6 +186,11 @@ int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp)
 
     /* Run QEMU's softmmu main with the fuzz-target dependent arguments */
     const char *init_cmdline = fuzz_target->get_init_cmdline(fuzz_target);
+    init_cmdline = g_strdup_printf("%s -qtest /dev/null -qtest-log %s",
+                                   init_cmdline,
+                                   getenv("QTEST_LOG") ? "/dev/fd/2"
+                                                       : "/dev/null");
+
 
     /* Split the runcmd into an argv and argc */
     wordexp_t result;
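Review bot: The string returned by `g_strdup_printf` is assigned to `init_cmdline`, overwriting the pointer from `get_init_cmdline`, and nothing in this hunk releases it once `wordexp` has taken its copy; a one-time leak in initialisation is harmless in practice, but assigning to a separate `g_autofree char *cmdline` (or freeing after the `wordexp` call, if that is not already done outside the hunk) makes the ownership explicit and keeps `init_cmdline` as the borrowed `const char *` it is declared as. `getenv("QTEST_LOG")` is again presence-only, so `QTEST_LOG=0` also enables logging despite the `=1` in the help text. The two consecutive blank lines after the statement should be reduced to one. LLVMFuzzerInitialize continues outside the hunk.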
-- 
2.26.2




* Re: [PATCH v2 1/2] fuzz: skip QTest serialization
  2020-05-29 18:02 ` [PATCH v2 1/2] fuzz: skip " Alexander Bulekov
@ 2020-05-29 22:04   ` Alexander Bulekov
From: Alexander Bulekov @ 2020-05-29 22:04 UTC (permalink / raw)
  To: qemu-devel
  Cc: Laurent Vivier, Thomas Huth, f4bug, darren.kenny, bsd, stefanha,
	Paolo Bonzini

This is missing the actual wrapper functions... Sending v3

On 200529 1402, Alexander Bulekov wrote:
> The QTest server usually parses ASCII commands from clients. Since we
> fuzz within the QEMU process, skip the QTest serialization and server
> for most QTest commands. Leave the option to use the ASCII protocol, to
> generate readable traces for crash reproducers.
> 
> Inspired-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
> ---
>  tests/qtest/fuzz/Makefile.include | 21 +++++++++++++++++++++
>  tests/qtest/fuzz/fuzz.c           | 14 +++++++++++++-
>  tests/qtest/fuzz/fuzz.h           |  3 +++
>  3 files changed, 37 insertions(+), 1 deletion(-)
> 
> diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
> index f259d866c9..5bde793bf2 100644
> --- a/tests/qtest/fuzz/Makefile.include
> +++ b/tests/qtest/fuzz/Makefile.include
> @@ -5,6 +5,7 @@ fuzz-obj-y += $(libqos-obj-y)
>  fuzz-obj-y += tests/qtest/fuzz/fuzz.o # Fuzzer skeleton
>  fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o
>  fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
> +fuzz-obj-y += tests/qtest/fuzz/qtest_wrappers.o
>  
>  # Targets
>  fuzz-obj-$(CONFIG_PCI_I440FX) += tests/qtest/fuzz/i440fx_fuzz.o
> @@ -16,3 +17,23 @@ FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
>  # Linker Script to force coverage-counters into known regions which we can mark
>  # shared
>  FUZZ_LDFLAGS += -Xlinker -T$(SRC_PATH)/tests/qtest/fuzz/fork_fuzz.ld
> +
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_inb
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_inw
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_inl
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_outb
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_outw
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_outl
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_readb
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_readw
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_readl
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_readq
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_writeb
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_writew
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_writel
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_writeq
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_memread
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_bufread
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_memwrite
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_bufwrite
> +FUZZ_LDFLAGS += -Wl,-wrap,qtest_memset
> diff --git a/tests/qtest/fuzz/fuzz.c b/tests/qtest/fuzz/fuzz.c
> index f5c923852e..cf76a6636f 100644
> --- a/tests/qtest/fuzz/fuzz.c
> +++ b/tests/qtest/fuzz/fuzz.c
> @@ -91,7 +91,10 @@ static void usage(char *path)
>          printf(" * %s  : %s\n", tmp->target->name,
>                  tmp->target->description);
>      }
> -    printf("Alternatively, add -target-FUZZ_TARGET to the executable name\n");
> +    printf("Alternatively, add -target-FUZZ_TARGET to the executable name\n\n"
> +           "Set the environment variable FUZZ_SERIALIZE_QTEST=1 to serialize\n"
> +           "QTest commands into an ASCII protocol. Useful for building crash\n"
> +           "reproducers, but slows down execution.\n");
>      exit(0);
>  }
>  
> @@ -137,6 +140,8 @@ int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp)
>  {
>  
>      char *target_name;
> +    char *dir;
> +    bool serialize = false;
>  
>      /* Initialize qgraph and modules */
>      qos_graph_init();
> @@ -157,6 +162,13 @@ int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp)
>          usage(**argv);
>      }
>  
> +    /* Should we always serialize qtest commands? */
> +    if (getenv("FUZZ_SERIALIZE_QTEST")) {
> +        serialize = true;
> +    }
> +
> +    fuzz_qtest_set_serialize(serialize);
> +
>      /* Identify the fuzz target */
>      fuzz_target = fuzz_get_target(target_name);
>      if (!fuzz_target) {
> diff --git a/tests/qtest/fuzz/fuzz.h b/tests/qtest/fuzz/fuzz.h
> index 03901d414e..72d5710f6c 100644
> --- a/tests/qtest/fuzz/fuzz.h
> +++ b/tests/qtest/fuzz/fuzz.h
> @@ -82,6 +82,9 @@ typedef struct FuzzTarget {
>  void flush_events(QTestState *);
>  void reboot(QTestState *);
>  
> +/* Use the QTest ASCII protocol or call address_space API directly?*/
> +void fuzz_qtest_set_serialize(bool option);
> +
>  /*
>   * makes a copy of *target and adds it to the target-list.
>   * i.e. fine to set up target on the caller's stack
> -- 
> 2.26.2
> 


