From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Alexander Bulekov <alxndr@bu.edu>,
Darren Kenny <darren.kenny@oracle.com>
Subject: [PULL 07/16] fuzz: add instructions for building reproducers
Date: Tue, 16 Mar 2021 17:15:22 -0400 [thread overview]
Message-ID: <20210316211531.1649909-8-pbonzini@redhat.com> (raw)
In-Reply-To: <20210316211531.1649909-1-pbonzini@redhat.com>
From: Alexander Bulekov <alxndr@bu.edu>
We have several scripts that help build reproducers, but no
documentation for how they should be used. Add some documentation
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
docs/devel/fuzzing.rst | 56 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
diff --git a/docs/devel/fuzzing.rst b/docs/devel/fuzzing.rst
index 97797c4f8c..2749bb9bed 100644
--- a/docs/devel/fuzzing.rst
+++ b/docs/devel/fuzzing.rst
@@ -210,6 +210,62 @@ Build details:
- The script responsible for building the fuzzers can be found in the
QEMU source tree at ``scripts/oss-fuzz/build.sh``
+Building Crash Reproducers
+-----------------------------------------
+When we find a crash, we should try to create an independent reproducer, that
+can be used on a non-fuzzer build of QEMU. This filters out any potential
+false-positives, and improves the debugging experience for developers.
+Here are the steps for building a reproducer for a crash found by the
+generic-fuzz target.
+
+- Ensure the crash reproduces::
+
+ qemu-fuzz-i386 --fuzz-target... ./crash-...
+
+- Gather the QTest output for the crash::
+
+ QEMU_FUZZ_TIMEOUT=0 QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \
+ qemu-fuzz-i386 --fuzz-target... ./crash-... &> /tmp/trace
+
+- Reorder and clean-up the resulting trace::
+
+ scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py /tmp/trace > /tmp/reproducer
+
+- Get the arguments needed to start qemu, and provide a path to qemu::
+
+ less /tmp/trace # The args should be logged at the top of this file
+ export QEMU_ARGS="-machine ..."
+ export QEMU_PATH="path/to/qemu-system"
+
+- Ensure the crash reproduces in qemu-system::
+
+ $QEMU_PATH $QEMU_ARGS -qtest stdio < /tmp/reproducer
+
+- From the crash output, obtain some string that identifies the crash. This
+ can be a line in the stack-trace, for example::
+
+ export CRASH_TOKEN="hw/usb/hcd-xhci.c:1865"
+
+- Minimize the reproducer::
+
+ scripts/oss-fuzz/minimize_qtest_trace.py -M1 -M2 \
+ /tmp/reproducer /tmp/reproducer-minimized
+
+- Confirm that the minimized reproducer still crashes::
+
+ $QEMU_PATH $QEMU_ARGS -qtest stdio < /tmp/reproducer-minimized
+
+- Create a one-liner reproducer that can be sent over email::
+
+ ./scripts/oss-fuzz/output_reproducer.py -bash /tmp/reproducer-minimized
+
+- Output the C source code for a test case that will reproduce the bug::
+
+ ./scripts/oss-fuzz/output_reproducer.py -owner "John Smith <john@smith.com>"\
+ -name "test_function_name" /tmp/reproducer-minimized
+
+- Report the bug and send a patch with the C reproducer upstream
+
Implementation Details / Fuzzer Lifecycle
-----------------------------------------
--
2.26.2
next prev parent reply other threads:[~2021-03-16 21:22 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-16 21:15 [PULL 00/16] Fuzzing + bugfix patches for QEMU 6.0 soft freeze Paolo Bonzini
2021-03-16 21:15 ` [PULL 01/16] tests/qtest: Only run fuzz-megasas-test if megasas device is available Paolo Bonzini
2021-03-16 21:15 ` [PULL 02/16] tests/qtest: Only run fuzz-virtio-scsi when virtio-scsi " Paolo Bonzini
2021-03-16 21:15 ` [PULL 03/16] MAINTAINERS: Cover fuzzer reproducer tests within 'Device Fuzzing' Paolo Bonzini
2021-03-16 21:15 ` [PULL 04/16] fuzz: fix the pro100 generic-fuzzer config Paolo Bonzini
2021-03-16 21:15 ` [PULL 05/16] fuzz: don't leave orphan llvm-symbolizers around Paolo Bonzini
2021-03-16 21:15 ` [PULL 06/16] fuzz: add a script to build reproducers Paolo Bonzini
2021-03-16 21:15 ` Paolo Bonzini [this message]
2021-03-16 21:15 ` [PULL 08/16] fuzz: add a am53c974 generic-fuzzer config Paolo Bonzini
2021-03-16 21:15 ` [PULL 09/16] memory: add a sparse memory device for fuzzing Paolo Bonzini
2021-04-06 13:29 ` Philippe Mathieu-Daudé
2021-03-16 21:15 ` [PULL 10/16] fuzz: configure a sparse-mem device, by default Paolo Bonzini
2021-03-16 21:15 ` [PULL 11/16] fuzz: move some DMA hooks Paolo Bonzini
2021-03-16 21:15 ` [PULL 12/16] configure: add option to explicitly enable/disable libgio Paolo Bonzini
2021-03-16 21:15 ` [PULL 13/16] Revert "accel: kvm: Add aligment assert for kvm_log_clear_one_slot" Paolo Bonzini
2021-03-16 21:15 ` [PULL 14/16] scsi: fix sense code for EREMOTEIO Paolo Bonzini
2021-03-16 21:15 ` [PULL 15/16] hw/i8254: fix vmstate load Paolo Bonzini
2021-03-16 21:15 ` [PULL 16/16] qemu-timer: allow freeing a NULL timer Paolo Bonzini
2021-03-18 10:05 ` [PULL 00/16] Fuzzing + bugfix patches for QEMU 6.0 soft freeze Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210316211531.1649909-8-pbonzini@redhat.com \
--to=pbonzini@redhat.com \
--cc=alxndr@bu.edu \
--cc=darren.kenny@oracle.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.