* [PATCH 0/4] Miscellaneous fuzzer changes
@ 2021-06-17 19:53 Alexander Bulekov
From: Alexander Bulekov @ 2021-06-17 19:53 UTC (permalink / raw)
  To: qemu-devel; +Cc: Alexander Bulekov, f4bug

Hello,
These patches
1.) Change generic-fuzzer timeouts so they are reconfigured prior to
each individual IO command, to allow for longer-running inputs
2.) Add an instrumentation filter to prevent libfuzzer from tracking
noisy/irrelevant parts of the code.
3.) Fix the AC97 and ES1370 fuzzer configs

-Alex

Alexander Bulekov (4):
  fuzz: adjust timeout to allow for longer inputs
  fuzz: add an instrumentation filter
  fuzz: fix the AC97 generic-fuzzer config.
  fuzz: fix the ES1370 generic-fuzzer config.

 configure                               |  4 ++++
 tests/qtest/fuzz/generic_fuzz.c         | 13 +++++++++----
 tests/qtest/fuzz/generic_fuzz_configs.h |  4 ++--
 3 files changed, 15 insertions(+), 6 deletions(-)

-- 
2.28.0




* [PATCH 1/4] fuzz: adjust timeout to allow for longer inputs
From: Alexander Bulekov @ 2021-06-17 19:53 UTC (permalink / raw)
  To: qemu-devel
  Cc: Laurent Vivier, Thomas Huth, f4bug, Alexander Bulekov,
	Bandan Das, Stefan Hajnoczi, Paolo Bonzini

Using a custom timeout is useful to continue fuzzing complex devices,
even after we run into some slow code-path. However, simply adding a
fixed timeout to each input effectively caps the maximum input
length/number of operations at some artificial value. There are two
major problems with this:
1. Some code might only be reachable through long IO sequences.
2. Longer inputs can actually be _better_ for performance. While the
   raw number of fuzzer executions decreases with larger inputs, the
   number of MMIO/PIO/DMA operation/second actually increases, since
   we are spending proportionately less time fork()ing.

With this change, we keep the custom-timeout, but we renew it, prior to
each MMIO/PIO/DMA operation. Thus, we time-out only when a particular
operation takes a long time.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
 tests/qtest/fuzz/generic_fuzz.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index cea7d4058e..71d36e8f6f 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -661,15 +661,16 @@ static void generic_fuzz(QTestState *s, const unsigned char *Data, size_t Size)
     uint8_t op;
 
     if (fork() == 0) {
+        struct sigaction sact;
+        struct itimerval timer;
         /*
          * Sometimes the fuzzer will find inputs that take quite a long time to
          * process. Often times, these inputs do not result in new coverage.
          * Even if these inputs might be interesting, they can slow down the
-         * fuzzer, overall. Set a timeout to avoid hurting performance, too much
+         * fuzzer, overall. Set a timeout for each command to avoid hurting
+         * performance, too much
          */
         if (timeout) {
-            struct sigaction sact;
-            struct itimerval timer;
 
             sigemptyset(&sact.sa_mask);
             sact.sa_flags   = SA_NODEFER;
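Review bot: hoisting `struct itimerval timer;` out of the `if (timeout)` block leaves `timer` uninitialized on the `timeout == 0` path. The later per-command `setitimer` is guarded by the same `if (timeout)`, so the value is never read there, but `-Wmaybe-uninitialized` style warnings are likely; declaring it as `struct itimerval timer = { 0 };` or moving the `memset` out of the conditional would make the intent explicit. Removing the two declarations also leaves an empty line directly after `if (timeout) {` (the blank context line before `sigemptyset`); drop it. Minor: the rewritten comment still ends with `performance, too much` and no full stop.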
@@ -679,13 +680,17 @@ static void generic_fuzz(QTestState *s, const unsigned char *Data, size_t Size)
             memset(&timer, 0, sizeof(timer));
             timer.it_value.tv_sec = timeout / USEC_IN_SEC;
             timer.it_value.tv_usec = timeout % USEC_IN_SEC;
-            setitimer(ITIMER_VIRTUAL, &timer, NULL);
         }
 
         op_clear_dma_patterns(s, NULL, 0);
         pci_disabled = false;
 
         while (cmd && Size) {
+            /* Reset the timeout, each time we run a new command */
+            if (timeout) {
+                setitimer(ITIMER_VIRTUAL, &timer, NULL);
+            }
+
             /* Get the length until the next command or end of input */
             nextcmd = memmem(cmd, Size, SEPARATOR, strlen(SEPARATOR));
             cmd_len = nextcmd ? nextcmd - cmd : Size;
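Review bot: re-arming the timer at the top of the `while (cmd && Size)` loop changes the meaning of `timeout` from a budget per input to a budget per command, so an input with N commands may now run for up to N times the configured value before SIGVTALRM fires. That is the stated intent, but the user-facing documentation for the timeout setting should be updated to say so. The setup code fills `it_value` only and leaves `it_interval` zero, so each `setitimer` arms a one-shot timer that the next iteration replaces, which is correct. Two smaller points: the `setitimer` return value is ignored on both the removed and the added call, and `ITIMER_VIRTUAL` counts user CPU time only, so a command that blocks in the kernel or sleeps is not bounded by this timer; if that matters, `ITIMER_PROF` or `ITIMER_REAL` would cover it.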
-- 
2.28.0




* [PATCH 2/4] fuzz: add an instrumentation filter
From: Alexander Bulekov @ 2021-06-17 19:53 UTC (permalink / raw)
  To: qemu-devel; +Cc: Alexander Bulekov, f4bug

By default, -fsanitize=fuzzer instruments all code with coverage
information. However, this means that libfuzzer will track coverage over
hundreds of source files that are unrelated to virtual-devices. This
means that libfuzzer will optimize inputs for coverage observed in timer
code, memory APIs etc. This slows down the fuzzer and stores many inputs
that are not relevant to the actual virtual-devices.

With this change, clang will only instrument a subset of the compiled
code, that is directly related to virtual-devices.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
 configure | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/configure b/configure
index debd50c085..40412bcfcf 100755
--- a/configure
+++ b/configure
@@ -6089,6 +6089,10 @@ if test "$fuzzing" = "yes" ; then
   # If LIB_FUZZING_ENGINE is set, assume we are running on OSS-Fuzz, and the
   # needed CFLAGS have already been provided
   if test -z "${LIB_FUZZING_ENGINE+xxx}" ; then
+    # Specify a filter to only instrument code that is directly related to
+    # virtual-devices.
+	QEMU_CFLAGS="$QEMU_CFLAGS -fsanitize-coverage-allowlist=$source_path/scripts/oss-fuzz/instrumentation-filter"
+
     # Add CFLAGS to tell clang to add fuzzer-related instrumentation to all the
     # compiled code.
     QEMU_CFLAGS="$QEMU_CFLAGS -fsanitize=fuzzer-no-link"
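Review bot: the allowlist path `$source_path/scripts/oss-fuzz/instrumentation-filter` is referenced but no such file is added anywhere in this series, so clang will fail with a missing-file error; the file needs to land in (or before) this patch. The added `QEMU_CFLAGS=` line is indented with a tab while the surrounding lines use spaces. `-fsanitize-coverage-allowlist=` is only accepted by recent clang releases, so a compile test before appending it would give a clear configure-time message rather than an unknown-argument failure for older toolchains. Finally, the comment immediately below still says the fuzzer instrumentation is added to "all the compiled code", which this change makes untrue; reword it to mention the allowlist.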
-- 
2.28.0




* [PATCH 3/4] fuzz: fix the AC97 generic-fuzzer config.
From: Alexander Bulekov @ 2021-06-17 19:53 UTC (permalink / raw)
  To: qemu-devel
  Cc: Laurent Vivier, Thomas Huth, f4bug, Alexander Bulekov,
	Bandan Das, Stefan Hajnoczi, Paolo Bonzini

TYPE_AC97 is "AC97", capitalized. Fix the config to account for that.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
 tests/qtest/fuzz/generic_fuzz_configs.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h b/tests/qtest/fuzz/generic_fuzz_configs.h
index 004c701915..049697b974 100644
--- a/tests/qtest/fuzz/generic_fuzz_configs.h
+++ b/tests/qtest/fuzz/generic_fuzz_configs.h
@@ -218,7 +218,7 @@ const generic_fuzz_config predefined_configs[] = {
         .name = "ac97",
         .args = "-machine q35 -nodefaults "
         "-device ac97,audiodev=snd0 -audiodev none,id=snd0 -nodefaults",
-        .objects = "ac97*",
+        .objects = "ac97* AC97",
     },{
         .name = "cs4231a",
         .args = "-machine q35 -nodefaults "
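Review bot: `ac97*` is a case-sensitive glob, so it could never match the `AC97` type name the commit message describes; appending the literal name fixes that, but a short comment beside the pattern would help, because the mismatch between the lower-case `-device ac97` name and the capitalized QOM type is not obvious from the config alone. Unrelated but visible in the same context: `.args` passes `-nodefaults` twice, once after `-machine q35` and again at the end of the `-device` line; the duplicate can be dropped.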
-- 
2.28.0




* [PATCH 4/4] fuzz: fix the ES1370 generic-fuzzer config.
From: Alexander Bulekov @ 2021-06-17 19:53 UTC (permalink / raw)
  To: qemu-devel
  Cc: Laurent Vivier, Thomas Huth, f4bug, Alexander Bulekov,
	Bandan Das, Stefan Hajnoczi, Paolo Bonzini

TYPE_ES1370 is "ES1370", capitalized. Fix the config to account for
that.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
 tests/qtest/fuzz/generic_fuzz_configs.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h b/tests/qtest/fuzz/generic_fuzz_configs.h
index 049697b974..5070bc175a 100644
--- a/tests/qtest/fuzz/generic_fuzz_configs.h
+++ b/tests/qtest/fuzz/generic_fuzz_configs.h
@@ -228,7 +228,7 @@ const generic_fuzz_config predefined_configs[] = {
         .name = "es1370",
         .args = "-machine q35 -nodefaults "
         "-device es1370,audiodev=snd0 -audiodev none,id=snd0 -nodefaults",
-        .objects = "es1370*",
+        .objects = "es1370* ES1370",
     },{
         .name = "sb16",
         .args = "-machine q35 -nodefaults "
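Review bot: same fix as the AC97 entry: `es1370*` cannot match the capitalized type name `ES1370`, so the literal is appended. Since this is the second audio config with the same case mismatch, it would be worth checking the neighbouring `cs4231a` and `sb16` entries against their QOM type names in the same series rather than in a later follow-up. As in the AC97 entry, `.args` lists `-nodefaults` twice; drop the duplicate.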
-- 
2.28.0




* Re: [PATCH 2/4] fuzz: add an instrumentation filter
From: Philippe Mathieu-Daudé @ 2021-06-18  7:20 UTC (permalink / raw)
  To: Alexander Bulekov, qemu-devel

On 6/17/21 9:53 PM, Alexander Bulekov wrote:
> By default, -fsanitize=fuzzer instruments all code with coverage
> information. However, this means that libfuzzer will track coverage over
> hundreds of source files that are unrelated to virtual-devices. This
> means that libfuzzer will optimize inputs for coverage observed in timer
> code, memory APIs etc. This slows down the fuzzer and stores many inputs
> that are not relevant to the actual virtual-devices.
> 
> With this change, clang will only instrument a subset of the compiled
> code, that is directly related to virtual-devices.
> 
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
> ---
>  configure | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/configure b/configure
> index debd50c085..40412bcfcf 100755
> --- a/configure
> +++ b/configure
> @@ -6089,6 +6089,10 @@ if test "$fuzzing" = "yes" ; then
>    # If LIB_FUZZING_ENGINE is set, assume we are running on OSS-Fuzz, and the
>    # needed CFLAGS have already been provided
>    if test -z "${LIB_FUZZING_ENGINE+xxx}" ; then
> +    # Specify a filter to only instrument code that is directly related to
> +    # virtual-devices.
> +	QEMU_CFLAGS="$QEMU_CFLAGS -fsanitize-coverage-allowlist=$source_path/scripts/oss-fuzz/instrumentation-filter"

I'm getting:
cannot access 'scripts/oss-fuzz/instrumentation-filter': No such file or
directory

Did you forget to add the file, or is this series based on another one?

Regards,

Phil.

