From: Qiuhao Li <Qiuhao.Li@outlook.com>
To: alxndr@bu.edu, qemu-devel@nongnu.org
Cc: darren.kenny@oracle.com, bsd@redhat.com, thuth@redhat.com,
stefanha@redhat.com, pbonzini@redhat.com
Subject: [PATCH 2/4] fuzz: split QTest writes from the rightmost byte
Date: Sun, 20 Dec 2020 02:56:25 +0800 [thread overview]
Message-ID: <ME3P282MB1492172012FA8E0D08819C07FCC20@ME3P282MB1492.AUSP282.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <ME3P282MB1492BFA2302041F2AB420EBEFCC20@ME3P282MB1492.AUSP282.PROD.OUTLOOK.COM>
Currently, we split the write commands' data from the middle. If it does not
work, try to move the pivot "left" and retry until there is no space left.
But, this is complete for ram writes but not for IO writes.
For example, there is an IO write command:
write addr uuxxxxuu
u is the unnecessary byte for the crash. Unlike ram write commands, in most
case, a split IO write won't trigger the same crash, So if we split from the
middle, we will get:
write addr uu (will be removed in next round)
write addr xxxxuu
For xxxxuu, since split it from the middle and retry to the leftmost byte
won't get the same crash, we will be stopped from removing the last two
bytes.
Therefore, we should split QTest writes from the rightmost byte.
Tested with Bug 1908062. Refined vs. Original result:
outl 0xcf8 0x8000081c outl 0xcf8 0x8000081c
outb 0xcfc 0xc3 outb 0xcfc 0xc3
outl 0xcf8 0x8000082f outl 0xcf8 0x8000082f
outl 0xcf8 0x80000804 outl 0xcf8 0x80000804
outl 0xcfc 0x9b2765be outl 0xcfc 0x9b2765be
write 0xc300001024 0x2 0x0055 write 0xc300001024 0x2 0x0055
write 0xc300001028 0x1 0x5a write 0xc300001028 0x1 0x5a
write 0xc30000101c 0x1 0x01 write 0xc30000101c 0x1 0x01
writel 0xc30000100c 0x2a6f6c63 writel 0xc30000100c 0x2a6f6c63
write 0xc300001018 0x1 0xa4 <-- write 0xc300001016 0x3 0xa4a4a4
write 0x5c 0x1 0x19 write 0x5c 0x1 0x19
write 0xc300003002 0x1 0x8a write 0xc300003002 0x1 0x8a
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
---
scripts/oss-fuzz/minimize_qtest_trace.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py
index d3b09e6567..855c3bcb54 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -140,7 +140,7 @@ def minimize_trace(inpath, outpath):
# 3.) If it is a qtest write command: write addr len data, try to split
# it into two separate write commands. If splitting the write down the
- # middle does not work, try to move the pivot "left" and retry, until
+ # rightmost does not work, try to move the pivot "left" and retry, until
# there is no space left. The idea is to prune unneccessary bytes from
# long writes, while accommodating arbitrary MemoryRegion access sizes
# and alignments.
@@ -149,7 +149,7 @@ def minimize_trace(inpath, outpath):
length = int(newtrace[i].split()[2], 16)
data = newtrace[i].split()[3][2:]
if length > 1:
- leftlength = int(length/2)
+ leftlength = length - 1
rightlength = length - leftlength
newtrace.insert(i+1, "")
while leftlength > 0:
--
2.25.1
next prev parent reply other threads:[~2020-12-19 19:05 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-19 18:39 [PATCH 0/4] improve crash case minimization Qiuhao Li
2020-12-19 18:56 ` [PATCH 1/4] fuzz: refine crash detection mechanism Qiuhao Li
2020-12-21 18:46 ` Alexander Bulekov
2020-12-22 11:18 ` Qiuhao Li
2020-12-22 16:47 ` Alexander Bulekov
2020-12-23 5:58 ` Li Qiuhao
2020-12-19 18:56 ` Qiuhao Li [this message]
2020-12-21 20:01 ` [PATCH 2/4] fuzz: split QTest writes from the rightmost byte Alexander Bulekov
2020-12-22 11:20 ` Qiuhao Li
2020-12-19 18:56 ` [PATCH 3/4] fuzz: setting bits in operand of out/write to zero Qiuhao Li
2020-12-21 20:35 ` Alexander Bulekov
2020-12-22 11:21 ` Qiuhao Li
2020-12-19 18:56 ` [PATCH 4/4] fuzz: delay IO until they can't trigger the crash Qiuhao Li
2020-12-21 21:17 ` Alexander Bulekov
2020-12-22 11:22 ` Qiuhao Li
2020-12-22 18:30 ` Alexander Bulekov
2020-12-23 9:20 ` Qiuhao Li
2020-12-25 0:24 ` Alexander Bulekov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ME3P282MB1492172012FA8E0D08819C07FCC20@ME3P282MB1492.AUSP282.PROD.OUTLOOK.COM \
--to=qiuhao.li@outlook.com \
--cc=alxndr@bu.edu \
--cc=bsd@redhat.com \
--cc=darren.kenny@oracle.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.