From: Qiuhao Li <Qiuhao.Li@outlook.com>
To: Alexander Bulekov <alxndr@bu.edu>
Cc: thuth@redhat.com, qemu-devel@nongnu.org, darren.kenny@oracle.com,
	bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com
Subject: Re: [PATCH 3/4] fuzz: setting bits in operand of out/write to zero
Date: Tue, 22 Dec 2020 19:21:25 +0800	[thread overview]
Message-ID: <SYYP282MB1501A23C21301A8151E13AB1FCDF0@SYYP282MB1501.AUSP282.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <20201221203543.vlezaw2sxiq7wpde@mozz.bu.edu>

On Mon, 2020-12-21 at 15:35 -0500, Alexander Bulekov wrote:
> On 201220 0256, Qiuhao Li wrote:
> > Simplifying the crash cases by opportunistically setting bits in
> > operands of out/write to zero may help to debug, since usually bit one
> > means turn on or trigger a function while zero is the default turn-off
> > setting.
> > 
> > Tested Bug 1908062. Refined vs. Original result:
> > 
> > outl 0xcf8 0x8000081c            outl 0xcf8 0x8000081c
> > outb 0xcfc 0xc3                  outb 0xcfc 0xc3
> > outl 0xcf8 0x0               <-- outl 0xcf8 0x8000082f
> > outl 0xcf8 0x80000804            outl 0xcf8 0x80000804
> > outl 0xcfc 0x10000006        <-- outl 0xcfc 0x9b2765be
> > write 0xc300001024 0x2 0x10  <-- write 0xc300001024 0x2 0x0055
> > write 0xc300001028 0x1 0x5a      write 0xc300001028 0x1 0x5a
> > write 0xc30000101c 0x1 0x01      write 0xc30000101c 0x1 0x01
> > writel 0xc30000100c 0x2a6f6c63   writel 0xc30000100c 0x2a6f6c63
> > write 0xc300001018 0x1 0x80  <-- write 0xc300001018 0x1 0xa4
> > write 0x5c 0x1 0x10          <-- write 0x5c 0x1 0x19
> > write 0xc300003002 0x1 0x0   <-- write 0xc300003002 0x1 0x8a
> > 
> > Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
> 
> Looks good. One nit below.
> 
> Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
> 
> 
> > ---
> >  scripts/oss-fuzz/minimize_qtest_trace.py | 42 +++++++++++++++++++++++-
> >  1 file changed, 41 insertions(+), 1 deletion(-)
> > 
> > diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py
> > index 855c3bcb54..f3e88064c4 100755
> > --- a/scripts/oss-fuzz/minimize_qtest_trace.py
> > +++ b/scripts/oss-fuzz/minimize_qtest_trace.py
> > @@ -172,7 +172,47 @@ def minimize_trace(inpath, outpath):
> >                      newtrace[i] = prior
> >                      del newtrace[i+1]
> >          i += 1
> > -    check_if_trace_crashes(newtrace, outpath)
> > +
> > +    assert(check_if_trace_crashes(newtrace, outpath))
> > +
> > +    TIMEOUT = (end-start)*2 # input is short now
> > +
> > +    # try setting bits in operands of out/write to zero
> > +    i = 0
> > +    while i < len(newtrace):
> > +        if (not newtrace[i].startswith("write ") and not
> > +           newtrace[i].startswith("out")):
> > +           i += 1
> > +           continue
> > +        # write ADDR SIZE DATA
> > +        # outx ADDR VALUE
> > +        print("\nzero setting bits: {}".format(newtrace[i]))
> > +
> > +        prefix = " ".join(newtrace[i].split()[:-1])
> > +        data = newtrace[i].split()[-1]
> > +        data_bin = bin(int(data, 16))
> > +        data_bin_list = list(data_bin)
> > +
> > +        for j in range(2, len(data_bin_list)):
> > +            prior = newtrace[i]
> > +            if (data_bin_list[j] == '1'):
> > +                data_bin_list[j] = '0'
> > +                data_try = hex(int("".join(data_bin_list), 2))
> > +                # It seems qtest only accect hex with one byte
> > zero padding
>                                          ^^ "accepts padded hex-values."

Thanks.

> 
> > +                if len(data_try) % 2 == 1:
> > +                    data_try = data_try[:2] + "0" + data_try[2:-1]
> > +
> > +                newtrace[i] = "{prefix} {data_try}\n".format(
> > +                        prefix=prefix,
> > +                        data_try=data_try)
> > +
> > +                if not check_if_trace_crashes(newtrace, outpath):
> > +                    data_bin_list[j] = '1'
> > +                    newtrace[i] = prior
> > +
> > +        i += 1
> > +
> > +    assert(check_if_trace_crashes(newtrace, outpath))
> >  
> >  
> >  if __name__ == '__main__':
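Review bot: the padding fix-up `data_try = data_try[:2] + "0" + data_try[2:-1]` drops the last hex digit: for `hex(5) == '0x5'` it yields `'0x0'`, so an odd-length value is tried with its low nibble removed instead of zero-padded; `data_try[2:]` is what the comment intends. The even-length padding also does not preserve the operand width, which matters for `write ADDR SIZE DATA` (in the example in the commit message the 2-byte write's DATA goes from `0x0055` to `0x10`); padding to 2*SIZE hex digits would keep the data bytes in place. Separately, `TIMEOUT = (end-start)*2` inside minimize_trace() binds a function-local name; if check_if_trace_crashes() reads a module-level TIMEOUT, this needs `global TIMEOUT` (or the value passed explicitly) to take effect.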
> > -- 
> > 2.25.1
> > 
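As an added example (not the patch's code and not part of this thread), the operand bit-clearing pass the commit message describes, written stand-alone with a constructed crash oracle in place of check_if_trace_crashes(); the sample trace lines are taken from the "Original" column above, and padding a write's DATA to 2*SIZE hex digits is my assumption, not the patch's behaviour.

```python
# Added example: greedy clearing of set bits in qtest write/out operands.
# fake_crash_oracle() is a constructed stand-in for the script's
# check_if_trace_crashes(), which reruns QEMU on the candidate trace.

def pad_operand(prefix, value):
    """Render VALUE for a qtest line.  For 'write ADDR SIZE DATA' pad to
    2*SIZE hex digits so every byte keeps its position (assumption);
    for 'out*' an even digit count is enough."""
    digits = format(value, "x")
    if prefix[0] == "write":
        width = 2 * int(prefix[2], 16)
    else:
        width = len(digits) + (len(digits) % 2)
    return "0x" + digits.zfill(width)

def minimize_operands(trace, crashes):
    """For each write/out line, try zeroing each set bit of the last operand
    (MSB first) and keep the change only if the trace still crashes."""
    trace = list(trace)
    for i, line in enumerate(trace):
        if not (line.startswith("write ") or line.startswith("out")):
            continue
        *prefix, data = line.split()
        value = int(data, 16)
        for bit in range(value.bit_length() - 1, -1, -1):
            if not (value >> bit) & 1:
                continue
            candidate = value & ~(1 << bit)
            trace[i] = " ".join(prefix + [pad_operand(prefix, candidate)])
            if crashes(trace):
                value = candidate          # simpler operand still reproduces
            else:
                trace[i] = " ".join(prefix + [pad_operand(prefix, value)])
    return trace

def fake_crash_oracle(trace):
    """Constructed oracle: the imaginary device faults only when bit 28 of the
    outl to 0xcfc and bit 4 of the 2-byte write to 0xc300001024 are both set."""
    seen = {}
    for line in trace:
        words = line.split()
        seen[(words[0], words[1])] = int(words[-1], 16)
    return bool(seen.get(("outl", "0xcfc"), 0) & (1 << 28)) and \
        bool(seen.get(("write", "0xc300001024"), 0) & 0x10)

# Constructed input: four lines from the "Original" column of the commit message.
CONSTRUCTED_TRACE = [
    "outl 0xcf8 0x80000804",
    "outl 0xcfc 0x9b2765be",
    "write 0xc300001024 0x2 0x0055",
    "write 0xc300001018 0x1 0xa4",
]

def demo():
    return minimize_operands(CONSTRUCTED_TRACE, fake_crash_oracle)
```

Operands the oracle ignores collapse to zero, while the two bits it depends on survive as 0x10000000 and 0x0010.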


