From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 0C8B1C61DA4 for ; Tue, 14 Feb 2023 19:09:49 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pS0gM-0007QQ-Ea; Tue, 14 Feb 2023 14:09:38 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pS0gK-0007Ki-PT for qemu-devel@nongnu.org; Tue, 14 Feb 2023 14:09:36 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pS0gI-00049s-CV for qemu-devel@nongnu.org; Tue, 14 Feb 2023 14:09:36 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1676401773; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=tnClC130ZwtwfikFFqbu3HO7yaJYTOtP8W9S5FiLD9M=; b=YE6/PRBQqUkmiVkKEY+LTJDOOt+8ivET/2r4lmGqm4bhovJ4A+XgP2zdzLNBqbHpUa4h9Z oDA1vbH3xlWH1SM5F+gHCpRfMHi4HPeRrg7+Jad/bQ4uskAOusoVjIw74CKvEVg3TgkeXP bconyMUrekHgrovlgsLkBZ+Qsx2N/zM= Received: from mail-qv1-f70.google.com (mail-qv1-f70.google.com [209.85.219.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-428-4MFq5u8MMxChb-esd8GENQ-1; Tue, 14 Feb 2023 14:09:31 -0500 X-MC-Unique: 4MFq5u8MMxChb-esd8GENQ-1 Received: by mail-qv1-f70.google.com with SMTP id w2-20020a0cc702000000b0055c8ef137ddso9223895qvi.0 for ; Tue, 14 Feb 2023 11:09:31 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=tnClC130ZwtwfikFFqbu3HO7yaJYTOtP8W9S5FiLD9M=; b=3G4U80920rOGTaKmDVL+6s6BgUFP5b/lYw0th4VoQmGqgOSdafvUD3xZuwzs30SVuE 2fVb+gY1v27rzdZLEJFzIaQCLNQf6KN1vPWNWa2PuAAX9sCFnk/ZmwIDj4sDGECelhS+ AXrZbZGdF8sCdxFymIrgMoiLe4zIRIl+tiPTcXXGbuE80CtuQDmJjuQCbOpZt9Cr+6vS kTH5m2pzj+5TmOtMqsdBKLc2okeyokayw5iAvZ6GIc83kiA793zELfi2BuLlSfkMDtli tmhmzZzRU/T1VyxMFAFt2pODir1aSx4LZBCNAS03QBAzNY3NROHJOt0BhMr+juYdHYGN /ofA== X-Gm-Message-State: AO0yUKWj071uIY1S3VcDNgB4UwS/m4UNJlMCg3UiLyrUkRNv6ld2rnAy 8vm0STKzrDKeWL01W5gBXWOO1EXmJ2n8Irv6v92Tv921YBzCZphxOmsduBR+yZ7tfg5WOxeQ6Cs l6iOSN7YpLfMH6Lk= X-Received: by 2002:ad4:5e8e:0:b0:56b:fb0d:d8f0 with SMTP id jl14-20020ad45e8e000000b0056bfb0dd8f0mr7797023qvb.9.1676401771030; Tue, 14 Feb 2023 11:09:31 -0800 (PST) X-Google-Smtp-Source: AK7set+4ed0XTZX7YF6PWLB2cN80znd73LmkEjwQJ9aUw3i/mobxthJWqBk5OC08CoY1dPFxresPXw== X-Received: by 2002:ad4:5e8e:0:b0:56b:fb0d:d8f0 with SMTP id jl14-20020ad45e8e000000b0056bfb0dd8f0mr7796993qvb.9.1676401770747; Tue, 14 Feb 2023 11:09:30 -0800 (PST) Received: from [192.168.8.104] (tmo-116-175.customers.d1-online.com. [80.187.116.175]) by smtp.gmail.com with ESMTPSA id z13-20020a37650d000000b006fef61300fesm12279367qkb.16.2023.02.14.11.09.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 14 Feb 2023 11:09:29 -0800 (PST) Message-ID: Date: Tue, 14 Feb 2023 20:09:25 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.13.0 Subject: Re: [PATCH 00/10] Retire Fork-Based Fuzzing Content-Language: en-US To: =?UTF-8?Q?Philippe_Mathieu-Daud=c3=a9?= , Stefan Hajnoczi , Alexander Bulekov Cc: qemu-devel@nongnu.org, Bandan Das , Darren Kenny , Paolo Bonzini , Laurent Vivier References: <20230205042951.3570008-1-alxndr@bu.edu> From: Thomas Huth In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=170.10.133.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -4 X-Spam_score: -0.5 X-Spam_bar: / X-Spam_report: (-0.5 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.35, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URI_DOTEDU=1.999 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org On 14/02/2023 17.08, Philippe Mathieu-Daudé wrote: > On 14/2/23 16:38, Stefan Hajnoczi wrote: >> On Sat, Feb 04, 2023 at 11:29:41PM -0500, Alexander Bulekov wrote: >>> Hello, >>> This series removes fork-based fuzzing. >>> How does fork-based fuzzing work? >>>   * A single parent process initializes QEMU >>>   * We identify the devices we wish to fuzz (fuzzer-dependent) >>>   * Use QTest to PCI enumerate the devices >>>   * After that we start a fork-server which forks the process and executes >>>     fuzzer inputs inside the disposable children. >>> >>> In a normal fuzzing process, everything happens in a single process. >>> >>> Pros of fork-based fuzzing: >>>   * We only need to do common configuration once (e.g. PCI enumeration). >>>   * Fork provides a strong guarantee that fuzzer inputs will not >>> interfere with >>>     each-other >>>   * The fuzzing process can continue even after a child-process crashes >>>   * We can apply our-own timers to child-processes to exit slow inputs, >>> early >>> >>> Cons of fork-based fuzzing: >>>   * Fork-based fuzzing is not supported by libfuzzer. We had to build our >>> own >>>     fork-server and rely on tricks using linker-scripts and shared-memory to >>>     support fuzzing. ( >>> https://physics.bu.edu/~alxndr/libfuzzer-forkserver/ ) >>>   * Fork-based fuzzing is currently the main blocker preventing us from >>> enabling >>>     other fuzzers such as AFL++ on OSS-Fuzz >>>   * Fork-based fuzzing may be a reason why coverage-builds are failing on >>>     OSS-Fuzz. Coverage is an important fuzzing metric which would allow >>> us to >>>     find parts of the code that are not well-covered. >>>   * Fork-based fuzzing has high overhead. fork() is an expensive >>> system-call, >>>     especially for processes running ASAN (with large/complex) VMA layouts. >>>   * Fork prevents us from effectively fuzzing devices that rely on >>>     threads (e.g. qxl). >>> >>> These patches remove fork-based fuzzing and replace it with reboot-based >>> fuzzing for most cases. Misc notes about this change: >>>   * libfuzzer appears to be no longer in active development. As such, the >>>     current implementation of fork-based fuzzing (while having some nice >>>     advantages) is likely to hold us back in the future. If these changes >>>     are approved and appear to run successfully on OSS-Fuzz, we should be >>>     able to easily experiment with other fuzzing engines (AFL++). >>>   * Some device do not completely reset their state. This can lead to >>>     non-reproducible crashes. However, in my local tests, most crashes >>>     were reproducible. OSS-Fuzz shouldn't send us reports unless it can >>>     consistently reproduce a crash. >>>   * In theory, the corpus-format should not change, so the existing >>>     corpus-inputs on OSS-Fuzz will transfer to the new reset()-able >>>     fuzzers. >>>   * Each fuzzing process will now exit after a single crash is found. To >>>     continue the fuzzing process, use libfuzzer flags such as -jobs=-1 >>>   * We no long control input-timeouts (those are handled by libfuzzer). >>>     Since timeouts on oss-fuzz can be many seconds long, I added a limit >>>     on the number of DMA bytes written. >>> >>> Alexander Bulekov (10): >>>    hw/sparse-mem: clear memory on reset >>>    fuzz: add fuzz_reboot API >>>    fuzz/generic-fuzz: use reboots instead of forks to reset state >>>    fuzz/generic-fuzz: add a limit on DMA bytes written >>>    fuzz/virtio-scsi: remove fork-based fuzzer >>>    fuzz/virtio-net: remove fork-based fuzzer >>>    fuzz/virtio-blk: remove fork-based fuzzer >>>    fuzz/i440fx: remove fork-based fuzzer >>>    fuzz: remove fork-fuzzing scaffolding >>>    docs/fuzz: remove mentions of fork-based fuzzing >>> >>>   docs/devel/fuzzing.rst              |  22 +----- >>>   hw/mem/sparse-mem.c                 |  13 +++- >>>   meson.build                         |   4 - >>>   tests/qtest/fuzz/fork_fuzz.c        |  41 ---------- >>>   tests/qtest/fuzz/fork_fuzz.h        |  23 ------ >>>   tests/qtest/fuzz/fork_fuzz.ld       |  56 -------------- >>>   tests/qtest/fuzz/fuzz.c             |   6 ++ >>>   tests/qtest/fuzz/fuzz.h             |   2 +- >>>   tests/qtest/fuzz/generic_fuzz.c     | 111 +++++++--------------------- >>>   tests/qtest/fuzz/i440fx_fuzz.c      |  27 +------ >>>   tests/qtest/fuzz/meson.build        |   6 +- >>>   tests/qtest/fuzz/virtio_blk_fuzz.c  |  51 ++----------- >>>   tests/qtest/fuzz/virtio_net_fuzz.c  |  54 ++------------ >>>   tests/qtest/fuzz/virtio_scsi_fuzz.c |  51 ++----------- >>>   14 files changed, 72 insertions(+), 395 deletions(-) >>>   delete mode 100644 tests/qtest/fuzz/fork_fuzz.c >>>   delete mode 100644 tests/qtest/fuzz/fork_fuzz.h >>>   delete mode 100644 tests/qtest/fuzz/fork_fuzz.ld >>> >>> -- >>> 2.39.0 >>> >> >> Whose tree should this go through? Laurent's qtest tree? > > Do you mean Thomas? I thought Alexander would be doing pull requests for fuzzing-related patches nowadays (since he's the listed maintainer for these files)? Or did I get that wrong? Thomas