7906f11e | 20-Jul-2022 |
Alexander Bulekov <alxndr@bu.edu> |
oss-fuzz: ensure base_copy is a generic-fuzzer
Depending on how the target list is sorted in by qemu, the first target (used as the base copy of the fuzzer, to which all others are linked) might not
oss-fuzz: ensure base_copy is a generic-fuzzer
Depending on how the target list is sorted in by qemu, the first target (used as the base copy of the fuzzer, to which all others are linked) might not be a generic-fuzzer. Since we are trying to only use generic-fuzz, on oss-fuzz, fix that, to ensure the base copy is a generic-fuzzer.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20220720180946.2264253-1-alxndr@bu.edu> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
show more ...
|
4cc57523 | 11-Jan-2021 |
Qiuhao Li <Qiuhao.Li@outlook.com> |
fuzz: heuristic split write based on past IOs
If previous write commands write the same length of data with the same step, we view it as a hint.
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com> Rev
fuzz: heuristic split write based on past IOs
If previous write commands write the same length of data with the same step, we view it as a hint.
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <SYCPR01MB3502480AD07811A6A49B8FEAFCAB0@SYCPR01MB3502.ausprd01.prod.outlook.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|
dd21ed0e | 11-Jan-2021 |
Qiuhao Li <Qiuhao.Li@outlook.com> |
fuzz: add minimization options
-M1: remove IO commands iteratively -M2: try setting bits in operand of write/out to zero
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com> Reviewed-by: Alexander Bule
fuzz: add minimization options
-M1: remove IO commands iteratively -M2: try setting bits in operand of write/out to zero
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <SYCPR01MB350204C52E7A39E6B0EEC870FCAB0@SYCPR01MB3502.ausprd01.prod.outlook.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|
9d20f2af | 11-Jan-2021 |
Qiuhao Li <Qiuhao.Li@outlook.com> |
fuzz: set bits in operand of write/out to zero
Simplifying the crash cases by opportunistically setting bits in operands of out/write to zero may help to debug, since usually bit one means turn on o
fuzz: set bits in operand of write/out to zero
Simplifying the crash cases by opportunistically setting bits in operands of out/write to zero may help to debug, since usually bit one means turn on or trigger a function while zero is the default turn-off setting.
Tested bug https://bugs.launchpad.net/qemu/+bug/1908062
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <SYCPR01MB3502C84B6346A3E3DE708C7BFCAB0@SYCPR01MB3502.ausprd01.prod.outlook.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|
247ab240 | 11-Jan-2021 |
Qiuhao Li <Qiuhao.Li@outlook.com> |
fuzz: remove IO commands iteratively
Now we use a one-time scan and remove strategy in the minimizer, which is not suitable for timing dependent instructions.
For example, instruction A will indica
fuzz: remove IO commands iteratively
Now we use a one-time scan and remove strategy in the minimizer, which is not suitable for timing dependent instructions.
For example, instruction A will indicate an address where the config chunk locates, and instruction B will make the configuration active. If we have the following instruction sequence:
... A1 B1 A2 B2 ...
A2 and B2 are the actual instructions that trigger the bug.
If we scan from top to bottom, after we remove A1, the behavior of B1 might be unknowable, including not to crash the program. But we will successfully remove B1 later cause A2 and B2 will crash the process anyway:
... A1 A2 B2 ...
Now one more trimming will remove A1.
In the perfect case, we would need to be able to remove A and B (or C!) at the same time. But for now, let's just add a loop around the minimizer.
Since we only remove instructions, this iterative algorithm is converging.
Tested with Bug 1908062.
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <SYCPR01MB350263004448040ACCB9A9F1FCAB0@SYCPR01MB3502.ausprd01.prod.outlook.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|
e72203ab | 11-Jan-2021 |
Qiuhao Li <Qiuhao.Li@outlook.com> |
fuzz: split write operand using binary approach
Currently, we split the write commands' data from the middle. If it does not work, try to move the pivot left by one byte and retry until there is no
fuzz: split write operand using binary approach
Currently, we split the write commands' data from the middle. If it does not work, try to move the pivot left by one byte and retry until there is no space.
But, this method has two flaws:
1. It may fail to trim all unnecessary bytes on the right side.
For example, there is an IO write command:
write addr uuxxxxuu
u is the unnecessary byte for the crash. Unlike ram write commands, in most case, a split IO write won't trigger the same crash, So if we split from the middle, we will get:
write addr uu (will be removed in next round) write addr xxxxuu
For xxxxuu, since split it from the middle and retry to the leftmost byte won't get the same crash, we will be stopped from removing the last two bytes.
2. The algorithm complexity is O(n) since we move the pivot byte by byte.
To solve the first issue, we can try a symmetrical position on the right if we fail on the left. As for the second issue, instead moving by one byte, we can approach the boundary exponentially, achieving O(log(n)).
Give an example:
xxxxuu len=6 + | + xxx,xuu 6/2=3 fail + +--------------+-------------+ | | + + xx,xxuu 6/2^2=1 fail xxxxu,u 6-1=5 success + + +------------------+----+ | | | +-------------+ u removed + + xx,xxu 5/2=2 fail xxxx,u 6-2=4 success + | +-----------+ u removed
In some rare cases, this algorithm will fail to trim all unnecessary bytes:
xxxxxxxxxuxxxxxx xxxxxxxx-xuxxxxxx Fail xxxx-xxxxxuxxxxxx Fail xxxxxxxxxuxx-xxxx Fail ...
I think the trade-off is worth it.
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <SYCPR01MB3502D26F1BEB680CBBC169E5FCAB0@SYCPR01MB3502.ausprd01.prod.outlook.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|
7b339f28 | 11-Jan-2021 |
Qiuhao Li <Qiuhao.Li@outlook.com> |
fuzz: double the IOs to remove for every loop
Instead of removing IO instructions one by one, we can try deleting multiple instructions at once. According to the locality of reference, we double the
fuzz: double the IOs to remove for every loop
Instead of removing IO instructions one by one, we can try deleting multiple instructions at once. According to the locality of reference, we double the number of instructions to remove for the next round and recover it to one once we fail.
This patch is usually significant for large input.
Test with quadrupled trace input at: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1
Patched 1/6 version: real 0m45.904s user 0m16.874s sys 0m10.042s
Refined version: real 0m11.412s user 0m6.888s sys 0m3.325s
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <SYCPR01MB350280A67BB55C3FADF173E3FCAB0@SYCPR01MB3502.ausprd01.prod.outlook.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|
53e1a50d | 23-Oct-2020 |
Alexander Bulekov <alxndr@bu.edu> |
scripts/oss-fuzz: ignore the generic-fuzz target
generic-fuzz is not a standalone fuzzer - it requires some env variables to be set. On oss-fuzz, we set these with some predefined generic-fuzz-{...}
scripts/oss-fuzz: ignore the generic-fuzz target
generic-fuzz is not a standalone fuzzer - it requires some env variables to be set. On oss-fuzz, we set these with some predefined generic-fuzz-{...} targets, that are thin wrappers around generic-fuzz. Do not make a link for the generic-fuzz from the oss-fuzz build, so oss-fuzz does not treat it as a standalone fuzzer.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20201023150746.107063-18-alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> [thuth: Reformatted one comment to stay within the 80 columns limit] Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|