Re: [RFC PATCH] memory: Fix dma-reentrancy issues at the MMIO level

2021-12-17 Thread Qiuhao Li
r may be enough. From: Klaus Jensen Sent: Friday, December 17, 2021 16:37 To: Qiuhao Li Cc: Alexander Bulekov; qemu-devel@nongnu.org; Laurent Vivier; Peter Maydell; Mauro Matteo Cascella; Daniel P. Berrangé; David Hildenbrand; Jason Wang; Bin Meng; Li Qiang; Thomas Huth; Peter Xu;

Re: [RFC PATCH] memory: Fix dma-reentrancy issues at the MMIO level

2021-12-16 Thread Qiuhao Li
ilippe Mathieu-Daudé. Should we put the reproducer above to https://gitlab.com/qemu-project/qemu/-/issues/556? From: Alexander Bulekov Sent: Friday, December 17, 2021 11:08 To: qemu-devel@nongnu.org Cc: Alexander Bulekov ; Philippe Mathieu-Daudé ; Mauro Matteo C

Re: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program

2021-10-29 Thread Qiuhao Li
rg Cc: Paolo Bonzini ; Bandan Das ; Stefan Hajnoczi ; Thomas Huth ; Darren Kenny ; Qiuhao Li Subject: Possible reward for fuzzer bug fixes? Secure Open Source Rewards Program Recently a pilot for the Secure Open Source Rewards program was announced [1]. Currently this program is run by the Linux F

[PATCH] MAINTAINERS: add fuzzing reviewer

2021-08-23 Thread Qiuhao Li
To keep me cc-ed when something changes. Suggested by Alexander. https://lists.gnu.org/archive/html/qemu-devel/2021-08/msg03631.html Signed-off-by: Qiuhao Li --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index 6b3697962c..3a979b1bc7 100644 --- a

Re: fuzz: fuzz_dma_read_cb() may overlap with MMIO regions

2021-08-23 Thread Qiuhao Li
Aha! Nice patch. My fault. I will search first next time :) Thanks. Qiuhao Li On Mon, 2021-08-23 at 08:41 -0400, Alexander Bulekov wrote: > On 210823 2034, Qiuhao Li wrote: > > I think the check in fuzz_dma_read_cb() is buggy because it doesn't > > consider when the wri

fuzz: fuzz_dma_read_cb() may overlap with MMIO regions

2021-08-23 Thread Qiuhao Li
/* ROM/RAM case */ // mr1 == sparse_mem_mr but it's not RAM or ROM <-- // May overlap with mmio regions <-- ... qtest_memwrite(qts_global, addr, buf, l); Thanks. Qiuhao Li On Mon, 2021-08-23 at 04:14 -0400, Alexander Bulekov wrote: > I'm not su

Re: [Question] fuzz: double-fetches in a memory region map session

2021-08-13 Thread Qiuhao Li
/technical-sessions/presentation/wang-pengfei [2] https://www.voidsecurity.in/2018/08/from-compiler-optimization-to-code.html Thanks, Qiuhao Li

Re: About libfuzzer in qemu

2021-03-05 Thread Qiuhao Li
e run each input in a forked process. Maybe you need to run > "set follow-fork-mode child" in gdb? Hi Alex, Just curious why you chose to use libfuzzer at first instead of AFL and its descendants like AFL++, since they use a forkserver by design, and the performance also seems better [1]. [1] https://www.fuzzbench.com/reports/2021-02-13-paper/index.html Thank you. Qiuhao Li

[Bug 1913510] [NEW] [Fuzz] qemu-system-i386 virtio-mouse: Assertion in address_space_lduw_le_cached failed

2021-01-27 Thread Qiuhao Li
Public bug reported: --[ Reproducer cat << EOF | ./build/qemu-system-i386 -machine q35,accel=qtest -nodefaults \ -device virtio-mouse -display none -qtest stdio outl 0xcf8 0x8820 outl 0xcfc 0xe0004000 outl 0xcf8 0x8804 outb 0xcfc 0x02 write 0xe000400c 0x4 0x003fe62e write 0xe0004016 0x1 0

[PATCH] fuzz: fix wrong index in clear_bits

2021-01-27 Thread Qiuhao Li
Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py index 4cba96dee2..20825768c2 100755 --- a/scripts/oss-fuzz

Re: [RFC PATCH] rtl8139: fix stack overflow if RxBuf overlaps MMIO

2021-01-12 Thread Qiuhao Li
On Tue, 2021-01-12 at 16:02 +, Peter Maydell wrote: > On Tue, 12 Jan 2021 at 15:23, Qiuhao Li > wrote: > > Fix Bug 1910826 [1] / OSS-Fuzz Issue 29224 [2]. > > > > In rtl8139.c, the function rtl8139_RxBuf_write, which sets the > > RxBuf > > (Receive Buf

[RFC PATCH] rtl8139: fix stack overflow if RxBuf overlaps MMIO

2021-01-12 Thread Qiuhao Li
.launchpad.net/bugs/1910826 [2] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29224 [3] https://www.cs.usfca.edu/~cruse/cs326f04/RTL8139D_DataSheet.pdf 5.7 Transmit Configuration Register [4] https://bugs.launchpad.net/qemu/+bug/1910826/comments/1 Signed-off-by: Qiuhao Li Reported-by: A

[Bug 1910826] Re: [OSS-Fuzz] Issue 29224 rtl8139: Stack-overflow in rtlNUMBER_transmit_one

2021-01-12 Thread Qiuhao Li
A more concise version and corresponding notes. Might help :) -- [ Reproducer cat << EOF | ../build/qemu-system-i386 -machine q35 \ -nodefaults -device rtl8139,netdev=net0 \ -netdev user,id=net0 -display none -qtest stdio outl 0xcf8 0x8804 outb 0xcfc 0x06 outl 0xcf8 0x8817 outb 0xcfc 0xf

Re: [PATCH v8 5/7] fuzz: set bits in operand of write/out to zero

2021-01-11 Thread Qiuhao Li
On Mon, 2021-01-11 at 11:26 +0100, Thomas Huth wrote: > On 11/01/2021 10.39, Qiuhao Li wrote: > > On Mon, 2021-01-11 at 10:01 +0100, Philippe Mathieu-Daudé wrote: > > > On 1/11/21 7:11 AM, Qiuhao Li wrote: > > > > Simplifying the crash cases by opportunist

Re: [PATCH v8 5/7] fuzz: set bits in operand of write/out to zero

2021-01-11 Thread Qiuhao Li
On Mon, 2021-01-11 at 10:01 +0100, Philippe Mathieu-Daudé wrote: > On 1/11/21 7:11 AM, Qiuhao Li wrote: > > Simplifying the crash cases by opportunistically setting bits in > > operands of > > out/write to zero may help to debug, since usually bit one means > > turn o

[PATCH v8 7/7] fuzz: heuristic split write based on past IOs

2021-01-10 Thread Qiuhao Li
If previous write commands write the same length of data with the same step, we view it as a hint. Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- scripts/oss-fuzz/minimize_qtest_trace.py | 56 1 file changed, 56 insertions

[PATCH v8 6/7] fuzz: add minimization options

2021-01-10 Thread Qiuhao Li
-M1: remove IO commands iteratively -M2: try setting bits in operand of write/out to zero Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- scripts/oss-fuzz/minimize_qtest_trace.py | 30 1 file changed, 26 insertions(+), 4

[PATCH v8 5/7] fuzz: set bits in operand of write/out to zero

2021-01-10 Thread Qiuhao Li
Simplifying the crash cases by opportunistically setting bits in operands of out/write to zero may help to debug, since usually bit one means turn on or trigger a function while zero is the default turn-off setting. Tested Bug 1908062. Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov

[PATCH v8 4/7] fuzz: remove IO commands iteratively

2021-01-10 Thread Qiuhao Li
ested with Bug 1908062. Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- scripts/oss-fuzz/minimize_qtest_trace.py | 41 +++- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/script

[PATCH v8 3/7] fuzz: split write operand using binary approach

2021-01-10 Thread Qiuhao Li
uxx -xuxx Fail -xuxx Fail xuxx- Fail ... I think the trade-off is worth it. Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- scripts/oss-fuzz/minimize_qtest_trace.py | 29 1 f

[PATCH v8 2/7] fuzz: double the IOs to remove for every loop

2021-01-10 Thread Qiuhao Li
with quadrupled trace input at: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 Patched 1/6 version: real 0m45.904s user 0m16.874s sys 0m10.042s Refined version: real 0m11.412s user 0m6.888s sys 0m3.325s Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov

[PATCH v8 1/7] fuzz: accelerate non-crash detection

2021-01-10 Thread Qiuhao Li
[1] https://bugs.launchpad.net/qemu/+bug/1910826 Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- scripts/oss-fuzz/minimize_qtest_trace.py | 42 +--- 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtes

[PATCH v8 0/7] fuzz: improve crash case minimization

2021-01-10 Thread Qiuhao Li
nder Bulekov Qiuhao Li (7): fuzz: accelerate non-crash detection fuzz: double the IOs to remove for every loop fuzz: split write operand using binary approach fuzz: remove IO commands iteratively fuzz: set bits in operand of write/out to zero fuzz: add minimization options fuzz: heu

Re: [PATCH v4 1/7] fuzz: accelerate non-crash detection

2021-01-10 Thread Qiuhao Li
On Sun, 2021-01-10 at 11:00 -0500, Alexander Bulekov wrote: > On 210110 2110, Qiuhao Li wrote: > > On Wed, 2021-01-06 at 23:18 -0500, Alexander Bulekov wrote: > > > On 201229 1240, Qiuhao Li wrote: > > > > We spend much time waiting for the timeout program d

[PATCH v7 0/7] fuzz: improve crash case minimization

2021-01-10 Thread Qiuhao Li
: [PATCH 3/4] typo in comments Discard: [PATCH 1/4] the hardcoded regex match for crash detection Discard: [PATCH 4/4] the delaying minimizer Thanks for the suggestions from: Alexander Bulekov Qiuhao Li (7): fuzz: accelerate non-crash detection fuzz: double the IOs to remove for every

[PATCH v7 7/7] fuzz: heuristic split write based on past IOs

2021-01-10 Thread Qiuhao Li
If previous write commands write the same length of data with the same step, we view it as a hint. Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- scripts/oss-fuzz/minimize_qtest_trace.py | 56 1 file changed, 56 insertions

[PATCH v7 3/7] fuzz: split write operand using binary approach

2021-01-10 Thread Qiuhao Li
uxx -xuxx Fail -xuxx Fail xuxx- Fail ... I think the trade-off is worth it. Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- scripts/oss-fuzz/minimize_qtest_trace.py | 29 1 f

[PATCH v7 6/7] fuzz: add minimization options

2021-01-10 Thread Qiuhao Li
-M1: remove IO commands iteratively -M2: try setting bits in operand of write/out to zero Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- scripts/oss-fuzz/minimize_qtest_trace.py | 30 1 file changed, 26 insertions(+), 4

[PATCH v7 4/7] fuzz: remove IO commands iteratively

2021-01-10 Thread Qiuhao Li
ested with Bug 1908062. Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- scripts/oss-fuzz/minimize_qtest_trace.py | 41 +++- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/script

[PATCH v7 5/7] fuzz: set bits in operand of write/out to zero

2021-01-10 Thread Qiuhao Li
Simplifying the crash cases by opportunistically setting bits in operands of out/write to zero may help to debug, since usually bit one means turn on or trigger a function while zero is the default turn-off setting. Tested Bug 1908062. Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov

[PATCH v7 2/7] fuzz: double the IOs to remove for every loop

2021-01-10 Thread Qiuhao Li
with quadrupled trace input at: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 Patched 1/6 version: real 0m45.904s user 0m16.874s sys 0m10.042s Refined version: real 0m11.412s user 0m6.888s sys 0m3.325s Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov

[PATCH v7 1/7] fuzz: accelerate non-crash detection

2021-01-10 Thread Qiuhao Li
[1] https://bugs.launchpad.net/qemu/+bug/1910826 Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 43 +--- 1 file changed, 31 insertions(+), 12 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py index

Re: [PATCH v4 1/7] fuzz: accelerate non-crash detection

2021-01-10 Thread Qiuhao Li
On Wed, 2021-01-06 at 23:18 -0500, Alexander Bulekov wrote: > On 201229 1240, Qiuhao Li wrote: > > We spend much time waiting for the timeout program during the > > minimization > > process until it passes a time limit. This patch hacks the CLOSED > > (indicates >

[PATCH v6 7/7] fuzz: heuristic split write based on past IOs

2021-01-07 Thread Qiuhao Li
If previous write commands write the same length of data with the same step, we view it as a hint. Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- scripts/oss-fuzz/minimize_qtest_trace.py | 56 1 file changed, 56 insertions

[PATCH v6 6/7] fuzz: add minimization options

2021-01-07 Thread Qiuhao Li
-M1: remove IO commands iteratively -M2: try setting bits in operand of write/out to zero Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- scripts/oss-fuzz/minimize_qtest_trace.py | 30 1 file changed, 26 insertions(+), 4

[PATCH v6 5/7] fuzz: set bits in operand of write/out to zero

2021-01-07 Thread Qiuhao Li
Simplifying the crash cases by opportunistically setting bits in operands of out/write to zero may help to debug, since usually bit one means turn on or trigger a function while zero is the default turn-off setting. Tested Bug 1908062. Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov

[PATCH v6 4/7] fuzz: remove IO commands iteratively

2021-01-07 Thread Qiuhao Li
ested with Bug 1908062. Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- scripts/oss-fuzz/minimize_qtest_trace.py | 41 +++- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/script

[PATCH v6 3/7] fuzz: split write operand using binary approach

2021-01-07 Thread Qiuhao Li
uxx -xuxx Fail -xuxx Fail xuxx- Fail ... I think the trade-off is worth it. Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- scripts/oss-fuzz/minimize_qtest_trace.py | 29 1 f

[PATCH v6 2/7] fuzz: double the IOs to remove for every loop

2021-01-07 Thread Qiuhao Li
with quadrupled trace input at: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 Patched 1/6 version: real 0m45.904s user 0m16.874s sys 0m10.042s Refined version: real 0m11.412s user 0m6.888s sys 0m3.325s Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov

[PATCH v6 1/7] fuzz: accelerate non-crash detection

2021-01-07 Thread Qiuhao Li
t: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 Original version: real 1m37.246s user 0m13.069s sys 0m8.399s Refined version: real 0m45.904s user 0m16.874s sys 0m10.042s Signed-off-by: Qiuhao Li Reviewed-by: Alexander Bulekov Tested-by: Alexander Bulekov --- script

[PATCH v6 0/7] fuzz: improve crash case minimization

2021-01-07 Thread Qiuhao Li
he hardcoded regex match for crash detection Discard: [PATCH 4/4] the delaying minimizer Thanks for the suggestions from: Alexander Bulekov Qiuhao Li (7): fuzz: accelerate non-crash detection fuzz: double the IOs to remove for every loop fuzz: split write operand using binary approach fuz

Re: [PATCH v5 0/7] fuzz: improve crash case minimization

2021-01-07 Thread Qiuhao Li
On Thu, 2021-01-07 at 23:30 -0500, Alexander Bulekov wrote: > Hi Qiuhao, > Can you add my Reviewed-by: tags to the patches that I have reviewed? > Thanks > -Alex Ok, fixed in version 6, thanks. > > On 210108 1044, Qiuhao Li wrote: > > Extend and refine the crash c

[PATCH v5 7/7] fuzz: heuristic split write based on past IOs

2021-01-07 Thread Qiuhao Li
If previous write commands write the same length of data with the same step, we view it as a hint. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 56 1 file changed, 56 insertions(+) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b

[PATCH v5 6/7] fuzz: add minimization options

2021-01-07 Thread Qiuhao Li
-M1: remove IO commands iteratively -M2: try setting bits in operand of write/out to zero Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 30 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py

[PATCH v5 5/7] fuzz: set bits in operand of write/out to zero

2021-01-07 Thread Qiuhao Li
Simplifying the crash cases by opportunistically setting bits in operands of out/write to zero may help to debug, since usually bit one means turn on or trigger a function while zero is the default turn-off setting. Tested Bug 1908062. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz

[PATCH v5 4/7] fuzz: remove IO commands iteratively

2021-01-07 Thread Qiuhao Li
ested with Bug 1908062. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 41 +++- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py index 5cf39f4e6e..45c16

[PATCH v5 3/7] fuzz: split write operand using binary approach

2021-01-07 Thread Qiuhao Li
uxx -xuxx Fail -xuxx Fail xuxx- Fail ... I think the trade-off is worth it. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 29 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/s

[PATCH v5 2/7] fuzz: double the IOs to remove for every loop

2021-01-07 Thread Qiuhao Li
with quadrupled trace input at: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 Patched 1/6 version: real 0m45.904s user 0m16.874s sys 0m10.042s Refined version: real 0m11.412s user 0m6.888s sys 0m3.325s Signed-off-by: Qiuhao Li --- scripts/oss-fuzz

[PATCH v5 1/7] fuzz: accelerate non-crash detection

2021-01-07 Thread Qiuhao Li
t: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 Original version: real 1m37.246s user 0m13.069s sys 0m8.399s Refined version: real 0m45.904s user 0m16.874s sys 0m10.042s Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 39 1 file c

[PATCH v5 0/7] fuzz: improve crash case minimization

2021-01-07 Thread Qiuhao Li
rd: [PATCH 4/4] the delaying minimizer Thanks for the suggestions from: Alexander Bulekov Qiuhao Li (7): fuzz: accelerate non-crash detection fuzz: double the IOs to remove for every loop fuzz: split write operand using binary approach fuzz: remove IO commands iteratively fuzz:

Re: [PATCH v4 4/7] fuzz: loop the remove minimizer and refactoring

2021-01-07 Thread Qiuhao Li
On Wed, 2021-01-06 at 23:53 -0500, Alexander Bulekov wrote: > On 201229 1240, Qiuhao Li wrote: > > Now we use a one-time scan and remove strategy in the removal > > minimizer, > > which is not suitable for timing dependent instructions. > > > > For example, instr

Re: [PATCH v4 1/7] fuzz: accelerate non-crash detection

2021-01-07 Thread Qiuhao Li
On Wed, 2021-01-06 at 23:18 -0500, Alexander Bulekov wrote: > On 201229 1240, Qiuhao Li wrote: > > We spend much time waiting for the timeout program during the > > minimization > > process until it passes a time limit. This patch hacks the CLOSED > > (indicates >

Ping: [PATCH v4 0/7] fuzz: improve crash case minimization

2021-01-05 Thread Qiuhao Li
Kindly ping :) Wondering if there is anything wrong with this patch? On Tue, 2020-12-29 at 12:39 +0800, Qiuhao Li wrote: > Extend and refine the crash case minimization process. > > Test input: > Bug 1909261 full_reproducer > 6500 QTest instructions (write mostly) &g

[PATCH v4 6/7] fuzz: add minimization options

2020-12-28 Thread Qiuhao Li
-M1: loop around the remove minimizer -M2: try setting bits in operand of write/out to zero Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 32 +++- 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py

[PATCH v4 5/7] fuzz: set bits in operand of write/out to zero

2020-12-28 Thread Qiuhao Li
Simplifying the crash cases by opportunistically setting bits in operands of out/write to zero may help to debug, since usually bit one means turn on or trigger a function while zero is the default turn-off setting. Tested Bug 1908062. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz

[PATCH v4 3/7] fuzz: split write operand using binary approach

2020-12-28 Thread Qiuhao Li
uxx -xuxx Fail -xuxx Fail xuxx- Fail ... I think the trade-off is worth it. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 29 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/s

[PATCH v4 4/7] fuzz: loop the remove minimizer and refactoring

2020-12-28 Thread Qiuhao Li
rging. Tested with Bug 1908062. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 41 +++- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py index 1a26b

[PATCH v4 7/7] fuzz: heuristic split write based on past IOs

2020-12-28 Thread Qiuhao Li
If previous write commands write the same length of data with the same step, we view it as a hint. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 56 1 file changed, 56 insertions(+) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b

[PATCH v4 2/7] fuzz: double the IOs to remove for every loop

2020-12-28 Thread Qiuhao Li
with quadrupled trace input at: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 Patched 1/6 version: real 0m45.904s user 0m16.874s sys 0m10.042s Refined version: real 0m11.412s user 0m6.888s sys 0m3.325s Signed-off-by: Qiuhao Li --- scripts/oss-fuzz

[PATCH v4 1/7] fuzz: accelerate non-crash detection

2020-12-28 Thread Qiuhao Li
t: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 Original version: real 1m37.246s user 0m13.069s sys 0m8.399s Refined version: real 0m45.904s user 0m16.874s sys 0m10.042s Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 41 1 file c

[PATCH v4 0/7] fuzz: improve crash case minimization

2020-12-28 Thread Qiuhao Li
estions from: Alexander Bulekov Qiuhao Li (7): fuzz: accelerate non-crash detection fuzz: double the IOs to remove for every loop fuzz: split write operand using binary approach fuzz: loop the remove minimizer and refactoring fuzz: set bits in operand of write/out to zero fuzz: add minimiza

[PATCH v3 6/7] fuzz: set bits in operand of write/out to zero

2020-12-28 Thread Qiuhao Li
Simplifying the crash cases by opportunistically setting bits in operands of out/write to zero may help to debug, since usually bit one means turn on or trigger a function while zero is the default turn-off setting. Tested Bug 1908062. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz

[PATCH v3 7/7] fuzz: heuristic split write based on past IOs

2020-12-28 Thread Qiuhao Li
If previous write commands write the same length of data with the same step, we view it as a hint. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 55 1 file changed, 55 insertions(+) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b

[PATCH v3 4/7] fuzz: loop the remove minimizer and refactoring

2020-12-28 Thread Qiuhao Li
rging. Tested with Bug 1908062. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 80 +++- 1 file changed, 65 insertions(+), 15 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py index 1a26b

[PATCH v3 3/7] fuzz: split write operand using binary approach

2020-12-28 Thread Qiuhao Li
uxx -xuxx Fail -xuxx Fail xuxx- Fail ... I think the trade-off is worth it. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 29 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/s

[PATCH v3 5/7] fuzz: add minimization options

2020-12-28 Thread Qiuhao Li
-M1: loop around the remove minimizer -M2: try setting bits in operand of write/out to zero Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 30 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/scripts/oss-fuzz

[PATCH v3 2/7] fuzz: double the IOs to remove for every loop

2020-12-28 Thread Qiuhao Li
with quadrupled trace input at: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 Patched 1/6 version: real 0m45.904s user 0m16.874s sys 0m10.042s Refined version: real 0m11.412s user 0m6.888s sys 0m3.325s Signed-off-by: Qiuhao Li --- scripts/oss-fuzz

[PATCH v3 1/7] fuzz: accelerate non-crash detection

2020-12-28 Thread Qiuhao Li
t: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 Original version: real 1m37.246s user 0m13.069s sys 0m8.399s Refined version: real 0m45.904s user 0m16.874s sys 0m10.042s Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 41 1 file c

[PATCH v3 0/7] fuzz: improve crash case minimization

2020-12-28 Thread Qiuhao Li
4/7] New: [PATCH v2 6/7] New: [PATCH v2 7/7] Fix: [PATCH 2/4] split using binary approach Fix: [PATCH 3/4] typo in comments Discard: [PATCH 1/4] the hardcoded regex match for crash detection Discard: [PATCH 4/4] the delaying minimizer Thanks for the suggestions from: Alexander Bul

[PATCH v2 7/7] fuzz: heuristic split write based on past IOs

2020-12-27 Thread Qiuhao Li
If previous write commands write the same length of data with the same step, we view it as a hint. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 55 1 file changed, 55 insertions(+) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b

[PATCH v2 5/7] fuzz: set bits in operand of write/out to zero

2020-12-27 Thread Qiuhao Li
Simplifying the crash cases by opportunistically setting bits in operands of out/write to zero may help to debug, since usually bit one means turn on or trigger a function while zero is the default turn-off setting. Tested Bug 1908062. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz

[PATCH v2 6/7] fuzz: add minimization options

2020-12-27 Thread Qiuhao Li
-M1: loop around the remove minimizer -M2: try setting bits in operand of write/out to zero Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 30 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py

[PATCH v2 2/7] fuzz: double the IOs to remove for every loop

2020-12-27 Thread Qiuhao Li
with quadrupled trace input at: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 Patched 1/6 version: real 0m45.904s user 0m16.874s sys 0m10.042s Refined version: real 0m11.412s user 0m6.888s sys 0m3.325s Signed-off-by: Qiuhao Li --- scripts/oss-fuzz

[PATCH v2 4/7] fuzz: loop the remove minimizer and refactoring

2020-12-27 Thread Qiuhao Li
rging. Tested with Bug 1908062. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 41 +++- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py index dd6ee

[PATCH v2 3/7] fuzz: split write operand using binary approach

2020-12-27 Thread Qiuhao Li
uxx -xuxx Fail -xuxx Fail xuxx- Fail ... I think the trade-off is worth it. Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 29 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/s

[PATCH v2 1/7] fuzz: accelerate non-crash detection

2020-12-27 Thread Qiuhao Li
t: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 Original version: real 1m37.246s user 0m13.069s sys 0m8.399s Refined version: real 0m45.904s user 0m16.874s sys 0m10.042s Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 41 1 file c

[PATCH v2 0/7] fuzz: improve crash case minimization

2020-12-27 Thread Qiuhao Li
H v2 7/7] Fix: [PATCH 2/4] split using binary approach Fix: [PATCH 3/4] typo in comments Discard: [PATCH 1/4] the hardcoded regex match for crash detection Discard: [PATCH 4/4] the delaying minimizer Thanks for the suggestions from: Alexander Bulekov Qiuhao Li (7): fuzz: accelerate non-

Re: [PATCH 4/4] fuzz: delay IO until they can't trigger the crash

2020-12-23 Thread Qiuhao Li
On Tue, 2020-12-22 at 13:30 -0500, Alexander Bulekov wrote: > On 201222 1922, Qiuhao Li wrote: > > On Mon, 2020-12-21 at 16:17 -0500, Alexander Bulekov wrote: > > > On 201220 0256, Qiuhao Li wrote: > > > > Since programmers usually trigger an IO just before they n

Re: [PATCH 1/4] fuzz: refine crash detection mechanism

2020-12-22 Thread Qiuhao Li
This email looks empty. Is this intentional? On Mon, 2020-12-21 at 13:46 -0500, Alexander Bulekov wrote: >

Re: [PATCH 4/4] fuzz: delay IO until they can't trigger the crash

2020-12-22 Thread Qiuhao Li
On Mon, 2020-12-21 at 16:17 -0500, Alexander Bulekov wrote: > On 201220 0256, Qiuhao Li wrote: > > Since programmers usually trigger an IO just before they need it. > > Try to > > delay some IO instructions may help us better understanding the > > timing > > co

Re: [PATCH 3/4] fuzz: setting bits in operand of out/write to zero

2020-12-22 Thread Qiuhao Li
On Mon, 2020-12-21 at 15:35 -0500, Alexander Bulekov wrote: > On 201220 0256, Qiuhao Li wrote: > > Simplifying the crash cases by opportunistically setting bits in > > operands of > > out/write to zero may help to debug, since usually bit one means > > turn on > >

Re: [PATCH 2/4] fuzz: split QTest writes from the rightmost byte

2020-12-22 Thread Qiuhao Li
On Mon, 2020-12-21 at 15:01 -0500, Alexander Bulekov wrote: > Qiuhao Li writes: > > > Currently, we split the write commands' data from the middle. If it > > does not > > work, try to move the pivot "left" and retry until there is no > > space left.

[PATCH 4/4] fuzz: delay IO until they can't trigger the crash

2020-12-19 Thread Qiuhao Li
0x0 Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 21 + 1 file changed, 21 insertions(+) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py index f3e88064c4..da7aa73b3c 100755 --- a/scripts/oss-fuzz

[PATCH 2/4] fuzz: split QTest writes from the rightmost byte

2020-12-19 Thread Qiuhao Li
write 0xc33002 0x1 0x8a Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py index d3b09e6567..855c3bcb54 1

[PATCH 3/4] fuzz: setting bits in operand of out/write to zero

2020-12-19 Thread Qiuhao Li
e 0x5c 0x1 0x19 write 0xc33002 0x1 0x0 <-- write 0xc33002 0x1 0x8a Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 42 +++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py

[PATCH 1/4] fuzz: refine crash detection mechanism

2020-12-19 Thread Qiuhao Li
input that doesn't crash Trace input that crashes Qtest Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 59 ++-- 1 file changed, 46 insertions(+), 13 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_q

[PATCH 0/4] improve crash case minimization

2020-12-19 Thread Qiuhao Li
Extend and refine the crash case minimization process. I forgot to cc some reviewers in the last patch, so I merged it as the first one in this patch series. Qiuhao Li (4): fuzz: refine crash detection mechanism fuzz: split QTest writes from the rightmost byte fuzz: setting bits in operand

[PATCH] fuzz: refine crash detection mechanism

2020-12-18 Thread Qiuhao Li
input that doesn't crash Trace input that crashes Qtest Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 60 +++- 1 file changed, 47 insertions(+), 13 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_q

[Bug 1890333] Re: [OSS-Fuzz] Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr

2020-12-15 Thread Qiuhao Li
There is a new bug that fails the same assertion, and maybe its minimized producer will help: https://bugs.launchpad.net/qemu/+bug/1908062 -- You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1890333 Tit

[Bug 1890333] Re: [OSS-Fuzz] Issue 26797: qemu:qemu-fuzz-i386-target-generic-fuzz-virtio-blk: ASSERT: addr < cache->len && 2 <= cache->len - addr

2020-12-15 Thread Qiuhao Li
Hi, It seems while the minimized producer doesn't fail the assertion now, the original reproducer provided by OSS-Fuzz[1] can still crash the latest QEMU (1758428, Dec 12, built with --enable-sanitizers --enable-fuzzing). Could anyone check if they trigger different bugs? Tested on: Ubuntu: 20

[Bug 1908062] Re: qemu-system-i386 virtio-vga: Assertion in address_space_stw_le_cached failed again

2020-12-14 Thread Qiuhao Li
--[ Original Fuzzing output ./build/qemu-fuzz-i386 --fuzz-target=generic-fuzz-virtio-vga ../fuzz/20201208/crash-da778083c63d2b24d8f7780383b2602a7a156352 qemu-fuzz-i386: /home/qiuhao/hack/qemu/include/exec/memory_ldst_cached.h.inc:88: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr,

[Bug 1908062] [NEW] qemu-system-i386 virtio-vga: Assertion in address_space_stw_le_cached failed again

2020-12-14 Thread Qiuhao Li
Public bug reported: When I was fuzzing the virtio-vga device of the latest QEMU (1758428, Dec 12, built with --enable-sanitizers --enable-fuzzing), an assertion failed in include/exec/memory_ldst_cached.h.inc. --[ Reproducer cat << EOF | ./build/i386-softmmu/qemu-system-i386 -machine accel=qtest \