author | Qiuhao Li <Qiuhao.Li@outlook.com> | 2021-01-11 14:11:51 +0800 |
committer | Thomas Huth <thuth@redhat.com> | 2021-01-11 14:59:21 +0100 |
commit | dd21ed0edfe3e70aed3d672728198d2825963796 (patch) | |
tree | a192da9de0ef55c0f398475e5d8f925344b34b58 /scripts/oss-fuzz | |
parent | 9d20f2af535a928a20eb4e5fcb782f9d43dae5ac (diff) | |
download | qemu-dd21ed0edfe3e70aed3d672728198d2825963796.zip qemu-dd21ed0edfe3e70aed3d672728198d2825963796.tar.gz qemu-dd21ed0edfe3e70aed3d672728198d2825963796.tar.bz2 |
fuzz: add minimization options
-M1: remove IO commands iteratively
-M2: try setting bits in operand of write/out to zero
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <SYCPR01MB350204C52E7A39E6B0EEC870FCAB0@SYCPR01MB3502.ausprd01.prod.outlook.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Diffstat (limited to 'scripts/oss-fuzz')
-rwxr-xr-x | scripts/oss-fuzz/minimize_qtest_trace.py | 30 |
1 files changed, 26 insertions, 4 deletions
diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py
index 219858a..0e59bdb 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -16,6 +16,10 @@ QEMU_PATH = None
 TIMEOUT = 5
 CRASH_TOKEN = None
+# Minimization levels
+M1 = False # try removing IO commands iteratively
+M2 = False # try setting bits in operand of write/out to zero
+
 write_suffix_lookup = {"b": (1, "B"),
 "w": (2, "H"),
 "l": (4, "L"),
@@ -23,10 +27,20 @@ write_suffix_lookup = {"b": (1, "B"),
 def usage():
 sys.exit("""\
-Usage: QEMU_PATH="/path/to/qemu" QEMU_ARGS="args" {} input_trace output_trace
+Usage:
+
+QEMU_PATH="/path/to/qemu" QEMU_ARGS="args" {} [Options] input_trace output_trace
+
 By default, will try to use the second-to-last line in the output to identify
 whether the crash occred. Optionally, manually set a string that idenitifes the
 crash by setting CRASH_TOKEN=
+
+Options:
+
+-M1: enable a loop around the remove minimizer, which may help decrease some
+ timing dependant instructions. Off by default.
+-M2: try setting bits in operand of write/out to zero. Off by default.
+
 """.format((sys.argv[0])))
 deduplication_note = """\n\
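Review bot: The new help text added to the usage() string has a spelling error in the -M1 description: `timing dependant instructions` should read `timing dependent instructions`. The neighbouring pre-existing lines carry the same kind of slip (`occred`, `idenitifes`) and could be corrected in the same edit, even though the commit does not touch them. usage() is entirely within the hunk, so the fix is self-contained.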
@@ -216,24 +230,32 @@ def minimize_trace(inpath, outpath):
 print("Setting the timeout for {} seconds".format(TIMEOUT))
 newtrace = trace[:]
+ global M1, M2
 # remove lines
 old_len = len(newtrace) + 1
 while(old_len > len(newtrace)):
 old_len = len(newtrace)
+ print("trace lenth = ", old_len)
 remove_lines(newtrace, outpath)
+ if not M1 and not M2:
+ break
 newtrace = list(filter(lambda s: s != "", newtrace))
 assert(check_if_trace_crashes(newtrace, outpath))
 # set bits to zero
- clear_bits(newtrace, outpath)
+ if M2:
+ clear_bits(newtrace, outpath)
 assert(check_if_trace_crashes(newtrace, outpath))
 if __name__ == '__main__':
 if len(sys.argv) < 3:
 usage()
-
+ if "-M1" in sys.argv:
+ M1 = True
+ if "-M2" in sys.argv:
+ M2 = True
 QEMU_PATH = os.getenv("QEMU_PATH")
 QEMU_ARGS = os.getenv("QEMU_ARGS")
 if QEMU_PATH is None or QEMU_ARGS is None:
@@ -242,4 +264,4 @@ if __name__ == '__main__':
 # QEMU_ARGS += " -accel qtest"
 CRASH_TOKEN = os.getenv("CRASH_TOKEN")
 QEMU_ARGS += " -qtest stdio -monitor none -serial none "
- minimize_trace(sys.argv[1], sys.argv[2])
+ minimize_trace(sys.argv[-2], sys.argv[-1])
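Review bot: The option handling added under `if __name__ == '__main__':` only scans `sys.argv` for `-M1`/`-M2` and keeps the old `len(sys.argv) < 3` check, so an invocation like `script -M1 input` passes the length check and the new `minimize_trace(sys.argv[-2], sys.argv[-1])` in the last hunk receives `-M1` as the input path and the user's crashing trace as the output path — unless minimize_trace fails on opening the input first, that trace file is the one that gets overwritten. Splitting flags from positional arguments and requiring exactly two positionals (and only known flags) removes that failure mode; the rewrite below replaces the four `if "-Mx" in sys.argv` lines and the final call. In the loop above, the new `if not M1 and not M2: break` also means `-M2` alone re-runs the remove minimizer, while the help text attributes the loop to `-M1` only; if that is unintended the condition should be `if not M1: break`. The new progress line has a typo and should read `print("trace length = ", old_len)`. minimize_trace's body starts outside the hunk.
```python
if __name__ == '__main__':
    # flags are the arguments starting with "-"; everything else is a path
    opts = [a for a in sys.argv[1:] if a.startswith("-")]
    paths = [a for a in sys.argv[1:] if not a.startswith("-")]
    # exactly two positional arguments and only the known flags are accepted
    if len(paths) != 2 or not set(opts) <= {"-M1", "-M2"}:
        usage()
    M1 = "-M1" in opts
    M2 = "-M2" in opts
    # … unchanged: QEMU_PATH / QEMU_ARGS / CRASH_TOKEN setup …
    minimize_trace(paths[0], paths[1])
```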