search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
target/mips: Simplify decode_opc_mxu() ifdef'ry
[qemu/ar7.git] / scripts / oss-fuzz / reorder_fuzzer_qtest_trace.py
blob890e1def856bfe9db2d37a9e334550e41f9dde07
1 #!/usr/bin/env python3
2 # -*- coding: utf-8 -*-
3
4 """
5 Use this to convert qtest log info from a generic fuzzer input into a qtest
6 trace that you can feed into a standard qemu-system process. Example usage:
7
8 QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \
9 ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz
10 # .. Finds some crash
11 QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \
12 QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \
13 ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz
14 /path/to/crash 2> qtest_log_output
15 scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py qtest_log_output > qtest_trace
16 ./i386-softmmu/qemu-fuzz-i386 -machine q35,accel=qtest \
17 -qtest stdin < qtest_trace
18
19 ### Details ###
20
21 Some fuzzer make use of hooks that allow us to populate some memory range, just
22 before a DMA read from that range. This means that the fuzzer can produce
23 activity that looks like:
24 [start] read from mmio addr
25 [end] read from mmio addr
26 [start] write to pio addr
27 [start] fill a DMA buffer just in time
28 [end] fill a DMA buffer just in time
29 [start] fill a DMA buffer just in time
30 [end] fill a DMA buffer just in time
31 [end] write to pio addr
32 [start] read from mmio addr
33 [end] read from mmio addr
34
35 We annotate these "nested" DMA writes, so with QTEST_LOG=1 the QTest trace
36 might look something like:
37 [R +0.028431] readw 0x10000
38 [R +0.028434] outl 0xc000 0xbeef # Triggers a DMA read from 0xbeef and 0xbf00
39 [DMA][R +0.034639] write 0xbeef 0x2 0xAAAA
40 [DMA][R +0.034639] write 0xbf00 0x2 0xBBBB
41 [R +0.028431] readw 0xfc000
42
43 This script would reorder the above trace so it becomes:
44 readw 0x10000
45 write 0xbeef 0x2 0xAAAA
46 write 0xbf00 0x2 0xBBBB
47 outl 0xc000 0xbeef
48 readw 0xfc000
49
50 I.e. by the time, 0xc000 tries to read from DMA, those DMA buffers have already
51 been set up, removing the need for the DMA hooks. We can simply provide this
52 reordered trace via -qtest stdio to reproduce the input
53
54 Note: this won't work for traces where the device tries to read from the same
55 DMA region twice in between MMIO/PIO commands. E.g:
56 [R +0.028434] outl 0xc000 0xbeef
57 [DMA][R +0.034639] write 0xbeef 0x2 0xAAAA
58 [DMA][R +0.034639] write 0xbeef 0x2 0xBBBB
59
60 The fuzzer will annotate suspected double-fetches with [DOUBLE-FETCH]. This
61 script looks for these tags and warns the users that the resulting trace might
62 not reproduce the bug.
63 """
64
65 import sys
66
67 __author__ = "Alexander Bulekov <alxndr@bu.edu>"
68 __copyright__ = "Copyright (C) 2020, Red Hat, Inc."
69 __license__ = "GPL version 2 or (at your option) any later version"
70
71 __maintainer__ = "Alexander Bulekov"
72 __email__ = "alxndr@bu.edu"
73
74
75 def usage():
76 sys.exit("Usage: {} /path/to/qtest_log_output".format((sys.argv[0])))
77
78
79 def main(filename):
80 with open(filename, "r") as f:
81 trace = f.readlines()
82
83 # Leave only lines that look like logged qtest commands
84 trace[:] = [x.strip() for x in trace if "[R +" in x
85 or "[S +" in x and "CLOSED" not in x]
86
87 for i in range(len(trace)):
88 if i+1 < len(trace):
89 if "[DMA]" in trace[i+1]:
90 if "[DOUBLE-FETCH]" in trace[i+1]:
91 sys.stderr.write("Warning: Likely double fetch on line"
92 "{}.\n There will likely be problems "
93 "reproducing behavior with the "
94 "resulting qtest trace\n\n".format(i+1))
95 trace[i], trace[i+1] = trace[i+1], trace[i]
96 for line in trace:
97 print(line.split("]")[-1].strip())
98
99
100 if __name__ == '__main__':
101 if len(sys.argv) == 1:
102 usage()
103 main(sys.argv[1])
AR7 emulation for QEMU