diff options
author | Peter Maydell <peter.maydell@linaro.org> | 2021-03-17 22:18:54 +0000 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2021-03-17 22:18:54 +0000 |
commit | 56b89f455894e4628ad7994fe5dd348145d1a9c5 (patch) | |
tree | 63092421a2db4aa8d6405072a74cef28f76192b4 /docs | |
parent | 571d413b5da6bc6f1c2aaca8484717642255ddb0 (diff) | |
parent | 8b858f9998a9d59a9a7188f2c5c6ffb99eff6115 (diff) |
Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging
* add --enable/--disable-libgio to configure (Denis)
* small fixes (Pavel, myself)
* fuzzing update (Alexander)
# gpg: Signature made Tue 16 Mar 2021 18:30:38 GMT
# gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg: issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* remotes/bonzini-gitlab/tags/for-upstream:
qemu-timer: allow freeing a NULL timer
hw/i8254: fix vmstate load
scsi: fix sense code for EREMOTEIO
Revert "accel: kvm: Add aligment assert for kvm_log_clear_one_slot"
configure: add option to explicitly enable/disable libgio
fuzz: move some DMA hooks
fuzz: configure a sparse-mem device, by default
memory: add a sparse memory device for fuzzing
fuzz: add a am53c974 generic-fuzzer config
fuzz: add instructions for building reproducers
fuzz: add a script to build reproducers
fuzz: don't leave orphan llvm-symbolizers around
fuzz: fix the pro100 generic-fuzzer config
MAINTAINERS: Cover fuzzer reproducer tests within 'Device Fuzzing'
tests/qtest: Only run fuzz-virtio-scsi when virtio-scsi is available
tests/qtest: Only run fuzz-megasas-test if megasas device is available
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'docs')
-rw-r--r-- | docs/devel/fuzzing.rst | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/docs/devel/fuzzing.rst b/docs/devel/fuzzing.rst index 97797c4f8c..2749bb9bed 100644 --- a/docs/devel/fuzzing.rst +++ b/docs/devel/fuzzing.rst @@ -210,6 +210,62 @@ Build details: - The script responsible for building the fuzzers can be found in the QEMU source tree at ``scripts/oss-fuzz/build.sh`` +Building Crash Reproducers +----------------------------------------- +When we find a crash, we should try to create an independent reproducer, that +can be used on a non-fuzzer build of QEMU. This filters out any potential +false-positives, and improves the debugging experience for developers. +Here are the steps for building a reproducer for a crash found by the +generic-fuzz target. + +- Ensure the crash reproduces:: + + qemu-fuzz-i386 --fuzz-target... ./crash-... + +- Gather the QTest output for the crash:: + + QEMU_FUZZ_TIMEOUT=0 QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \ + qemu-fuzz-i386 --fuzz-target... ./crash-... &> /tmp/trace + +- Reorder and clean-up the resulting trace:: + + scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py /tmp/trace > /tmp/reproducer + +- Get the arguments needed to start qemu, and provide a path to qemu:: + + less /tmp/trace # The args should be logged at the top of this file + export QEMU_ARGS="-machine ..." + export QEMU_PATH="path/to/qemu-system" + +- Ensure the crash reproduces in qemu-system:: + + $QEMU_PATH $QEMU_ARGS -qtest stdio < /tmp/reproducer + +- From the crash output, obtain some string that identifies the crash. This + can be a line in the stack-trace, for example:: + + export CRASH_TOKEN="hw/usb/hcd-xhci.c:1865" + +- Minimize the reproducer:: + + scripts/oss-fuzz/minimize_qtest_trace.py -M1 -M2 \ + /tmp/reproducer /tmp/reproducer-minimized + +- Confirm that the minimized reproducer still crashes:: + + $QEMU_PATH $QEMU_ARGS -qtest stdio < /tmp/reproducer-minimized + +- Create a one-liner reproducer that can be sent over email:: + + ./scripts/oss-fuzz/output_reproducer.py -bash /tmp/reproducer-minimized + +- Output the C source code for a test case that will reproduce the bug:: + + ./scripts/oss-fuzz/output_reproducer.py -owner "John Smith <john@smith.com>"\ + -name "test_function_name" /tmp/reproducer-minimized + +- Report the bug and send a patch with the C reproducer upstream + Implementation Details / Fuzzer Lifecycle ----------------------------------------- |