From patchwork Fri Aug 25 16:43:43 2017
X-Patchwork-Submitter: George Dunlap
X-Patchwork-Id: 9922507
From: George Dunlap
Date: Fri, 25 Aug 2017 17:43:43 +0100
Message-ID: <20170825164343.29015-14-george.dunlap@citrix.com>
In-Reply-To: <20170825164343.29015-1-george.dunlap@citrix.com>
Cc: Ian Jackson, Wei Liu, George Dunlap, Jan Beulich, Andrew Cooper
Subject: [Xen-devel] [PATCH 14/14] fuzz/x86_emulate: Add an option to limit the number of instructions executed
List-Id: Xen developer discussion

AFL considers a testcase to be a useful addition not only if there are tuples exercised by that testcase which were not exercised otherwise, but also if the *number* of times an individual tuple is exercised changes significantly; in particular, if the number of the highest bit changes (i.e., if it is run 1, 2-3, 4-7, 8-15, &c).

Unfortunately, one simple way to increase these stats is to execute the same (or similar) instructions multiple times. Such long testcases take exponentially longer to fuzz: the fuzzer spends more time flipping bits looking for meaningful changes, and each execution takes longer because it is doing more things. So long paths which add nothing to the actual code coverage effectively "distract" the fuzzer, making it less effective.

Experiments have shown that not allowing an infinite number of instruction retries for the old (non-compact) format does indeed speed up and increase code coverage. However, they have also shown that on the new, more compact format, having no instruction limit causes the highest throughput in code coverage. So leave the option in, but have it default to 0 (no limit).
Signed-off-by: George Dunlap --- CC: Ian Jackson CC: Wei Liu CC: Andrew Cooper CC: Jan Beulich --- tools/fuzz/x86_instruction_emulator/afl-harness.c | 9 ++++++++- tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 7 ++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/tools/fuzz/x86_instruction_emulator/afl-harness.c b/tools/fuzz/x86_instruction_emulator/afl-harness.c index 86c1241784..5cc6ba39ff 100644 --- a/tools/fuzz/x86_instruction_emulator/afl-harness.c +++ b/tools/fuzz/x86_instruction_emulator/afl-harness.c @@ -15,6 +15,7 @@ static uint8_t input[INPUT_SIZE]; extern bool opt_compact; extern bool opt_rerun; +extern int opt_instruction_limit; int main(int argc, char **argv) { @@ -34,11 +35,13 @@ int main(int argc, char **argv) OPT_MIN_SIZE, OPT_COMPACT, OPT_RERUN, + OPT_INSTRUCTION_LIMIT, }; static const struct option lopts[] = { { "min-input-size", no_argument, NULL, OPT_MIN_SIZE }, { "compact", required_argument, NULL, OPT_COMPACT }, { "rerun", no_argument, NULL, OPT_RERUN }, + { "instruction-limit", required_argument, NULL, OPT_INSTRUCTION_LIMIT }, { 0, 0, 0, 0 } }; int c = getopt_long_only(argc, argv, "", lopts, NULL); @@ -61,8 +64,12 @@ int main(int argc, char **argv) opt_rerun = true; break; + case OPT_INSTRUCTION_LIMIT: + opt_instruction_limit = atoi(optarg); + break; + case '?': - printf("Usage: %s [--compact=0|1] [--rerun] $FILE [$FILE...] | [--min-input-size]\n", argv[0]); + printf("Usage: %s [--compact=0|1] [--rerun] [--instruction-limit=N] $FILE [$FILE...] | [--min-input-size]\n", argv[0]); exit(-1); break; diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c index 7a07e7e37a..46c382db11 100644 --- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c +++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c 
@@ -960,10 +960,13 @@ void setup_fuzz_state(struct fuzz_state *state, const uint8_t *data_p, size_t si state->data_num = size; } +int opt_instruction_limit = 0; + int runtest(struct fuzz_state *state) { int rc; struct x86_emulate_ctxt *ctxt = &state->ctxt; + int icount = 0; state->ops = all_fuzzer_ops; @@ -988,7 +991,9 @@ int runtest(struct fuzz_state *state) { rc = x86_emulate(ctxt, &state->ops); printf("Emulation result: %d\n", rc); - } while ( rc == X86EMUL_OKAY ); + } while ( rc == X86EMUL_OKAY && + (!opt_instruction_limit || + (++icount < opt_instruction_limit)) ); save_fpu_state(state->fxsave);
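Review bot: in the afl-harness.c hunk at `@@ -15,6 +15,7 @@`, `extern int opt_instruction_limit;` is a third hand-written extern for a variable that is defined in fuzz-emul.c, so the type of the declaration and the definition can drift silently between the two files; a small shared header declaring opt_compact, opt_rerun and opt_instruction_limit would remove that risk. Style point only, the change itself is fine.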
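Review bot: in the afl-harness.c hunk at `@@ -61,8 +64,12 @@`, `opt_instruction_limit = atoi(optarg);` does no validation: `--instruction-limit=abc` silently becomes 0 (no limit), and a negative value is stored as-is, which the loop in runtest() then treats as "stop after the first instruction" because `++icount < opt_instruction_limit` is false from the first iteration. Suggest parsing with strtol(), checking the end pointer, and rejecting values below 0 (or documenting that values <= 0 mean unlimited), and extending the usage string so that `[--instruction-limit=N]` says N=0 is the default and means no limit.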
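Review bot: in the fuzz-emul.c hunk at `@@ -960,10 +960,13 @@`, `int opt_instruction_limit = 0;` is dropped between setup_fuzz_state() and runtest() without a comment, so the meaning of 0 (no limit) survives only in the commit message. A one-line comment at the definition, and placing it next to the other opt_* globals, would help the next reader; `int icount = 0;` is fine as is.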
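Review bot: in the fuzz-emul.c hunk at `@@ -988,7 +991,9 @@`, hitting the limit leaves rc == X86EMUL_OKAY, so the existing "Emulation result: %d" output cannot tell a budget-exhausted run from any other, which matters when a crash only reproduces with a particular limit. Since the loop already prints per-instruction results, a line such as `printf("Instruction limit %d reached\n", opt_instruction_limit);` on that exit path would make limited runs easier to triage. The arithmetic itself is right: with `++icount < opt_instruction_limit` a limit of N emulates exactly N instructions, since icount reaches N after the Nth call.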