Re: [Qemu-devel] Internship idea: virtio-blk oss-fuzz support

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Bandan Das <bsd@redhat.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	Andrey Konovalov <andreyknvl@google.com>,
	qemu-devel <qemu-devel@nongnu.org>,
	Kostya Serebryany <kcc@google.com>,
	Jonathan Metzman <metzman@google.com>,
	Max Moroz <mmoroz@google.com>, Dmitry Vyukov <dvyukov@google.com>,
	Oliver Chang <ochang@google.com>,
	Nitesh Narayan Lal <nitesh@redhat.com>
Subject: Re: [Qemu-devel] Internship idea: virtio-blk oss-fuzz support
Date: Fri, 18 Jan 2019 02:51:23 -0500	[thread overview]
Message-ID: <jpgh8e6o138.fsf@linux.bootlegged.copy> (raw)
In-Reply-To: <20190114092459.GA7038@stefanha-x1.localdomain> (Stefan Hajnoczi's message of "Mon, 14 Jan 2019 09:24:59 +0000")

[Ccing Nitesh]
Stefan Hajnoczi <stefanha@gmail.com> writes:

> On Fri, Jan 11, 2019 at 05:16:40PM +0100, Paolo Bonzini wrote:
>> On 11/01/19 16:41, Max Moroz wrote:
>> > On Fri, Jan 11, 2019 at 7:34 AM Paolo Bonzini <pbonzini@redhat.com
>> > <mailto:pbonzini@redhat.com>> wrote:
>> > 
>> >     On 11/01/19 16:04, Max Moroz wrote:
>> >     > We usually have a single fuzzing process, it starts with a fuzzing
>> >     > engine's main function and is calling LLVMFuzzerTestOneInput with
>> >     > various inputs and keep mutating them based on the coverage feedback.
>> >     > Running a second process which you don't care too much about might be
>> >     > fine, but the fuzzing process should be "replacing" or should I say
>> >     > "imitating" the process whose coverage you're interested in.
>> > 
>> >     What do you mean by replacing or imitating?
>> > 
>> > To give you an example, when we fuzz ffmpeg, we do not run ffmpeg's main
>> > function. We write LLVMFuzzerTestOneInput that would do the necessary
>> > initialization, reset the state, etc, and then would pass (data, size)
>> > provided by a fuzzing engine to the API(s) we're trying to fuzz. So, in
>> > your case, there should not be a regular QEMU process, and instead the
>> > fuzz target (i.e. LLVMFuzzerTestOneInput) should be doing certain
>> > initialization (which is usually done by the QEMU process) and then call
>> > the API you want to fuzz.
>> 
>> The main issue is that we are not really testing an API and QEMU has a
>> lot of global state.
>
> With regards to the GSoC/Outreachy project, I think the mentors (me?)
> need to figure this out beforehand by experimentation.  The QEMU folks
> don't know the details of oss-fuzz and vice versa.  But with a weekend
> or two's worth of playing around we could figure out a reasonable way of
> integrating qtest/oss-fuzz.
>

If you recall, Nitesh and myself did experiment with the plumbing although
our entry point in qtest for calling the fuzzing function was simpler. Figuring out
the right entry point with a subset of absolutely necessary initialization
is what's next.

Bandan

> Then the intern has a clear direction to follow this summer and won't be
> demotivated by failed attempts at working with two codebases they are
> unfamiliar with :).
>
> Stefan

     prev parent reply	other threads:[~2019-01-18  7:58 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-09 17:34 [Qemu-devel] Internship idea: virtio-blk oss-fuzz support Stefan Hajnoczi
2019-01-10 10:46 ` Dmitry Vyukov
2019-01-10 13:40 ` Bandan Das
2019-01-10 14:01   ` Dmitry Vyukov
2019-01-10 16:07     ` Max Moroz
2019-01-10 23:25       ` Paolo Bonzini
2019-01-11  6:49         ` Stefan Hajnoczi
2019-01-11 15:04           ` Max Moroz
2019-01-11 15:33             ` Paolo Bonzini
2019-01-11 15:41               ` Max Moroz
2019-01-11 16:16                 ` Paolo Bonzini
2019-01-11 19:09                   ` Jonathan Metzman
2019-01-11 20:27                     ` Paolo Bonzini
2019-01-11 22:56                       ` Jonathan Metzman
2019-01-14  9:24                   ` Stefan Hajnoczi
2019-01-18  7:51                     ` Bandan Das [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=jpgh8e6o138.fsf@linux.bootlegged.copy \
    --to=bsd@redhat.com \
    --cc=andreyknvl@google.com \
    --cc=dvyukov@google.com \
    --cc=kcc@google.com \
    --cc=metzman@google.com \
    --cc=mmoroz@google.com \
    --cc=nitesh@redhat.com \
    --cc=ochang@google.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=stefanha@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.