From: Darren Kenny <darren.kenny@oracle.com>
To: Alexander Bulekov <alxndr@bu.edu>, qemu-devel@nongnu.org
Cc: Thomas Huth <thuth@redhat.com>,
f4bug@amsat.org, Alexander Bulekov <alxndr@bu.edu>,
bsd@redhat.com, stefanha@redhat.com,
Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH 2/2] fuzz: add instructions for building reproducers
Date: Mon, 15 Mar 2021 11:42:21 +0000
Message-ID: <m24khctzhe.fsf@oracle.com>
In-Reply-To: <20210314042358.682136-3-alxndr@bu.edu>
On Saturday, 2021-03-13 at 23:23:57 -05, Alexander Bulekov wrote:
> We have several scripts that help build reproducers, but no
> documentation for how they should be used. Add some documentation
>
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
> ---
> docs/devel/fuzzing.rst | 45 ++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 45 insertions(+)
>
> diff --git a/docs/devel/fuzzing.rst b/docs/devel/fuzzing.rst
> index 97797c4f8c..025fb0c19b 100644
> --- a/docs/devel/fuzzing.rst
> +++ b/docs/devel/fuzzing.rst
> @@ -210,6 +210,51 @@ Build details:
> - The script responsible for building the fuzzers can be found in the
> QEMU source tree at ``scripts/oss-fuzz/build.sh``
>
> +Building Crash Reproducers
> +-----------------------------------------
> +When we find a crash, we should try to create an independent reproducer, that
> +can be used on a non-fuzzer build of QEMU. This filters out any potential
> +false-positives, and improves the debugging experience for developers.
> +Here are the steps for building a reproducer for a crash found by the
> +generic-fuzz target.
> + - Ensure the crash reproduces::
> + qemu-fuzz-i386 --fuzz-target... ./crash-...
> +
> + - Gather the QTest output for the crash::
> + QEMU_FUZZ_TIMEOUT=0 QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \
> + qemu-fuzz-i386 --fuzz-target... ./crash-... &> /tmp/trace
> +
> + - Reorder and clean-up the resulting trace::
> + scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py /tmp/trace > /tmp/reproducer
> +
> + - Get the arguments needed to start qemu, and provide a path to qemu::
> + less /tmp/trace # The args should be logged at the top of this file
> + export QEMU_ARGS="-machine ..."
> + export QEMU_PATH="path/to/qemu-system"
> +
> + - Ensure the crash reproduces in qemu-system::
> + $QEMU_PATH $QEMU_ARGS -qtest stdio < /tmp/reproducer
> +
> + - From the crash output, obtain some string that identifies the crash. This
> + can be a line in the stack-trace, for example::
> + export CRASH_TOKEN="hw/usb/hcd-xhci.c:1865"
> +
> + - Minimize the reproducer::
> + scripts/oss-fuzz/minimize_qtest_trace.py -M1 -M2 \
> + /tmp/reproducer /tmp/reproducer-minimized
> +
> + - Confirm that the minimized reproducer still crashes::
> + $QEMU_PATH $QEMU_ARGS -qtest stdio < /tmp/reproducer-minimized
> +
> + - Create a one-liner reproducer that can be sent over email::
> + ./scripts/oss-fuzz/output_reproducer.py -bash /tmp/reproducer-minimized
> +
> + - Output the C source code for a test case that will reproduce the bug ::
> + ./scripts/oss-fuzz/output_reproducer.py -owner "John Smith <john@smith.com>"\
> + -name "test_function_name" /tmp/reproducer-minimized
> +
> + - Report the bug and send a patch with the C reproducer upstream
> +
> Implementation Details / Fuzzer Lifecycle
> -----------------------------------------
>
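Review bot: the bullet list starting at ` - Ensure the crash reproduces::` follows the paragraph ending `generic-fuzz target.` with no blank line in between, so reStructuredText will treat the first item as a continuation of that paragraph rather than the start of a list; add a blank line before the list. Two smaller points in the same hunk: `export CRASH_TOKEN="hw/usb/hcd-xhci.c:1865"` is set but none of the later commands reference it, so a sentence naming which script consumes it (presumably minimize_qtest_trace.py reading it from the environment) would make that step self-explanatory; and `Output the C source code for a test case that will reproduce the bug ::` has a space before the `::`, which RST renders differently from the other items (the marker is dropped instead of shown as a single colon), so drop the space for consistency. The underline beneath `Building Crash Reproducers` is also much longer than the title; RST accepts it, but the rest of this file matches underline length to the title.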
> --
> 2.28.0