Date: Sat, 18 Dec 2004 15:18:15 -0500
From: Tim
Subject: Re: [Qemu-devel] Test Scaffolding
Message-ID: <20041218201815.GE2546@sentinelchicken.org>
To: qemu-devel@nongnu.org

> I have a bit of free time over the next few weeks, and thought it might
> be interesting and useful to implement some type of randomized tests for
> Qemu's system emulation. One thought I had was to generate a large
> number of small disk images with (partially or fully) randomized boot
> sectors and then try booting off of those. Basically it would be a raw
> stability test to see if Qemu falls over under weird circumstances.

Ok, so in throwing caution to the wind, I put together this really quick
shell script (I will improve on it later):

#!/bin/sh
# Usage: mkrandboot.sh OUTPUT_FILE
OUTPUT_FILE=$1
# create a 1K raw (all-zero) disk image
qemu-img create -f raw "$OUTPUT_FILE" 1K
# 510 random bytes followed by the 0x55 0xAA boot signature
# (the \x escapes in sed are a GNU sed extension)
( dd bs=1 count=510 if=/dev/urandom 2>/dev/null;\
  echo | sed 's/^$/\x55\xAA/'; )\
| dd bs=1 count=512 conv=notrunc "of=$OUTPUT_FILE" 2>/dev/null
###EOF####

Which creates a 1K disk image with a random boot sector.
I tested qemu (i386-softmmu) on a number of these images, and in general it
holds up really well. However, I did have several images crash qemu. Two of
these appear to occur when program execution makes it past the main 512-byte
boot sector and begins trying to generate code for 0's, which appear to
disassemble as:

add [bx+si],al

In taking large blocks of these and converting them, qemu crashes. Perhaps
there is a bound checking problem on large blocks? I don't know, I haven't
looked that deep into it yet. (What file should I start in?)

The bzipped tar of three files can be downloaded at
http://www.sentinelchicken.org/projects/qemu/add-crash.tar.bz2 . It contains
an image that consistently crashes, the logfile which was written to
/tmp/qemu.log with the `-d all' option, and the disassembly (via ndisasm) of
the boot sector.

thanks,
tim
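The image generator described in the message above, as an added example that is not the poster's script and not part of the QEMU project: it builds the same layout (510 random bytes, the 0x55 0xAA boot signature at offset 510, zeros for the rest of the image) without depending on qemu-img or on GNU sed's \x escapes, and adds a check that the resulting file is the expected size and actually carries the signature, so a batch of generated images can be validated before being fed to the emulator. The function names, the default size of 1024 bytes and the use of dd, od and printf are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original poster's script). Creates a raw disk image
# whose first sector is 510 random bytes plus the 0x55 0xAA boot signature;
# every byte past the first sector is zero, which is what produces the long
# runs of "add [bx+si],al" the message describes. Assumes dd, od and printf
# from a POSIX environment and /dev/urandom.
set -eu

# make_random_boot_image OUTPUT [SIZE_IN_BYTES]
#   Builds the image; SIZE defaults to 1024 (the 1K of the original script).
#   A larger SIZE simply gives a longer zero run after the boot sector.
make_random_boot_image() {
    out=$1
    size=${2:-1024}
    # start with an all-zero file of the requested size
    dd if=/dev/zero of="$out" bs=1 count="$size" 2>/dev/null
    # overwrite the first 510 bytes with random data (no truncation)
    dd if=/dev/urandom of="$out" bs=1 count=510 conv=notrunc 2>/dev/null
    # write the signature at offset 510; octal escapes keep printf portable
    printf '\125\252' | dd of="$out" bs=1 seek=510 count=2 conv=notrunc 2>/dev/null
}

# image_size FILE  -> prints the file size in bytes
image_size() {
    wc -c < "$1" | tr -d ' '
}

# boot_signature FILE -> prints the two bytes at offset 510 as lowercase hex
boot_signature() {
    od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n'
}

# check_boot_image FILE [SIZE] -> exit status 0 if the image is SIZE bytes
#   and carries the 55aa signature, 1 otherwise
check_boot_image() {
    expected=${2:-1024}
    [ "$(image_size "$1")" -eq "$expected" ] || return 1
    [ "$(boot_signature "$1")" = "55aa" ] || return 1
    return 0
}

# Generate a small corpus when run directly:
#   sh mkrandboot.sh [COUNT] [DIR]
if [ "${0##*/}" = "mkrandboot.sh" ]; then
    count=${1:-10}
    dir=${2:-.}
    i=0
    while [ "$i" -lt "$count" ]; do
        img="$dir/rand-boot-$i.img"
        make_random_boot_image "$img"
        check_boot_image "$img" || { echo "bad image: $img" >&2; exit 1; }
        i=$((i + 1))
    done
    echo "generated $count images in $dir"
fi
```

Each generated image can then be booted as before (for example with `qemu -hda rand-boot-0.img`), and because the check confirms the signature is in place, a BIOS refusing to boot an image is not mistaken for an emulator fault.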