[PATCH 0/4] tests/qtest: Fixes fuzz-tests

[PATCH 0/4] tests/qtest: Fixes fuzz-tests

[Philippe Mathieu-Daudé]

tests/qtest/fuzz-test seems to have bitrotten.
Fix it to make it useful.

Philippe Mathieu-Daudé (4):
  tests/qtest: Remove TPM tests
  tests/qtest: Make fuzz-test generic to all targets
  tests/qtest: Only run fuzz-megasas-test if megasas device is available
  tests/qtest: Only run fuzz-virtio-scsi when virtio-scsi is available

 tests/qtest/fuzz-megasas-test.c     | 49 +++++++++++++++++++
 tests/qtest/fuzz-test.c             | 76 -----------------------------
 tests/qtest/fuzz-virtio-scsi-test.c | 75 ++++++++++++++++++++++++++++
 MAINTAINERS                         |  2 +
 tests/qtest/meson.build             | 12 ++---
 5 files changed, 132 insertions(+), 82 deletions(-)
 create mode 100644 tests/qtest/fuzz-megasas-test.c
 create mode 100644 tests/qtest/fuzz-virtio-scsi-test.c

-- 
2.26.2

[PATCH 1/4] tests/qtest: Remove TPM tests

[Philippe Mathieu-Daudé]

The TPM tests are failing, and no further tests are run,
making the rest of the testsuite pointless:

  $ make check-qtest
  =================================================================
  ==3330026==ERROR: LeakSanitizer: detected memory leaks

  Indirect leak of 444960 byte(s) in 108 object(s) allocated from:
      #0 0x55a2df5adb87 in calloc (tests/qtest/tpm-crb-swtpm-test+0x266b87)
      #1 0x7f507bbff9b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)
      #2 0x55a2df898766 in parse_object qobject/json-parser.c:318:12
      #3 0x55a2df897d86 in parse_value qobject/json-parser.c:546:16
      #4 0x55a2df8979be in json_parser_parse qobject/json-parser.c:580:14
      #5 0x55a2df81ccc1 in json_message_process_token qobject/json-streamer.c:92:12
      #6 0x55a2df85f773 in json_lexer_feed_char qobject/json-lexer.c:313:13
      #7 0x55a2df85eb04 in json_lexer_feed qobject/json-lexer.c:350:9
      #8 0x55a2df81d7ed in json_message_parser_feed qobject/json-streamer.c:121:5
      #9 0x55a2df5f15f9 in qmp_fd_receive tests/qtest/libqtest.c:614:9
      #10 0x55a2df5f1dda in qtest_qmp_receive_dict tests/qtest/libqtest.c:636:12
      #11 0x55a2df5ef444 in qtest_qmp_receive tests/qtest/libqtest.c:624:27
      #12 0x55a2df5f3a2d in qtest_vqmp tests/qtest/libqtest.c:715:12
      #13 0x55a2df5efa62 in qtest_qmp tests/qtest/libqtest.c:756:16
      #14 0x55a2df5eb480 in tpm_util_wait_for_migration_complete tests/qtest/tpm-util.c:245:15
      #15 0x55a2df5e4167 in tpm_test_swtpm_migration_test tests/qtest/tpm-tests.c:117:5
      #16 0x55a2df5e340c in tpm_crb_swtpm_migration_test tests/qtest/tpm-crb-swtpm-test.c:44:5
      #17 0x7f507bc2229d  (/lib64/libglib-2.0.so.0+0x7b29d)

  Indirect leak of 3456 byte(s) in 108 object(s) allocated from:
      #0 0x55a2df5adb87 in calloc (tests/qtest/tpm-crb-swtpm-test+0x266b87)
      #1 0x7f507bbff9b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)
      #2 0x55a2df7886af in qdict_put_obj qobject/qdict.c:126:17
      #3 0x55a2df89d706 in parse_pair qobject/json-parser.c:300:5
      #4 0x55a2df898889 in parse_object qobject/json-parser.c:327:13
      #5 0x55a2df897d86 in parse_value qobject/json-parser.c:546:16
      #6 0x55a2df8979be in json_parser_parse qobject/json-parser.c:580:14
      #7 0x55a2df81ccc1 in json_message_process_token qobject/json-streamer.c:92:12
      #8 0x55a2df85f773 in json_lexer_feed_char qobject/json-lexer.c:313:13
      #9 0x55a2df85eb04 in json_lexer_feed qobject/json-lexer.c:350:9
      #10 0x55a2df81d7ed in json_message_parser_feed qobject/json-streamer.c:121:5
      #11 0x55a2df5f15f9 in qmp_fd_receive tests/qtest/libqtest.c:614:9
      #12 0x55a2df5f1dda in qtest_qmp_receive_dict tests/qtest/libqtest.c:636:12
      #13 0x55a2df5ef444 in qtest_qmp_receive tests/qtest/libqtest.c:624:27
      #14 0x55a2df5f3a2d in qtest_vqmp tests/qtest/libqtest.c:715:12
      #15 0x55a2df5efa62 in qtest_qmp tests/qtest/libqtest.c:756:16
      #16 0x55a2df5eb480 in tpm_util_wait_for_migration_complete tests/qtest/tpm-util.c:245:15
      #17 0x55a2df5e4167 in tpm_test_swtpm_migration_test tests/qtest/tpm-tests.c:117:5
      #18 0x55a2df5e340c in tpm_crb_swtpm_migration_test tests/qtest/tpm-crb-swtpm-test.c:44:5
      #19 0x7f507bc2229d  (/lib64/libglib-2.0.so.0+0x7b29d)

  Indirect leak of 756 byte(s) in 108 object(s) allocated from:
      #0 0x55a2df5ad9cf in malloc (tests/qtest/tpm-crb-swtpm-test+0x2669cf)
      #1 0x7f507bbff958 in g_malloc (/lib64/libglib-2.0.so.0+0x58958)

  SUMMARY: AddressSanitizer: 449172 byte(s) leaked in 324 allocation(s).
  make: *** [Makefile.mtest:1025: run-test-126] Error 1

Remove these tests to be able to run the rest.

Cc: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 tests/qtest/meson.build | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index 16d04625b8b..bcbb04d2bb4 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -41,10 +41,6 @@
   (config_all_devices.has_key('CONFIG_USB_UHCI') and                                        \
    config_all_devices.has_key('CONFIG_USB_EHCI') ? ['usb-hcd-ehci-test'] : []) +            \
   (config_all_devices.has_key('CONFIG_USB_XHCI_NEC') ? ['usb-hcd-xhci-test'] : []) +        \
-  (config_all_devices.has_key('CONFIG_TPM_CRB') ? ['tpm-crb-test'] : []) +                  \
-  (config_all_devices.has_key('CONFIG_TPM_CRB') ? ['tpm-crb-swtpm-test'] : []) +            \
-  (config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-test'] : []) +              \
-  (config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-swtpm-test'] : []) +        \
   (config_all_devices.has_key('CONFIG_RTL8139_PCI') ? ['rtl8139-test'] : []) +              \
   qtests_pci +                                                                              \
   ['fdc-test',
-- 
2.26.2

Re: [PATCH 1/4] tests/qtest: Remove TPM tests

[Philippe Mathieu-Daudé]

Subject is incorrect, this is not a removal of the tests, but
removal of their execution. The tests are still in the repository.
This is more of a disablement.

On 1/15/21 4:09 PM, Philippe Mathieu-Daudé wrote:
> The TPM tests are failing, and no further tests are run,
> making the rest of the testsuite pointless:
> 
>   $ make check-qtest
>   =================================================================
>   ==3330026==ERROR: LeakSanitizer: detected memory leaks
...
>   SUMMARY: AddressSanitizer: 449172 byte(s) leaked in 324 allocation(s).
>   make: *** [Makefile.mtest:1025: run-test-126] Error 1
> 
> Remove these tests to be able to run the rest.
> 
> Cc: Stefan Berger <stefanb@linux.ibm.com>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
>  tests/qtest/meson.build | 4 ----
>  1 file changed, 4 deletions(-)
> 
> diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
> index 16d04625b8b..bcbb04d2bb4 100644
> --- a/tests/qtest/meson.build
> +++ b/tests/qtest/meson.build
> @@ -41,10 +41,6 @@
>    (config_all_devices.has_key('CONFIG_USB_UHCI') and                                        \
>     config_all_devices.has_key('CONFIG_USB_EHCI') ? ['usb-hcd-ehci-test'] : []) +            \
>    (config_all_devices.has_key('CONFIG_USB_XHCI_NEC') ? ['usb-hcd-xhci-test'] : []) +        \
> -  (config_all_devices.has_key('CONFIG_TPM_CRB') ? ['tpm-crb-test'] : []) +                  \
> -  (config_all_devices.has_key('CONFIG_TPM_CRB') ? ['tpm-crb-swtpm-test'] : []) +            \
> -  (config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-test'] : []) +              \
> -  (config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-swtpm-test'] : []) +        \
>    (config_all_devices.has_key('CONFIG_RTL8139_PCI') ? ['rtl8139-test'] : []) +              \
>    qtests_pci +                                                                              \
>    ['fdc-test',
> 

Re: [PATCH 1/4] tests/qtest: Remove TPM tests

[Stefan Berger]

On 1/15/21 10:52 AM, Philippe Mathieu-Daudé wrote:
> Subject is incorrect, this is not a removal of the tests, but
> removal of their execution. The tests are still in the repository.
> This is more of a disablement.

How do you compile / run them to have the LeakSanitizer checks?

Re: [PATCH 1/4] tests/qtest: Remove TPM tests

[Philippe Mathieu-Daudé]

On 1/15/21 4:53 PM, Stefan Berger wrote:
> On 1/15/21 10:52 AM, Philippe Mathieu-Daudé wrote:
>> Subject is incorrect, this is not a removal of the tests, but
>> removal of their execution. The tests are still in the repository.
>> This is more of a disablement.
> 
> How do you compile / run them to have the LeakSanitizer checks?

I used:

../configure --cc=clang --enable-sanitizers && make check-qtest

$ clang -v
clang version 10.0.1 (Fedora 10.0.1-3.fc32)

This was previously covered by patchew CI. I just figured
patchew is running without the LeakSanitizer since commit
6f89ec7442e ("docker: test-debug: disable LeakSanitizer"):

 docker: test-debug: disable LeakSanitizer

 There are just too many leaks in device-introspect-test (especially for
 the plethora of arm and aarch64 boards) to make LeakSanitizer useful;
 disable it for now.

Re: [PATCH 1/4] tests/qtest: Remove TPM tests

[Philippe Mathieu-Daudé]

On 1/15/21 5:06 PM, Philippe Mathieu-Daudé wrote:
> On 1/15/21 4:53 PM, Stefan Berger wrote:
>> On 1/15/21 10:52 AM, Philippe Mathieu-Daudé wrote:
>>> Subject is incorrect, this is not a removal of the tests, but
>>> removal of their execution. The tests are still in the repository.
>>> This is more of a disablement.
>>
>> How do you compile / run them to have the LeakSanitizer checks?
> 
> I used:
> 
> ../configure --cc=clang --enable-sanitizers && make check-qtest
> 
> $ clang -v
> clang version 10.0.1 (Fedora 10.0.1-3.fc32)
> 
> This was previously covered by patchew CI. I just figured
> patchew is running without the LeakSanitizer since commit
> 6f89ec7442e ("docker: test-debug: disable LeakSanitizer"):
> 
>  docker: test-debug: disable LeakSanitizer
> 
>  There are just too many leaks in device-introspect-test (especially for
>  the plethora of arm and aarch64 boards) to make LeakSanitizer useful;
>  disable it for now.

So if this expected, maybe the correct fix is to have meson use
ASAN_OPTIONS=detect_leaks=0 automatically when running the qtests?

Re: [PATCH 1/4] tests/qtest: Remove TPM tests

[Stefan Berger]

On 1/15/21 11:06 AM, Philippe Mathieu-Daudé wrote:
> On 1/15/21 4:53 PM, Stefan Berger wrote:
>> On 1/15/21 10:52 AM, Philippe Mathieu-Daudé wrote:
>>> Subject is incorrect, this is not a removal of the tests, but
>>> removal of their execution. The tests are still in the repository.
>>> This is more of a disablement.
>> How do you compile / run them to have the LeakSanitizer checks?
> I used:
>
> ../configure --cc=clang --enable-sanitizers && make check-qtest
>
> $ clang -v
> clang version 10.0.1 (Fedora 10.0.1-3.fc32)
>
> This was previously covered by patchew CI. I just figured
> patchew is running without the LeakSanitizer since commit
> 6f89ec7442e ("docker: test-debug: disable LeakSanitizer"):
>
>   docker: test-debug: disable LeakSanitizer
>
>   There are just too many leaks in device-introspect-test (especially for
>   the plethora of arm and aarch64 boards) to make LeakSanitizer useful;
>   disable it for now.
>
I only get short stack traces:


Indirect leak of 852840 byte(s) in 207 object(s) allocated from:
     #0 0x561a8c2f8b57 in calloc 
(/home/stefanb/tmp/qemu-tip/build/tests/qtest/tpm-crb-swtpm-test+0x23fb57)
     #1 0x14f0963069b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)
     #2 0x561a8c4c2508 in json_parser_parse 
/home/stefanb/tmp/qemu-tip/build/../qobject/json-parser.c:580:14
     #3 0x561a8c4a99aa in json_message_process_token 
/home/stefanb/tmp/qemu-tip/build/../qobject/json-streamer.c:92:12
     #4 0x561a8c4b6cfb in json_lexer_feed_char 
/home/stefanb/tmp/qemu-tip/build/../qobject/json-lexer.c:313:13

Indirect leak of 6624 byte(s) in 207 object(s) allocated from:
     #0 0x561a8c2f8b57 in calloc 
(/home/stefanb/tmp/qemu-tip/build/tests/qtest/tpm-crb-swtpm-test+0x23fb57)
     #1 0x14f0963069b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)

Indirect leak of 1449 byte(s) in 207 object(s) allocated from:
     #0 0x561a8c2f899f in malloc 
(/home/stefanb/tmp/qemu-tip/build/tests/qtest/tpm-crb-swtpm-test+0x23f99f)
     #1 0x14f096306958 in g_malloc (/lib64/libglib-2.0.so.0+0x58958)

How can I see more of those?


    Stefan

Re: [PATCH 1/4] tests/qtest: Remove TPM tests

[Stefan Berger]

On 1/15/21 1:40 PM, Stefan Berger wrote:
> On 1/15/21 11:06 AM, Philippe Mathieu-Daudé wrote:
>> On 1/15/21 4:53 PM, Stefan Berger wrote:
>>> On 1/15/21 10:52 AM, Philippe Mathieu-Daudé wrote:
>>>> Subject is incorrect, this is not a removal of the tests, but
>>>> removal of their execution. The tests are still in the repository.
>>>> This is more of a disablement.
>>> How do you compile / run them to have the LeakSanitizer checks?
>> I used:
>>
>> ../configure --cc=clang --enable-sanitizers && make check-qtest
>>
>> $ clang -v
>> clang version 10.0.1 (Fedora 10.0.1-3.fc32)
>>
>> This was previously covered by patchew CI. I just figured
>> patchew is running without the LeakSanitizer since commit
>> 6f89ec7442e ("docker: test-debug: disable LeakSanitizer"):
>>
>>   docker: test-debug: disable LeakSanitizer
>>
>>   There are just too many leaks in device-introspect-test (especially 
>> for
>>   the plethora of arm and aarch64 boards) to make LeakSanitizer useful;
>>   disable it for now.
>>
> I only get short stack traces:
>
>
> Indirect leak of 852840 byte(s) in 207 object(s) allocated from:
>     #0 0x561a8c2f8b57 in calloc 
> (/home/stefanb/tmp/qemu-tip/build/tests/qtest/tpm-crb-swtpm-test+0x23fb57)
>     #1 0x14f0963069b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)
>     #2 0x561a8c4c2508 in json_parser_parse 
> /home/stefanb/tmp/qemu-tip/build/../qobject/json-parser.c:580:14
>     #3 0x561a8c4a99aa in json_message_process_token 
> /home/stefanb/tmp/qemu-tip/build/../qobject/json-streamer.c:92:12
>     #4 0x561a8c4b6cfb in json_lexer_feed_char 
> /home/stefanb/tmp/qemu-tip/build/../qobject/json-lexer.c:313:13
>
> Indirect leak of 6624 byte(s) in 207 object(s) allocated from:
>     #0 0x561a8c2f8b57 in calloc 
> (/home/stefanb/tmp/qemu-tip/build/tests/qtest/tpm-crb-swtpm-test+0x23fb57)
>     #1 0x14f0963069b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)
>
> Indirect leak of 1449 byte(s) in 207 object(s) allocated from:
>     #0 0x561a8c2f899f in malloc 
> (/home/stefanb/tmp/qemu-tip/build/tests/qtest/tpm-crb-swtpm-test+0x23f99f)
>     #1 0x14f096306958 in g_malloc (/lib64/libglib-2.0.so.0+0x58958)
>
> How can I see more of those?


I now added -fno-omit-frame-pointer to configure (should it not be 
there?) and it now shows some useful stacktraces.


diff --git a/configure b/configure
index 155dda124c..ed86b5ca32 100755
--- a/configure
+++ b/configure
@@ -5308,7 +5308,7 @@ if test "$gprof" = "yes" ; then
  fi

  if test "$have_asan" = "yes"; then
-  QEMU_CFLAGS="-fsanitize=address $QEMU_CFLAGS"
+  QEMU_CFLAGS="-fsanitize=address -fno-omit-frame-pointer $QEMU_CFLAGS"
    QEMU_LDFLAGS="-fsanitize=address $QEMU_LDFLAGS"
    if test "$have_asan_iface_h" = "no" ; then
        echo "ASAN build enabled, but ASAN header missing." \
diff --git a/tests/qtest/tpm-util.c b/tests/qtest/tpm-util.c


This is my TPM related fix. Maybe it resolve the issue for you also?


index 5a33a6ef0f..b70cc32d60 100644
--- a/tests/qtest/tpm-util.c
+++ b/tests/qtest/tpm-util.c
@@ -250,7 +250,7 @@ void tpm_util_wait_for_migration_complete(QTestState 
*who)
          status = qdict_get_str(rsp_return, "status");
          completed = strcmp(status, "completed") == 0;
          g_assert_cmpstr(status, !=,  "failed");
-        qobject_unref(rsp_return);
+        qobject_unref(rsp);
          if (completed) {
              return;
          }

Now I see ppc64 related leaks:

Direct leak of 200 byte(s) in 1 object(s) allocated from:
     #0 0x14c9b743c837 in __interceptor_calloc (/lib64/libasan.so.6+0xb0837)
     #1 0x14c9b6e8b9b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)
     #2 0x55c5e7130a1a in qemu_init_vcpu ../softmmu/cpus.c:618
     #3 0x55c5e68b30c0 in ppc_cpu_realize 
../target/ppc/translate_init.c.inc:10146
     #4 0x55c5e7539c08 in device_set_realized ../hw/core/qdev.c:761
     #5 0x55c5e714aa38 in property_set_bool ../qom/object.c:2255
     #6 0x55c5e7145d52 in object_property_set ../qom/object.c:1400
     #7 0x55c5e714f99f in object_property_set_qobject 
../qom/qom-qobject.c:28
     #8 0x55c5e71465f4 in object_property_set_bool ../qom/object.c:1470
     #9 0x55c5e666ae21 in spapr_realize_vcpu ../hw/ppc/spapr_cpu_core.c:254
     #10 0x55c5e666ae21 in spapr_cpu_core_realize 
../hw/ppc/spapr_cpu_core.c:337
     #11 0x55c5e7539c08 in device_set_realized ../hw/core/qdev.c:761
     #12 0x55c5e714aa38 in property_set_bool ../qom/object.c:2255
     #13 0x55c5e7145d52 in object_property_set ../qom/object.c:1400
     #14 0x55c5e714f99f in object_property_set_qobject 
../qom/qom-qobject.c:28
     #15 0x55c5e71465f4 in object_property_set_bool ../qom/object.c:1470
     #16 0x55c5e5c7553c in qdev_device_add ../softmmu/qdev-monitor.c:665
     #17 0x55c5e6fd4cc4 in device_init_func ../softmmu/vl.c:1201
     #18 0x55c5e78fc7bb in qemu_opts_foreach ../util/qemu-option.c:1147
     #19 0x55c5e6fc8912 in qemu_create_cli_devices ../softmmu/vl.c:2488
     #20 0x55c5e6fc8912 in qmp_x_exit_preconfig ../softmmu/vl.c:2527
     #21 0x55c5e6fcfb4b in qemu_init ../softmmu/vl.c:3533
     #22 0x55c5e5b18e78 in main ../softmmu/main.c:49
     #23 0x14c9b50fa041 in __libc_start_main (/lib64/libc.so.6+0x27041)

[..]


>
>
>    Stefan
>
>

Re: [PATCH 1/4] tests/qtest: Remove TPM tests

[Philippe Mathieu-Daudé]

Hi Stefan,

On 1/15/21 8:56 PM, Stefan Berger wrote:
> On 1/15/21 1:40 PM, Stefan Berger wrote:
>> On 1/15/21 11:06 AM, Philippe Mathieu-Daudé wrote:
>>> On 1/15/21 4:53 PM, Stefan Berger wrote:
>>>> On 1/15/21 10:52 AM, Philippe Mathieu-Daudé wrote:
>>>>> Subject is incorrect, this is not a removal of the tests, but
>>>>> removal of their execution. The tests are still in the repository.
>>>>> This is more of a disablement.
>>>> How do you compile / run them to have the LeakSanitizer checks?
>>> I used:
>>>
>>> ../configure --cc=clang --enable-sanitizers && make check-qtest
>>>
>>> $ clang -v
>>> clang version 10.0.1 (Fedora 10.0.1-3.fc32)
>>>
>>> This was previously covered by patchew CI. I just figured
>>> patchew is running without the LeakSanitizer since commit
>>> 6f89ec7442e ("docker: test-debug: disable LeakSanitizer"):
>>>
>>>   docker: test-debug: disable LeakSanitizer
>>>
>>>   There are just too many leaks in device-introspect-test (especially
>>> for
>>>   the plethora of arm and aarch64 boards) to make LeakSanitizer useful;
>>>   disable it for now.
>>>
>> I only get short stack traces:
>>
>>
>> Indirect leak of 852840 byte(s) in 207 object(s) allocated from:
>>     #0 0x561a8c2f8b57 in calloc
>> (/home/stefanb/tmp/qemu-tip/build/tests/qtest/tpm-crb-swtpm-test+0x23fb57)
>>
>>     #1 0x14f0963069b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)
>>     #2 0x561a8c4c2508 in json_parser_parse
>> /home/stefanb/tmp/qemu-tip/build/../qobject/json-parser.c:580:14
>>     #3 0x561a8c4a99aa in json_message_process_token
>> /home/stefanb/tmp/qemu-tip/build/../qobject/json-streamer.c:92:12
>>     #4 0x561a8c4b6cfb in json_lexer_feed_char
>> /home/stefanb/tmp/qemu-tip/build/../qobject/json-lexer.c:313:13
>>
>> Indirect leak of 6624 byte(s) in 207 object(s) allocated from:
>>     #0 0x561a8c2f8b57 in calloc
>> (/home/stefanb/tmp/qemu-tip/build/tests/qtest/tpm-crb-swtpm-test+0x23fb57)
>>
>>     #1 0x14f0963069b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)
>>
>> Indirect leak of 1449 byte(s) in 207 object(s) allocated from:
>>     #0 0x561a8c2f899f in malloc
>> (/home/stefanb/tmp/qemu-tip/build/tests/qtest/tpm-crb-swtpm-test+0x23f99f)
>>
>>     #1 0x14f096306958 in g_malloc (/lib64/libglib-2.0.so.0+0x58958)
>>
>> How can I see more of those?
> 
> 
> I now added -fno-omit-frame-pointer to configure (should it not be
> there?) and it now shows some useful stacktraces.

No idea... Cc'ing Marc-André.

If the issue is only with ASan we could add the flag locally
to avoid generic problems with _FORTIFY_SOURCE:

-- >8 --
@@ -5309,6 +5309,9 @@ fi

 if test "$have_asan" = "yes"; then
   QEMU_CFLAGS="-fsanitize=address $QEMU_CFLAGS"
+  if test "$debug" = "no" ; then
+    QEMU_CFLAGS="-fno-omit-frame-pointer $QEMU_CFLAGS"
+  fi
   QEMU_LDFLAGS="-fsanitize=address $QEMU_LDFLAGS"
   if test "$have_asan_iface_h" = "no" ; then
       echo "ASAN build enabled, but ASAN header missing." \
---

> 
> 
> diff --git a/configure b/configure
> index 155dda124c..ed86b5ca32 100755
> --- a/configure
> +++ b/configure
> @@ -5308,7 +5308,7 @@ if test "$gprof" = "yes" ; then
>  fi
> 
>  if test "$have_asan" = "yes"; then
> -  QEMU_CFLAGS="-fsanitize=address $QEMU_CFLAGS"
> +  QEMU_CFLAGS="-fsanitize=address -fno-omit-frame-pointer $QEMU_CFLAGS"
>    QEMU_LDFLAGS="-fsanitize=address $QEMU_LDFLAGS"
>    if test "$have_asan_iface_h" = "no" ; then
>        echo "ASAN build enabled, but ASAN header missing." \
> diff --git a/tests/qtest/tpm-util.c b/tests/qtest/tpm-util.c
> 
> 
> This is my TPM related fix. Maybe it resolve the issue for you also?

Great, a trivial diff :) I'll try it next week.

> 
> 
> index 5a33a6ef0f..b70cc32d60 100644
> --- a/tests/qtest/tpm-util.c
> +++ b/tests/qtest/tpm-util.c
> @@ -250,7 +250,7 @@ void tpm_util_wait_for_migration_complete(QTestState
> *who)
>          status = qdict_get_str(rsp_return, "status");
>          completed = strcmp(status, "completed") == 0;
>          g_assert_cmpstr(status, !=,  "failed");
> -        qobject_unref(rsp_return);
> +        qobject_unref(rsp);
>          if (completed) {
>              return;
>          }
> 
> Now I see ppc64 related leaks:
> 
> Direct leak of 200 byte(s) in 1 object(s) allocated from:
>     #0 0x14c9b743c837 in __interceptor_calloc (/lib64/libasan.so.6+0xb0837)
>     #1 0x14c9b6e8b9b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)
>     #2 0x55c5e7130a1a in qemu_init_vcpu ../softmmu/cpus.c:618
>     #3 0x55c5e68b30c0 in ppc_cpu_realize
> ../target/ppc/translate_init.c.inc:10146
>     #4 0x55c5e7539c08 in device_set_realized ../hw/core/qdev.c:761
>     #5 0x55c5e714aa38 in property_set_bool ../qom/object.c:2255
>     #6 0x55c5e7145d52 in object_property_set ../qom/object.c:1400
>     #7 0x55c5e714f99f in object_property_set_qobject
> ../qom/qom-qobject.c:28
>     #8 0x55c5e71465f4 in object_property_set_bool ../qom/object.c:1470
>     #9 0x55c5e666ae21 in spapr_realize_vcpu ../hw/ppc/spapr_cpu_core.c:254
>     #10 0x55c5e666ae21 in spapr_cpu_core_realize
> ../hw/ppc/spapr_cpu_core.c:337
>     #11 0x55c5e7539c08 in device_set_realized ../hw/core/qdev.c:761
>     #12 0x55c5e714aa38 in property_set_bool ../qom/object.c:2255
>     #13 0x55c5e7145d52 in object_property_set ../qom/object.c:1400
>     #14 0x55c5e714f99f in object_property_set_qobject
> ../qom/qom-qobject.c:28
>     #15 0x55c5e71465f4 in object_property_set_bool ../qom/object.c:1470
>     #16 0x55c5e5c7553c in qdev_device_add ../softmmu/qdev-monitor.c:665
>     #17 0x55c5e6fd4cc4 in device_init_func ../softmmu/vl.c:1201
>     #18 0x55c5e78fc7bb in qemu_opts_foreach ../util/qemu-option.c:1147
>     #19 0x55c5e6fc8912 in qemu_create_cli_devices ../softmmu/vl.c:2488
>     #20 0x55c5e6fc8912 in qmp_x_exit_preconfig ../softmmu/vl.c:2527
>     #21 0x55c5e6fcfb4b in qemu_init ../softmmu/vl.c:3533
>     #22 0x55c5e5b18e78 in main ../softmmu/main.c:49
>     #23 0x14c9b50fa041 in __libc_start_main (/lib64/libc.so.6+0x27041)
> 
> [..]

Currently the fuzzed qtests are only reported for X86, so I didn't
bother testing the other targets. Cc'ing qemu-ppc@ however.

Thanks for the quick feedbacks,

Phil.

Re: [PATCH 1/4] tests/qtest: Remove TPM tests

[Paolo Bonzini]

On 15/01/21 16:09, Philippe Mathieu-Daudé wrote:
> |The TPM tests are failing, and no further tests are run, making the 
> rest of the testsuite pointless:|

Just use -k when running tests, it's a good idea in general.

Paolo

Re: [PATCH 1/4] tests/qtest: Remove TPM tests

[Philippe Mathieu-Daudé]

On 1/17/21 7:47 PM, Paolo Bonzini wrote:
> On 15/01/21 16:09, Philippe Mathieu-Daudé wrote:
>> |The TPM tests are failing, and no further tests are run, making the
>> rest of the testsuite pointless:|
> 
> Just use -k when running tests, it's a good idea in general.

Yes, this used to be the default. I still see it in the
Meson conversion in commit a2ce7dbd917 ("meson: convert
ests/qtest to meson"), see tests/qtest/meson.build:

265     test('qtest-@0@/@1@'.format(target_base, test),
266          qtest_executables[test],
267          depends: [test_deps, qtest_emulator],
268          env: qtest_env,
269          args: ['--tap', '-k'],
270          protocol: 'tap',
271          suite: ['qtest', 'qtest-' + target_base])
272   endforeach
273 endforeach

Not sure what is going on.

[PATCH 2/4] tests/qtest: Make fuzz-test generic to all targets

[Philippe Mathieu-Daudé]

Tests in fuzz-test's main() already check for the supported
architecture before adding tests, therefore this test is not
specific to the X86 target. Move it to the generic set.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 tests/qtest/meson.build | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index bcbb04d2bb4..874f5d34674 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -13,7 +13,9 @@
   'qom-test',
   'test-hmp',
   'qos-test',
+  'fuzz-test',
 ]
+
 if config_host.has_key('CONFIG_MODULES')
   qtests_generic += [ 'modules-test' ]
 endif
@@ -50,7 +52,6 @@
    'bios-tables-test',
    'rtc-test',
    'i440fx-test',
-   'fuzz-test',
    'fw_cfg-test',
    'device-plug-test',
    'drive_del-test',
-- 
2.26.2

Re: [PATCH 2/4] tests/qtest: Make fuzz-test generic to all targets

[Thomas Huth]

On 15/01/2021 16.09, Philippe Mathieu-Daudé wrote:
> Tests in fuzz-test's main() already check for the supported
> architecture before adding tests, therefore this test is not
> specific to the X86 target. Move it to the generic set.

As long as it does not run any test on non-x86, it does not make sense to 
move it to the generic set, does it? We'd only waste compile cycles that way?

  Thomas

Re: [PATCH 2/4] tests/qtest: Make fuzz-test generic to all targets

[Philippe Mathieu-Daudé]

On 1/15/21 11:21 PM, Thomas Huth wrote:
> On 15/01/2021 16.09, Philippe Mathieu-Daudé wrote:
>> Tests in fuzz-test's main() already check for the supported
>> architecture before adding tests, therefore this test is not
>> specific to the X86 target. Move it to the generic set.
> 
> As long as it does not run any test on non-x86, it does not make sense
> to move it to the generic set, does it? We'd only waste compile cycles
> that way?

OK, I'll resend this patch when the ARM reproducers are posted.

[PATCH 3/4] tests/qtest: Only run fuzz-megasas-test if megasas device is available

[Philippe Mathieu-Daudé]

This test fails when QEMU is built without the megasas device,
restrict it to its availability.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 tests/qtest/fuzz-megasas-test.c | 49 +++++++++++++++++++++++++++++++++
 tests/qtest/fuzz-test.c         | 25 -----------------
 MAINTAINERS                     |  1 +
 tests/qtest/meson.build         |  4 ++-
 4 files changed, 53 insertions(+), 26 deletions(-)
 create mode 100644 tests/qtest/fuzz-megasas-test.c

diff --git a/tests/qtest/fuzz-megasas-test.c b/tests/qtest/fuzz-megasas-test.c
new file mode 100644
index 00000000000..940a76bf25a
--- /dev/null
+++ b/tests/qtest/fuzz-megasas-test.c
@@ -0,0 +1,49 @@
+/*
+ * QTest fuzzer-generated testcase for megasas device
+ *
+ * Copyright (c) 2020 Li Qiang <liq3ea@gmail.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "libqos/libqtest.h"
+
+/*
+ * This used to trigger the assert in scsi_dma_complete
+ * https://bugs.launchpad.net/qemu/+bug/1878263
+ */
+static void test_lp1878263_megasas_zero_iov_cnt(void)
+{
+    QTestState *s;
+
+    s = qtest_init("-nographic -monitor none -serial none "
+                   "-M q35 -device megasas -device scsi-cd,drive=null0 "
+                   "-blockdev driver=null-co,read-zeroes=on,node-name=null0");
+    qtest_outl(s, 0xcf8, 0x80001818);
+    qtest_outl(s, 0xcfc, 0xc101);
+    qtest_outl(s, 0xcf8, 0x8000181c);
+    qtest_outl(s, 0xcf8, 0x80001804);
+    qtest_outw(s, 0xcfc, 0x7);
+    qtest_outl(s, 0xcf8, 0x8000186a);
+    qtest_writeb(s, 0x14, 0xfe);
+    qtest_writeb(s, 0x0, 0x02);
+    qtest_outb(s, 0xc1c0, 0x17);
+    qtest_quit(s);
+}
+
+int main(int argc, char **argv)
+{
+    const char *arch = qtest_get_arch();
+
+    g_test_init(&argc, &argv, NULL);
+
+    if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
+        qtest_add_func("fuzz/test_lp1878263_megasas_zero_iov_cnt",
+                       test_lp1878263_megasas_zero_iov_cnt);
+    }
+
+    return g_test_run();
+}
diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
index cdb1100a0b8..6188fbb8e96 100644
--- a/tests/qtest/fuzz-test.c
+++ b/tests/qtest/fuzz-test.c
@@ -11,29 +11,6 @@
 
 #include "libqos/libqtest.h"
 
-/*
- * This used to trigger the assert in scsi_dma_complete
- * https://bugs.launchpad.net/qemu/+bug/1878263
- */
-static void test_lp1878263_megasas_zero_iov_cnt(void)
-{
-    QTestState *s;
-
-    s = qtest_init("-nographic -monitor none -serial none "
-                   "-M q35 -device megasas -device scsi-cd,drive=null0 "
-                   "-blockdev driver=null-co,read-zeroes=on,node-name=null0");
-    qtest_outl(s, 0xcf8, 0x80001818);
-    qtest_outl(s, 0xcfc, 0xc101);
-    qtest_outl(s, 0xcf8, 0x8000181c);
-    qtest_outl(s, 0xcf8, 0x80001804);
-    qtest_outw(s, 0xcfc, 0x7);
-    qtest_outl(s, 0xcf8, 0x8000186a);
-    qtest_writeb(s, 0x14, 0xfe);
-    qtest_writeb(s, 0x0, 0x02);
-    qtest_outb(s, 0xc1c0, 0x17);
-    qtest_quit(s);
-}
-
 static void test_lp1878642_pci_bus_get_irq_level_assert(void)
 {
     QTestState *s;
@@ -104,8 +81,6 @@ int main(int argc, char **argv)
     g_test_init(&argc, &argv, NULL);
 
     if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
-        qtest_add_func("fuzz/test_lp1878263_megasas_zero_iov_cnt",
-                       test_lp1878263_megasas_zero_iov_cnt);
         qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
                        test_lp1878642_pci_bus_get_irq_level_assert);
         qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
diff --git a/MAINTAINERS b/MAINTAINERS
index cb0656aec3d..b2ef820a9fa 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1925,6 +1925,7 @@ S: Supported
 F: hw/scsi/megasas.c
 F: hw/scsi/mfi.h
 F: tests/qtest/megasas-test.c
+F: tests/qtest/fuzz-megasas-test.c
 
 Network packet abstractions
 M: Dmitry Fleytman <dmitry.fleytman@gmail.com>
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index 874f5d34674..a24e7f1c34a 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -4,7 +4,9 @@
   subdir_done()
 endif
 
-qtests_generic = [
+qtests_generic = \
+  (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \
+  [
   'cdrom-test',
   'device-introspect-test',
   'machine-none-test',
-- 
2.26.2

Re: [PATCH 3/4] tests/qtest: Only run fuzz-megasas-test if megasas device is available

[Alexander Bulekov]

On 210115 1609, Philippe Mathieu-Daudé wrote:
> This test fails when QEMU is built without the megasas device,
> restrict it to its availability.

Should we just make a separate directory for fuzzer tests and have a
separate source file for each reproducer (or for each device)? That way,
we avoid confusion about what to do with new reproducers: they always go
into e.g. tests/qtest/reproducers/device_name.c 

Re: [PATCH 3/4] tests/qtest: Only run fuzz-megasas-test if megasas device is available

[Philippe Mathieu-Daudé]

On 1/15/21 11:39 PM, Alexander Bulekov wrote:
> On 210115 1609, Philippe Mathieu-Daudé wrote:
>> This test fails when QEMU is built without the megasas device,
>> restrict it to its availability.
> 
> Should we just make a separate directory for fuzzer tests and have a
> separate source file for each reproducer (or for each device)? That way,
> we avoid confusion about what to do with new reproducers: they always go
> into e.g. tests/qtest/reproducers/device_name.c 

Yes probably. Do you mind sending a patch series?

[PATCH 4/4] tests/qtest: Only run fuzz-virtio-scsi when virtio-scsi is available

[Philippe Mathieu-Daudé]

This test fails when QEMU is built without the virtio-scsi device,
restrict it to its availability.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
Cc: "Michael S. Tsirkin" <mst@redhat.com>

Note when running check-qtest-i386 I still get this failure:

  qemu-system-i386: Cannot map used

it comes from virtio_init_region_cache().
---
 tests/qtest/fuzz-test.c             | 51 --------------------
 tests/qtest/fuzz-virtio-scsi-test.c | 75 +++++++++++++++++++++++++++++
 MAINTAINERS                         |  1 +
 tests/qtest/meson.build             |  1 +
 4 files changed, 77 insertions(+), 51 deletions(-)
 create mode 100644 tests/qtest/fuzz-virtio-scsi-test.c

diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
index 6188fbb8e96..d112798afe3 100644
--- a/tests/qtest/fuzz-test.c
+++ b/tests/qtest/fuzz-test.c
@@ -25,55 +25,6 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
     qtest_quit(s);
 }
 
-/*
- * Here a MemoryRegionCache pointed to an MMIO region but had a
- * larger size than the underlying region.
- */
-static void test_mmio_oob_from_memory_region_cache(void)
-{
-    QTestState *s;
-
-    s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
-		   "-device virtio-scsi,num_queues=8,addr=03.0 ");
-
-    qtest_outl(s, 0xcf8, 0x80001811);
-    qtest_outb(s, 0xcfc, 0x6e);
-    qtest_outl(s, 0xcf8, 0x80001824);
-    qtest_outl(s, 0xcf8, 0x80001813);
-    qtest_outl(s, 0xcfc, 0xa080000);
-    qtest_outl(s, 0xcf8, 0x80001802);
-    qtest_outl(s, 0xcfc, 0x5a175a63);
-    qtest_outb(s, 0x6e08, 0x9e);
-    qtest_writeb(s, 0x9f003, 0xff);
-    qtest_writeb(s, 0x9f004, 0x01);
-    qtest_writeb(s, 0x9e012, 0x0e);
-    qtest_writeb(s, 0x9e01b, 0x0e);
-    qtest_writeb(s, 0x9f006, 0x01);
-    qtest_writeb(s, 0x9f008, 0x01);
-    qtest_writeb(s, 0x9f00a, 0x01);
-    qtest_writeb(s, 0x9f00c, 0x01);
-    qtest_writeb(s, 0x9f00e, 0x01);
-    qtest_writeb(s, 0x9f010, 0x01);
-    qtest_writeb(s, 0x9f012, 0x01);
-    qtest_writeb(s, 0x9f014, 0x01);
-    qtest_writeb(s, 0x9f016, 0x01);
-    qtest_writeb(s, 0x9f018, 0x01);
-    qtest_writeb(s, 0x9f01a, 0x01);
-    qtest_writeb(s, 0x9f01c, 0x01);
-    qtest_writeb(s, 0x9f01e, 0x01);
-    qtest_writeb(s, 0x9f020, 0x01);
-    qtest_writeb(s, 0x9f022, 0x01);
-    qtest_writeb(s, 0x9f024, 0x01);
-    qtest_writeb(s, 0x9f026, 0x01);
-    qtest_writeb(s, 0x9f028, 0x01);
-    qtest_writeb(s, 0x9f02a, 0x01);
-    qtest_writeb(s, 0x9f02c, 0x01);
-    qtest_writeb(s, 0x9f02e, 0x01);
-    qtest_writeb(s, 0x9f030, 0x01);
-    qtest_outb(s, 0x6e10, 0x00);
-    qtest_quit(s);
-}
-
 int main(int argc, char **argv)
 {
     const char *arch = qtest_get_arch();
@@ -83,8 +34,6 @@ int main(int argc, char **argv)
     if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
         qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
                        test_lp1878642_pci_bus_get_irq_level_assert);
-        qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
-                       test_mmio_oob_from_memory_region_cache);
     }
 
     return g_test_run();
diff --git a/tests/qtest/fuzz-virtio-scsi-test.c b/tests/qtest/fuzz-virtio-scsi-test.c
new file mode 100644
index 00000000000..aaf6d10e189
--- /dev/null
+++ b/tests/qtest/fuzz-virtio-scsi-test.c
@@ -0,0 +1,75 @@
+/*
+ * QTest fuzzer-generated testcase for virtio-scsi device
+ *
+ * Copyright (c) 2020 Li Qiang <liq3ea@gmail.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "libqos/libqtest.h"
+
+/*
+ * Here a MemoryRegionCache pointed to an MMIO region but had a
+ * larger size than the underlying region.
+ */
+static void test_mmio_oob_from_memory_region_cache(void)
+{
+    QTestState *s;
+
+    s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
+                   "-device virtio-scsi,num_queues=8,addr=03.0 ");
+
+    qtest_outl(s, 0xcf8, 0x80001811);
+    qtest_outb(s, 0xcfc, 0x6e);
+    qtest_outl(s, 0xcf8, 0x80001824);
+    qtest_outl(s, 0xcf8, 0x80001813);
+    qtest_outl(s, 0xcfc, 0xa080000);
+    qtest_outl(s, 0xcf8, 0x80001802);
+    qtest_outl(s, 0xcfc, 0x5a175a63);
+    qtest_outb(s, 0x6e08, 0x9e);
+    qtest_writeb(s, 0x9f003, 0xff);
+    qtest_writeb(s, 0x9f004, 0x01);
+    qtest_writeb(s, 0x9e012, 0x0e);
+    qtest_writeb(s, 0x9e01b, 0x0e);
+    qtest_writeb(s, 0x9f006, 0x01);
+    qtest_writeb(s, 0x9f008, 0x01);
+    qtest_writeb(s, 0x9f00a, 0x01);
+    qtest_writeb(s, 0x9f00c, 0x01);
+    qtest_writeb(s, 0x9f00e, 0x01);
+    qtest_writeb(s, 0x9f010, 0x01);
+    qtest_writeb(s, 0x9f012, 0x01);
+    qtest_writeb(s, 0x9f014, 0x01);
+    qtest_writeb(s, 0x9f016, 0x01);
+    qtest_writeb(s, 0x9f018, 0x01);
+    qtest_writeb(s, 0x9f01a, 0x01);
+    qtest_writeb(s, 0x9f01c, 0x01);
+    qtest_writeb(s, 0x9f01e, 0x01);
+    qtest_writeb(s, 0x9f020, 0x01);
+    qtest_writeb(s, 0x9f022, 0x01);
+    qtest_writeb(s, 0x9f024, 0x01);
+    qtest_writeb(s, 0x9f026, 0x01);
+    qtest_writeb(s, 0x9f028, 0x01);
+    qtest_writeb(s, 0x9f02a, 0x01);
+    qtest_writeb(s, 0x9f02c, 0x01);
+    qtest_writeb(s, 0x9f02e, 0x01);
+    qtest_writeb(s, 0x9f030, 0x01);
+    qtest_outb(s, 0x6e10, 0x00);
+    qtest_quit(s);
+}
+
+int main(int argc, char **argv)
+{
+    const char *arch = qtest_get_arch();
+
+    g_test_init(&argc, &argv, NULL);
+
+    if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
+        qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
+                       test_mmio_oob_from_memory_region_cache);
+    }
+
+    return g_test_run();
+}
diff --git a/MAINTAINERS b/MAINTAINERS
index b2ef820a9fa..fcbe3ac79a8 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1717,6 +1717,7 @@ S: Supported
 F: include/hw/scsi/*
 F: hw/scsi/*
 F: tests/qtest/virtio-scsi-test.c
+F: tests/qtest/fuzz-virtio-scsi-test.c
 T: git https://github.com/bonzini/qemu.git scsi-next
 
 SSI
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index a24e7f1c34a..fedce3ee3c1 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -6,6 +6,7 @@
 
 qtests_generic = \
   (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \
+  (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \
   [
   'cdrom-test',
   'device-introspect-test',
-- 
2.26.2

Re: [PATCH 4/4] tests/qtest: Only run fuzz-virtio-scsi when virtio-scsi is available

[Michael S. Tsirkin]

On Fri, Jan 15, 2021 at 04:09:36PM +0100, Philippe Mathieu-Daudé wrote:
> This test fails when QEMU is built without the virtio-scsi device,
> restrict it to its availability.
> 
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Reviewed-by: Michael S. Tsirkin <mst@redhat.com>

Are you merging this with rest of patchset?


> ---
> Cc: "Michael S. Tsirkin" <mst@redhat.com>
> 
> Note when running check-qtest-i386 I still get this failure:
> 
>   qemu-system-i386: Cannot map used
> 
> it comes from virtio_init_region_cache().


Not sure I understand this part.

> ---
>  tests/qtest/fuzz-test.c             | 51 --------------------
>  tests/qtest/fuzz-virtio-scsi-test.c | 75 +++++++++++++++++++++++++++++
>  MAINTAINERS                         |  1 +
>  tests/qtest/meson.build             |  1 +
>  4 files changed, 77 insertions(+), 51 deletions(-)
>  create mode 100644 tests/qtest/fuzz-virtio-scsi-test.c
> 
> diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
> index 6188fbb8e96..d112798afe3 100644
> --- a/tests/qtest/fuzz-test.c
> +++ b/tests/qtest/fuzz-test.c
> @@ -25,55 +25,6 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
>      qtest_quit(s);
>  }
>  
> -/*
> - * Here a MemoryRegionCache pointed to an MMIO region but had a
> - * larger size than the underlying region.
> - */
> -static void test_mmio_oob_from_memory_region_cache(void)
> -{
> -    QTestState *s;
> -
> -    s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
> -		   "-device virtio-scsi,num_queues=8,addr=03.0 ");
> -
> -    qtest_outl(s, 0xcf8, 0x80001811);
> -    qtest_outb(s, 0xcfc, 0x6e);
> -    qtest_outl(s, 0xcf8, 0x80001824);
> -    qtest_outl(s, 0xcf8, 0x80001813);
> -    qtest_outl(s, 0xcfc, 0xa080000);
> -    qtest_outl(s, 0xcf8, 0x80001802);
> -    qtest_outl(s, 0xcfc, 0x5a175a63);
> -    qtest_outb(s, 0x6e08, 0x9e);
> -    qtest_writeb(s, 0x9f003, 0xff);
> -    qtest_writeb(s, 0x9f004, 0x01);
> -    qtest_writeb(s, 0x9e012, 0x0e);
> -    qtest_writeb(s, 0x9e01b, 0x0e);
> -    qtest_writeb(s, 0x9f006, 0x01);
> -    qtest_writeb(s, 0x9f008, 0x01);
> -    qtest_writeb(s, 0x9f00a, 0x01);
> -    qtest_writeb(s, 0x9f00c, 0x01);
> -    qtest_writeb(s, 0x9f00e, 0x01);
> -    qtest_writeb(s, 0x9f010, 0x01);
> -    qtest_writeb(s, 0x9f012, 0x01);
> -    qtest_writeb(s, 0x9f014, 0x01);
> -    qtest_writeb(s, 0x9f016, 0x01);
> -    qtest_writeb(s, 0x9f018, 0x01);
> -    qtest_writeb(s, 0x9f01a, 0x01);
> -    qtest_writeb(s, 0x9f01c, 0x01);
> -    qtest_writeb(s, 0x9f01e, 0x01);
> -    qtest_writeb(s, 0x9f020, 0x01);
> -    qtest_writeb(s, 0x9f022, 0x01);
> -    qtest_writeb(s, 0x9f024, 0x01);
> -    qtest_writeb(s, 0x9f026, 0x01);
> -    qtest_writeb(s, 0x9f028, 0x01);
> -    qtest_writeb(s, 0x9f02a, 0x01);
> -    qtest_writeb(s, 0x9f02c, 0x01);
> -    qtest_writeb(s, 0x9f02e, 0x01);
> -    qtest_writeb(s, 0x9f030, 0x01);
> -    qtest_outb(s, 0x6e10, 0x00);
> -    qtest_quit(s);
> -}
> -
>  int main(int argc, char **argv)
>  {
>      const char *arch = qtest_get_arch();
> @@ -83,8 +34,6 @@ int main(int argc, char **argv)
>      if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
>          qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
>                         test_lp1878642_pci_bus_get_irq_level_assert);
> -        qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
> -                       test_mmio_oob_from_memory_region_cache);
>      }
>  
>      return g_test_run();
> diff --git a/tests/qtest/fuzz-virtio-scsi-test.c b/tests/qtest/fuzz-virtio-scsi-test.c
> new file mode 100644
> index 00000000000..aaf6d10e189
> --- /dev/null
> +++ b/tests/qtest/fuzz-virtio-scsi-test.c
> @@ -0,0 +1,75 @@
> +/*
> + * QTest fuzzer-generated testcase for virtio-scsi device
> + *
> + * Copyright (c) 2020 Li Qiang <liq3ea@gmail.com>
> + *
> + * This work is licensed under the terms of the GNU GPL, version 2 or later.
> + * See the COPYING file in the top-level directory.
> + */
> +
> +#include "qemu/osdep.h"
> +
> +#include "libqos/libqtest.h"
> +
> +/*
> + * Here a MemoryRegionCache pointed to an MMIO region but had a
> + * larger size than the underlying region.
> + */
> +static void test_mmio_oob_from_memory_region_cache(void)
> +{
> +    QTestState *s;
> +
> +    s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
> +                   "-device virtio-scsi,num_queues=8,addr=03.0 ");
> +
> +    qtest_outl(s, 0xcf8, 0x80001811);
> +    qtest_outb(s, 0xcfc, 0x6e);
> +    qtest_outl(s, 0xcf8, 0x80001824);
> +    qtest_outl(s, 0xcf8, 0x80001813);
> +    qtest_outl(s, 0xcfc, 0xa080000);
> +    qtest_outl(s, 0xcf8, 0x80001802);
> +    qtest_outl(s, 0xcfc, 0x5a175a63);
> +    qtest_outb(s, 0x6e08, 0x9e);
> +    qtest_writeb(s, 0x9f003, 0xff);
> +    qtest_writeb(s, 0x9f004, 0x01);
> +    qtest_writeb(s, 0x9e012, 0x0e);
> +    qtest_writeb(s, 0x9e01b, 0x0e);
> +    qtest_writeb(s, 0x9f006, 0x01);
> +    qtest_writeb(s, 0x9f008, 0x01);
> +    qtest_writeb(s, 0x9f00a, 0x01);
> +    qtest_writeb(s, 0x9f00c, 0x01);
> +    qtest_writeb(s, 0x9f00e, 0x01);
> +    qtest_writeb(s, 0x9f010, 0x01);
> +    qtest_writeb(s, 0x9f012, 0x01);
> +    qtest_writeb(s, 0x9f014, 0x01);
> +    qtest_writeb(s, 0x9f016, 0x01);
> +    qtest_writeb(s, 0x9f018, 0x01);
> +    qtest_writeb(s, 0x9f01a, 0x01);
> +    qtest_writeb(s, 0x9f01c, 0x01);
> +    qtest_writeb(s, 0x9f01e, 0x01);
> +    qtest_writeb(s, 0x9f020, 0x01);
> +    qtest_writeb(s, 0x9f022, 0x01);
> +    qtest_writeb(s, 0x9f024, 0x01);
> +    qtest_writeb(s, 0x9f026, 0x01);
> +    qtest_writeb(s, 0x9f028, 0x01);
> +    qtest_writeb(s, 0x9f02a, 0x01);
> +    qtest_writeb(s, 0x9f02c, 0x01);
> +    qtest_writeb(s, 0x9f02e, 0x01);
> +    qtest_writeb(s, 0x9f030, 0x01);
> +    qtest_outb(s, 0x6e10, 0x00);
> +    qtest_quit(s);
> +}
> +
> +int main(int argc, char **argv)
> +{
> +    const char *arch = qtest_get_arch();
> +
> +    g_test_init(&argc, &argv, NULL);
> +
> +    if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
> +        qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
> +                       test_mmio_oob_from_memory_region_cache);
> +    }
> +
> +    return g_test_run();
> +}
> diff --git a/MAINTAINERS b/MAINTAINERS
> index b2ef820a9fa..fcbe3ac79a8 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -1717,6 +1717,7 @@ S: Supported
>  F: include/hw/scsi/*
>  F: hw/scsi/*
>  F: tests/qtest/virtio-scsi-test.c
> +F: tests/qtest/fuzz-virtio-scsi-test.c
>  T: git https://github.com/bonzini/qemu.git scsi-next
>  
>  SSI
> diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
> index a24e7f1c34a..fedce3ee3c1 100644
> --- a/tests/qtest/meson.build
> +++ b/tests/qtest/meson.build
> @@ -6,6 +6,7 @@
>  
>  qtests_generic = \
>    (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \
> +  (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \
>    [
>    'cdrom-test',
>    'device-introspect-test',
> -- 
> 2.26.2