Re: [PATCH 1/2] libqos: pci: Avoid fatal assert on zero-sized BARs in fuzz builds

[Navid Emamdoost <navidem@google.com>]

On Mon, Oct 13, 2025 at 6:14 PM Navid Emamdoost <navidem@google.com> wrote:
>
> Hi Alexander,
>
> On Fri, Oct 10, 2025 at 8:59 AM Alexander Bulekov <alxndr@bu.edu> wrote:
> >
> > On 251008 1919, Navid Emamdoost wrote:
> > > The qpci_iomap() function fails with a fatal g_assert(addr) if it
> > > probes a PCI BAR that has a size of zero. This is expected behavior
> > > for certain devices, like the Q35 PCI Host Bridge, which have valid but
> > > unimplemented BARs.
> > > This assertion blocks the creation of fuzz targets for complex machine
> > > types that include these devices.
> > > Make the check conditional on !CONFIG_FUZZ. In fuzzing builds, a
> > > zero-sized BAR is now handled gracefully by returning an empty BAR
> > > struct, allowing fuzzing to proceed. The original assertion is kept for
> > > all other builds to maintain strict checking for qtest and production
> > > environments.
> >
> > Is there a way to determine whether a BAR is unimplememnted from the
> > PCIDev in generic_fuzz.c:pci_enum so that we can skip the call to iomap?
> >
>
> Fair point. I don't think we have a reliable way to determine if a BAR
> is truly unimplemented from the PCIDevice model without probing it. If
> we moved that hardware probe into pci_enum, it would become
> inefficient for all the BARs that are implemented, as they would be
> probed twice: once in pci_enum just to check, and then again inside
> qpci_iomap to do the actual mapping. That's why I think delegating
> this check to qpci_iomap is the cleaner approach.
>

Friendly ping.

> > >
> > > Signed-off-by: Navid Emamdoost <navidem@google.com>
> > > ---
> > >  tests/qtest/libqos/pci.c | 16 ++++++++++++++++
> > >  1 file changed, 16 insertions(+)
> > >
> > > diff --git a/tests/qtest/libqos/pci.c b/tests/qtest/libqos/pci.c
> > > index a59197b992..df9e2a3993 100644
> > > --- a/tests/qtest/libqos/pci.c
> > > +++ b/tests/qtest/libqos/pci.c
> > > @@ -541,6 +541,22 @@ QPCIBar qpci_iomap(QPCIDevice *dev, int barno, uint64_t *sizeptr)
> > >          addr &= PCI_BASE_ADDRESS_MEM_MASK;
> > >      }
> > >
> > > +#ifdef CONFIG_FUZZ
> > > +    /*
> > > +     * During fuzzing runs, an unimplemented BAR (addr=0) is not a fatal
> > > +     * error. This occurs when probing devices like the Q35 host bridge. We
> > > +     * return gracefully to allow fuzzing to continue. In non-fuzzing builds,
> > > +     * we retain the original g_assert() to catch unexpected behavior.
> > > +     */
> > > +    if (!addr) {
> > > +        if (sizeptr) {
> > > +            *sizeptr = 0;
> > > +        }
> > > +        memset(&bar, 0, sizeof(bar));
> > > +        return bar;
> > > +    }
> > > +#endif
> > > +
> > >      g_assert(addr); /* Must have *some* size bits */
> > >
> > >      size = 1U << ctz32(addr);
> > > --
> > > 2.51.0.710.ga91ca5db03-goog
> > >
> > >
>
>
>
> --
> Thank you,
> Navid.



-- 
Thank you,
Navid.