mirror of
https://github.com/qemu/qemu.git
synced 2025-07-27 12:20:07 +00:00
247ab240c2
Now we use a one-time scan and remove strategy in the minimizer, which is not suitable for timing dependent instructions. For example, instruction A will indicate an address where the config chunk locates, and instruction B will make the configuration active. If we have the following instruction sequence: ... A1 B1 A2 B2 ... A2 and B2 are the actual instructions that trigger the bug. If we scan from top to bottom, after we remove A1, the behavior of B1 might be unknowable, including not to crash the program. But we will successfully remove B1 later cause A2 and B2 will crash the process anyway: ... A1 A2 B2 ... Now one more trimming will remove A1. In the perfect case, we would need to be able to remove A and B (or C!) at the same time. But for now, let's just add a loop around the minimizer. Since we only remove instructions, this iterative algorithm is converging. Tested with Bug 1908062. Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <SYCPR01MB350263004448040ACCB9A9F1FCAB0@SYCPR01MB3502.ausprd01.prod.outlook.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
207 lines
7.6 KiB
Python
Executable File
207 lines
7.6 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
# -*- coding: utf-8 -*-
|
|
|
|
"""
|
|
This takes a crashing qtest trace and tries to remove superflous operations
|
|
"""
|
|
|
|
import sys
|
|
import os
|
|
import subprocess
|
|
import time
|
|
import struct
|
|
|
|
QEMU_ARGS = None
|
|
QEMU_PATH = None
|
|
TIMEOUT = 5
|
|
CRASH_TOKEN = None
|
|
|
|
write_suffix_lookup = {"b": (1, "B"),
|
|
"w": (2, "H"),
|
|
"l": (4, "L"),
|
|
"q": (8, "Q")}
|
|
|
|
def usage():
|
|
sys.exit("""\
|
|
Usage: QEMU_PATH="/path/to/qemu" QEMU_ARGS="args" {} input_trace output_trace
|
|
By default, will try to use the second-to-last line in the output to identify
|
|
whether the crash occred. Optionally, manually set a string that idenitifes the
|
|
crash by setting CRASH_TOKEN=
|
|
""".format((sys.argv[0])))
|
|
|
|
deduplication_note = """\n\
|
|
Note: While trimming the input, sometimes the mutated trace triggers a different
|
|
type crash but indicates the same bug. Under this situation, our minimizer is
|
|
incapable of recognizing and stopped from removing it. In the future, we may
|
|
use a more sophisticated crash case deduplication method.
|
|
\n"""
|
|
|
|
def check_if_trace_crashes(trace, path):
|
|
with open(path, "w") as tracefile:
|
|
tracefile.write("".join(trace))
|
|
|
|
rc = subprocess.Popen("timeout -s 9 {timeout}s {qemu_path} {qemu_args} 2>&1\
|
|
< {trace_path}".format(timeout=TIMEOUT,
|
|
qemu_path=QEMU_PATH,
|
|
qemu_args=QEMU_ARGS,
|
|
trace_path=path),
|
|
shell=True,
|
|
stdin=subprocess.PIPE,
|
|
stdout=subprocess.PIPE,
|
|
encoding="utf-8")
|
|
global CRASH_TOKEN
|
|
if CRASH_TOKEN is None:
|
|
try:
|
|
outs, _ = rc.communicate(timeout=5)
|
|
CRASH_TOKEN = " ".join(outs.splitlines()[-2].split()[0:3])
|
|
except subprocess.TimeoutExpired:
|
|
print("subprocess.TimeoutExpired")
|
|
return False
|
|
print("Identifying Crashes by this string: {}".format(CRASH_TOKEN))
|
|
global deduplication_note
|
|
print(deduplication_note)
|
|
return True
|
|
|
|
for line in iter(rc.stdout.readline, ""):
|
|
if "CLOSED" in line:
|
|
return False
|
|
if CRASH_TOKEN in line:
|
|
return True
|
|
|
|
print("\nWarning:")
|
|
print(" There is no 'CLOSED'or CRASH_TOKEN in the stdout of subprocess.")
|
|
print(" Usually this indicates a different type of crash.\n")
|
|
return False
|
|
|
|
|
|
def remove_lines(newtrace, outpath):
|
|
remove_step = 1
|
|
i = 0
|
|
while i < len(newtrace):
|
|
# 1.) Try to remove lines completely and reproduce the crash.
|
|
# If it works, we're done.
|
|
if (i+remove_step) >= len(newtrace):
|
|
remove_step = 1
|
|
prior = newtrace[i:i+remove_step]
|
|
for j in range(i, i+remove_step):
|
|
newtrace[j] = ""
|
|
print("Removing {lines} ...\n".format(lines=prior))
|
|
if check_if_trace_crashes(newtrace, outpath):
|
|
i += remove_step
|
|
# Double the number of lines to remove for next round
|
|
remove_step *= 2
|
|
continue
|
|
# Failed to remove multiple IOs, fast recovery
|
|
if remove_step > 1:
|
|
for j in range(i, i+remove_step):
|
|
newtrace[j] = prior[j-i]
|
|
remove_step = 1
|
|
continue
|
|
newtrace[i] = prior[0] # remove_step = 1
|
|
|
|
# 2.) Try to replace write{bwlq} commands with a write addr, len
|
|
# command. Since this can require swapping endianness, try both LE and
|
|
# BE options. We do this, so we can "trim" the writes in (3)
|
|
|
|
if (newtrace[i].startswith("write") and not
|
|
newtrace[i].startswith("write ")):
|
|
suffix = newtrace[i].split()[0][-1]
|
|
assert(suffix in write_suffix_lookup)
|
|
addr = int(newtrace[i].split()[1], 16)
|
|
value = int(newtrace[i].split()[2], 16)
|
|
for endianness in ['<', '>']:
|
|
data = struct.pack("{end}{size}".format(end=endianness,
|
|
size=write_suffix_lookup[suffix][1]),
|
|
value)
|
|
newtrace[i] = "write {addr} {size} 0x{data}\n".format(
|
|
addr=hex(addr),
|
|
size=hex(write_suffix_lookup[suffix][0]),
|
|
data=data.hex())
|
|
if(check_if_trace_crashes(newtrace, outpath)):
|
|
break
|
|
else:
|
|
newtrace[i] = prior[0]
|
|
|
|
# 3.) If it is a qtest write command: write addr len data, try to split
|
|
# it into two separate write commands. If splitting the data operand
|
|
# from length/2^n bytes to the left does not work, try to move the pivot
|
|
# to the right side, then add one to n, until length/2^n == 0. The idea
|
|
# is to prune unneccessary bytes from long writes, while accommodating
|
|
# arbitrary MemoryRegion access sizes and alignments.
|
|
|
|
# This algorithm will fail under some rare situations.
|
|
# e.g., xxxxxxxxxuxxxxxx (u is the unnecessary byte)
|
|
|
|
if newtrace[i].startswith("write "):
|
|
addr = int(newtrace[i].split()[1], 16)
|
|
length = int(newtrace[i].split()[2], 16)
|
|
data = newtrace[i].split()[3][2:]
|
|
if length > 1:
|
|
leftlength = int(length/2)
|
|
rightlength = length - leftlength
|
|
newtrace.insert(i+1, "")
|
|
power = 1
|
|
while leftlength > 0:
|
|
newtrace[i] = "write {addr} {size} 0x{data}\n".format(
|
|
addr=hex(addr),
|
|
size=hex(leftlength),
|
|
data=data[:leftlength*2])
|
|
newtrace[i+1] = "write {addr} {size} 0x{data}\n".format(
|
|
addr=hex(addr+leftlength),
|
|
size=hex(rightlength),
|
|
data=data[leftlength*2:])
|
|
if check_if_trace_crashes(newtrace, outpath):
|
|
break
|
|
# move the pivot to right side
|
|
if leftlength < rightlength:
|
|
rightlength, leftlength = leftlength, rightlength
|
|
continue
|
|
power += 1
|
|
leftlength = int(length/pow(2, power))
|
|
rightlength = length - leftlength
|
|
if check_if_trace_crashes(newtrace, outpath):
|
|
i -= 1
|
|
else:
|
|
newtrace[i] = prior[0]
|
|
del newtrace[i+1]
|
|
i += 1
|
|
|
|
|
|
def minimize_trace(inpath, outpath):
|
|
global TIMEOUT
|
|
with open(inpath) as f:
|
|
trace = f.readlines()
|
|
start = time.time()
|
|
if not check_if_trace_crashes(trace, outpath):
|
|
sys.exit("The input qtest trace didn't cause a crash...")
|
|
end = time.time()
|
|
print("Crashed in {} seconds".format(end-start))
|
|
TIMEOUT = (end-start)*5
|
|
print("Setting the timeout for {} seconds".format(TIMEOUT))
|
|
|
|
newtrace = trace[:]
|
|
|
|
# remove lines
|
|
old_len = len(newtrace) + 1
|
|
while(old_len > len(newtrace)):
|
|
old_len = len(newtrace)
|
|
remove_lines(newtrace, outpath)
|
|
newtrace = list(filter(lambda s: s != "", newtrace))
|
|
|
|
assert(check_if_trace_crashes(newtrace, outpath))
|
|
|
|
|
|
if __name__ == '__main__':
|
|
if len(sys.argv) < 3:
|
|
usage()
|
|
|
|
QEMU_PATH = os.getenv("QEMU_PATH")
|
|
QEMU_ARGS = os.getenv("QEMU_ARGS")
|
|
if QEMU_PATH is None or QEMU_ARGS is None:
|
|
usage()
|
|
# if "accel" not in QEMU_ARGS:
|
|
# QEMU_ARGS += " -accel qtest"
|
|
CRASH_TOKEN = os.getenv("CRASH_TOKEN")
|
|
QEMU_ARGS += " -qtest stdio -monitor none -serial none "
|
|
minimize_trace(sys.argv[1], sys.argv[2])
|