Re: [Xen-devel] [PATCH 12/14] fuzz/x86_emulate: Add --rerun option to try to track down instability
On Fri, Aug 25, 2017 at 05:43:41PM +0100, George Dunlap wrote:
> Current stability numbers are not 100%. In order to help track this
> down, add a --rerun option which will run the same input twice,
> resetting the state in between each run, and comparing the state
> afterwards. If the state differs, call abort().
>
> This allows AFL to help the process of tracking down what state is not
> being reset properly between runs by providing testcases that
> demonstrate the behavior.
>
> To do this:
>
> - Move ctxt into struct fuzz-state to simplify handling
>
> - Rather than copying the data into input, treat the data handed as
>   immutable and point each "copy" to it
>
> - Factor out various steps (setting up fuzz state, running an
>   individual test) so that they can be efficiently run either once or
>   twice (as necessary)
>
> - Compare the states afterwards, printing what's different and calling
>   abort() if anything is found.
>

FWIW I think this is a useful option to have.

Since this patch depends on previous ones which have comments I only
skim-read it.

> +
> +void compare_states(struct fuzz_state state[2])
> +{
> +    // First zero any "internal" pointers
> +    state[0].corpus = state[1].corpus = NULL;
> +    state[0].ctxt.data = state[1].ctxt.data = NULL;
> +    state[0].ctxt.regs = state[1].ctxt.regs = NULL;
> +
> +
> +    if ( memcmp(&state[0], &state[1], sizeof(struct fuzz_state)) )
> +    {
> +        int i;
> +
> +        printf("State mismatch\n");
> +
> +        for ( i=0; i<5; i++)
> +            if (state[0].cr[i] != state[1].cr[i])
> +                printf("cr[%d]: %lx != %lx\n",
> +                       i, state[0].cr[i], state[1].cr[i]);

Coding style issues here and below.
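Review bot: the memcmp(&state[0], &state[1], sizeof(struct fuzz_state)) in compare_states compares padding bytes as well as fields, so two states whose fields are all equal can still be reported as "State mismatch", and in that case the cr[] loop below it prints nothing to explain why. Either memset both fuzz_state structs to zero before they are filled in, or compare the fields individually and drop the memcmp. On the style points already raised: Xen uses /* */ rather than // comments, and the control statements should read `for ( i = 0; i < 5; i++ )` and `if ( state[0].cr[i] != state[1].cr[i] )`.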
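The rerun-and-compare check the commit message describes, as an added example that is not the patch's own code (toy_state, reset_state, run_once and rerun_check are hypothetical names; the input bytes are constructed): the same input is run twice with a reset in between and the two states are compared field by field, with a deliberately unreset global counter standing in for the kind of hidden state --rerun is meant to expose.

```c
/* Added example with hypothetical names; not the Xen patch's own code. */
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

struct toy_state {
    uint64_t cr[5];        /* stand-in for control registers */
    uint64_t insn_count;   /* snapshot of the hidden counter below */
    const uint8_t *data;   /* immutable input; skipped when comparing */
};
static uint64_t g_insn_count;  /* hidden state that is easy to forget to reset */
static const uint8_t sample_input[] = { 0x0f, 0x01, 0xc1, 0x90, 0xc3 }; /* constructed */

static void reset_state(struct toy_state *s, const uint8_t *data, int reset_globals)
{
    memset(s->cr, 0, sizeof(s->cr));
    s->data = data;
    if ( reset_globals ) g_insn_count = 0;  /* the fix: clear hidden state too */
}

static void run_once(struct toy_state *s, size_t len)
{
    for ( size_t i = 0; i < len; i++ )
    {
        s->cr[s->data[i] % 5] += s->data[i];
        g_insn_count++;
    }
    s->insn_count = g_insn_count;
}

/* Field-by-field compare: a memcmp of the whole struct would also compare
 * padding bytes and the data pointer. Returns the number of mismatching fields. */
int compare_states(const struct toy_state *a, const struct toy_state *b)
{
    int i, diff = 0;
    for ( i = 0; i < 5; i++ )
        if ( a->cr[i] != b->cr[i] && ++diff )
            printf("cr[%d]: %" PRIx64 " != %" PRIx64 "\n", i, a->cr[i], b->cr[i]);
    if ( a->insn_count != b->insn_count && ++diff )
        printf("insn_count: %" PRIu64 " != %" PRIu64 "\n", a->insn_count, b->insn_count);
    return diff;
}

/* Same input twice with a reset in between; 0 means the run was stable. */
int rerun_check(const uint8_t *data, size_t len, int reset_globals)
{
    struct toy_state st[2];
    g_insn_count = 0;
    reset_state(&st[0], data, reset_globals); run_once(&st[0], len);
    reset_state(&st[1], data, reset_globals); run_once(&st[1], len);
    return compare_states(&st[0], &st[1]);
}
```

With reset_globals set to 0 the second run starts from the first run's counter, so rerun_check reports one differing field; with it set to 1 the runs agree.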