| author | Christian Krinitsin <mail@krinitsin.com> | 2025-07-03 19:39:53 +0200 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-07-03 19:39:53 +0200 |
| commit | dee4dcba78baf712cab403d47d9db319ab7f95d6 (patch) | |
| tree | 418478faf06786701a56268672f73d6b0b4eb239 /results/classifier/zero-shot/118/KVM/1878323 | |
| parent | 4d9e26c0333abd39bdbd039dcdb30ed429c475ba (diff) | |
restructure results
Diffstat (limited to 'results/classifier/zero-shot/118/KVM/1878323')
| -rw-r--r-- | results/classifier/zero-shot/118/KVM/1878323 | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/results/classifier/zero-shot/118/KVM/1878323 b/results/classifier/zero-shot/118/KVM/1878323
new file mode 100644
index 000000000..b904d1d08
--- /dev/null
+++ b/results/classifier/zero-shot/118/KVM/1878323
@@ -0,0 +1,99 @@
+KVM: 0.834
+mistranslation: 0.833
+peripherals: 0.824
+x86: 0.811
+user-level: 0.805
+hypervisor: 0.799
+graphic: 0.794
+VMM: 0.781
+register: 0.779
+risc-v: 0.773
+files: 0.771
+performance: 0.754
+ppc: 0.750
+vnc: 0.741
+TCG: 0.741
+semantic: 0.735
+virtual: 0.734
+device: 0.729
+arm: 0.717
+architecture: 0.714
+i386: 0.698
+permissions: 0.697
+assembly: 0.694
+debug: 0.662
+socket: 0.657
+PID: 0.637
+kernel: 0.622
+network: 0.593
+boot: 0.573
+
+Assertion-failure in usb_detach
+
+Hello,
+While fuzzing, I found an input that triggers an assertion-failure in usb_detach
+
+/home/alxndr/Development/qemu/hw/usb/core.c:69: void usb_detach(USBPort *): Assertion `dev->state != USB_STATE_NOTATTACHED' failed.
+#3 0x00007ffff6866092 in __GI___assert_fail (assertion=0x555557fd2040 <str> "dev->state != USB_STATE_NOTATTACHED", file=0x555557fd1ec0 <str> "/home/alxndr/Development/qemu/hw/usb/core.c", line=0x45, function=0x555557fd2000 <__PRETTY_FUNCTION__.usb_detach> "void usb_detach(USBPort *)") at assert.c:101
+#4 0x000055555723f0ce in usb_detach (port=0x62100002df30) at /home/alxndr/Development/qemu/hw/usb/core.c:69
+#5 0x00005555572a05a4 in ehci_reset (opaque=0x62100002d9f0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:863
+#6 0x00005555572bf941 in ehci_opreg_write (ptr=0x62100002d9f0, addr=0x0, val=0xbebebebe, size=0x4) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1032
+#7 0x00005555564938b5 in memory_region_write_accessor (mr=0x62100002dcb0, addr=0x0, value=0x7fffffffaad0, size=0x4, shift=0x0, mask=0xffffffff, attrs=...) at /home/alxndr/Development/qemu/memory.c:483
+#8 0x000055555649328a in access_with_adjusted_size (addr=0x0, value=0x7fffffffaad0, size=0x4, access_size_min=0x1, access_size_max=0x4, access_fn=0x555556493360 <memory_region_write_accessor>, mr=0x62100002dcb0, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
+#9 0x0000555556491df6 in memory_region_dispatch_write (mr=0x62100002dcb0, addr=0x0, data=0xbebebebe, op=MO_32, attrs=...) at /home/alxndr/Development/qemu/memory.c:1476
+#10 0x00005555562cbbf4 in flatview_write_continue (fv=0x60600003e600, addr=0xe0000020, attrs=..., ptr=0x625000260000, len=0xfe0, addr1=0x0, l=0x4, mr=0x62100002dcb0) at /home/alxndr/Development/qemu/exec.c:3137
+#11 0x00005555562bbad9 in flatview_write (fv=0x60600003e600, addr=0xe0000000, attrs=..., buf=0x625000260000, len=0x1000) at /home/alxndr/Development/qemu/exec.c:3177
+#12 0x00005555562bb609 in address_space_write (as=0x62100002d328, addr=0xe0000000, attrs=..., buf=0x625000260000, len=0x1000) at /home/alxndr/Development/qemu/exec.c:3268
+#13 0x00005555562c06a6 in address_space_unmap (as=0x62100002d328, buffer=0x625000260000, len=0x1000, is_write=0x1, access_len=0x1000) at /home/alxndr/Development/qemu/exec.c:3592
+#14 0x0000555557257d73 in dma_memory_unmap (as=0x62100002d328, buffer=0x625000260000, len=0x1000, dir=DMA_DIRECTION_FROM_DEVICE, access_len=0x1000) at /home/alxndr/Development/qemu/include/sysemu/dma.h:145
+#15 0x0000555557257c57 in usb_packet_unmap (p=0x6110000484c0, sgl=0x611000048548) at /home/alxndr/Development/qemu/hw/usb/libhw.c:65
+#16 0x00005555572a5953 in ehci_free_packet (p=0x611000048480) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:536
+#17 0x00005555572a4ed4 in ehci_cancel_queue (q=0x60d000004f10) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:584
+#18 0x00005555572a49ab in ehci_free_queue (q=0x60d000004f10, warn=0x0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:611
+#19 0x00005555572b102d in ehci_queues_rip_device (ehci=0x62100002d9f0, dev=0x623000001d00, async=0x1) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:674
+#20 0x00005555572af7a3 in ehci_detach (port=0x62100002df78) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:733
+#21 0x000055555723f15c in usb_detach (port=0x62100002df78) at /home/alxndr/Development/qemu/hw/usb/core.c:70
+#22 0x00005555572a05a4 in ehci_reset (opaque=0x62100002d9f0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:863
+#23 0x00005555572bf941 in ehci_opreg_write (ptr=0x62100002d9f0, addr=0x0, val=0xbebebebe, size=0x4) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1032
+#24 0x00005555564938b5 in memory_region_write_accessor (mr=0x62100002dcb0, addr=0x0, value=0x7fffffffc410, size=0x4, shift=0x0, mask=0xffffffff, attrs=...) at /home/alxndr/Development/qemu/memory.c:483
+#25 0x000055555649328a in access_with_adjusted_size (addr=0x0, value=0x7fffffffc410, size=0x4, access_size_min=0x1, access_size_max=0x4, access_fn=0x555556493360 <memory_region_write_accessor>, mr=0x62100002dcb0, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
+#26 0x0000555556491df6 in memory_region_dispatch_write (mr=0x62100002dcb0, addr=0x0, data=0xbebebebe, op=MO_32, attrs=...) at /home/alxndr/Development/qemu/memory.c:1476
+#27 0x00005555562cbbf4 in flatview_write_continue (fv=0x60600003e600, addr=0xe0000020, attrs=..., ptr=0x625000260000, len=0xfe0, addr1=0x0, l=0x4, mr=0x62100002dcb0) at /home/alxndr/Development/qemu/exec.c:3137
+#28 0x00005555562bbad9 in flatview_write (fv=0x60600003e600, addr=0xe0000000, attrs=..., buf=0x625000260000, len=0x1000) at /home/alxndr/Development/qemu/exec.c:3177
+#29 0x00005555562bb609 in address_space_write (as=0x62100002d328, addr=0xe0000000, attrs=..., buf=0x625000260000, len=0x1000) at /home/alxndr/Development/qemu/exec.c:3268
+#30 0x00005555562c06a6 in address_space_unmap (as=0x62100002d328, buffer=0x625000260000, len=0x1000, is_write=0x1, access_len=0x1000) at /home/alxndr/Development/qemu/exec.c:3592
+#31 0x0000555557257d73 in dma_memory_unmap (as=0x62100002d328, buffer=0x625000260000, len=0x1000, dir=DMA_DIRECTION_FROM_DEVICE, access_len=0x1000) at /home/alxndr/Development/qemu/include/sysemu/dma.h:145
+#32 0x0000555557257c57 in usb_packet_unmap (p=0x6110000484c0, sgl=0x611000048548) at /home/alxndr/Development/qemu/hw/usb/libhw.c:65
+#33 0x00005555572aa87e in ehci_execute_complete (q=0x60d000004f10) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1324
+#34 0x00005555572a7b8c in ehci_state_executing (q=0x60d000004f10) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1973
+#35 0x00005555572b3685 in ehci_advance_state (ehci=0x62100002d9f0, async=0x1) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2094
+#36 0x00005555572b2db9 in ehci_advance_async_state (ehci=0x62100002d9f0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2152
+#37 0x00005555572a29c3 in ehci_work_bh (opaque=0x62100002d9f0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2320
+#38 0x0000555557bfba60 in aio_bh_call (bh=0x60400001cd90) at /home/alxndr/Development/qemu/util/async.c:136
+
+
+I can reproduce it in qemu 5.0 using the commands in the attachment:
+
+qemu-system-i386 \
+-qtest stdio -nographic -monitor none -serial none \
+-M pc-q35-5.0 -machine q35 \
+-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,multifunction=on,id=ich9-ehci-1 \
+-device ich9-usb-uhci1,bus=pcie.0,addr=1d.0,multifunction=on,masterbus=ich9-ehci-1.0,firstport=0 \
+-device ich9-usb-uhci2,bus=pcie.0,addr=1d.1,multifunction=on,masterbus=ich9-ehci-1.0,firstport=2 \
+-device ich9-usb-uhci3,bus=pcie.0,addr=1d.2,multifunction=on,masterbus=ich9-ehci-1.0,firstport=4 \
+-drive if=none,id=usbcdrom,media=cdrom \
+-device usb-tablet,bus=ich9-ehci-1.0,port=1,usb_version=1 \
+-device usb-storage,bus=ich9-ehci-1.0,port=2,drive=usbcdrom \
+-display none -nodefaults -nographic < attachment
+
+Please let me know if I can provide any further info.
+-Alex
+
+
+
+I can reproduce this crash with QEMU v5.0, but with the current version from the master branch, this does not trigger anymore. I assume this has been fixed. Could you please have a try and confirm that it does not happen anymore?
+
+OSS-Fuzz never found it, though we are fuzzing a slightly different ehci configuration there. I made a note of the arguments we should start fuzzing on OSS-Fuzz, but I think this is safe to close.
+
+Ok, thanks, then let's close this ticket now.
+