summary refs log tree commit diff stats
path: root/results/classifier/105/mistranslation/1692
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/105/mistranslation/1692')
-rw-r--r--results/classifier/105/mistranslation/1692115
1 files changed, 115 insertions, 0 deletions
diff --git a/results/classifier/105/mistranslation/1692 b/results/classifier/105/mistranslation/1692
new file mode 100644
index 000000000..877f88181
--- /dev/null
+++ b/results/classifier/105/mistranslation/1692
@@ -0,0 +1,115 @@
+mistranslation: 0.923
+other: 0.837
+graphic: 0.834
+instruction: 0.810
+KVM: 0.792
+device: 0.783
+semantic: 0.780
+boot: 0.756
+socket: 0.735
+assembly: 0.706
+network: 0.706
+vnc: 0.617
+
+Got "Assertion `bus->irq_count[i] == 0` failed" when running fuzzing
+Description of problem:
+When running the fuzzer on ac97, it always stops with "Assertion `bus->irq_count[i] == 0` failed".
+Steps to reproduce:
+Run `./qemu-fuzz-x86_64 --fuzz-target=generic-fuzz-ac97`
+Additional information:
+The logs triggered by the crash report are:
+```
+==2330108==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
+[I 0.000000] OPENED
+INFO: libFuzzer ignores flags that start with '--'
+INFO: Running with entropic power schedule (0xFF, 100).
+INFO: Seed: 1879893091
+INFO: Loaded 1 modules   (358762 inline 8-bit counters): 358762 [0x55bec313a1a0, 0x55bec3191b0a), 
+INFO: Loaded 1 PC tables (358762 PCs): 358762 [0x55bec3191b10,0x55bec370b1b0), 
+./qemu-fuzz-x86_64: Running 1 inputs 1 time(s) each.
+Running: ./crash-55e7a160b7c66d5b41718e22c7620a29e9f568f1
+Starting x86_64 with Arguments: -display none -machine accel=qtest, -m 512M -machine q35 -nodefaults -device ac97,audiodev=snd0 -audiodev none,id=snd0 -nodefaults -qtest /dev/null
+Matching objects by name ac97*
+This process will try to fuzz the following MemoryRegions:
+  * bus master[0] (size 0xffffffffffffffff)
+  * ac97-nabm[0] (size 0x100)
+  * bus master container[0] (size 0xffffffffffffffff)
+  * ac97-nam[0] (size 0x400)
+[R +0.033680] outl 0xcf8 0x80000800
+[S +0.033714] [R +0.033729] inw 0xcfc
+[S +0.033750] [R +0.033766] outl 0xcf8 0x80000810
+[S +0.033781] [R +0.033792] outl 0xcfc 0xffffffff
+[S +0.033816] [R +0.033827] outl 0xcf8 0x80000810
+[S +0.033841] [R +0.033852] inl 0xcfc
+[S +0.033866] [R +0.033879] outl 0xcf8 0x80000810
+[S +0.033894] [R +0.033904] outl 0xcfc 0xc001
+[S +0.033920] [R +0.033935] outl 0xcf8 0x80000814
+[S +0.033952] [R +0.033967] outl 0xcfc 0xffffffff
+[S +0.033984] [R +0.033994] outl 0xcf8 0x80000814
+[S +0.034008] [R +0.034017] inl 0xcfc
+[S +0.034031] [R +0.034043] outl 0xcf8 0x80000814
+[S +0.034057] [R +0.034067] outl 0xcfc 0xc401
+[S +0.034085] [R +0.034096] outl 0xcf8 0x80000804
+[S +0.034110] [R +0.034120] inw 0xcfc
+[S +0.034133] [R +0.034145] outl 0xcf8 0x80000804
+[S +0.034159] [R +0.034170] outw 0xcfc 0x7 
+[S +0.035259] [R +0.035272] outl 0xcf8 0x80000804
+[S +0.035285] [R +0.035291] inw 0xcfc
+[S +0.035300] [I +0.035389] CLOSED
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outl 0xcf8 0x80000805
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outl 0xcfc 0x5050505
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outw 0xc40b 0x6f0d
+[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] write 0x0 0x8 0x2a256c5a2c008425
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] clock_step
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outl 0xcf8 0x80000805
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] outl 0xcfc 0x8468920
+x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
+[R +0.000000] clock_step
+qemu-fuzz-x86_64: ../../../../hw/pci/pci.c:435: void pcibus_reset(BusState *): Assertion `bus->irq_count[i] == 0' failed.
+==2330108== ERROR: libFuzzer: deadly signal
+    #0 0x55bebf2624de in __sanitizer_print_stack_trace ../../llvm-project-15.0.0.src/compiler-rt/lib/asan/asan_stack.cpp:87:3
+    #1 0x55bebf1a4b31 in fuzzer::PrintStackTrace() ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38
+    #2 0x55bebf17f406 in fuzzer::Fuzzer::CrashCallback() (.part.0) ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:18
+    #3 0x55bebf17f4cd in fuzzer::Fuzzer::CrashCallback() ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:205:1
+    #4 0x55bebf17f4cd in fuzzer::Fuzzer::StaticCrashSignalCallback() ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:204:19
+    #5 0x7fae9f8a441f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
+    #6 0x7fae9f69800a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
+    #7 0x7fae9f69800a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
+    #8 0x7fae9f677858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7
+    #9 0x7fae9f677728 in __assert_fail_base /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:92:3
+    #10 0x7fae9f688fd5 in __assert_fail /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:101:3
+    #11 0x55bebfab33a7 in pcibus_reset ../hw/pci/pci.c:435:9
+    #12 0x55bec0c75ae3 in resettable_phase_hold ../hw/core/resettable.c
+    #13 0x55bec0c6e543 in device_reset_child_foreach ../hw/core/qdev.c:276:9
+    #14 0x55bec0c757c5 in resettable_phase_hold ../hw/core/resettable.c:173:5
+    #15 0x55bec0c5c421 in bus_reset_child_foreach ../hw/core/bus.c:97:13
+    #16 0x55bec0c757c5 in resettable_phase_hold ../hw/core/resettable.c:173:5
+    #17 0x55bec0c73729 in resettable_assert_reset ../hw/core/resettable.c:60:5
+    #18 0x55bec0c7336a in resettable_reset ../hw/core/resettable.c:45:5
+    #19 0x55bec0c7309a in qemu_devices_reset ../hw/core/reset.c:84:9
+    #20 0x55bec02d95bb in pc_machine_reset ../hw/i386/pc.c:1901:5
+    #21 0x55bebff4ede6 in qemu_system_reset ../softmmu/runstate.c:451:9
+    #22 0x55bec0c49684 in fuzz_reset ../tests/qtest/fuzz/fuzz.c:56:5
+    #23 0x55bec0c55641 in generic_fuzz ../tests/qtest/fuzz/generic_fuzz.c:676:5
+    #24 0x55bec0c4a0f7 in LLVMFuzzerTestOneInput ../tests/qtest/fuzz/fuzz.c:158:5
+    #25 0x55bebf17fc88 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) .. /../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:612:15
+    #26 0x55bebf1630a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:21
+    #27 0x55bebf16fa8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:19
+    #28 0x55bebf15a856 in main ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30
+    #29 0x7fae9f679082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
+    #30 0x55bebf15a8dd in _start (../qemu-fuzz-x86_64+0x1e938dd)
+
+NOTE: libFuzzer has rudimentary signal handlers.
+      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
+SUMMARY: libFuzzer: deadly signal
+
+```
+
+After some manual checks, I find out that the instruction `outl 0xcf8 0x80000805` and `outl 0xcfc 0x8468920` will set irq_count[5] to -1 while the pcibus_reset() doesn't set it back to 0 so it will fail the assertion.