summary refs log tree commit diff stats
path: root/results/classifier/118/unknown/1892962
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/118/unknown/1892962')
-rw-r--r--results/classifier/118/unknown/1892962166
1 files changed, 166 insertions, 0 deletions
diff --git a/results/classifier/118/unknown/1892962 b/results/classifier/118/unknown/1892962
new file mode 100644
index 000000000..1aa971313
--- /dev/null
+++ b/results/classifier/118/unknown/1892962
@@ -0,0 +1,166 @@
+risc-v: 0.964
+peripherals: 0.929
+permissions: 0.915
+user-level: 0.915
+i386: 0.902
+device: 0.892
+register: 0.889
+architecture: 0.888
+vnc: 0.882
+hypervisor: 0.882
+performance: 0.873
+TCG: 0.872
+graphic: 0.862
+KVM: 0.859
+ppc: 0.854
+socket: 0.854
+assembly: 0.852
+files: 0.852
+virtual: 0.850
+arm: 0.848
+VMM: 0.838
+mistranslation: 0.837
+debug: 0.836
+semantic: 0.831
+kernel: 0.827
+PID: 0.823
+x86: 0.811
+boot: 0.796
+network: 0.782
+
+Segfault in usb_bus_from_device
+
+Hello,
+Reproducer:
+
+cat << EOF | ./qemu-system-i386 -machine q35 \
+-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,\
+multifunction=on,id=ich9-ehci-1 \
+-device ich9-usb-uhci1,bus=pcie.0,addr=1d.0,\
+multifunction=on,masterbus=ich9-ehci-1.0,firstport=0 \
+-device usb-tablet,bus=ich9-ehci-1.0,port=1,usb_version=1 \
+-display none -nodefaults -qtest stdio -accel qtest
+outl 0xcf8 0x8000e803
+outl 0xcfc 0xff00ff00
+outl 0xcf8 0x8000e821
+outb 0xcfc 0xff
+outl 0xff10 0x8500057e
+clock_step
+clock_step
+outb 0xff00 0x49
+write 0x2 0x1 0x40
+write 0x400006 0x1 0xfb
+write 0x400008 0x1 0x2d
+write 0x40000a 0x1 0xe0
+write 0x40000c 0x1 0x16
+write 0x40000e 0x1 0xfa
+write 0xfa001c 0x1 0x04
+clock_step
+write 0x400006 0x1 0xfb
+write 0xfa001d 0x1 0xff
+clock_step
+write 0x8 0x1 0xe0
+write 0xa 0x1 0x16
+write 0x1600e6 0x1 0x9c
+write 0x1600e8 0x1 0xe1
+write 0x1600eb 0x1 0x30
+clock_step
+clock_step
+write 0x10 0x1 0xe0
+write 0x12 0x1 0x16
+write 0x1600e6 0x1 0x9c
+write 0x6 0x1 0x9c
+write 0x8 0x1 0xe1
+write 0xa 0x1 0x40
+write 0xb 0x1 0x30
+clock_step
+write 0x14 0x1 0xe0
+write 0x16 0x1 0x16
+write 0x1600e6 0x1 0x9c
+write 0x6 0x1 0x9c
+clock_step
+write 0x18 0x1 0xe0
+write 0x1a 0x1 0x16
+write 0x1600e6 0x1 0x9c
+write 0x6 0x1 0x9c
+clock_step
+write 0x1c 0x1 0xe0
+write 0x1e 0x1 0x16
+write 0x1600e6 0x1 0x9c
+write 0x6 0x1 0x9c
+clock_step
+write 0x20 0x1 0xe0
+write 0x22 0x1 0x16
+write 0x1600e6 0x1 0x9c
+write 0x6 0x1 0x9c
+clock_step
+EOF
+
+The trace:
+
+...
+[S +0.087589] OK
+[R +0.087596] write 0x1600e6 0x1 0x9c
+OK
+[S +0.087603] OK
+[R +0.087655] write 0x6 0x1 0x9c
+OK
+[S +0.087667] OK
+[R +0.087675] clock_step
+784168@1598406646.189133:usb_uhci_frame_start nr 8
+784168@1598406646.189141:usb_uhci_td_load qh 0x0, td 0x1600e0, ctrl 0x9c0180, token 0x300000e1
+784168@1598406646.189147:usb_uhci_packet_add token 0x0, td 0x1600e0
+784168@1598406646.189151:usb_packet_state_change bus 0, port 1, ep 0, packet 0x611000043c00, state undef -> setup
+784168@1598406646.189161:usb_packet_state_change bus 0, port 1, ep 0, packet 0x611000043c00, state setup -> complete
+784168@1598406646.189165:usb_uhci_packet_complete_success token 0x0, td 0x1600e0
+784168@1598406646.189168:usb_uhci_packet_del token 0x0, td 0x1600e0
+784168@1598406646.189174:usb_uhci_td_complete qh 0x0, td 0x1600e0
+784168@1598406646.189179:usb_uhci_td_load qh 0x0, td 0x0, ctrl 0x9c0182, token 0x304000e1
+784168@1598406646.189183:usb_uhci_packet_add token 0x0, td 0x0
+784168@1598406646.189187:usb_packet_state_change bus 0, port 1, ep 0, packet 0x611000043d40, state undef -> setup
+/home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12: runtime error: member access within null pointer of type 'USBDevice' (aka 'struct USBDevice')
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in 
+/home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12: runtime error: member access within null pointer of type 'DeviceState' (aka 'struct DeviceState')
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in 
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==784168==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x5599c43df445 bp 0x7ffec2833e50 sp 0x7ffec2833dc0 T0)
+==784168==The signal is caused by a READ memory access.
+==784168==Hint: address points to the zero page.
+    #0 0x5599c43df445 in usb_bus_from_device /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12
+    #1 0x5599c43ea95c in usb_packet_set_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:549:23
+    #2 0x5599c43e8abd in usb_handle_packet /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:438:17
+    #3 0x5599c4b02497 in uhci_handle_td /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:892:9
+    #4 0x5599c4afbd26 in uhci_process_frame /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:1075:15
+    #5 0x5599c4aed2e3 in uhci_frame_timer /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:1174:9
+    #6 0x5599c7620917 in timerlist_run_timers /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-timer.c:572:9
+    #7 0x5599c7620e51 in qemu_clock_run_timers /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-timer.c:586:12
+    #8 0x5599c5f35a13 in qtest_clock_warp /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/cpus.c:507:9
+    #9 0x5599c61225d8 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:665:9
+    #10 0x5599c611063e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
+    #11 0x5599c610f3e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
+    #12 0x5599c7215762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
+    #13 0x5599c72158aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
+    #14 0x5599c723b514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
+    #15 0x5599c7127736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
+    #16 0x7f62623914cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
+    #17 0x5599c76b2c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
+    #18 0x5599c76b0567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
+    #19 0x5599c76aff47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
+    #20 0x5599c5e8e08d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
+    #21 0x5599c382051c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
+    #22 0x7f6261b9acc9 in __libc_start_main csu/../csu/libc-start.c:308:16
+    #23 0x5599c3775cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in usb_bus_from_device
+==784168==ABORTING
+
+-Alex
+
+This does not crash for me anymore, so I guess it has been fixed already. Could you still reproduce the crash with the latest version of QEMU?
+
+OSS-Fuzz never came across this one. Probably fixed
+
+Ok, let's assume it's fixed - so I'm closing this now.
+