id = 1692
title = "Got \"Assertion `bus->irq_count[i] == 0` failed\" when running fuzzing"
state = "opened"
created_at = "2023-06-06T19:14:16.413Z"
closed_at = "n/a"
labels = []
url = "https://gitlab.com/qemu-project/qemu/-/issues/1692"
host-os = "Ubuntu 20.04"
host-arch = "x86_64"
qemu-version = "commit at b52daaf2c868f2b"
guest-os = "n/a"
guest-arch = "n/a"
description = """When running the fuzzer on ac97, it always stops with "Assertion `bus->irq_count[i] == 0` failed"."""
reproduce = """Run `./qemu-fuzz-x86_64 --fuzz-target=generic-fuzz-ac97`"""
additional = """The logs triggered by the crash report are:
```
==2330108==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
[I 0.000000] OPENED
INFO: libFuzzer ignores flags that start with '--'
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1879893091
INFO: Loaded 1 modules   (358762 inline 8-bit counters): 358762 [0x55bec313a1a0, 0x55bec3191b0a), 
INFO: Loaded 1 PC tables (358762 PCs): 358762 [0x55bec3191b10,0x55bec370b1b0), 
./qemu-fuzz-x86_64: Running 1 inputs 1 time(s) each.
Running: ./crash-55e7a160b7c66d5b41718e22c7620a29e9f568f1
Starting x86_64 with Arguments: -display none -machine accel=qtest, -m 512M -machine q35 -nodefaults -device ac97,audiodev=snd0 -audiodev none,id=snd0 -nodefaults -qtest /dev/null
Matching objects by name ac97*
This process will try to fuzz the following MemoryRegions:
  * bus master[0] (size 0xffffffffffffffff)
  * ac97-nabm[0] (size 0x100)
  * bus master container[0] (size 0xffffffffffffffff)
  * ac97-nam[0] (size 0x400)
[R +0.033680] outl 0xcf8 0x80000800
[S +0.033714] [R +0.033729] inw 0xcfc
[S +0.033750] [R +0.033766] outl 0xcf8 0x80000810
[S +0.033781] [R +0.033792] outl 0xcfc 0xffffffff
[S +0.033816] [R +0.033827] outl 0xcf8 0x80000810
[S +0.033841] [R +0.033852] inl 0xcfc
[S +0.033866] [R +0.033879] outl 0xcf8 0x80000810
[S +0.033894] [R +0.033904] outl 0xcfc 0xc001
[S +0.033920] [R +0.033935] outl 0xcf8 0x80000814
[S +0.033952] [R +0.033967] outl 0xcfc 0xffffffff
[S +0.033984] [R +0.033994] outl 0xcf8 0x80000814
[S +0.034008] [R +0.034017] inl 0xcfc
[S +0.034031] [R +0.034043] outl 0xcf8 0x80000814
[S +0.034057] [R +0.034067] outl 0xcfc 0xc401
[S +0.034085] [R +0.034096] outl 0xcf8 0x80000804
[S +0.034110] [R +0.034120] inw 0xcfc
[S +0.034133] [R +0.034145] outl 0xcf8 0x80000804
[S +0.034159] [R +0.034170] outw 0xcfc 0x7 
[S +0.035259] [R +0.035272] outl 0xcf8 0x80000804
[S +0.035285] [R +0.035291] inw 0xcfc
[S +0.035300] [I +0.035389] CLOSED
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outl 0xcf8 0x80000805
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outl 0xcfc 0x5050505
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outw 0xc40b 0x6f0d
[DMA] x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] write 0x0 0x8 0x2a256c5a2c008425
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] clock_step
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outl 0xcf8 0x80000805
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] outl 0xcfc 0x8468920
x86_64: GLib: g_timer_elapsed: assertion 'timer != NULL' failed
[R +0.000000] clock_step
qemu-fuzz-x86_64: ../../../../hw/pci/pci.c:435: void pcibus_reset(BusState *): Assertion `bus->irq_count[i] == 0' failed.
==2330108== ERROR: libFuzzer: deadly signal
    #0 0x55bebf2624de in __sanitizer_print_stack_trace ../../llvm-project-15.0.0.src/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x55bebf1a4b31 in fuzzer::PrintStackTrace() ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38
    #2 0x55bebf17f406 in fuzzer::Fuzzer::CrashCallback() (.part.0) ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:18
    #3 0x55bebf17f4cd in fuzzer::Fuzzer::CrashCallback() ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:205:1
    #4 0x55bebf17f4cd in fuzzer::Fuzzer::StaticCrashSignalCallback() ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:204:19
    #5 0x7fae9f8a441f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
    #6 0x7fae9f69800a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
    #7 0x7fae9f69800a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
    #8 0x7fae9f677858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7
    #9 0x7fae9f677728 in __assert_fail_base /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:92:3
    #10 0x7fae9f688fd5 in __assert_fail /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:101:3
    #11 0x55bebfab33a7 in pcibus_reset ../hw/pci/pci.c:435:9
    #12 0x55bec0c75ae3 in resettable_phase_hold ../hw/core/resettable.c
    #13 0x55bec0c6e543 in device_reset_child_foreach ../hw/core/qdev.c:276:9
    #14 0x55bec0c757c5 in resettable_phase_hold ../hw/core/resettable.c:173:5
    #15 0x55bec0c5c421 in bus_reset_child_foreach ../hw/core/bus.c:97:13
    #16 0x55bec0c757c5 in resettable_phase_hold ../hw/core/resettable.c:173:5
    #17 0x55bec0c73729 in resettable_assert_reset ../hw/core/resettable.c:60:5
    #18 0x55bec0c7336a in resettable_reset ../hw/core/resettable.c:45:5
    #19 0x55bec0c7309a in qemu_devices_reset ../hw/core/reset.c:84:9
    #20 0x55bec02d95bb in pc_machine_reset ../hw/i386/pc.c:1901:5
    #21 0x55bebff4ede6 in qemu_system_reset ../softmmu/runstate.c:451:9
    #22 0x55bec0c49684 in fuzz_reset ../tests/qtest/fuzz/fuzz.c:56:5
    #23 0x55bec0c55641 in generic_fuzz ../tests/qtest/fuzz/generic_fuzz.c:676:5
    #24 0x55bec0c4a0f7 in LLVMFuzzerTestOneInput ../tests/qtest/fuzz/fuzz.c:158:5
    #25 0x55bebf17fc88 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) .. /../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:612:15
    #26 0x55bebf1630a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:21
    #27 0x55bebf16fa8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:19
    #28 0x55bebf15a856 in main ../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30
    #29 0x7fae9f679082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #30 0x55bebf15a8dd in _start (../qemu-fuzz-x86_64+0x1e938dd)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal

```

After some manual checks, I find out that the instruction `outl 0xcf8 0x80000805` and `outl 0xcfc 0x8468920` will set irq_count[5] to -1 while the pcibus_reset() doesn't set it back to 0 so it will fail the assertion."""