blob: b918926d762ab6d7ac2a86cd066b57da0b6655db (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
"code should not be reached" in ati_2d_blt()
Description of problem:
My fuzzer detected a "code should not be reached" bug in ati_2d_blt()
The stack trace is:
```
ERROR:include/qemu/bswap.h:418:stn_he_p: code should not be reached
Bail out! ERROR:include/qemu/bswap.h:418:stn_he_p: code should not be reached
==69534== ERROR: libFuzzer: deadly signal
#0 0x559e65667f5e in __sanitizer_print_stack_trace llvm-project-15.0.0.src/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x559e655a73bc in fuzzer::PrintStackTrace() llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38
#2 0x559e65585a66 in fuzzer::Fuzzer::CrashCallback() (.part.0) llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:236:18
#3 0x559e65585b2b in fuzzer::Fuzzer::CrashCallback() llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:208:1
#4 0x559e65585b2b in fuzzer::Fuzzer::StaticCrashSignalCallback() llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:207:19
#5 0x7fa8835e351f (/lib/x86_64-linux-gnu/libc.so.6+0x4251f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#6 0x7fa8836379fb in __pthread_kill_implementation nptl/pthread_kill.c:43:17
#7 0x7fa8836379fb in __pthread_kill_internal nptl/pthread_kill.c:78:10
#8 0x7fa8836379fb in pthread_kill nptl/pthread_kill.c:89:10
#9 0x7fa8835e3475 in gsignal signal/../sysdeps/posix/raise.c:26:13
#10 0x7fa8835c97f2 in abort stdlib/abort.c:79:7
#11 0x7fa8848e5b56 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x1eb56) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
#12 0x7fa88493f70e in g_assertion_message_expr (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7870e) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
#13 0x559e65fc7d70 in stn_he_p include/qemu/bswap.h:418:1
#14 0x559e65fc55dc in ati_2d_blt hw/display/ati_2d.c:224:21
#15 0x559e65faccff in ati_mm_write hw/display/ati.c:857:9
#16 0x559e685b8363 in memory_region_write_accessor system/memory.c:497:5
#17 0x559e685b7a45 in access_with_adjusted_size system/memory.c:573:18
#18 0x559e685b59a9 in memory_region_dispatch_write system/memory.c:1521:16
#19 0x559e6865938e in flatview_write_continue_step system/physmem.c:2757:18
#20 0x559e68658c24 in flatview_write_continue system/physmem.c:2787:19
#21 0x559e6863024b in flatview_write system/physmem.c:2818:12
#22 0x559e6862fd18 in address_space_write system/physmem.c:2938:18
...
```
Steps to reproduce:
Arguments: `export QEMU_ARGS="-machine q35 -nodefaults -device ati-vga,romfile=\"\" -display vnc=localhost:99 -L ../pc-bios/"`
The base addresses of memory regions:
ati.mmregs: 0xe1000000
Reproducer:
```
writew 0xe100146c 0x44e4c5c1
writeb 0xe10016c0 0x773b93cf
writeb 0xe10016e4 0x2beb6e13
writel 0xe100143c 0x118b71f6
EOF
```
Additional information:
Ack: Chuhong Yuan (hslester96@gmail.com)
|