Syx snapshot fixes and tuning #112
Conversation
The reason is that CONFIG_SOFTMMU is not available for the "block" source set. And it is not required, because "block" will only be built for system mode and tools, which we can deactivate using configure.
…me DEBUG print statements
…pshot restore Also flush TLB and TB more specifically
accel/tcg/cputlb.c
Outdated
| return flags; | ||
| } | ||
|
|
||
| //// --- Begin LibAFL code --- | ||
| // Use this snippet multiple times below | ||
| #define SYX_SNAPSHOT_DIRTY_LIST_ADD_HOSTADDR_PROBE(dbg, access_type, addr, entry_full, phost) { \ |
There was a problem hiding this comment.
this should be moved to top of this file
block/block-backend.c
Outdated
| @@ -29,9 +29,8 @@ | |||
| #include "migration/misc.h" | |||
|
|
|||
| //// --- Begin LibAFL code --- | |||
| #ifdef CONFIG_SOFTMMU | |||
| //#define CONFIG_DEBUG_SYX | |||
| @@ -16,6 +16,7 @@ | |||
| #include "device-save.h" | |||
| #include "syx-cow-cache.h" | |||
|
|
|||
| //#define CONFIG_DEBUG_SYX | |||
| *(int *)opaque = ret; | ||
| } | ||
|
|
||
| int libafl_blk_write(BlockBackend *blk, void *buf, int64_t offset, int64_t sz) |
There was a problem hiding this comment.
why do we need this? i don't see it used anywhere else in your pr.
There was a problem hiding this comment.
Ah yes you are right, it is not related directly to SYX.
I placed this in system.h.
I use it a lot in my branches for writing the fuzzing input to blockdev. The write is catched by SYX.
Often in embedded firmwares, fuzzing blocks of Flash or EMMC (firmware headers, partition tables, structures, etc.)
Think of it as cpu_physical_memory_rw for blockdev.
This is only low-level api yet, I can remove it of course.
libafl/syx-snapshot/syx-cow-cache.c
Outdated
| @@ -227,9 +227,12 @@ void syx_cow_cache_read_entry(SyxCowCache* scc, BlockBackend* blk, | |||
| if (!QTAILQ_EMPTY(&scc->layers)) { | |||
| for (; qiov_offset < qiov->size; | |||
| blk_offset += chunk_size, qiov_offset += chunk_size) { | |||
| int i = 0; | |||
libafl/syx-snapshot/syx-cow-cache.c
Outdated
| QTAILQ_FOREACH(layer, &scc->layers, next) | ||
| { | ||
| chunk_size = layer->chunk_size; | ||
| //printf("[SYX] check cache layer %d\n", i); |
libafl/syx-snapshot/syx-cow-cache.c
Outdated
| @@ -217,8 +218,7 @@ void syx_cow_cache_read_entry(SyxCowCache* scc, BlockBackend* blk, | |||
| size_t qiov_offset = 0; | |||
| uint64_t chunk_size = 0; | |||
|
|
|||
| // printf("[%s] Read 0x%zx bytes @addr %lx\n", blk_name(blk), qiov->size, | |||
| // offset); | |||
| //printf("[SYX] [%s] Read 0x%zx bytes @addr %lx\n", blk_name(blk), qiov->size, offset); | |||
| @@ -0,0 +1,34 @@ | |||
| #include "libafl/syx-snapshot/syx-snapshot.h" | |||
There was a problem hiding this comment.
it this useful? for full snapshots i'd use qemu snapshots instead, which are already available with hmp.
may be useful for debugging maybe?
There was a problem hiding this comment.
It is for debugging only. I used it to resolve the issues fixed in this PR. I have a personal branch with more features and also many more HMP commands.
As SYX (still don't know what that stands for ;-) ) is quite complicated I cannot debug it via the fuzzer lib. I usually compile the brigde stand-alone and do manual tests.
| @@ -1406,16 +1412,19 @@ static int probe_access_internal(CPUState *cpu, vaddr addr, | |||
|
|
|||
| /* Everything else is RAM. */ | |||
| *phost = (void *)((uintptr_t)addr + entry->addend); | |||
| //// --- Begin LibAFL code --- | |||
There was a problem hiding this comment.
why move this to higher-level functions?
i start to think we should not keep this call in probe, there are many places where memory gets probed for write but it in fact never written to.
it's only a matter of optimization though, nothing too problematic.
There was a problem hiding this comment.
The probes are used by guest helpers. Even though not every probe may lead to an actual write, we have no way to get this feedback as of now. This is how the QEMU TCG is set up.
A rule of thumb for me was the following:
Whenever QEMU uses notdirty_write, we want to make a backup of the page (syx_snapshot_dirty_list_add_hostaddr). Because these are mostly the same features.
But we cannot use notdirty_write, it misses hostaddr, so I came up with this.
|
Hi, thanks for the review! I did some cleanup. Also, please note that I removed |
notdirty_write, this is essentially the same as what we wantlibafl_blk_writeto write to blkdev with SYX enabled