[PULL v2 2/8] fuzz: adjust timeout to allow for longer inputs
From: Alexander Bulekov
Subject: [PULL v2 2/8] fuzz: adjust timeout to allow for longer inputs
Date: Wed, 25 Aug 2021 09:42:26 -0400
Using a custom timeout is useful to continue fuzzing complex devices,
even after we run into some slow code-path. However, simply adding a
fixed timeout to each input effectively caps the maximum input
length/number of operations at some artificial value. There are two
major problems with this:
1. Some code might only be reachable through long IO sequences.
2. Longer inputs can actually be _better_ for performance. While the
raw number of fuzzer executions decreases with larger inputs, the
number of MMIO/PIO/DMA operations/second actually increases, since
we are spending proportionately less time fork()ing.
With this change, we keep the custom timeout, but we renew it, prior to
each MMIO/PIO/DMA operation. Thus, we time-out only when a specific
operation takes a long time.
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
tests/qtest/fuzz/generic_fuzz.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index 0ea47298b7..80eb29bd2d 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -668,15 +668,16 @@ static void generic_fuzz(QTestState *s, const unsigned
char *Data, size_t Size)
uint8_t op;
if (fork() == 0) {
+ struct sigaction sact;
+ struct itimerval timer;
/*
* Sometimes the fuzzer will find inputs that take quite a long time to
* process. Often times, these inputs do not result in new coverage.
* Even if these inputs might be interesting, they can slow down the
- * fuzzer, overall. Set a timeout to avoid hurting performance, too
much
+ * fuzzer, overall. Set a timeout for each command to avoid hurting
+ * performance, too much
*/
if (timeout) {
- struct sigaction sact;
- struct itimerval timer;
sigemptyset(&sact.sa_mask);
sact.sa_flags = SA_NODEFER;
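Review bot: hoisting `struct sigaction sact;` and `struct itimerval timer;` out of the `if (timeout)` block leaves `timer` uninitialized whenever `timeout` is zero; the later per-command `setitimer` is guarded by the same `if (timeout)`, so nothing reads it today, but a zero-initialiser at the declaration (or a one-line comment stating that `timer` is only valid when `timeout != 0`) would keep that invariant from silently breaking under a future edit. Minor: the reflowed comment now ends in "performance, too much" with no full stop; "performance too much." reads better.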
@@ -686,13 +687,17 @@ static void generic_fuzz(QTestState *s, const unsigned
char *Data, size_t Size)
memset(&timer, 0, sizeof(timer));
timer.it_value.tv_sec = timeout / USEC_IN_SEC;
timer.it_value.tv_usec = timeout % USEC_IN_SEC;
- setitimer(ITIMER_VIRTUAL, &timer, NULL);
}
op_clear_dma_patterns(s, NULL, 0);
pci_disabled = false;
while (cmd && Size) {
+ /* Reset the timeout, each time we run a new command */
+ if (timeout) {
+ setitimer(ITIMER_VIRTUAL, &timer, NULL);
+ }
+
/* Get the length until the next command or end of input */
nextcmd = memmem(cmd, Size, SEPARATOR, strlen(SEPARATOR));
cmd_len = nextcmd ? nextcmd - cmd : Size;
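Review bot: moving `setitimer(ITIMER_VIRTUAL, &timer, NULL);` into the loop does re-arm the timeout before every command, but ITIMER_VIRTUAL only counts this process's CPU time, so a command that stalls in a blocking syscall while waiting on the QEMU side is never interrupted; patch 5/8 in this series ("fuzz: use ITIMER_REAL for timeouts") changes that, and the commit message here could say so. Note also that the timer is now first armed inside the loop, so `op_clear_dma_patterns(s, NULL, 0);` and the `pci_disabled` setup run with no timeout at all; if that is intended, a short comment would help.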
--
2.30.2
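The per-command renewal the commit message describes, as an added C example that is not QEMU's code: run_commands() models a fuzz input as a list of command costs and compares one fixed timeout for the whole input with re-arming the timer before every command. It assumes ITIMER_REAL and a siglongjmp-based SIGALRM handler in place of the fuzzer's ITIMER_VIRTUAL and fork()ed child, so the outcome can be observed in-process.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/time.h>
#include <time.h>
/* Constructed stand-in for one MMIO/PIO/DMA command: a CPU-bound wait of
 * cost_us microseconds, so an "input" is just a list of command costs. */
static sigjmp_buf timeout_jmp;
/* SIGALRM handler: abandon whatever command was running when the timer fired. */
static void on_alarm(int sig) { (void)sig; siglongjmp(timeout_jmp, 1); }
/* One-shot timer; timeout_us == 0 disarms it (it_interval is left zero). */
static void arm_timer(long timeout_us) {
    struct itimerval timer;
    memset(&timer, 0, sizeof(timer));
    timer.it_value.tv_sec = timeout_us / 1000000;
    timer.it_value.tv_usec = timeout_us % 1000000;
    setitimer(ITIMER_REAL, &timer, NULL);
}
static void busy_wait_us(long us) {
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    do {
        clock_gettime(CLOCK_MONOTONIC, &t1);
    } while ((t1.tv_sec - t0.tv_sec) * 1000000L + (t1.tv_nsec - t0.tv_nsec) / 1000 < us);
}
/* Returns how many commands completed. renew_per_command = 1 re-arms the timer
 * before every command (the patch); 0 arms it once for the whole input (before). */
size_t run_commands(const long *cost_us, size_t n, long timeout_us, int renew_per_command) {
    struct sigaction sact;
    volatile size_t done = 0;                 /* volatile: read back after siglongjmp */
    memset(&sact, 0, sizeof(sact));
    sact.sa_handler = on_alarm;
    sigemptyset(&sact.sa_mask);
    sact.sa_flags = SA_NODEFER;
    sigaction(SIGALRM, &sact, NULL);
    if (sigsetjmp(timeout_jmp, 1) != 0) {
        arm_timer(0);                         /* timed out: disarm, report progress */
        return done;
    }
    if (!renew_per_command) arm_timer(timeout_us);
    for (size_t i = 0; i < n; i++) {
        if (renew_per_command) arm_timer(timeout_us);
        busy_wait_us(cost_us[i]);
        done = i + 1;
    }
    arm_timer(0);                             /* all done: disarm so SIGALRM cannot fire later */
    return done;
}
```

With twenty 10 ms commands and a 100 ms timeout, the fixed timeout cuts the input off around the tenth command while the per-command timeout lets all twenty run, and a single 500 ms command still trips the per-command timer.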
- [PULL v2 0/8] Fuzzing Patches for 2021-08-25, Alexander Bulekov, 2021/08/25
- [PULL v2 1/8] fuzz: fix sparse memory access in the DMA callback, Alexander Bulekov, 2021/08/25
- [PULL v2 2/8] fuzz: adjust timeout to allow for longer inputs, Alexander Bulekov <=
- [PULL v2 3/8] fuzz: make object-name matching case-insensitive, Alexander Bulekov, 2021/08/25
- [PULL v2 4/8] fuzz: add an instrumentation filter, Alexander Bulekov, 2021/08/25
- [PULL v2 5/8] fuzz: use ITIMER_REAL for timeouts, Alexander Bulekov, 2021/08/25
- [PULL v2 6/8] fuzz: unblock SIGALRM so the timeout works, Alexander Bulekov, 2021/08/25
- [PULL v2 7/8] MAINTAINERS: Add myself as a reviewer for Device Fuzzing, Alexander Bulekov, 2021/08/25
- [PULL v2 8/8] MAINTAINERS: add fuzzing reviewer, Alexander Bulekov, 2021/08/25
- Re: [PULL SUBSYSTEM v2 0/8] Fuzzing Patches for 2021-08-25, Alexander Bulekov, 2021/08/25