[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer

To: Wei Liu <wei.liu2@xxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Tue, 31 Jan 2017 15:57:42 +0000
Cc: George Dunlap <george.dunlap@xxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>
Delivery-date: Tue, 31 Jan 2017 15:57:46 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 31/01/17 15:51, Wei Liu wrote:
> On Tue, Jan 31, 2017 at 06:33:11AM -0700, Jan Beulich wrote:
>>> +static void setup_fpu_exception_handler(void)
>>> +{
>>> +    /* FIXME - just disable exceptions for now */
>>> +    unsigned long a;
>>> +
>>> +    asm volatile ( "fnclex");
>>> +    a=0x37f;                    /* FCW_DEFAULT in Xen */
>>> +    asm volatile ( "fldcw %0" :: "m" (a));
>>> +    a=0x1f80;                   /* MXCSR_DEFAULT in Xen */
>>> +    asm volatile ( "ldmxcsr %0" :: "m" (a) );
>>> +}
>> While I see that the FCW value has changed, the strange local
>> variable is still there. If you really want to keep it, please at least
>> add the missing spaces around the = signs. But I'd prefer
>>
>>     asm volatile ( "fldcw %0" :: "m" (0x37f /* FCW_DEFAULT in Xen */));
>>     asm volatile ( "ldmxcsr %0" :: "m" (0x1f80 /* MXCSR_DEFAULT in Xen */) );
>>
> This doesn't work.
>
> x86-insn-emulator-fuzzer.c:445:5: error: memory input 0 is not directly 
> addressable

Indeed.  Both fldcw and ldmxcsr can only take memory operands, so cannot
take immediate values in the inline asm.

>> And then - doesn't the ABI require these settings to be in effect
>> upon program startup anyway?
>>
> I'm not sure about this -- reading AMD64 ABI Draft 0.99.8 doesn't reveal
> much for me. But having the code arranged like this hasn't caused any
> SIGFPE so far.
>
> What do you suggest I do here?

The issue George hit was that AFL managed to emulate alternative loads,
which then caused SIGFPE's to start happening to the test harness.

IIRC, the easy fix was to reset this state before emulating each
instruction.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer
  - From: George Dunlap

References:
- [Xen-devel] [PATCH v2 00/12] fuzz: update x86emul fuzzer
  - From: Wei Liu
- [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer
  - From: Wei Liu
- Re: [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer
  - From: Wei Liu

Prev by Date: Re: [Xen-devel] [PATCH] acpi: Switch to dynamic mapping at SYS_STATE_boot
Next by Date: Re: [Xen-devel] [early RFC] ARM PCI Passthrough design document
Previous by thread: Re: [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer
Next by thread: Re: [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.