[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer

To: "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Tue, 31 Jan 2017 09:05:37 -0700
Cc: George Dunlap <george.dunlap@xxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Tue, 31 Jan 2017 16:05:48 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

>>> On 31.01.17 at 16:57, <andrew.cooper3@xxxxxxxxxx> wrote:
> On 31/01/17 15:51, Wei Liu wrote:
>> On Tue, Jan 31, 2017 at 06:33:11AM -0700, Jan Beulich wrote:
>>>> +static void setup_fpu_exception_handler(void)
>>>> +{
>>>> +    /* FIXME - just disable exceptions for now */
>>>> +    unsigned long a;
>>>> +
>>>> +    asm volatile ( "fnclex");
>>>> +    a=0x37f;                    /* FCW_DEFAULT in Xen */
>>>> +    asm volatile ( "fldcw %0" :: "m" (a));
>>>> +    a=0x1f80;                   /* MXCSR_DEFAULT in Xen */
>>>> +    asm volatile ( "ldmxcsr %0" :: "m" (a) );
>>>> +}
>>> While I see that the FCW value has changed, the strange local
>>> variable is still there. If you really want to keep it, please at least
>>> add the missing spaces around the = signs. But I'd prefer
>>>
>>>     asm volatile ( "fldcw %0" :: "m" (0x37f /* FCW_DEFAULT in Xen */));
>>>     asm volatile ( "ldmxcsr %0" :: "m" (0x1f80 /* MXCSR_DEFAULT in Xen */) 
>>> );
>>>
>> This doesn't work.
>>
>> x86-insn-emulator-fuzzer.c:445:5: error: memory input 0 is not directly 
>> addressable
> 
> Indeed.  Both fldcw and ldmxcsr can only take memory operands, so cannot
> take immediate values in the inline asm.

Nevertheless I don't understand: The constraint correctly says
memory only. I'd have expected the compiler to materialize a
memory object (initialized with the given value) in order to hand
it to the asm().

>>> And then - doesn't the ABI require these settings to be in effect
>>> upon program startup anyway?
>>>
>> I'm not sure about this -- reading AMD64 ABI Draft 0.99.8 doesn't reveal
>> much for me. But having the code arranged like this hasn't caused any
>> SIGFPE so far.
>>
>> What do you suggest I do here?
> 
> The issue George hit was that AFL managed to emulate alternative loads,
> which then caused SIGFPE's to start happening to the test harness.
> 
> IIRC, the easy fix was to reset this state before emulating each
> instruction.

Oh, right, this isn't done just once at startup.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH v2 00/12] fuzz: update x86emul fuzzer
  - From: Wei Liu
- [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer
  - From: Wei Liu
- Re: [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer
  - From: Wei Liu
- Re: [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer
  - From: Andrew Cooper

Prev by Date: Re: [Xen-devel] [PATCH] acpi: Switch to dynamic mapping at SYS_STATE_boot
Next by Date: Re: [Xen-devel] [PATCH 09/28] ARM: GICv3 ITS: map device and LPIs to the ITS on physdev_op hypercall
Previous by thread: Re: [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer
Next by thread: Re: [Xen-devel] [PATCH v2 10/12] fuzz/x86emul: update fuzzer
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.