QEMU 5 #2
Comments
|
referencing PR #39 I accepted ... might influence this (at least for a decision :) ) |
|
Yeah i see now the PR #39 , the fix is included in QEMU 4.1.0 (the release of 2 days ago) and so I think that the fix fro afl++ will be the transition to this version. |
|
QEMU 4.1.0 seems to ignore the cached blocks in the parent. |
|
tb_htable_lookup always returns NULL in the parent, even if called just after tb_gen_code. mmap_lock();
tb = tb_gen_code(cpu, t.tb.pc, t.tb.cs_base, t.tb.flags, t.tb.cf_mask);
fprintf(stderr, " GEN CODE %d %p : %lx %lx %lx %lx \n", getpid(), tb, t.tb.pc, t.tb.cs_base, t.tb.flags, t.tb.cf_mask);
tb = tb_htable_lookup(cpu, t.tb.pc, t.tb.cs_base, t.tb.flags, 0);
fprintf(stderr, " LOOKUP %p : %lx %lx %lx %lx \n", tb, t.tb.pc, t.tb.cs_base, t.tb.flags, t.tb.cf_mask);
mmap_unlock();Gives: |
|
Porting the 3.1.0 tb_gen_code() routine to 4.1.0 seems to solve this issue and now the speed is double (160 exec/s vs. 80 exec/s) but not already comparable with 3.1.0 speed (1000 exec/s). |
|
This is going to be an hell... |
|
qemu 5 is out now, maybe the performance is better now? |
Also define what an experiment is and improve the running_an_experiment.md doc.
* Add stats information about locations in CMPLOG * Add CMP Differences Logging * Improve CMP differences logging * First sketch * Fill the taint map * Fill map working, not filtered yet * Take smallets hits * Filtering done * Add extra optimisations * Disable optimisations by default * EXTRA_OPTIMISATIONS * COURSE_GRAINT * Disable coarse_taint_map * Debug cmplog done (#1) * Disable coarse_taint_map * Add debug information * Extra logging * Add free-taint-map * Disable logging * Disable extra optimisations * Disable extra_optimisations * New debug * extra logging * Extra debug logging * New debug output * Debug update * Remove linked_list taint ref * Enable fuzzing * Bug fix * Enable extra logging * Debug done, bug fixed * Debug done, bug fixed (#2) * Add debug information * Extra logging * Add free-taint-map * Disable logging * Disable extra optimisations * Disable extra_optimisations * New debug * extra logging * Extra debug logging * New debug output * Debug update * Remove linked_list taint ref * Enable fuzzing * Bug fix * Enable extra logging * Debug done, bug fixed * EXTRA_OPTIMISATIONS * COURSE_GRAIND * Bug cause fix * COURSE GRAIND * EXTRA_CACHE_TRYOUT * EXTRA_CACHE FIX * Remove bool type * Bug fix; CACHE_TRY * EXTRA * IMPR * COURSEGRAIND * TRY OUT * Cleanup
I had some trouble porting to QEMU 4. It works but the exec/sec decrease drammatically.
For example, on tcpdump exec/sec are dropped from ~1650 to ~60.
I can't figure out why this happens and if someone will find why please tag me.
As a note for the future, I didn' use the QEMU helpers cause a patched version of
tcg_gen_callN(tcg_gen_afl_maybe_log_call) that only generates calls toafl_maybe_logis faster. It avoids an hashtable lookup for flags and sizemask (I hardcoded them) and many operations related to arguments preparation will be simplified by the compiler.The text was updated successfully, but these errors were encountered: