[panda-users] about scissors

Brendan Dolan-Gavitt brendandg at gatech.edu
Wed Apr 22 11:36:43 EDT 2015


Hi,

From the output you posted it looks like you also have the
stringsearch plugin enabled ("stringsearch: added string of length 14
to search set"). Could you try again with that turned off?

-Brendan

On Wed, Apr 22, 2015 at 2:01 AM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> Hi,
> I want to reflect a problem about the scissors plugin:
> I found that the scissors plugin did not work; it cannot extract a part from the
> original snp.
> I use the command line:
> scissors:start=4335499535,end=5244538335,name=api21-256-scissor...
>
> Adding PANDA arg scissors:start=4335499535.
> Adding PANDA arg scissors:end=5244538335.
> Adding PANDA arg scissors:name=api21-256-scissor.
> adding
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_scissors.so to
> panda_plugin_files 0
> Adding PANDA arg stringsearch:name=test.
> adding
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so
> to panda_plugin_files 1
> emulator: registered 'boot-properties' qemud service
> emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
> emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
> emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
> loading
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_scissors.so
> Success
> loading
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so
> Initializing plugin stringsearch
> panda_require: callstack_instr
> loading
> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so
> Initializing plugin callstack_instr
> Success
> stringsearch: added string of length 14 to search set
> Success
>
>
> When it reaches 4335499535, it prints:
>
> api214-20-256:  4335499535 ( 62.00%) instrs.  296.73 sec.  0.89 GB ram.
> Original ending prog point: {guest_instr_count=6992494441 pc=0xc00158c4,
> secondary=0x00000000}
> Saving snapshot at instr count 4335499535...
> Beginning cut-and-paste process at prog point:
> {guest_instr_count=4335499535 pc=0xc000db0c, secondary=0x00000000}
> Writing entries to api21-256-scissor-rr-nondet.log...
> Reached end of old nondet log.
> Continuing with replay.
>
> Then when it reaches the end, it shows:
>
> api214-20-256:  5244538335 ( 75.00%) instrs.  377.58 sec.  1.09 GB ram.
> Ending cut-and-paste on prog point:
> {guest_instr_count=5244538336 pc=0xffff0008, secondary=0x00000000}
> api214-20-256:  5244538336 ( 75.00%) instrs.  377.59 sec.  1.09 GB ram.
> Replay completed successfully.
> Time taken was: 380 seconds.
> Stats:
> RR_INPUT_1 number = 634, size = 17118 bytes
> RR_INPUT_2 number = 237, size = 6636 bytes
> RR_INPUT_4 number = 659406, size = 19782180 bytes
> RR_INPUT_8 number = 0, size = 0 bytes
> RR_INTERRUPT_REQUEST number = 1343219, size = 37610132 bytes
> RR_EXIT_REQUEST number = 0, size = 0 bytes
> RR_SKIPPED_CALL number = 424454, size = 238156678 bytes
> RR_DEBUG number = 0, size = 0 bytes
> max_queue_len = 747
> 746 items on recycle list, 65648 bytes total
> Replay terminated at user request.
>
> Logging all cpu states
>
>
> It exits. And when I check the scissors file, it is the same size as the
> original one.
>
>
>
> Please correct me!
> Thanks a lot!
>
>
> 2015-04-21 7:48 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>
>> Excuse me, scissors failed again:
>> api214-20-256:  4268808000 ( 61.05%) instrs.  329.84 sec.  0.88 GB ram.
>> api214-20-256:  4335499535 ( 62.00%) instrs.  335.77 sec.  0.89 GB ram.
>> Original ending prog point: {guest_instr_count=6992494441 pc=0xc00158c4,
>> secondary=0x00000000}
>> Saving snapshot at instr count 4335499535...
>> Beginning cut-and-paste process at prog point:
>> {guest_instr_count=4335499535 pc=0xc000db0c, secondary=0x00000000}
>> Writing entries to api4-21-rr-nondet.log...
>> Assertion failure @ count 2656994906!
>> api214-20-256:  4335499535 ( 62.00%) instrs.  336.32 sec.  1.08 GB ram.
>> ERROR: replay failed!
>> Time taken was: 337 seconds.
>> Stats:
>>
>>
>> Now I use taint and encounter 2 errors: aborted and killed.
>>
>> The first one may be caused by malloc(), but I do not know why it was killed.
>>
>> So I want to scissor it to a smaller one (just using stringsearch) and
>> then use the smaller one for taint, but scissors failed too.
>>
>>
>> 2015-04-20 22:06 GMT-04:00 Brendan Dolan-Gavitt <mooyix at gmail.com>:
>>>
>>> This might be caused by a bug that was just fixed today:
>>>
>>> https://github.com/moyix/panda/issues/58
>>>
>>> Could you do a git pull and try again?
>>>
>>> -Brendan
>>>
>>> On Sun, Apr 19, 2015 at 8:29 AM, xiaojuan Li <xiaotan6666 at gmail.com>
>>> wrote:
>>> > Hi, Brendan,
>>> > I am the one sending emails asking for help about the taint segfault.
>>> > Till now, it hasn't been fixed. (I have tried your suggestions, but it
>>> > seems not to work.)
>>> > While solving this problem, I found another problem about the scissors
>>> > plugin:
>>> > using qemu-system-arm  *** -replay ***** -panda
>>> > "scissor:start=*,end=**,name=name" failed to get the cut one. Does it
>>> > have something wrong?
>>> >
>>> > Thanks for your patience.
>>> > Best wishes.
>>> >
>>> >
>>> > --
>>> > wait and hope~~
>>
>>
>>
>>
>> --
>> wait and hope~~
>
>
>
>
> --
> wait and hope~~

