On Wed, Oct 30, 2019 at 02:50:03PM +0000, Oleinik, Alexander wrote: > +static void i440fx_fuzz_qos_fork(QTestState *s, > + const unsigned char *Data, size_t Size) { > + if (fork() == 0) { > + i440fx_fuzz_qos(s, Data, Size); > + _Exit(0); > + } else { > + wait(NULL); > + } > +} > + > +static const char *i440fx_qtest_argv = "qemu_system_i386 -machine accel=qtest" Binaries are named qemu-system-TARGET. I guess nothing looks at argv[0] but it should use hyphens instead of underscores. > + "-m 0 -display none"; > +static char *i440fx_argv(FuzzTarget *t) > +{ > + return (char *)i440fx_qtest_argv; .get_init_cmdline() should probably return const char *. Otherwise: Reviewed-by: Stefan Hajnoczi
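Review bot: in i440fx_fuzz_qos_fork() the test `fork() == 0` does not distinguish a failed fork() (which returns -1) from the parent path, so on failure the parent falls into wait(NULL), which returns at once with ECHILD and the input is silently dropped without ever being run. Keep the pid and fail loudly, e.g. `pid_t pid = fork(); if (pid == -1) { perror("fork"); abort(); }`, and consider inspecting the status from wait() (WIFSIGNALED/WEXITSTATUS) rather than discarding it, since a child that died from a signal is the event the harness is meant to surface.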
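Review bot: the two adjacent string literals that make up i440fx_qtest_argv have, as quoted, no separating whitespace, so they concatenate to `-machine accel=qtest-m 0 -display none` and the accelerator option becomes "qtest-m"; add a trailing space to the first literal (`"qemu-system-i386 -machine accel=qtest "`) or a leading one to the second so the command line parses as intended.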