From: Darren Kenny <darren.kenny@oracle.com>
To: Alexander Bulekov <alxndr@bu.edu>, qemu-devel@nongnu.org
Cc: "Alexander Bulekov" <alxndr@bu.edu>,
	"Stefan Hajnoczi" <stefanha@redhat.com>,
	"Bandan Das" <bsd@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	"Thomas Huth" <thuth@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>,
	"Qiuhao Li" <Qiuhao.Li@outlook.com>,
	"Laurent Vivier" <lvivier@redhat.com>
Subject: Re: [PATCH 09/10] fuzz: remove fork-fuzzing scaffolding
Date: Mon, 13 Feb 2023 14:47:08 +0000
Message-ID: <m27cwlr5ar.fsf@oracle.com>
In-Reply-To: <20230205042951.3570008-10-alxndr@bu.edu>

On Saturday, 2023-02-04 at 23:29:50 -05, Alexander Bulekov wrote:
> Fork-fuzzing provides a few pros, but our implementation prevents us
> from using fuzzers other than libFuzzer, and may be causing issues such
> as coverage-failure builds on OSS-Fuzz. It is not a great long-term
> solution as it depends on internal implementation details of libFuzzer
> (which is no longer in active development). Remove it in favor of other
> methods of resetting state between inputs.
>
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>

Reviewed-by: Darren Kenny <darren.kenny@oracle.com>

Thanks,

Darren.

> ---
>  meson.build                   |  4 ---
>  tests/qtest/fuzz/fork_fuzz.c  | 41 -------------------------
>  tests/qtest/fuzz/fork_fuzz.h  | 23 --------------
>  tests/qtest/fuzz/fork_fuzz.ld | 56 -----------------------------------
>  tests/qtest/fuzz/meson.build  |  6 ++--
>  5 files changed, 3 insertions(+), 127 deletions(-)
>  delete mode 100644 tests/qtest/fuzz/fork_fuzz.c
>  delete mode 100644 tests/qtest/fuzz/fork_fuzz.h
>  delete mode 100644 tests/qtest/fuzz/fork_fuzz.ld
>
> diff --git a/meson.build b/meson.build
> index 6d3b665629..8be27c2408 100644
> --- a/meson.build
> +++ b/meson.build
> @@ -215,10 +215,6 @@ endif
>  # Specify linker-script with add_project_link_arguments so that it is not placed
>  # within a linker --start-group/--end-group pair
>  if get_option('fuzzing')
> -  add_project_link_arguments(['-Wl,-T,',
> -                              (meson.current_source_dir() / 'tests/qtest/fuzz/fork_fuzz.ld')],
> -                             native: false, language: all_languages)
> -
>    # Specify a filter to only instrument code that is directly related to
>    # virtual-devices.
>    configure_file(output: 'instrumentation-filter',
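Review bot: the comment kept as context at the top of this hunk ("Specify linker-script with add_project_link_arguments so that it is not placed within a linker --start-group/--end-group pair") describes exactly the `-Wl,-T,...fork_fuzz.ld` argument that the hunk deletes, so it is now stale; either drop it or reword it to describe the `configure_file(output: 'instrumentation-filter', ...)` call, which is all that remains inside `if get_option('fuzzing')`.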
> diff --git a/tests/qtest/fuzz/fork_fuzz.c b/tests/qtest/fuzz/fork_fuzz.c
> deleted file mode 100644
> index 6ffb2a7937..0000000000
> --- a/tests/qtest/fuzz/fork_fuzz.c
> +++ /dev/null
> @@ -1,41 +0,0 @@
> -/*
> - * Fork-based fuzzing helpers
> - *
> - * Copyright Red Hat Inc., 2019
> - *
> - * Authors:
> - *  Alexander Bulekov   <alxndr@bu.edu>
> - *
> - * This work is licensed under the terms of the GNU GPL, version 2 or later.
> - * See the COPYING file in the top-level directory.
> - *
> - */
> -
> -#include "qemu/osdep.h"
> -#include "fork_fuzz.h"
> -
> -
> -void counter_shm_init(void)
> -{
> -    /* Copy what's in the counter region to a temporary buffer.. */
> -    void *copy = malloc(&__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
> -    memcpy(copy,
> -           &__FUZZ_COUNTERS_START,
> -           &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
> -
> -    /* Map a shared region over the counter region */
> -    if (mmap(&__FUZZ_COUNTERS_START,
> -             &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START,
> -             PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS,
> -             0, 0) == MAP_FAILED) {
> -        perror("Error: ");
> -        exit(1);
> -    }
> -
> -    /* Copy the original data back to the counter-region */
> -    memcpy(&__FUZZ_COUNTERS_START, copy,
> -           &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
> -    free(copy);
> -}
> -
> -
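Review bot: with `counter_shm_init()` and the `__FUZZ_COUNTERS_START`/`__FUZZ_COUNTERS_END` symbols gone, a `git grep` over tests/qtest/fuzz for `counter_shm_init`, `fork_fuzz.h` and `__FUZZ_COUNTERS_` would confirm that no caller or include survives outside the files deleted here; the diffstat for this patch touches only the meson files and the three deleted files, so any leftover reference would only surface at link time in a fuzzing build, which the earlier patches in the series (removing the fork-based fuzzers) are relied on to have cleaned up.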
> diff --git a/tests/qtest/fuzz/fork_fuzz.h b/tests/qtest/fuzz/fork_fuzz.h
> deleted file mode 100644
> index 9ecb8b58ef..0000000000
> --- a/tests/qtest/fuzz/fork_fuzz.h
> +++ /dev/null
> @@ -1,23 +0,0 @@
> -/*
> - * Fork-based fuzzing helpers
> - *
> - * Copyright Red Hat Inc., 2019
> - *
> - * Authors:
> - *  Alexander Bulekov   <alxndr@bu.edu>
> - *
> - * This work is licensed under the terms of the GNU GPL, version 2 or later.
> - * See the COPYING file in the top-level directory.
> - *
> - */
> -
> -#ifndef FORK_FUZZ_H
> -#define FORK_FUZZ_H
> -
> -extern uint8_t __FUZZ_COUNTERS_START;
> -extern uint8_t __FUZZ_COUNTERS_END;
> -
> -void counter_shm_init(void);
> -
> -#endif
> -
> diff --git a/tests/qtest/fuzz/fork_fuzz.ld b/tests/qtest/fuzz/fork_fuzz.ld
> deleted file mode 100644
> index cfb88b7fdb..0000000000
> --- a/tests/qtest/fuzz/fork_fuzz.ld
> +++ /dev/null
> @@ -1,56 +0,0 @@
> -/*
> - * We adjust linker script modification to place all of the stuff that needs to
> - * persist across fuzzing runs into a contiguous section of memory. Then, it is
> - * easy to re-map the counter-related memory as shared.
> - */
> -
> -SECTIONS
> -{
> -  .data.fuzz_start : ALIGN(4K)
> -  {
> -      __FUZZ_COUNTERS_START = .;
> -      __start___sancov_cntrs = .;
> -      *(_*sancov_cntrs);
> -      __stop___sancov_cntrs = .;
> -
> -      /* Lowest stack counter */
> -      *(__sancov_lowest_stack);
> -  }
> -}
> -INSERT AFTER .data;
> -
> -SECTIONS
> -{
> -  .data.fuzz_ordered :
> -  {
> -      /*
> -       * Coverage counters. They're not necessary for fuzzing, but are useful
> -       * for analyzing the fuzzing performance
> -       */
> -      __start___llvm_prf_cnts = .;
> -      *(*llvm_prf_cnts);
> -      __stop___llvm_prf_cnts = .;
> -
> -      /* Internal Libfuzzer TracePC object which contains the ValueProfileMap */
> -      FuzzerTracePC*(.bss*);
> -      /*
> -       * In case the above line fails, explicitly specify the (mangled) name of
> -       * the object we care about
> -       */
> -       *(.bss._ZN6fuzzer3TPCE);
> -  }
> -}
> -INSERT AFTER .data.fuzz_start;
> -
> -SECTIONS
> -{
> -  .data.fuzz_end : ALIGN(4K)
> -  {
> -      __FUZZ_COUNTERS_END = .;
> -  }
> -}
> -/*
> - * Don't overwrite the SECTIONS in the default linker script. Instead insert the
> - * above into the default script
> - */
> -INSERT AFTER .data.fuzz_ordered;
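Review bot: this linker script is what tied the build to libFuzzer internals (`FuzzerTracePC*(.bss*)` and the fallback on the mangled `_ZN6fuzzer3TPCE` object), so its removal is the substantive part of the patch; since the commit message only says fork-fuzzing "may be causing" coverage-failure builds on OSS-Fuzz, it would help later readers if the message recorded whether a coverage build was tried without the `.data.fuzz_*` sections, as the `__llvm_prf_cnts` grouping deleted here was the piece most likely to interact with such builds.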
> diff --git a/tests/qtest/fuzz/meson.build b/tests/qtest/fuzz/meson.build
> index 189901d4a2..4d10b47b8f 100644
> --- a/tests/qtest/fuzz/meson.build
> +++ b/tests/qtest/fuzz/meson.build
> @@ -2,7 +2,7 @@ if not get_option('fuzzing')
>    subdir_done()
>  endif
>  
> -specific_fuzz_ss.add(files('fuzz.c', 'fork_fuzz.c', 'qos_fuzz.c',
> +specific_fuzz_ss.add(files('fuzz.c', 'qos_fuzz.c',
>                             'qtest_wrappers.c'), qos)
>  
>  # Targets
> @@ -12,7 +12,7 @@ specific_fuzz_ss.add(when: 'CONFIG_VIRTIO_SCSI', if_true: files('virtio_scsi_fuz
>  specific_fuzz_ss.add(when: 'CONFIG_VIRTIO_BLK', if_true: files('virtio_blk_fuzz.c'))
>  specific_fuzz_ss.add(files('generic_fuzz.c'))
>  
> -fork_fuzz = declare_dependency(
> +fuzz_ld = declare_dependency(
>    link_args: fuzz_exe_ldflags +
>               ['-Wl,-wrap,qtest_inb',
>                '-Wl,-wrap,qtest_inw',
> @@ -35,4 +35,4 @@ fork_fuzz = declare_dependency(
>                '-Wl,-wrap,qtest_memset']
>  )
>  
> -specific_fuzz_ss.add(fork_fuzz)
> +specific_fuzz_ss.add(fuzz_ld)
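Review bot: renaming the `fork_fuzz` dependency to `fuzz_ld` is a cosmetic change beyond removing `fork_fuzz.c` from the source set; it is small enough to keep in this patch, but the commit message does not mention it, so a one-line note that the dependency is renamed because it now carries only the `-Wl,-wrap,qtest_*` link arguments would make the history easier to follow.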
> -- 
> 2.39.0

