From: Darren Kenny <darren.kenny@oracle.com>
To: Alexander Bulekov <alxndr@bu.edu>, qemu-devel@nongnu.org
Cc: "Alexander Bulekov" <alxndr@bu.edu>,
	"Stefan Hajnoczi" <stefanha@redhat.com>,
	"Bandan Das" <bsd@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	"Thomas Huth" <thuth@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>,
	"Qiuhao Li" <Qiuhao.Li@outlook.com>,
	"Laurent Vivier" <lvivier@redhat.com>
Subject: Re: [PATCH 09/10] fuzz: remove fork-fuzzing scaffolding
Date: Mon, 13 Feb 2023 14:47:08 +0000
Message-ID: <m27cwlr5ar.fsf@oracle.com>
In-Reply-To: <20230205042951.3570008-10-alxndr@bu.edu>

On Saturday, 2023-02-04 at 23:29:50 -05, Alexander Bulekov wrote:
> Fork-fuzzing provides a few pros, but our implementation prevents us
> from using fuzzers other than libFuzzer, and may be causing issues such
> as coverage-failure builds on OSS-Fuzz. It is not a great long-term
> solution as it depends on internal implementation details of libFuzzer
> (which is no longer in active development). Remove it in favor of other
> methods of resetting state between inputs.
>
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>

Reviewed-by: Darren Kenny <darren.kenny@oracle.com>

Thanks,

Darren.

> ---
>  meson.build                   |  4 ---
>  tests/qtest/fuzz/fork_fuzz.c  | 41 -------------------------
>  tests/qtest/fuzz/fork_fuzz.h  | 23 --------------
>  tests/qtest/fuzz/fork_fuzz.ld | 56 -----------------------------------
>  tests/qtest/fuzz/meson.build  |  6 ++--
>  5 files changed, 3 insertions(+), 127 deletions(-)
>  delete mode 100644 tests/qtest/fuzz/fork_fuzz.c
>  delete mode 100644 tests/qtest/fuzz/fork_fuzz.h
>  delete mode 100644 tests/qtest/fuzz/fork_fuzz.ld
>
> diff --git a/meson.build b/meson.build
> index 6d3b665629..8be27c2408 100644
> --- a/meson.build
> +++ b/meson.build
> @@ -215,10 +215,6 @@ endif
>  # Specify linker-script with add_project_link_arguments so that it is not placed
>  # within a linker --start-group/--end-group pair
>  if get_option('fuzzing')
> -  add_project_link_arguments(['-Wl,-T,',
> -                              (meson.current_source_dir() / 'tests/qtest/fuzz/fork_fuzz.ld')],
> -                             native: false, language: all_languages)
> -
>    # Specify a filter to only instrument code that is directly related to
>    # virtual-devices.
>    configure_file(output: 'instrumentation-filter',
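Review bot: the comment kept as leading context in this hunk (`# Specify linker-script with add_project_link_arguments so that it is not placed` / `# within a linker --start-group/--end-group pair`) describes exactly the add_project_link_arguments() call that the hunk deletes, so it is now stale; either drop those two lines too or reword them to introduce the instrumentation-filter configure_file() that follows.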
> diff --git a/tests/qtest/fuzz/fork_fuzz.c b/tests/qtest/fuzz/fork_fuzz.c
> deleted file mode 100644
> index 6ffb2a7937..0000000000
> --- a/tests/qtest/fuzz/fork_fuzz.c
> +++ /dev/null
> @@ -1,41 +0,0 @@
> -/*
> - * Fork-based fuzzing helpers
> - *
> - * Copyright Red Hat Inc., 2019
> - *
> - * Authors:
> - *  Alexander Bulekov   <alxndr@bu.edu>
> - *
> - * This work is licensed under the terms of the GNU GPL, version 2 or later.
> - * See the COPYING file in the top-level directory.
> - *
> - */
> -
> -#include "qemu/osdep.h"
> -#include "fork_fuzz.h"
> -
> -
> -void counter_shm_init(void)
> -{
> -    /* Copy what's in the counter region to a temporary buffer.. */
> -    void *copy = malloc(&__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
> -    memcpy(copy,
> -           &__FUZZ_COUNTERS_START,
> -           &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
> -
> -    /* Map a shared region over the counter region */
> -    if (mmap(&__FUZZ_COUNTERS_START,
> -             &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START,
> -             PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS,
> -             0, 0) == MAP_FAILED) {
> -        perror("Error: ");
> -        exit(1);
> -    }
> -
> -    /* Copy the original data back to the counter-region */
> -    memcpy(&__FUZZ_COUNTERS_START, copy,
> -           &__FUZZ_COUNTERS_END - &__FUZZ_COUNTERS_START);
> -    free(copy);
> -}
> -
> -
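Review bot: with the counter_shm_init() definition gone here and its prototype gone in the fork_fuzz.h hunk, any remaining `#include "fork_fuzz.h"` or counter_shm_init() call under tests/qtest/fuzz would fail at compile or link time, so a grep over the tree before merging is worth the minute. For the record, the removed helper mapped a MAP_SHARED|MAP_FIXED anonymous range over __FUZZ_COUNTERS_START..__FUZZ_COUNTERS_END so forked children could publish sancov coverage back to the parent, and it never checked the malloc() return before the first memcpy(); both concerns disappear with the file.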
> diff --git a/tests/qtest/fuzz/fork_fuzz.h b/tests/qtest/fuzz/fork_fuzz.h
> deleted file mode 100644
> index 9ecb8b58ef..0000000000
> --- a/tests/qtest/fuzz/fork_fuzz.h
> +++ /dev/null
> @@ -1,23 +0,0 @@
> -/*
> - * Fork-based fuzzing helpers
> - *
> - * Copyright Red Hat Inc., 2019
> - *
> - * Authors:
> - *  Alexander Bulekov   <alxndr@bu.edu>
> - *
> - * This work is licensed under the terms of the GNU GPL, version 2 or later.
> - * See the COPYING file in the top-level directory.
> - *
> - */
> -
> -#ifndef FORK_FUZZ_H
> -#define FORK_FUZZ_H
> -
> -extern uint8_t __FUZZ_COUNTERS_START;
> -extern uint8_t __FUZZ_COUNTERS_END;
> -
> -void counter_shm_init(void);
> -
> -#endif
> -
> diff --git a/tests/qtest/fuzz/fork_fuzz.ld b/tests/qtest/fuzz/fork_fuzz.ld
> deleted file mode 100644
> index cfb88b7fdb..0000000000
> --- a/tests/qtest/fuzz/fork_fuzz.ld
> +++ /dev/null
> @@ -1,56 +0,0 @@
> -/*
> - * We adjust linker script modification to place all of the stuff that needs to
> - * persist across fuzzing runs into a contiguous section of memory. Then, it is
> - * easy to re-map the counter-related memory as shared.
> - */
> -
> -SECTIONS
> -{
> -  .data.fuzz_start : ALIGN(4K)
> -  {
> -      __FUZZ_COUNTERS_START = .;
> -      __start___sancov_cntrs = .;
> -      *(_*sancov_cntrs);
> -      __stop___sancov_cntrs = .;
> -
> -      /* Lowest stack counter */
> -      *(__sancov_lowest_stack);
> -  }
> -}
> -INSERT AFTER .data;
> -
> -SECTIONS
> -{
> -  .data.fuzz_ordered :
> -  {
> -      /*
> -       * Coverage counters. They're not necessary for fuzzing, but are useful
> -       * for analyzing the fuzzing performance
> -       */
> -      __start___llvm_prf_cnts = .;
> -      *(*llvm_prf_cnts);
> -      __stop___llvm_prf_cnts = .;
> -
> -      /* Internal Libfuzzer TracePC object which contains the ValueProfileMap */
> -      FuzzerTracePC*(.bss*);
> -      /*
> -       * In case the above line fails, explicitly specify the (mangled) name of
> -       * the object we care about
> -       */
> -       *(.bss._ZN6fuzzer3TPCE);
> -  }
> -}
> -INSERT AFTER .data.fuzz_start;
> -
> -SECTIONS
> -{
> -  .data.fuzz_end : ALIGN(4K)
> -  {
> -      __FUZZ_COUNTERS_END = .;
> -  }
> -}
> -/*
> - * Don't overwrite the SECTIONS in the default linker script. Instead insert the
> - * above into the default script
> - */
> -INSERT AFTER .data.fuzz_ordered;
> diff --git a/tests/qtest/fuzz/meson.build b/tests/qtest/fuzz/meson.build
> index 189901d4a2..4d10b47b8f 100644
> --- a/tests/qtest/fuzz/meson.build
> +++ b/tests/qtest/fuzz/meson.build
> @@ -2,7 +2,7 @@ if not get_option('fuzzing')
>    subdir_done()
>  endif
>  
> -specific_fuzz_ss.add(files('fuzz.c', 'fork_fuzz.c', 'qos_fuzz.c',
> +specific_fuzz_ss.add(files('fuzz.c', 'qos_fuzz.c',
>                             'qtest_wrappers.c'), qos)
>  
>  # Targets
> @@ -12,7 +12,7 @@ specific_fuzz_ss.add(when: 'CONFIG_VIRTIO_SCSI', if_true: files('virtio_scsi_fuz
>  specific_fuzz_ss.add(when: 'CONFIG_VIRTIO_BLK', if_true: files('virtio_blk_fuzz.c'))
>  specific_fuzz_ss.add(files('generic_fuzz.c'))
>  
> -fork_fuzz = declare_dependency(
> +fuzz_ld = declare_dependency(
>    link_args: fuzz_exe_ldflags +
>               ['-Wl,-wrap,qtest_inb',
>                '-Wl,-wrap,qtest_inw',
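Review bot: missing documentation: after the rename from fork_fuzz to fuzz_ld nothing in this file explains why the dependency carries the `-Wl,-wrap,qtest_inb`, `-Wl,-wrap,qtest_inw`, ... link_args; a one-line comment above declare_dependency() noting that the --wrap flags redirect the qtest accessor calls to the fuzzer's own implementations in qtest_wrappers.c (added to specific_fuzz_ss a few lines up) would spare the next reader a trip through the linker docs.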
> @@ -35,4 +35,4 @@ fork_fuzz = declare_dependency(
>                '-Wl,-wrap,qtest_memset']
>  )
>  
> -specific_fuzz_ss.add(fork_fuzz)
> +specific_fuzz_ss.add(fuzz_ld)
> -- 
> 2.39.0

