diff options
| author | Alexander Bulekov <alxndr@bu.edu> | 2021-07-13 11:00:37 -0400 |
|---|---|---|
| committer | Alexander Bulekov <alxndr@bu.edu> | 2021-09-01 07:33:13 -0400 |
| commit | dfc86c0f25126ce3242b317087234c7228418eb2 (patch) | |
| tree | ad81753a114fd85bdb5434cac3c5ad9ffa8bb02a | |
| parent | f2e8b87a1afeec13157094909bf129c4b64192ba (diff) | |
| download | qemu-dfc86c0f25126ce3242b317087234c7228418eb2.zip qemu-dfc86c0f25126ce3242b317087234c7228418eb2.tar.gz qemu-dfc86c0f25126ce3242b317087234c7228418eb2.tar.bz2 | |
fuzz: add an instrumentation filter
By default, -fsanitize=fuzzer instruments all code with coverage
information. However, this means that libfuzzer will track coverage over
hundreds of source files that are unrelated to virtual-devices. This
means that libfuzzer will optimize inputs for coverage observed in timer
code, memory APIs etc. This slows down the fuzzer and stores many inputs
that are not relevant to the actual virtual-devices.
With this change, clang versions that support the
"-fsanitize-coverage-allowlist" will only instrument a subset of the
compiled code, that is directly related to virtual-devices.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
| -rwxr-xr-x | configure | 28 | ||||
| -rw-r--r-- | scripts/oss-fuzz/instrumentation-filter-template | 15 |
2 files changed, 37 insertions, 6 deletions
@@ -4198,13 +4198,21 @@ fi ########################################## # checks for fuzzer -if test "$fuzzing" = "yes" && test -z "${LIB_FUZZING_ENGINE+xxx}"; then +if test "$fuzzing" = "yes" ; then write_c_fuzzer_skeleton - if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer" ""; then - have_fuzzer=yes - else - error_exit "Your compiler doesn't support -fsanitize=fuzzer" - exit 1 + if test -z "${LIB_FUZZING_ENGINE+xxx}"; then + if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer" ""; then + have_fuzzer=yes + else + error_exit "Your compiler doesn't support -fsanitize=fuzzer" + exit 1 + fi + fi + + have_clang_coverage_filter=no + echo > $TMPTXT + if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer -fsanitize-coverage-allowlist=$TMPTXT" ""; then + have_clang_coverage_filter=yes fi fi @@ -4884,6 +4892,14 @@ if test "$fuzzing" = "yes" ; then else FUZZ_EXE_LDFLAGS="$LIB_FUZZING_ENGINE" fi + + # Specify a filter to only instrument code that is directly related to + # virtual-devices. + if test "$have_clang_coverage_filter" = "yes" ; then + cp "$source_path/scripts/oss-fuzz/instrumentation-filter-template" \ + instrumentation-filter + QEMU_CFLAGS="$QEMU_CFLAGS -fsanitize-coverage-allowlist=instrumentation-filter" + fi fi if test "$plugins" = "yes" ; then diff --git a/scripts/oss-fuzz/instrumentation-filter-template b/scripts/oss-fuzz/instrumentation-filter-template new file mode 100644 index 0000000..76d2b61 --- /dev/null +++ b/scripts/oss-fuzz/instrumentation-filter-template @@ -0,0 +1,15 @@ +# Code that we actually want the fuzzer to target +# See: https://clang.llvm.org/docs/SanitizerCoverage.html#disabling-instrumentation-without-source-modification +# +src:*/hw/* +src:*/include/hw/* +src:*/slirp/* +src:*/net/* + +# We don't care about coverage over fuzzer-specific code, however we should +# instrument the fuzzer entry-point so libFuzzer always sees at least some +# coverage - otherwise it will exit after the first input +src:*/tests/qtest/fuzz/fuzz.c + +# Enable instrumentation for all functions in those files +fun:* |