The virtio-net fuzz target feeds inputs to all three virtio-net
virtqueues, and uses forking to avoid leaking state between fuzz runs.
Signed-off-by: Alexander Bulekov
---
tests/fuzz/Makefile.include | 1 +
tests/fuzz/virtio_net_fuzz.c | 105 +++
2 files
Signed-off-by: Alexander Bulekov
---
docs/devel/fuzzing.txt | 119 +
1 file changed, 119 insertions(+)
create mode 100644 docs/devel/fuzzing.txt
diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
new file mode 100644
index
The virtio-scsi fuzz target sets up and fuzzes the available virtio-scsi
queues. After an element is placed on a queue, the fuzzer can select
whether to perform a kick, or continue adding elements.
Signed-off-by: Alexander Bulekov
---
tests/fuzz/Makefile.include | 1 +
Signed-off-by: Alexander Bulekov
---
tests/libqtest.c | 54
tests/libqtest.h | 3 ++-
2 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/tests/libqtest.c b/tests/libqtest.c
index a7df92319a..e0bc5bbe0b 100644
--- a/tests/libqtest.c
Signed-off-by: Alexander Bulekov
---
tests/fuzz/qos_fuzz.c | 232 ++
tests/fuzz/qos_fuzz.h | 33 ++
2 files changed, 265 insertions(+)
create mode 100644 tests/fuzz/qos_fuzz.c
create mode 100644 tests/fuzz/qos_fuzz.h
diff --git
When using qtest "in-process" communication, qtest_sendf directly calls
a function in the server (qtest.c). Previously, bufwrite used
socket_send, which bypasses the TransportOps enabling the call into
qtest.c. This change replaces the socket_send calls with ops->send,
maintaining the benefits of
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
---
configure | 39 +++
1 file changed, 39 insertions(+)
diff --git a/configure b/configure
index 6099be1d84..5fb2494a8e 100755
--- a/configure
+++ b/configure
@@ -504,6 +504,7 @@ debug_mutex="no"
Before, when tests/Makefile.include was included, the contents would be
ignored if config-host.mak was defined. Moving the ifneq responsible for
this allows a target to depend on both testing-related and host-related
objects. For example the virtual-device fuzzer relies on both
libqtest/libqos
This makes it simple to swap the transport functions for qtest commands
to and from the qtest client. For example, now it is possible to
directly pass qtest commands to a server handler that exists within the
same process, without the standard way of writing to a file descriptor.
Signed-off-by:
tests/fuzz/fuzz.c serves as the entry point for the virtual-device
fuzzer. Namely, libfuzzer invokes the LLVMFuzzerInitialize and
LLVMFuzzerTestOneInput functions, both of which are defined in this
file. This change adds a "FuzzTarget" struct, along with the
fuzz_add_target function, which should
fork() is a simple way to ensure that state does not leak in between
fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
bitmaps which contain coverage information for each fuzzing run, and
these bitmaps should be copied from the child to the parent (where the
mutation occurs). These
The handler allows a qtest client to send commands to the server by
directly calling a function, rather than using a file/CharBackend
Signed-off-by: Alexander Bulekov
---
include/sysemu/qtest.h | 1 +
qtest.c | 13 +
2 files changed, 14 insertions(+)
diff --git
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
Makefile | 15 ++-
Makefile.objs | 4 +++-
Makefile.target | 18 +-
tests/fuzz/Makefile.include | 4
4 files changed, 38 insertions(+), 3 deletions(-)
qtest_server_send is a function pointer specifying the handler used to
transmit data to the qtest client. In the standard configuration, this
calls the CharBackend handler, but now it is possible for other types of
handlers, e.g. direct-function calls if the qtest client and server
exist within the
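The transport seam that the in-process qtest messages above describe (swappable transport ops on the client, a qtest_server_send-style handler pointer on the server), as an added example that is not code from this series or from QEMU: a toy qtest-like server and client where the client only calls through a QTestTransportOps table and the server only replies through a function pointer, so the same client code runs once over a socketpair (server in a forked child, standing in for the usual file-descriptor path) and once in-process, where send is a direct call into the command handler and the reply lands in the client's own buffer. The ioport toy device, the outb/inb command syntax and every function name are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* ---- server side, standing in for qtest.c ---- */
static uint8_t ioport[256];               /* toy device: byte-wide ioport space */

/* Like qtest_server_send: the handler the server transmits replies through. */
typedef void (*QTestServerSend)(void *opaque, const char *str);
static QTestServerSend qtest_server_send;
static void *qtest_server_send_opaque;

static void qtest_server_set_send_handler(QTestServerSend send, void *opaque)
{
    qtest_server_send = send;
    qtest_server_send_opaque = opaque;
}

/* Handle one "outb ADDR VAL" or "inb ADDR" line, reply via the handler. */
static void qtest_process_command(const char *cmd)
{
    int addr, val;
    char reply[32];

    if (sscanf(cmd, "outb %i %i", &addr, &val) == 2 && addr >= 0 && addr < 256) {
        ioport[addr] = (uint8_t)val;
        snprintf(reply, sizeof(reply), "OK\n");
    } else if (sscanf(cmd, "inb %i", &addr) == 1 && addr >= 0 && addr < 256) {
        snprintf(reply, sizeof(reply), "OK 0x%x\n", ioport[addr]);
    } else {
        snprintf(reply, sizeof(reply), "FAIL\n");
    }
    qtest_server_send(qtest_server_send_opaque, reply);
}

/* ---- client side, standing in for libqtest.c ---- */
typedef struct QTestState QTestState;
typedef struct {                          /* the swappable transport seam */
    void (*send)(QTestState *s, const char *buf);
    void (*recv_line)(QTestState *s, char *buf, size_t len);
} QTestTransportOps;

struct QTestState {
    QTestTransportOps ops;
    int fd;                               /* socket transport */
    char inproc_buf[32];                  /* in-process transport */
};

static void write_str(int fd, const char *s) { ssize_t r = write(fd, s, strlen(s)); (void)r; }

/* Default transport: a file descriptor, here one end of a socketpair. */
static void socket_send(QTestState *s, const char *buf) { write_str(s->fd, buf); }
static void socket_recv_line(QTestState *s, char *buf, size_t len)
{
    size_t n = 0;
    while (n + 1 < len && read(s->fd, &buf[n], 1) == 1 && buf[n++] != '\n') { }
    buf[n] = '\0';                        /* empty line means EOF */
}

/* In-process transport: send is a direct call into the server, and the
 * server's send handler writes the reply straight into the client state. */
static void inproc_send(QTestState *s, const char *buf) { qtest_process_command(buf); }
static void inproc_recv_line(QTestState *s, char *buf, size_t len)
{
    snprintf(buf, len, "%s", s->inproc_buf);
}
static void inproc_server_send(void *opaque, const char *str)
{
    QTestState *s = opaque;               /* opaque hands the client state back */
    snprintf(s->inproc_buf, sizeof(s->inproc_buf), "%s", str);
}

/* Client code is transport-agnostic: everything goes through s->ops. */
static int roundtrip(QTestState *s)
{
    char reply[32];
    int val = -1;
    s->ops.send(s, "outb 0x10 0x5a\n");
    s->ops.recv_line(s, reply, sizeof(reply));
    s->ops.send(s, "inb 0x10\n");
    s->ops.recv_line(s, reply, sizeof(reply));
    return sscanf(reply, "OK %i", &val) == 1 ? val : -1;
}

int roundtrip_inproc(void)
{
    QTestState s = { .ops = { inproc_send, inproc_recv_line } };
    qtest_server_set_send_handler(inproc_server_send, &s);
    return roundtrip(&s);
}

static void fd_server_send(void *opaque, const char *str) { write_str(*(int *)opaque, str); }

int roundtrip_socket(void)
{
    int sv[2], status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* server process: read, handle, reply */
        QTestState srv = { .ops = { socket_send, socket_recv_line }, .fd = sv[1] };
        char line[64];
        close(sv[0]);
        qtest_server_set_send_handler(fd_server_send, &srv.fd);
        for (;;) {
            socket_recv_line(&srv, line, sizeof(line));
            if (line[0] == '\0') _exit(0);
            qtest_process_command(line);
        }
    }
    close(sv[1]);
    QTestState s = { .ops = { socket_send, socket_recv_line }, .fd = sv[0] };
    int ret = roundtrip(&s);
    close(sv[0]);
    waitpid(pid, &status, 0);
    return ret;
}
```

Both roundtrip_inproc() and roundtrip_socket() read back 0x5a through the same roundtrip() body; only the ops table and the server's send handler differ. Two things worth noticing: in the in-process case the reply is produced synchronously inside send, so recv_line is just a buffer copy and nothing ever blocks on a descriptor, which is what makes this path usable from a fuzzer; and the opaque pointer registered next to the handler is how the server reaches the client's QTestState without the server-side code having to know that type.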
These three targets should simply fuzz reads/writes to a couple ioports,
but they mostly serve as examples of different ways to write targets.
They demonstrate using qtest and qos for fuzzing, as well as using
rebooting and forking to reset state, or not resetting it at all.
Signed-off-by:
The names i2c_send and i2c_recv collide with functions defined in
hw/i2c/core.c. This causes an error when linking against libqos and
softmmu simultaneously (for example when using qtest inproc). Rename the
libqos functions to avoid this.
Signed-off-by: Alexander Bulekov
---
tests/libqos/i2c.c
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
---
include/qemu/module.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/qemu/module.h b/include/qemu/module.h
index 65ba596e46..684753d808 100644
--- a/include/qemu/module.h
+++
The moved functions are not specific to qos-test and might be useful
elsewhere. For example the virtual-device fuzzer makes use of them for
qos-assisted fuzz-targets.
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
---
tests/Makefile.include | 1 +
Most qos-related objects were specified in the qos-test-obj-y variable.
qos-test-obj-y also included qos-test.o which defines a main().
This made it difficult to repurpose qos-test-obj-y to link anything
beside tests/qos-test against libqos. This change separates objects that
are libqos-specific
This series adds a framework for coverage-guided fuzzing of
virtual-devices. Fuzzing targets are based on qtest and can make use of
the libqos abstractions.
In this version, I added a virtio-scsi fuzzer. The actual fuzzing code
is very similar to the virtio-net fuzzer. I experimented with
A program might rely on functions implemented in vl.c, but implement its
own main(). By placing main into a separate source file, there are no
complaints about duplicate main()s when linking against vl.o. For
example, the virtual-device fuzzer uses a main() provided by libfuzzer,
and needs to
The virtual-device fuzzer must initialize QOM, prior to running
vl:qemu_init, so that it can use the qos_graph to identify the arguments
required to initialize a guest for libqos-assisted fuzzing. This change
prevents errors when vl:qemu_init tries to (re)initialize the previously
initialized QOM
Signed-off-by: Alexander Bulekov
---
Makefile | 15 ++-
Makefile.objs | 4 +++-
Makefile.target | 18 +-
tests/fuzz/Makefile.include | 4
4 files changed, 38 insertions(+), 3 deletions(-)
create mode 100644
The moved functions are not specific to qos-test and might be useful
elsewhere. For example the virtual-device fuzzer makes use of them for
qos-assisted fuzz-targets.
Signed-off-by: Alexander Bulekov
---
tests/Makefile.include | 1 +
tests/libqos/qos_external.c | 168
Signed-off-by: Alexander Bulekov
---
tests/libqtest.c | 54
tests/libqtest.h | 3 ++-
2 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/tests/libqtest.c b/tests/libqtest.c
index 6d3bcb6766..da0e5c7ef8 100644
--- a/tests/libqtest.c
The virtio-net fuzz target feeds inputs to all three virtio-net
virtqueues, and uses forking to avoid leaking state between fuzz runs.
Signed-off-by: Alexander Bulekov
---
tests/fuzz/Makefile.include | 1 +
tests/fuzz/virtio_net_fuzz.c | 100 +++
2 files
Signed-off-by: Alexander Bulekov
---
include/qemu/module.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/qemu/module.h b/include/qemu/module.h
index 65ba596e46..684753d808 100644
--- a/include/qemu/module.h
+++ b/include/qemu/module.h
@@ -46,6 +46,7 @@ typedef
Signed-off-by: Alexander Bulekov
---
configure | 39 +++
1 file changed, 39 insertions(+)
diff --git a/configure b/configure
index 3be9e92a24..aeca632dd9 100755
--- a/configure
+++ b/configure
@@ -501,6 +501,7 @@ libxml2=""
debug_mutex="no"
libpmem=""
This series adds a framework for coverage-guided fuzzing of
virtual-devices. Fuzzing targets are based on qtest and can make use of
the libqos abstractions.
V5:
* misc fixes addressing V4 comments
* cleanup in-process handlers/globals in libqtest.c
* small fixes to fork-based fuzzing and
From: Alexander Oleinik
The virtio-net fuzz target feeds inputs to all three virtio-net
virtqueues, and uses forking to avoid leaking state between fuzz runs.
Signed-off-by: Alexander Oleinik
---
tests/fuzz/Makefile.include | 1 +
tests/fuzz/virtio_net_fuzz.c | 123
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
tests/fuzz/qos_fuzz.c | 232 ++
tests/fuzz/qos_fuzz.h | 33 ++
2 files changed, 265 insertions(+)
create mode 100644 tests/fuzz/qos_fuzz.c
create mode 100644 tests/fuzz/qos_fuzz.h
diff
From: Alexander Oleinik
fork() is a simple way to ensure that state does not leak in between
fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
bitmaps which contain coverage information for each fuzzing run, and
these bitmaps should be copied from the child to the parent (where
From: Alexander Oleinik
The moved functions are not specific to qos-test and might be useful
elsewhere. For example the virtual-device fuzzer makes use of them for
qos-assisted fuzz-targets.
Signed-off-by: Alexander Oleinik
---
tests/Makefile.include | 1 +
tests/libqos/qos_external.c
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
configure | 39 +++
1 file changed, 39 insertions(+)
diff --git a/configure b/configure
index 3be9e92a24..aeca632dd9 100755
--- a/configure
+++ b/configure
@@ -501,6 +501,7 @@ libxml2=""
From: Alexander Oleinik
This makes it simple to swap the transport functions for qtest commands
to and from the qtest client. For example, now it is possible to
directly pass qtest commands to a server handler that exists within the
same process, without the standard way of writing to a file
From: Alexander Oleinik
When using qtest "in-process" communication, qtest_sendf directly calls
a function in the server (qtest.c). Combining the contents of the
subsequent socket_sends into the qtest_sendf, makes it so the server can
immediately handle the command, without building a local
From: Alexander Oleinik
Before, when tests/Makefile.include was included, the contents would be
ignored if config-host.mak was defined. Moving the ifneq responsible for
this allows a target to depend on both testing-related and host-related
objects. For example the virtual-device fuzzer relies
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
docs/devel/fuzzing.txt | 119 +
1 file changed, 119 insertions(+)
create mode 100644 docs/devel/fuzzing.txt
diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
new file mode 100644
From: Alexander Oleinik
The names i2c_send and i2c_recv collide with functions defined in
hw/i2c/core.c. This causes an error when linking against libqos and
softmmu simultaneously (for example when using qtest inproc). Rename the
libqos functions to avoid this.
Signed-off-by: Alexander Oleinik
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
Makefile | 15 ++-
Makefile.objs | 4 +++-
Makefile.target | 18 +-
tests/fuzz/Makefile.include | 4
4 files changed, 38 insertions(+), 3 deletions(-)
From: Alexander Oleinik
tests/fuzz/fuzz.c serves as the entry point for the virtual-device
fuzzer. Namely, libfuzzer invokes the LLVMFuzzerInitialize and
LLVMFuzzerTestOneInput functions, both of which are defined in this
file. This change adds a "FuzzTarget" struct, along with the
From: Alexander Oleinik
qtest_server_send is a function pointer specifying the handler used to
transmit data to the qtest client. In the standard configuration, this
calls the CharBackend handler, but now it is possible for other types of
handlers, e.g direct-function calls if the qtest client
From: Alexander Oleinik
These three targets should simply fuzz reads/writes to a couple ioports,
but they mostly serve as examples of different ways to write targets.
They demonstrate using qtest and qos for fuzzing, as well as using
rebooting and forking to reset state, or not resetting it at
From: Alexander Oleinik
The virtual-device fuzzer must initialize QOM, prior to running
vl:qemu_init, so that it can use the qos_graph to identify the arguments
required to initialize a guest for libqos-assisted fuzzing. This change
prevents errors when vl:qemu_init tries to (re)initialize the
From: Alexander Oleinik
Most qos-related objects were specified in the qos-test-obj-y variable.
qos-test-obj-y also included qos-test.o which defines a main().
This made it difficult to repurpose qos-test-obj-y to link anything
beside tests/qos-test against libqos. This change separates objects
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
include/qemu/module.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/qemu/module.h b/include/qemu/module.h
index 65ba596e46..684753d808 100644
--- a/include/qemu/module.h
+++ b/include/qemu/module.h
@@
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
There's a particularly ugly line here:
qtest_client_set_tx_handler(qts,
(void (*)(QTestState *s, const char*, size_t)) send);
Since qtest.c has no knowledge of the QTestState, I'm not sure how to
avoid doing this, without
From: Alexander Oleinik
A program might rely on functions implemented in vl.c, but implement its
own main(). By placing main into a separate source file, there are no
complaints about duplicate main()s when linking against vl.o. For
example, the virtual-device fuzzer uses a main() provided by
From: Alexander Oleinik
The handler allows a qtest client to send commands to the server by
directly calling a function, rather than using a file/CharBackend
Signed-off-by: Alexander Oleinik
---
include/sysemu/qtest.h | 1 +
qtest.c | 13 +
2 files changed, 14
This series adds a framework for coverage-guided fuzzing of
virtual-devices. Fuzzing targets are based on qtest and can make use of
the libqos abstractions.
V4:
* add/transfer license headers to new files
* restructure the added QTestClientTransportOps struct
* restructure the FuzzTarget
On Thu, 2019-09-19 at 14:56 -0400, John Snow wrote:
>
> On 9/19/19 6:37 AM, Stefan Hajnoczi wrote:
> > On Wed, Sep 18, 2019 at 11:19:40PM +0000, Oleinik, Alexander wrote:
> > > When using qtest "in-process" communication, qtest_sendf directly
> > > calls
On Thu, 2019-09-19 at 13:54 +0100, Stefan Hajnoczi wrote:
> On Wed, Sep 18, 2019 at 11:19:44PM +0000, Oleinik, Alexander wrote:
> > diff --git a/exec.c b/exec.c
> > index 235d6bc883..d3838f4ea4 100644
> > --- a/exec.c
> > +++ b/exec.c
> > @@ -2295,7 +2295,9 @@ s
On Thu, 2019-09-19 at 13:48 +0100, Stefan Hajnoczi wrote:
> > +
> > +void reboot(QTestState *s)
> > +{
> > +qemu_system_reset(SHUTDOWN_CAUSE_GUEST_RESET);
> > +}
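Review bot: `reboot` is a non-static function with a very generic name; glibc declares `int reboot(int)` in <sys/reboot.h>, so any translation unit that ends up including that header next to this one gets a conflicting declaration, the same class of symbol clash this series already ran into with i2c_send/i2c_recv. Give it a prefixed name (a fuzz_-style one would match the rest of tests/fuzz) and make it static unless another file calls it.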
>
> Why does reboot() take an unused argument?
It was needed when I had a reset_state(s) pointer which was separate
from fuzz().
On Thu, 2019-09-19 at 13:15 +0200, Paolo Bonzini wrote:
> On 19/09/19 01:19, Oleinik, Alexander wrote:
> > The names i2c_send and i2c_recv collide with functions defined in
> > hw/i2c/core.c. This causes an error when linking against libqos and
> > softmmu simultaneously (f
On Thu, 2019-09-19 at 13:18 +0200, Paolo Bonzini wrote:
> I think you can pass "s" to the tx handler as well, and remove the
> send_opaque and recv_opaque fields?
Qtest also uses this function to communicate over qmp (different fd).
I can probably make the tx handler a wrapper which accepts "s",
On Thu, 2019-09-19 at 11:28 +0100, Stefan Hajnoczi wrote:
> Is -fsanitize=fuzzer a clang-only option? If yes, then please ensure
> that there is a friendly error message when ./configure is run with
> gcc.
> You could probe if -fsanitize=fuzzer works and then check that
> fuzzing=no when this
On Thu, 2019-09-19 at 11:42 +0100, Stefan Hajnoczi wrote:
> On Wed, Sep 18, 2019 at 11:19:41PM +0000, Oleinik, Alexander wrote:
> > @@ -830,6 +832,9 @@ char *qtest_hmp(QTestState *s, const char *fmt,
> > ...)
> >
> > const char *qtest_get_arch(void)
>
> Maybe t
On Thu, 2019-09-19 at 11:03 +0100, Stefan Hajnoczi wrote:
> On Wed, Sep 18, 2019 at 11:19:28PM +0000, Oleinik, Alexander wrote:
> > #ifdef CONFIG_COCOA
> > #undef main
>
> This looks suspicious. Should the #ifdef CONFIG_COCOA be moved into
> main.c?
> The re
The moved functions are not specific to qos-test and might be useful
elsewhere. For example the virtual-device fuzzer makes use of them for
qos-assisted fuzz-targets.
Signed-off-by: Alexander Oleinik
---
tests/Makefile.include | 1 +
tests/libqos/qos_external.c | 151
Signed-off-by: Alexander Oleinik
---
tests/libqtest.c | 46 ++
tests/libqtest.h | 5 +
2 files changed, 51 insertions(+)
diff --git a/tests/libqtest.c b/tests/libqtest.c
index d770462869..fc10322d52 100644
--- a/tests/libqtest.c
+++
The handler allows a qtest client to send commands to the server by
directly calling a function, rather than using a file/CharBackend
Signed-off-by: Alexander Oleinik
---
include/sysemu/qtest.h | 1 +
qtest.c | 7 +++
2 files changed, 8 insertions(+)
diff --git
Signed-off-by: Alexander Oleinik
---
docs/devel/fuzzing.txt | 114 +
1 file changed, 114 insertions(+)
create mode 100644 docs/devel/fuzzing.txt
diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
new file mode 100644
index
The virtio-net fuzz target feeds inputs to all three virtio-net
virtqueues, and uses forking to avoid leaking state between fuzz runs.
Signed-off-by: Alexander Oleinik
---
tests/fuzz/Makefile.include | 1 +
tests/fuzz/virtio_net_fuzz.c | 120 +++
2 files
Signed-off-by: Alexander Oleinik
---
configure | 13 +
1 file changed, 13 insertions(+)
diff --git a/configure b/configure
index 30aad233d1..775f46f55a 100755
--- a/configure
+++ b/configure
@@ -498,6 +498,7 @@ libxml2=""
debug_mutex="no"
libpmem=""
default_devices="yes"
Signed-off-by: Alexander Oleinik
---
Makefile | 12 +++-
Makefile.objs | 6 +-
Makefile.target | 1 +
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 3a43492340..5e5033a500 100644
--- a/Makefile
+++ b/Makefile
@@ -426,6 +426,7 @@
Signed-off-by: Alexander Oleinik
---
Note that with this you cannot configure with --enable-fuzzing to build
/all targets. Even if you could, you would need to clean all of the *.o
between builds, since fuzzing adds instrumentation CFLAGS.
Makefile | 15 ++-
This is needed for the qos-assisted fuzzers which walk the qos tree and
need a way to check if the current path matches the name of the fuzz
target.
Signed-off-by: Alexander Oleinik
---
tests/fuzz/fuzz.c | 3 +++
tests/fuzz/fuzz.h | 1 +
2 files changed, 4 insertions(+)
diff --git
When using qtest "in-process" communication, qtest_sendf directly calls
a function in the server (qtest.c). Combining the contents of the
subsequent socket_sends into the qtest_sendf, makes it so the server can
immediately handle the command, without building a local buffer and
waiting for a
Signed-off-by: Alexander Oleinik
---
tests/fuzz/qos_fuzz.c | 212 ++
tests/fuzz/qos_fuzz.h | 19
2 files changed, 231 insertions(+)
create mode 100644 tests/fuzz/qos_fuzz.c
create mode 100644 tests/fuzz/qos_fuzz.h
diff --git
Signed-off-by: Alexander Oleinik
---
include/qemu/module.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/qemu/module.h b/include/qemu/module.h
index 65ba596e46..684753d808 100644
--- a/include/qemu/module.h
+++ b/include/qemu/module.h
@@ -46,6 +46,7 @@ typedef
The names i2c_send and i2c_recv collide with functions defined in
hw/i2c/core.c. This causes an error when linking against libqos and
softmmu simultaneously (for example when using qtest inproc). Rename the
libqos functions to avoid this.
Signed-off-by: Alexander Oleinik
---
This series adds a framework for coverage-guided fuzzing of
virtual-devices. Fuzzing targets are based on qtest and can make use of
the libqos abstractions.
Build instructions in docs/devel/fuzzing.txt
V3:
* Rebased onto v4.1.0+
* Add the fuzzer as a new build-target type in the build-system
On Fri, 2019-08-09 at 10:04 +0100, Stefan Hajnoczi wrote:
> On Mon, Aug 05, 2019 at 07:11:05AM +0000, Oleinik, Alexander wrote:
> > Signed-off-by: Alexander Oleinik
> > ---
> > util/module.c | 7 +++
> > 1 file changed, 7 insertions(+)
>
> Why is this
On Mon, 2019-08-12 at 18:39 -0400, Bandan Das wrote:
> "Oleinik, Alexander" writes:
> ...
> > if test "$supported_cpu" = "no"; then
> > echo
> > @@ -7306,6 +7310,17 @@ fi
> > if test "$sheepdog" = "yes"
On Mon, 2019-08-05 at 03:24 +, Oleinik, Alexander wrote:
> The number of queues is 2n+1, where n == 1 when multiqueue is
> disabled
>
> Signed-off-by: Alexander Oleinik
> ---
>
> I split this commit out of the fuzz patch-series.
>
> tests/libqos/virtio-net.c |
Signed-off-by: Alexander Oleinik
---
tests/fuzz/virtio-net-fuzz.c | 254 +++
1 file changed, 254 insertions(+)
create mode 100644 tests/fuzz/virtio-net-fuzz.c
diff --git a/tests/fuzz/virtio-net-fuzz.c b/tests/fuzz/virtio-net-fuzz.c
new file mode 100644
index
Signed-off-by: Alexander Oleinik
---
tests/fuzz/qtest_fuzz.c | 260
tests/fuzz/qtest_fuzz.h | 37 ++
2 files changed, 297 insertions(+)
create mode 100644 tests/fuzz/qtest_fuzz.c
create mode 100644 tests/fuzz/qtest_fuzz.h
diff --git
1 - 100 of 150 matches