On Fri, 2019-08-09 at 10:04 +0100, Stefan Hajnoczi wrote:
> On Mon, Aug 05, 2019 at 07:11:05AM +0000, Oleinik, Alexander wrote:
> > Signed-off-by: Alexander Oleinik
> > ---
> > util/module.c | 7 +++
> > 1 file changed, 7 insertions(+)
>
> Why is this
On Mon, 2019-08-12 at 18:39 -0400, Bandan Das wrote:
> "Oleinik, Alexander" writes:
> ...
> > if test "$supported_cpu" = "no"; then
> > echo
> > @@ -7306,6 +7310,17 @@ fi
> > if test "$sheepdog" = "yes"
This series adds a framework for coverage-guided fuzzing of
virtual-devices. Fuzzing targets are based on qtest and can make use of
the libqos abstractions.
Build instructions in docs/devel/fuzzing.txt
V3:
* Rebased onto v4.1.0+
* Add the fuzzer as a new build-target type in the build-system
The names i2c_send and i2c_recv collide with functions defined in
hw/i2c/core.c. This causes an error when linking against libqos and
softmmu simultaneously (for example when using qtest inproc). Rename the
libqos functions to avoid this.
Signed-off-by: Alexander Oleinik
---
This makes it simple to swap the transport functions for qtest commands
to and from the qtest client. For example, now it is possible to
directly pass qtest commands to a server handler that exists within the
same process, without the standard way of writing to a file descriptor.
Signed-off-by:
Signed-off-by: Alexander Oleinik
---
include/qemu/module.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/qemu/module.h b/include/qemu/module.h
index 65ba596e46..684753d808 100644
--- a/include/qemu/module.h
+++ b/include/qemu/module.h
@@ -46,6 +46,7 @@ typedef
Signed-off-by: Alexander Oleinik
---
tests/fuzz/qos_fuzz.c | 212 ++
tests/fuzz/qos_fuzz.h | 19
2 files changed, 231 insertions(+)
create mode 100644 tests/fuzz/qos_fuzz.c
create mode 100644 tests/fuzz/qos_fuzz.h
diff --git
Signed-off-by: Alexander Oleinik
---
configure | 13 +
1 file changed, 13 insertions(+)
diff --git a/configure b/configure
index 30aad233d1..775f46f55a 100755
--- a/configure
+++ b/configure
@@ -498,6 +498,7 @@ libxml2=""
debug_mutex="no"
libpmem=""
default_devices="yes"
Signed-off-by: Alexander Oleinik
---
docs/devel/fuzzing.txt | 114 +
1 file changed, 114 insertions(+)
create mode 100644 docs/devel/fuzzing.txt
diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
new file mode 100644
index
The virtio-net fuzz target feeds inputs to all three virtio-net
virtqueues, and uses forking to avoid leaking state between fuzz runs.
Signed-off-by: Alexander Oleinik
---
tests/fuzz/Makefile.include | 1 +
tests/fuzz/virtio_net_fuzz.c | 120 +++
2 files
Before, when tests/Makefile.include was included, the contents would be
ignored if config-host.mak was defined. Moving the ifneq responsible for
this allows a target to depend on both testing-related and host-related
objects. For example the virtual-device fuzzer relies on both
libqtest/libqos
fork() is a simple way to ensure that state does not leak in between
fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
bitmaps which contain coverage information for each fuzzing run, and
these bitmaps should be copied from the child to the parent (where
mutation occurs). These
The moved functions are not specific to qos-test and might be useful
elsewhere. For example the virtual-device fuzzer makes use of them for
qos-assisted fuzz-targets.
Signed-off-by: Alexander Oleinik
---
tests/Makefile.include | 1 +
tests/libqos/qos_external.c | 151
A program might rely on functions implemented in vl.c, but implement its
own main(). By placing main into a separate source file, there are no
complaints about duplicate main()s when linking against vl.o. For
example, the virtual-device fuzzer uses a main() provided by libfuzzer,
and needs to
The virtual-device fuzzer must initialize QOM, prior to running
vl:qemu_init, so that it can use the qos_graph to identify the arguments
required to initialize a guest for libqos-assisted fuzzing. This change
prevents errors when vl:qemu_init tries to (re)initialize the previously
initialized QOM
Most qos-related objects were specified in the qos-test-obj-y variable.
qos-test-obj-y also included qos-test.o which defines a main().
This made it difficult to repurpose qos-test-obj-y to link anything
beside tests/qos-test against libqos. This change separates objects that
are libqos-specific
qtest_server_send is a function pointer specifying the handler used to
transmit data to the qtest client. In the standard configuration, this
calls the CharBackend handler, but now it is possible for other types of
handlers, e.g. direct-function calls if the qtest client and server
exist within the
When using qtest "in-process" communication, qtest_sendf directly calls
a function in the server (qtest.c). Combining the contents of the
subsequent socket_sends into the qtest_sendf, makes it so the server can
immediately handle the command, without building a local buffer and
waiting for a
Signed-off-by: Alexander Oleinik
---
Note that with this you cannot configure with --enable-fuzzing to build
/all targets. Even if you could, you would need to clean all of the *.o
between builds, since fuzzing adds instrumentation CFLAGS.
Makefile| 15 ++-
These three targets should simply fuzz reads/writes to a couple ioports,
but they mostly serve as examples of different ways to write targets.
They demonstrate using qtest and qos for fuzzing, as well as using
rebooting and forking to reset state, or not resetting it at all.
Signed-off-by:
This is needed for the qos-assisted fuzzers which walk the qos tree and
need a way to check if the current path matches the name of the fuzz
target.
Signed-off-by: Alexander Oleinik
---
tests/fuzz/fuzz.c | 3 +++
tests/fuzz/fuzz.h | 1 +
2 files changed, 4 insertions(+)
diff --git
Signed-off-by: Alexander Oleinik
---
Makefile| 12 +++-
Makefile.objs | 6 +-
Makefile.target | 1 +
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 3a43492340..5e5033a500 100644
--- a/Makefile
+++ b/Makefile
@@ -426,6 +426,7 @@
The handler allows a qtest client to send commands to the server by
directly calling a function, rather than using a file/CharBackend
Signed-off-by: Alexander Oleinik
---
include/sysemu/qtest.h | 1 +
qtest.c| 7 +++
2 files changed, 8 insertions(+)
diff --git
Signed-off-by: Alexander Oleinik
---
tests/libqtest.c | 46 ++
tests/libqtest.h | 5 +
2 files changed, 51 insertions(+)
diff --git a/tests/libqtest.c b/tests/libqtest.c
index d770462869..fc10322d52 100644
--- a/tests/libqtest.c
+++
tests/fuzz/fuzz.c serves as the entry point for the virtual-device
fuzzer. Namely, libfuzzer invokes the LLVMFuzzerInitialize and
LLVMFuzzerTestOneInput functions, both of which are defined in this
file. This change adds a "FuzzTarget" struct, along with the
fuzz_add_target function, which should
The number of queues is 2n+1, where n == 1 when multiqueue is disabled
Signed-off-by: Alexander Oleinik
---
I split this commit out of the fuzz patch-series.
tests/libqos/virtio-net.c | 1 +
tests/libqos/virtio-net.h | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git
Forking is a simple way of ensuring that state doesn't leak between
runs. This patch depends on a modification to libfuzzer:
https://reviews.llvm.org/D65672
Signed-off-by: Alexander Oleinik
---
tests/fuzz/fuzzer_hooks.c | 62 +++
tests/fuzz/fuzzer_hooks.h |
Signed-off-by: Alexander Oleinik
---
tests/libqtest.c | 61 ++--
tests/libqtest.h | 6 +
2 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/tests/libqtest.c b/tests/libqtest.c
index 3c5c3f49d8..a9c1dc4fb6 100644
--- a/tests/libqtest.c
Skip the header when saving device state, as the header isn't handled by
qemu_load_device_state
Signed-off-by: Alexander Oleinik
---
migration/savevm.c | 9 +++--
migration/savevm.h | 2 ++
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/migration/savevm.c
Signed-off-by: Alexander Oleinik
---
tests/fuzz/qos_fuzz.c| 58
tests/fuzz/qos_fuzz.h| 23 +
tests/fuzz/qos_helpers.c | 190 +++
tests/fuzz/qos_helpers.h | 17
4 files changed, 288 insertions(+)
create mode 100644
Signed-off-by: Alexander Oleinik
---
util/module.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/util/module.c b/util/module.c
index 142db7e911..3d4380fd47 100644
--- a/util/module.c
+++ b/util/module.c
@@ -30,6 +30,7 @@ typedef struct ModuleEntry
typedef QTAILQ_HEAD(, ModuleEntry)
The code defines the lifecycle of the fuzzer, and provides rebooting,
vmload and device_load as means of resetting state between fuzz runs
Signed-off-by: Alexander Oleinik
---
tests/fuzz/fuzz.c | 245 ++
tests/fuzz/fuzz.h | 70 +
2 files
Signed-off-by: Alexander Oleinik
---
accel/fuzz.c | 48 +++
include/sysemu/fuzz.h | 15 ++
2 files changed, 63 insertions(+)
create mode 100644 accel/fuzz.c
create mode 100644 include/sysemu/fuzz.h
diff --git a/accel/fuzz.c
These functions are used by both qos-test.c, and the fuzzer.
Signed-off-by: Alexander Oleinik
---
tests/libqos/qos_external.c | 149
tests/libqos/qos_external.h | 8 ++
tests/qos-test.c| 132 +---
3 files changed,
On Mon, 2019-08-05 at 03:24 +, Oleinik, Alexander wrote:
> The number of queues is 2n+1, where n == 1 when multiqueue is
> disabled
>
> Signed-off-by: Alexander Oleinik
> ---
>
> I split this commit out of the fuzz patch-series.
>
> tests/libqos/virtio-net.c |
Signed-off-by: Alexander Oleinik
---
include/qemu/module.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/qemu/module.h b/include/qemu/module.h
index db3065381d..cb37ef647e 100644
--- a/include/qemu/module.h
+++ b/include/qemu/module.h
@@ -46,6 +46,7 @@ typedef
Signed-off-by: Alexander Oleinik
---
tests/fuzz/qtest_fuzz.c | 260
tests/fuzz/qtest_fuzz.h | 37 ++
2 files changed, 297 insertions(+)
create mode 100644 tests/fuzz/qtest_fuzz.c
create mode 100644 tests/fuzz/qtest_fuzz.h
diff --git
Signed-off-by: Alexander Oleinik
---
tests/fuzz/virtio-net-fuzz.c | 254 +++
1 file changed, 254 insertions(+)
create mode 100644 tests/fuzz/virtio-net-fuzz.c
diff --git a/tests/fuzz/virtio-net-fuzz.c b/tests/fuzz/virtio-net-fuzz.c
new file mode 100644
index
Both the qtest client, libqtest.c, and server, qtest.c, used the same
name for initialization functions which can cause confusion.
Signed-off-by: Alexander Oleinik
---
Thank you, Thomas Huth for the suggestion.
include/sysemu/qtest.h | 2 +-
qtest.c| 3 +--
vl.c
Signed-off-by: Alexander Oleinik
---
migration/qemu-file.c | 84 +++
migration/qemu-file.h | 11 ++
2 files changed, 95 insertions(+)
diff --git a/migration/qemu-file.c b/migration/qemu-file.c
index 0431585502..453e2897d5 100644
---
The direct receive function qtest_server_recv is directly invoked by the
qtest client, when the server and client exist within the same process.
Signed-off-by: Alexander Oleinik
---
include/sysemu/qtest.h | 4
qtest.c| 14 ++
2 files changed, 18 insertions(+)
Temporary solution until there is a better build solution for fuzzers in
tests/Makefile.include
Signed-off-by: Alexander Oleinik
---
target/i386/Makefile.objs | 20
1 file changed, 20 insertions(+)
diff --git a/target/i386/Makefile.objs b/target/i386/Makefile.objs
index
Using this, we avoid needing a special case to break out of main(),
early, when initializing the fuzzer, as we can just call qemu_init.
There is still a #define around main(), since it otherwise conflicts
with the libfuzzer main().
Signed-off-by: Alexander Oleinik
---
include/sysemu/sysemu.h |
Otherwise, the RAM is unmapped from the child-processes, which breaks
any fuzz tests relying on DMA.
Signed-off-by: Alexander Oleinik
---
exec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/exec.c b/exec.c
index 3e78de3b8f..b3b56db8f0 100644
--- a/exec.c
+++ b/exec.c
@@ -2317,7 +2317,9
Changes since v1
* Split off changes to qos virtio-net and qtest server to other patches
* Move vl:main initialization into new func: qemu_init
* Moved useful functions from qos-test.c to a separate object
* Use struct of function pointers for add_fuzz_target(), instead of
arguments
* Move
This adds sanitizer/fuzzer related cflags and adds tests/ to the include
path. This include change is needed for qos to build, and is normally
located in tests/Makefile.include, but currently the fuzzer builds from
the i386-softmmu target, not anything in tests.
Signed-off-by: Alexander Oleinik
On Tue, 2019-07-23 at 11:38 +0800, Jason Wang wrote:
> On 2019/7/20 2:52 AM, Oleinik, Alexander wrote:
> > Virtual devices should not try to send zero-sized packets. The
> > caller
> > should check the size prior to calling qemu_sendv_packet_async.
> >
> >
While fuzzing the virtio-net tx vq, I ran into an assertion failure due
to iov_copy offsets larger than the total iov size. Though there is
a check to cover this, it does not execute when !n->has_vnet_hdr. This
change always copies the guest header into the mhdr buffer and checks its
length, even
virtio_net_flush_tx does not check that the packet size is nonzero,
which causes q->async_tx.elem to be set. Then, when the device is reset, there
is an assertion failure since q->async_tx.elem must be flushed/cleared.
Zero-sized packets are unsupported - check packet size, prior to
sending.
Virtual devices should not try to send zero-sized packets. The caller
should check the size prior to calling qemu_sendv_packet_async.
Signed-off-by: Alexander Oleinik
---
net/net.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/net.c b/net/net.c
index 7d4098254f..fad20bc611 100644
While fuzzing virtio-net I found that attempting to send
a zero-size packet leads to an assertion failure, when resetting the
device. These patches add an assertion to net/net.c to ensure that
virtual devices do not try to send zero-size packets and change
virtio-net to check that packets have
While fuzzing the virtio-net tx vq, I ran into an assertion failure due
to iov_copy offsets larger than the total iov size. Though there is
a check to cover this, it does not execute when !n->has_vnet_hdr. This
patch tries to fix this.
The call stack for the assertion failure:
#8 in
virtio-net checks that the "out" sg is longer than the guest header, but
this check can be skipped if has_net_hdr is 0. Also perform this check
if host_hdr_len != guest_hdr_len
Signed-off-by: Alexander Oleinik
---
hw/net/virtio-net.c | 13 -
1 file changed, 12 insertions(+), 1
Defines LLVMFuzzerInitialize and LLVMFuzzerTestOneInput
Signed-off-by: Alexander Oleinik
---
tests/fuzz/fuzz.c | 262 ++
tests/fuzz/fuzz.h | 96 +
2 files changed, 358 insertions(+)
create mode 100644 tests/fuzz/fuzz.c
create mode
Signed-off-by: Alexander Oleinik
---
docs/devel/fuzzing.txt | 145 +
1 file changed, 145 insertions(+)
create mode 100644 docs/devel/fuzzing.txt
diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
new file mode 100644
index
These fuzz targets perform a range of qtest operations over mmio and
port i/o addresses mapped to devices.
Signed-off-by: Alexander Oleinik
---
tests/fuzz/qtest_fuzz.c | 261
tests/fuzz/qtest_fuzz.h | 38 ++
2 files changed, 299 insertions(+)
Signed-off-by: Alexander Oleinik
---
util/main-loop.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/util/main-loop.c b/util/main-loop.c
index e3eaa55866..708e6be5eb 100644
--- a/util/main-loop.c
+++ b/util/main-loop.c
@@ -513,6 +513,9 @@ void main_loop_wait(int nonblocking)
Signed-off-by: Alexander Oleinik
---
tests/libqos/virtio-net.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/libqos/virtio-net.c b/tests/libqos/virtio-net.c
index 66405b646e..247a0a17a8 100644
--- a/tests/libqos/virtio-net.c
+++ b/tests/libqos/virtio-net.c
@@ -51,7
These virtio-net fuzz targets use libqos abstractions to virtio-net
virtqueues.
Signed-off-by: Alexander Oleinik
---
tests/fuzz/virtio-net-fuzz.c | 226 +++
1 file changed, 226 insertions(+)
create mode 100644 tests/fuzz/virtio-net-fuzz.c
diff --git
Add -Wl,--wraps for the libfuzzer callees that we need to intercept
Signed-off-by: Alexander Oleinik
---
configure | 11 +++
target/i386/Makefile.objs | 19 +++
2 files changed, 30 insertions(+)
diff --git a/configure b/configure
index
As part of Google Summer of Code 2019, I'm working on integrating
fuzzing of virtual devices into QEMU [1]. This is a highly WIP patchset
adding this functionality.
Fuzzers provide random data to a program and monitor its execution for
errors. Coverage-guided fuzzers also observe the parts of the
The ramfile allows vmstate to be saved and restored directly onto the
heap.
Signed-off-by: Alexander Oleinik
---
tests/fuzz/ramfile.c | 127 +++
tests/fuzz/ramfile.h | 20 +++
2 files changed, 147 insertions(+)
create mode 100644
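An added example, not tests/fuzz/ramfile.c and not QEMU's QEMUFile / qemu_save_device_state() path, of the idea in this message: a heap-backed stream that a device's state is serialized into once and replayed from before every fuzz input, so that device state cannot leak between runs without a reboot. RamFile, ToyDev and the fuzz_iteration() helper are names invented for this example, and the device state and inputs it uses are constructed.

```c
/* Added example: a heap-backed snapshot stream used to restore device state
 * before each fuzz input. RamFile, ToyDev and fuzz_iteration are names made
 * up for this example; this is not tests/fuzz/ramfile.c or QEMUFile. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct RamFile {
    uint8_t *buf;
    size_t len;   /* bytes written so far */
    size_t cap;   /* allocation size */
    size_t pos;   /* read cursor used by load */
} RamFile;

int ramfile_init(RamFile *f, size_t cap)
{
    f->buf = malloc(cap);
    f->len = f->pos = 0;
    f->cap = cap;
    return f->buf ? 0 : -1;
}

void ramfile_free(RamFile *f) { free(f->buf); memset(f, 0, sizeof *f); }

/* Append on save, read on load; both refuse to run off the end rather than
 * trusting the caller to have sized the stream correctly. */
int ramfile_put(RamFile *f, const void *data, size_t n)
{
    if (n > f->cap - f->len) {
        return -1;
    }
    memcpy(f->buf + f->len, data, n);
    f->len += n;
    return 0;
}

int ramfile_get(RamFile *f, void *data, size_t n)
{
    if (n > f->len - f->pos) {
        return -1;
    }
    memcpy(data, f->buf + f->pos, n);
    f->pos += n;
    return 0;
}

/* Toy device: two registers and a small FIFO, the state that must not leak. */
typedef struct ToyDev {
    uint32_t ctrl;
    uint32_t status;
    uint8_t fifo[16];
    uint8_t fifo_len;
} ToyDev;

/* Field by field, as a VMStateDescription would, so struct padding never
 * lands in the snapshot and the FIFO is stored with its length. */
int toydev_save(const ToyDev *d, RamFile *f)
{
    return (ramfile_put(f, &d->ctrl, sizeof d->ctrl) ||
            ramfile_put(f, &d->status, sizeof d->status) ||
            ramfile_put(f, &d->fifo_len, sizeof d->fifo_len) ||
            ramfile_put(f, d->fifo, d->fifo_len)) ? -1 : 0;
}

int toydev_load(ToyDev *d, RamFile *f)
{
    f->pos = 0;                /* replay the snapshot from the start every time */
    memset(d, 0, sizeof *d);
    if (ramfile_get(f, &d->ctrl, sizeof d->ctrl) ||
        ramfile_get(f, &d->status, sizeof d->status) ||
        ramfile_get(f, &d->fifo_len, sizeof d->fifo_len) ||
        d->fifo_len > sizeof d->fifo ||   /* a length read from the stream is untrusted */
        ramfile_get(f, d->fifo, d->fifo_len)) {
        return -1;
    }
    return 0;
}

/* The "device model": input bytes are pushed into the FIFO; once it is full
 * an overflow bit is raised in status. */
void toydev_handle_input(ToyDev *d, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (d->fifo_len < sizeof d->fifo) {
            d->fifo[d->fifo_len++] = data[i];
        } else {
            d->status |= 1u;
        }
    }
    d->ctrl += (uint32_t)len;
}

int toydev_equal(const ToyDev *a, const ToyDev *b)
{
    return a->ctrl == b->ctrl && a->status == b->status &&
           a->fifo_len == b->fifo_len && memcmp(a->fifo, b->fifo, a->fifo_len) == 0;
}

/* One fuzz run: restore the golden snapshot, feed the input, and report the
 * resulting FIFO depth so the caller can confirm state did not carry over. */
int fuzz_iteration(ToyDev *d, RamFile *snapshot, const uint8_t *data, size_t len)
{
    if (toydev_load(d, snapshot) != 0) {
        return -1;
    }
    toydev_handle_input(d, data, len);
    return d->fifo_len;
}

int main(void)
{
    RamFile snap;
    ToyDev golden = { .ctrl = 7, .fifo = { 1, 2 }, .fifo_len = 2 }, dev;

    if (ramfile_init(&snap, 64) != 0 || toydev_save(&golden, &snap) != 0) {
        return 1;
    }
    /* Constructed inputs; each run starts from the 2-byte FIFO in the snapshot. */
    printf("run 1 fifo depth: %d\n", fuzz_iteration(&dev, &snap, (const uint8_t *)"hello", 5));
    printf("run 2 fifo depth: %d\n", fuzz_iteration(&dev, &snap, (const uint8_t *)"xy", 2));
    ramfile_free(&snap);
    return 0;
}
```

The second run reports a FIFO depth of 4, not 9: the 5 bytes pushed by the first run were discarded by the reload. Compared with rebooting the guest, this only resets what the save routine covers, so a device whose state lives partly outside its VMState fields (host-side buffers, timers) still needs the heavier reset.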
Signed-off-by: Alexander Oleinik
---
include/qemu/module.h | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/include/qemu/module.h b/include/qemu/module.h
index db3065381d..531fe7ae29 100644
--- a/include/qemu/module.h
+++ b/include/qemu/module.h
@@ -46,6 +46,9 @@ typedef
qos_helpers.c is largely a copy of tests/qos-test.c
Signed-off-by: Alexander Oleinik
---
tests/fuzz/qos_fuzz.c| 63 +
tests/fuzz/qos_fuzz.h| 29
tests/fuzz/qos_helpers.c | 295 +++
tests/fuzz/qos_helpers.h | 17 +++
4 files changed,
Signed-off-by: Alexander Oleinik
---
migration/savevm.c | 8 ++--
migration/savevm.h | 3 +++
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/migration/savevm.c b/migration/savevm.c
index 79ed44d475..80c00ea560 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@
Locate mmio and port i/o addresses that are mapped to devices so we can
limit the fuzzer to only these addresses. This should be replaced with
a sane way of enumerating these memory regions.
Signed-off-by: Alexander Oleinik
---
memory.c | 34 ++
1 file changed, 34
Much like the qtest accelerator, the fuzz accelerator skips the CPU
emulation
Signed-off-by: Alexander Oleinik
---
include/sysemu/qtest.h | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/include/sysemu/qtest.h b/include/sysemu/qtest.h
index cd114b8d80..adfbd10d20 100644
libqtest directly invokes the qtest client and exposes a function to
accept responses.
Signed-off-by: Alexander Oleinik
---
tests/libqtest.c | 53 +++-
tests/libqtest.h | 6 ++
2 files changed, 58 insertions(+), 1 deletion(-)
diff --git
Intercept coverage buffer registration calls and use this information to
copy them to shared memory, if using fork() to avoid resetting device
state.
Signed-off-by: Alexander Oleinik
---
tests/fuzz/fuzzer_hooks.c | 106 ++
tests/fuzz/fuzzer_hooks.h | 9
Signed-off-by: Alexander Oleinik
---
accel/fuzz.c | 47 +++
include/sysemu/fuzz.h | 15 ++
2 files changed, 62 insertions(+)
create mode 100644 accel/fuzz.c
create mode 100644 include/sysemu/fuzz.h
diff --git a/accel/fuzz.c
Once the fuzzer is better-integrated into the build-system, this should
go away
Signed-off-by: Alexander Oleinik
---
target/i386/Makefile.objs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/i386/Makefile.objs b/target/i386/Makefile.objs
index 3d646848ef..c8834f6ad1
Export normal qemu-system main so it can be called from tests/fuzz/fuzz.c
Signed-off-by: Alexander Oleinik
---
include/sysemu/sysemu.h | 4
vl.c| 21 -
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/include/sysemu/sysemu.h
Directly interact with tests/libqtest.c functions
Signed-off-by: Alexander Oleinik
---
qtest.c | 19 ++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/qtest.c b/qtest.c
index 15e27e911f..a6134d3ed0 100644
--- a/qtest.c
+++ b/qtest.c
@@ -31,6 +31,9 @@
#ifdef
On Thu, 2019-07-25 at 12:25 -0400, John Snow wrote:
>
> On 7/24/19 11:23 PM, Oleinik, Alexander wrote:
> > Signed-off-by: Alexander Oleinik
>
> Is there some explanation for why the below patch does what the
> subject
> line claims for the uninitiated?
When multique
virtio_net_flush_tx does not check that the packet size is nonzero,
which causes q->async_tx.elem to be set. Then, when the device is reset, there
is an assertion failure since q->async_tx.elem must be flushed/cleared.
Zero-sized packets are unsupported - check packet size, prior to
sending.
Virtual devices should not try to send zero-sized packets. The caller
should check the size prior to calling qemu_sendv_packet_async.
Signed-off-by: Alexander Oleinik
---
v2:
* Improve the comment to explain the rationale for adding the assert.
net/net.c | 9 +
1 file changed, 9
While fuzzing the virtio-net tx vq, I ran into an assertion failure due
to iov_copy offsets larger than the total iov size. Though there is
a check to cover this, it does not execute when !n->has_vnet_hdr. This
patch tries to fix this.
The call stack for the assertion failure:
#8 in
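An added example, not hw/net/virtio-net.c or net/net.c, of the two checks the virtio-net and net/net.c messages above describe: the guest header length must be checked against the "out" sg on every tx path (not only when has_vnet_hdr is set, and including the path taken when host_hdr_len != guest_hdr_len), and a packet with no payload beyond the header must be rejected before it reaches the network layer. tx_validate_old reproduces the shape of the original check for contrast; tx_validate, iov_total, iov_to_buf_bounded and the TX_* verdicts are names made up for this example, and the iovecs in main() are constructed inputs.

```c
/* Added example: bounds checks for a virtio-net style tx path. Names
 * (tx_validate, tx_validate_old, iov_total, iov_to_buf_bounded, TX_*) are
 * made up for this example; this is not hw/net/virtio-net.c or net/net.c. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

enum tx_verdict { TX_OK = 0, TX_SHORT_HEADER = -1, TX_ZERO_PAYLOAD = -2 };

/* Total bytes described by an iovec array (what iov_size() gives in QEMU). */
size_t iov_total(const struct iovec *iov, unsigned iovcnt)
{
    size_t total = 0;
    for (unsigned i = 0; i < iovcnt; i++) {
        total += iov[i].iov_len;
    }
    return total;
}

/* Copy up to 'bytes' starting at 'offset' out of the iovec into buf.
 * Returns the number actually copied and never reads past the end, so a
 * caller sees a short copy instead of an assertion on an offset larger
 * than the iovec (the failure hit while fuzzing the tx queue). */
size_t iov_to_buf_bounded(const struct iovec *iov, unsigned iovcnt,
                          size_t offset, void *buf, size_t bytes)
{
    size_t done = 0;
    for (unsigned i = 0; i < iovcnt && done < bytes; i++) {
        if (offset >= iov[i].iov_len) {
            offset -= iov[i].iov_len;
            continue;
        }
        size_t avail = iov[i].iov_len - offset;
        size_t n = avail < bytes - done ? avail : bytes - done;
        memcpy((uint8_t *)buf + done, (const uint8_t *)iov[i].iov_base + offset, n);
        done += n;
        offset = 0;
    }
    return done;
}

/* Shape of the original check: only applied when the backend has a vnet
 * header. With has_vnet_hdr == 0 a sg shorter than guest_hdr_len is accepted
 * and the later header copy runs off the end of the iovec. */
enum tx_verdict tx_validate_old(const struct iovec *sg, unsigned n,
                                size_t guest_hdr_len, int has_vnet_hdr)
{
    if (has_vnet_hdr && iov_total(sg, n) < guest_hdr_len) {
        return TX_SHORT_HEADER;
    }
    return TX_OK;
}

/* Hardened form: check the header length on every tx path, always copy the
 * guest header into the local buffer and check what came back, and refuse a
 * packet with no payload so the network layer never sees a zero-sized send. */
enum tx_verdict tx_validate(const struct iovec *sg, unsigned n, size_t guest_hdr_len,
                            uint8_t *mhdr, size_t mhdr_cap)
{
    size_t total = iov_total(sg, n);

    if (guest_hdr_len > mhdr_cap || total < guest_hdr_len) {
        return TX_SHORT_HEADER;
    }
    if (iov_to_buf_bounded(sg, n, 0, mhdr, guest_hdr_len) != guest_hdr_len) {
        return TX_SHORT_HEADER;
    }
    if (total - guest_hdr_len == 0) {
        return TX_ZERO_PAYLOAD;
    }
    return TX_OK;
}

int main(void)
{
    /* Constructed "out" sg: a 12-byte guest header followed by a payload. */
    struct iovec ok[] = {
        { .iov_base = (void *)"0123456789ab", .iov_len = 12 },
        { .iov_base = (void *)"payload", .iov_len = 7 },
    };
    struct iovec short_sg[] = { { .iov_base = (void *)"abcd", .iov_len = 4 } };
    uint8_t hdr[12];

    printf("old check, no vnet hdr, short sg: %d\n", tx_validate_old(short_sg, 1, 12, 0));
    printf("new check, short sg:              %d\n", tx_validate(short_sg, 1, 12, hdr, sizeof hdr));
    printf("new check, header only:           %d\n", tx_validate(ok, 1, 12, hdr, sizeof hdr));
    printf("new check, header + payload:      %d\n", tx_validate(ok, 2, 12, hdr, sizeof hdr));
    return 0;
}
```

The assert that net/net.c gains in the series is the backstop; the check in the device model is what keeps a guest-controlled descriptor chain from reaching that assert in the first place, so both belong.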
On 7/26/19 8:47 AM, Stefan Hajnoczi wrote:
> On Thu, Jul 25, 2019 at 03:23:49AM +0000, Oleinik, Alexander wrote:
>> The ramfile allows vmstate to be saved and restored directly onto the
>> heap.
>>
>> Signed-off-by: Alexander Oleinik
>> --
On Thu, 2019-09-19 at 11:03 +0100, Stefan Hajnoczi wrote:
> On Wed, Sep 18, 2019 at 11:19:28PM +0000, Oleinik, Alexander wrote:
> > #ifdef CONFIG_COCOA
> > #undef main
>
> This looks suspicious. Should the #ifdef CONFIG_COCOA be moved into
> main.c?
> The re
On Thu, 2019-09-19 at 13:18 +0200, Paolo Bonzini wrote:
> I think you can pass "s" to the tx handler as well, and remove the
> send_opaque and recv_opaque fields?
Qtest also uses this function to communicate over qmp (different fd).
I can probably make the tx handler a wrapper which accepts "s",
On Thu, 2019-09-19 at 13:15 +0200, Paolo Bonzini wrote:
> On 19/09/19 01:19, Oleinik, Alexander wrote:
> > The names i2c_send and i2c_recv collide with functions defined in
> > hw/i2c/core.c. This causes an error when linking against libqos and
> > softmmu simultaneously (f
On Thu, 2019-09-19 at 11:28 +0100, Stefan Hajnoczi wrote:
> Is -fsanitize=fuzzer a clang-only option? If yes, then please ensure
> that there is a friendly error message when ./configure is run with
> gcc.
> You could probe if -fsanitize=fuzzer works and then check that
> fuzzing=no when this
On Thu, 2019-09-19 at 13:48 +0100, Stefan Hajnoczi wrote:
> > +
> > +void reboot(QTestState *s)
> > +{
> > +qemu_system_reset(SHUTDOWN_CAUSE_GUEST_RESET);
> > +}
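Review bot: reboot() declares a "QTestState *s" parameter that the body never reads; either drop it ("void reboot(void)") or, if the signature has to match a callback type, add "(void)s;" with a comment saying why. The non-static, unprefixed name also shadows the libc reboot() declared in sys/reboot.h; a prefixed name such as fuzz_reboot() avoids both problems.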
>
> Why does reboot() take an unused argument?
It was needed when I had a reset_state(s) pointer which was separate
from fuzz().
On Thu, 2019-09-19 at 13:54 +0100, Stefan Hajnoczi wrote:
> On Wed, Sep 18, 2019 at 11:19:44PM +0000, Oleinik, Alexander wrote:
> > diff --git a/exec.c b/exec.c
> > index 235d6bc883..d3838f4ea4 100644
> > --- a/exec.c
> > +++ b/exec.c
> > @@ -2295,7 +2295,9 @@ s
On Thu, 2019-09-19 at 14:56 -0400, John Snow wrote:
>
> On 9/19/19 6:37 AM, Stefan Hajnoczi wrote:
> > On Wed, Sep 18, 2019 at 11:19:40PM +0000, Oleinik, Alexander wrote:
> > > When using qtest "in-process" communication, qtest_sendf directly
> > > calls
On Thu, 2019-09-19 at 11:42 +0100, Stefan Hajnoczi wrote:
> On Wed, Sep 18, 2019 at 11:19:41PM +0000, Oleinik, Alexander wrote:
> > @@ -830,6 +832,9 @@ char *qtest_hmp(QTestState *s, const char *fmt,
> > ...)
> >
> > const char *qtest_get_arch(void)
>
> Maybe t
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
Makefile| 15 ++-
Makefile.objs | 4 +++-
Makefile.target | 18 +-
tests/fuzz/Makefile.include | 4
4 files changed, 38 insertions(+), 3 deletions(-)
From: Alexander Oleinik
tests/fuzz/fuzz.c serves as the entry point for the virtual-device
fuzzer. Namely, libfuzzer invokes the LLVMFuzzerInitialize and
LLVMFuzzerTestOneInput functions, both of which are defined in this
file. This change adds a "FuzzTarget" struct, along with the
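As an added illustration of the entry-point shape these messages describe (a "FuzzTarget" struct of function pointers, a registry filled by fuzz_add_target, and libfuzzer's LLVMFuzzerInitialize / LLVMFuzzerTestOneInput calling into the selected target), here is a small stand-alone C harness. It is example code written for this page, not tests/fuzz/fuzz.c from the series; the --fuzz-target=NAME selection, the pre_vm_init/pre_fuzz hook names and the "toy-ioport" device are assumptions made up for the example, and the input in main() is a constructed byte string. Built with clang -fsanitize=fuzzer, libfuzzer would supply main(); the main() here is only a stand-alone driver.

```c
/* Added example: libFuzzer-style entry points with a registry of fuzz
 * targets. Names (FuzzTarget, fuzz_add_target, --fuzz-target=, toy-ioport)
 * are made up for this example; this is not QEMU's tests/fuzz/fuzz.c. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct FuzzTarget {
    const char *name;          /* selected with --fuzz-target=NAME (assumed flag) */
    const char *description;
    void (*pre_vm_init)(void); /* one-time setup before the guest exists; may be NULL */
    void (*pre_fuzz)(void);    /* per-input state reset; NULL means "do not reset" */
    void (*fuzz)(const uint8_t *data, size_t size);
} FuzzTarget;

#define MAX_TARGETS 8
static FuzzTarget targets[MAX_TARGETS];
static size_t n_targets;
static const FuzzTarget *selected;

int fuzz_add_target(const FuzzTarget *t)
{
    if (n_targets == MAX_TARGETS || !t->name || !t->fuzz) {
        return -1;
    }
    targets[n_targets++] = *t;
    return 0;
}

const FuzzTarget *fuzz_get_target(const char *name)
{
    for (size_t i = 0; i < n_targets; i++) {
        if (strcmp(targets[i].name, name) == 0) {
            return &targets[i];
        }
    }
    return NULL;
}

/* Toy device: four 32-bit "ioport" registers standing in for a real model. */
#define TOY_NPORTS 4
static uint32_t toy_regs[TOY_NPORTS];

uint32_t toy_reg(unsigned port) { return port < TOY_NPORTS ? toy_regs[port] : 0; }
static void toy_reset(void) { memset(toy_regs, 0, sizeof toy_regs); }

/* Interpret the input as 5-byte ops: one port byte, then a little-endian
 * 32-bit value. A trailing partial op is ignored; writes to ports outside
 * the device are dropped, as a bus drops a write to an unmapped port. */
static void toy_fuzz(const uint8_t *data, size_t size)
{
    for (size_t off = 0; off + 5 <= size; off += 5) {
        unsigned port = data[off];
        uint32_t val = (uint32_t)data[off + 1] | (uint32_t)data[off + 2] << 8 |
                       (uint32_t)data[off + 3] << 16 | (uint32_t)data[off + 4] << 24;
        if (port < TOY_NPORTS) {
            toy_regs[port] = val;
        }
    }
}

static const FuzzTarget toy_target = {
    .name = "toy-ioport",
    .description = "write (port, value) pairs to a toy register block",
    .pre_fuzz = toy_reset,
    .fuzz = toy_fuzz,
};

/* libFuzzer calls this once at startup with the process arguments. */
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
    const char *name = NULL;

    if (!fuzz_get_target(toy_target.name)) {
        fuzz_add_target(&toy_target);
    }
    for (int i = 1; i < *argc; i++) {
        if (strncmp((*argv)[i], "--fuzz-target=", 14) == 0) {
            name = (*argv)[i] + 14;
        }
    }
    selected = name ? fuzz_get_target(name) : NULL;
    if (!selected) {
        fprintf(stderr, "usage: --fuzz-target=NAME, where NAME is one of:\n");
        for (size_t i = 0; i < n_targets; i++) {
            fprintf(stderr, "  %s: %s\n", targets[i].name, targets[i].description);
        }
        return -1;
    }
    if (selected->pre_vm_init) {
        selected->pre_vm_init();
    }
    return 0;
}

/* libFuzzer calls this once per mutated input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (!selected) {
        return -1;
    }
    if (selected->pre_fuzz) {
        selected->pre_fuzz();
    }
    selected->fuzz(data, size);
    return 0;
}

/* Stand-alone driver; under -fsanitize=fuzzer, libFuzzer provides main(). */
int main(int argc, char **argv)
{
    /* Constructed input: write 0x12345678 to port 2, then to unmapped port 9. */
    const uint8_t sample[] = { 0x02, 0x78, 0x56, 0x34, 0x12, 0x09, 1, 2, 3, 4 };

    if (LLVMFuzzerInitialize(&argc, &argv) != 0) {
        return 1;
    }
    LLVMFuzzerTestOneInput(sample, sizeof sample);
    printf("reg[2] = 0x%08x\n", toy_reg(2));
    return 0;
}
```

Leaving pre_fuzz NULL gives the "do not reset state at all" variant mentioned for the example targets; a reboot, fork or snapshot-restore hook slots in at the same place.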
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
There's a particularly ugly line here:
qtest_client_set_tx_handler(qts,
(void (*)(QTestState *s, const char*, size_t)) send);
Since qtest.c has no knowledge of the QTestState, I'm not sure how to
avoid doing this, without
From: Alexander Oleinik
Most qos-related objects were specified in the qos-test-obj-y variable.
qos-test-obj-y also included qos-test.o which defines a main().
This made it difficult to repurpose qos-test-obj-y to link anything
beside tests/qos-test against libqos. This change separates objects
From: Alexander Oleinik
The virtual-device fuzzer must initialize QOM, prior to running
vl:qemu_init, so that it can use the qos_graph to identify the arguments
required to initialize a guest for libqos-assisted fuzzing. This change
prevents errors when vl:qemu_init tries to (re)initialize the
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
include/qemu/module.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/qemu/module.h b/include/qemu/module.h
index 65ba596e46..684753d808 100644
--- a/include/qemu/module.h
+++ b/include/qemu/module.h
@@
From: Alexander Oleinik
This makes it simple to swap the transport functions for qtest commands
to and from the qtest client. For example, now it is possible to
directly pass qtest commands to a server handler that exists within the
same process, without the standard way of writing to a file
From: Alexander Oleinik
When using qtest "in-process" communication, qtest_sendf directly calls
a function in the server (qtest.c). Combining the contents of the
subsequent socket_sends into the qtest_sendf, makes it so the server can
immediately handle the command, without building a local
From: Alexander Oleinik
These three targets should simply fuzz reads/writes to a couple ioports,
but they mostly serve as examples of different ways to write targets.
They demonstrate using qtest and qos for fuzzing, as well as using
rebooting and forking to reset state, or not resetting it at
From: Alexander Oleinik
qtest_server_send is a function pointer specifying the handler used to
transmit data to the qtest client. In the standard configuration, this
calls the CharBackend handler, but now it is possible for other types of
handlers, e.g. direct-function calls if the qtest client
From: Alexander Oleinik
fork() is a simple way to ensure that state does not leak in between
fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
bitmaps which contain coverage information for each fuzzing run, and
these bitmaps should be copied from the child to the parent (where
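An added example, not code from the series (tests/fuzz/fuzzer_hooks.c) or from libfuzzer, of the problem this message and the earlier "Intercept coverage buffer registration calls" message describe: with a fork() per input, the child's increments to the coverage counters are lost when it exits unless the counters live in memory shared with the parent, where mutation happens. The 64-byte counter array, the toy device and the input "abc" are constructed for the example; libfuzzer's real counters are the ones handed to __sanitizer_cov_8bit_counters_init(), which is the registration call a -Wl,--wrap hook would intercept to remap them as shown here.

```c
/* Added example: fork() per input with coverage counters in shared memory.
 * The 64-byte counter array and toy device stand in for libFuzzer's inline
 * 8-bit counters and a QEMU device; this is not tests/fuzz/fuzzer_hooks.c. */
#define _DEFAULT_SOURCE 1
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define N_COUNTERS 64

/* Ordinary memory: the child's increments disappear when it exits, so the
 * parent (where mutation happens) would see no new coverage at all. */
static uint8_t private_counters[N_COUNTERS];
/* The same counters in a MAP_SHARED anonymous mapping: writes made in the
 * child are visible to the parent once waitpid() returns. */
static uint8_t *shared_counters;

int coverage_init(void)
{
    shared_counters = mmap(NULL, N_COUNTERS, PROT_READ | PROT_WRITE,
                           MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    return shared_counters == MAP_FAILED ? -1 : 0;
}

/* Toy "device": every input byte exercises one of N_COUNTERS edges and
 * mutates device state that must not survive into the next input. */
static int device_state;

static void toy_device_handle(const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned edge = data[i] % N_COUNTERS;
        private_counters[edge]++;
        shared_counters[edge]++;
        device_state++;
    }
}

/* Run one input in a forked child. Returns the child's exit status: 0 for a
 * clean run, 128 + signal if the "device" crashed, -1 on fork/wait failure. */
int fuzz_one_forked(const uint8_t *data, size_t len)
{
    int status = 0;
    pid_t pid = fork();

    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        toy_device_handle(data, len);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}

static size_t count_hits(const uint8_t *counters)
{
    size_t hits = 0;
    for (size_t i = 0; i < N_COUNTERS; i++) {
        hits += counters[i] != 0;
    }
    return hits;
}

size_t shared_hits(void) { return count_hits(shared_counters); }
size_t private_hits(void) { return count_hits(private_counters); }
int parent_device_state(void) { return device_state; }

int main(void)
{
    if (coverage_init() != 0) {
        return 1;
    }
    /* Constructed input "abc": three distinct edges. */
    fuzz_one_forked((const uint8_t *)"abc", 3);
    printf("device_state=%d (discarded) private_hits=%zu (lost) shared_hits=%zu (kept)\n",
           parent_device_state(), private_hits(), shared_hits());
    return 0;
}
```

After the run the parent's device_state is still 0 and private_hits is 0, which is exactly the symptom the patch addresses: without the shared mapping the mutation engine never learns that the input reached new code. A crash in the child also comes back as a nonzero status rather than taking the fuzzer process down with it.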
From: Alexander Oleinik
Before, when tests/Makefile.include was included, the contents would be
ignored if config-host.mak was defined. Moving the ifneq responsible for
this allows a target to depend on both testing-related and host-related
objects. For example the virtual-device fuzzer relies
From: Alexander Oleinik
The moved functions are not specific to qos-test and might be useful
elsewhere. For example the virtual-device fuzzer makes use of them for
qos-assisted fuzz-targets.
Signed-off-by: Alexander Oleinik
---
tests/Makefile.include | 1 +
tests/libqos/qos_external.c
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
configure | 39 +++
1 file changed, 39 insertions(+)
diff --git a/configure b/configure
index 3be9e92a24..aeca632dd9 100755
--- a/configure
+++ b/configure
@@ -501,6 +501,7 @@ libxml2=""