On Wed, Oct 30, 2019 at 02:50:04PM +0000, Oleinik, Alexander wrote: > +== Building the fuzzers == > + > +NOTE: If possible, build a 32-bit binary. When forking, the 32-bit fuzzer is > +much faster, since the page-map has a smaller size. This is due to the fact > that > +AddressSanitizer mmaps ~20TB of memory, as part of its detection. This > results > +in a large page-map, and a much slower fork(). O > + > +To build the fuzzers, install a recent version of clang: > +Configure with (substitute the clang binaries with the version you > installed): > + > + CC=clang-8 CXX=clang++-8 /path/to/configure --enable-fuzzing > + > +Fuzz targets are built similarly to system/softmmu: > + > + make i386-softmmu/fuzz > + > +This builds ./i386-softmmu/qemu-fuzz-i386
I'm surprised that "make i386-softmmu/fuzz" builds i386-softmmu/qemu-fuzz-i386. Should that be "make i386-softmmu/qemu-fuzz-i386"? > += Implmentation Details = s/Implmentation/Implementation/ > + > +== The Fuzzer's Lifecycle == > + > +The fuzzer has two entrypoints that libfuzzer calls. libfuzzer provides it's > +own main(), which performs some setup, and calls the entrypoints: > + > +LLVMFuzzerInitialize: called prior to fuzzing. Used to initialize all of the > +necessary state > + > +LLVMFuzzerTestOneInput: called for each fuzzing run. Processes the input and > +resets the state at the end of each run. > + > +In more detail: > + > +LLVMFuzzerInitialize parses the arguments to the fuzzer (must start with two > +dashes, so they are ignored by libfuzzer main()). Currently, the arguments > +select the fuzz target. Then, the qtest client is initialized. If the target > +requires qos, qgraph is set up and the QOM/LIBQOS modules are initailized. s/initailized/initialized/
signature.asc
Description: PGP signature
