- create a document outlining specifications for a virtual device to manage snapshot/restore mechanism for fuzzing
Signed-off-by: Richard Liu <richy.liu.2...@gmail.com> --- docs/devel/snapshot.rst | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 docs/devel/snapshot.rst diff --git a/docs/devel/snapshot.rst b/docs/devel/snapshot.rst new file mode 100644 index 0000000000..a333de69b6 --- /dev/null +++ b/docs/devel/snapshot.rst @@ -0,0 +1,26 @@ +================ +Snapshot/restore +================ + +The ability to rapidly snapshot and restore guest VM state is a +crucial component of fuzzing applications with QEMU. A special virtual +device can be used by fuzzers to interface with snapshot/restores +commands in QEMU. The virtual device should have the following +commands supported that can be called by the guest: + +- snapshot: save a copy of the guest VM memory, registers, and virtual + device state +- restore: restore the saved copy of guest VM state +- coverage_location: given a location in guest memory, specifying + where the coverage data is to be passed to the fuzzer +- input_location: specify where in the guest memory the fuzzing input + should be stored +- done: indicates whether or not the run succeeded and that the + coverage data has been populated + +The first version of the virtual device will only accept snapshot and +restore commands from the guest. Coverage data will be collected by +code on the guest with source-based coverage tracking. + +Further expansions could include controlling the snapshot/restore from +host and gathering code coverage information directly from TCG. -- 2.35.1
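Review bot: the command list in docs/devel/snapshot.rst never says how the guest issues a command or passes its argument: for `coverage_location` and `input_location` the document should state whether the "location in guest memory" is a guest-physical or guest-virtual address, how wide it is, and that the device must validate it against the guest's RAM ranges before use, since the guest driving a fuzzing run is exactly the untrusted party and an out-of-range address must be rejected rather than dereferenced on the host. It should also say whether `restore` resets the device's own state (the registered locations and the `done` flag) or leaves them intact across iterations, which decides whether a fuzzer has to re-issue the location commands after every restore. Two wording fixes while at it: "snapshot/restores commands" should read "snapshot/restore commands", and the `coverage_location` entry is a fragment; "- coverage_location: specify where in guest memory the coverage data is to be placed for the fuzzer" matches the form of the `input_location` entry.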