The virtio-net fuzz target feeds inputs to all three virtio-net
virtqueues, and uses forking to avoid leaking state between fuzz runs.
Signed-off-by: Alexander Bulekov
---
tests/fuzz/Makefile.include | 1 +
tests/fuzz/virtio_net_fuzz.c | 105 +++
2 files change
Signed-off-by: Alexander Bulekov
---
docs/devel/fuzzing.txt | 119 +
1 file changed, 119 insertions(+)
create mode 100644 docs/devel/fuzzing.txt
diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
new file mode 100644
index 00..b0cceb2a6b
The virtio-scsi fuzz target sets up and fuzzes the available virtio-scsi
queues. After an element is placed on a queue, the fuzzer can select
whether to perform a kick, or continue adding elements.
Signed-off-by: Alexander Bulekov
---
tests/fuzz/Makefile.include | 1 +
tests/fuzz/virtio_scsi
Signed-off-by: Alexander Bulekov
---
tests/libqtest.c | 54
tests/libqtest.h | 3 ++-
2 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/tests/libqtest.c b/tests/libqtest.c
index a7df92319a..e0bc5bbe0b 100644
--- a/tests/libqtest.c
+++
Signed-off-by: Alexander Bulekov
---
tests/fuzz/qos_fuzz.c | 232 ++
tests/fuzz/qos_fuzz.h | 33 ++
2 files changed, 265 insertions(+)
create mode 100644 tests/fuzz/qos_fuzz.c
create mode 100644 tests/fuzz/qos_fuzz.h
diff --git a/tests/fuzz/qos_fuzz
When using qtest "in-process" communication, qtest_sendf directly calls
a function in the server (qtest.c). Previously, bufwrite used
socket_send, which bypasses the TransportOps enabling the call into
qtest.c. This change replaces the socket_send calls with ops->send,
maintaining the benefits of t
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
---
configure | 39 +++
1 file changed, 39 insertions(+)
diff --git a/configure b/configure
index 6099be1d84..5fb2494a8e 100755
--- a/configure
+++ b/configure
@@ -504,6 +504,7 @@ debug_mutex="no"
Before, when tests/Makefile.include was included, the contents would be
ignored if config-host.mak was defined. Moving the ifneq responsible for
this allows a target to depend on both testing-related and host-related
objects. For example the virtual-device fuzzer relies on both
libqtest/libqos obje
This makes it simple to swap the transport functions for qtest commands
to and from the qtest client. For example, now it is possible to
directly pass qtest commands to a server handler that exists within the
same process, without the standard way of writing to a file descriptor.
Signed-off-by: Al
tests/fuzz/fuzz.c serves as the entry point for the virtual-device
fuzzer. Namely, libfuzzer invokes the LLVMFuzzerInitialize and
LLVMFuzzerTestOneInput functions, both of which are defined in this
file. This change adds a "FuzzTarget" struct, along with the
fuzz_add_target function, which should b
fork() is a simple way to ensure that state does not leak in between
fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
bitmaps which contain coverage information for each fuzzing run, and
these bitmaps should be copied from the child to the parent (where the
mutation occurs). These b
The handler allows a qtest client to send commands to the server by
directly calling a function, rather than using a file/CharBackend
Signed-off-by: Alexander Bulekov
---
include/sysemu/qtest.h | 1 +
qtest.c| 13 +
2 files changed, 14 insertions(+)
diff --git a/inc
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
Makefile| 15 ++-
Makefile.objs | 4 +++-
Makefile.target | 18 +-
tests/fuzz/Makefile.include | 4
4 files changed, 38 insertions(+), 3 deletions(-)
c
qtest_server_send is a function pointer specifying the handler used to
transmit data to the qtest client. In the standard configuration, this
calls the CharBackend handler, but now it is possible for other types of
handlers, e.g. direct-function calls if the qtest client and server
exist within the
These three targets should simply fuzz reads/writes to a couple ioports,
but they mostly serve as examples of different ways to write targets.
They demonstrate using qtest and qos for fuzzing, as well as using
rebooting and forking to reset state, or not resetting it at all.
Signed-off-by: Alexand
The names i2c_send and i2c_recv collide with functions defined in
hw/i2c/core.c. This causes an error when linking against libqos and
softmmu simultaneously (for example when using qtest inproc). Rename the
libqos functions to avoid this.
Signed-off-by: Alexander Bulekov
---
tests/libqos/i2c.c
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
---
include/qemu/module.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/qemu/module.h b/include/qemu/module.h
index 65ba596e46..684753d808 100644
--- a/include/qemu/module.h
+++ b/include/qemu/module.h
The moved functions are not specific to qos-test and might be useful
elsewhere. For example the virtual-device fuzzer makes use of them for
qos-assisted fuzz-targets.
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
---
tests/Makefile.include | 1 +
tests/libqos/qos_external
Most qos-related objects were specified in the qos-test-obj-y variable.
qos-test-obj-y also included qos-test.o which defines a main().
This made it difficult to repurpose qos-test-obj-y to link anything
beside tests/qos-test against libqos. This change separates objects that
are libqos-specific an
This series adds a framework for coverage-guided fuzzing of
virtual-devices. Fuzzing targets are based on qtest and can make use of
the libqos abstractions.
In this version, I added a virtio-scsi fuzzer. The actual fuzzing code
is very similar to the virtio-net fuzzer. I experimented with usin
A program might rely on functions implemented in vl.c, but implement its
own main(). By placing main into a separate source file, there are no
complaints about duplicate main()s when linking against vl.o. For
example, the virtual-device fuzzer uses a main() provided by libfuzzer,
and needs to perfo
The virtual-device fuzzer must initialize QOM, prior to running
vl:qemu_init, so that it can use the qos_graph to identify the arguments
required to initialize a guest for libqos-assisted fuzzing. This change
prevents errors when vl:qemu_init tries to (re)initialize the previously
initialized QOM m
Signed-off-by: Alexander Bulekov
---
Makefile| 15 ++-
Makefile.objs | 4 +++-
Makefile.target | 18 +-
tests/fuzz/Makefile.include | 4
4 files changed, 38 insertions(+), 3 deletions(-)
create mode 100644 tests/fuz
The moved functions are not specific to qos-test and might be useful
elsewhere. For example the virtual-device fuzzer makes use of them for
qos-assisted fuzz-targets.
Signed-off-by: Alexander Bulekov
---
tests/Makefile.include | 1 +
tests/libqos/qos_external.c | 168 +
Signed-off-by: Alexander Bulekov
---
tests/libqtest.c | 54
tests/libqtest.h | 3 ++-
2 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/tests/libqtest.c b/tests/libqtest.c
index 6d3bcb6766..da0e5c7ef8 100644
--- a/tests/libqtest.c
+++
The virtio-net fuzz target feeds inputs to all three virtio-net
virtqueues, and uses forking to avoid leaking state between fuzz runs.
Signed-off-by: Alexander Bulekov
---
tests/fuzz/Makefile.include | 1 +
tests/fuzz/virtio_net_fuzz.c | 100 +++
2 files change
Signed-off-by: Alexander Bulekov
---
include/qemu/module.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/qemu/module.h b/include/qemu/module.h
index 65ba596e46..684753d808 100644
--- a/include/qemu/module.h
+++ b/include/qemu/module.h
@@ -46,6 +46,7 @@ typedef enu
Signed-off-by: Alexander Bulekov
---
configure | 39 +++
1 file changed, 39 insertions(+)
diff --git a/configure b/configure
index 3be9e92a24..aeca632dd9 100755
--- a/configure
+++ b/configure
@@ -501,6 +501,7 @@ libxml2=""
debug_mutex="no"
libpmem=""
defau
This series adds a framework for coverage-guided fuzzing of
virtual-devices. Fuzzing targets are based on qtest and can make use of
the libqos abstractions.
V5:
* misc fixes addressing V4 comments
* cleanup in-process handlers/globals in libqtest.c
* small fixes to fork-based fuzzing and suppor
From: Alexander Oleinik
The virtio-net fuzz target feeds inputs to all three virtio-net
virtqueues, and uses forking to avoid leaking state between fuzz runs.
Signed-off-by: Alexander Oleinik
---
tests/fuzz/Makefile.include | 1 +
tests/fuzz/virtio_net_fuzz.c | 123 +
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
tests/fuzz/qos_fuzz.c | 232 ++
tests/fuzz/qos_fuzz.h | 33 ++
2 files changed, 265 insertions(+)
create mode 100644 tests/fuzz/qos_fuzz.c
create mode 100644 tests/fuzz/qos_fuzz.h
diff -
From: Alexander Oleinik
fork() is a simple way to ensure that state does not leak in between
fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
bitmaps which contain coverage information for each fuzzing run, and
these bitmaps should be copied from the child to the parent (where the
From: Alexander Oleinik
The moved functions are not specific to qos-test and might be useful
elsewhere. For example the virtual-device fuzzer makes use of them for
qos-assisted fuzz-targets.
Signed-off-by: Alexander Oleinik
---
tests/Makefile.include | 1 +
tests/libqos/qos_external.c |
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
configure | 39 +++
1 file changed, 39 insertions(+)
diff --git a/configure b/configure
index 3be9e92a24..aeca632dd9 100755
--- a/configure
+++ b/configure
@@ -501,6 +501,7 @@ libxml2=""
debug_mut
From: Alexander Oleinik
This makes it simple to swap the transport functions for qtest commands
to and from the qtest client. For example, now it is possible to
directly pass qtest commands to a server handler that exists within the
same process, without the standard way of writing to a file desc
From: Alexander Oleinik
When using qtest "in-process" communication, qtest_sendf directly calls
a function in the server (qtest.c). Combining the contents of the
subsequent socket_sends into the qtest_sendf, makes it so the server can
immediately handle the command, without building a local buffe
From: Alexander Oleinik
Before, when tests/Makefile.include was included, the contents would be
ignored if config-host.mak was defined. Moving the ifneq responsible for
this allows a target to depend on both testing-related and host-related
objects. For example the virtual-device fuzzer relies on
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
docs/devel/fuzzing.txt | 119 +
1 file changed, 119 insertions(+)
create mode 100644 docs/devel/fuzzing.txt
diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
new file mode 100644
in
From: Alexander Oleinik
The names i2c_send and i2c_recv collide with functions defined in
hw/i2c/core.c. This causes an error when linking against libqos and
softmmu simultaneously (for example when using qtest inproc). Rename the
libqos functions to avoid this.
Signed-off-by: Alexander Oleinik
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
Makefile| 15 ++-
Makefile.objs | 4 +++-
Makefile.target | 18 +-
tests/fuzz/Makefile.include | 4
4 files changed, 38 insertions(+), 3 deletions(-)
cr
From: Alexander Oleinik
tests/fuzz/fuzz.c serves as the entry point for the virtual-device
fuzzer. Namely, libfuzzer invokes the LLVMFuzzerInitialize and
LLVMFuzzerTestOneInput functions, both of which are defined in this
file. This change adds a "FuzzTarget" struct, along with the
fuzz_add_targe
From: Alexander Oleinik
qtest_server_send is a function pointer specifying the handler used to
transmit data to the qtest client. In the standard configuration, this
calls the CharBackend handler, but now it is possible for other types of
handlers, e.g direct-function calls if the qtest client an
From: Alexander Oleinik
These three targets should simply fuzz reads/writes to a couple ioports,
but they mostly serve as examples of different ways to write targets.
They demonstrate using qtest and qos for fuzzing, as well as using
rebooting and forking to reset state, or not resetting it at al
From: Alexander Oleinik
The virtual-device fuzzer must initialize QOM, prior to running
vl:qemu_init, so that it can use the qos_graph to identify the arguments
required to initialize a guest for libqos-assisted fuzzing. This change
prevents errors when vl:qemu_init tries to (re)initialize the pr
From: Alexander Oleinik
Most qos-related objects were specified in the qos-test-obj-y variable.
qos-test-obj-y also included qos-test.o which defines a main().
This made it difficult to repurpose qos-test-obj-y to link anything
beside tests/qos-test against libqos. This change separates objects t
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
include/qemu/module.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/qemu/module.h b/include/qemu/module.h
index 65ba596e46..684753d808 100644
--- a/include/qemu/module.h
+++ b/include/qemu/module.h
@@
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
There's a particularly ugly line here:
qtest_client_set_tx_handler(qts,
(void (*)(QTestState *s, const char*, size_t)) send);
Since qtest.c has no knowledge of the QTestState, I'm not sure how to
avoid doing this, without add
From: Alexander Oleinik
A program might rely on functions implemented in vl.c, but implement its
own main(). By placing main into a separate source file, there are no
complaints about duplicate main()s when linking against vl.o. For
example, the virtual-device fuzzer uses a main() provided by lib
From: Alexander Oleinik
The handler allows a qtest client to send commands to the server by
directly calling a function, rather than using a file/CharBackend
Signed-off-by: Alexander Oleinik
---
include/sysemu/qtest.h | 1 +
qtest.c| 13 +
2 files changed, 14 inser
This series adds a framework for coverage-guided fuzzing of
virtual-devices. Fuzzing targets are based on qtest and can make use of
the libqos abstractions.
V4:
* add/transfer license headers to new files
* restructure the added QTestClientTransportOps struct
* restructure the FuzzTarget struct
On Thu, 2019-09-19 at 14:56 -0400, John Snow wrote:
>
> On 9/19/19 6:37 AM, Stefan Hajnoczi wrote:
> > On Wed, Sep 18, 2019 at 11:19:40PM +0000, Oleinik, Alexander wrote:
> > > When using qtest "in-process" communication, qtest_sendf directly
> > > calls
On Thu, 2019-09-19 at 13:54 +0100, Stefan Hajnoczi wrote:
> On Wed, Sep 18, 2019 at 11:19:44PM +0000, Oleinik, Alexander wrote:
> > diff --git a/exec.c b/exec.c
> > index 235d6bc883..d3838f4ea4 100644
> > --- a/exec.c
> > +++ b/exec.c
> > @@ -2295,7 +2295,9 @@ s
On Thu, 2019-09-19 at 13:48 +0100, Stefan Hajnoczi wrote:
> > +
> > +void reboot(QTestState *s)
> > +{
> > +qemu_system_reset(SHUTDOWN_CAUSE_GUEST_RESET);
> > +}
>
> Why does reboot() take an unused argument?
It was needed when I had a reset_state(s) pointer which was separate
from fuzz(). Si
On Thu, 2019-09-19 at 13:15 +0200, Paolo Bonzini wrote:
> On 19/09/19 01:19, Oleinik, Alexander wrote:
> > The names i2c_send and i2c_recv collide with functions defined in
> > hw/i2c/core.c. This causes an error when linking against libqos and
> > softmmu simultaneously (f
On Thu, 2019-09-19 at 13:18 +0200, Paolo Bonzini wrote:
> I think you can pass "s" to the tx handler as well, and remove the
> send_opaque and recv_opaque fields?
Qtest also uses this function to communicate over qmp (different fd).
I can probably make the tx handler a wrapper which accepts "s",
On Thu, 2019-09-19 at 11:28 +0100, Stefan Hajnoczi wrote:
> Is -fsanitize=fuzzer a clang-only option? If yes, then please ensure
> that there is a friendly error message when ./configure is run with
> gcc.
> You could probe if -fsanitize=fuzzer works and then check that
> fuzzing=no when this feat
On Thu, 2019-09-19 at 11:42 +0100, Stefan Hajnoczi wrote:
> On Wed, Sep 18, 2019 at 11:19:41PM +0000, Oleinik, Alexander wrote:
> > @@ -830,6 +832,9 @@ char *qtest_hmp(QTestState *s, const char *fmt,
> > ...)
> >
> > const char *qtest_get_arch(void)
>
> Maybe t
On Thu, 2019-09-19 at 11:03 +0100, Stefan Hajnoczi wrote:
> On Wed, Sep 18, 2019 at 11:19:28PM +0000, Oleinik, Alexander wrote:
> > #ifdef CONFIG_COCOA
> > #undef main
>
> This looks suspicious. Should the #ifdef CONFIG_COCOA be moved into
> main.c?
> The re
The moved functions are not specific to qos-test and might be useful
elsewhere. For example the virtual-device fuzzer makes use of them for
qos-assisted fuzz-targets.
Signed-off-by: Alexander Oleinik
---
tests/Makefile.include | 1 +
tests/libqos/qos_external.c | 151 +
Signed-off-by: Alexander Oleinik
---
tests/libqtest.c | 46 ++
tests/libqtest.h | 5 +
2 files changed, 51 insertions(+)
diff --git a/tests/libqtest.c b/tests/libqtest.c
index d770462869..fc10322d52 100644
--- a/tests/libqtest.c
+++ b/tests/libqte
The handler allows a qtest client to send commands to the server by
directly calling a function, rather than using a file/CharBackend
Signed-off-by: Alexander Oleinik
---
include/sysemu/qtest.h | 1 +
qtest.c| 7 +++
2 files changed, 8 insertions(+)
diff --git a/include/syse
Signed-off-by: Alexander Oleinik
---
docs/devel/fuzzing.txt | 114 +
1 file changed, 114 insertions(+)
create mode 100644 docs/devel/fuzzing.txt
diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
new file mode 100644
index 00..53a1f858f5
The virtio-net fuzz target feeds inputs to all three virtio-net
virtqueues, and uses forking to avoid leaking state between fuzz runs.
Signed-off-by: Alexander Oleinik
---
tests/fuzz/Makefile.include | 1 +
tests/fuzz/virtio_net_fuzz.c | 120 +++
2 files change
Signed-off-by: Alexander Oleinik
---
configure | 13 +
1 file changed, 13 insertions(+)
diff --git a/configure b/configure
index 30aad233d1..775f46f55a 100755
--- a/configure
+++ b/configure
@@ -498,6 +498,7 @@ libxml2=""
debug_mutex="no"
libpmem=""
default_devices="yes"
+fuzzing=
Signed-off-by: Alexander Oleinik
---
Makefile| 12 +++-
Makefile.objs | 6 +-
Makefile.target | 1 +
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 3a43492340..5e5033a500 100644
--- a/Makefile
+++ b/Makefile
@@ -426,6 +426,7 @@ du
Signed-off-by: Alexander Oleinik
---
Note that with this you cannot configure with --enable-fuzzing to build
/all targets. Even if you could, you would need to clean all of the *.o
between builds, since fuzzing adds instrumentation CFLAGS.
Makefile| 15 ++-
Makef
This is needed for the qos-assisted fuzzers which walk the qos tree and
need a way to check if the current path matches the name of the fuzz
target.
Signed-off-by: Alexander Oleinik
---
tests/fuzz/fuzz.c | 3 +++
tests/fuzz/fuzz.h | 1 +
2 files changed, 4 insertions(+)
diff --git a/tests/fuzz/
When using qtest "in-process" communication, qtest_sendf directly calls
a function in the server (qtest.c). Combining the contents of the
subsequent socket_sends into the qtest_sendf, makes it so the server can
immediately handle the command, without building a local buffer and
waiting for a newlin
Signed-off-by: Alexander Oleinik
---
tests/fuzz/qos_fuzz.c | 212 ++
tests/fuzz/qos_fuzz.h | 19
2 files changed, 231 insertions(+)
create mode 100644 tests/fuzz/qos_fuzz.c
create mode 100644 tests/fuzz/qos_fuzz.h
diff --git a/tests/fuzz/qos_fuzz.c
Signed-off-by: Alexander Oleinik
---
include/qemu/module.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/qemu/module.h b/include/qemu/module.h
index 65ba596e46..684753d808 100644
--- a/include/qemu/module.h
+++ b/include/qemu/module.h
@@ -46,6 +46,7 @@ typedef enu
The names i2c_send and i2c_recv collide with functions defined in
hw/i2c/core.c. This causes an error when linking against libqos and
softmmu simultaneously (for example when using qtest inproc). Rename the
libqos functions to avoid this.
Signed-off-by: Alexander Oleinik
---
tests/libqos/i2c-imx
This series adds a framework for coverage-guided fuzzing of
virtual-devices. Fuzzing targets are based on qtest and can make use of
the libqos abstractions.
Build instructions in docs/devel/fuzzing.txt
V3:
* Rebased onto v4.1.0+
* Add the fuzzer as a new build-target type in the build-system
*
On Fri, 2019-08-09 at 10:04 +0100, Stefan Hajnoczi wrote:
> On Mon, Aug 05, 2019 at 07:11:05AM +0000, Oleinik, Alexander wrote:
> > Signed-off-by: Alexander Oleinik
> > ---
> > util/module.c | 7 +++
> > 1 file changed, 7 insertions(+)
>
> Why is this
On Mon, 2019-08-12 at 18:39 -0400, Bandan Das wrote:
> "Oleinik, Alexander" writes:
> ...
> > if test "$supported_cpu" = "no"; then
> > echo
> > @@ -7306,6 +7310,17 @@ fi
> > if test "$sheepdog" = "yes"
On Mon, 2019-08-05 at 03:24 +, Oleinik, Alexander wrote:
> The number of queues is 2n+1, where n == 1 when multiqueue is
> disabled
>
> Signed-off-by: Alexander Oleinik
> ---
>
> I split this commit out of the fuzz patch-series.
>
> tests/libqos/virtio-net.c |
Signed-off-by: Alexander Oleinik
---
tests/fuzz/virtio-net-fuzz.c | 254 +++
1 file changed, 254 insertions(+)
create mode 100644 tests/fuzz/virtio-net-fuzz.c
diff --git a/tests/fuzz/virtio-net-fuzz.c b/tests/fuzz/virtio-net-fuzz.c
new file mode 100644
index
Signed-off-by: Alexander Oleinik
---
tests/fuzz/qtest_fuzz.c | 260
tests/fuzz/qtest_fuzz.h | 37 ++
2 files changed, 297 insertions(+)
create mode 100644 tests/fuzz/qtest_fuzz.c
create mode 100644 tests/fuzz/qtest_fuzz.h
diff --git a/tests/fuzz/qt