[Qemu-devel] [RFC PATCH v2 14/17] fuzz: Add forking support to the fuzzer

[Oleinik, Alexander]

Forking is a simple way of ensuring that state doesn't leak between
runs. This patch depends on a modification to libfuzzer:
https://reviews.llvm.org/D65672

Signed-off-by: Alexander Oleinik <address@hidden>
---
 tests/fuzz/fuzzer_hooks.c | 62 +++++++++++++++++++++++++++++++++++++++
 tests/fuzz/fuzzer_hooks.h | 21 +++++++++++++
 2 files changed, 83 insertions(+)
 create mode 100644 tests/fuzz/fuzzer_hooks.c
 create mode 100644 tests/fuzz/fuzzer_hooks.h

diff --git a/tests/fuzz/fuzzer_hooks.c b/tests/fuzz/fuzzer_hooks.c
new file mode 100644
index 0000000000..87c94ef65f
--- /dev/null
+++ b/tests/fuzz/fuzzer_hooks.c
@@ -0,0 +1,62 @@
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "qapi/error.h"
+#include "qemu-common.h"
+#include "fuzzer_hooks.h"
+
+#include <dlfcn.h>
+#include <elf.h>
+
+
+
+void *counter_shm;
+size_t feature_shm_len;
+uintptr_t feature_shm;
+size_t offset;
+
+typedef struct CoverageRegion {
+    uint8_t *start;
+    size_t length;
+    bool store; /* Set this if it needs to be copied to the forked process */
+} CoverageRegion;
+
+CoverageRegion regions[10];
+int region_index;
+
+
+void counter_shm_init(void)
+{
+    LLVMFuzzerIterateFeatureRegions(&measure_shm_size);
+    feature_shm = (uintptr_t)mmap(NULL, feature_shm_len,
+            PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+}
+
+void counter_shm_store(void)
+{
+    offset = 0;
+    LLVMFuzzerIterateFeatureRegions(&feature_store);
+}
+
+void counter_shm_load(void)
+{
+    offset = 0;
+    LLVMFuzzerIterateFeatureRegions(&feature_load);
+}
+
+void feature_load(void *start, size_t len)
+{
+    memcpy(start, (void *)(feature_shm + offset), len);
+    offset += len;
+}
+
+void feature_store(void *start, size_t len)
+{
+    memcpy((void *)(feature_shm + offset), start, len);
+    offset += len;
+}
+
+void measure_shm_size(void *start, size_t len)
+{
+    feature_shm_len += len;
+}
+
diff --git a/tests/fuzz/fuzzer_hooks.h b/tests/fuzz/fuzzer_hooks.h
new file mode 100644
index 0000000000..2f411193dd
--- /dev/null
+++ b/tests/fuzz/fuzzer_hooks.h
@@ -0,0 +1,21 @@
+#ifndef FUZZER_HOOKS_H
+#define FUZZER_HOOKS_H
+
+
+/* NOTE: Pending https://reviews.llvm.org/D65672
+ * Alternatively, a similar functionality can be added fairly straightforwardly
+ * with AFL deferred fork mode, albeit requiring a different fuzzer and 
compiler
+ * https://github.com/mirrorer/afl/blob/master/llvm_mode/README.llvm#L82
+ */
+extern void LLVMFuzzerIterateFeatureRegions(void (*CB)(void *, size_t));
+
+void measure_shm_size(void *start, size_t len);
+
+void counter_shm_init(void);
+void counter_shm_store(void);
+void counter_shm_load(void);
+void feature_load(void *start, size_t len);
+void feature_store(void *start, size_t len);
+
+#endif
+
-- 
2.20.1