qemu-e2k/tests/qtest/fuzz/fork_fuzz.ld

/*
 * We adjust linker script modification to place all of the stuff that needs to
 * persist across fuzzing runs into a contiguous section of memory. Then, it is
 * easy to re-map the counter-related memory as shared.
 */

SECTIONS
{
  .data.fuzz_start : ALIGN(4K)
  {
      __FUZZ_COUNTERS_START = .;
      __start___sancov_cntrs = .;
      *(_*sancov_cntrs);
      __stop___sancov_cntrs = .;

      /* Lowest stack counter */
      *(__sancov_lowest_stack);
  }
}
INSERT AFTER .data;

SECTIONS
{
  .data.fuzz_ordered :
  {
      /*
       * Coverage counters. They're not necessary for fuzzing, but are useful
       * for analyzing the fuzzing performance
       */
      __start___llvm_prf_cnts = .;
      *(*llvm_prf_cnts);
      __stop___llvm_prf_cnts = .;

      /* Internal Libfuzzer TracePC object which contains the ValueProfileMap */
      FuzzerTracePC*(.bss*);
      /*
       * In case the above line fails, explicitly specify the (mangled) name of
       * the object we care about
       */
       *(.bss._ZN6fuzzer3TPCE);
  }
}
INSERT AFTER .data.fuzz_start;

SECTIONS
{
  .data.fuzz_end : ALIGN(4K)
  {
      __FUZZ_COUNTERS_END = .;
  }
}
/*
 * Don't overwrite the SECTIONS in the default linker script. Instead insert the
 * above into the default script
 */
INSERT AFTER .data.fuzz_ordered;
fuzz: fix style/typos in linker-script comments Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-id: 20200227031439.31386-2-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> 2020-02-27 04:14:38 +01:00			`/*`
			`* We adjust linker script modification to place all of the stuff that needs to`
			`* persist across fuzzing runs into a contiguous section of memory. Then, it is`
fuzz: support for fork-based fuzzing. fork() is a simple way to ensure that state does not leak in between fuzzing runs. Unfortunately, the fuzzer mutation engine relies on bitmaps which contain coverage information for each fuzzing run, and these bitmaps should be copied from the child to the parent(where the mutation occurs). These bitmaps are created through compile-time instrumentation and they are not shared with fork()-ed processes, by default. To address this, we create a shared memory region, adjust its size and map it _over_ the counter region. Furthermore, libfuzzer doesn't generally expose the globals that specify the location of the counters/coverage bitmap. As a workaround, we rely on a custom linker script which forces all of the bitmaps we care about to be placed in a contiguous region, which is easy to locate and mmap over. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-16-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> 2020-02-20 05:11:11 +01:00			`* easy to re-map the counter-related memory as shared.`
fuzz: fix style/typos in linker-script comments Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-id: 20200227031439.31386-2-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> 2020-02-27 04:14:38 +01:00			`*/`
fuzz: support for fork-based fuzzing. fork() is a simple way to ensure that state does not leak in between fuzzing runs. Unfortunately, the fuzzer mutation engine relies on bitmaps which contain coverage information for each fuzzing run, and these bitmaps should be copied from the child to the parent(where the mutation occurs). These bitmaps are created through compile-time instrumentation and they are not shared with fork()-ed processes, by default. To address this, we create a shared memory region, adjust its size and map it _over_ the counter region. Furthermore, libfuzzer doesn't generally expose the globals that specify the location of the counters/coverage bitmap. As a workaround, we rely on a custom linker script which forces all of the bitmaps we care about to be placed in a contiguous region, which is easy to locate and mmap over. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-16-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> 2020-02-20 05:11:11 +01:00
			`SECTIONS`
			`{`
			`.data.fuzz_start : ALIGN(4K)`
			`{`
			`__FUZZ_COUNTERS_START = .;`
			`__start___sancov_cntrs = .;`
			`(_sancov_cntrs);`
			`__stop___sancov_cntrs = .;`

			`/* Lowest stack counter */`
			`*(__sancov_lowest_stack);`
			`}`
fuzz: Make fork_fuzz.ld compatible with LLVM's LLD LLVM's linker, LLD, supports the keyword "INSERT AFTER", starting with version 11. However, when multiple sections are defined in the same "INSERT AFTER", they are added in a reversed order, compared to BFD's LD. This patch makes fork_fuzz.ld generic enough to work with both linkers. Each section now has its own "INSERT AFTER" keyword, so proper ordering is defined between the sections added. Signed-off-by: Daniele Buono <dbuono@linux.vnet.ibm.com> Message-Id: <20201105221905.1350-2-dbuono@linux.vnet.ibm.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com> 2020-11-05 23:18:57 +01:00			`}`
			`INSERT AFTER .data;`

			`SECTIONS`
			`{`
fuzz: support for fork-based fuzzing. fork() is a simple way to ensure that state does not leak in between fuzzing runs. Unfortunately, the fuzzer mutation engine relies on bitmaps which contain coverage information for each fuzzing run, and these bitmaps should be copied from the child to the parent(where the mutation occurs). These bitmaps are created through compile-time instrumentation and they are not shared with fork()-ed processes, by default. To address this, we create a shared memory region, adjust its size and map it _over_ the counter region. Furthermore, libfuzzer doesn't generally expose the globals that specify the location of the counters/coverage bitmap. As a workaround, we rely on a custom linker script which forces all of the bitmaps we care about to be placed in a contiguous region, which is easy to locate and mmap over. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-16-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> 2020-02-20 05:11:11 +01:00			`.data.fuzz_ordered :`
			`{`
fuzz: fix style/typos in linker-script comments Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-id: 20200227031439.31386-2-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> 2020-02-27 04:14:38 +01:00			`/*`
			`* Coverage counters. They're not necessary for fuzzing, but are useful`
fuzz: support for fork-based fuzzing. fork() is a simple way to ensure that state does not leak in between fuzzing runs. Unfortunately, the fuzzer mutation engine relies on bitmaps which contain coverage information for each fuzzing run, and these bitmaps should be copied from the child to the parent(where the mutation occurs). These bitmaps are created through compile-time instrumentation and they are not shared with fork()-ed processes, by default. To address this, we create a shared memory region, adjust its size and map it _over_ the counter region. Furthermore, libfuzzer doesn't generally expose the globals that specify the location of the counters/coverage bitmap. As a workaround, we rely on a custom linker script which forces all of the bitmaps we care about to be placed in a contiguous region, which is easy to locate and mmap over. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-16-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> 2020-02-20 05:11:11 +01:00			`* for analyzing the fuzzing performance`
			`*/`
			`__start___llvm_prf_cnts = .;`
			`(llvm_prf_cnts);`
			`__stop___llvm_prf_cnts = .;`

			`/* Internal Libfuzzer TracePC object which contains the ValueProfileMap */`
			`FuzzerTracePC(.bss);`
fuzz: add mangled object name to linker script Previously, we relied on "FuzzerTracePC(.bss)" to place libfuzzer's fuzzer::TPC object into our contiguous shared-memory region. This does not work for some libfuzzer builds, so this addition identifies the region by its mangled name: *(.bss._ZN6fuzzer3TPCE); Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-id: 20200512030133.29896-4-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> 2020-05-12 05:01:32 +02:00			`/*`
			`* In case the above line fails, explicitly specify the (mangled) name of`
			`* the object we care about`
			`*/`
			`*(.bss._ZN6fuzzer3TPCE);`
fuzz: support for fork-based fuzzing. fork() is a simple way to ensure that state does not leak in between fuzzing runs. Unfortunately, the fuzzer mutation engine relies on bitmaps which contain coverage information for each fuzzing run, and these bitmaps should be copied from the child to the parent(where the mutation occurs). These bitmaps are created through compile-time instrumentation and they are not shared with fork()-ed processes, by default. To address this, we create a shared memory region, adjust its size and map it _over_ the counter region. Furthermore, libfuzzer doesn't generally expose the globals that specify the location of the counters/coverage bitmap. As a workaround, we rely on a custom linker script which forces all of the bitmaps we care about to be placed in a contiguous region, which is easy to locate and mmap over. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-16-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> 2020-02-20 05:11:11 +01:00			`}`
fuzz: Make fork_fuzz.ld compatible with LLVM's LLD LLVM's linker, LLD, supports the keyword "INSERT AFTER", starting with version 11. However, when multiple sections are defined in the same "INSERT AFTER", they are added in a reversed order, compared to BFD's LD. This patch makes fork_fuzz.ld generic enough to work with both linkers. Each section now has its own "INSERT AFTER" keyword, so proper ordering is defined between the sections added. Signed-off-by: Daniele Buono <dbuono@linux.vnet.ibm.com> Message-Id: <20201105221905.1350-2-dbuono@linux.vnet.ibm.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com> 2020-11-05 23:18:57 +01:00			`}`
			`INSERT AFTER .data.fuzz_start;`

			`SECTIONS`
			`{`
fuzz: support for fork-based fuzzing. fork() is a simple way to ensure that state does not leak in between fuzzing runs. Unfortunately, the fuzzer mutation engine relies on bitmaps which contain coverage information for each fuzzing run, and these bitmaps should be copied from the child to the parent(where the mutation occurs). These bitmaps are created through compile-time instrumentation and they are not shared with fork()-ed processes, by default. To address this, we create a shared memory region, adjust its size and map it _over_ the counter region. Furthermore, libfuzzer doesn't generally expose the globals that specify the location of the counters/coverage bitmap. As a workaround, we rely on a custom linker script which forces all of the bitmaps we care about to be placed in a contiguous region, which is easy to locate and mmap over. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-id: 20200220041118.23264-16-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> 2020-02-20 05:11:11 +01:00			`.data.fuzz_end : ALIGN(4K)`
			`{`
			`__FUZZ_COUNTERS_END = .;`
			`}`
			`}`
fuzz: fix style/typos in linker-script comments Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-id: 20200227031439.31386-2-alxndr@bu.edu Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> 2020-02-27 04:14:38 +01:00			`/*`
			`* Don't overwrite the SECTIONS in the default linker script. Instead insert the`
			`* above into the default script`
			`*/`
fuzz: Make fork_fuzz.ld compatible with LLVM's LLD LLVM's linker, LLD, supports the keyword "INSERT AFTER", starting with version 11. However, when multiple sections are defined in the same "INSERT AFTER", they are added in a reversed order, compared to BFD's LD. This patch makes fork_fuzz.ld generic enough to work with both linkers. Each section now has its own "INSERT AFTER" keyword, so proper ordering is defined between the sections added. Signed-off-by: Daniele Buono <dbuono@linux.vnet.ibm.com> Message-Id: <20201105221905.1350-2-dbuono@linux.vnet.ibm.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com> 2020-11-05 23:18:57 +01:00			`INSERT AFTER .data.fuzz_ordered;`