fuzz: add an instrumentation filter
By default, -fsanitize=fuzzer instruments all code with coverage information. However, this means that libfuzzer will track coverage over hundreds of source files that are unrelated to virtual-devices. This means that libfuzzer will optimize inputs for coverage observed in timer code, memory APIs etc. This slows down the fuzzer and stores many inputs that are not relevant to the actual virtual-devices. With this change, clang versions that support the "-fsanitize-coverage-allowlist" will only instrument a subset of the compiled code, that is directly related to virtual-devices. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
This commit is contained in:
Alexander Bulekov
parent
f2e8b87a1a
commit
dfc86c0f25
|
|
@ -4198,13 +4198,21 @@ fi
|
|||
|
||||
##########################################
|
||||
# checks for fuzzer
|
||||
if test "$fuzzing" = "yes" && test -z "${LIB_FUZZING_ENGINE+xxx}"; then
|
||||
if test "$fuzzing" = "yes" ; then
|
||||
write_c_fuzzer_skeleton
|
||||
if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer" ""; then
|
||||
have_fuzzer=yes
|
||||
else
|
||||
error_exit "Your compiler doesn't support -fsanitize=fuzzer"
|
||||
exit 1
|
||||
if test -z "${LIB_FUZZING_ENGINE+xxx}"; then
|
||||
if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer" ""; then
|
||||
have_fuzzer=yes
|
||||
else
|
||||
error_exit "Your compiler doesn't support -fsanitize=fuzzer"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
have_clang_coverage_filter=no
|
||||
echo > $TMPTXT
|
||||
if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer -fsanitize-coverage-allowlist=$TMPTXT" ""; then
|
||||
have_clang_coverage_filter=yes
|
||||
fi
|
||||
fi
|
||||
|
||||
|
|
@ -4884,6 +4892,14 @@ if test "$fuzzing" = "yes" ; then
|
|||
else
|
||||
FUZZ_EXE_LDFLAGS="$LIB_FUZZING_ENGINE"
|
||||
fi
|
||||
|
||||
# Specify a filter to only instrument code that is directly related to
|
||||
# virtual-devices.
|
||||
if test "$have_clang_coverage_filter" = "yes" ; then
|
||||
cp "$source_path/scripts/oss-fuzz/instrumentation-filter-template" \
|
||||
instrumentation-filter
|
||||
QEMU_CFLAGS="$QEMU_CFLAGS -fsanitize-coverage-allowlist=instrumentation-filter"
|
||||
fi
|
||||
fi
|
||||
|
||||
if test "$plugins" = "yes" ; then
|
||||
|
|
|
|||
|
|
@ -0,0 +1,15 @@
|
|||
# Code that we actually want the fuzzer to target
|
||||
# See: https://clang.llvm.org/docs/SanitizerCoverage.html#disabling-instrumentation-without-source-modification
|
||||
#
|
||||
src:*/hw/*
|
||||
src:*/include/hw/*
|
||||
src:*/slirp/*
|
||||
src:*/net/*
|
||||
|
||||
# We don't care about coverage over fuzzer-specific code, however we should
|
||||
# instrument the fuzzer entry-point so libFuzzer always sees at least some
|
||||
# coverage - otherwise it will exit after the first input
|
||||
src:*/tests/qtest/fuzz/fuzz.c
|
||||
|
||||
# Enable instrumentation for all functions in those files
|
||||
fun:*
|
||||
Loading…
Reference in New Issue