Re: [PULL 24/31] fuzz: support for fork-based fuzzing.

[Stefan Hajnoczi]

On Sat, Feb 22, 2020 at 05:34:29AM -0600, Eric Blake wrote:
> On 2/22/20 2:50 AM, Stefan Hajnoczi wrote:
> > From: Alexander Bulekov <address@hidden>
> > 
> > fork() is a simple way to ensure that state does not leak in between
> > fuzzing runs. Unfortunately, the fuzzer mutation engine relies on
> > bitmaps which contain coverage information for each fuzzing run, and
> > these bitmaps should be copied from the child to the parent(where the
> > mutation occurs). These bitmaps are created through compile-time
> > instrumentation and they are not shared with fork()-ed processes, by
> > default. To address this, we create a shared memory region, adjust its
> > size and map it _over_ the counter region. Furthermore, libfuzzer
> > doesn't generally expose the globals that specify the location of the
> > counters/coverage bitmap. As a workaround, we rely on a custom linker
> > script which forces all of the bitmaps we care about to be placed in a
> > contiguous region, which is easy to locate and mmap over.
> > 
> > Signed-off-by: Alexander Bulekov <address@hidden>
> > Reviewed-by: Stefan Hajnoczi <address@hidden>
> > Reviewed-by: Darren Kenny <address@hidden>
> > Message-id: address@hidden
> > Signed-off-by: Stefan Hajnoczi <address@hidden>
> > ---
> 
> Random drive-by observation:
> 
> > +++ b/tests/qtest/fuzz/fork_fuzz.ld
> > @@ -0,0 +1,37 @@
> > +/* We adjust linker script modification to place all of the stuff that 
> > needs to
> > + * persist across fuzzing runs into a contiguous seciton of memory. Then, 
> > it is
> 
> section

Thanks, Eric!

Alex, please send follow-up patches to fix this typo and the 80
character line limit issues identified by patchew (see patch email reply
to this email thread).

Stefan

signature.asc
Description: PGP signature