new file mode 100644
@@ -0,0 +1,62 @@
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "qapi/error.h"
+#include "qemu-common.h"
+#include "fuzzer_hooks.h"
+
+#include <dlfcn.h>
+#include <elf.h>
+
+
+
+void *counter_shm;
+size_t feature_shm_len;
+uintptr_t feature_shm;
+size_t offset;
+
+typedef struct CoverageRegion {
+ uint8_t *start;
+ size_t length;
+ bool store; /* Set this if it needs to be copied to the forked process */
+} CoverageRegion;
+
+CoverageRegion regions[10];
+int region_index;
+
+
+void counter_shm_init(void)
+{
+ LLVMFuzzerIterateFeatureRegions(&measure_shm_size);
+ feature_shm = (uintptr_t)mmap(NULL, feature_shm_len,
+ PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+}
+
+void counter_shm_store(void)
+{
+ offset = 0;
+ LLVMFuzzerIterateFeatureRegions(&feature_store);
+}
+
+void counter_shm_load(void)
+{
+ offset = 0;
+ LLVMFuzzerIterateFeatureRegions(&feature_load);
+}
+
+void feature_load(void *start, size_t len)
+{
+ memcpy(start, (void *)(feature_shm + offset), len);
+ offset += len;
+}
+
+void feature_store(void *start, size_t len)
+{
+ memcpy((void *)(feature_shm + offset), start, len);
+ offset += len;
+}
+
+void measure_shm_size(void *start, size_t len)
+{
+ feature_shm_len += len;
+}
+
new file mode 100644
@@ -0,0 +1,21 @@
+#ifndef FUZZER_HOOKS_H
+#define FUZZER_HOOKS_H
+
+
+/* NOTE: Pending https://reviews.llvm.org/D65672
+ * Alternatively, a similar functionality can be added fairly straightforwardly
+ * with AFL deferred fork mode, albeit requiring a different fuzzer and compiler
+ * https://github.com/mirrorer/afl/blob/master/llvm_mode/README.llvm#L82
+ */
+extern void LLVMFuzzerIterateFeatureRegions(void (*CB)(void *, size_t));
+
+void measure_shm_size(void *start, size_t len);
+
+void counter_shm_init(void);
+void counter_shm_store(void);
+void counter_shm_load(void);
+void feature_load(void *start, size_t len);
+void feature_store(void *start, size_t len);
+
+#endif
+
Forking is a simple way of ensuring that state doesn't leak between runs. This patch depends on a modification to libfuzzer: https://reviews.llvm.org/D65672 Signed-off-by: Alexander Oleinik <alxndr@bu.edu> --- tests/fuzz/fuzzer_hooks.c | 62 +++++++++++++++++++++++++++++++++++++++ tests/fuzz/fuzzer_hooks.h | 21 +++++++++++++ 2 files changed, 83 insertions(+) create mode 100644 tests/fuzz/fuzzer_hooks.c create mode 100644 tests/fuzz/fuzzer_hooks.h