Message ID | 20201021210922.572955-16-alxndr@bu.edu |
---|---|
Series | Add a Generic Virtual Device Fuzzer | expand |
On Wednesday, 2020-10-21 at 17:09:21 -04, Alexander Bulekov wrote:
> We call get_generic_fuzz_configs, which fills an array with
> predefined {name, args, objects} triples. For each of these, we add a
> new FuzzTarget, that uses a small wrapper to set
> QEMU_FUZZ_{ARGS,OBJECTS} to the corresponding predefined values.
>
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>

Reviewed-by: Darren Kenny <darren.kenny@oracle.com>

> ---
> tests/qtest/fuzz/generic_fuzz.c | 32 ++++++++++++++++++++++++++++++++
> 1 file changed, 32 insertions(+)
>
> diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
> index f739937827..bff98fe3c8 100644
> --- a/tests/qtest/fuzz/generic_fuzz.c
> +++ b/tests/qtest/fuzz/generic_fuzz.c
> @@ -26,6 +26,7 @@
>  #include "hw/qdev-core.h"
>  #include "hw/pci/pci.h"
>  #include "hw/boards.h"
> +#include "generic_fuzz_configs.h"
>
>  /*
>   * SEPARATOR is used to separate "operations" in the fuzz input
> @@ -901,6 +902,17 @@ static GString *generic_fuzz_cmdline(FuzzTarget *t)
>      return cmd_line;
>  }
>
> +static GString *generic_fuzz_predefined_config_cmdline(FuzzTarget *t)
> +{
> +    const generic_fuzz_config *config;
> +    g_assert(t->opaque);
> +
> +    config = t->opaque;
> +    setenv("QEMU_FUZZ_ARGS", config->args, 1);
> +    setenv("QEMU_FUZZ_OBJECTS", config->objects, 1);
> +    return generic_fuzz_cmdline(t);
> +}
> +
>  static void register_generic_fuzz_targets(void)
>  {
>      fuzz_add_target(&(FuzzTarget){
> @@ -911,6 +923,26 @@ static void register_generic_fuzz_targets(void)
>          .fuzz = generic_fuzz,
>          .crossover = generic_fuzz_crossover
>      });
> +
> +    GString *name;
> +    const generic_fuzz_config *config;
> +
> +    for (int i = 0;
> +         i < sizeof(predefined_configs) / sizeof(generic_fuzz_config);
> +         i++) {
> +        config = predefined_configs + i;
> +        name = g_string_new("generic-fuzz");
> +        g_string_append_printf(name, "-%s", config->name);
> +        fuzz_add_target(&(FuzzTarget){
> +            .name = name->str,
> +            .description = "Predefined generic-fuzz config.",
> +            .get_init_cmdline = generic_fuzz_predefined_config_cmdline,
> +            .pre_fuzz = generic_pre_fuzz,
> +            .fuzz = generic_fuzz,
> +            .crossover = generic_fuzz_crossover,
> +            .opaque = (void *)config
> +        });
> +    }
>  }
>
>  fuzz_target_init(register_generic_fuzz_targets);
> --
> 2.28.0
diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index f739937827..bff98fe3c8 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -26,6 +26,7 @@
 #include "hw/qdev-core.h"
 #include "hw/pci/pci.h"
 #include "hw/boards.h"
+#include "generic_fuzz_configs.h"
 
 /*
  * SEPARATOR is used to separate "operations" in the fuzz input
@@ -901,6 +902,17 @@ static GString *generic_fuzz_cmdline(FuzzTarget *t)
     return cmd_line;
 }
 
+static GString *generic_fuzz_predefined_config_cmdline(FuzzTarget *t)
+{
+    const generic_fuzz_config *config;
+    g_assert(t->opaque);
+
+    config = t->opaque;
+    setenv("QEMU_FUZZ_ARGS", config->args, 1);
+    setenv("QEMU_FUZZ_OBJECTS", config->objects, 1);
+    return generic_fuzz_cmdline(t);
+}
+
 static void register_generic_fuzz_targets(void)
 {
     fuzz_add_target(&(FuzzTarget){
@@ -911,6 +923,26 @@ static void register_generic_fuzz_targets(void)
         .fuzz = generic_fuzz,
         .crossover = generic_fuzz_crossover
     });
+
+    GString *name;
+    const generic_fuzz_config *config;
+
+    for (int i = 0;
+         i < sizeof(predefined_configs) / sizeof(generic_fuzz_config);
+         i++) {
+        config = predefined_configs + i;
+        name = g_string_new("generic-fuzz");
+        g_string_append_printf(name, "-%s", config->name);
+        fuzz_add_target(&(FuzzTarget){
+            .name = name->str,
+            .description = "Predefined generic-fuzz config.",
+            .get_init_cmdline = generic_fuzz_predefined_config_cmdline,
+            .pre_fuzz = generic_pre_fuzz,
+            .fuzz = generic_fuzz,
+            .crossover = generic_fuzz_crossover,
+            .opaque = (void *)config
+        });
+    }
 }
 
 fuzz_target_init(register_generic_fuzz_targets);
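Review bot: Both setenv() calls in generic_fuzz_predefined_config_cmdline discard their return value, so on failure (EINVAL or ENOMEM) whatever QEMU_FUZZ_ARGS/QEMU_FUZZ_OBJECTS were already exported stay in place and generic_fuzz_cmdline() silently builds the command line for a different configuration than the target's name advertises. The wrapper already aborts on a missing opaque, so the same policy fits here: `g_assert(setenv("QEMU_FUZZ_ARGS", config->args, 1) == 0);` and the same for QEMU_FUZZ_OBJECTS. Whether config->args and config->objects are guaranteed non-NULL is not visible in this hunk (setenv with a NULL value is undefined behaviour), so a one-line comment on the wrapper stating that every predefined config carries both strings, or a g_assert on them, would make the contract explicit. The separate `const generic_fuzz_config *config;` declaration and later assignment could also be folded into `const generic_fuzz_config *config = t->opaque;` after the assert.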
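Review bot: The loop in register_generic_fuzz_targets compares the signed `int i` against the size_t result of `sizeof(predefined_configs) / sizeof(generic_fuzz_config)`, which trips -Wsign-compare and ties the element size to the type name rather than to the array; `for (size_t i = 0; i < ARRAY_SIZE(predefined_configs); i++)` with QEMU's ARRAY_SIZE macro avoids both. Each iteration also leaks the GString wrapper: only `name->str` is handed to fuzz_add_target, so if fuzz_add_target copies the FuzzTarget but keeps the string pointer (it is outside this hunk, so please confirm), `g_string_free(name, FALSE);` after the call releases the wrapper while keeping the buffer alive. Finally, the commit message says get_generic_fuzz_configs fills the array, but the hunk reads a `predefined_configs` table directly, presumably from the newly included generic_fuzz_configs.h; a one-line comment above the loop naming where the table comes from would keep the message and the code from drifting apart.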
We call get_generic_fuzz_configs, which fills an array with predefined {name, args, objects} triples. For each of these, we add a new FuzzTarget that uses a small wrapper to set QEMU_FUZZ_{ARGS,OBJECTS} to the corresponding predefined values.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
 tests/qtest/fuzz/generic_fuzz.c | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)