-rwxr-xr-xconfigure28
-rw-r--r--scripts/oss-fuzz/instrumentation-filter-template15
2 files changed, 37 insertions, 6 deletions
diff --git a/configure b/configure
index 9a79a004d7..dcdbe3f068 100755
--- a/configure
+++ b/configure
@@ -4198,13 +4198,21 @@ fi
##########################################
# checks for fuzzer
-if test "$fuzzing" = "yes" && test -z "${LIB_FUZZING_ENGINE+xxx}"; then
+if test "$fuzzing" = "yes" ; then
write_c_fuzzer_skeleton
- if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer" ""; then
- have_fuzzer=yes
- else
- error_exit "Your compiler doesn't support -fsanitize=fuzzer"
- exit 1
+ if test -z "${LIB_FUZZING_ENGINE+xxx}"; then
+ if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer" ""; then
+ have_fuzzer=yes
+ else
+ error_exit "Your compiler doesn't support -fsanitize=fuzzer"
+ exit 1
+ fi
+ fi
+
+ have_clang_coverage_filter=no
+ echo > $TMPTXT
+ if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer -fsanitize-coverage-allowlist=$TMPTXT" ""; then
+ have_clang_coverage_filter=yes
fi
fi
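Review bot: The probe for the allowlist flag writes and references the temp file unquoted (`echo > $TMPTXT` and `-fsanitize-coverage-allowlist=$TMPTXT`), so a build directory whose path contains whitespace makes the probe fail and `have_clang_coverage_filter` silently stays `no`; at least the redirect should be `echo > "$TMPTXT"`, and the flag argument needs the same care if `compile_prog` word-splits its first parameter. The re-indented `exit 1` after `error_exit` is unreachable if `error_exit` already terminates configure, as its name suggests, and could be dropped while this block is being touched. Note also that the allowlist probe passes `-fsanitize=fuzzer` even when `LIB_FUZZING_ENGINE` is set, so on a toolchain where that flag is not accepted directly the filter is disabled without any message; a comment such as `# probe needs -fsanitize=fuzzer even under an external engine; failure here only disables the filter` would make that intentional.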
@@ -4884,6 +4892,14 @@ if test "$fuzzing" = "yes" ; then
else
FUZZ_EXE_LDFLAGS="$LIB_FUZZING_ENGINE"
fi
+
+ # Specify a filter to only instrument code that is directly related to
+ # virtual-devices.
+ if test "$have_clang_coverage_filter" = "yes" ; then
+ cp "$source_path/scripts/oss-fuzz/instrumentation-filter-template" \
+ instrumentation-filter
+ QEMU_CFLAGS="$QEMU_CFLAGS -fsanitize-coverage-allowlist=instrumentation-filter"
+ fi
fi
if test "$plugins" = "yes" ; then
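Review bot: The `cp` of the filter template is not checked, so if it fails (unreadable source tree, read-only build dir) the `-fsanitize-coverage-allowlist=instrumentation-filter` flag is still appended to `QEMU_CFLAGS` and every later compile fails with a missing allowlist file rather than at configure time; write `cp "$source_path/scripts/oss-fuzz/instrumentation-filter-template" instrumentation-filter || error_exit "cannot install instrumentation-filter"`. The allowlist is also given as a path relative to the compiler's working directory, which presumably is the build root for every compile; if any compilation runs from another directory the file is not found, so an absolute form such as `$PWD/instrumentation-filter` would be more robust. The enclosing `if test "$fuzzing" = "yes"` begins before this hunk.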
diff --git a/scripts/oss-fuzz/instrumentation-filter-template b/scripts/oss-fuzz/instrumentation-filter-template
new file mode 100644
index 0000000000..76d2b6139a
--- /dev/null
+++ b/scripts/oss-fuzz/instrumentation-filter-template
@@ -0,0 +1,15 @@
+# Code that we actually want the fuzzer to target
+# See: https://clang.llvm.org/docs/SanitizerCoverage.html#disabling-instrumentation-without-source-modification
+#
+src:*/hw/*
+src:*/include/hw/*
+src:*/slirp/*
+src:*/net/*
+
+# We don't care about coverage over fuzzer-specific code, however we should
+# instrument the fuzzer entry-point so libFuzzer always sees at least some
+# coverage - otherwise it will exit after the first input
+src:*/tests/qtest/fuzz/fuzz.c
+
+# Enable instrumentation for all functions in those files
+fun:*
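Review bot: The `src:*/net/*` and `src:*/slirp/*` entries are broad: if `*` in a sanitizer special-case list also matches `/`, as I believe it does, `*/net/*` matches any path with a `net` component anywhere under the tree, not only QEMU's top-level `net/`, and the comment does not say whether that is intended. It would also help future readers to state the trade-off here, e.g. `# Coverage feedback for code outside these paths (memory API, block layer, ...) is dropped; bugs there are still caught by the sanitizers but are not explored by the fuzzer`, since the header only says what is targeted, not what is deliberately excluded. A short line noting that `fun:*` is required for the allowlist to take effect at all would explain the otherwise odd-looking trailing entry.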