diff options
Diffstat (limited to '')
| -rwxr-xr-x | configure | 28 | ||||
| -rw-r--r-- | scripts/oss-fuzz/instrumentation-filter-template | 15 |
2 files changed, 37 insertions, 6 deletions
diff --git a/configure b/configure index 9a79a004d7..dcdbe3f068 100755 --- a/configure +++ b/configure @@ -4198,13 +4198,21 @@ fi ########################################## # checks for fuzzer -if test "$fuzzing" = "yes" && test -z "${LIB_FUZZING_ENGINE+xxx}"; then +if test "$fuzzing" = "yes" ; then write_c_fuzzer_skeleton - if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer" ""; then - have_fuzzer=yes - else - error_exit "Your compiler doesn't support -fsanitize=fuzzer" - exit 1 + if test -z "${LIB_FUZZING_ENGINE+xxx}"; then + if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer" ""; then + have_fuzzer=yes + else + error_exit "Your compiler doesn't support -fsanitize=fuzzer" + exit 1 + fi + fi + + have_clang_coverage_filter=no + echo > $TMPTXT + if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer -fsanitize-coverage-allowlist=$TMPTXT" ""; then + have_clang_coverage_filter=yes fi fi @@ -4884,6 +4892,14 @@ if test "$fuzzing" = "yes" ; then else FUZZ_EXE_LDFLAGS="$LIB_FUZZING_ENGINE" fi + + # Specify a filter to only instrument code that is directly related to + # virtual-devices. + if test "$have_clang_coverage_filter" = "yes" ; then + cp "$source_path/scripts/oss-fuzz/instrumentation-filter-template" \ + instrumentation-filter + QEMU_CFLAGS="$QEMU_CFLAGS -fsanitize-coverage-allowlist=instrumentation-filter" + fi fi if test "$plugins" = "yes" ; then diff --git a/scripts/oss-fuzz/instrumentation-filter-template b/scripts/oss-fuzz/instrumentation-filter-template new file mode 100644 index 0000000000..76d2b6139a --- /dev/null +++ b/scripts/oss-fuzz/instrumentation-filter-template @@ -0,0 +1,15 @@ +# Code that we actually want the fuzzer to target +# See: https://clang.llvm.org/docs/SanitizerCoverage.html#disabling-instrumentation-without-source-modification +# +src:*/hw/* +src:*/include/hw/* +src:*/slirp/* +src:*/net/* + +# We don't care about coverage over fuzzer-specific code, however we should +# instrument the fuzzer entry-point so libFuzzer always sees at least some +# coverage - otherwise it will exit after the first input +src:*/tests/qtest/fuzz/fuzz.c + +# Enable instrumentation for all functions in those files +fun:* |