On 210618 1148, Alexander Bulekov wrote:
<snip>
> diff --git a/configure b/configure
> index debd50c085..40412bcfcf 100755
> --- a/configure
> +++ b/configure
> @@ -6089,6 +6089,10 @@ if test "$fuzzing" = "yes" ; then
> # If LIB_FUZZING_ENGINE is set, assume we are running on OSS-Fuzz, and the
> # needed CFLAGS have already been provided
> if test -z "${LIB_FUZZING_ENGINE+xxx}" ; then
> + # Specify a filter to only instrument code that is directly related to
> + # virtual-devices.
> + QEMU_CFLAGS="$QEMU_CFLAGS
> -fsanitize-coverage-allowlist=$source_path/scripts/oss-fuzz/instrumentation-filter"
Hmm, I just realized this flag seems to only be available for clang-11+.
We will need to do some probing before enabling it here.
> +
> # Add CFLAGS to tell clang to add fuzzer-related instrumentation to all
> the
> # compiled code.
> QEMU_CFLAGS="$QEMU_CFLAGS -fsanitize=fuzzer-no-link"
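Review bot: the `-fsanitize-coverage-allowlist=` flag is appended to `QEMU_CFLAGS` unconditionally inside the `test -z "${LIB_FUZZING_ENGINE+xxx}"` branch, but it is only accepted by clang 11 and newer (as the reply notes), so a `--enable-fuzzing` build with an older clang will fail at compile time; gate it behind a compile probe that tries the flag together with `-fsanitize=fuzzer-no-link` on a throwaway file and only adds it on success. Two smaller points on the same hunk: because the flag lives in the branch that is skipped when `LIB_FUZZING_ENGINE` is set, OSS-Fuzz builds (which, per the existing comment, provide their own CFLAGS) will not get the filter at all, so say in the comment whether that is intended or add it to the OSS-Fuzz path too; and the new comment should mention that the allowlist only narrows the coverage instrumentation enabled by the `-fsanitize=fuzzer-no-link` line a few lines below, rather than being a feature on its own.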
> diff --git a/scripts/oss-fuzz/instrumentation-filter
> b/scripts/oss-fuzz/instrumentation-filter
> new file mode 100644
> index 0000000000..44e853159c
> --- /dev/null
> +++ b/scripts/oss-fuzz/instrumentation-filter
> @@ -0,0 +1,14 @@
> +# Code that we actually want the fuzzer to target
> +# See:
> https://clang.llvm.org/docs/SanitizerCoverage.html#disabling-instrumentation-without-source-modification
> +#
> +src:*/hw/*
> +src:*/include/hw/*
> +src:*/slirp/*
> +
> +# We don't care about coverage over fuzzer-specific code, however we should
> +# instrument the fuzzer entry-point so libFuzzer always sees at least some
> +# coverage - otherwise it will exit after the first input
> +src:*/tests/qtest/fuzz/fuzz.c
> +
> +# Enable instrumentation for all functions in those files
> +fun:*
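Review bot: `src:*/include/hw/*` is redundant with `src:*/hw/*` directly above it, because `*` in a sanitizer special-case list matches any sequence of characters including `/`, so `*/hw/*` already matches every path containing a `/hw/` component (including `include/hw/`); drop the second entry or, if it is meant as documentation that headers are covered, say so in the comment. It is also worth double-checking that a header pattern does anything here at all: as far as I can tell the `src:` match is made against the source file of the translation unit being compiled, so inline helpers from `include/hw/*` are instrumented (or not) according to the `.c` file they are included into, not their own path. Finally, `fun:*` is required for any `src:` entry to take effect (a function is instrumented only when both its file and its name are allowed), so the comment "Enable instrumentation for all functions in those files" should say that the line is mandatory rather than optional, otherwise someone trimming the file later may remove it.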
> --
> 2.28.0
>
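A compile probe of the kind the reply above calls for, written here as an added example for this page and not taken from QEMU's configure: it tries `-fsanitize-coverage-allowlist=` together with `-fsanitize=fuzzer-no-link` on a throwaway translation unit and reports the flag as usable only when that compile succeeds, so older clang (which rejects the flag) and gcc (which does not know it) leave `QEMU_CFLAGS` untouched instead of breaking the build. The function names `probe_coverage_allowlist` and `coverage_allowlist_cflags`, the temporary-directory layout and the constructed two-line allowlist are assumptions; QEMU's configure has its own probe helpers, which this example does not use.

```shell
# Added example: feature-probe for clang's -fsanitize-coverage-allowlist= flag.
# Not QEMU's configure code; function names and file layout are assumptions.
#
# probe_coverage_allowlist <compiler> [extra compiler flags...]
#   Returns 0 if the compiler accepts the allowlist flag, 1 otherwise.
probe_coverage_allowlist() {
    probe_cc="$1"
    shift
    probe_dir=$(mktemp -d) || return 1

    # Constructed allowlist in the SanitizerCoverage special-case-list format.
    # Both a src: and a fun: entry must match for a function to be instrumented,
    # which is why the real filter file ends with "fun:*".
    cat >"$probe_dir/allowlist" <<'EOF'
src:*
fun:*
EOF
    cat >"$probe_dir/probe.c" <<'EOF'
int probe(int x) { return x + 1; }
EOF

    # The allowlist only has an effect when coverage instrumentation is on, so
    # it is probed together with -fsanitize=fuzzer-no-link, exactly as it would
    # be used. -Werror turns clang's "unused command-line argument" warning into
    # a failure, so a silently ignored flag is not mistaken for a supported one;
    # clang < 11 and gcc reject the flag outright.
    if "$probe_cc" -Werror -fsanitize=fuzzer-no-link \
            "-fsanitize-coverage-allowlist=$probe_dir/allowlist" \
            -c "$probe_dir/probe.c" -o "$probe_dir/probe.o" "$@" \
            >/dev/null 2>&1; then
        probe_rc=0
    else
        probe_rc=1
    fi
    rm -rf "$probe_dir"
    return $probe_rc
}

# coverage_allowlist_cflags <compiler> <allowlist path>
#   Prints the flag to append to CFLAGS, or nothing when the compiler does not
#   support it, so the caller can append the result unconditionally.
coverage_allowlist_cflags() {
    if probe_coverage_allowlist "$1"; then
        printf '%s\n' "-fsanitize-coverage-allowlist=$2"
    fi
}

# Sample driver (the compiler and path are assumptions, not configure's values):
# QEMU_CFLAGS="$QEMU_CFLAGS $(coverage_allowlist_cflags "${CC:-clang}" \
#     "$PWD/scripts/oss-fuzz/instrumentation-filter")"
```

Appending the output of `coverage_allowlist_cflags` is safe on every compiler because it is empty whenever the probe fails; the `-fsanitize=fuzzer-no-link` line that follows in configure is still added separately, so an older clang keeps full-tree instrumentation rather than losing fuzzing support.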