On 230213 1426, Darren Kenny wrote: > Hi Alex, > > On Saturday, 2023-02-04 at 23:29:44 -05, Alexander Bulekov wrote: > > Signed-off-by: Alexander Bulekov <alx...@bu.edu> > > --- > > tests/qtest/fuzz/generic_fuzz.c | 106 +++++++------------------------- > > 1 file changed, 23 insertions(+), 83 deletions(-) > > > > diff --git a/tests/qtest/fuzz/generic_fuzz.c > > b/tests/qtest/fuzz/generic_fuzz.c > > index 7326f6840b..c2e5642150 100644 > > --- a/tests/qtest/fuzz/generic_fuzz.c > > +++ b/tests/qtest/fuzz/generic_fuzz.c > > @@ -18,7 +18,6 @@ > > #include "tests/qtest/libqtest.h" > > #include "tests/qtest/libqos/pci-pc.h" > > #include "fuzz.h" > > -#include "fork_fuzz.h" > > #include "string.h" > > #include "exec/memory.h" > > #include "exec/ramblock.h" > > @@ -29,6 +28,8 @@ > > #include "generic_fuzz_configs.h" > > #include "hw/mem/sparse-mem.h" > > > > +static void pci_enum(gpointer pcidev, gpointer bus); > > + > > /* > > * SEPARATOR is used to separate "operations" in the fuzz input > > */ 
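Review bot: The prototype `static void pci_enum(gpointer pcidev, gpointer bus);` inserted between the includes and the SEPARATOR comment has no comment saying why a forward declaration is now needed, and the call site that requires it is not in this excerpt, so a reader cannot tell whether moving the definition up would avoid it. If the prototype stays, a one-line comment such as `/* forward declaration: pci_enum() is referenced before its definition */` would make the intent clear. The commit message quoted here carries only a Signed-off-by line, so the reason for dropping fork_fuzz.h and the handle_timeout handler (the later hunk, which this excerpt cuts off) is recorded only in the reply below; a short description stating that timeout handling now belongs to the fuzzer would help future readers of the log.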
> > @@ -589,30 +590,6 @@ static void op_disable_pci(QTestState *s, const > > unsigned char *data, size_t len) > > pci_disabled = true; > > } > > > > -static void handle_timeout(int sig) > > -{ > > - if (qtest_log_enabled) { > > - fprintf(stderr, "[Timeout]\n"); > > - fflush(stderr); > > - } > > - > > - /* > > - * If there is a crash, libfuzzer/ASAN forks a child to run an > > - * "llvm-symbolizer" process for printing out a pretty stacktrace. It > > - * communicates with this child using a pipe. If we timeout+Exit, > > while > > - * libfuzzer is still communicating with the llvm-symbolizer child, we > > will > > - * be left with an orphan llvm-symbolizer process. Sometimes, this > > appears > > - * to lead to a deadlock in the forkserver. Use waitpid to check if > > there > > - * are any waitable children. If so, exit out of the signal-handler, > > and > > - * let libfuzzer finish communicating with the child, and exit, on its > > own. > > - */ > > - if (waitpid(-1, NULL, WNOHANG) == 0) { > > - return; > > - } > > - > > - _Exit(0); > > -} > > - > > /* > > > > I'm presuming that the timeout is being left to the fuzz orchestrator > now, rather than us managing it directly in our own way?
Yes. The fuzzer should handle timeouts directly now. -Alex