LLVM provides libFuzzer which does coverage-guided
fuzzing of a library or application under test. For
SPDK, we can use this as a new and better way to
generate random commands to the SPDK nvmf target.
By default, libFuzzer provides the main() and your
source file just provides the function called by
LLVM for each iteration of random data. But this
doesn't really work for SPDK since we need to start
the app framework and the nvmf target. So we
specify -fsanitizer=fuzzer-no-link, explicitly
specify the location of the fuzzer_no_main library
and then call LLVMFuzzerRunDriver to start the
fuzzing process once we are ready.
Since this is all coverage-guided, we invoke the
fuzzer inside the nvmf target application. So this
patch creates a new target application called
'llvm_nvme_fuzz'. One core is needed to run the
nvmf target, then we spawn a pthread to run the
fuzzer against it.
Currently there are two fuzzers defined. Fuzzer 0
does random testing of admin commands. Fuzzer 1
is focused solely on GET_LOG_PAGE and fuzzes a
smaller subset of the bytes in the spdk_nvme_cmd.
Additional fuzzers can be added in the future for
other commands, testing I/O queues, data payloads,
etc.
You do need to specify CC and CXX when running
configure, as well as specify the location of the
special clang_rt.fuzz_no_main library. The path of
that library is dependent on your clang version and
architecture. If using clang-12 on x86_64 platform,
it will look like:
CC=clang-12 CXX=clang++-12 ./configure --with-fuzzer= \
/usr/lib/llvm-12/lib/clang/12.0.0/lib/linux/libclang_rt.fuzzer_no_main-x86_64.a
Then just do the following to demonstrate the fuzzer
tool.
make
test/nvmf/target/llvm_nvme_fuzz.sh --time=60 --fuzzer=0
Signed-off-by: Jim Harris <james.r.harris@intel.com>
Change-Id: Iee0997501893ac284a3947a1db7a155c5ceb7849
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/10038
Reviewed-by: Changpeng Liu <changpeng.liu@intel.com>
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
050565e5ab