fuzz: Disable QEMU's SIG{INT,HUP,TERM} handlers

Prior to this patch, the only way I found to terminate the fuzzer was either to: 1. Explicitly specify the number of fuzzer runs with the -runs= flag 2. SIGKILL the process with "pkill -9 qemu-fuzz-*" or similar In addition to being annoying to deal with, SIGKILLing the process skips over any exit handlers(e.g. registered with atexit()). This is bad, since some fuzzers might create temporary files that should ideally be removed on exit using an exit handler. The only way to achieve a clean exit now is to specify -runs=N , but the desired "N" is tricky to identify prior to fuzzing. Why doesn't the process exit with standard SIGINT,SIGHUP,SIGTERM signals? QEMU installs its own handlers for these signals in os-posix.c:os_setup_signal_handling, which notify the main loop that an exit was requested. The fuzzer, however, does not run qemu_main_loop, which performs the main_loop_should_exit() check. This means that the fuzzer effectively ignores these signals. As we don't really care about cleanly stopping the disposable fuzzer "VM", this patch uninstalls QEMU's signal handlers. Thus, we can stop the fuzzer with SIG{INT,HUP,TERM} and the fuzzing code can optionally use atexit() to clean up temporary files/resources. Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20201014142157.46028-1-alxndr@bu.edu> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

fuzz: Disable QEMU's SIG{INT,HUP,TERM} handlers
Prior to this patch, the only way I found to terminate the fuzzer was either to: 1. Explicitly specify the number of fuzzer runs with the -runs= flag 2. SIGKILL the process with "pkill -9 qemu-fuzz-*" or similar In addition to being annoying to deal with, SIGKILLing the process skips over any exit handlers(e.g. registered with atexit()). This is bad, since some fuzzers might create temporary files that should ideally be removed on exit using an exit handler. The only way to achieve a clean exit now is to specify -runs=N , but the desired "N" is tricky to identify prior to fuzzing. Why doesn't the process exit with standard SIGINT,SIGHUP,SIGTERM signals? QEMU installs its own handlers for these signals in os-posix.c:os_setup_signal_handling, which notify the main loop that an exit was requested. The fuzzer, however, does not run qemu_main_loop, which performs the main_loop_should_exit() check. This means that the fuzzer effectively ignores these signals. As we don't really care about cleanly stopping the disposable fuzzer "VM", this patch uninstalls QEMU's signal handlers. Thus, we can stop the fuzzer with SIG{INT,HUP,TERM} and the fuzzing code can optionally use atexit() to clean up temporary files/resources. Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20201014142157.46028-1-alxndr@bu.edu> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
fc69fa21 · Alexander Bulekov · Paolo Bonzini · 5bfb4f52 · fc69fa21
Commit fc69fa21 authored 4 years ago by Alexander Bulekov Committed by Paolo Bonzini 4 years ago
--- a/tests/qtest/fuzz/fuzz.c
+++ b/tests/qtest/fuzz/fuzz.c
@@ -217,5 +217,13 @@ int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp)
    /* re-enable the rcu atfork, which was previously disabled in qemu_init */
    rcu_enable_atfork();

+    /*
+     * Disable QEMU's signal handlers, since we manually control the main_loop,
+     * and don't check for main_loop_should_exit
+     */
+    signal(SIGINT, SIG_DFL);
+    signal(SIGHUP, SIG_DFL);
+    signal(SIGTERM, SIG_DFL);
+
    return 0;
 }