configure: Add sanitizer "fuzzer-no-link"

Adds instrumentation for fuzzing to the binaries but links to the usual
main function instead of a fuzzer's. The similar sanitizer "fuzzer"
should then be used only for building the test itself.

Requires clang 6 or higher.

Change-Id: I24ee1f018b0b97f2977dc86fbdc29a164d7c4e01
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>

config_help.txt

@@ -131,7 +131,7 @@ Build options:
                          Currently supported backends are 'etw' (Windows) and
                          'lttng' (Linux), or 'yes' for auto-detection. [no]
 
-  -sanitize {address|thread|memory|undefined}
+  -sanitize {address|thread|memory|fuzzer-no-link|undefined}
                          Instrument with the specified compiler sanitizer.
                          Note that some sanitizers cannot be combined;
                          for example, -sanitize address cannot be combined with

configure.json

@@ -895,6 +895,12 @@
             "autoDetect": false,
             "output": [ "publicConfig" ]
         },
+        "sanitize_fuzzer_no_link": {
+            "label": "Fuzzer (instrumentation only)",
+            "autoDetect": false,
+            "output": [ "publicConfig" ],
+            "purpose": [ "Adds instrumentation for fuzzing to the binaries but links to the usual main function instead of a fuzzer's." ]
+        },
         "sanitize_undefined": {
             "label": "Undefined",
             "autoDetect": false,
@@ -902,7 +908,7 @@
         },
         "sanitizer": {
             "label": "Sanitizers",
-            "condition": "features.sanitize_address || features.sanitize_thread || features.sanitize_memory || features.sanitize_undefined",
+            "condition": "features.sanitize_address || features.sanitize_thread || features.sanitize_memory || features.sanitize_fuzzer_no_link || features.sanitize_undefined",
             "output": [ "sanitizer", "publicConfig" ]
         },
         "coverage_trace_pc_guard": {
@@ -1444,6 +1450,11 @@ Qt can be built in release mode with separate debug information, so
             "type": "error",
             "condition": "features.coverage && !config.clang",
             "message": "Command line option -coverage is only supported with clang compilers."
+        },
+        {
+            "type": "error",
+            "condition": "features.sanitize_fuzzer_no_link && !config.clang",
+            "message": "Command line option -sanitize fuzzer-no-link is only supported with clang compilers."
         }
     ],
 
@@ -1581,7 +1592,13 @@ Configure with '-qreal float' to create a build that is binary-compatible with 5
                 {
                     "section": "Sanitizers",
                     "condition": "features.sanitizer",
-                    "entries": [ "sanitize_address", "sanitize_thread", "sanitize_memory", "sanitize_undefined" ]
+                    "entries": [
+                        "sanitize_address",
+                        "sanitize_thread",
+                        "sanitize_memory",
+                        "sanitize_fuzzer_no_link",
+                        "sanitize_undefined"
+                    ]
                 },
                 {
                     "message": "Code Coverage Instrumentation",

configure.pri

@@ -53,6 +53,8 @@ defineTest(qtConfCommandline_sanitize) {
             qtConfCommandlineSetInput("sanitize_thread", "yes")
         } else: equals(val, "memory") {
             qtConfCommandlineSetInput("sanitize_memory", "yes")
+        } else: equals(val, "fuzzer-no-link") {
+            qtConfCommandlineSetInput("sanitize_fuzzer_no_link", "yes")
         } else: equals(val, "undefined") {
             qtConfCommandlineSetInput("sanitize_undefined", "yes")
         } else {

mkspecs/common/sanitize.conf

@@ -17,6 +17,10 @@ QMAKE_SANITIZE_MEMORY_CFLAGS      = -fsanitize=memory
 QMAKE_SANITIZE_MEMORY_CXXFLAGS    = -fsanitize=memory
 QMAKE_SANITIZE_MEMORY_LFLAGS      = -fsanitize=memory
 
+QMAKE_SANITIZE_FUZZERNL_CFLAGS    = -fsanitize=fuzzer-no-link
+QMAKE_SANITIZE_FUZZERNL_CXXFLAGS  = -fsanitize=fuzzer-no-link
+QMAKE_SANITIZE_FUZZERNL_LFLAGS    = -fsanitize=fuzzer-no-link
+
 QMAKE_SANITIZE_UNDEFINED_CFLAGS   = -fsanitize=undefined
 QMAKE_SANITIZE_UNDEFINED_CXXFLAGS = -fsanitize=undefined
 QMAKE_SANITIZE_UNDEFINED_LFLAGS   = -fsanitize=undefined

mkspecs/features/sanitizer.prf

@@ -42,6 +42,12 @@ sanitize_thread {
     QMAKE_LFLAGS   += $$QMAKE_SANITIZE_THREAD_LFLAGS
 }
 
+sanitize_fuzzer_no_link {
+    QMAKE_CFLAGS   += $$QMAKE_SANITIZE_FUZZERNL_CFLAGS
+    QMAKE_CXXFLAGS += $$QMAKE_SANITIZE_FUZZERNL_CXXFLAGS
+    QMAKE_LFLAGS   += $$QMAKE_SANITIZE_FUZZERNL_LFLAGS
+}
+
 sanitize_undefined {
     QMAKE_CFLAGS   += $$QMAKE_SANITIZE_UNDEFINED_CFLAGS
     QMAKE_CXXFLAGS += $$QMAKE_SANITIZE_UNDEFINED_CXXFLAGS

tests/libfuzzer/README

@@ -17,6 +17,8 @@ To run a test with libFuzzer:
    install libFuzzer for this version of clang explicitly.
 2. Make sure clang and clang++ from this version of clang are found in PATH.
 3. Configure Qt with
+    -platform linux-clang -sanitize fuzzer-no-link
+   or, if you are using clang 5
     -platform linux-clang -coverage trace-pc-guard
    to add the needed code coverage instrumentation. Since speed of execution is crucial for fuzz
    testing, it's recommendable to also use the switches