tests/qtest/fuzz/qos_fuzz.c

   1 /*
   2  * QOS-assisted fuzzing helpers
   3  *
   4  * Copyright (c) 2018 Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com>
   5  *
   6  * This library is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License version 2.1 as published by the Free Software Foundation.
   9  *
  10  * This library is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  13  * Lesser General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU Lesser General Public
  16  * License along with this library; if not, see <http://www.gnu.org/licenses/>
  17  */
  18
  19 #include "qemu/osdep.h"
  20 #include "qemu/units.h"
  21 #include "qapi/error.h"
  22 #include "exec/memory.h"
  23 #include "qemu/main-loop.h"
  24
  25 #include "tests/qtest/libqos/libqtest.h"
  26 #include "tests/qtest/libqos/malloc.h"
  27 #include "tests/qtest/libqos/qgraph.h"
  28 #include "tests/qtest/libqos/qgraph_internal.h"
  29 #include "tests/qtest/libqos/qos_external.h"
  30
  31 #include "fuzz.h"
  32 #include "qos_fuzz.h"
  33
  34 #include "qapi/qapi-commands-machine.h"
  35 #include "qapi/qapi-commands-qom.h"
  36
  37
  38 void *fuzz_qos_obj;
  39 QGuestAllocator *fuzz_qos_alloc;
  40
  41 static const char *fuzz_target_name;
  42 static char **fuzz_path_vec;
  43
  44 static void qos_set_machines_devices_available(void)
  45 {
  46     MachineInfoList *mach_info;
  47     ObjectTypeInfoList *type_info;
  48
  49     mach_info = qmp_query_machines(&error_abort);
  50     machines_apply_to_node(mach_info);
  51     qapi_free_MachineInfoList(mach_info);
  52
  53     type_info = qmp_qom_list_types(true, "device", true, true,
  54                                    &error_abort);
  55     types_apply_to_node(type_info);
  56     qapi_free_ObjectTypeInfoList(type_info);
  57 }
  58
  59 static char **current_path;
  60
  61 void *qos_allocate_objects(QTestState *qts, QGuestAllocator **p_alloc)
  62 {
  63     return allocate_objects(qts, current_path + 1, p_alloc);
  64 }
  65
  66 static GString *qos_build_main_args(void)
  67 {
  68     char **path = fuzz_path_vec;
  69     QOSGraphNode *test_node;
  70     GString *cmd_line;
  71     void *test_arg;
  72
  73     if (!path) {
  74         fprintf(stderr, "QOS Path not found\n");
  75         abort();
  76     }
  77
  78     /* Before test */
  79     cmd_line = g_string_new(path[0]);
  80     current_path = path;
  81     test_node = qos_graph_get_node(path[(g_strv_length(path) - 1)]);
  82     test_arg = test_node->u.test.arg;
  83     if (test_node->u.test.before) {
  84         test_arg = test_node->u.test.before(cmd_line, test_arg);
  85     }
  86     /* Prepend the arguments that we need */
  87     g_string_prepend(cmd_line,
  88             TARGET_NAME " -display none -machine accel=qtest -m 64 ");
  89     return cmd_line;
  90 }
  91
  92 /*
  93  * This function is largely a copy of qos-test.c:walk_path. Since walk_path
  94  * is itself a callback, its a little annoying to add another argument/layer of
  95  * indirection
  96  */
  97 static void walk_path(QOSGraphNode *orig_path, int len)
  98 {
  99     QOSGraphNode *path;
 100     QOSGraphEdge *edge;
 101
 102     /*
 103      * etype set to QEDGE_CONSUMED_BY so that machine can add to the command
 104      * line
 105      */
 106     QOSEdgeType etype = QEDGE_CONSUMED_BY;
 107
 108     /* twice QOS_PATH_MAX_ELEMENT_SIZE since each edge can have its arg */
 109     char **path_vec = g_new0(char *, (QOS_PATH_MAX_ELEMENT_SIZE * 2));
 110     int path_vec_size = 0;
 111
 112     char *after_cmd, *before_cmd, *after_device;
 113     GString *after_device_str = g_string_new("");
 114     char *node_name = orig_path->name, *path_str;
 115
 116     GString *cmd_line = g_string_new("");
 117     GString *cmd_line2 = g_string_new("");
 118
 119     path = qos_graph_get_node(node_name); /* root */
 120     node_name = qos_graph_edge_get_dest(path->path_edge); /* machine name */
 121
 122     path_vec[path_vec_size++] = node_name;
 123     path_vec[path_vec_size++] = qos_get_machine_type(node_name);
 124
 125     for (;;) {
 126         path = qos_graph_get_node(node_name);
 127         if (!path->path_edge) {
 128             break;
 129         }
 130
 131         node_name = qos_graph_edge_get_dest(path->path_edge);
 132
 133         /* append node command line + previous edge command line */
 134         if (path->command_line && etype == QEDGE_CONSUMED_BY) {
 135             g_string_append(cmd_line, path->command_line);
 136             g_string_append(cmd_line, after_device_str->str);
 137             g_string_truncate(after_device_str, 0);
 138         }
 139
 140         path_vec[path_vec_size++] = qos_graph_edge_get_name(path->path_edge);
 141         /* detect if edge has command line args */
 142         after_cmd = qos_graph_edge_get_after_cmd_line(path->path_edge);
 143         after_device = qos_graph_edge_get_extra_device_opts(path->path_edge);
 144         before_cmd = qos_graph_edge_get_before_cmd_line(path->path_edge);
 145         edge = qos_graph_get_edge(path->name, node_name);
 146         etype = qos_graph_edge_get_type(edge);
 147
 148         if (before_cmd) {
 149             g_string_append(cmd_line, before_cmd);
 150         }
 151         if (after_cmd) {
 152             g_string_append(cmd_line2, after_cmd);
 153         }
 154         if (after_device) {
 155             g_string_append(after_device_str, after_device);
 156         }
 157     }
 158
 159     path_vec[path_vec_size++] = NULL;
 160     g_string_append(cmd_line, after_device_str->str);
 161     g_string_free(after_device_str, true);
 162
 163     g_string_append(cmd_line, cmd_line2->str);
 164     g_string_free(cmd_line2, true);
 165
 166     /*
 167      * here position 0 has <arch>/<machine>, position 1 has <machine>.
 168      * The path must not have the <arch>, qtest_add_data_func adds it.
 169      */
 170     path_str = g_strjoinv("/", path_vec + 1);
 171
 172     /* Check that this is the test we care about: */
 173     char *test_name = strrchr(path_str, '/') + 1;
 174     if (strcmp(test_name, fuzz_target_name) == 0) {
 175         /*
 176          * put arch/machine in position 1 so run_one_test can do its work
 177          * and add the command line at position 0.
 178          */
 179         path_vec[1] = path_vec[0];
 180         path_vec[0] = g_string_free(cmd_line, false);
 181
 182         fuzz_path_vec = path_vec;
 183     } else {
 184         g_free(path_vec);
 185     }
 186
 187     g_free(path_str);
 188 }
 189
 190 static GString *qos_get_cmdline(FuzzTarget *t)
 191 {
 192     /*
 193      * Set a global variable that we use to identify the qos_path for our
 194      * fuzz_target
 195      */
 196     fuzz_target_name = t->name;
 197     qos_set_machines_devices_available();
 198     qos_graph_foreach_test_path(walk_path);
 199     return qos_build_main_args();
 200 }
 201
 202 void fuzz_add_qos_target(
 203         FuzzTarget *fuzz_opts,
 204         const char *interface,
 205         QOSGraphTestOptions *opts
 206         )
 207 {
 208     qos_add_test(fuzz_opts->name, interface, NULL, opts);
 209     fuzz_opts->get_init_cmdline = qos_get_cmdline;
 210     fuzz_add_target(fuzz_opts);
 211 }
 212
 213 void qos_init_path(QTestState *s)
 214 {
 215     fuzz_qos_obj = qos_allocate_objects(s , &fuzz_qos_alloc);
 216 }