tests/qtest/fuzz/qos_fuzz.c

   1 /*
   2  * QOS-assisted fuzzing helpers
   3  *
   4  * Copyright (c) 2018 Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com>
   5  *
   6  * This library is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License version 2.1 as published by the Free Software Foundation.
   9  *
  10  * This library is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  13  * Lesser General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU Lesser General Public
  16  * License along with this library; if not, see <http://www.gnu.org/licenses/>
  17  */
  18
  19 #include "qemu/osdep.h"
  20 #include "qemu/units.h"
  21 #include "qapi/error.h"
  22 #include "qemu-common.h"
  23 #include "exec/memory.h"
  24 #include "qemu/main-loop.h"
  25
  26 #include "tests/qtest/libqos/libqtest.h"
  27 #include "tests/qtest/libqos/malloc.h"
  28 #include "tests/qtest/libqos/qgraph.h"
  29 #include "tests/qtest/libqos/qgraph_internal.h"
  30 #include "tests/qtest/libqos/qos_external.h"
  31
  32 #include "fuzz.h"
  33 #include "qos_fuzz.h"
  34
  35 #include "qapi/qapi-commands-machine.h"
  36 #include "qapi/qapi-commands-qom.h"
  37
  38
  39 void *fuzz_qos_obj;
  40 QGuestAllocator *fuzz_qos_alloc;
  41
  42 static const char *fuzz_target_name;
  43 static char **fuzz_path_vec;
  44
  45 static void qos_set_machines_devices_available(void)
  46 {
  47     MachineInfoList *mach_info;
  48     ObjectTypeInfoList *type_info;
  49
  50     mach_info = qmp_query_machines(&error_abort);
  51     machines_apply_to_node(mach_info);
  52     qapi_free_MachineInfoList(mach_info);
  53
  54     type_info = qmp_qom_list_types(true, "device", true, true,
  55                                    &error_abort);
  56     types_apply_to_node(type_info);
  57     qapi_free_ObjectTypeInfoList(type_info);
  58 }
  59
  60 static char **current_path;
  61
  62 void *qos_allocate_objects(QTestState *qts, QGuestAllocator **p_alloc)
  63 {
  64     return allocate_objects(qts, current_path + 1, p_alloc);
  65 }
  66
  67 static GString *qos_build_main_args(void)
  68 {
  69     char **path = fuzz_path_vec;
  70     QOSGraphNode *test_node;
  71     GString *cmd_line;
  72     void *test_arg;
  73
  74     if (!path) {
  75         fprintf(stderr, "QOS Path not found\n");
  76         abort();
  77     }
  78
  79     /* Before test */
  80     cmd_line = g_string_new(path[0]);
  81     current_path = path;
  82     test_node = qos_graph_get_node(path[(g_strv_length(path) - 1)]);
  83     test_arg = test_node->u.test.arg;
  84     if (test_node->u.test.before) {
  85         test_arg = test_node->u.test.before(cmd_line, test_arg);
  86     }
  87     /* Prepend the arguments that we need */
  88     g_string_prepend(cmd_line,
  89             TARGET_NAME " -display none -machine accel=qtest -m 64 ");
  90     return cmd_line;
  91 }
  92
  93 /*
  94  * This function is largely a copy of qos-test.c:walk_path. Since walk_path
  95  * is itself a callback, its a little annoying to add another argument/layer of
  96  * indirection
  97  */
  98 static void walk_path(QOSGraphNode *orig_path, int len)
  99 {
 100     QOSGraphNode *path;
 101     QOSGraphEdge *edge;
 102
 103     /*
 104      * etype set to QEDGE_CONSUMED_BY so that machine can add to the command
 105      * line
 106      */
 107     QOSEdgeType etype = QEDGE_CONSUMED_BY;
 108
 109     /* twice QOS_PATH_MAX_ELEMENT_SIZE since each edge can have its arg */
 110     char **path_vec = g_new0(char *, (QOS_PATH_MAX_ELEMENT_SIZE * 2));
 111     int path_vec_size = 0;
 112
 113     char *after_cmd, *before_cmd, *after_device;
 114     GString *after_device_str = g_string_new("");
 115     char *node_name = orig_path->name, *path_str;
 116
 117     GString *cmd_line = g_string_new("");
 118     GString *cmd_line2 = g_string_new("");
 119
 120     path = qos_graph_get_node(node_name); /* root */
 121     node_name = qos_graph_edge_get_dest(path->path_edge); /* machine name */
 122
 123     path_vec[path_vec_size++] = node_name;
 124     path_vec[path_vec_size++] = qos_get_machine_type(node_name);
 125
 126     for (;;) {
 127         path = qos_graph_get_node(node_name);
 128         if (!path->path_edge) {
 129             break;
 130         }
 131
 132         node_name = qos_graph_edge_get_dest(path->path_edge);
 133
 134         /* append node command line + previous edge command line */
 135         if (path->command_line && etype == QEDGE_CONSUMED_BY) {
 136             g_string_append(cmd_line, path->command_line);
 137             g_string_append(cmd_line, after_device_str->str);
 138             g_string_truncate(after_device_str, 0);
 139         }
 140
 141         path_vec[path_vec_size++] = qos_graph_edge_get_name(path->path_edge);
 142         /* detect if edge has command line args */
 143         after_cmd = qos_graph_edge_get_after_cmd_line(path->path_edge);
 144         after_device = qos_graph_edge_get_extra_device_opts(path->path_edge);
 145         before_cmd = qos_graph_edge_get_before_cmd_line(path->path_edge);
 146         edge = qos_graph_get_edge(path->name, node_name);
 147         etype = qos_graph_edge_get_type(edge);
 148
 149         if (before_cmd) {
 150             g_string_append(cmd_line, before_cmd);
 151         }
 152         if (after_cmd) {
 153             g_string_append(cmd_line2, after_cmd);
 154         }
 155         if (after_device) {
 156             g_string_append(after_device_str, after_device);
 157         }
 158     }
 159
 160     path_vec[path_vec_size++] = NULL;
 161     g_string_append(cmd_line, after_device_str->str);
 162     g_string_free(after_device_str, true);
 163
 164     g_string_append(cmd_line, cmd_line2->str);
 165     g_string_free(cmd_line2, true);
 166
 167     /*
 168      * here position 0 has <arch>/<machine>, position 1 has <machine>.
 169      * The path must not have the <arch>, qtest_add_data_func adds it.
 170      */
 171     path_str = g_strjoinv("/", path_vec + 1);
 172
 173     /* Check that this is the test we care about: */
 174     char *test_name = strrchr(path_str, '/') + 1;
 175     if (strcmp(test_name, fuzz_target_name) == 0) {
 176         /*
 177          * put arch/machine in position 1 so run_one_test can do its work
 178          * and add the command line at position 0.
 179          */
 180         path_vec[1] = path_vec[0];
 181         path_vec[0] = g_string_free(cmd_line, false);
 182
 183         fuzz_path_vec = path_vec;
 184     } else {
 185         g_free(path_vec);
 186     }
 187
 188     g_free(path_str);
 189 }
 190
 191 static GString *qos_get_cmdline(FuzzTarget *t)
 192 {
 193     /*
 194      * Set a global variable that we use to identify the qos_path for our
 195      * fuzz_target
 196      */
 197     fuzz_target_name = t->name;
 198     qos_set_machines_devices_available();
 199     qos_graph_foreach_test_path(walk_path);
 200     return qos_build_main_args();
 201 }
 202
 203 void fuzz_add_qos_target(
 204         FuzzTarget *fuzz_opts,
 205         const char *interface,
 206         QOSGraphTestOptions *opts
 207         )
 208 {
 209     qos_add_test(fuzz_opts->name, interface, NULL, opts);
 210     fuzz_opts->get_init_cmdline = qos_get_cmdline;
 211     fuzz_add_target(fuzz_opts);
 212 }
 213
 214 void qos_init_path(QTestState *s)
 215 {
 216     fuzz_qos_obj = qos_allocate_objects(s , &fuzz_qos_alloc);
 217 }