tests/qtest/fuzz/qos_fuzz.c

   1 /*
   2  * QOS-assisted fuzzing helpers
   3  *
   4  * Copyright (c) 2018 Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com>
   5  *
   6  * This library is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License version 2.1 as published by the Free Software Foundation.
   9  *
  10  * This library is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  13  * Lesser General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU Lesser General Public
  16  * License along with this library; if not, see <http://www.gnu.org/licenses/>
  17  */
  18
  19 #include "qemu/osdep.h"
  20 #include "qemu/units.h"
  21 #include "qapi/error.h"
  22 #include "exec/memory.h"
  23 #include "qemu/main-loop.h"
  24
  25 #include "tests/qtest/libqtest.h"
  26 #include "tests/qtest/libqos/libqos-malloc.h"
  27 #include "tests/qtest/libqos/qgraph.h"
  28 #include "tests/qtest/libqos/qgraph_internal.h"
  29 #include "tests/qtest/libqos/qos_external.h"
  30
  31 #include "fuzz.h"
  32 #include "qos_fuzz.h"
  33
  34 #include "qapi/qapi-commands-machine.h"
  35 #include "qapi/qapi-commands-qom.h"
  36
  37
  38 void *fuzz_qos_obj;
  39 QGuestAllocator *fuzz_qos_alloc;
  40
  41 static const char *fuzz_target_name;
  42 static char **fuzz_path_vec;
  43
  44 static void qos_set_machines_devices_available(void)
  45 {
  46     MachineInfoList *mach_info;
  47     ObjectTypeInfoList *type_info;
  48
  49     mach_info = qmp_query_machines(&error_abort);
  50     machines_apply_to_node(mach_info);
  51     qapi_free_MachineInfoList(mach_info);
  52
  53     type_info = qmp_qom_list_types("device", true, true, &error_abort);
  54     types_apply_to_node(type_info);
  55     qapi_free_ObjectTypeInfoList(type_info);
  56 }
  57
  58 static char **current_path;
  59
  60 void *qos_allocate_objects(QTestState *qts, QGuestAllocator **p_alloc)
  61 {
  62     return allocate_objects(qts, current_path + 1, p_alloc);
  63 }
  64
  65 static GString *qos_build_main_args(void)
  66 {
  67     char **path = fuzz_path_vec;
  68     QOSGraphNode *test_node;
  69     GString *cmd_line;
  70     void *test_arg;
  71
  72     if (!path) {
  73         fprintf(stderr, "QOS Path not found\n");
  74         abort();
  75     }
  76
  77     /* Before test */
  78     cmd_line = g_string_new(path[0]);
  79     current_path = path;
  80     test_node = qos_graph_get_node(path[(g_strv_length(path) - 1)]);
  81     test_arg = test_node->u.test.arg;
  82     if (test_node->u.test.before) {
  83         test_arg = test_node->u.test.before(cmd_line, test_arg);
  84     }
  85     /* Prepend the arguments that we need */
  86     g_string_prepend(cmd_line,
  87             TARGET_NAME " -display none -machine accel=qtest -m 64 ");
  88     return cmd_line;
  89 }
  90
  91 /*
  92  * This function is largely a copy of qos-test.c:walk_path. Since walk_path
  93  * is itself a callback, its a little annoying to add another argument/layer of
  94  * indirection
  95  */
  96 static void walk_path(QOSGraphNode *orig_path, int len)
  97 {
  98     QOSGraphNode *path;
  99     QOSGraphEdge *edge;
 100
 101     /*
 102      * etype set to QEDGE_CONSUMED_BY so that machine can add to the command
 103      * line
 104      */
 105     QOSEdgeType etype = QEDGE_CONSUMED_BY;
 106
 107     /* twice QOS_PATH_MAX_ELEMENT_SIZE since each edge can have its arg */
 108     char **path_vec = g_new0(char *, (QOS_PATH_MAX_ELEMENT_SIZE * 2));
 109     int path_vec_size = 0;
 110
 111     char *after_cmd, *before_cmd, *after_device;
 112     GString *after_device_str = g_string_new("");
 113     char *node_name = orig_path->name, *path_str;
 114
 115     GString *cmd_line = g_string_new("");
 116     GString *cmd_line2 = g_string_new("");
 117
 118     path = qos_graph_get_node(node_name); /* root */
 119     node_name = qos_graph_edge_get_dest(path->path_edge); /* machine name */
 120
 121     path_vec[path_vec_size++] = node_name;
 122     path_vec[path_vec_size++] = qos_get_machine_type(node_name);
 123
 124     for (;;) {
 125         path = qos_graph_get_node(node_name);
 126         if (!path->path_edge) {
 127             break;
 128         }
 129
 130         node_name = qos_graph_edge_get_dest(path->path_edge);
 131
 132         /* append node command line + previous edge command line */
 133         if (path->command_line && etype == QEDGE_CONSUMED_BY) {
 134             g_string_append(cmd_line, path->command_line);
 135             g_string_append(cmd_line, after_device_str->str);
 136             g_string_truncate(after_device_str, 0);
 137         }
 138
 139         path_vec[path_vec_size++] = qos_graph_edge_get_name(path->path_edge);
 140         /* detect if edge has command line args */
 141         after_cmd = qos_graph_edge_get_after_cmd_line(path->path_edge);
 142         after_device = qos_graph_edge_get_extra_device_opts(path->path_edge);
 143         before_cmd = qos_graph_edge_get_before_cmd_line(path->path_edge);
 144         edge = qos_graph_get_edge(path->name, node_name);
 145         etype = qos_graph_edge_get_type(edge);
 146
 147         if (before_cmd) {
 148             g_string_append(cmd_line, before_cmd);
 149         }
 150         if (after_cmd) {
 151             g_string_append(cmd_line2, after_cmd);
 152         }
 153         if (after_device) {
 154             g_string_append(after_device_str, after_device);
 155         }
 156     }
 157
 158     path_vec[path_vec_size++] = NULL;
 159     g_string_append(cmd_line, after_device_str->str);
 160     g_string_free(after_device_str, true);
 161
 162     g_string_append(cmd_line, cmd_line2->str);
 163     g_string_free(cmd_line2, true);
 164
 165     /*
 166      * here position 0 has <arch>/<machine>, position 1 has <machine>.
 167      * The path must not have the <arch>, qtest_add_data_func adds it.
 168      */
 169     path_str = g_strjoinv("/", path_vec + 1);
 170
 171     /* Check that this is the test we care about: */
 172     char *test_name = strrchr(path_str, '/') + 1;
 173     if (strcmp(test_name, fuzz_target_name) == 0) {
 174         /*
 175          * put arch/machine in position 1 so run_one_test can do its work
 176          * and add the command line at position 0.
 177          */
 178         path_vec[1] = path_vec[0];
 179         path_vec[0] = g_string_free(cmd_line, false);
 180
 181         fuzz_path_vec = path_vec;
 182     } else {
 183         g_free(path_vec);
 184     }
 185
 186     g_free(path_str);
 187 }
 188
 189 static GString *qos_get_cmdline(FuzzTarget *t)
 190 {
 191     /*
 192      * Set a global variable that we use to identify the qos_path for our
 193      * fuzz_target
 194      */
 195     fuzz_target_name = t->name;
 196     qos_set_machines_devices_available();
 197     qos_graph_foreach_test_path(walk_path);
 198     return qos_build_main_args();
 199 }
 200
 201 void fuzz_add_qos_target(
 202         FuzzTarget *fuzz_opts,
 203         const char *interface,
 204         QOSGraphTestOptions *opts
 205         )
 206 {
 207     qos_add_test(fuzz_opts->name, interface, NULL, opts);
 208     fuzz_opts->get_init_cmdline = qos_get_cmdline;
 209     fuzz_add_target(fuzz_opts);
 210 }
 211
 212 void qos_init_path(QTestState *s)
 213 {
 214     fuzz_qos_obj = qos_allocate_objects(s , &fuzz_qos_alloc);
 215 }