ref: 4020f29448cdf1325378ed09199e9eedc851d5e5
parent: 6e82d2a07bdeba1e2b743bb991a943c12c2d5878
author: glenda <[email protected]>
date: Sat Nov 24 15:05:07 EST 2018
add debug mk target ;; add debug() function for printing debug messages ;; add comments indicating segfault locations ;; remove rfork call
--- a/fuzz.h
+++ b/fuzz.h
@@ -161,5 +161,6 @@
// main.c
void dolog(char*, ...);
+void debug(char*, ...);
#endif
--- a/input.c
+++ b/input.c
@@ -11,8 +11,10 @@
// increment the round counter
(sc->round)++;
+ debug("DEBUG: sc_c = %d\n", sc->c);
+
// TODO
- switch(sc->c) {
+ switch(sc->c -1) {
case sc_exits : // _exits(char*);
// mutate the input
mut_charstar((char**)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);
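Review bot: `switch(sc->c -1)` dispatches on a value one less than the `sc->c` that the new `debug("DEBUG: sc_c = %d\n", sc->c);` line prints two lines above it, so the log shows one number while the case that runs is the one for the number below it; that will mislead whoever reads the debug output to chase the segfaults this commit annotates. Either print the same value the switch uses, `debug("DEBUG: sc_c = %d\n", sc->c - 1);`, or add a comment at the switch stating why the offset exists (the hunk does not show whether `sc->c` is 1-based or the case labels are), e.g. `// sc->c is stored 1-based; the sc_* case labels are 0-based — TODO confirm`. The `TODO` already on the line above should say what is still to do. The enclosing function begins before the hunk.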
@@ -138,6 +140,7 @@
case sc_create : // create(char* : int : ulong);
// mutate the input
mut_charstar((char**)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);
+ // Segfaults when fuzzing close() ↓
mut_int((int*)((t_type*)lget(&(sc->inputs), 1))->var, &sc->round);
mut_ulong((ulong*)((t_type*)lget(&(sc->inputs), 2))->var, &sc->round);
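Review bot: The new `// Segfaults when fuzzing close() ↓` marker (and the matching `read()` marker in the next input.c hunk) records a symptom without a suspected cause, so the next reader has to rediscover it; each annotated line dereferences `((t_type*)lget(&(sc->inputs), N))->var` without checking what `lget` returned, and if `lget` can return nil or the inputs list is shorter than N+1 the fault would land exactly there. A greppable prefix plus that hint makes the note actionable, e.g. `// FIXME: segfaults when fuzzing close(); lget() result and ->var are dereferenced unchecked here`. The enclosing case and function extend beyond the hunk.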
@@ -458,6 +461,7 @@
mut_int((int*)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);
mut_IOchunkstar((IOchunk**)((t_type*)lget(&(sc->inputs), 1))->var, &sc->round);
mut_int((int*)((t_type*)lget(&(sc->inputs), 2))->var, &sc->round);
+ // Segfaults on fuzzing read() ↓
mut_vlong((long long*)((t_type*)lget(&(sc->inputs), 3))->var, &sc->round);
// log the variables
--- a/main.c
+++ b/main.c
@@ -26,6 +26,20 @@
va_end(args);
}
+// Perform a debug mode print (if built with -DDEBUG)
+void
+debug(char *fmt, ...)
+{
+ #ifdef DEBUG
+ va_list args;
+ va_start(args, fmt);
+
+ vfprint(1, fmt, args);
+
+ va_end(args);
+ #endif
+}
+
/* Prototypes */
void initsctable(void);
int name2index(char*);
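Review bot: debug() writes to fd 1 via `vfprint(1, fmt, args);` while the end-of-run message this same commit adds at the bottom of main goes to fd 2, so debug lines interleave with whatever the fuzzer itself emits on stdout and are lost when stdout is redirected; `vfprint(2, fmt, args);` keeps all diagnostics on stderr together. When DEBUG is not defined the body is empty and `fmt` is never read, which the Plan 9 compilers may report as an unused parameter; a `USED(fmt);` in an `#else` branch avoids that. Like dolog above it, the new prototype in fuzz.h carries no `#pragma varargck argpos debug 1`, so format/argument mismatches in the many new debug() calls go unchecked by the compiler.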
@@ -54,9 +68,9 @@
for(;*argv;argv++){
int index;
if((index = name2index(*argv)) > 0){
- #ifdef DEBUG
- print("DEBUG index: %d\n", index);
- #endif
+
+ debug("DEBUG index %d matched to \"%s\"\n", index, *argv);
+
dolog("Loading call: %s\n", *argv);
ladd(&tofuzz, &syscalls[index]); // Might be dangerous, pls fix
}else{
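Review bot: The new debug() call sits under the guard `if((index = name2index(*argv)) > 0)`, yet the name2index body visible later in this diff returns `i` starting from 0, so the first syscalls entry can never be selected and the new "matched to" line never prints for it; `>= 0` is presumably intended, with name2index's not-found return (outside that hunk) checked against it. Separately, every new call repeats a `DEBUG` prefix inside its format string (here and in the round loop in the next hunk); emitting the prefix once inside debug() would shorten the calls and keep it uniform.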
@@ -80,23 +94,21 @@
for(i = 0; i < nrounds || nrounds < 0; i++){
int j;
dolog("== Begin round %d ==\n", i);
+
+ debug("DEBUG: i: %d nrounds: %d\n", i, nrounds);
+
for(j = 0; j < tofuzz.size; j++){
+
+ debug("DEBUG: tofuzz.size: %d\n", tofuzz.size);
+
caller *fcall = (caller*) lget(&tofuzz, j);
dolog(" Fuzzing: %s \n", fcall->name);
fuzz(fcall); // Fuzz, syncs the disk
- /*
- // Someone in here is calling exits inappropriately so forking.
- int pid = rfork(RFFDG|RFREND|RFPROC|RFMEM);
- if(pid == 0){
- // Child
- fuzz(fcall); // Fuzz, syncs the disk
- exits(nil);
- }
- */
}
}
+ fprint(2, "Fuzz ending…\n");
close(logfd);
exits(nil);
}
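Review bot: `debug("DEBUG: tofuzz.size: %d\n", tofuzz.size);` is placed inside the `j` loop but prints a value the loop does not change, so it repeats once per call fuzzed; moving it up beside the `i`/`nrounds` line prints it once per round. With the rfork wrapper deleted, a crash inside fuzz() (the segfault sites this commit annotates in input.c and mutate.c) now ends the whole run before `fprint(2, "Fuzz ending…\n")` and `close(logfd)` are reached, so the "ending" message is only printed on a clean exit; a comment above the call such as `// fuzz() runs in-process: a fault here aborts the run before the log is closed` records that trade-off where the old fork code used to say so.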
@@ -122,9 +134,6 @@
{
int i;
for(i = 0; i < NCALLS; i++){
- #ifdef DEBUG
- print("DEBUG cmp %s to %s on %d\n", syscalls[i].name, name, i);
- #endif
if(strcmp(syscalls[i].name, name) == 0)
return i;
}
--- a/mkfile
+++ b/mkfile
@@ -17,3 +17,6 @@
</sys/src/cmd/mkone
# Add things after this line
+
+debug: nuke
+ mk all 'CFLAGS=$CFLAGS -DDEBUG'
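Review bot: `debug: nuke` declares a plain file target, so if a file named `debug` ever exists in the directory mk considers it up to date and skips the recipe; pseudo-targets in mkfiles take the virtual attribute, `debug:V: nuke`. Nuking before every debug build is presumably deliberate so that objects compiled without `-DDEBUG` are not reused; a one-line comment above the rule saying so would stop a later reader from "optimising" it away.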
--- a/mutate.c
+++ b/mutate.c
@@ -15,6 +15,7 @@
else
{
(*in_val) << (rand() % (4 + 1 - 0) + 0);
+ // Segfaults when fuzzing close() ↓
(*in_val) |= (rand() % (15 + 1 - 0) + 0);
}
}
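Review bot: The line directly above the new comment, `(*in_val) << (rand() % (4 + 1 - 0) + 0);`, computes a shift and discards it, so `*in_val` is never shifted — `(*in_val) <<= rand() % 5;` is presumably what was meant. The segfault the comment records cannot come from the `|=` line itself unless `in_val` no longer points at a valid object, which points at how the caller obtains and passes that pointer (compare the mut_charstar change later in this diff) rather than at this function; `// FIXME: segfaults when fuzzing close(): in_val is likely not a valid pointer here — check the caller` says that. The enclosing function starts outside the hunk.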
@@ -54,12 +55,13 @@
mut_charstar(char** in_val, int *round)
{
// if not round 1, free the previously malloc-ed memory
- if(*round != ROUND_NUM)
+ if(*round != ROUND_NUM && *round != 0)
free(*in_val);
const int MAX_SIZE = 2048;
int size = rand() % MAX_SIZE + 1;
+ in_val = malloc(sizeof(char*) * 1);
*in_val = malloc(sizeof(char) * size);
int i;
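Review bot: `in_val = malloc(sizeof(char*) * 1);` overwrites the caller's `char**` parameter with a fresh local allocation, so the string allocated on the next line is stored into that leaked block and never reaches the caller, whose `*in_val` was freed three lines above and is now dangling — every later use of that input is a use-after-free, which fits the crashes this commit annotates elsewhere. Deleting the added line restores the write through the caller's pointer; the `*round != 0` guard added to the free is the only change this hunk needs, and a comment on it explaining which round numbers mean "nothing allocated yet" would help, since `ROUND_NUM` is not visible here. The function body continues past the hunk.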