shithub: fuzz

Download patch

ref: 4020f29448cdf1325378ed09199e9eedc851d5e5
parent: 6e82d2a07bdeba1e2b743bb991a943c12c2d5878
author: glenda <[email protected]>
date: Sat Nov 24 15:05:07 EST 2018

add debug mk target ;; add debug() function for printing debug messages ;; add comments indicating segfault locations ;; remove rfork call

--- a/fuzz.h
+++ b/fuzz.h
@@ -161,5 +161,6 @@
 
 // main.c
 void dolog(char*, ...);
+void debug(char*, ...);
 
 #endif
--- a/input.c
+++ b/input.c
@@ -11,8 +11,10 @@
 	// increment the round counter
 	(sc->round)++;
 
+	debug("DEBUG: sc_c = %d\n", sc->c);
+
 	// TODO
-	switch(sc->c) {
+	switch(sc->c -1) {
 		case sc_exits :			//	_exits(char*);
 			// mutate the input
 			mut_charstar((char**)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);
@@ -138,6 +140,7 @@
 		case sc_create :		//	create(char* : int : ulong);
 			// mutate the input
 			mut_charstar((char**)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);
+			// Segfaults when fuzzing close() ↓
 			mut_int((int*)((t_type*)lget(&(sc->inputs), 1))->var, &sc->round);
 			mut_ulong((ulong*)((t_type*)lget(&(sc->inputs), 2))->var, &sc->round);
 
@@ -458,6 +461,7 @@
 			mut_int((int*)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);
 			mut_IOchunkstar((IOchunk**)((t_type*)lget(&(sc->inputs), 1))->var, &sc->round);
 			mut_int((int*)((t_type*)lget(&(sc->inputs), 2))->var, &sc->round);
+			// Segfaults on fuzzing read() ↓
 			mut_vlong((long long*)((t_type*)lget(&(sc->inputs), 3))->var, &sc->round);
 
 			// log the variables
--- a/main.c
+++ b/main.c
@@ -26,6 +26,20 @@
 	va_end(args);
 }
 
+// Perform a debug mode print (if built with -DDEBUG)
+void
+debug(char *fmt, ...)
+{
+	#ifdef DEBUG
+	va_list args;
+	va_start(args, fmt);
+
+	vfprint(1, fmt, args);
+
+	va_end(args);
+	#endif
+}
+
 /* Prototypes */
 void	initsctable(void);
 int		name2index(char*);
@@ -54,9 +68,9 @@
 	for(;*argv;argv++){
 		int index;
 		if((index = name2index(*argv)) > 0){
-			#ifdef DEBUG 
-			print("DEBUG index: %d\n", index);
-			#endif
+		
+			debug("DEBUG index %d matched to \"%s\"\n", index, *argv);
+			
 			dolog("Loading call: %s\n", *argv);
 			ladd(&tofuzz, &syscalls[index]); // Might be dangerous, pls fix
 		}else{
@@ -80,23 +94,21 @@
 	for(i = 0; i < nrounds || nrounds < 0; i++){
 		int j;
 		dolog("== Begin round %d ==\n", i);
+		
+		debug("DEBUG: i: %d nrounds: %d\n", i, nrounds);
+		
 		for(j = 0; j < tofuzz.size; j++){
+		
+			debug("DEBUG: tofuzz.size: %d\n", tofuzz.size);
+			
 			caller *fcall = (caller*) lget(&tofuzz, j);
 			dolog("­­ Fuzzing: %s ­­\n", fcall->name);
 			
 			fuzz(fcall); // Fuzz, syncs the disk
-			/*
-			// Someone in here is calling exits inappropriately so forking.
-			int pid = rfork(RFFDG|RFREND|RFPROC|RFMEM);
-			if(pid == 0){
-				// Child
-				fuzz(fcall); // Fuzz, syncs the disk
-				exits(nil);
-			}
-			*/
 		}	
 	}
 
+	fprint(2, "Fuzz ending…\n");
 	close(logfd);
 	exits(nil);
 }
@@ -122,9 +134,6 @@
 {
 	int i;
 	for(i = 0; i < NCALLS; i++){
-		#ifdef DEBUG
-		print("DEBUG cmp %s to %s on %d\n", syscalls[i].name, name, i);
-		#endif
 		if(strcmp(syscalls[i].name, name) == 0)
 			return i;
 	}
--- a/mkfile
+++ b/mkfile
@@ -17,3 +17,6 @@
 </sys/src/cmd/mkone
 
 # Add things after this line
+
+debug: nuke
+	 mk all 'CFLAGS=$CFLAGS -DDEBUG'
--- a/mutate.c
+++ b/mutate.c
@@ -15,6 +15,7 @@
     else
     {
         (*in_val) << (rand() % (4 + 1 - 0) + 0);
+        // Segfaults when fuzzing close() ↓
         (*in_val) |= (rand() % (15 + 1 - 0) + 0);
     }
 }
@@ -54,12 +55,13 @@
 mut_charstar(char** in_val, int *round)
 {
     // if not round 1, free the previously malloc-ed memory
-    if(*round != ROUND_NUM)
+    if(*round != ROUND_NUM && *round != 0)
         free(*in_val);
 
     const int MAX_SIZE = 2048;
     int size = rand() % MAX_SIZE + 1;
 
+		in_val = malloc(sizeof(char*) * 1);
     *in_val = malloc(sizeof(char) * size);
 
     int i;