shithub: fuzz

Info  •  Files  •  Log

add debug mk target ;; add debug() function for printing debug messages ;; add comments indicating segfault locations ;; remove rfork call

--- a/fuzz.h

+++ b/fuzz.h

@@ -161,5 +161,6 @@

 // main.c

 void dolog(char*, ...);

+void debug(char*, ...);

 #endif

--- a/input.c

+++ b/input.c

@@ -11,8 +11,10 @@

 	// increment the round counter

 	(sc->round)++;

+	debug("DEBUG: sc_c = %d\n", sc->c);

+

 	// TODO

-	switch(sc->c) {

+	switch(sc->c -1) {

 		case sc_exits :			//	_exits(char*);

 			// mutate the input

 			mut_charstar((char**)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);

@@ -138,6 +140,7 @@

 		case sc_create :		//	create(char* : int : ulong);

 			// mutate the input

 			mut_charstar((char**)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);

+			// Segfaults when fuzzing close() ↓

 			mut_int((int*)((t_type*)lget(&(sc->inputs), 1))->var, &sc->round);

 			mut_ulong((ulong*)((t_type*)lget(&(sc->inputs), 2))->var, &sc->round);

@@ -458,6 +461,7 @@

 			mut_int((int*)((t_type*)lget(&(sc->inputs), 0))->var, &sc->round);

 			mut_IOchunkstar((IOchunk**)((t_type*)lget(&(sc->inputs), 1))->var, &sc->round);

 			mut_int((int*)((t_type*)lget(&(sc->inputs), 2))->var, &sc->round);

+			// Segfaults on fuzzing read() ↓

 			mut_vlong((long long*)((t_type*)lget(&(sc->inputs), 3))->var, &sc->round);

 			// log the variables

--- a/main.c

+++ b/main.c

@@ -26,6 +26,20 @@

 	va_end(args);

 }

+// Perform a debug mode print (if built with -DDEBUG)

+void

+debug(char *fmt, ...)

+{

+	#ifdef DEBUG

+	va_list args;

+	va_start(args, fmt);

+

+	vfprint(1, fmt, args);

+

+	va_end(args);

+	#endif

+}

+

 /* Prototypes */

 void	initsctable(void);

 int		name2index(char*);

@@ -54,9 +68,9 @@

 	for(;*argv;argv++){

 		int index;

 		if((index = name2index(*argv)) > 0){

-			#ifdef DEBUG 

-			print("DEBUG index: %d\n", index);

-			#endif

+		

+			debug("DEBUG index %d matched to \"%s\"\n", index, *argv);

+			

 			dolog("Loading call: %s\n", *argv);

 			ladd(&tofuzz, &syscalls[index]); // Might be dangerous, pls fix

 		}else{

@@ -80,23 +94,21 @@

 	for(i = 0; i < nrounds || nrounds < 0; i++){

 		int j;

 		dolog("== Begin round %d ==\n", i);

+		

+		debug("DEBUG: i: %d nrounds: %d\n", i, nrounds);

+		

 		for(j = 0; j < tofuzz.size; j++){

+		

+			debug("DEBUG: tofuzz.size: %d\n", tofuzz.size);

+			

 			caller *fcall = (caller*) lget(&tofuzz, j);

 			dolog("­­ Fuzzing: %s ­­\n", fcall->name);

 			fuzz(fcall); // Fuzz, syncs the disk

-			/*

-			// Someone in here is calling exits inappropriately so forking.

-			int pid = rfork(RFFDG|RFREND|RFPROC|RFMEM);

-			if(pid == 0){

-				// Child

-				fuzz(fcall); // Fuzz, syncs the disk

-				exits(nil);

-			}

-			*/

 		}	

 	}

+	fprint(2, "Fuzz ending…\n");

 	close(logfd);

 	exits(nil);

 }

@@ -122,9 +134,6 @@

 {

 	int i;

 	for(i = 0; i < NCALLS; i++){

-		#ifdef DEBUG

-		print("DEBUG cmp %s to %s on %d\n", syscalls[i].name, name, i);

-		#endif

 		if(strcmp(syscalls[i].name, name) == 0)

 			return i;

 	}

--- a/mkfile

+++ b/mkfile

@@ -17,3 +17,6 @@

 </sys/src/cmd/mkone

 # Add things after this line

+

+debug: nuke

+	 mk all 'CFLAGS=$CFLAGS -DDEBUG'

--- a/mutate.c

+++ b/mutate.c

@@ -15,6 +15,7 @@

     else

     {

         (*in_val) << (rand() % (4 + 1 - 0) + 0);

+        // Segfaults when fuzzing close() ↓

         (*in_val) |= (rand() % (15 + 1 - 0) + 0);

     }

 }

@@ -54,12 +55,13 @@

 mut_charstar(char** in_val, int *round)

 {

     // if not round 1, free the previously malloc-ed memory

-    if(*round != ROUND_NUM)

+    if(*round != ROUND_NUM && *round != 0)

         free(*in_val);

     const int MAX_SIZE = 2048;

     int size = rand() % MAX_SIZE + 1;

+		in_val = malloc(sizeof(char*) * 1);

     *in_val = malloc(sizeof(char) * size);

     int i;