author | Nicolas Boichat <drinkcat@chromium.org> | 2018-06-20 14:21:43 +0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-08-16 00:30:08 -0700 |
commit | 4a4e2c71a0f6aaa50e0728922f84a7d54c14380a (patch) | |
tree | 4bbc05387f7b479bc4a3dcb925174676f03d9356 /chip/host | |
parent | 165ee29673b058ba5f4550d5b6e1dfecb179bb22 (diff) | |
download | chrome-ec-4a4e2c71a0f6aaa50e0728922f84a7d54c14380a.tar.gz |
test: host_command_fuzz: fuzzing test
Writing fuzzing tests is a little tricky, as clang takes over the main
function. Instead, we start the test main function in a thread, and
have LLVMFuzzerTestOneInput prepare the host command buffer, and
wake the TEST_RUNNER task.
To make fuzzing faster, we only send somewhat correctly formed requests,
with a valid checksum and length (this can be disabled with an option).
We also make sure that the emulator does not hibernate, reboot or jump
to a different image when fuzzing is enabled.
BRANCH=none
BUG=chromium:854975
TEST=make buildfuzztests -j
ASAN_OPTIONS="log_path=stderr" \
build/host/host_command_fuzz/host_command_fuzz.exe -timeout=5
Change-Id: I27b25e44c405f118dfc1296247479245e15e54b4
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1107523
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Jonathan Metzman <metzman@chromium.org>
Diffstat (limited to 'chip/host')
-rw-r--r-- | chip/host/reboot.c | 9 | ||||
-rw-r--r-- | chip/host/reboot.h | 2 | ||||
-rw-r--r-- | chip/host/system.c | 9 | ||||
-rw-r--r-- | chip/host/uart.c | 11 |
4 files changed, 31 insertions, 0 deletions
diff --git a/chip/host/reboot.c b/chip/host/reboot.c
index 7fdb6f7f8e..c6eb83ce30 100644
--- a/chip/host/reboot.c
+++ b/chip/host/reboot.c
@@ -8,10 +8,18 @@
 #include <string.h>
 #include <unistd.h>
+#include "console.h"
 #include "host_test.h"
 #include "reboot.h"
 #include "test_util.h"
+#ifdef TEST_FUZZ
+/* reboot breaks fuzzing, let's just not do it. */
+void emulator_reboot(void)
+{
+	ccprints("Emulator would reboot here. Fuzzing: doing nothing.");
+}
+#else /* !TEST_FUZZ */
 __attribute__((noreturn))
 void emulator_reboot(void)
 {
@@ -21,3 +29,4 @@ void emulator_reboot(void)
 	while (1)
 		;
 }
+#endif /* !TEST_FUZZ */
diff --git a/chip/host/reboot.h b/chip/host/reboot.h
index 113569bb9b..524cd564a1 100644
--- a/chip/host/reboot.h
+++ b/chip/host/reboot.h
@@ -8,7 +8,9 @@
 #ifndef __CROS_EC_REBOOT_H
 #define __CROS_EC_REBOOT_H
+#ifndef TEST_FUZZ
 __attribute__((noreturn))
+#endif
 void emulator_reboot(void);
 #endif
diff --git a/chip/host/system.c b/chip/host/system.c
index 69ed1c83a1..cc0c307d95 100644
--- a/chip/host/system.c
+++ b/chip/host/system.c
@@ -173,6 +173,15 @@ test_mockable int system_is_locked(void)
 	return 0;
 }
+#ifdef TEST_FUZZ
+/* When fuzzing, do not allow sysjumps. */
+int system_run_image_copy(enum system_image_copy_t copy)
+{
+	ccprints("Emulator would sysjump here. Fuzzing: doing nothing.");
+	return EC_ERROR_UNKNOWN;
+}
+#endif
 const char *system_get_chip_vendor(void)
 {
 	return "chromeos";
diff --git a/chip/host/uart.c b/chip/host/uart.c
index cebd529d43..cc0ca04d09 100644
--- a/chip/host/uart.c
+++ b/chip/host/uart.c
@@ -6,6 +6,7 @@
 /* UART driver for emulator */
 #include <pthread.h>
+#include <signal.h>
 #include <stdio.h>
 #include <termio.h>
 #include <unistd.h>
@@ -20,7 +21,9 @@
 static int stopped = 1;
 static int init_done;
+#ifndef TEST_FUZZ
 static pthread_t input_thread;
+#endif
 #define INPUT_BUFFER_SIZE 16
 static int char_available;
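Review bot: The TEST_FUZZ `emulator_reboot()` stub returns into callers that were written against a noreturn function, so whatever follows those calls now executes during fuzzing instead of the process restarting, and the one-line comment does not say that this is intended or that callers must tolerate it. The reboot.h hunk guards `__attribute__((noreturn))` the same way, so declaration and definition stay consistent; what is missing is the contract at the definition, something like `/* Under TEST_FUZZ the reboot is skipped and this function returns; callers (presumably the emulator reset path) simply continue. */`. The non-fuzz `emulator_reboot()` body opened at the end of this hunk ends in the next hunk.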
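Review bot: The fuzzing `system_run_image_copy()` stub discards its `copy` argument, so the console line never says which image the fuzzer was steering towards; logging it is free: `ccprints("Emulator would sysjump to copy %d here. Fuzzing: doing nothing.", copy);`. The `return EC_ERROR_UNKNOWN;` also deserves a comment noting that callers see a failed sysjump rather than a silent success, since that is what the host-command handler will report back to the fuzzer. A second, non-static definition of `system_run_image_copy` only links if the common implementation is overridable in this build (a weak or test_mockable symbol, presumably); a one-line comment stating that would save the next reader the check.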
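Review bot: The added `#include <signal.h>` in uart.c is not used by any of this file's insertions — all eleven from the diffstat are in the hunks shown, and none references a signal API — so it looks like a leftover from an earlier iteration; either drop it or add a comment saying what it is reserved for. An include that nothing uses also hides a real dependency later, when someone removes it after a grep finds no callers.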
@@ -132,6 +135,11 @@ void uart_inject_char(char *s, int sz)
 	}
 }
+/*
+ * We do not really need console input when fuzzing, and having it enabled
+ * breaks terminal when an error is detected.
+ */
+#ifndef TEST_FUZZ
 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
 static pthread_cond_t uart_monitor_initialized = PTHREAD_COND_INITIALIZER;
@@ -170,14 +178,17 @@ void *uart_monitor_stdin(void *d)
 	return 0;
 }
+#endif /* !TEST_FUZZ */
 void uart_init(void)
 {
+#ifndef TEST_FUZZ
 	/* Create UART monitor thread and wait for it to initialize. */
 	pthread_mutex_lock(&mutex);
 	pthread_create(&input_thread, NULL, uart_monitor_stdin, NULL);
 	pthread_cond_wait(&uart_monitor_initialized, &mutex);
 	pthread_mutex_unlock(&mutex);
+#endif
 	stopped = 1; /* Not transmitting yet */
 	init_done = 1;
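Review bot: The comment introducing the `#ifndef TEST_FUZZ` region before the mutex says console input "breaks terminal" without saying how, and it does not mention that the region runs through the whole of `uart_monitor_stdin()` to the `#endif /* !TEST_FUZZ */` in the next hunk, which is exactly what a reader skipping that function will miss. Presumably the breakage is the stdin monitor leaving the terminal in the mode it configures through termio when the fuzzer aborts the process — worth confirming and stating, since "breaks terminal" will not help whoever hits it next. A wording such as `/* Console input is not needed when fuzzing, and the stdin monitor leaves the terminal in a modified state when an error aborts the process; everything down to the matching #endif after uart_monitor_stdin() is compiled out. */` covers both points.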