
Re: [Qemu-devel] [PATCH] tests: add fuzzing to visitor tests


From: Blue Swirl
Subject: Re: [Qemu-devel] [PATCH] tests: add fuzzing to visitor tests
Date: Sat, 2 Feb 2013 12:40:40 +0000

On Wed, Jan 30, 2013 at 4:37 PM, Kevin Wolf <address@hidden> wrote:
> On 19.01.2013 17:01, Blue Swirl wrote:
>> Perform input tests on random data.
>>
>> Improvement to code coverage for qapi/string-input-visitor.c
>> is about 3 percentage points.
>>
>> Signed-off-by: Blue Swirl <address@hidden>
>
> Does this test pass for you? It consistently segfaults for me.

Yes, it works on x86_64, i386, arm and sparc64.

>
> /string-visitor/input/fuzz: ==30703== Conditional jump or move depends
> on uninitialised value(s)
> ==30703==    at 0x508E738: g_free (gmem.c:262)
> ==30703==    by 0x10B123: test_visitor_in_fuzz
> (test-string-input-visitor.c:207)
> ==30703==    by 0x50ABCA7: g_test_run_suite_internal (gtestutils.c:1174)
> ==30703==    by 0x50ABE15: g_test_run_suite_internal (gtestutils.c:1233)
> ==30703==    by 0x50ABE15: g_test_run_suite_internal (gtestutils.c:1233)
> ==30703==    by 0x50AC10E: g_test_run_suite (gtestutils.c:1282)
> ==30703==    by 0x108FBF: main (test-string-input-visitor.c:242)
> ==30703==
> ==30703== Conditional jump or move depends on uninitialised value(s)
> ==30703==    at 0x4A055B4: free (vg_replace_malloc.c:366)
> ==30703==    by 0x508E742: g_free (gmem.c:263)
> ==30703==    by 0x10B123: test_visitor_in_fuzz
> (test-string-input-visitor.c:207)
> ==30703==    by 0x50ABCA7: g_test_run_suite_internal (gtestutils.c:1174)
> ==30703==    by 0x50ABE15: g_test_run_suite_internal (gtestutils.c:1233)
> ==30703==    by 0x50ABE15: g_test_run_suite_internal (gtestutils.c:1233)
> ==30703==    by 0x50AC10E: g_test_run_suite (gtestutils.c:1282)
> ==30703==    by 0x108FBF: main (test-string-input-visitor.c:242)
> ==30703==
> ==30703== Invalid free() / delete / delete[]
> ==30703==    at 0x4A055FE: free (vg_replace_malloc.c:366)
> ==30703==    by 0x508E742: g_free (gmem.c:263)
> ==30703==    by 0x10B123: test_visitor_in_fuzz
> (test-string-input-visitor.c:207)
> ==30703==    by 0x50ABCA7: g_test_run_suite_internal (gtestutils.c:1174)
> ==30703==    by 0x50ABE15: g_test_run_suite_internal (gtestutils.c:1233)
> ==30703==    by 0x50ABE15: g_test_run_suite_internal (gtestutils.c:1233)
> ==30703==    by 0x50AC10E: g_test_run_suite (gtestutils.c:1282)
> ==30703==    by 0x108FBF: main (test-string-input-visitor.c:242)
> ==30703==  Address 0x2102508021024020 is not stack'd, malloc'd or
> (recently) free'd
> ==30703==

The call to g_free() in the fuzz function looks suspect. I used
test_visitor_in_string() as a model (which seems to have been copied
from test-qmp-input-visitor.c), is the call to g_free() correct there
either? Perhaps Paolo or Luiz would know?
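As an added illustration, not code from the patch or from anyone in this thread, the following reduced C program shows the failure mode that the Valgrind report above describes: a parser that only assigns its output pointer on success, a caller that leaves that pointer uninitialised and frees it unconditionally (the shape Valgrind reports as an uninitialised conditional jump inside free() followed by "Invalid free()"), and the safe pattern beside it. Every name here (parse_identifier, fuzz_one, fuzz_run, next_rand) is a hypothetical stand-in constructed for this example; it uses plain malloc/free rather than glib so it builds stand-alone, and the random inputs are generated deterministically from a seed so a crashing input can be reproduced.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a string input visitor (not QEMU's code): on
 * success it stores a freshly allocated copy of the input in *out and
 * returns 0; on failure it returns -1 and, like many parsers, leaves *out
 * untouched. That contract is what makes an uninitialised output pointer
 * dangerous for the caller. */
static int parse_identifier(const char *in, char **out)
{
    size_t n = strlen(in);
    if (n == 0 || n > 32) {
        return -1;
    }
    for (size_t i = 0; i < n; i++) {
        if (!isalnum((unsigned char)in[i]) && in[i] != '_') {
            return -1;
        }
    }
    char *copy = malloc(n + 1);
    if (copy == NULL) {
        return -1;
    }
    memcpy(copy, in, n + 1);
    *out = copy;
    return 0;
}

/* The shape Valgrind flags as "Conditional jump or move depends on
 * uninitialised value(s)" inside free() followed by "Invalid free()":
 *
 *     char *res;                       // never initialised
 *     parse_identifier(input, &res);   // fails, leaves res untouched
 *     free(res);                       // frees stack garbage
 *
 * Kept as a comment so the example itself runs cleanly. */

/* Safe pattern: initialise the output, free only what the callee set,
 * and reset the pointer afterwards. Returns 1 when the input was accepted
 * (and the result freed), 0 when it was rejected. */
static int fuzz_one(const char *input)
{
    char *res = NULL;
    int rc = parse_identifier(input, &res);
    if (rc != 0) {
        /* res is still NULL: nothing was allocated, nothing to free. */
        return 0;
    }
    free(res);
    res = NULL;
    return 1;
}

/* Deterministic LCG so a failing input can be reproduced from the seed. */
static unsigned next_rand(unsigned *state)
{
    *state = *state * 1103515245u + 12345u;
    return *state >> 16;
}

/* Feed 'iterations' constructed random byte strings (up to 39 bytes of
 * 7-bit values, so a few are valid identifiers and most are not) through
 * fuzz_one(); returns how many were accepted. A crash or a Valgrind
 * report surfaces here, in the test, rather than in production. */
static int fuzz_run(unsigned seed, int iterations)
{
    unsigned state = seed;
    char buf[40];
    int accepted = 0;
    for (int it = 0; it < iterations; it++) {
        int len = (int)(next_rand(&state) % 40);
        for (int i = 0; i < len; i++) {
            buf[i] = (char)(next_rand(&state) & 0x7f);
        }
        buf[len] = '\0';
        accepted += fuzz_one(buf);
    }
    return accepted;
}

int main(void)
{
    printf("accepted %d of 10000 random inputs\n", fuzz_run(1u, 10000));
    return 0;
}
```

Running this under Valgrind is clean; uncommenting the three-line buggy pattern in place of fuzz_one()'s body reproduces the kind of report quoted above. The practical check for any fuzz harness that hands an output pointer to a parser is the same: initialise it to NULL before the call and free it only on the success path.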


