2 * Generic Virtual-Device Fuzzing Target
10 * See the COPYING file in the top-level directory.
14 #include "qemu/range.h"
20 #include "tests/qtest/libqos/pci-pc.h"
25 #include "hw/qdev-core.h"
30 #include "hw/mem/sparse-mem.h"
108 if (info->index == 0) { in get_io_address_cb()
109 info->result.addr = (ram_addr_t)start; in get_io_address_cb()
110 info->result.size = (ram_addr_t)size; in get_io_address_cb()
111 info->found = 1; in get_io_address_cb()
114 info->index--; in get_io_address_cb()
151 unsigned access_size_max = mr->ops->valid.max_access_size; in fuzz_memory_access_size()
154 * Regions are assumed to support 1-4 byte accesses unless in fuzz_memory_access_size()
162 if (!mr->ops->impl.unaligned) { in fuzz_memory_access_size()
163 unsigned align_size_max = addr & -addr; in fuzz_memory_access_size()
179 * Call-back for functions that perform DMA reads from guest memory. Confirm
181 * generic_fuzz(), avoiding potential race-conditions, which we don't have
186 /* Are we in the generic-fuzzer or are we using another fuzz-target? */ in fuzz_dma_read_cb()
193 * - We have no DMA patterns defined in fuzz_dma_read_cb()
194 * - The length of the DMA read request is zero in fuzz_dma_read_cb()
195 * - The DMA read is hitting an MR other than the machine's main RAM in fuzz_dma_read_cb()
196 * - The DMA request hits past the bounds of our RAM in fuzz_dma_read_cb()
198 if (dma_patterns->len == 0 in fuzz_dma_read_cb()
201 || (mr != current_machine->ram && mr != sparse_mem_mr)) { in fuzz_dma_read_cb()
206 * If we overlap with any existing dma_regions, split the range and only in fuzz_dma_read_cb()
207 * populate the non-overlapping parts. in fuzz_dma_read_cb()
212 i < dma_regions->len && (avoid_double_fetches || qtest_log_enabled); in fuzz_dma_read_cb()
219 fuzz_dma_read_cb(addr, region.addr - addr, mr); in fuzz_dma_read_cb()
224 addr + len - (region.addr + region.size), mr); in fuzz_dma_read_cb()
242 mr1 = address_space_translate(first_cpu->as, in fuzz_dma_read_cb()
268 fprintf(stderr, "[DOUBLE-FETCH] "); in fuzz_dma_read_cb()
275 len -= l; in fuzz_dma_read_cb()
283 dma_pattern_index = (dma_pattern_index + 1) % dma_patterns->len; in fuzz_dma_read_cb()
287 * Here we want to convert a fuzzer-provided [io-region-index, offset] to
298 view = as->current_map; in get_io_address()
314 if (result->size) { in get_io_address()
315 offset = offset % result->size; in get_io_address()
316 result->addr += offset; in get_io_address()
317 result->size -= offset; in get_io_address()
333 return result->addr <= 0xFFFF ? found : false; in get_pio_address()
350 address_range abs; in op_in() local
356 if (get_pio_address(&abs, a.base, a.offset) == 0) { in op_in()
362 qtest_inb(s, abs.addr); in op_in()
365 if (abs.size >= 2) { in op_in()
366 qtest_inw(s, abs.addr); in op_in()
370 if (abs.size >= 4) { in op_in()
371 qtest_inl(s, abs.addr); in op_in()
386 address_range abs; in op_out() local
393 if (get_pio_address(&abs, a.base, a.offset) == 0) { in op_out()
399 qtest_outb(s, abs.addr, a.value & 0xFF); in op_out()
402 if (abs.size >= 2) { in op_out()
403 qtest_outw(s, abs.addr, a.value & 0xFFFF); in op_out()
407 if (abs.size >= 4) { in op_out()
408 qtest_outl(s, abs.addr, a.value); in op_out()
422 address_range abs; in op_read() local
429 if (get_mmio_address(&abs, a.base, a.offset) == 0) { in op_read()
435 qtest_readb(s, abs.addr); in op_read()
438 if (abs.size >= 2) { in op_read()
439 qtest_readw(s, abs.addr); in op_read()
443 if (abs.size >= 4) { in op_read()
444 qtest_readl(s, abs.addr); in op_read()
448 if (abs.size >= 8) { in op_read()
449 qtest_readq(s, abs.addr); in op_read()
464 address_range abs; in op_write() local
471 if (get_mmio_address(&abs, a.base, a.offset) == 0) { in op_write()
477 qtest_writeb(s, abs.addr, a.value & 0xFF); in op_write()
480 if (abs.size >= 2) { in op_write()
481 qtest_writew(s, abs.addr, a.value & 0xFFFF); in op_write()
485 if (abs.size >= 4) { in op_write()
486 qtest_writel(s, abs.addr, a.value & 0xFFFFFFFF); in op_write()
490 if (abs.size >= 8) { in op_write()
491 qtest_writeq(s, abs.addr, a.value); in op_write()
505 if (len < sizeof(a) || fuzzable_pci_devices->len == 0 || pci_disabled) { in op_pci_read()
510 a.base % fuzzable_pci_devices->len); in op_pci_read()
511 int devfn = dev->devfn; in op_pci_read()
535 if (len < sizeof(a) || fuzzable_pci_devices->len == 0 || pci_disabled) { in op_pci_write()
540 a.base % fuzzable_pci_devices->len); in op_pci_write()
541 int devfn = dev->devfn; in op_pci_write()
561 * index and stride can be used to increment the index-th byte of the in op_add_dma_pattern()
572 pattern p = {a.index, a.stride, len - sizeof(a), data + sizeof(a)}; in op_add_dma_pattern()
597 * Some commands can be variable-width, so we use a separator, SEPARATOR, to
601 * 1. This is a simple way to support variable-length operations
609 * Ab SEP Bcg SEP Defg -> B SEP Bcg SEP Defg
616 * -dict), though this should not be necessary.
622 * 00 01 02 -> op00 (0102) -> in (0102, 2)
623 * 03 04 05 06 -> op03 (040506) -> write (040506, 3)
624 * 01 -> op01 (-,0) -> out (-,0)
662 cmd_len = nextcmd ? nextcmd - cmd : Size; in generic_fuzz()
667 ops[op](s, cmd + 1, cmd_len - 1); in generic_fuzz()
673 cmd = nextcmd ? nextcmd + sizeof(SEPARATOR) - 1 : nextcmd; in generic_fuzz()
674 Size = Size - (cmd_len + sizeof(SEPARATOR) - 1); in generic_fuzz()
718 if (g_pattern_match_simple(pattern, type_name->str)) { in locate_fuzz_objects()
737 if (g_pattern_match_simple(pattern, path_name->str)) { in locate_fuzz_objects()
759 qdev = qpci_device_find(bus, dev->devfn); in pci_enum()
762 if (dev->io_regions[i].size) { in pci_enum()
800 result = g_strsplit(getenv("QEMU_FUZZ_OBJECTS"), " ", -1); in generic_pre_fuzz()
805 * and Type names so the configs are case-insensitive. in generic_pre_fuzz()
811 name_pattern->str); in generic_pre_fuzz()
820 object_get_canonical_path_component(&(mr->parent_obj)), in generic_pre_fuzz()
869 max_out_size -= copy_len; in generic_fuzz_crossover()
875 max_out_size -= copy_len; in generic_fuzz_crossover()
883 max_out_size -= copy_len; in generic_fuzz_crossover()
889 max_out_size -= copy_len; in generic_fuzz_crossover()
897 max_out_size -= copy_len; in generic_fuzz_crossover()
903 max_out_size -= copy_len; in generic_fuzz_crossover()
909 max_out_size -= copy_len; in generic_fuzz_crossover()
921 g_string_append_printf(cmd_line, " -display none \ in generic_fuzz_cmdline()
922 -machine accel=qtest, \ in generic_fuzz_cmdline()
923 -m 512M %s ", getenv("QEMU_FUZZ_ARGS")); in generic_fuzz_cmdline()
931 g_assert(t->opaque); in generic_fuzz_predefined_config_cmdline()
933 config = t->opaque; in generic_fuzz_predefined_config_cmdline()
935 if (config->argfunc) { in generic_fuzz_predefined_config_cmdline()
936 args = config->argfunc(); in generic_fuzz_predefined_config_cmdline()
940 g_assert_nonnull(config->args); in generic_fuzz_predefined_config_cmdline()
941 g_setenv("QEMU_FUZZ_ARGS", config->args, 1); in generic_fuzz_predefined_config_cmdline()
943 g_setenv("QEMU_FUZZ_OBJECTS", config->objects, 1); in generic_fuzz_predefined_config_cmdline()
950 .name = "generic-fuzz", in register_generic_fuzz_targets()
951 .description = "Fuzz based on any qemu command-line args. ", in register_generic_fuzz_targets()
961 .name = g_strconcat("generic-fuzz-", config->name, NULL), in register_generic_fuzz_targets()
962 .description = "Predefined generic-fuzz config.", in register_generic_fuzz_targets()