[Qemu-devel] [PATCH for-1.4] tests/test-string-input-visitor: Handle errors provoked by fuzz test

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH for-1.4] tests/test-string-input-visitor: Handle errors provoked by fuzz test
@ 2013-02-02 21:19 Peter Maydell
  2013-02-02 21:37 ` Andreas Färber
  0 siblings, 1 reply; 3+ messages in thread
From: Peter Maydell @ 2013-02-02 21:19 UTC (permalink / raw)
  To: qemu-devel; +Cc: Blue Swirl, Kevin Wolf, patches

It's OK and expected for visitors to return errors when presented with
the fuzz test's random data. This means the test harness needs to
handle them; check for and free any error after each visitor call,
and only free the string returned by visit_type_str if visit_type_str
succeeded.

This fixes a problem where this test failed the MacOSX malloc()
consistency checks and might segfault on other platforms [due
to calling free() on an uninitialized pointer variable].

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/test-string-input-visitor.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/tests/test-string-input-visitor.c b/tests/test-string-input-visitor.c
index f6b0093..793b334 100644
--- a/tests/test-string-input-visitor.c
+++ b/tests/test-string-input-visitor.c
@@ -194,20 +194,41 @@ static void test_visitor_in_fuzz(TestInputVisitorData *data,
 
         v = visitor_input_test_init(data, buf);
         visit_type_int(v, &ires, NULL, &errp);
+        if (error_is_set(&errp)) {
+            error_free(errp);
+            errp = NULL;
+        }
 
         v = visitor_input_test_init(data, buf);
         visit_type_bool(v, &bres, NULL, &errp);
+        if (error_is_set(&errp)) {
+            error_free(errp);
+            errp = NULL;
+        }
         visitor_input_teardown(data, NULL);
 
         v = visitor_input_test_init(data, buf);
         visit_type_number(v, &nres, NULL, &errp);
+        if (error_is_set(&errp)) {
+            error_free(errp);
+            errp = NULL;
+        }
 
         v = visitor_input_test_init(data, buf);
         visit_type_str(v, &sres, NULL, &errp);
-        g_free(sres);
+        if (error_is_set(&errp)) {
+            error_free(errp);
+            errp = NULL;
+        } else {
+            g_free(sres);
+        }
 
         v = visitor_input_test_init(data, buf);
         visit_type_EnumOne(v, &eres, NULL, &errp);
+        if (error_is_set(&errp)) {
+            error_free(errp);
+            errp = NULL;
+        }
         visitor_input_teardown(data, NULL);
     }
 }
-- 
1.7.11.4

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [Qemu-devel] [PATCH for-1.4] tests/test-string-input-visitor: Handle errors provoked by fuzz test
  2013-02-02 21:19 [Qemu-devel] [PATCH for-1.4] tests/test-string-input-visitor: Handle errors provoked by fuzz test Peter Maydell
@ 2013-02-02 21:37 ` Andreas Färber
  2013-02-02 23:19   ` Peter Maydell
  0 siblings, 1 reply; 3+ messages in thread
From: Andreas Färber @ 2013-02-02 21:37 UTC (permalink / raw)
  To: Peter Maydell; +Cc: Blue Swirl, Kevin Wolf, qemu-devel, patches

Am 02.02.2013 22:19, schrieb Peter Maydell:
> It's OK and expected for visitors to return errors when presented with
> the fuzz test's random data. This means the test harness needs to
> handle them; check for and free any error after each visitor call,
> and only free the string returned by visit_type_str if visit_type_str
> succeeded.
> 
> This fixes a problem where this test failed the MacOSX malloc()
> consistency checks and might segfault on other platforms [due
> to calling free() on an uninitialized pointer variable].
> 
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
>  tests/test-string-input-visitor.c | 23 ++++++++++++++++++++++-
>  1 file changed, 22 insertions(+), 1 deletion(-)
> 
> diff --git a/tests/test-string-input-visitor.c b/tests/test-string-input-visitor.c
> index f6b0093..793b334 100644
> --- a/tests/test-string-input-visitor.c
> +++ b/tests/test-string-input-visitor.c
> @@ -194,20 +194,41 @@ static void test_visitor_in_fuzz(TestInputVisitorData *data,
>  
>          v = visitor_input_test_init(data, buf);
>          visit_type_int(v, &ires, NULL, &errp);
> +        if (error_is_set(&errp)) {
> +            error_free(errp);
> +            errp = NULL;
> +        }

It seems to me the naming is bad here: errp appears to be an Error*, not
an Error**. It would be nice to fix this within the function touched.

Since it is an Error*, I think it was said that we should not use
error_is_set() but err != NULL (or if you prefer, just err).
error_is_set() is intended for **errp arguments that may be NULL.

Your analysis and the freeing and NULL'ing as solution looks correct.

Andreas

>  
>          v = visitor_input_test_init(data, buf);
>          visit_type_bool(v, &bres, NULL, &errp);
> +        if (error_is_set(&errp)) {
> +            error_free(errp);
> +            errp = NULL;
> +        }
>          visitor_input_teardown(data, NULL);
>  
>          v = visitor_input_test_init(data, buf);
>          visit_type_number(v, &nres, NULL, &errp);
> +        if (error_is_set(&errp)) {
> +            error_free(errp);
> +            errp = NULL;
> +        }
>  
>          v = visitor_input_test_init(data, buf);
>          visit_type_str(v, &sres, NULL, &errp);
> -        g_free(sres);
> +        if (error_is_set(&errp)) {
> +            error_free(errp);
> +            errp = NULL;
> +        } else {
> +            g_free(sres);
> +        }
>  
>          v = visitor_input_test_init(data, buf);
>          visit_type_EnumOne(v, &eres, NULL, &errp);
> +        if (error_is_set(&errp)) {
> +            error_free(errp);
> +            errp = NULL;
> +        }
>          visitor_input_teardown(data, NULL);
>      }
>  }
> 


-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [Qemu-devel] [PATCH for-1.4] tests/test-string-input-visitor: Handle errors provoked by fuzz test
  2013-02-02 21:37 ` Andreas Färber
@ 2013-02-02 23:19   ` Peter Maydell
  0 siblings, 0 replies; 3+ messages in thread
From: Peter Maydell @ 2013-02-02 23:19 UTC (permalink / raw)
  To: Andreas Färber; +Cc: Blue Swirl, Kevin Wolf, qemu-devel, patches

On 2 February 2013 21:37, Andreas Färber <afaerber@suse.de> wrote:
> Am 02.02.2013 22:19, schrieb Peter Maydell:
>> It's OK and expected for visitors to return errors when presented with
>> the fuzz test's random data. This means the test harness needs to
>> handle them; check for and free any error after each visitor call,
>> and only free the string returned by visit_type_str if visit_type_str
>> succeeded.
>>
>> This fixes a problem where this test failed the MacOSX malloc()
>> consistency checks and might segfault on other platforms [due
>> to calling free() on an uninitialized pointer variable].
>>
>> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
>> ---
>>  tests/test-string-input-visitor.c | 23 ++++++++++++++++++++++-
>>  1 file changed, 22 insertions(+), 1 deletion(-)
>>
>> diff --git a/tests/test-string-input-visitor.c b/tests/test-string-input-visitor.c
>> index f6b0093..793b334 100644
>> --- a/tests/test-string-input-visitor.c
>> +++ b/tests/test-string-input-visitor.c
>> @@ -194,20 +194,41 @@ static void test_visitor_in_fuzz(TestInputVisitorData *data,
>>
>>          v = visitor_input_test_init(data, buf);
>>          visit_type_int(v, &ires, NULL, &errp);
>> +        if (error_is_set(&errp)) {
>> +            error_free(errp);
>> +            errp = NULL;
>> +        }
>
> It seems to me the naming is bad here: errp appears to be an Error*, not
> an Error**. It would be nice to fix this within the function touched.

"Error *errp" is blessed by docs/writing-qmp-commands.txt (and
git grep 'Error \*errp' has 80 examples in the tree). I think
if I were writing this code I'd probably agree with you about the
naming, but I'm not and I don't particularly feel like changing
names somebody else has been consistent about in this source file
in the course of fixing a bug.

> Since it is an Error*, I think it was said that we should not use
> error_is_set() but err != NULL (or if you prefer, just err).
> error_is_set() is intended for **errp arguments that may be NULL.

Calling error_is_set(&some_local_err_ptr) is also in the
examples in the docs. If not doing that is the recommendation
there should be a doc comment in error.h about that.

-- PMM

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2013-02-02 23:20 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-02-02 21:19 [Qemu-devel] [PATCH for-1.4] tests/test-string-input-visitor: Handle errors provoked by fuzz test Peter Maydell
2013-02-02 21:37 ` Andreas Färber
2013-02-02 23:19   ` Peter Maydell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).