From c84b8f8f6fec341215f8317173be3603c3bca05a Mon Sep 17 00:00:00 2001
From: Andrew Jeffery <andrew@aj.id.au>
Date: Tue, 28 Aug 2018 16:50:09 +0930
Subject: test: Add windows_equally_evictable

Tests for the condition where the minimum age is less than any window's
current age, in which case we can get a NULL dereference if the
windows_reset_all() implementation is broken.

    windows.c:409:23: runtime error: member access within null pointer of type 'struct window_context'
    ASAN:DEADLYSIGNAL
    =================================================================
    ==31400==ERROR: AddressSanitizer: SEGV on unknown address 0x00000004 (pc 0x0002b658 bp 0x74c00270 sp 0x7eb7c678 T0)
    ==31400==The signal is caused by a WRITE memory access.
    ==31400==Hint: address points to the zero page.
        #0 0x2b657 in window_reset windows.c:410
        #1 0x2cc9b in windows_create_map windows.c:572
        #2 0x1f3f3 in protocol_v1_create_window protocol.c:167
        #3 0x2121b in protocol_v2_create_window protocol.c:417
        #4 0x24cd7f in generic_vpnor_create_window vpnor/protocol.cpp:51
        #5 0x24d053 in protocol_v2_vpnor_create_window vpnor/protocol.cpp:63
        #6 0x2663b in mbox_handle_create_window transport_mbox.c:282
        #7 0x276db in handle_mbox_req transport_mbox.c:568
        #8 0x276db in transport_mbox_dispatch transport_mbox.c:649
        #9 0x17fcb in poll_loop mboxd.c:185
        #10 0x17fcb in main mboxd.c:423
        #11 0x46b68517 in __libc_start_main (/lib/libc.so.6+0x46b68517)

    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV windows.c:410 in window_reset
    ==31400==ABORTING

Change-Id: I8161e2ea17953e196d4bb3ca90d19e44ec10c86d
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
---
 test/Makefile.am.include         |  6 ++-
 test/windows_equally_evictable.c | 85 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 test/windows_equally_evictable.c

diff --git a/test/Makefile.am.include b/test/Makefile.am.include
index fab9e14..845c13a 100644
--- a/test/Makefile.am.include
+++ b/test/Makefile.am.include
@@ -99,6 +99,9 @@ test_sequence_numbers_SOURCES = %reldir%/sequence_numbers.c \
 test_get_mbox_info_v2_timeout_SOURCES = %reldir%/get_mbox_info_v2_timeout.c \
 					$(TEST_MBOX_SRCS) $(TEST_MOCK_SRCS)
 
+test_windows_equally_evictable_SOURCES = %reldir%/windows_equally_evictable.c \
+					 $(TEST_MBOX_SRCS) $(TEST_MOCK_SRCS)
+
 check_PROGRAMS += \
 		%reldir%/sanity \
 		%reldir%/flash_copy \
@@ -126,4 +129,5 @@ check_PROGRAMS += \
 		%reldir%/invalid_command \
 		%reldir%/read_window_cycle \
 		%reldir%/sequence_numbers \
-		%reldir%/get_mbox_info_v2_timeout
+		%reldir%/get_mbox_info_v2_timeout \
+		%reldir%/windows_equally_evictable
diff --git a/test/windows_equally_evictable.c b/test/windows_equally_evictable.c
new file mode 100644
index 0000000..e54343b
--- /dev/null
+++ b/test/windows_equally_evictable.c
@@ -0,0 +1,85 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (C) 2018 IBM Corp.
+
+#include <assert.h>
+#include <string.h>
+
+#include "config.h"
+#include "transport_mbox.h"
+#include "windows.h"
+
+#include "test/mbox.h"
+#include "test/system.h"
+
+struct test_context
+{
+    uint8_t seq;
+    struct mbox_context *ctx;
+};
+
+// Configure the system and the paritions such that we eventually request a
+// window that covers the last section of flash, but the remaining flash is
+// smaller than the window size
+#define BLOCK_SIZE	4096
+#define ERASE_SIZE	BLOCK_SIZE
+#define N_WINDOWS	3
+#define WINDOW_SIZE	BLOCK_SIZE
+#define MEM_SIZE	(N_WINDOWS * WINDOW_SIZE)
+#define PNOR_SIZE	((N_WINDOWS + 1) * WINDOW_SIZE)
+
+static const uint8_t get_info[] = {0x02, 0x00, 0x02, 0x00, 0x00, 0x00,
+                                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                                   0x00, 0x00, 0x00, 0x00};
+
+#define MBOX_CREATE_READ_WINDOW 4
+
+static int mbox_create_read_window(struct test_context *tctx, size_t offset,
+                                   size_t len)
+{
+    union mbox_regs regs;
+
+    memset(&regs, 0, sizeof(regs));
+    regs.msg.command = MBOX_CREATE_READ_WINDOW;
+    regs.msg.seq = ++tctx->seq;
+    put_u16(&regs.msg.args[0], offset);
+    put_u16(&regs.msg.args[2], len);
+
+    return mbox_command_dispatch(tctx->ctx, regs.raw, sizeof(regs.raw));
+}
+
+int main()
+{
+    struct test_context _tctx = {0}, *tctx = &_tctx;
+    size_t len;
+    size_t pos;
+    int rc;
+
+    system_set_reserved_size(MEM_SIZE);
+    system_set_mtd_sizes(PNOR_SIZE, ERASE_SIZE);
+
+    tctx->ctx = mbox_create_test_context(N_WINDOWS, WINDOW_SIZE);
+
+    rc = mbox_command_dispatch(tctx->ctx, get_info, sizeof(get_info));
+    assert(rc == 1);
+
+    pos = 0;
+    while (pos < ((PNOR_SIZE - BLOCK_SIZE) / BLOCK_SIZE))
+    {
+        struct mbox_msg _msg, *msg = &_msg;
+
+        rc = mbox_create_read_window(tctx, pos, (WINDOW_SIZE / BLOCK_SIZE));
+        assert(rc == 1);
+
+        mbox_rspcpy(tctx->ctx, msg);
+
+        len = get_u16(&msg->args[2]);
+        pos = get_u16(&msg->args[4]) + len;
+    }
+
+    windows_reset_all(tctx->ctx);
+
+    rc = mbox_create_read_window(tctx, pos, (WINDOW_SIZE / BLOCK_SIZE));
+    assert(rc == 1);
+
+    return 0;
+}
-- 
cgit v1.2.1