TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-A / tf-a-tests.git / refs/heads/master / . / smc_fuzz / src / constraint.c
blob: 7e4c4b5c11c4d3b7e863d804ae14dc8a36866f0d [file] [log] [blame]
Mark Dykes50297972024-03-15 12:49:22 -0500[diff] [blame]1/*
2 * Copyright (c) 2024, Arm Limited. All rights reserved.
3 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7#include <arg_struct_def.h>
8#include <constraint.h>
9#include <field_specification.h>
10
11#include <debug.h>
12
13#ifdef SMC_FUZZ_TMALLOC
14#define GENMALLOC(x) malloc((x))
15#define GENFREE(x) free((x))
16#else
17#define GENMALLOC(x) smcmalloc((x), mmod)
18#define GENFREE(x) smcfree((x), mmod)
19#endif
20
21/*******************************************************
22* Random 64 bit generator for registers
23*******************************************************/
24
25uint64_t rand64bit(void)
26{
27 uint64_t xreg = (rand() % (1 << FUZZ_MAX_SHIFT_AMNT)) << FUZZ_MAX_SHIFT_AMNT;
28
29 xreg = ((rand() % (1 << FUZZ_MAX_SHIFT_AMNT)) | xreg) << FUZZ_MAX_SHIFT_AMNT;
30 xreg = ((rand() % (1 << FUZZ_MAX_SHIFT_AMNT)) | xreg) << FUZZ_MAX_SHIFT_AMNT;
31 xreg = ((rand() % (1 << FUZZ_MAX_SHIFT_AMNT)) | xreg);
32 return xreg;
33}
34
35/*******************************************************
36* Shift left function for registers
37*******************************************************/
38
39uint64_t shiftlft(uint64_t val, int shamnt)
40{
41 uint64_t ressh = val;
42
43 if (shamnt > FUZZ_MAX_REG_SIZE) {
44 printf("Error: cannot shift beyond %d bits\n", FUZZ_MAX_REG_SIZE);
45 panic();
46 }
47 if (shamnt > FUZZ_MAX_SHIFT_AMNT) {
48 for (int i = 0; i < ((shamnt / FUZZ_MAX_SHIFT_AMNT) + 1); i++) {
49 if (i == (shamnt / FUZZ_MAX_SHIFT_AMNT)) {
50 ressh = ressh << (shamnt % FUZZ_MAX_SHIFT_AMNT);
51 } else {
52 ressh = ressh << FUZZ_MAX_SHIFT_AMNT;
53 }
54 }
55 } else {
56 ressh = ressh << shamnt;
57 }
58 return ressh;
59}
60
61/*******************************************************
62* Shift right function for registers
63*******************************************************/
64
65uint64_t shiftrht(uint64_t val, int shamnt)
66{
67 uint64_t ressh = val;
68
69 if (shamnt > FUZZ_MAX_REG_SIZE) {
70 printf("Error: cannot shift beyond %d bits\n", FUZZ_MAX_REG_SIZE);
71 panic();
72 }
73 if (shamnt > FUZZ_MAX_SHIFT_AMNT) {
74 for (int i = 0; i < ((shamnt / FUZZ_MAX_SHIFT_AMNT) + 1); i++) {
75 if (i == (shamnt / FUZZ_MAX_SHIFT_AMNT)) {
76 ressh = ressh >> (shamnt % FUZZ_MAX_SHIFT_AMNT);
77 } else {
78 ressh = ressh >> FUZZ_MAX_SHIFT_AMNT;
79 }
80 }
81 } else {
82 ressh = ressh >> shamnt;
83 }
84 return ressh;
85}
86
87/*******************************************************
88* Set constraints for the fields in the SMC call
89*******************************************************/
90
91
92void setconstraint(int contype, uint64_t *vecinput, int veclen, int fieldnameptr, struct memmod *mmod, int mode)
93{
94 int argdef = fuzzer_fieldarg[fieldnameptr];
95 int fieldname = fuzzer_fieldfld[fieldnameptr];
96
97 if ((argdef > MAX_ARG_LENGTH) || (argdef < 0)) {
98 printf("SMC argument is out of bounds\n");
99 panic();
100 }
101 if ((fieldname > (fuzzer_arg_array_lst[argdef].arg_span[1] -
102 fuzzer_arg_array_lst[argdef].arg_span[0])) || (fieldname < 0)) {
103 printf("SMC fieldname is out of bounds\n");
104 panic();
105 }
106 int fieldptr = fuzzer_arg_array_lst[argdef].arg_span[0] + fieldname;
107
108 if ((contype > FUZZER_CONSTRAINT_VECTOR) || (contype < 0)) {
109 printf("SMC constraint type is out of bounds\n");
110 panic();
111 }
112 if (mode > 2) {
113 printf("SMC constriant mode input is invalid\n");
114 panic();
115 }
116 if (mmod == NULL) {
117 printf("SMC constraint memory pointer is invalid\n");
118 panic();
119 }
120 if (contype == FUZZER_CONSTRAINT_SVALUE) {
121 if (veclen < 1) {
122 printf("vector length to constraint for single value is not large enough");
123 printf(" %d", veclen);
124 panic();
125 }
126 if (vecinput == NULL) {
127 printf("vector input to constraint single value is not defined\n");
128 panic();
129 }
130 if (fuzzer_arg_array[fieldptr].contval == NULL) {
131 fuzzer_arg_array[fieldptr].contval = GENMALLOC(1 * sizeof(uint64_t **));
132 fuzzer_arg_array[fieldptr].contval[0] = GENMALLOC(1 * sizeof(uint64_t *));
133 fuzzer_arg_array[fieldptr].contval[0][0] = vecinput[0];
134 fuzzer_arg_array[fieldptr].contvallen = GENMALLOC(1 * sizeof(int *));
135 fuzzer_arg_array[fieldptr].contvallen[0] = 1;
136 fuzzer_arg_array[fieldptr].contlen = 1;
137 fuzzer_arg_array[fieldptr].conttype = GENMALLOC(1 * sizeof(int *));
138 fuzzer_arg_array[fieldptr].conttype[0] = contype;
139 } else {
140 if (mode == FUZZER_CONSTRAINT_ACCMODE) {
141 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
142 if (fuzzer_arg_array[fieldptr].conttype[i] ==
143 FUZZER_CONSTRAINT_SVALUE) {
144 if (fuzzer_arg_array[fieldptr].contval[i][0] == vecinput[0]) {
145 return;
146 }
147 }
148 }
149 uint64_t **tarray;
150
151 tarray = GENMALLOC((1 + fuzzer_arg_array[fieldptr].contlen)
152 * sizeof(uint64_t **));
153 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
154 tarray[i] = GENMALLOC(fuzzer_arg_array[fieldptr].contvallen[i]
155 * sizeof(uint64_t *));
156 for (int k = 0; k < fuzzer_arg_array[fieldptr].contvallen[i]; k++) {
157 tarray[i][k] = fuzzer_arg_array[fieldptr].contval[i][k];
158 }
159 }
160 tarray[fuzzer_arg_array[fieldptr].contlen] = GENMALLOC(1 * sizeof(int *));
161 tarray[fuzzer_arg_array[fieldptr].contlen][0] = vecinput[0];
162 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
163 GENFREE(fuzzer_arg_array[fieldptr].contval[i]);
164 }
165 GENFREE(fuzzer_arg_array[fieldptr].contval);
166 fuzzer_arg_array[fieldptr].contval = tarray;
167 int *tarraysingle;
168
169 tarraysingle = GENMALLOC((1 + fuzzer_arg_array[fieldptr].contlen) * sizeof(int *));
170 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
171 tarraysingle[i] = fuzzer_arg_array[fieldptr].contvallen[i];
172 }
173 tarraysingle[fuzzer_arg_array[fieldptr].contlen] = 1;
174 GENFREE(fuzzer_arg_array[fieldptr].contvallen);
175 fuzzer_arg_array[fieldptr].contvallen = tarraysingle;
176 tarraysingle = GENMALLOC((1 + fuzzer_arg_array[fieldptr].contlen)
177 * sizeof(int *));
178 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
179 tarraysingle[i] = fuzzer_arg_array[fieldptr].conttype[i];
180 }
181 tarraysingle[fuzzer_arg_array[fieldptr].contlen] = contype;
182 GENFREE(fuzzer_arg_array[fieldptr].conttype);
183 fuzzer_arg_array[fieldptr].conttype = tarraysingle;
184 fuzzer_arg_array[fieldptr].contlen++;
185 }
186 if (mode == FUZZER_CONSTRAINT_EXCMODE) {
187 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
188 GENFREE(fuzzer_arg_array[fieldptr].contval[i]);
189 }
190 GENFREE(fuzzer_arg_array[fieldptr].contval);
191 GENFREE(fuzzer_arg_array[fieldptr].contvallen);
192 GENFREE(fuzzer_arg_array[fieldptr].conttype);
193 fuzzer_arg_array[fieldptr].contval = GENMALLOC(1 * sizeof(uint64_t **));
194 fuzzer_arg_array[fieldptr].contval[0] = GENMALLOC(1 * sizeof(uint64_t *));
195 fuzzer_arg_array[fieldptr].contval[0][0] = vecinput[0];
196 fuzzer_arg_array[fieldptr].contvallen = GENMALLOC(1 * sizeof(int *));
197 fuzzer_arg_array[fieldptr].contvallen[0] = 1;
198 fuzzer_arg_array[fieldptr].contlen = 1;
199 fuzzer_arg_array[fieldptr].conttype = GENMALLOC(1 * sizeof(int *));
200 fuzzer_arg_array[fieldptr].conttype[0] = contype;
201 }
202 }
203 }
204 if (contype == FUZZER_CONSTRAINT_RANGE) {
205 if (veclen < 2) {
206 printf("vector length to constraint for range is not large enough");
207 printf(" %d", veclen);
208 panic();
209 }
210 if (vecinput == NULL) {
211 printf("vector inputs to constraint for range is not defined\n");
212 panic();
213 }
214 if (fuzzer_arg_array[fieldptr].contval == NULL) {
215 fuzzer_arg_array[fieldptr].contval = GENMALLOC(1 * sizeof(uint64_t **));
216 fuzzer_arg_array[fieldptr].contval[0] = GENMALLOC(2 * sizeof(uint64_t *));
217 fuzzer_arg_array[fieldptr].contval[0][0] = vecinput[0];
218 fuzzer_arg_array[fieldptr].contval[0][1] = vecinput[1];
219 fuzzer_arg_array[fieldptr].contvallen = GENMALLOC(1 * sizeof(int *));
220 fuzzer_arg_array[fieldptr].contvallen[0] = 2;
221 fuzzer_arg_array[fieldptr].contlen = 1;
222 fuzzer_arg_array[fieldptr].conttype = GENMALLOC(1 * sizeof(int *));
223 fuzzer_arg_array[fieldptr].conttype[0] = contype;
224 } else {
225 if (mode == FUZZER_CONSTRAINT_ACCMODE) {
226 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
227 if (fuzzer_arg_array[fieldptr].conttype[i] ==
228 FUZZER_CONSTRAINT_RANGE) {
229 if ((fuzzer_arg_array[fieldptr].contval[i][0] ==
230 vecinput[0]) && (fuzzer_arg_array[fieldptr].contval[i][1]
231 == vecinput[1])) {
232 return;
233 }
234 }
235 }
236 uint64_t **tarray;
237
238 tarray = GENMALLOC((1 + fuzzer_arg_array[fieldptr].contlen)
239 * sizeof(uint64_t **));
240 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
241 tarray[i] =
242 GENMALLOC(fuzzer_arg_array[fieldptr].contvallen[i]
243 * sizeof(uint64_t *));
244 for (int k = 0; k < fuzzer_arg_array[fieldptr].contvallen[i]; k++) {
245 tarray[i][k] = fuzzer_arg_array[fieldptr].contval[i][k];
246 }
247 }
248 tarray[fuzzer_arg_array[fieldptr].contlen] = GENMALLOC(2
249 * sizeof(uint64_t *));
250 tarray[fuzzer_arg_array[fieldptr].contlen][0] = vecinput[0];
251 tarray[fuzzer_arg_array[fieldptr].contlen][1] = vecinput[1];
252 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
253 GENFREE(fuzzer_arg_array[fieldptr].contval[i]);
254 }
255 GENFREE(fuzzer_arg_array[fieldptr].contval);
256 fuzzer_arg_array[fieldptr].contval = tarray;
257 int *tarraysingle;
258 tarraysingle =
259 GENMALLOC((1 + fuzzer_arg_array[fieldptr].contlen) * sizeof(int *));
260 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
261 tarraysingle[i] = fuzzer_arg_array[fieldptr].contvallen[i];
262 }
263 tarraysingle[fuzzer_arg_array[fieldptr].contlen] = 2;
264 GENFREE(fuzzer_arg_array[fieldptr].contvallen);
265 fuzzer_arg_array[fieldptr].contvallen = tarraysingle;
266 tarraysingle = GENMALLOC((1 + fuzzer_arg_array[fieldptr].contlen)
267 * sizeof(int *));
268 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
269 tarraysingle[i] = fuzzer_arg_array[fieldptr].conttype[i];
270 }
271 tarraysingle[fuzzer_arg_array[fieldptr].contlen] = contype;
272 GENFREE(fuzzer_arg_array[fieldptr].conttype);
273 fuzzer_arg_array[fieldptr].conttype = tarraysingle;
274 fuzzer_arg_array[fieldptr].contlen++;
275 }
276 if (mode == FUZZER_CONSTRAINT_EXCMODE) {
277 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
278 GENFREE(fuzzer_arg_array[fieldptr].contval[i]);
279 }
280 GENFREE(fuzzer_arg_array[fieldptr].contval);
281 GENFREE(fuzzer_arg_array[fieldptr].contvallen);
282 GENFREE(fuzzer_arg_array[fieldptr].conttype);
283 fuzzer_arg_array[fieldptr].contval = GENMALLOC(1 * sizeof(uint64_t **));
284 fuzzer_arg_array[fieldptr].contval[0] = GENMALLOC(2 * sizeof(uint64_t *));
285 fuzzer_arg_array[fieldptr].contval[0][0] = vecinput[0];
286 fuzzer_arg_array[fieldptr].contval[0][1] = vecinput[1];
287 fuzzer_arg_array[fieldptr].contvallen = GENMALLOC(1 * sizeof(int *));
288 fuzzer_arg_array[fieldptr].contvallen[0] = 2;
289 fuzzer_arg_array[fieldptr].contlen = 1;
290 fuzzer_arg_array[fieldptr].conttype = GENMALLOC(1 * sizeof(int *));
291 fuzzer_arg_array[fieldptr].conttype[0] = contype;
292 }
293 }
294 }
295 if (contype == FUZZER_CONSTRAINT_VECTOR) {
296 if (veclen < 2) {
297 printf("vector length to constraint for vector is not large enough");
298 printf(" %d", veclen);
299 panic();
300 }
301 if (vecinput == NULL) {
302 printf("vector input to constraint vector is not defined\n");
303 panic();
304 }
305 if (fuzzer_arg_array[fieldptr].contval == NULL) {
306 fuzzer_arg_array[fieldptr].contval = GENMALLOC(1 * sizeof(uint64_t **));
307 fuzzer_arg_array[fieldptr].contval[0] = GENMALLOC(veclen * sizeof(uint64_t *));
308 for (int i = 0; i < veclen; i++) {
309 fuzzer_arg_array[fieldptr].contval[0][i] = vecinput[i];
310 }
311 fuzzer_arg_array[fieldptr].contvallen = GENMALLOC(1 * sizeof(int *));
312 fuzzer_arg_array[fieldptr].contvallen[0] = veclen;
313 fuzzer_arg_array[fieldptr].contlen = 1;
314 fuzzer_arg_array[fieldptr].conttype = GENMALLOC(1 * sizeof(int *));
315 fuzzer_arg_array[fieldptr].conttype[0] = contype;
316
317 } else {
318 if (mode == FUZZER_CONSTRAINT_ACCMODE) {
319 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
320 if (fuzzer_arg_array[fieldptr].conttype[i] ==
321 FUZZER_CONSTRAINT_VECTOR) {
322 if (fuzzer_arg_array[fieldptr].contvallen[i] == veclen) {
323 int fne = 0;
324 for (int j = 0; j <
325 fuzzer_arg_array[fieldptr].contvallen[i]; j++) {
326 if (fuzzer_arg_array[fieldptr].contval
327 [i][j] != vecinput[j]) {
328 fne = 1;
329 }
330 }
331 if (fne == 0) {
332 return;
333 }
334 }
335 }
336 }
337 uint64_t **tarray;
338
339 tarray = GENMALLOC((1 + fuzzer_arg_array[fieldptr].contlen)
340 * sizeof(uint64_t **));
341 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
342 tarray[i] = GENMALLOC(fuzzer_arg_array[fieldptr].contvallen
343 [i] * sizeof(uint64_t *));
344 for (int k = 0; k < fuzzer_arg_array[fieldptr].contvallen[i]; k++) {
345 tarray[i][k] = fuzzer_arg_array[fieldptr].contval[i][k];
346 }
347 }
348 tarray[fuzzer_arg_array[fieldptr].contlen] =
349 GENMALLOC(veclen * sizeof(uint64_t *));
350 for (int i = 0; i < veclen; i++) {
351 tarray[fuzzer_arg_array[fieldptr].contlen][i] = vecinput[i];
352 }
353 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
354 GENFREE(fuzzer_arg_array[fieldptr].contval[i]);
355 }
356 GENFREE(fuzzer_arg_array[fieldptr].contval);
357 fuzzer_arg_array[fieldptr].contval = tarray;
358 int *tarraysingle;
359 tarraysingle = GENMALLOC((1 + fuzzer_arg_array[fieldptr].contlen)
360 * sizeof(int *));
361 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
362 tarraysingle[i] = fuzzer_arg_array[fieldptr].contvallen[i];
363 }
364 tarraysingle[fuzzer_arg_array[fieldptr].contlen] = veclen;
365 GENFREE(fuzzer_arg_array[fieldptr].contvallen);
366 fuzzer_arg_array[fieldptr].contvallen = tarraysingle;
367 tarraysingle = GENMALLOC((1 + fuzzer_arg_array[fieldptr].contlen)
368 * sizeof(int *));
369 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
370 tarraysingle[i] = fuzzer_arg_array[fieldptr].conttype[i];
371 }
372 tarraysingle[fuzzer_arg_array[fieldptr].contlen] = contype;
373 GENFREE(fuzzer_arg_array[fieldptr].conttype);
374 fuzzer_arg_array[fieldptr].conttype = tarraysingle;
375 fuzzer_arg_array[fieldptr].contlen++;
376 }
377 if (mode == FUZZER_CONSTRAINT_EXCMODE) {
378 for (int i = 0; i < fuzzer_arg_array[fieldptr].contlen; i++) {
379 GENFREE(fuzzer_arg_array[fieldptr].contval[i]);
380 }
381 GENFREE(fuzzer_arg_array[fieldptr].contval);
382 GENFREE(fuzzer_arg_array[fieldptr].contvallen);
383 GENFREE(fuzzer_arg_array[fieldptr].conttype);
384 fuzzer_arg_array[fieldptr].contval = GENMALLOC(1 * sizeof(uint64_t **));
385 fuzzer_arg_array[fieldptr].contval[0] = GENMALLOC(veclen
386 * sizeof(uint64_t *));
387 for (int i = 0; i < veclen; i++) {
388 fuzzer_arg_array[fieldptr].contval[0][i] = vecinput[i];
389 }
390 fuzzer_arg_array[fieldptr].contvallen = GENMALLOC(1 * sizeof(int *));
391 fuzzer_arg_array[fieldptr].contvallen[0] = veclen;
392 fuzzer_arg_array[fieldptr].contlen = 1;
393 fuzzer_arg_array[fieldptr].conttype = GENMALLOC(1 * sizeof(int *));
394 fuzzer_arg_array[fieldptr].conttype[0] = contype;
395 }
396 }
397 }
398}
399
400/*******************************************************
401* Generate the uncondition(no constraint)
402* fields in the SMC call
403*******************************************************/
404
405uint64_t generate_field_uncon(int smccall, int rsel)
406{
407 uint64_t shiftreg = 0;
408 uint64_t resreg = 0;
409 int fieldptr = 0;
410 int argptr = fuzzer_arg_array_start[smccall] + rsel;
411
412 for (int i = 0; i <= (fuzzer_arg_array_lst[argptr].arg_span[1] -
413 fuzzer_arg_array_lst[argptr].arg_span[0]); i++) {
414 fieldptr = fuzzer_arg_array_lst[argptr].arg_span[0] + i;
415 shiftreg = shiftlft((rand() % shiftlft(1, fuzzer_arg_array[fieldptr].bitw)),
416 fuzzer_arg_array[fieldptr].bitst);
417 resreg = resreg | shiftreg;
418 }
419 return resreg;
420}
421
422uint64_t generate_field_con(int smccall, int rsel)
423{
424 uint64_t shiftreg = 0;
425 uint64_t resreg = 0;
426 int fieldptr = 0;
427 int nullstat = 0;
428 int argptr = fuzzer_arg_array_start[smccall] + rsel;
429
430 for (int i = 0; i <= (fuzzer_arg_array_lst[argptr].arg_span[1] -
431 fuzzer_arg_array_lst[argptr].arg_span[0]); i++) {
432 fieldptr = fuzzer_arg_array_lst[argptr].arg_span[0] + i;
433 nullstat = 0;
434 if (fuzzer_arg_array[fieldptr].contval == NULL) {
435 if (fuzzer_arg_array[fieldptr].defval >
436 (shiftlft(1, fuzzer_arg_array[fieldptr].bitw) - 1)) {
437 printf("Default constraint will not fit inside bitfield %llx %llx\n",
438 fuzzer_arg_array[fieldptr].defval,
439 (shiftlft(1, fuzzer_arg_array[fieldptr].bitw) - 1));
440 panic();
441 } else {
442 shiftreg = shiftlft(fuzzer_arg_array[fieldptr].defval,
443 fuzzer_arg_array[fieldptr].bitst);
444 resreg = resreg | shiftreg;
445 }
446 nullstat = 1;
447 } else if (fuzzer_arg_array[fieldptr].contval[0] == NULL) {
448 if (fuzzer_arg_array[fieldptr].defval >
449 (shiftlft(1, fuzzer_arg_array[fieldptr].bitw) - 1)) {
450 printf("Default constraint will not fit inside bitfield %llx %llx\n",
451 fuzzer_arg_array[fieldptr].defval,
452 (shiftlft(1, fuzzer_arg_array[fieldptr].bitw) - 1));
453 panic();
454 } else {
455 shiftreg = shiftlft(fuzzer_arg_array[fieldptr].defval,
456 fuzzer_arg_array[fieldptr].bitst);
457 resreg = resreg | shiftreg;
458 }
459 nullstat = 1;
460 }
461 if (nullstat == 0) {
462 int selcon = rand() % (fuzzer_arg_array[fieldptr].contlen);
463
464 if (fuzzer_arg_array[fieldptr].conttype[selcon] == FUZZER_CONSTRAINT_SVALUE) {
465 if (fuzzer_arg_array[fieldptr].contval[selcon][0] >
466 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1)) {
467 printf("Constraint will not fit inside bitfield %llx %llx\n",
468 fuzzer_arg_array[fieldptr].contval[selcon][0],
469 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1));
470 panic();
471 } else {
472 shiftreg = shiftlft(fuzzer_arg_array[fieldptr].contval[selcon][0],
473 fuzzer_arg_array[fieldptr].bitst);
474 resreg = resreg | shiftreg;
475 }
476 }
477
478 if (fuzzer_arg_array[fieldptr].conttype[selcon] == FUZZER_CONSTRAINT_RANGE) {
479 uint64_t maxn = shiftlft(1, fuzzer_arg_array[fieldptr].bitw);
480
481 if ((fuzzer_arg_array[fieldptr].contval[selcon][0] >
482 ((maxn) - 1)) || ((fuzzer_arg_array[fieldptr].contval[selcon][1] >
483 ((maxn) - 1)))) {
484 if (fuzzer_arg_array[fieldptr].contval[selcon][0] >
485 ((maxn) - 1)) {
486 printf("Constraint will not fit inside bitfield %llx %llx\n",
487 fuzzer_arg_array[fieldptr].contval[selcon][0], ((maxn) - 1));
488 }
489 if (fuzzer_arg_array[fieldptr].contval[selcon][1] >
490 ((maxn) - 1)) {
491 printf("Constraint will not fit inside bitfield %llx %llx\n",
492 fuzzer_arg_array[fieldptr].contval[selcon][1], ((maxn) - 1));
493 }
494 panic();
495 } else {
496 shiftreg = shiftlft(((rand() %
497 (fuzzer_arg_array[fieldptr].contval[selcon][1] -
498 fuzzer_arg_array[fieldptr].contval[selcon][0] + 1)) +
499 fuzzer_arg_array[fieldptr].contval[selcon][0]),
500 fuzzer_arg_array[fieldptr].bitst);
501 resreg = resreg | shiftreg;
502 }
503 }
504
505 if (fuzzer_arg_array[fieldptr].conttype[selcon] == FUZZER_CONSTRAINT_VECTOR) {
506 for (int j = 0; j < fuzzer_arg_array[fieldptr].contvallen[selcon]; j++) {
507 if (fuzzer_arg_array[fieldptr].contval[selcon][j] >
508 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1)) {
509 printf("Constraint will not fit inside bitfield");
510 printf(" %llx %llx\n",
511 fuzzer_arg_array[fieldptr].contval[selcon][j],
512 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1));
513 panic();
514 }
515 }
516 shiftreg = shiftlft((fuzzer_arg_array[fieldptr].contval[selcon]
517 [(rand() % (fuzzer_arg_array[fieldptr].contvallen[selcon]))]),
518 fuzzer_arg_array[fieldptr].bitst);
519 resreg = resreg | shiftreg;
520 }
521 }
522 }
523 return resreg;
524}
525
526/*******************************************************
527* Generate the field arguments for constrained fields
528* for all sanity levels
529*******************************************************/
530
531struct inputparameters generate_args(int smccall, int sanity)
532{
533 if ((smccall > MAX_SMC_CALLS) || (smccall < 0)) {
534 printf("generate args SMC call is out of bounds\n");
535 panic();
536 }
537 if ((sanity > SANITY_LEVEL_3) || (sanity < 0)) {
538 printf("generate args sanity level is out of bounds\n");
539 panic();
540 }
541 struct inputparameters nparam;
542
543 nparam.x1 = 1;
544 if (sanity == SANITY_LEVEL_0) {
545 for (int i = 0; i < fuzzer_arg_array_range[smccall]; i++) {
546 switch (i) {
547 case 0: {
548 nparam.x1 = rand64bit();
549 break;
550 }
551 case 1: {
552 nparam.x2 = rand64bit();
553 break;
554 }
555 case 2: {
556 nparam.x3 = rand64bit();
557 break;
558 }
559 case 3: {
560 nparam.x4 = rand64bit();
561 break;
562 }
563 case 4: {
564 nparam.x5 = rand64bit();
565 break;
566 }
567 case 5: {
568 nparam.x6 = rand64bit();
569 break;
570 }
571 case 6: {
572 nparam.x7 = rand64bit();
573 break;
574 }
575 case 7: {
576 nparam.x8 = rand64bit();
577 break;
578 }
579 case 8: {
580 nparam.x9 = rand64bit();
581 break;
582 }
583 case 9: {
584 nparam.x10 = rand64bit();
585 break;
586 }
587 case 10: {
588 nparam.x11 = rand64bit();
589 break;
590 }
591 case 11: {
592 nparam.x12 = rand64bit();
593 break;
594 }
595 case 12: {
596 nparam.x13 = rand64bit();
597 break;
598 }
599 case 13: {
600 nparam.x14 = rand64bit();
601 break;
602 }
603 case 14: {
604 nparam.x15 = rand64bit();
605 break;
606 }
607 case 15: {
608 nparam.x16 = rand64bit();
609 break;
610 }
611 case 16: {
612 nparam.x17 = rand64bit();
613 break;
614 }
615 }
616 }
617 }
618 if (sanity == SANITY_LEVEL_1) {
619 int selreg = rand() % (fuzzer_arg_array_range[smccall] + 1);
620 for (int i = 0; i < fuzzer_arg_array_range[smccall]; i++) {
621 switch (i) {
622 case 0: {
623 if (selreg == 0) {
624 nparam.x1 = generate_field_uncon(smccall, i);
625 } else {
626 nparam.x1 = rand64bit();
627 }
628 break;
629 }
630 case 1: {
631 if (selreg == 1) {
632 nparam.x2 = generate_field_uncon(smccall, i);
633 } else {
634 nparam.x2 = rand64bit();
635 }
636 break;
637 }
638 case 2: {
639 if (selreg == 2) {
640 nparam.x3 = generate_field_uncon(smccall, i);
641 } else {
642 nparam.x3 = rand64bit();
643 }
644 break;
645 }
646 case 3: {
647 if (selreg == 3) {
648 nparam.x4 = generate_field_uncon(smccall, i);
649 } else {
650 nparam.x4 = rand64bit();
651 }
652 break;
653 }
654 case 4: {
655 if (selreg == 4) {
656 nparam.x5 = generate_field_uncon(smccall, i);
657 } else {
658 nparam.x5 = rand64bit();
659 }
660 break;
661 }
662 case 5: {
663 if (selreg == 5) {
664 nparam.x6 = generate_field_uncon(smccall, i);
665 } else {
666 nparam.x6 = rand64bit();
667 }
668 break;
669 }
670 case 6: {
671 if (selreg == 6) {
672 nparam.x7 = generate_field_uncon(smccall, i);
673 } else {
674 nparam.x7 = rand64bit();
675 }
676 break;
677 }
678 case 7: {
679 if (selreg == 7) {
680 nparam.x8 = generate_field_uncon(smccall, i);
681 } else {
682 nparam.x8 = rand64bit();
683 }
684 break;
685 }
686 case 8: {
687 if (selreg == 8) {
688 nparam.x9 = generate_field_uncon(smccall, i);
689 } else {
690 nparam.x9 = rand64bit();
691 }
692 break;
693 }
694 case 9: {
695 if (selreg == 9) {
696 nparam.x10 = generate_field_uncon(smccall, i);
697 } else {
698 nparam.x10 = rand64bit();
699 }
700 break;
701 }
702 case 10: {
703 if (selreg == 10) {
704 nparam.x11 = generate_field_uncon(smccall, i);
705 } else {
706 nparam.x11 = rand64bit();
707 }
708 break;
709 }
710 case 11: {
711 if (selreg == 11) {
712 nparam.x12 = generate_field_uncon(smccall, i);
713 } else {
714 nparam.x12 = rand64bit();
715 }
716 break;
717 }
718 case 12: {
719 if (selreg == 12) {
720 nparam.x13 = generate_field_uncon(smccall, i);
721 } else {
722 nparam.x13 = rand64bit();
723 }
724 break;
725 }
726 case 13: {
727 if (selreg == 13) {
728 nparam.x14 = generate_field_uncon(smccall, i);
729 } else {
730 nparam.x14 = rand64bit();
731 }
732 break;
733 }
734 case 14: {
735 if (selreg == 14) {
736 nparam.x15 = generate_field_uncon(smccall, i);
737 } else {
738 nparam.x15 = rand64bit();
739 }
740 break;
741 }
742 case 15: {
743 if (selreg == 15) {
744 nparam.x16 = generate_field_uncon(smccall, i);
745 } else {
746 nparam.x16 = rand64bit();
747 }
748 break;
749 }
750 case 16: {
751 if (selreg == 16) {
752 nparam.x17 = generate_field_uncon(smccall, i);
753 } else {
754 nparam.x17 = rand64bit();
755 }
756 break;
757 }
758 }
759 }
760 }
761 if (sanity == SANITY_LEVEL_2) {
762 for (int i = 0; i < fuzzer_arg_array_range[smccall]; i++) {
763 switch (i) {
764 case 0: {
765 nparam.x1 = generate_field_uncon(smccall, i);
766 break;
767 }
768 case 1: {
769 nparam.x2 = generate_field_uncon(smccall, i);
770 break;
771 }
772 case 2: {
773 nparam.x3 = generate_field_uncon(smccall, i);
774 break;
775 }
776 case 3: {
777 nparam.x4 = generate_field_uncon(smccall, i);
778 break;
779 }
780 case 4: {
781 nparam.x5 = generate_field_uncon(smccall, i);
782 break;
783 }
784 case 5: {
785 nparam.x6 = generate_field_uncon(smccall, i);
786 break;
787 }
788 case 6: {
789 nparam.x7 = generate_field_uncon(smccall, i);
790 break;
791 }
792 case 7: {
793 nparam.x8 = generate_field_uncon(smccall, i);
794 break;
795 }
796 case 8: {
797 nparam.x9 = generate_field_uncon(smccall, i);
798 break;
799 }
800 case 9: {
801 nparam.x10 = generate_field_uncon(smccall, i);
802 break;
803 }
804 case 10: {
805 nparam.x11 = generate_field_uncon(smccall, i);
806 break;
807 }
808 case 11: {
809 nparam.x12 = generate_field_uncon(smccall, i);
810 break;
811 }
812 case 12: {
813 nparam.x13 = generate_field_uncon(smccall, i);
814 break;
815 }
816 case 13: {
817 nparam.x14 = generate_field_uncon(smccall, i);
818 break;
819 }
820 case 14: {
821 nparam.x15 = generate_field_uncon(smccall, i);
822 break;
823 }
824 case 15: {
825 nparam.x16 = generate_field_uncon(smccall, i);
826 break;
827 }
828 case 16: {
829 nparam.x17 = generate_field_uncon(smccall, i);
830 break;
831 }
832 }
833 }
834 }
835 if (sanity == SANITY_LEVEL_3) {
836 for (int i = 0; i < fuzzer_arg_array_range[smccall]; i++) {
837 switch (i) {
838 case 0: {
839 nparam.x1 = generate_field_con(smccall, i);
840 break;
841 }
842 case 1: {
843 nparam.x2 = generate_field_con(smccall, i);
844 break;
845 }
846 case 2: {
847 nparam.x3 = generate_field_con(smccall, i);
848 break;
849 }
850 case 3: {
851 nparam.x4 = generate_field_con(smccall, i);
852 break;
853 }
854 case 4: {
855 nparam.x5 = generate_field_con(smccall, i);
856 break;
857 }
858 case 5: {
859 nparam.x6 = generate_field_con(smccall, i);
860 break;
861 }
862 case 6: {
863 nparam.x7 = generate_field_con(smccall, i);
864 break;
865 }
866 case 7: {
867 nparam.x8 = generate_field_con(smccall, i);
868 break;
869 }
870 case 8: {
871 nparam.x9 = generate_field_con(smccall, i);
872 break;
873 }
874 case 9: {
875 nparam.x10 = generate_field_con(smccall, i);
876 break;
877 }
878 case 10: {
879 nparam.x11 = generate_field_con(smccall, i);
880 break;
881 }
882 case 11: {
883 nparam.x12 = generate_field_con(smccall, i);
884 break;
885 }
886 case 12: {
887 nparam.x13 = generate_field_con(smccall, i);
888 break;
889 }
890 case 13: {
891 nparam.x14 = generate_field_con(smccall, i);
892 break;
893 }
894 case 14: {
895 nparam.x15 = generate_field_con(smccall, i);
896 break;
897 }
898 case 15: {
899 nparam.x16 = generate_field_con(smccall, i);
900 break;
901 }
902 case 16: {
903 nparam.x17 = generate_field_con(smccall, i);
904 break;
905 }
906 }
907 }
908 }
909 #ifdef SMC_FUZZER_DEBUG
910 print_smccall(smccall, nparam);
911 #endif
912 return nparam;
913}
914
915/*******************************************************
916* Get generated value from fuzzer for a given field
917*******************************************************/
918
919uint64_t get_generated_value(int fieldnameptr, struct inputparameters inp)
920{
921 uint64_t xval = 0;
922 int argdef = fuzzer_fieldarg[fieldnameptr];
923 int fieldname = fuzzer_fieldfld[fieldnameptr];
924 int fieldptr = fuzzer_arg_array_lst[argdef].arg_span[0] + fieldname;
925
926 switch(fuzzer_arg_array[fieldptr].regnum) {
927 case 1: {
928 xval = shiftrht(inp.x1, fuzzer_arg_array[fieldptr].bitst) &
929 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
930 return xval;
931 }
932 case 2: {
933 xval = shiftrht(inp.x2, fuzzer_arg_array[fieldptr].bitst) &
934 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
935 return xval;
936 }
937 case 3: {
938 xval = shiftrht(inp.x3, fuzzer_arg_array[fieldptr].bitst) &
939 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
940 return xval;
941 }
942 case 4: {
943 xval = shiftrht(inp.x4, fuzzer_arg_array[fieldptr].bitst) &
944 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
945 return xval;
946 }
947 case 5: {
948 xval = shiftrht(inp.x5, fuzzer_arg_array[fieldptr].bitst) &
949 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
950 return xval;
951 }
952 case 6: {
953 xval = shiftrht(inp.x6, fuzzer_arg_array[fieldptr].bitst) &
954 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
955 return xval;
956 }
957 case 7: {
958 xval = shiftrht(inp.x7, fuzzer_arg_array[fieldptr].bitst) &
959 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
960 return xval;
961 }
962 case 8: {
963 xval = shiftrht(inp.x8, fuzzer_arg_array[fieldptr].bitst) &
964 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
965 return xval;
966 }
967 case 9: {
968 xval = shiftrht(inp.x9, fuzzer_arg_array[fieldptr].bitst) &
969 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
970 return xval;
971 }
972 case 10: {
973 xval = shiftrht(inp.x10, fuzzer_arg_array[fieldptr].bitst) &
974 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
975 return xval;
976 }
977 case 11: {
978 xval = shiftrht(inp.x11, fuzzer_arg_array[fieldptr].bitst) &
979 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
980 return xval;
981 }
982 case 12: {
983 xval = shiftrht(inp.x12, fuzzer_arg_array[fieldptr].bitst) &
984 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
985 return xval;
986 }
987 case 13: {
988 xval = shiftrht(inp.x13, fuzzer_arg_array[fieldptr].bitst) &
989 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
990 return xval;
991 }
992 case 14: {
993 xval = shiftrht(inp.x14, fuzzer_arg_array[fieldptr].bitst) &
994 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
995 return xval;
996 }
997 case 15: {
998 xval = shiftrht(inp.x15, fuzzer_arg_array[fieldptr].bitst) &
999 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
1000 return xval;
1001 }
1002 case 16: {
1003 xval = shiftrht(inp.x16, fuzzer_arg_array[fieldptr].bitst) &
1004 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
1005 return xval;
1006 }
1007 case 17: {
1008 xval = shiftrht(inp.x17, fuzzer_arg_array[fieldptr].bitst) &
1009 ((shiftlft(1, fuzzer_arg_array[fieldptr].bitw)) - 1);
1010 return xval;
1011 }
1012 }
1013 return xval;
1014}
1015
1016/*******************************************************
1017* Print the values from a generated SMC call from fuzzer
1018*******************************************************/
1019
1020void print_smccall(int smccall, struct inputparameters inp)
1021{
1022 if ((smccall > MAX_SMC_CALLS) || (smccall < 0)) {
1023 printf("generate args SMC call is out of bounds\n");
1024 panic();
1025 }
1026 int argptr = fuzzer_arg_array_start[smccall];
1027 int fieldptr = fuzzer_arg_array_lst[fuzzer_arg_array_start[smccall]].arg_span[0];
1028
1029 printf("%s\n", fuzzer_arg_array[fieldptr].smcname);
1030 for (int i = 0; i < (fuzzer_arg_array_range[smccall]); i++) {
1031 fieldptr = fuzzer_arg_array_lst[argptr + i].arg_span[0];
1032 printf("argument: %s\n", fuzzer_arg_array[fieldptr].smcargname);
1033 for (int j = fieldptr; j <= ((fuzzer_arg_array_lst[argptr + i].arg_span[1] -
1034 fuzzer_arg_array_lst[argptr + i].arg_span[0]) + fieldptr); j++) {
1035 printf("%s = %llx\n", fuzzer_arg_array[j].bnames,
1036 get_generated_value(j, inp));
1037 }
1038 }
1039 printf("\n\n");
1040}