Add lseek call and short doc

8 years ago · b475edfcc3
2 changed files with 40 additions and 2 deletions
--- a/FUZZING.md
+++ b/FUZZING.md
@ -0,0 +1,29 @@
+# Fuzzing SPIFFS
+
+The SPIFFS test suite includes a test program designed for fuzzing with
+[AFL](http://lcamtuf.coredump.cx/afl/). This automatically exercises the 
+SPIFFS API and verifies that the file system does not crash or interact incorrectly
+with the flash chip. 
+
+There are two steps to fuzzing. The first is to build the test suite with
+the AFL version of gcc. The CC variable should point to your copy of afl-gcc.
+
+```
+make clean test CC=/usr/local/bin/afl-gcc
+```
+
+There is a new test `afl_test` that reads from stdin a list of commands
+and arguments. These are interpreted and executed on the API. The `afltests`
+directory contains a number of test cases that can be fed to the `afl_test` test.
+
+
+The second is to run this test suite under afl as follows (where findings is 
+the output directory):
+
+```
+afl-fuzz -i afltests -o findings ./build/linux_spiffs_test -f afl_test
+```
+
+This run will take hours (or days) and will (hopefully) not find any crashes.
+If a crash (or hang) is found, then the input file that caused the crash is 
+saved. This allows the specific test case to be debugged.
--- a/src/test/test_bugreports.c
+++ b/src/test/test_bugreports.c
@ -647,7 +647,17 @@ TEST(afl_test) {
 	  SPIFFS_close(FS, fd[fdn]);
 	}
 	fd[fdn] = SPIFFS_open(FS, filename[(arg>>3) & 7], modes[arg & 7], 0);
-	printf("Open returned %d\n", fd[fdn]);
+	break;
+
+      case 'S':
+	if (fd[fdn] >= 0) {
+	  int offset = (14 << (arg & 7)) + arg;
+	  if (arg & 16) {
+	    offset = -offset;
+	  }
+	  int whence = (arg & 63) % 3;
+	  SPIFFS_lseek(FS, fd[fdn], offset, whence);
+	}
 	break;

      case 'R':
@ -659,7 +669,6 @@ TEST(afl_test) {
      case 'W':
 	if (fd[fdn] >= 0) {
 	  int rc = SPIFFS_write(FS, fd[fdn], buff, (15 << (arg & 7)) + (arg & 127));
-	  printf("Write returned %d\n", rc);
 	}
 	break;