Commit c84b8f8f authored by Andrew Jeffery's avatar Andrew Jeffery

test: Add windows_equally_evictable

Tests for the condition where the minimum age is less than any window's
current age, in which case we can get a NULL dereference if the
windows_reset_all() implementation is broken.

    windows.c:409:23: runtime error: member access within null pointer of type 'struct window_context'
    ==31400==ERROR: AddressSanitizer: SEGV on unknown address 0x00000004 (pc 0x0002b658 bp 0x74c00270 sp 0x7eb7c678 T0)
    ==31400==The signal is caused by a WRITE memory access.
    ==31400==Hint: address points to the zero page.
        #0 0x2b657 in window_reset windows.c:410
        #1 0x2cc9b in windows_create_map windows.c:572
        #2 0x1f3f3 in protocol_v1_create_window protocol.c:167
        #3 0x2121b in protocol_v2_create_window protocol.c:417
        #4 0x24cd7f in generic_vpnor_create_window vpnor/protocol.cpp:51
        #5 0x24d053 in protocol_v2_vpnor_create_window vpnor/protocol.cpp:63
        #6 0x2663b in mbox_handle_create_window transport_mbox.c:282
        #7 0x276db in handle_mbox_req transport_mbox.c:568
        #8 0x276db in transport_mbox_dispatch transport_mbox.c:649
        #9 0x17fcb in poll_loop mboxd.c:185
        #10 0x17fcb in main mboxd.c:423
        #11 0x46b68517 in __libc_start_main (/lib/

    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV windows.c:410 in window_reset

Change-Id: I8161e2ea17953e196d4bb3ca90d19e44ec10c86d
Signed-off-by: Andrew Jeffery's avatarAndrew Jeffery <>
parent b5fd0a47
......@@ -99,6 +99,9 @@ test_sequence_numbers_SOURCES = %reldir%/sequence_numbers.c \
test_get_mbox_info_v2_timeout_SOURCES = %reldir%/get_mbox_info_v2_timeout.c \
test_windows_equally_evictable_SOURCES = %reldir%/windows_equally_evictable.c \
check_PROGRAMS += \
%reldir%/sanity \
%reldir%/flash_copy \
......@@ -126,4 +129,5 @@ check_PROGRAMS += \
%reldir%/invalid_command \
%reldir%/read_window_cycle \
%reldir%/sequence_numbers \
%reldir%/get_mbox_info_v2_timeout \
// SPDX-License-Identifier: Apache-2.0
// Copyright (C) 2018 IBM Corp.
#include <assert.h>
#include <string.h>
#include "config.h"
#include "transport_mbox.h"
#include "windows.h"
#include "test/mbox.h"
#include "test/system.h"
struct test_context
uint8_t seq;
struct mbox_context *ctx;
// Configure the system and the paritions such that we eventually request a
// window that covers the last section of flash, but the remaining flash is
// smaller than the window size
#define BLOCK_SIZE 4096
#define N_WINDOWS 3
static const uint8_t get_info[] = {0x02, 0x00, 0x02, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00};
static int mbox_create_read_window(struct test_context *tctx, size_t offset,
size_t len)
union mbox_regs regs;
memset(&regs, 0, sizeof(regs));
regs.msg.command = MBOX_CREATE_READ_WINDOW;
regs.msg.seq = ++tctx->seq;
put_u16(&regs.msg.args[0], offset);
put_u16(&regs.msg.args[2], len);
return mbox_command_dispatch(tctx->ctx, regs.raw, sizeof(regs.raw));
int main()
struct test_context _tctx = {0}, *tctx = &_tctx;
size_t len;
size_t pos;
int rc;
system_set_mtd_sizes(PNOR_SIZE, ERASE_SIZE);
tctx->ctx = mbox_create_test_context(N_WINDOWS, WINDOW_SIZE);
rc = mbox_command_dispatch(tctx->ctx, get_info, sizeof(get_info));
assert(rc == 1);
pos = 0;
while (pos < ((PNOR_SIZE - BLOCK_SIZE) / BLOCK_SIZE))
struct mbox_msg _msg, *msg = &_msg;
rc = mbox_create_read_window(tctx, pos, (WINDOW_SIZE / BLOCK_SIZE));
assert(rc == 1);
mbox_rspcpy(tctx->ctx, msg);
len = get_u16(&msg->args[2]);
pos = get_u16(&msg->args[4]) + len;
rc = mbox_create_read_window(tctx, pos, (WINDOW_SIZE / BLOCK_SIZE));
assert(rc == 1);
return 0;
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment