// SPDX-License-Identifier: GPL-2.0
/*
 * Copyright 2018, Breno Leitao, IBM Corp.
 * Licensed under GPLv2.
 *
 * Sigfuz(tm): A PowerPC TM-aware signal fuzzer.
 *
 * This is a new selftest that raises SIGUSR1 signals and handles it in a set
 * of different ways, trying to create different scenario for testing
 * purpose.
 *
 * This test works raising a signal and calling sigreturn interleaved with
 * TM operations, as starting, suspending and terminating a transaction. The
 * test depends on random numbers, and, based on them, it sets different TM
 * states.
 *
 * Other than that, the test fills out the user context struct that is passed
 * to the sigreturn system call with random data, in order to make sure that
 * the signal handler syscall can handle different and invalid states
 * properly.
 *
 * This selftest has command line parameters to control what kind of tests the
 * user wants to run, as for example, if a transaction should be started prior
 * to signal being raised, or, after the signal being raised and before the
 * sigreturn. If no parameter is given, the default is enabling all options.
 *
 * This test does not check if the user context is being read and set
 * properly by the kernel. Its purpose, at this time, is basically
 * guaranteeing that the kernel does not crash on invalid scenarios.
 */

#include <stdio.h>
#include <limits.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <ucontext.h>
#include <sys/mman.h>
#include <pthread.h>
#include "utils.h"

/* Selftest defaults */
#define COUNT_MAX       600             /* Number of interactions */
#define THREADS         16              /* Number of threads */

/* Arguments options */
#define ARG_MESS_WITH_TM_AT     0x1
#define ARG_MESS_WITH_TM_BEFORE 0x2
#define ARG_MESS_WITH_MSR_AT    0x4
#define ARG_FOREVER             0x10
#define ARG_COMPLETE            (ARG_MESS_WITH_TM_AT |          \
                                ARG_MESS_WITH_TM_BEFORE |       \
                                ARG_MESS_WITH_MSR_AT)

static int args;
static int nthread = THREADS;
static int count_max = COUNT_MAX;

/* checkpoint context */
static ucontext_t *tmp_uc;

/* Return true with 1/x probability */
static int one_in_chance(int x)
{
        return rand() % x == 0;
}

/* Change TM states */
static void mess_with_tm(void)
{
        /* Starts a transaction 33% of the time */
        if (one_in_chance(3)) {
                asm ("tbegin.   ;"
                     "beq 8     ;");

                /* And suspended half of them */
                if (one_in_chance(2))
                        asm("tsuspend.  ;");
        }

        /* Call 'tend' in 5% of the runs */
        if (one_in_chance(20))
                asm("tend.      ;");
}

/* Signal handler that will be invoked with raise() */
static void trap_signal_handler(int signo, siginfo_t *si, void *uc)
{
        ucontext_t *ucp = uc;

        ucp->uc_link = tmp_uc;

        /*
         * Set uc_link in three possible ways:
         *  - Setting a single 'int' in the whole chunk
         *  - Cloning ucp into uc_link
         *  - Allocating a new memory chunk
         */
        if (one_in_chance(3)) {
                memset(ucp->uc_link, rand(), sizeof(ucontext_t));
        } else if (one_in_chance(2)) {
                memcpy(ucp->uc_link, uc, sizeof(ucontext_t));
        } else if (one_in_chance(2)) {
                if (tmp_uc) {
                        free(tmp_uc);
                        tmp_uc = NULL;
                }
                tmp_uc = malloc(sizeof(ucontext_t));
                ucp->uc_link = tmp_uc;
                /* Trying to cause a major page fault at Kernel level */
                madvise(ucp->uc_link, sizeof(ucontext_t), MADV_DONTNEED);
        }

        if (args & ARG_MESS_WITH_MSR_AT) {
                /* Changing the checkpointed registers */
                if (one_in_chance(4)) {
                        ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] |= MSR_TS_S;
                } else {
                        if (one_in_chance(2)) {
                                ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] |=
                                                 MSR_TS_T;
                        } else if (one_in_chance(2)) {
                                ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] |=
                                                MSR_TS_T | MSR_TS_S;
                        }
                }

                /* Checking the current register context */
                if (one_in_chance(2)) {
                        ucp->uc_mcontext.gp_regs[PT_MSR] |= MSR_TS_S;
                } else if (one_in_chance(2)) {
                        if (one_in_chance(2))
                                ucp->uc_mcontext.gp_regs[PT_MSR] |=
                                        MSR_TS_T;
                        else if (one_in_chance(2))
                                ucp->uc_mcontext.gp_regs[PT_MSR] |=
                                        MSR_TS_T | MSR_TS_S;
                }
        }

        if (one_in_chance(20)) {
                /* Nested transaction start */
                if (one_in_chance(5))
                        mess_with_tm();

                /* Return without changing any other context info */
                return;
        }

        if (one_in_chance(10))
                ucp->uc_mcontext.gp_regs[PT_MSR] = random();
        if (one_in_chance(10))
                ucp->uc_mcontext.gp_regs[PT_NIP] = random();
        if (one_in_chance(10))
                ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] = random();
        if (one_in_chance(10))
                ucp->uc_link->uc_mcontext.gp_regs[PT_NIP] = random();

        ucp->uc_mcontext.gp_regs[PT_TRAP] = random();
        ucp->uc_mcontext.gp_regs[PT_DSISR] = random();
        ucp->uc_mcontext.gp_regs[PT_DAR] = random();
        ucp->uc_mcontext.gp_regs[PT_ORIG_R3] = random();
        ucp->uc_mcontext.gp_regs[PT_XER] = random();
        ucp->uc_mcontext.gp_regs[PT_RESULT] = random();
        ucp->uc_mcontext.gp_regs[PT_SOFTE] = random();
        ucp->uc_mcontext.gp_regs[PT_DSCR] = random();
        ucp->uc_mcontext.gp_regs[PT_CTR] = random();
        ucp->uc_mcontext.gp_regs[PT_LNK] = random();
        ucp->uc_mcontext.gp_regs[PT_CCR] = random();
        ucp->uc_mcontext.gp_regs[PT_REGS_COUNT] = random();

        ucp->uc_link->uc_mcontext.gp_regs[PT_TRAP] = random();
        ucp->uc_link->uc_mcontext.gp_regs[PT_DSISR] = random();
        ucp->uc_link->uc_mcontext.gp_regs[PT_DAR] = random();
        ucp->uc_link->uc_mcontext.gp_regs[PT_ORIG_R3] = random();
        ucp->uc_link->uc_mcontext.gp_regs[PT_XER] = random();
        ucp->uc_link->uc_mcontext.gp_regs[PT_RESULT] = random();
        ucp->uc_link->uc_mcontext.gp_regs[PT_SOFTE] = random();
        ucp->uc_link->uc_mcontext.gp_regs[PT_DSCR] = random();
        ucp->uc_link->uc_mcontext.gp_regs[PT_CTR] = random();
        ucp->uc_link->uc_mcontext.gp_regs[PT_LNK] = random();
        ucp->uc_link->uc_mcontext.gp_regs[PT_CCR] = random();
        ucp->uc_link->uc_mcontext.gp_regs[PT_REGS_COUNT] = random();

        if (args & ARG_MESS_WITH_TM_BEFORE) {
                if (one_in_chance(2))
                        mess_with_tm();
        }
}

static void seg_signal_handler(int signo, siginfo_t *si, void *uc)
{
        /* Clear exit for process that segfaults */
        exit(0);
}

static void *sigfuz_test(void *thrid)
{
        struct sigaction trap_sa, seg_sa;
        int ret, i = 0;
        pid_t t;

        tmp_uc = malloc(sizeof(ucontext_t));

        /* Main signal handler */
        trap_sa.sa_flags = SA_SIGINFO;
        trap_sa.sa_sigaction = trap_signal_handler;

        /* SIGSEGV signal handler */
        seg_sa.sa_flags = SA_SIGINFO;
        seg_sa.sa_sigaction = seg_signal_handler;

        /* The signal handler will enable MSR_TS */
        sigaction(SIGUSR1, &trap_sa, NULL);

        /* If it does not crash, it will segfault, avoid it to retest */
        sigaction(SIGSEGV, &seg_sa, NULL);

        while (i < count_max) {
                t = fork();

                if (t == 0) {
                        /* Once seed per process */
                        srand(time(NULL) + getpid());
                        if (args & ARG_MESS_WITH_TM_AT) {
                                if (one_in_chance(2))
                                        mess_with_tm();
                        }
                        raise(SIGUSR1);
                        exit(0);
                } else {
                        waitpid(t, &ret, 0);
                }
                if (!(args & ARG_FOREVER))
                        i++;
        }

        /* If not freed already, free now */
        if (tmp_uc) {
                free(tmp_uc);
                tmp_uc = NULL;
        }

        return NULL;
}

static int signal_fuzzer(void)
{
        int t, rc;
        pthread_t *threads;

        threads = malloc(nthread * sizeof(pthread_t));

        for (t = 0; t < nthread; t++) {
                rc = pthread_create(&threads[t], NULL, sigfuz_test,
                                    (void *)&t);
                if (rc)
                        perror("Thread creation error\n");
        }

        for (t = 0; t < nthread; t++) {
                rc = pthread_join(threads[t], NULL);
                if (rc)
                        perror("Thread join error\n");
        }

        free(threads);

        return EXIT_SUCCESS;
}

static void show_help(char *name)
{
        printf("%s: Sigfuzzer for powerpc\n", name);
        printf("Usage:\n");
        printf("\t-b\t Mess with TM before raising a SIGUSR1 signal\n");
        printf("\t-a\t Mess with TM after raising a SIGUSR1 signal\n");
        printf("\t-m\t Mess with MSR[TS] bits at mcontext\n");
        printf("\t-x\t Mess with everything above\n");
        printf("\t-f\t Run forever (Press ^C to Quit)\n");
        printf("\t-i\t Amount of interactions.  (Default = %d)\n", COUNT_MAX);
        printf("\t-t\t Amount of threads.       (Default = %d)\n", THREADS);
        exit(-1);
}

int main(int argc, char **argv)
{
        int opt;

        while ((opt = getopt(argc, argv, "bamxt:fi:h")) != -1) {
                if (opt == 'b') {
                        printf("Mess with TM before signal\n");
                        args |= ARG_MESS_WITH_TM_BEFORE;
                } else if (opt == 'a') {
                        printf("Mess with TM at signal handler\n");
                        args |= ARG_MESS_WITH_TM_AT;
                } else if (opt == 'm') {
                        printf("Mess with MSR[TS] bits in mcontext\n");
                        args |= ARG_MESS_WITH_MSR_AT;
                } else if (opt == 'x') {
                        printf("Running with all options enabled\n");
                        args |= ARG_COMPLETE;
                } else if (opt == 't') {
                        nthread = atoi(optarg);
                        printf("Threads = %d\n", nthread);
                } else if (opt == 'f') {
                        args |= ARG_FOREVER;
                        printf("Press ^C to stop\n");
                        test_harness_set_timeout(-1);
                } else if (opt == 'i') {
                        count_max = atoi(optarg);
                        printf("Running for %d interactions\n", count_max);
                } else if (opt == 'h') {
                        show_help(argv[0]);
                }
        }

        /* Default test suite */
        if (!args)
                args = ARG_COMPLETE;

        test_harness(signal_fuzzer, "signal_fuzzer");
}