From 3f4dbb2f6fff9479d6c250e224bc3cb7f5cd66ed Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov <dvyukov@google.com>
Date: Fri, 1 May 2020 11:56:50 +0200
Subject: prog: fix size assignment for squashed args

We can have a situation where len target points
into a squashed argument. In suca case we don't have the target argument.
In such case we simply leave size argument as is. It can't happen during generation,
only during mutation and mutation can set size to random values, so it should be fine.
This is a lateny bug, we just never had such case before.
---
 prog/any.go       | 4 ++--
 prog/size.go      | 6 ++++++
 prog/size_test.go | 7 +++++++
 prog/test_util.go | 4 ++--
 4 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/prog/any.go b/prog/any.go
index f8593395a..15ce6ec53 100644
--- a/prog/any.go
+++ b/prog/any.go
@@ -49,7 +49,7 @@ func initAnyTypes(target *Target) {
 	}
 	target.any.ptrPtr = &PtrType{
 		TypeCommon: TypeCommon{
-			TypeName:   "ptr",
+			TypeName:   "ANYPTR",
 			FldName:    "ANYPTR",
 			TypeSize:   target.PtrSize,
 			IsOptional: true,
@@ -58,7 +58,7 @@ func initAnyTypes(target *Target) {
 	}
 	target.any.ptr64 = &PtrType{
 		TypeCommon: TypeCommon{
-			TypeName:   "ptr64",
+			TypeName:   "ANYPTR64",
 			FldName:    "ANYPTR64",
 			TypeSize:   8,
 			IsOptional: true,
diff --git a/prog/size.go b/prog/size.go
index b621cb6bc..3b0bf0b0f 100644
--- a/prog/size.go
+++ b/prog/size.go
@@ -47,6 +47,12 @@ func (target *Target) assignSize(dst *ConstArg, pos Arg, path []string, args []A
 			offset += buf.Size()
 			continue
 		}
+		if typ := buf.Type().Name(); typ == target.any.ptrPtr.Name() || typ == target.any.ptr64.Name() {
+			// If path points into squashed argument, we don't have the target argument.
+			// In such case we simply leave size argument as is. It can't happen during generation,
+			// only during mutation and mutation can set size to random values, so it should be fine.
+			return
+		}
 		buf = InnerArg(buf)
 		if buf == nil {
 			dst.Val = 0 // target is an optional pointer
diff --git a/prog/size_test.go b/prog/size_test.go
index f0bf6c2f0..49945273b 100644
--- a/prog/size_test.go
+++ b/prog/size_test.go
@@ -158,5 +158,12 @@ func TestAssignSize(t *testing.T) {
 			In:  "test$offsetof0(&(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})",
 			Out: "test$offsetof0(&(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x6, 0x8, 0x10, 0x18, 0x18, 0x20})",
 		},
+		{
+			// If len target points into squashed argument, value is not updated.
+			In: `
+test$length11(&(0x7f0000000000)=ANY=[@ANYBLOB="11"], 0x42)
+test$length30(&(0x7f0000000000)=ANY=[@ANYBLOB="11"], 0x42, &(0x7f0000000000)=0x43, 0x44)
+`,
+		},
 	})
 }
diff --git a/prog/test_util.go b/prog/test_util.go
index 7f391792c..07f24141a 100644
--- a/prog/test_util.go
+++ b/prog/test_util.go
@@ -34,10 +34,10 @@ func TestDeserializeHelper(t *testing.T, OS, arch string, transform func(*Target
 				test.StrictErr = test.Err
 			}
 			if test.Err != "" && test.Out != "" {
-				t.Fatalf("both Err and Out are set")
+				t.Errorf("both Err and Out are set")
 			}
 			if test.In == test.Out {
-				t.Fatalf("In and Out are equal, remove Out in such case\n%v", test.In)
+				t.Errorf("In and Out are equal, remove Out in such case\n%v", test.In)
 			}
 			if test.Out == "" {
 				test.Out = test.In
-- 
cgit mrf-deployment