__int64 __fastcall read_content(__int64 a1, int a2)
{
  __int64 result; // rax
  int i; // [rsp+1Ch] [rbp-14h]
  char s; // [rsp+20h] [rbp-10h]
  unsigned __int64 v5; // [rsp+28h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  memset(&s, 0, 8uLL);
  for ( i = 0; i < a2; ++i )
  {
    if ( read(0, &s, 1uLL) <= 0 )
      exit(1);
    if ( s == 10 )
      break;
    *(_BYTE *)(a1 + i) = s;
  }
  result = (unsigned int)i;
  if ( i == a2 )
  {
    result = i + a1;                            // null off by one
    *(_BYTE *)result = 0;
  }
  return result;
}

void menu()
{
	puts("------------------------");
	puts("1: malloc. ");
	puts("2: free. ");
	puts("3: puts. ");
	puts("4: exit. ");
	puts("------------------------");
	printf("which command?\n> ");
}

void safe_read (char *pt1,unsigned int size)
{
	int i=0;
	if(size==0)
	{
		pt1[0]='\0';
		return;
	}	
	while(1)
	{
		read(0,&pt1[i],1);
		if(i>size-1 || pt1[i]=='\0' || pt1[i]=='\n')
			break;
		i+=1;
	}
	pt1[i]='\0';
	pt1[size]='\0';
}

void malloc_1()
{
	int i;
	unsigned int size;
	for (i=0;i<=9;i++)
	{
		if ( tk->kele[i].pt1==NULL)
			break;
		else continue;
	}
	if (i==10)
		{
			puts("full!");
			return;
		}	
	tk->kele[i].pt1=(char *)malloc(0xf8);
	if (tk->kele[i].pt1==NULL)
		{
			puts("malloc error!");
			bye_bye();
		}
	printf("size \n> ");
	size=get_atoi();
	if(size>0xf8)
		bye_bye();
	tk->kele[i].size=size;
	printf("content \n> ");
	safe_read(tk->kele[i].pt1,tk->kele[i].size);
}

A = malloc(0xf8);
B = malloc(0xf8);
C = malloc(0xf8);
malloc(0xf8); //防止和top_chunk合并
free(A);
free(B);
free(C);/*这里为什么还有freeC呢,因为unsortbin被遍历放到smallbins里面，通过bitmap再拿到之后，会进行分割，会对分割剩下的chunk,设置foot，即reminder_size。这个时候，如果不freeC，这里的0x200会变成0x100，前面做的就白费了*/
//这里就在C的chunk的结构上设置好了0x200
A = malloc(0xf8);
B = malloc(0xf8); // 根据题目条件这里是通过这种输入的size来控制溢出。所以这里我们不会把0x200再覆盖掉。
(char *)B[16] = 0;
C = malloc(0xf8);
free(C)

static __always_inline void *
tcache_get (size_t tc_idx)
{
  tcache_entry *e = tcache->entries[tc_idx];
  assert (tc_idx < TCACHE_MAX_BINS);
  assert (tcache->entries[tc_idx] > 0);
  tcache->entries[tc_idx] = e->next;
  --(tcache->counts[tc_idx]);
  e->key = NULL;
  return (void *) e;
}

__int64 __fastcall show(unsigned int a1, __int64 a2)
{
  __int64 result; // rax

  if ( a1 <= 9 )
  {
    result = heap[a1];
    if ( result )
    {
      myputs(heap[a1], a2);
      result = myputs("Done!\n", a2);
    }
  }
  return result;
}

__int64 __fastcall del(unsigned int a1, __int64 a2)
{
  __int64 result; // rax

  if ( a1 <= 9 )
  {
    free((void *)heap[a1]);
    result = myputs("Done!\n", a2);
  }
  return result;
}

void __fastcall alloc(unsigned int a1, __int64 a2)
{
  void *v2; // rsi

  if ( a1 <= 9 )
  {
    heap[a1] = malloc(0x50uLL);
    myputs("Content:", a2);
    v2 = (void *)heap[a1];
    read(0, v2, 0x50uLL);
    myputs("Done!\n", v2);
  }
}

int
_IO_flush_all_lockp (int do_lock)
{
  int result = 0;
  FILE *fp;
 ...
  for (fp = (FILE *) _IO_list_all; fp != NULL; fp = fp->_chain)
    {
      run_fp = fp;
      if (do_lock)
	_IO_flockfile (fp);

      if (((fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base)
	   || (_IO_vtable_offset (fp) == 0
	       && fp->_mode > 0 && (fp->_wide_data->_IO_write_ptr
				    > fp->_wide_data->_IO_write_base))
	   )
	  && _IO_OVERFLOW (fp, EOF) == EOF)
	result = EOF;

      if (do_lock)
	_IO_funlockfile (fp);
      run_fp = NULL;
    }

...

  return result;
}

(_IO_vtable_offset (fp) == 0
       && fp->_mode > 0 && (fp->_wide_data->_IO_write_ptr
			    > fp->_wide_data->_IO_write_base)

static inline const struct _IO_jump_t *
IO_validate_vtable (const struct _IO_jump_t *vtable)
{
  uintptr_t section_length = __stop___libc_IO_vtables - __start___libc_IO_vtables;
  const char *ptr = (const char *) vtable;
  uintptr_t offset = ptr - __start___libc_IO_vtables;
  if (__glibc_unlikely (offset >= section_length)) //检查vtable指针是否在glibc的vtable段中。
    /* The vtable pointer is not in the expected section.  Use the
       slow path, which will terminate the process if necessary.  */
    _IO_vtable_check ();
  return vtable;
}

void
_IO_str_finish (fp, dummy)
     _IO_FILE *fp;
     int dummy;
{
  if (fp->_IO_buf_base && !(fp->_flags & _IO_USER_BUF))
    (((_IO_strfile *) fp)->_s._free_buffer) (fp->_IO_buf_base);
  fp->_IO_buf_base = NULL;

  INTUSE(_IO_default_finish) (fp, 0);
}

pwndbg> p _IO_str_jumps 
$9 = {
  __dummy = 0, 
  __dummy2 = 0, 
  __finish = 0x7ffff7e9cc02 <_IO_str_finish>, 
  __overflow = 0x7ffff7e9c8ab <__GI__IO_str_overflow>, 

struct _IO_streambuf
{
  struct _IO_FILE _f;
  const void *_vtable;
};

typedef struct _IO_strfile_
{
  struct _IO_streambuf _sbf;
  struct _IO_str_fields _s;
} _IO_strfile;

struct _IO_str_fields
{
  _IO_alloc_type _allocate_buffer;
  _IO_free_type _free_buffer;
};

struct vm{
       char * mem;  //malloc分配的内存区
       char * stack; // vm里面栈空间，指向栈顶
       uint stack_size; // 栈空间的大小
       uint mem_size; //内存区的大小
       uint *[256]; //breakpoint 断点区
       uint r0; // R0-R15
       uint r1;
       ...
       uint r15;
       uint eip;
       uint esp
       uint ebp;
       uint16	eflags;
   }

if ( v1 >= v2 || *(_DWORD *)(a1 + 1116) >= *(_DWORD *)(a1 + 16) || v2 <= *(_DWORD *)(a1 + 1120) )
    return 1LL;      

void attribute_hidden
_IO_vtable_check (void)
{
#ifdef SHARED
  /* Honor the compatibility flag.  */
  void (*flag) (void) = atomic_load_relaxed (&IO_accept_foreign_vtables);
#ifdef PTR_DEMANGLE
  PTR_DEMANGLE (flag);
#endif
  if (flag == &_IO_vtable_check)
    return;

  {
    Dl_info di;
    struct link_map *l;
    if (!rtld_active ()
        || (_dl_addr (_IO_vtable_check, &di, &l, NULL) != 0
            && l->l_ns != LM_ID_BASE))
      return;
  }
  
  ...
  
  __libc_fatal ("Fatal error: glibc detected an invalid stdio handle\n");
}

void
_IO_str_finish (FILE *fp, int dummy)
{
  if (fp->_IO_buf_base && !(fp->_flags & _IO_USER_BUF))
    free (fp->_IO_buf_base);
  fp->_IO_buf_base = NULL;

  _IO_default_finish (fp, 0);
}

#ifdef SHARED
  /* Honor the compatibility flag.  */
  void (*flag) (void) = atomic_load_relaxed (&IO_accept_foreign_vtables);
#ifdef PTR_DEMANGLE
  PTR_DEMANGLE (flag);
#endif
  if (flag == &_IO_vtable_check)
    return;

arch_prctl(ARCH_SET_FS, 0x7fc189ed0740) = 0

typedef struct
{
  void *tcb;		/* Pointer to the TCB.  Not necessarily the
			   thread descriptor used by libpthread.  */
  dtv_t *dtv;
  void *self;		/* Pointer to the thread descriptor.  */
  int multiple_threads;
  int gscope_flag;
  uintptr_t sysinfo;
  uintptr_t stack_guard;
  uintptr_t pointer_guard;
  ...
} tcbhead_t;

...
const char *lossage = TLS_INIT_TP (tcbp);
...

void *tcbp = _dl_allocate_tls_storage ();

void *
_dl_allocate_tls_storage (void)
{
  void *result;
  size_t size = GL(dl_tls_static_size);
	...
  size_t alignment = GL(dl_tls_static_align);
  void *allocated = malloc (size + alignment + sizeof (void *));
  if (__glibc_unlikely (allocated == NULL))
    return NULL;
  ...
  void *aligned = (void *) roundup ((uintptr_t) allocated, alignment);
  result = aligned + size - TLS_TCB_SIZE;

  memset (result, '\0', TLS_TCB_SIZE);
	...
  result = allocate_dtv (result);
  if (result == NULL)
    free (allocated);
  return result;
}

void * weak_function
malloc (size_t n)
{
  if (alloc_end == 0)
    {
      /* Consume any unused space in the last page of our data segment.  */
      extern int _end attribute_hidden;
      alloc_ptr = &_end;
      alloc_end = (void *) 0 + (((alloc_ptr - (void *) 0)
				 + GLRO(dl_pagesize) - 1)
				& ~(GLRO(dl_pagesize) - 1));
    }

	 ...

  if (alloc_ptr + n >= alloc_end || n >= -(uintptr_t) alloc_ptr)
    {
   
      caddr_t page;
      size_t nup = (n + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
      if (__glibc_unlikely (nup == 0 && n != 0))
	return NULL;
      nup += GLRO(dl_pagesize);
      page = __mmap (0, nup, PROT_READ|PROT_WRITE,
		     MAP_ANON|MAP_PRIVATE, -1, 0);
      if (page == MAP_FAILED)
	return NULL;
      if (page != alloc_end)
	alloc_ptr = page;
      alloc_end = page + nup;
    }

  alloc_last_block = (void *) alloc_ptr;
  alloc_ptr += n;
  return alloc_last_block;
}

/* Allocate a `struct link_map' for a new object being loaded,
   and enter it into the _dl_loaded list.  */
struct link_map *
_dl_new_object (char *realname, const char *libname, int type,
		struct link_map *loader, int mode, Lmid_t nsid)
{
  size_t libname_len = strlen (libname) + 1;
  struct link_map *new;
  struct libname_list *newname;
#ifdef SHARED
  /* We create the map for the executable before we know whether we have
     auditing libraries and if yes, how many.  Assume the worst.  */
  unsigned int naudit = GLRO(dl_naudit) ?: ((mode & __RTLD_OPENEXEC)
					    ? DL_NNS : 0);
  size_t audit_space = naudit * sizeof (new->l_audit[0]);
#else
# define audit_space 0
#endif

  new = (struct link_map *) calloc (sizeof (*new) + audit_space
				    + sizeof (struct link_map *)
				    + sizeof (*newname) + libname_len, 1);

__int64 __fastcall input_data(char *input, int count)
{
  unsigned int ret_value; // [rsp+14h] [rbp-Ch]

  ret_value = read(0, input, count);
  if ( (ret_value & 0x80000000) != 0 )
  {
    printf("Error!", input);
    exit(0);
  }
  return ret_value;
}

unsigned __int64 leak_name_input()
{
  char name[80]; // [rsp+0h] [rbp-70h]
  unsigned __int64 v2; // [rsp+68h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  printf("leave your name, bro:");
  input_data(name, 0x50);
  printf("worrier %s, now begin your challenge", name);
  return __readfsqword(0x28u) ^ v2;
}

__int64 main_func()
{
  int size; // [rsp+8h] [rbp-18h]
  int temp; // [rsp+Ch] [rbp-14h]
  void *ptr; // [rsp+10h] [rbp-10h]
  unsigned __int64 v4; // [rsp+18h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  printf("please input the size to trigger stackoverflow: ");
  _isoc99_scanf("%d", &size);
  IO_getc(stdin);
  temp = size;
  while ( size > 0x300000 )
  {
    puts("too much bytes to do stackoverflow.");
    printf("please input the size to trigger stackoverflow: ");
    _isoc99_scanf("%d", &size);
    IO_getc(stdin);
  }
  ptr = malloc(0x28uLL);
  global_ptr = (char *)malloc(size + 1);
  if ( !global_ptr )
  {
    printf("Error!", &size);
    exit(0);
  }
  printf("padding and ropchain: ", &size);
  input_data(global_ptr, size);
  global_ptr[temp] = 0;
  return 0LL;
}

_isoc99_scanf("%d", &size);
 IO_getc(stdin);

typedef struct ucontext
{
	unsigned long int uc_flags;
	struct ucontext *uc_link; //后继上下文
	stack_t uc_stack; //用户自定义栈
	mcontext_t uc_mcontext; //保存当前上下文，即各个寄存器的状态
	__sigset_t uc_sigmask; //保存当前线程的信号屏蔽掩码

} ucontext_t;

int getcontext(ucontext_t *ucp); //将当前的寄存器状态放进ucp里面，相当于保存当前状态。

int setcontext(const ucontext_t *ucp); //从ucp取出状态恢复上下文。

void makecontext(ucontext_t *ucp, void (*func)(), int argc, ...); //设置已经初始过的ucp，改变其具指向的上下文

int swapcontext(ucontext_t *oucp, ucontext_t *ucp);//切换ucp保存的状态，并保存当前的状态到oucp

#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>
#include <assert.h>
#include <unistd.h>
 
// CRC
 
static uint32_t crc32_tab[] = {
  0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f,
  0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988,
  0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2,
  0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7,
  0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,
  0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172,
  0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c,
  0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59,
  0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423,
  0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
  0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106,
  0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433,
  0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d,
  0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e,
  0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,
  0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65,
  0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7,
  0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0,
  0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa,
  0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
  0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81,
  0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a,
  0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84,
  0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1,
  0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,
  0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc,
  0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e,
  0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b,
  0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55,
  0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
  0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28,
  0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d,
  0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f,
  0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38,
  0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,
  0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777,
  0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69,
  0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2,
  0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc,
  0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
  0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693,
  0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94,
  0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d
};
 
uint32_t crc32(uint32_t crc, const unsigned char *buf, size_t size) {
  const uint8_t *p;
 
  p = buf;
  crc = crc ^ ~0U;
 
  while (size--) {
    crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8);
  }
 
  return crc ^ ~0U;
}
 
// Fiber
 
static ucontext_t *g_fib;
static ucontext_t *g_active_fibs;
static ucontext_t *g_unactive_fibs;
 
void fiber_init() {
  ucontext_t *fib = malloc(sizeof(ucontext_t));
  getcontext(fib);
  fib->uc_link = 0;
  g_fib = fib;
  g_active_fibs = fib;
}
 
void fiber_yield() {
  ucontext_t *next = g_fib->uc_link;
  if (next == NULL)
    next = g_active_fibs;
 
  if (next == g_fib)
    return;
 
  ucontext_t *current_context = g_fib; // g_fib 
  g_fib = next;
  swapcontext(current_context, g_fib);  //first g_active_fib  swapcontent(g_fib,g_fib)
}
 
void __fiber_new(void (*f)()) {
  f();
  while (1)
    fiber_yield();
}
 
void fiber_new(void (*func)()) {
  ucontext_t *fib = malloc(sizeof(ucontext_t));
  getcontext(fib); //init current status
 
  fib->uc_stack.ss_sp = malloc(0x8000); // init customize stack
  fib->uc_stack.ss_size = 0x8000; 
 
  makecontext(fib, (void*)__fiber_new, 1, func); //
  printf("Starting Worker #%08x\n", (unsigned)fib);
  fib->uc_link = g_active_fibs; 
  g_active_fibs = fib;
}
 
int fiber_toggle(ucontext_t *moving, ucontext_t **from, ucontext_t **to) {
  ucontext_t *fib = *from;
  ucontext_t *last = NULL;
  while(fib != NULL && fib != moving) {
    last = fib;
    fib = fib->uc_link;
  }
  if(fib == NULL)
    return 1;
 
  if(last == NULL)
    *from = fib->uc_link;
  else
    last->uc_link = moving->uc_link;//unlink
 
  moving->uc_link = *to;//insert to other queue
  *to = moving;
  return 0;
}
 
int fiber_pause(void *id) {
  return fiber_toggle(id, &g_active_fibs, &g_unactive_fibs);
}
 
int fiber_resume(void *id) {
  return fiber_toggle(id, &g_unactive_fibs, &g_active_fibs);
}
 
// Lock free stack
struct node {
  void *entry;
  struct node* next;
};
 
struct node* job_stack;
struct node* result_stack;
 
void push(struct node **stack, void* e){
  struct node* n = malloc(sizeof(struct node));
  n->entry = e;
  n->next = *stack;
  *stack = n;
}
 
void* pop(struct node **stack) {
  struct node *old_head, *new_head;
  while(1) {
    old_head = *stack;
    if(old_head == NULL){
      return NULL;//empty stack case
    }
    new_head = old_head->next;
    /*
    这里用了一个中间变量来判断临界区有效性，但是这里存在堆上内存空间的复用
	
	第一次yield的时候，worker都会停在这里。不会继续执行下去

    */
    fiber_yield();//exploit here
    if(*stack == old_head) {
      *stack = new_head;//if exploit properly, *stack can be setted to a dangling pointer
      break;
    }
  }
 
  void *result = old_head->entry;
  free(old_head);
  return result;
}
 
// App
 
struct job {
  unsigned int id;
  unsigned int len;
  unsigned char *input;
  unsigned int *result;
};
 
unsigned int job_id = 0;
unsigned int n_jobs = 0;
unsigned int n_workers = 0;
unsigned int n_results = 0;
 
void worker() {
  while(1) {
    printf("[Worker #%08x] Getting Job\n", (unsigned)g_fib);
    struct job* job = pop(&job_stack);
    if(job == NULL) {
      printf("[Worker #%08x] Empty queue, sleeping\n", (unsigned)g_fib);
      fiber_yield();
      continue;
    }
    printf("[Worker #%08x] Got a job\n", (unsigned)g_fib);
 
    *(job->result) = crc32(0, job->input, job->len);
    n_jobs -= 1;
    n_results += 1;
    push(&result_stack, (void*)job);
  }
}
 
int menu() {
  printf("Menu: (stats: %d workers, %d jobs, %d results)\n", n_workers, n_jobs, n_results);
  printf("  1. Request CRC32 computation\n");
  printf("  2. Add a worker\n");
  printf("  3. Yield to workers\n");
  printf("  4. Toggle worker\n");
  printf("  5. Gather some results\n");
  printf("  6. Exit\n");
  printf("> ");
  int choice;
  scanf("%d", &choice);
  fgetc(stdin); // consume new line
  return choice;
}
 
int main() {
  unsigned int wid, size;
  setbuf(stdout, 0);
  fiber_init();
  printf("=================================\n");
  printf("===     CRC32 As A Service     ==\n");
  printf("=================================\n\n");
 
  while(1) {
    switch(menu()) {
      case 1:
        if(n_jobs < 10) {
          printf("Size: ");
          scanf("%d", &size);
          fgetc(stdin); // consume new line
          if(size > 0x100) {
            printf("Error: input needs to be smaller than 0x100");
          } else {
            unsigned char *input = malloc(size);
            printf("Contents:\n");
            assert(size == fread(input, 1, size, stdin));
 
            struct job *job = malloc(sizeof(struct job));
            job->id = job_id;
            job->len = size;
            job->input = input;
            job->result = malloc(sizeof(unsigned int));
 
            push(&job_stack, job);
            n_jobs += 1;
 
            printf("Requested job. ID: #%08x\n", job_id++);
          }
        } else {
          printf("Error: job worker limit\n");
        }
        break;
      case 2:
        if(n_workers < 4) { // max 4 workers
          n_workers++; 
          fiber_new(worker);
        } else {
          printf("Error: reached worker limit\n");
        }
        break;
      case 3:
        printf("Working...\n");
        fiber_yield();
        printf("Finished working for now.\n");
        break;
      case 4:
        printf("Worker ID: #");
        scanf("%x", &wid);
        fgetc(stdin); // consume new line
        if(fiber_pause((ucontext_t *)wid) == 0) {
          printf("Pausing worker #%08x.\n", wid);
        } else if(fiber_resume((ucontext_t *)wid) == 0) {
          printf("Resuming worker #%08x.\n", wid);
        } else {
          printf("Error: Worker #%08x not found.\n", wid);
        }
        break;
      case 5:
        while(1) {
          struct job *job = pop(&result_stack);
          if(job == NULL) {
            printf("No more results right now. Try again later.\n");
            n_results = 0;
            break;
          } else {
            printf("Job #%08x result: %08x\n", job->id, *job->result);
            free(job->result);
            free(job);
          }
        }
        break;
      default:
        return 0;
    }
  }
  return 0;
}

void* pop(struct node **stack) {
  struct node *old_head, *new_head;
  while(1) {
    old_head = *stack;
    if(old_head == NULL){
      return NULL;//empty stack case
    }
    new_head = old_head->next;
    fiber_yield();//exploit here
    if(*stack == old_head) {
      *stack = new_head;//if exploit properly, *stack can be setted to a dangling pointer
      break;
    }
  }
  void *result = old_head->entry;
  free(old_head);
  return result;
}

struct job {
  unsigned int id;
  unsigned int len;
  unsigned char *input; //写的内容 当然这里还是要爆破滴滴滴
  unsigned int *result; // 写哪里
};