/*
* Copyright 2016 Google Inc.
*
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#ifndef Fuzz_DEFINED
#define Fuzz_DEFINED
#include "include/core/SkData.h"
#include "include/core/SkImageFilter.h"
#include "include/core/SkRegion.h"
#include "include/core/SkTypes.h"
#include "include/private/SkMalloc.h"
#include "tools/Registry.h"

#include <signal.h>

#include <cmath>
#include <limits>
#include <utility>
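// Fuzz hands the bytes of one fuzzer-generated input to a fuzz target as typed values.
//
// fNextByte is the read cursor into fBytes. Everything read through this class is arbitrary,
// fuzzer-chosen data: a target must not assume a value is in range unless it obtained it from
// nextRange()/nextEnum() or validated it itself.
class Fuzz : SkNoncopyable {
public:
    // bytes must be non-null: size(), exhausted(), remaining() and deplete() all dereference it.
    // The sk_sp is moved into the member to avoid a redundant ref/unref pair.
    explicit Fuzz(sk_sp<SkData> bytes) : fBytes(std::move(bytes)), fNextByte(0) {}

    // Returns the total number of "random" bytes available.
    size_t size() const { return fBytes->size(); }

    // Returns true if there are no bytes remaining for fuzzing.
    bool exhausted() const {
        return fBytes->size() == fNextByte;
    }

    // Returns the number of bytes not yet consumed. The subtraction is unsigned, so this relies
    // on fNextByte never exceeding size(); NOTE(review): nextBytes() is defined outside this
    // header and is presumably what maintains that invariant - confirm.
    size_t remaining() const {
        return fBytes->size() - fNextByte;
    }

    // Marks every remaining byte as consumed; exhausted() is true afterwards.
    void deplete() {
        fNextByte = fBytes->size();
    }

    // next() loads fuzzed bytes into the variable passed in by pointer.
    // We use this approach instead of T next() because different compilers
    // evaluate function parameters in different orders. If fuzz->next()
    // returned 5 and then 7, foo(fuzz->next(), fuzz->next()) would be
    // foo(5, 7) when compiled on GCC and foo(7, 5) when compiled on Clang.
    // By requiring params to be passed in, we avoid the temptation to call
    // next() in a way that does not consume fuzzed bytes in a single
    // platform-independent order.
    //
    // This generic form asks nextBytes() for sizeof(T) bytes at the address of *t, so T should
    // be a type for which any bit pattern is an acceptable value; bool, SkImageFilter::CropRect
    // and SkRegion have dedicated overloads below. What is stored when fewer than sizeof(T)
    // bytes remain is decided by nextBytes(), which is not defined in this header.
    template <typename T>
    void next(T* t) { this->nextBytes(t, sizeof(T)); }

    // This is a convenient way to initialize more than one argument at a time.
    // Arguments are filled left to right.
    template <typename Arg, typename... Args>
    void next(Arg* first, Args... rest);

    // nextRange returns values only in [min, max].
    template <typename T, typename Min, typename Max>
    void nextRange(T*, Min, Max);

    // nextEnum is a wrapper around nextRange for enums.
    // The stored value is clamped to [0, max] in the enum's underlying type.
    template <typename T>
    void nextEnum(T* ptr, T max);

    // nextN loads n * sizeof(T) bytes into ptr, one element at a time through next().
    // ptr must have room for n elements; nothing is loaded when n <= 0.
    template <typename T>
    void nextN(T* ptr, int n);

    // Deliberately crashes the process so the fuzzing engine records the current input.
    void signalBug(){
        // Tell the fuzzer that these inputs found a bug.
        SkDebugf("Signal bug\n");
        raise(SIGSEGV);
    }

    // Specialized versions for when true random doesn't quite make sense
    void next(bool* b);
    void next(SkImageFilter::CropRect* cropRect);
    void next(SkRegion* region);

    void nextRange(float* f, float min, float max);

private:
    template <typename T>
    T nextT();

    sk_sp<SkData> fBytes;   // the fuzzer-provided input
    size_t fNextByte;       // offset of the next unread byte in fBytes
    friend void fuzz__MakeEncoderCorpus(Fuzz*);

    // Raw read used by next<T>(); defined outside this header.
    void nextBytes(void* ptr, size_t size);
};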
// Variadic next(): fills *first, then the remaining pointers, in argument order.
template <typename Arg, typename... Args>
inline void Fuzz::next(Arg* first, Args... rest) {
    // Two separate statements, so the bytes for `first` are always consumed before
    // any bytes for `rest`, whatever the compiler's argument evaluation order is.
    this->next(first);
    // Recurses on the tail; the call is resolved against every next() overload again.
    this->next(rest...);
}
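// Reads one T from the fuzz input and clamps it into [min, max].
//
// min and max are converted to T with a C-style cast before each comparison, so a bound
// that does not fit in T is compared (and stored) in its converted form. If min > max the
// result is always (T)max.
template <typename T, typename Min, typename Max>
inline void Fuzz::nextRange(T* value, Min min, Max max) {
    this->next(value);
    // Written as !(>=) / !(<=) rather than < / > so that a value that compares unordered
    // (a NaN, when T is a floating-point type reaching this template) is clamped as well.
    // With plain < and > a NaN fails both tests and would leave the function outside
    // [min, max]. For every ordered value the result is unchanged.
    if (!(*value >= (T)min)) { *value = (T)min; }
    if (!(*value <= (T)max)) { *value = (T)max; }
}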
// Reads one value of T's underlying integer type and stores it in *value, clamped to
// [0, max].
template <typename T>
inline void Fuzz::nextEnum(T* value, T max) {
    // The fuzzed bytes are read into the underlying integer type and only converted to T
    // after clamping, because UBSAN will assert if we put an invalid value into an enum.
    // Enums may be represented differently on Windows than on Linux; that is not
    // something that can be fixed here.
    using U = typename std::underlying_type<T>::type;
    const U lowest = (U)0;
    const U highest = (U)max;

    U raw;
    this->next(&raw);

    if (raw < lowest) {
        raw = lowest;
    } else if (raw > highest) {
        raw = highest;
    }
    *value = (T)raw;
}
// Fills ptr[0] .. ptr[n-1] from the fuzz input, one element per next() call, in index
// order. The caller owns the bounds: ptr must point at storage for at least n elements.
// Nothing is read when n <= 0.
template <typename T>
inline void Fuzz::nextN(T* ptr, int n) {
    int index = 0;
    while (index < n) {
        this->next(&ptr[index]);
        ++index;
    }
}
// One registered fuzz target: a name and the function that runs it.
// DEF_FUZZ brace-initializes this struct, so the member order matters.
struct Fuzzable {
    const char* name;   // DEF_FUZZ stores the stringized target name here
    void (*fn)(Fuzz*);  // DEF_FUZZ stores fuzz_<name> here; called with the input to consume
};
// DEF_FUZZ(name, f) { ... } defines a fuzz target. It expands to:
//   1. a declaration of fuzz_<name>(Fuzz*),
//   2. a sk_tools::Registry<Fuzzable> object named register_<name>, constructed from
//      {"<name>", fuzz_<name>},
//   3. the head of the definition of fuzz_<name>(Fuzz* f); the braces written after the
//      macro invocation become its body.
// Not static so that we can link these into oss-fuzz harnesses if we like.
#define DEF_FUZZ(name, f)                                               \
    void fuzz_##name(Fuzz*);                                            \
    sk_tools::Registry<Fuzzable> register_##name({#name, fuzz_##name}); \
    void fuzz_##name(Fuzz* f)
#endif//Fuzz_DEFINED