skia2/fuzz/fuzz.cpp

/*
 * Copyright 2016 Google Inc.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

#include "Fuzz.h"
#include <stdlib.h>
#include <signal.h>

int main(int argc, char** argv) {
    if (argc < 3) {
        SkDebugf("Usage: %s <fuzz name> <path/to/fuzzed.data>\n", argv[0]);
        return 1;
    }
    const char* name = argv[1];
    const char* path = argv[2];

    SkAutoTUnref<SkData> bytes(SkData::NewFromFileName(path));
    Fuzz fuzz(bytes);

    for (auto r = SkTRegistry<Fuzzable>::Head(); r; r = r->next()) {
        auto fuzzable = r->factory();
        if (0 == strcmp(name, fuzzable.name)) {
            SkDebugf("Running %s\n", fuzzable.name);
            fuzzable.fn(&fuzz);
            return 0;
        }
    }
    return 1;
}


Fuzz::Fuzz(SkData* bytes) : fBytes(SkSafeRef(bytes)), fNextByte(0) {}

void Fuzz::signalBug   () { raise(SIGSEGV); }
void Fuzz::signalBoring() { exit(0); }

template <typename T>
T Fuzz::nextT() {
    if (fNextByte + sizeof(T) > fBytes->size()) {
        this->signalBoring();
    }

    T val;
    memcpy(&val, fBytes->bytes() + fNextByte, sizeof(T));
    fNextByte += sizeof(T);
    return val;
}

uint8_t  Fuzz::nextB() { return this->nextT<uint8_t >(); }
uint32_t Fuzz::nextU() { return this->nextT<uint32_t>(); }
float    Fuzz::nextF() { return this->nextT<float   >(); }
Add new fuzz binary. This is designed to have short startup time, for maximum fuzzing throughput. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1589563002 Review URL: https://codereview.chromium.org/1589563002 2016-01-13 20:57:57 +00:00			`/*`
			`* Copyright 2016 Google Inc.`
			`*`
			`* Use of this source code is governed by a BSD-style license that can be`
			`* found in the LICENSE file.`
			`*/`

			`#include "Fuzz.h"`
fuzz: signalBug() / signalBoring() Instead of a single ASSERT macro, this switches to two new methods: - signalBug(): tell afl-fuzz there's a bug caused by its inputs (by crashing) - signalBoring(): tell afl-fuzz these inputs are not worth testing (by exiting gracefully) I'm not seeing any effect on fuzz/s when I just always log verbosely. signalBug() now triggers SIGSEGV rather than SIGABRT. This should make it work with catchsegv more easily. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1585353002 Review URL: https://codereview.chromium.org/1585353002 2016-01-15 13:46:54 +00:00			`#include <stdlib.h>`
			`#include <signal.h>`
Add new fuzz binary. This is designed to have short startup time, for maximum fuzzing throughput. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1589563002 Review URL: https://codereview.chromium.org/1589563002 2016-01-13 20:57:57 +00:00
			`int main(int argc, char** argv) {`
fuzz: signalBug() / signalBoring() Instead of a single ASSERT macro, this switches to two new methods: - signalBug(): tell afl-fuzz there's a bug caused by its inputs (by crashing) - signalBoring(): tell afl-fuzz these inputs are not worth testing (by exiting gracefully) I'm not seeing any effect on fuzz/s when I just always log verbosely. signalBug() now triggers SIGSEGV rather than SIGABRT. This should make it work with catchsegv more easily. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1585353002 Review URL: https://codereview.chromium.org/1585353002 2016-01-15 13:46:54 +00:00			`if (argc < 3) {`
			`SkDebugf("Usage: %s <fuzz name> <path/to/fuzzed.data>\n", argv[0]);`
			`return 1;`
			`}`
some fuzz hacking Try to start faster: - remove flags dependency - print nothing - strip unused symbols from the binary on Mac (smaller binary) - only create one fuzz object - only run one DEF_FUZZ I am not sure if any of these things mattered, but I thought you may like to look. Good stuff: - make nextU() / nextF() work - drop nextURange() / nextFRange() for now - add nextB() for a single byte As you may have guessed, I have figured out how to use afl-fuzz on my laptop. Syntax to run becomes: $ afl-fuzz ... out/Release/fuzz <DEF_FUZZ name> @@ BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1581203003 Review URL: https://codereview.chromium.org/1581203003 2016-01-14 12:59:42 +00:00			`const char* name = argv[1];`
			`const char* path = argv[2];`

			`SkAutoTUnref<SkData> bytes(SkData::NewFromFileName(path));`
			`Fuzz fuzz(bytes);`
Add new fuzz binary. This is designed to have short startup time, for maximum fuzzing throughput. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1589563002 Review URL: https://codereview.chromium.org/1589563002 2016-01-13 20:57:57 +00:00
			`for (auto r = SkTRegistry<Fuzzable>::Head(); r; r = r->next()) {`
			`auto fuzzable = r->factory();`
some fuzz hacking Try to start faster: - remove flags dependency - print nothing - strip unused symbols from the binary on Mac (smaller binary) - only create one fuzz object - only run one DEF_FUZZ I am not sure if any of these things mattered, but I thought you may like to look. Good stuff: - make nextU() / nextF() work - drop nextURange() / nextFRange() for now - add nextB() for a single byte As you may have guessed, I have figured out how to use afl-fuzz on my laptop. Syntax to run becomes: $ afl-fuzz ... out/Release/fuzz <DEF_FUZZ name> @@ BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1581203003 Review URL: https://codereview.chromium.org/1581203003 2016-01-14 12:59:42 +00:00			`if (0 == strcmp(name, fuzzable.name)) {`
fuzz: signalBug() / signalBoring() Instead of a single ASSERT macro, this switches to two new methods: - signalBug(): tell afl-fuzz there's a bug caused by its inputs (by crashing) - signalBoring(): tell afl-fuzz these inputs are not worth testing (by exiting gracefully) I'm not seeing any effect on fuzz/s when I just always log verbosely. signalBug() now triggers SIGSEGV rather than SIGABRT. This should make it work with catchsegv more easily. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1585353002 Review URL: https://codereview.chromium.org/1585353002 2016-01-15 13:46:54 +00:00			`SkDebugf("Running %s\n", fuzzable.name);`
Add new fuzz binary. This is designed to have short startup time, for maximum fuzzing throughput. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1589563002 Review URL: https://codereview.chromium.org/1589563002 2016-01-13 20:57:57 +00:00			`fuzzable.fn(&fuzz);`
some fuzz hacking Try to start faster: - remove flags dependency - print nothing - strip unused symbols from the binary on Mac (smaller binary) - only create one fuzz object - only run one DEF_FUZZ I am not sure if any of these things mattered, but I thought you may like to look. Good stuff: - make nextU() / nextF() work - drop nextURange() / nextFRange() for now - add nextB() for a single byte As you may have guessed, I have figured out how to use afl-fuzz on my laptop. Syntax to run becomes: $ afl-fuzz ... out/Release/fuzz <DEF_FUZZ name> @@ BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1581203003 Review URL: https://codereview.chromium.org/1581203003 2016-01-14 12:59:42 +00:00			`return 0;`
Add new fuzz binary. This is designed to have short startup time, for maximum fuzzing throughput. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1589563002 Review URL: https://codereview.chromium.org/1589563002 2016-01-13 20:57:57 +00:00			`}`
			`}`
some fuzz hacking Try to start faster: - remove flags dependency - print nothing - strip unused symbols from the binary on Mac (smaller binary) - only create one fuzz object - only run one DEF_FUZZ I am not sure if any of these things mattered, but I thought you may like to look. Good stuff: - make nextU() / nextF() work - drop nextURange() / nextFRange() for now - add nextB() for a single byte As you may have guessed, I have figured out how to use afl-fuzz on my laptop. Syntax to run becomes: $ afl-fuzz ... out/Release/fuzz <DEF_FUZZ name> @@ BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1581203003 Review URL: https://codereview.chromium.org/1581203003 2016-01-14 12:59:42 +00:00			`return 1;`
Add new fuzz binary. This is designed to have short startup time, for maximum fuzzing throughput. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1589563002 Review URL: https://codereview.chromium.org/1589563002 2016-01-13 20:57:57 +00:00			`}`


some fuzz hacking Try to start faster: - remove flags dependency - print nothing - strip unused symbols from the binary on Mac (smaller binary) - only create one fuzz object - only run one DEF_FUZZ I am not sure if any of these things mattered, but I thought you may like to look. Good stuff: - make nextU() / nextF() work - drop nextURange() / nextFRange() for now - add nextB() for a single byte As you may have guessed, I have figured out how to use afl-fuzz on my laptop. Syntax to run becomes: $ afl-fuzz ... out/Release/fuzz <DEF_FUZZ name> @@ BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1581203003 Review URL: https://codereview.chromium.org/1581203003 2016-01-14 12:59:42 +00:00			`Fuzz::Fuzz(SkData* bytes) : fBytes(SkSafeRef(bytes)), fNextByte(0) {}`

fuzz: signalBug() / signalBoring() Instead of a single ASSERT macro, this switches to two new methods: - signalBug(): tell afl-fuzz there's a bug caused by its inputs (by crashing) - signalBoring(): tell afl-fuzz these inputs are not worth testing (by exiting gracefully) I'm not seeing any effect on fuzz/s when I just always log verbosely. signalBug() now triggers SIGSEGV rather than SIGABRT. This should make it work with catchsegv more easily. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1585353002 Review URL: https://codereview.chromium.org/1585353002 2016-01-15 13:46:54 +00:00			`void Fuzz::signalBug () { raise(SIGSEGV); }`
			`void Fuzz::signalBoring() { exit(0); }`

some fuzz hacking Try to start faster: - remove flags dependency - print nothing - strip unused symbols from the binary on Mac (smaller binary) - only create one fuzz object - only run one DEF_FUZZ I am not sure if any of these things mattered, but I thought you may like to look. Good stuff: - make nextU() / nextF() work - drop nextURange() / nextFRange() for now - add nextB() for a single byte As you may have guessed, I have figured out how to use afl-fuzz on my laptop. Syntax to run becomes: $ afl-fuzz ... out/Release/fuzz <DEF_FUZZ name> @@ BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1581203003 Review URL: https://codereview.chromium.org/1581203003 2016-01-14 12:59:42 +00:00			`template <typename T>`
fuzz: signalBug() / signalBoring() Instead of a single ASSERT macro, this switches to two new methods: - signalBug(): tell afl-fuzz there's a bug caused by its inputs (by crashing) - signalBoring(): tell afl-fuzz these inputs are not worth testing (by exiting gracefully) I'm not seeing any effect on fuzz/s when I just always log verbosely. signalBug() now triggers SIGSEGV rather than SIGABRT. This should make it work with catchsegv more easily. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1585353002 Review URL: https://codereview.chromium.org/1585353002 2016-01-15 13:46:54 +00:00			`T Fuzz::nextT() {`
			`if (fNextByte + sizeof(T) > fBytes->size()) {`
			`this->signalBoring();`
some fuzz hacking Try to start faster: - remove flags dependency - print nothing - strip unused symbols from the binary on Mac (smaller binary) - only create one fuzz object - only run one DEF_FUZZ I am not sure if any of these things mattered, but I thought you may like to look. Good stuff: - make nextU() / nextF() work - drop nextURange() / nextFRange() for now - add nextB() for a single byte As you may have guessed, I have figured out how to use afl-fuzz on my laptop. Syntax to run becomes: $ afl-fuzz ... out/Release/fuzz <DEF_FUZZ name> @@ BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1581203003 Review URL: https://codereview.chromium.org/1581203003 2016-01-14 12:59:42 +00:00			`}`
fuzz: signalBug() / signalBoring() Instead of a single ASSERT macro, this switches to two new methods: - signalBug(): tell afl-fuzz there's a bug caused by its inputs (by crashing) - signalBoring(): tell afl-fuzz these inputs are not worth testing (by exiting gracefully) I'm not seeing any effect on fuzz/s when I just always log verbosely. signalBug() now triggers SIGSEGV rather than SIGABRT. This should make it work with catchsegv more easily. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1585353002 Review URL: https://codereview.chromium.org/1585353002 2016-01-15 13:46:54 +00:00
some fuzz hacking Try to start faster: - remove flags dependency - print nothing - strip unused symbols from the binary on Mac (smaller binary) - only create one fuzz object - only run one DEF_FUZZ I am not sure if any of these things mattered, but I thought you may like to look. Good stuff: - make nextU() / nextF() work - drop nextURange() / nextFRange() for now - add nextB() for a single byte As you may have guessed, I have figured out how to use afl-fuzz on my laptop. Syntax to run becomes: $ afl-fuzz ... out/Release/fuzz <DEF_FUZZ name> @@ BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1581203003 Review URL: https://codereview.chromium.org/1581203003 2016-01-14 12:59:42 +00:00			`T val;`
fuzz: signalBug() / signalBoring() Instead of a single ASSERT macro, this switches to two new methods: - signalBug(): tell afl-fuzz there's a bug caused by its inputs (by crashing) - signalBoring(): tell afl-fuzz these inputs are not worth testing (by exiting gracefully) I'm not seeing any effect on fuzz/s when I just always log verbosely. signalBug() now triggers SIGSEGV rather than SIGABRT. This should make it work with catchsegv more easily. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1585353002 Review URL: https://codereview.chromium.org/1585353002 2016-01-15 13:46:54 +00:00			`memcpy(&val, fBytes->bytes() + fNextByte, sizeof(T));`
			`fNextByte += sizeof(T);`
some fuzz hacking Try to start faster: - remove flags dependency - print nothing - strip unused symbols from the binary on Mac (smaller binary) - only create one fuzz object - only run one DEF_FUZZ I am not sure if any of these things mattered, but I thought you may like to look. Good stuff: - make nextU() / nextF() work - drop nextURange() / nextFRange() for now - add nextB() for a single byte As you may have guessed, I have figured out how to use afl-fuzz on my laptop. Syntax to run becomes: $ afl-fuzz ... out/Release/fuzz <DEF_FUZZ name> @@ BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1581203003 Review URL: https://codereview.chromium.org/1581203003 2016-01-14 12:59:42 +00:00			`return val;`
			`}`
Add new fuzz binary. This is designed to have short startup time, for maximum fuzzing throughput. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1589563002 Review URL: https://codereview.chromium.org/1589563002 2016-01-13 20:57:57 +00:00
fuzz: signalBug() / signalBoring() Instead of a single ASSERT macro, this switches to two new methods: - signalBug(): tell afl-fuzz there's a bug caused by its inputs (by crashing) - signalBoring(): tell afl-fuzz these inputs are not worth testing (by exiting gracefully) I'm not seeing any effect on fuzz/s when I just always log verbosely. signalBug() now triggers SIGSEGV rather than SIGABRT. This should make it work with catchsegv more easily. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1585353002 Review URL: https://codereview.chromium.org/1585353002 2016-01-15 13:46:54 +00:00			`uint8_t Fuzz::nextB() { return this->nextT<uint8_t >(); }`
			`uint32_t Fuzz::nextU() { return this->nextT<uint32_t>(); }`
			`float Fuzz::nextF() { return this->nextT<float >(); }`
Add new fuzz binary. This is designed to have short startup time, for maximum fuzzing throughput. BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1589563002 Review URL: https://codereview.chromium.org/1589563002 2016-01-13 20:57:57 +00:00