2017-02-14 18:12:37 +00:00
|
|
|
#!/bin/sh
|
|
|
|
# Copyright 2017 Google Inc.
|
|
|
|
#
|
|
|
|
# Use of this source code is governed by a BSD-style license that can be
|
|
|
|
# found in the LICENSE file.
|
|
|
|
|
|
|
|
if [ -z "$1" ]; then
|
|
|
|
cat <<-EOM
|
|
|
|
Usage:
|
|
|
|
$0 [afl-out-loc]
|
|
|
|
|
|
|
|
Run something like this:
|
|
|
|
$0 ~/afl-out
|
|
|
|
where afl-out is the directory containing all the output of the afl-fuzzers.
|
|
|
|
You can typically ssh into skia-fuzzer-be-1 and skia-fuzzer-be-2 and run
|
2017-03-15 14:30:33 +00:00
|
|
|
tar -czf afl-out.tar.gz /mnt/ssd0/fuzzes/afl-out/*/fuzzer0/queue
|
2017-02-14 18:12:37 +00:00
|
|
|
and extract it locally to get the directories needed to assess coverage.
|
|
|
|
|
|
|
|
EOM
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
set -x
|
|
|
|
set -e
|
|
|
|
|
|
|
|
cd "$(dirname "$0")/.."
|
|
|
|
|
|
|
|
EXECUTABLE="fuzz"
|
|
|
|
|
|
|
|
DIR="$(mktemp -d "${TMPDIR:-/tmp}/skia_coverage_XXXXXXXXXX")"
|
|
|
|
BUILD=out/coverage
|
|
|
|
|
|
|
|
# Build $EXECUTABLE
|
|
|
|
bin/sync
|
|
|
|
bin/fetch-gn
|
|
|
|
|
|
|
|
rm -rf $BUILD
|
|
|
|
|
|
|
|
#TODO: make this work with Clang.
|
|
|
|
ARGS='cc="gcc" cxx="g++" extra_cflags=["--coverage"] extra_ldflags=["--coverage"]'
|
|
|
|
gn gen --args="$ARGS" "$BUILD"
|
|
|
|
|
|
|
|
ninja -C "$BUILD" "$EXECUTABLE"
|
|
|
|
|
|
|
|
GCOV="$(realpath tools/gcov_shim)"
|
|
|
|
|
2017-03-15 14:30:33 +00:00
|
|
|
# Generate a zero-baseline so files not covered by $EXECUTABLE $@ will
|
|
|
|
# still show up in the report. This reads the .gcno files that are
|
|
|
|
# created at compile time.
|
2017-02-14 18:12:37 +00:00
|
|
|
lcov -q --gcov-tool="$GCOV" -c -b "$BUILD" -d "$BUILD" -o "$DIR"/baseline -i
|
|
|
|
|
|
|
|
# Running the binary generates the real coverage information, the .gcda files.
|
2018-05-23 16:09:41 +00:00
|
|
|
QUEUES=("$1/api_parse_path/fuzzer0/queue/*" "$1/color_deserialize/fuzzer0/queue/*" "$1/skcodec_scale/fuzzer0/queue/*" "$1/skcodec_mode/fuzzer0/queue/*" "$1/api_draw_functions/fuzzer0/queue/*" "$1/api_gradient/fuzzer0/queue/*" "$1/api_image_filter/fuzzer0/queue/*" "$1/api_pathop/fuzzer0/queue/*" "$1/sksl2glsl/fuzzer0/queue/*" "$1/null_canvas/fuzzer0/queue/*" "$1/pdf_canvas/fuzzer0/queue/*" "$1/n32_canvas/fuzzer0/queue/*")
|
2017-02-14 18:12:37 +00:00
|
|
|
|
2018-05-23 16:09:41 +00:00
|
|
|
ARGS=("-n ParsePath" "-t color_deserialize" "-t image_scale" "-t image_mode" "-n DrawFunctions" "-n Gradients" "-n SerializedImageFilter" "-n Pathop" "-t sksl2glsl" "-n NullCanvas" "-n PDFCanvas" "-n RasterN32Canvas")
|
2017-02-14 18:12:37 +00:00
|
|
|
|
|
|
|
# We can't simply pass the directories to the fuzzers because some of the fuzzes will
|
|
|
|
# crash or assert, which would kill the call to fuzz prematurely. Instead we run them
|
|
|
|
# individually using the loops below.
|
|
|
|
for i in `seq ${#QUEUES[@]}`
|
|
|
|
do
|
|
|
|
FILES=${QUEUES[i]}
|
|
|
|
for f in $FILES
|
|
|
|
do
|
|
|
|
# Executing the fuzzes sequentially would take a very long time. So, we run them
|
|
|
|
# in the background, making sure we don't go crazy and execute them too fast or
|
|
|
|
# that they execute for a long time.
|
|
|
|
timeout 10 $BUILD/$EXECUTABLE ${ARGS[i]} -b $f &
|
|
|
|
sleep .005s
|
|
|
|
done
|
|
|
|
done
|
|
|
|
|
|
|
|
sleep 10s
|
|
|
|
|
|
|
|
echo "done running the fuzzes -- generating report"
|
|
|
|
|
|
|
|
lcov -q --gcov-tool="$GCOV" -c -b "$BUILD" -d "$BUILD" -o "$DIR"/coverage
|
|
|
|
|
|
|
|
lcov -q -a "$DIR"/baseline -a "$DIR"/coverage -o "$DIR"/merged
|
|
|
|
|
|
|
|
genhtml -q "$DIR"/merged --legend -o "$DIR"/coverage_report --ignore-errors source
|
|
|
|
|
|
|
|
xdg-open "$DIR"/coverage_report/index.html
|