diff --git a/bin/coverage b/bin/coverage index 7390d7e638..f7c2cf8cd8 100755 --- a/bin/coverage +++ b/bin/coverage @@ -34,7 +34,7 @@ bin/sync bin/fetch-gn #TODO: make this work with Clang. -ARGS='cc="gcc" cxx="g++" extra_cflags="--coverage" extra_ldflags="--coverage"' +ARGS='cc="gcc" cxx="g++" extra_cflags=["--coverage"] extra_ldflags=["--coverage"]' gn gen --args="$ARGS" "$BUILD" ninja -C "$BUILD" "$EXECUTABLE" diff --git a/fuzz/coverage b/fuzz/coverage new file mode 100755 index 0000000000..e9ac001b62 --- /dev/null +++ b/fuzz/coverage @@ -0,0 +1,83 @@ +#!/bin/sh +# Copyright 2017 Google Inc. +# +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +if [ -z "$1" ]; then + cat <<-EOM + Usage: + $0 [afl-out-loc] + + Run something like this: + $0 ~/afl-out + where afl-out is the directory containing all the output of the afl-fuzzers. + You can typically ssh into skia-fuzzer-be-1 and skia-fuzzer-be-2 and run + tar -czf afl-out.tar.gz /mnt/ssd0/fuzzes/afl-out/* + and extract it locally to get the directories needed to assess coverage. + + EOM + exit 1 +fi + +set -x +set -e + +cd "$(dirname "$0")/.." + +EXECUTABLE="fuzz" + +DIR="$(mktemp -d "${TMPDIR:-/tmp}/skia_coverage_XXXXXXXXXX")" +BUILD=out/coverage + +# Build $EXECUTABLE +bin/sync +bin/fetch-gn + +rm -rf $BUILD + +#TODO: make this work with Clang. +ARGS='cc="gcc" cxx="g++" extra_cflags=["--coverage"] extra_ldflags=["--coverage"]' +gn gen --args="$ARGS" "$BUILD" + +ninja -C "$BUILD" "$EXECUTABLE" + +GCOV="$(realpath tools/gcov_shim)" + +# # Generate a zero-baseline so files not covered by $EXECUTABLE $@ will +# # still show up in the report. This reads the .gcno files that are +# # created at compile time. +lcov -q --gcov-tool="$GCOV" -c -b "$BUILD" -d "$BUILD" -o "$DIR"/baseline -i + +# Running the binary generates the real coverage information, the .gcda files. +QUEUES=("$1/api_parse_path/fuzzer0/queue/*" "$1/color_deserialize/fuzzer0/queue/*" "$1/color_icc/fuzzer0/queue/*" "$1/skcodec_scale/fuzzer0/queue/*" "$1/skcodec_mode/fuzzer0/queue/*" "$1/api_draw_functions/fuzzer0/queue/*" "$1/api_gradient/fuzzer0/queue/*" "$1/api_image_filter/fuzzer0/queue/*" "$1/api_pathop/fuzzer0/queue/*" "$1/sksl2glsl/fuzzer0/queue/*") + +ARGS=("-n ParsePath" "-t color_deserialize" "-t icc" "-t image_scale" "-t image_mode" "-n DrawFunctions" "-n Gradients" "-n SerializedImageFilter" "-n Pathop" "-t sksl2glsl") + +# We can't simply pass the directories to the fuzzers because some of the fuzzes will +# crash or assert, which would kill the call to fuzz prematurely. Instead we run them +# individually using the loops below. +for i in `seq ${#QUEUES[@]}` +do + FILES=${QUEUES[i]} + for f in $FILES + do + # Executing the fuzzes sequentially would take a very long time. So, we run them + # in the background, making sure we don't go crazy and execute them too fast or + # that they execute for a long time. + timeout 10 $BUILD/$EXECUTABLE ${ARGS[i]} -b $f & + sleep .005s + done +done + +sleep 10s + +echo "done running the fuzzes -- generating report" + +lcov -q --gcov-tool="$GCOV" -c -b "$BUILD" -d "$BUILD" -o "$DIR"/coverage + +lcov -q -a "$DIR"/baseline -a "$DIR"/coverage -o "$DIR"/merged + +genhtml -q "$DIR"/merged --legend -o "$DIR"/coverage_report --ignore-errors source + +xdg-open "$DIR"/coverage_report/index.html diff --git a/fuzz/fuzz.cpp b/fuzz/fuzz.cpp index bf3b88c262..67207543e7 100644 --- a/fuzz/fuzz.cpp +++ b/fuzz/fuzz.cpp @@ -40,11 +40,11 @@ static int fuzz_file(const char* path); static uint8_t calculate_option(SkData*); static void fuzz_api(sk_sp); -static void fuzz_img(sk_sp, uint8_t, uint8_t); -static void fuzz_skp(sk_sp); -static void fuzz_icc(sk_sp); static void fuzz_color_deserialize(sk_sp); +static void fuzz_icc(sk_sp); +static void fuzz_img(sk_sp, uint8_t, uint8_t); static void fuzz_path_deserialize(sk_sp); +static void fuzz_skp(sk_sp); #if SK_SUPPORT_GPU static void fuzz_sksl2glsl(sk_sp); #endif