AuroraMiddleware/skia2
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Create ParsePath API fuzz

Browse Source 
This is based on https://codereview.chromium.org/1675053002

BUG=skia:4438
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1702383003

Review URL: https://codereview.chromium.org/1702383003
This commit is contained in:
kjlubick 2016-02-18 06:27:38 -08:00 committed by Commit bot
parent a7b16858d5
commit 5bd98a244b
3 changed files with 153 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
fuzz/Fuzz.h
View File

@ -16,10 +16,20 @@ class Fuzz : SkNoncopyable {
public: public:
explicit Fuzz(SkData*); explicit Fuzz(SkData*);
bool nextBool();
uint8_t nextB(); uint8_t nextB();
uint32_t nextU(); uint32_t nextU();
// This can be nan, +- infinity, 0, anything.
float nextF(); float nextF();
// Return the next fuzzed value [min, max) as an unsigned 32bit integer.
uint32_t nextRangeU(uint32_t min, uint32_t max);
/**
* Returns next fuzzed value [min...max) as a float.
* Will not be Infinity or NaN.
*/
float nextRangeF(float min, float max);
void signalBug (); // Tell afl-fuzz these inputs found a bug. void signalBug (); // Tell afl-fuzz these inputs found a bug.
void signalBoring(); // Tell afl-fuzz these inputs are not worth testing. void signalBoring(); // Tell afl-fuzz these inputs are not worth testing.

115
fuzz/FuzzParsePath.cpp Normal file
View File

@ -0,0 +1,115 @@
/*
* Copyright 2016 Google Inc.
*
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#include "Fuzz.h"
#include "SkString.h"
#include "SkParsePath.h"
#include <stdlib.h>
// Most of this is taken from random_parse_path.cpp and adapted to use the Fuzz
// instead of SKRandom
const struct Legal {
char fSymbol;
int fScalars;
} gLegal[] = {
{ 'M', 2 },
{ 'H', 1 },
{ 'V', 1 },
{ 'L', 2 },
{ 'Q', 4 },
{ 'T', 2 },
{ 'C', 6 },
{ 'S', 4 },
{ 'A', 4 },
{ 'Z', 0 },
};
bool gEasy = false; // set to true while debugging to suppress unusual whitespace
// mostly do nothing, then bias towards spaces
const char gWhiteSpace[] = { 0, 0, 0, 0, 0, 0, 0, 0, ' ', ' ', ' ', ' ', 0x09, 0x0D, 0x0A };
static void add_white(Fuzz* fuzz, SkString* atom) {
if (gEasy) {
atom->append(" ");
return;
}
int reps = fuzz->nextRangeU(0, 2);
for (int rep = 0; rep < reps; ++rep) {
int index = fuzz->nextRangeU(0, (int) SK_ARRAY_COUNT(gWhiteSpace) - 1);
if (gWhiteSpace[index]) {
atom->append(&gWhiteSpace[index], 1);
}
}
}
static void add_comma(Fuzz* fuzz, SkString* atom) {
if (gEasy) {
atom->append(",");
return;
}
size_t count = atom->size();
add_white(fuzz, atom);
if (fuzz->nextBool()) {
atom->append(",");
}
do {
add_white(fuzz, atom);
} while (count == atom->size());
}
static void add_some_white(Fuzz* fuzz, SkString* atom) {
size_t count = atom->size();
do {
add_white(fuzz, atom);
} while (count == atom->size());
}
SkString MakeRandomParsePathPiece(Fuzz* fuzz) {
SkString atom;
int index = fuzz->nextRangeU(0, (int) SK_ARRAY_COUNT(gLegal) - 1);
const Legal& legal = gLegal[index];
gEasy ? atom.append("\n") : add_white(fuzz, &atom);
char symbol = legal.fSymbol | (fuzz->nextBool() ? 0x20 : 0);
atom.append(&symbol, 1);
int reps = fuzz->nextRangeU(1, 3);
for (int rep = 0; rep < reps; ++rep) {
for (int index = 0; index < legal.fScalars; ++index) {
SkScalar coord = fuzz->nextRangeF(0, 100);
add_white(fuzz, &atom);
atom.appendScalar(coord);
if (rep < reps - 1 && index < legal.fScalars - 1) {
add_comma(fuzz, &atom);
} else {
add_some_white(fuzz, &atom);
}
if ('A' == legal.fSymbol && 1 == index) {
atom.appendScalar(fuzz->nextRangeF(-720, 720));
add_comma(fuzz, &atom);
atom.appendU32(fuzz->nextRangeU(0, 1));
add_comma(fuzz, &atom);
atom.appendU32(fuzz->nextRangeU(0, 1));
add_comma(fuzz, &atom);
}
}
}
return atom;
}
DEF_FUZZ(ParsePath, fuzz) {
SkPath path;
SkString spec;
uint32_t count = fuzz->nextRangeU(0, 40);
for (uint32_t i = 0; i < count; ++i) {
spec.append(MakeRandomParsePathPiece(fuzz));
}
SkDebugf("SkParsePath::FromSVGString(%s, &path);\n",spec.c_str());
if (!SkParsePath::FromSVGString(spec.c_str(), &path)){
fuzz->signalBug();
}
}

30
fuzz/fuzz.cpp
View File

@ -17,6 +17,7 @@
#include "SkPicture.h" #include "SkPicture.h"
#include "SkStream.h" #include "SkStream.h"
#include <cmath>
#include <signal.h> #include <signal.h>
#include <stdlib.h> #include <stdlib.h>
@ -114,8 +115,8 @@ static void dump_png(SkBitmap bitmap) {
int fuzz_img(SkData* bytes, uint8_t scale, uint8_t mode) { int fuzz_img(SkData* bytes, uint8_t scale, uint8_t mode) {
// We can scale 1x, 2x, 4x, 8x, 16x // We can scale 1x, 2x, 4x, 8x, 16x
scale = scale % 5; scale = scale % 5;
float fscale = pow(2.0f, scale); float fscale = (float)pow(2.0f, scale);
SkDebugf("Scaling factor: %d\n", fscale); SkDebugf("Scaling factor: %f\n", fscale);
// We have 4 different modes of decoding, just like DM. // We have 4 different modes of decoding, just like DM.
mode = mode % 4; mode = mode % 4;
@ -393,6 +394,31 @@ T Fuzz::nextT() {
} }
uint8_t Fuzz::nextB() { return this->nextT<uint8_t >(); } uint8_t Fuzz::nextB() { return this->nextT<uint8_t >(); }
bool Fuzz::nextBool() { return nextB()&1; }
uint32_t Fuzz::nextU() { return this->nextT<uint32_t>(); } uint32_t Fuzz::nextU() { return this->nextT<uint32_t>(); }
float Fuzz::nextF() { return this->nextT<float >(); } float Fuzz::nextF() { return this->nextT<float >(); }
uint32_t Fuzz::nextRangeU(uint32_t min, uint32_t max) {
if (min > max) {
SkDebugf("Check mins and maxes (%d, %d)\n", min, max);
this->signalBoring();
}
uint32_t range = max - min + 1;
if (0 == range) {
return this->nextU();
} else {
return min + this->nextU() % range;
}
}
float Fuzz::nextRangeF(float min, float max) {
if (min > max) {
SkDebugf("Check mins and maxes (%f, %f)\n", min, max);
this->signalBoring();
}
float f = std::abs(this->nextF());
if (!std::isnormal(f) && f != 0.0) {
this->signalBoring();
}
return min + fmod(f, (max - min + 1));
}