Commit Graph

33 Commits

Author SHA1 Message Date
Hal Canary
6d9a51a75c Fuzz: un-inline some code
Change-Id: I3fd20d2b69d5c3b4b7163c239d65185ce9099c41
Reviewed-on: https://skia-review.googlesource.com/c/171783
Commit-Queue: Hal Canary <halcanary@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Auto-Submit: Hal Canary <halcanary@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
2018-11-19 18:44:07 +00:00
Mike Klein
f88f5ef109 simplify nextRange(), fold in nextEnum()
Doesn't look like we need to distinguish these if we just
write them as the simple

   1) load the right number of bytes
   2) clamp to [min,max]

This makes enum fuzzing independent of its underlying type, and may make
it easier to see the mapping from fuzzed byte stream to
nextRange()/nextEnum() values.

Change-Id: I9f785f94f513a0087ad7151b5e7bc14ddbe9314a
Reviewed-on: https://skia-review.googlesource.com/c/171820
Commit-Queue: Mike Klein <mtklein@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Auto-Submit: Mike Klein <mtklein@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
2018-11-19 18:04:12 +00:00
Kevin Lubick
6d3cb2a81e [fuzzer] Check enum type at compile time
I think this originally was done due to int / unsigned
differences between Linux in Windows.  In hindsight, that
was short-sighted.

Bug: oss-fuzz:11281,oss-fuzz:11282,oss-fuzz:11283
Change-Id: I06e38cb663f84278f479eb7fee3118c1068eeaa8
Reviewed-on: https://skia-review.googlesource.com/c/169244
Reviewed-by: Mike Klein <mtklein@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-11-07 18:24:01 +00:00
Kevin Lubick
f84ded269e Add Legacy fuzz reproducer
Make FuzzEnum always use uint32_t to make it consistent
(we were seeing some Windows setups have underlying type return
int and not unsigned int that we saw on Linux)

Bug: 897455
Change-Id: Ia8c97e59bb498d959a9a30abcb61731f4bd145cf
Reviewed-on: https://skia-review.googlesource.com/c/164240
Reviewed-by: Cary Clark <caryclark@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-10-23 14:24:22 +00:00
Kevin Lubick
bc9a1a837d Make fuzz::next overloads more consistent
Some oss-fuzz bugs (like the linked one) would not reproduce
in Skia proper due to the fact that there were subtle overloads
of the various Fuzz::next() methods in FuzzCanvas.cpp that
were pulled in in Skia proper, but not oss-fuzz.

This puts all of them in to FuzzCommon.h and makes the
matrix and rrect ones opt-in (fuzz_matrix, fuzz_rrect).

Additionally, this renames fuzz.cpp -> FuzzMain.cpp so we
can properly include Fuzz.cpp in oss-fuzz without
having two mains.

Bug: oss-fuzz:10378
Change-Id: I6cf9afb471781b9fadb689482109a1e5662358b5
Reviewed-on: https://skia-review.googlesource.com/154900
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Robert Phillips <robertphillips@google.com>
2018-09-17 19:20:51 +00:00
Hal Canary
c640d0dc96 Revert "Revert "SkTypes: extract SkTo""
This reverts commit fdcfb8b7c2.

> Original change's description:
> > SkTypes: extract SkTo
> >
> > Change-Id: I8de790d5013db2105ad885fa2683303d7c250b09
> > Reviewed-on: https://skia-review.googlesource.com/133620
> > Reviewed-by: Mike Klein <mtklein@google.com>

Change-Id: Ida74fbc5c21248a724a5edbf9fae18a33bcb23aa
Reviewed-on: https://skia-review.googlesource.com/134506
Reviewed-by: Mike Klein <mtklein@google.com>
Commit-Queue: Hal Canary <halcanary@google.com>
2018-06-14 14:55:17 +00:00
Hal Canary
fdcfb8b7c2 Revert "SkTypes: extract SkTo"
This reverts commit 2a2f675926.

Reason for revert: this appears to be what is holding up the Chrome roll.

Original change's description:
> SkTypes: extract SkTo
>
> Change-Id: I8de790d5013db2105ad885fa2683303d7c250b09
> Reviewed-on: https://skia-review.googlesource.com/133620
> Reviewed-by: Mike Klein <mtklein@google.com>

TBR=mtklein@google.com,halcanary@google.com

No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Change-Id: Iafd738aedfb679a23c061a51afe4b98a8d4cdfae
Reviewed-on: https://skia-review.googlesource.com/134504
Reviewed-by: Hal Canary <halcanary@google.com>
Commit-Queue: Hal Canary <halcanary@google.com>
2018-06-13 13:45:47 +00:00
Hal Canary
2a2f675926 SkTypes: extract SkTo
Change-Id: I8de790d5013db2105ad885fa2683303d7c250b09
Reviewed-on: https://skia-review.googlesource.com/133620
Reviewed-by: Mike Klein <mtklein@google.com>
2018-06-12 15:03:21 +00:00
Mike Klein
bf45c70639 Clean up a few IWYU issues
Spun off from the SkTFitsIn CL.

Change-Id: I686d680df6a36ebc02db3847ad5e2cedcbcd67ef
Reviewed-on: https://skia-review.googlesource.com/134083
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Mike Klein <mtklein@chromium.org>
2018-06-11 19:40:44 +00:00
Kevin Lubick
e4be55dc28 Add Encoder fuzzers
This also includes a helper "fuzzer" for making a corpus.
Point it at an image or folder of images and it will
decode those images and write the SkPixmap's bytes to
disk, such that the fuzzer will be able to read in
those bytes as if it had decoded the image (or gotten
it from another source).

Bug: skia:
Change-Id: Iaf223a39078f2b62908fb47929add5d63f22d973
Reviewed-on: https://skia-review.googlesource.com/117367
Reviewed-by: Leon Scroggins <scroggo@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-03-30 19:31:56 +00:00
Yuqian Li
a63d6900d3 Fix a tiny typo
This shouldn't matter... But I just feel the impulsion to fix it.

Bug: skia:
Change-Id: Id3b6302071165b3abe98a3d89409d39715fac23c
Reviewed-on: https://skia-review.googlesource.com/111002
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
2018-03-01 14:52:04 +00:00
Kevin Lubick
1991f5502e Tweak API fuzzers to run better in libfuzzer
Prevents logging from cluttering the stats.
Better handles limited memory.

Bug: skia:
Change-Id: I12c1a46875fd9120938cab520ef70de69c451ad8
Reviewed-on: https://skia-review.googlesource.com/110642
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-02-27 16:21:49 +00:00
Kevin Lubick
db1e5c6474 Port 3 API fuzzers to be oss-fuzz friendly
Also Remove ScaleToSides, which we hadn't been running for a while.

Bug: skia:
Change-Id: I772dad722c34681392d5b635b3de716f3b00d597
Reviewed-on: https://skia-review.googlesource.com/110443
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-02-27 13:47:28 +00:00
Kevin Lubick
2541edf0c6 Add in Region SetPath Fuzzer
Also refactor a few things to make it easier to use oss-fuzz.

Bug: skia:
Change-Id: Ie518a6cfc7d57a347b5d09089379f986d33f8b7f
Reviewed-on: https://skia-review.googlesource.com/41740
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
2018-01-11 19:42:53 +00:00
Herb Derby
b549cc38c8 Change SkMemory to the more accurately named SkMalloc.
Change-Id: I6b08a74234b99bac866bad71014b94f7ec2d4bc8
Reviewed-on: https://skia-review.googlesource.com/10188
Commit-Queue: Herb Derby <herb@google.com>
Reviewed-by: Brian Salomon <bsalomon@google.com>
2017-03-27 18:13:07 +00:00
Herb Derby
d7b34a5ca0 Make SkMemory.h and adjust all files for usage.
This will be rolled out in three stages:
1) make SkMemory.h and have SkTypes.h include it.
2) Adjust chromium and android.
3) no long include SkMemory.h in SkTypes.h

Change-Id: If360ef5e1164d88f50b03f279e2e963ca2f57d5d
Reviewed-on: https://skia-review.googlesource.com/9874
Reviewed-by: Brian Salomon <bsalomon@google.com>
Commit-Queue: Herb Derby <herb@google.com>
2017-03-20 18:40:49 +00:00
Hal Canary
24ac42b373 Fuzz PDF, N32, and Null Canvases
run `fuzz --type pdf_canvas` or `fuzz --type null_canvas` or
`fuzz --type n32_canvas`

Change-Id: Id70179d5578ed1e67006aef7823bf75fc1d7a4a6
Reviewed-on: https://skia-review.googlesource.com/8418
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Hal Canary <halcanary@google.com>
2017-02-27 19:03:12 +00:00
Mike Reed
ab273facbf move SkTRegister.h into tools
BUG=skia:

Change-Id: Ie7d4fac3024b361a281f456fec2b3a837e2bfe43
Reviewed-on: https://skia-review.googlesource.com/6881
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-by: Mike Klein <mtklein@chromium.org>
2017-01-11 19:53:36 +00:00
Kevin Lubick
d104266241 Fix fuzzRange
Make the fuzzRange not crash if min == max, just set n to be min.


BUG=skia:

Change-Id: I138cefbec9b408d3b35e4258d770e6b396af0e5f
Reviewed-on: https://skia-review.googlesource.com/5305
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2016-11-29 18:29:03 +00:00
Kevin Lubick
c9f0cc8700 Add back in min/max check on fuzzer range
BUG=skia:

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=4798

Change-Id: Ia93b4eeea82dd04f0c6bd287f61d26086a0aa740
Reviewed-on: https://skia-review.googlesource.com/4798
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2016-11-16 19:17:19 +00:00
Kevin Lubick
fb0ce926e6 Properly handle INT_MIN and related
BUG=skia:5967

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=4751

Change-Id: Ie846560ebdaf11e1a5247842b3549ade1e100af2
Reviewed-on: https://skia-review.googlesource.com/4751
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2016-11-14 17:27:38 +00:00
Kevin Lubick
416b248312 Avoid platform-dependent function params in Fuzzer
We use this approach instead of T next() because different compilers
evaluate function parameters in different orders. If fuzz->next()
returned 5 and then 7, foo(fuzz->next(), fuzz->next()) would be
foo(5, 7) when compiled on GCC and foo(7, 5) when compiled on Clang.
By requiring params to be passed in, we avoid the temptation to call 
next() in a way that does not consume fuzzed bytes in a single 
platform-independent order.

BUG=skia:

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=4392

Change-Id: I35de849f82e8be45378f662a48100eb732fa8895
Reviewed-on: https://skia-review.googlesource.com/4392
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2016-11-10 22:52:03 +00:00
Kevin Lubick
2f535cecd0 Make fuzzers use cleaner interface
signalBoring() no longer exists.  When the fuzzer runs out of randomness,
it just returns 0.  Fuzzers should not go into infinite loops if this
happens.  do while loops are particularly error-prone.

BUG=skia:

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=3963

Change-Id: Iebcfc14cc6b0a19c5dd015cd39875c81fa44003e
Reviewed-on: https://skia-review.googlesource.com/3963
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Mike Klein <mtklein@chromium.org>
2016-11-01 19:23:16 +00:00
kjlubick
840f12a721 Fix memory leak in FuzzGradients
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2446643003

Review-Url: https://codereview.chromium.org/2446643003
2016-10-25 06:11:05 -07:00
kjlubick
85d301745a Fix fuzzer's bools to be 0 or 1 only
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2447823002

Review-Url: https://codereview.chromium.org/2447823002
2016-10-24 11:53:35 -07:00
reed
42943c8aa9 change SkStreams to work with sk_sp<SkData> instead of SkData*
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2333713002

Review-Url: https://codereview.chromium.org/2333713002
2016-09-12 12:01:44 -07:00
bungeman
ffae30db4a Convert SkAutoTUnref<SkData> to sk_sp<SkData>.
With the move from SkData::NewXXX to SkData::MakeXXX most
SkAutoTUnref<SkData> were changed to sk_sp<SkData>. However,
there are still a few SkAutoTUnref<SkData> around, so clean
them up.

Review-Url: https://codereview.chromium.org/2212493002
2016-08-03 13:32:32 -07:00
kjlubick
e565450d0b Port FuzzPathop from chromium
BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2148023002

Review-Url: https://codereview.chromium.org/2148023002
2016-07-19 16:50:03 -07:00
kjlubick
4319593988 Do an in-place replacement of SkRandom with Fuzz for FilterFuzz
This feels rather clunky, because we aren't using the full potential of the
fuzzer, but it works, it seems.

BUG=skia:4969
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1710183002

Review URL: https://codereview.chromium.org/1710183002
2016-04-05 12:48:47 -07:00
kjlubick
5bd98a244b Create ParsePath API fuzz
This is based on https://codereview.chromium.org/1675053002

BUG=skia:4438
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1702383003

Review URL: https://codereview.chromium.org/1702383003
2016-02-18 06:27:39 -08:00
mtklein
a115942ed6 fuzz: signalBug() / signalBoring()
Instead of a single ASSERT macro, this switches to two new methods:
   - signalBug():    tell afl-fuzz there's a bug caused by its inputs (by crashing)
   - signalBoring(): tell afl-fuzz these inputs are not worth testing (by exiting gracefully)

I'm not seeing any effect on fuzz/s when I just always log verbosely.

signalBug() now triggers SIGSEGV rather than SIGABRT.  This should make it work with catchsegv more easily.

BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1585353002

Review URL: https://codereview.chromium.org/1585353002
2016-01-15 05:46:54 -08:00
mtklein
24a22c7de8 some fuzz hacking
Try to start faster:
 - remove flags dependency
 - print nothing
 - strip unused symbols from the binary on Mac (smaller binary)
 - only create one fuzz object
 - only run one DEF_FUZZ
I am not sure if any of these things mattered, but I thought you may like to look.

Good stuff:
 - make nextU() / nextF() work
 - drop nextURange() / nextFRange() for now
 - add nextB() for a single byte

As you may have guessed, I have figured out how to use afl-fuzz on my laptop.

Syntax to run becomes:
  $ afl-fuzz ... out/Release/fuzz <DEF_FUZZ name> @@

BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1581203003

Review URL: https://codereview.chromium.org/1581203003
2016-01-14 04:59:42 -08:00
mtklein
65e5824d3a Add new fuzz binary.
This is designed to have short startup time, for maximum fuzzing throughput.

BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1589563002

Review URL: https://codereview.chromium.org/1589563002
2016-01-13 12:57:58 -08:00