Commit Graph

90 Commits

Author SHA1 Message Date
Zepeng Hu
940070122a add create ddl fuzzer
This is an attempt to fuzz the usage of SkSurfaceCharacterization,
SkDeferredDisplayRecorder, and SkDeferredDisplayList.

This fuzzer first makes a surface and characterization from
GrDirectContext and then create a DDL and draw it on the surface.

The code is compiled with ninja and run with AFL at the speed around
600/sec

The future changes will include:
1. An alternative way to create DDL: first create the surface and
extract the characterization from that existing surface.

2.currently we just pass the ownership of the DDL into draw_ddl. In
the future we should add a version that retains ownership of the DDL
in order to fuzz the lifetime of the DDL.

3. Refactorize line 62-119

Change-Id: I9cd9736813be3abc82430bd4eeb559d6993ecbd4
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/303600
Commit-Queue: Zepeng Hu <zepenghu@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Robert Phillips <robertphillips@google.com>
2020-07-22 20:10:51 +00:00
Zepeng Hu
a5783f3858 Add SkRuntimeEffect Fuzzer
The major improvement is that now the fuzzer is able to execute
the sksl code (before it just compiled it). The fuzzer will
reserve 256 bytes for providing uniforms to the shader;
meanwhile, the fuzzer will read the remaining bytes as sksl code
to create SkRuntimeEffect. It then creates a shader and executes
it by painting the shader on a canvas.

The code was tested locally with afl-fuzz, and the execution 
speed was around 700/sec.

An alternative implementation would have been using Fuzz.h to
read bytes; I decided to go with sk_sp<SkData> since it has a
comparable format to other binary fuzzer and meets all the
functionality in this fuzzer.

For future changes, there are 2 important improvements to the
implementation:

1) Current shader does not have children shaders; thus,
makeShader() will fail if the SkSL ever tries to use an 'in shader'.

As pointed out in patchset 11, after creating the runtime effect,
effect->children().count() will tell you how many children it's
expecting (how many 'in shader' variables were declared). When you
call makeShader(), the second and third arguments are a
(C-style) array of shader pointers, and
a count (which must match children().count()).

Some helpful examples can be SkRTShader::CreateProc in
SkRuntimeEffect.cpp, make_fuzz_shader in FuzzCanvas.cpp.

2)

In this fuzzer, after creating the paint from a shader, the paint
can be drawn on either GPU canvas or CPU, so a possible way is to
use SkSurface::MakeRenderTarget to create GPU canvas and use a byte
to determine which canvas it will be drawn on.

Change-Id: Ib0385edd0f5ec2f23744aa517135a6955c53ba38
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/300618
Commit-Queue: Zepeng Hu <zepenghu@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
2020-07-10 15:54:23 +00:00
Zepeng Hu
babba97ae6 Use test font manager for SVG fuzzer
Change-Id: Ia4f96278e076d300b432b362db5df6b1a1654f3d
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/301218
Commit-Queue: Zepeng Hu <zepenghu@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
2020-07-08 19:30:00 +00:00
Zepeng Hu
ba7cbf76d4 Add SkSVGCanvas api Fuzzer
When manipulating svg file, the implementation of SkSVGCanvas will be used instead of the 
implementation of SkCanvas, so the api are tested against SkSVGCanvas. In addition, there are 
more api need to be covered in the function fuzz_canvas. As a result, the main changes are to 
add new DEF_FUZZ for SkSVGCanvas and to modify fuzz_canvas to increase the coverages of api.

Change-Id: Iaf6114bb0e2929c73549ff398c3db5592e736ea2
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/298977
Commit-Queue: Zepeng Hu <zepenghu@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
2020-07-01 13:48:45 +00:00
Zepeng Hu
f1eb43e880 replace max_len with if statements
Change-Id: I60d60e9b9ea0b7b6544a36bef7f4e263bb9de532
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/296416
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Zepeng Hu <zepenghu@google.com>
2020-06-16 17:26:30 +00:00
Zepeng Hu
edaf3020bf add svg fuzzer
Change-Id: I5c4c978c35462e41379939e92fb354dbb40606f8
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/295218
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Zepeng Hu <zepenghu@google.com>
2020-06-12 13:02:03 +00:00
Brian Osman
107c66669d Make it safe to include SkRuntimeEffect.h from client code
Bundling the pipeline stage arguments also simplifies the code in
several spots.

Change-Id: I85e81b436a39378f753cc9404b6eeb27fe055525
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/261778
Reviewed-by: Brian Salomon <bsalomon@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
2019-12-30 21:06:56 +00:00
Kevin Lubick
a12f6cbff3 [fuzzing] Fix skdescriptor deserialize compile
Change-Id: I03cf0b61099845ed1a931b30662830ffb883fa05
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/250177
Reviewed-by: Kevin Lubick <kjlubick@google.com>
2019-10-23 11:54:14 +00:00
Kevin Lubick
2be14d3215 [fuzzing] Add two fuzzers for SkDescriptor
One is an API fuzzer, the other is for deserializing.

Bug: skia:9548
Change-Id: I5923b8fb76f36ec09fca74d5ba82245a8ddb5938
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/249776
Reviewed-by: Herb Derby <herb@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2019-10-21 20:48:15 +00:00
Brian Osman
2e29ab5b03 added support for user-defined functions to GrSKSLFP
Bug: skia:
Change-Id: I1483cdf7229b7234be41d21407e2b4abf99fff76
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/239925
Reviewed-by: Brian Osman <brianosman@google.com>
Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
2019-09-20 17:13:57 +00:00
Mike Klein
c0bd9f9fe5 rewrite includes to not need so much -Ifoo
Current strategy: everything from the top

Things to look at first are the manual changes:

   - added tools/rewrite_includes.py
   - removed -Idirectives from BUILD.gn
   - various compile.sh simplifications
   - tweak tools/embed_resources.py
   - update gn/find_headers.py to write paths from the top
   - update gn/gn_to_bp.py SkUserConfig.h layout
     so that #include "include/config/SkUserConfig.h" always
     gets the header we want.

No-Presubmit: true
Change-Id: I73a4b181654e0e38d229bc456c0d0854bae3363e
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/209706
Commit-Queue: Mike Klein <mtklein@google.com>
Reviewed-by: Hal Canary <halcanary@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
Reviewed-by: Florin Malita <fmalita@chromium.org>
2019-04-24 16:27:11 +00:00
Mike Klein
c6142d855c de-common the rest of the flags
Turns out lots of tools had two copies of many of these flags.

Some GN and .cpp file refactoring to make sure when flags are
present in a binary, they do something in that binary.

I think this finally finishes the flag refrag.

Change-Id: I01488e37ab73a5c4361786863ddb137a7f1095b1
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/203420
Commit-Queue: Mike Klein <mtklein@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Auto-Submit: Mike Klein <mtklein@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
2019-03-25 17:39:58 +00:00
Mike Klein
ea3f014e2b sk_tool_utils -> ToolUtils, and git clang-format
sk_tool_utils doesn't really fit the naming convention
the rest of code under tools/ tends to use.

Change-Id: I45326a174101c6eb4b6149e9c742f658f2fd23b1
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/202313
Auto-Submit: Mike Klein <mtklein@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
2019-03-20 18:05:42 +00:00
Mike Klein
0cffcbf97b de-Sk tools/font, and git clang-format
Change-Id: I0326eb9cc1e1e38b0fdc417567987a595f9021d2
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/202310
Commit-Queue: Mike Klein <mtklein@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Auto-Submit: Mike Klein <mtklein@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
2019-03-20 17:36:52 +00:00
Kevin Lubick
0f0a7107d3 Add SkSL2Pipeline fuzzer
Bug: skia:8876
Change-Id: Ib62da438dec493536c7351eb0c4a06a0275833b4
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/201645
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
2019-03-18 21:02:49 +00:00
Kevin Lubick
39cbe46df6 Add input length check when fuzzing
Otherwise, the string constructor can walk off the end
looking for a null terminator that never arrives.

Fix some logging copypasta

Bug: skia:
Change-Id: I0cb1b0b75673f64a5ac647307dbc04253f707686
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/199937
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2019-03-11 20:08:07 +00:00
Kevin Lubick
e9c1ce89c0 Add oss-fuzz compatible fuzzers for sksl2*
Bug: skia:
Change-Id: I468517481fcae42155c4363d817405455181d3c3
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/199721
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2019-03-11 15:54:01 +00:00
Kevin Lubick
ec1c620316 Avoid system fonts when fuzzing
This should make reproducing certain fuzzes easier between oss-fuzz
and a typical dev's desktop.

This was the most straight-forward way I could think of to
accomplish this.  An ideal solution would "compile" a set of
fonts that was not the test set and embed it, but I lack the
domain knowledge to craft such a set.

If this method works ok, we can explore making the font set
more robust and varied.

Bug: 818769
Change-Id: I03eb2bc316caf7aec3ffa88e59ff29d76c8557ec
Reviewed-on: https://skia-review.googlesource.com/c/177800
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Ben Wagner <bungeman@google.com>
2018-12-14 17:11:56 +00:00
Kevin Lubick
0f3d2a6010 Add new Codec fuzzers to FuzzMain
Already in oss-fuzz:
https://github.com/google/oss-fuzz/pull/1882

This tweaks some names and return types to be more
consistent.

Bug: skia:
Change-Id: Id7e2e00bd4e7c7758d616d102195c0291bc37d9f
Reviewed-on: https://skia-review.googlesource.com/c/163124
Reviewed-by: Leon Scroggins <scroggo@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-10-17 18:44:07 +00:00
Leon Scroggins III
0b8fcbcfa3 Add fuzzers for SkAndroidCodec & incrementalDecode
Fuzz SkAndroidCodec to help to catch errors in both incrementalDecode
and scanlineDecode. Try a variety of sample sizes, but cap it at 64.
Though sometimes larger sample sizes are used, the lower ones tend to
more common. Also draw the resulting bitmap to verify that we
initialized all pixels.

Independently test incrementalDecode to ensure that it initializes
rowsDecoded.

Change-Id: I20d8a408cd280262fdc62f902a6f04f0f57f5ad2
Reviewed-on: https://skia-review.googlesource.com/c/162025
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Auto-Submit: Leon Scroggins <scroggo@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
2018-10-17 12:08:18 +00:00
Kevin Lubick
de2dc8dc77 Add oss-fuzz entrypoint for Polyutils fuzz
Bug: skia:
Change-Id: Iee7fe4344e65290ae25e4cd51f338d9ce56def55
Reviewed-on: https://skia-review.googlesource.com/c/161421
Reviewed-by: Kevin Lubick <kjlubick@google.com>
2018-10-11 13:40:09 +00:00
Mike Klein
7ffa40cedb FuzzPath -> FuzzNicePath
This CL renames FuzzPath() to FuzzNicePath() to remind us that it's
meant to create paths that a user could reasonably want to create
in good faith, to pass to Skia via its API, etc.

Then, add fuzz_nice_rect(), and have FuzzNicePath() use that to create
its rectangles and use FuzzNiceMatrix() to create its matrices, just
like we already use FuzzNiceRRect() to create rounded rectangles and
FuzzNicePath() itself to create sub-paths.

Using fuzz_nice_rect() should be the fix for the attached bug.
Using FuzzNiceMatrix() is by analogy, more preemptive.

While we're at it, rename BuildPath to FuzzEvilPath, so the contrast
with FuzzNicePath is more clear.

Update the assertions that we create a valid path in FuzzNicePath()
to tell us where things went wrong if they do.

Bug: oss-fuzz:10667, skia:8384
Change-Id: I6d802182a62815cd969c65cf0479609f64b1da55
Reviewed-on: https://skia-review.googlesource.com/156840
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Auto-Submit: Mike Klein <mtklein@google.com>
2018-09-25 17:04:00 +00:00
Kevin Lubick
549ed8874e Add FuzzPathop to oss-fuzz
With the fixes in https://skia-review.googlesource.com/c/skia/+/150465
this should allow us to fuzz Pathop on oss-fuzz.

Bug: skia:
Change-Id: Id5df511f850f23b5aad0bcb39664d18f639ddb69
Reviewed-on: https://skia-review.googlesource.com/150560
Auto-Submit: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Cary Clark <caryclark@google.com>
Commit-Queue: Cary Clark <caryclark@google.com>
2018-08-30 16:47:13 +00:00
Cary Clark
6943689ab4 clean up includes
Prepare SkRegion.h, SkShader.h, SkStream.h for documentation.
Name params, add trailing commas to enum member list,
move or remove some public SkRegion.h stuff.

SkRegion gets a minor overhaul to move some pieces
to private: or SkRegionPriv. The intent is to preserve the
current code so that the fixes for documentation do not impact
performance or code size.

R=djsollen@google.com,reed@google.com

Docs-Preview: https://skia.org/?cl=141284
Bug: skia:6818
Change-Id: I0d82794081b8739a9e8af0d1cd4a0e5d32d04f04
Reviewed-on: https://skia-review.googlesource.com/141284
Commit-Queue: Cary Clark <caryclark@skia.org>
Reviewed-by: Mike Reed <reed@google.com>
2018-08-06 14:49:46 +00:00
Cary Clark
53c8769002 remove unused untested parts of text blob
SkTextBlob has a number of untested entry points
to serialize and deserialize. Privitize ones only used
by Skia, and remove ones suspected to be unused
and untested.

R=fmalita@chromium.org
TBR=reed@google.com,bsalomon@google.com

Bug: skia:6818
Change-Id: I6a9982a26a883982af3592f3302029a1bcdf5aa3
Reviewed-on: https://skia-review.googlesource.com/141820
Reviewed-by: Florin Malita <fmalita@chromium.org>
Reviewed-by: Cary Clark <caryclark@skia.org>
Commit-Queue: Cary Clark <caryclark@skia.org>
2018-07-17 17:01:20 +00:00
Florin Malita
80452bee11 Fold SkJSON into Skia/utils
It's a tiny, core-ish component -- might as well treat as such to
simplify dependencies.

Change-Id: I6f31ce2d151f9a629d88bfc7f15d64891d5150c0
Reviewed-on: https://skia-review.googlesource.com/135780
Reviewed-by: Mike Klein <mtklein@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Florin Malita <fmalita@chromium.org>
2018-06-19 18:23:30 +00:00
Florin Malita
3d856bdeee [skottie] Relocate to modules/skottie
TBR=
Change-Id: I218d251ca56578a3a7fd4fb86cba9abdc10fb3bd
Reviewed-on: https://skia-review.googlesource.com/130322
Reviewed-by: Florin Malita <fmalita@chromium.org>
Commit-Queue: Florin Malita <fmalita@chromium.org>
2018-05-27 02:21:33 +00:00
Kevin Lubick
9eeede2e71 Add Skottie fuzzer (via json input)
Bug: skia:
Change-Id: I97543b73755fca73f2ad014113ae8cd2c9227cf3
Reviewed-on: https://skia-review.googlesource.com/125820
Reviewed-by: Florin Malita <fmalita@chromium.org>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-05-04 13:05:12 +00:00
Kevin Lubick
27d42198d3 Move oss-fuzz to MockGPUCanvas
Bug: skia:7776
Change-Id: I4f2791375d8be05486d10ce8f7f2e58aa032cfd8
Reviewed-on: https://skia-review.googlesource.com/118166
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Brian Salomon <bsalomon@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
Reviewed-by: Jonathan Metzman <metzman@chromium.org>
2018-04-03 17:02:20 +00:00
Kevin Lubick
e4be55dc28 Add Encoder fuzzers
This also includes a helper "fuzzer" for making a corpus.
Point it at an image or folder of images and it will
decode those images and write the SkPixmap's bytes to
disk, such that the fuzzer will be able to read in
those bytes as if it had decoded the image (or gotten
it from another source).

Bug: skia:
Change-Id: Iaf223a39078f2b62908fb47929add5d63f22d973
Reviewed-on: https://skia-review.googlesource.com/117367
Reviewed-by: Leon Scroggins <scroggo@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-03-30 19:31:56 +00:00
Jonathan Metzman
8264b310d5 Add libFuzzer style fuzzer for NullGLCanvas for use on OSS-Fuzz.
Bug: 827225
Change-Id: Icb30c0c234326340213af0cc402a4124dd0336b3
Reviewed-on: https://skia-review.googlesource.com/117150
Commit-Queue: Mike Klein <mtklein@chromium.org>
Reviewed-by: Mike Klein <mtklein@chromium.org>
2018-03-29 19:40:26 +00:00
Kevin Lubick
486ee3d4c6 Port 2 Canvas fuzzers to oss-fuzz
Bug: skia:
Change-Id: I0d34bfff4a53f831986614844bdc955935f28501
Reviewed-on: https://skia-review.googlesource.com/115582
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
2018-03-21 14:44:28 +00:00
Kevin Lubick
05cb229e58 Add oss-fuzz endpoint for PathMeasure
Bug: skia:
Change-Id: I3e051cefd6861b63bab33a1812674eacf67a35dd
Reviewed-on: https://skia-review.googlesource.com/113748
Reviewed-by: Mike Klein <mtklein@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-03-12 18:43:38 +00:00
Cary Clark
91390c8ace pathmeasure fuzzer
R=kjlubick@google.com, reed@google.com
Bug: skia:
Change-Id: I16a8b09312e5d1d1783bd6a4b791636ad8f63889
Reviewed-on: https://skia-review.googlesource.com/113165
Reviewed-by: Mike Reed <reed@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Cary Clark <caryclark@skia.org>
2018-03-12 15:29:18 +00:00
Kevin Lubick
db1e5c6474 Port 3 API fuzzers to be oss-fuzz friendly
Also Remove ScaleToSides, which we hadn't been running for a while.

Bug: skia:
Change-Id: I772dad722c34681392d5b635b3de716f3b00d597
Reviewed-on: https://skia-review.googlesource.com/110443
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-02-27 13:47:28 +00:00
Kevin Lubick
37c0f7183e Add guidance for oss-fuzzer for new path version
This only changes it for the oss-fuzz executable
which allows our normal fuzz executable to repro
on older versions, if needed.

This CL also accompanies additions to the corpus
of a bunch of v4 paths.

Bug: skia:

Change-Id: I4a1a3b27f48423f2bddc73e1b8bf63b82dfa59ff
Reviewed-on: https://skia-review.googlesource.com/109560
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-02-23 13:35:37 +00:00
Kevin Lubick
2416f968a6 Add 2 fuzz targets for image decoding (oss-fuzz)
This also adds in a few small guards to prevent libfuzzer from frequently
running out of memory when an image claims to have billions of pixels.

Bug: skia:
Change-Id: I47a9daac832c4d85a42000698482b61721c38880
Reviewed-on: https://skia-review.googlesource.com/106264
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Leon Scroggins <scroggo@google.com>
2018-02-12 15:25:59 +00:00
Kevin Lubick
f034d11859 Break some fuzzer targets out so oss-fuzz can use them
FuzzImageFilterDeserialize is already being used in oss-fuzz
but the target lived there and not here.  This moves it here.

Then we can turn on:
 - FuzzPathDeserialize
 - FuzzTextBlobDeserialize


Bug: skia:
Change-Id: I7baee8386fb7aeebc43a68abfff9a670ba16f82c
Reviewed-on: https://skia-review.googlesource.com/105763
Reviewed-by: Mike Klein <mtklein@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-02-09 14:37:41 +00:00
Kevin Lubick
a71b8d17e8 Check for nullptrs when fuzzing region_deserialize
Bug: oss-fuzz:5629
Change-Id: I1129a6a9a68c69e07ab63e2e2be1c00cf0581962
Reviewed-on: https://skia-review.googlesource.com/102482
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
2018-02-01 15:10:43 +00:00
Kevin Lubick
2541edf0c6 Add in Region SetPath Fuzzer
Also refactor a few things to make it easier to use oss-fuzz.

Bug: skia:
Change-Id: Ie518a6cfc7d57a347b5d09089379f986d33f8b7f
Reviewed-on: https://skia-review.googlesource.com/41740
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
2018-01-11 19:42:53 +00:00