Commit Graph

259 Commits

Author SHA1 Message Date
herb
5e0883cf57 Fix bounds of checking if a radii are too long for a side.
BUG=skia:4692,skia:4413
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1617763003

Review URL: https://codereview.chromium.org/1617763003
2016-01-22 08:34:35 -08:00
mtklein
26379ca002 Demo fuzz for Herb
BUG=skia:4692
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1611293002

Review URL: https://codereview.chromium.org/1611293002
2016-01-21 09:25:33 -08:00
mtklein
d4387ea993 fuzz: list API fuzzing options if -t api and -n matches nothing.
Today we segfault if --name is empty.  This fixes that too.

This updates some terms: -t api lets us fuzz an API.

BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1617713003

Review URL: https://codereview.chromium.org/1617713003
2016-01-21 06:13:52 -08:00
kjlubick
dba5734409 Seperating our fuzzing binary from DM produces a 50x speed increase for decoding images and a 10x speed increase in decoding/rendering Skps.
This also lets us differentiate between the decoding of Skps and the rendering of them, the latter of which may be more interesting for bugs.

BUG=skia:4800
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1591073002

Review URL: https://codereview.chromium.org/1591073002
2016-01-21 05:03:28 -08:00
mtklein
d0b823479a If we pass no bytes, use the fuzz binary itself.
This is mostly for convenient local testing.

BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1587043009

Review URL: https://codereview.chromium.org/1587043009
2016-01-15 07:56:20 -08:00
mtklein
f5e9782bde Restore creature comforts to fuzz binary
The hack to remove these niceties didn't seem to make a difference in my
fuzz/s, so we might as well keep them.

BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1589493006

Review URL: https://codereview.chromium.org/1589493006
2016-01-15 06:19:53 -08:00
mtklein
a115942ed6 fuzz: signalBug() / signalBoring()
Instead of a single ASSERT macro, this switches to two new methods:
   - signalBug():    tell afl-fuzz there's a bug caused by its inputs (by crashing)
   - signalBoring(): tell afl-fuzz these inputs are not worth testing (by exiting gracefully)

I'm not seeing any effect on fuzz/s when I just always log verbosely.

signalBug() now triggers SIGSEGV rather than SIGABRT.  This should make it work with catchsegv more easily.

BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1585353002

Review URL: https://codereview.chromium.org/1585353002
2016-01-15 05:46:54 -08:00
mtklein
24a22c7de8 some fuzz hacking
Try to start faster:
 - remove flags dependency
 - print nothing
 - strip unused symbols from the binary on Mac (smaller binary)
 - only create one fuzz object
 - only run one DEF_FUZZ
I am not sure if any of these things mattered, but I thought you may like to look.

Good stuff:
 - make nextU() / nextF() work
 - drop nextURange() / nextFRange() for now
 - add nextB() for a single byte

As you may have guessed, I have figured out how to use afl-fuzz on my laptop.

Syntax to run becomes:
  $ afl-fuzz ... out/Release/fuzz <DEF_FUZZ name> @@

BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1581203003

Review URL: https://codereview.chromium.org/1581203003
2016-01-14 04:59:42 -08:00
mtklein
65e5824d3a Add new fuzz binary.
This is designed to have short startup time, for maximum fuzzing throughput.

BUG=skia:
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1589563002

Review URL: https://codereview.chromium.org/1589563002
2016-01-13 12:57:58 -08:00