This is an attempt to fuzz the usage of SkSurfaceCharacterization,
SkDeferredDisplayRecorder, and SkDeferredDisplayList.
This fuzzer first makes a surface and characterization from
GrDirectContext and then create a DDL and draw it on the surface.
The code is compiled with ninja and run with AFL at the speed around
600/sec
The future changes will include:
1. An alternative way to create DDL: first create the surface and
extract the characterization from that existing surface.
2.currently we just pass the ownership of the DDL into draw_ddl. In
the future we should add a version that retains ownership of the DDL
in order to fuzz the lifetime of the DDL.
3. Refactorize line 62-119
Change-Id: I9cd9736813be3abc82430bd4eeb559d6993ecbd4
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/303600
Commit-Queue: Zepeng Hu <zepenghu@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Robert Phillips <robertphillips@google.com>
Helpful for bugs that require evolving global state over multiple
iterations, or bugs that don't repro 100% deterministically.
Change-Id: I4499a8783b00ccd079b79219cad2a4d45e467777
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/303581
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
The major improvement is that now the fuzzer is able to execute
the sksl code (before it just compiled it). The fuzzer will
reserve 256 bytes for providing uniforms to the shader;
meanwhile, the fuzzer will read the remaining bytes as sksl code
to create SkRuntimeEffect. It then creates a shader and executes
it by painting the shader on a canvas.
The code was tested locally with afl-fuzz, and the execution
speed was around 700/sec.
An alternative implementation would have been using Fuzz.h to
read bytes; I decided to go with sk_sp<SkData> since it has a
comparable format to other binary fuzzer and meets all the
functionality in this fuzzer.
For future changes, there are 2 important improvements to the
implementation:
1) Current shader does not have children shaders; thus,
makeShader() will fail if the SkSL ever tries to use an 'in shader'.
As pointed out in patchset 11, after creating the runtime effect,
effect->children().count() will tell you how many children it's
expecting (how many 'in shader' variables were declared). When you
call makeShader(), the second and third arguments are a
(C-style) array of shader pointers, and
a count (which must match children().count()).
Some helpful examples can be SkRTShader::CreateProc in
SkRuntimeEffect.cpp, make_fuzz_shader in FuzzCanvas.cpp.
2)
In this fuzzer, after creating the paint from a shader, the paint
can be drawn on either GPU canvas or CPU, so a possible way is to
use SkSurface::MakeRenderTarget to create GPU canvas and use a byte
to determine which canvas it will be drawn on.
Change-Id: Ib0385edd0f5ec2f23744aa517135a6955c53ba38
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/300618
Commit-Queue: Zepeng Hu <zepenghu@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
When manipulating svg file, the implementation of SkSVGCanvas will be used instead of the
implementation of SkCanvas, so the api are tested against SkSVGCanvas. In addition, there are
more api need to be covered in the function fuzz_canvas. As a result, the main changes are to
add new DEF_FUZZ for SkSVGCanvas and to modify fuzz_canvas to increase the coverages of api.
Change-Id: Iaf6114bb0e2929c73549ff398c3db5592e736ea2
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/298977
Commit-Queue: Zepeng Hu <zepenghu@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
This CL is not fully comprehensive; for instance, it does not contain
fixes for backends that don't compile on Mac. But it does resolve the
vast majority of cases that trigger -Wimplicit-fallthrough.
A few minor bugs were found and fixed, but none that were likely to
affect normal operation.
Change-Id: I43487602b0d56200ce8b42702e04f66390d82f60
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/295916
Reviewed-by: Mike Klein <mtklein@google.com>
Commit-Queue: John Stiles <johnstiles@google.com>
Use std::min and std::max everywhere.
SkTPin still exists. We can't use std::clamp yet, and even when
we can, it has undefined behavior with NaN. SkTPin is written
to ensure that we return a value in the [lo, hi] range.
Change-Id: I506852a36e024ae405358d5078a872e2c77fa71e
Docs-Preview: https://skia.org/?cl=269357
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/269357
Commit-Queue: Brian Osman <brianosman@google.com>
Reviewed-by: Mike Reed <reed@google.com>
Reviewed-by: Brian Salomon <bsalomon@google.com>
One is an API fuzzer, the other is for deserializing.
Bug: skia:9548
Change-Id: I5923b8fb76f36ec09fca74d5ba82245a8ddb5938
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/249776
Reviewed-by: Herb Derby <herb@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
This is a reland of 6fc04f88a8
Original change's description:
> Reland "SkSurface asynchronous read APIs allow client to extend pixel lifetime"
>
> This is a reland of ce240cc6fd
>
> Original change's description:
> > SkSurface asynchronous read APIs allow client to extend pixel lifetime
> >
> > Previously the pixel data passed to the client was only valid during
> > the client's callback. This meant if the client wanted to defer
> > processing of the data a copy was necessary.
> >
> > Now we pass an object to the callback and the pixel lifetime is tied
> > to the lifetime of that object.
> >
> > The object may be holding a GPU transfer buffer mapped. We don't assume
> > that the object will be released on the direct GrContext thread. So
> > when the object is destroyed it posts a message to a new type,
> > GrClientMappedBufferManager, hanging off the direct context. The direct
> > context will periodically check for messages and unmap and then unref
> > buffers so that they can be reused. Currently this is done in
> > GrContext::performDeferredCleanup() and GrDrawingManager::flush().
> >
> > The old API is kept around for backwards compatibility but it is
> > reimplemented as a bridge on top of the new mechanism.
> >
> > Also a utility function to SkImageInfo is added to directly make a new
> > info with a specified dimensions rather than passing the width and
> > height separately to makeWH().
> >
> > Bug: chromium:973403
> > Bug: skia:8962
> >
> > Change-Id: Id5cf04235376170142a48e90d3ecd13fd021a2a6
> > Reviewed-on: https://skia-review.googlesource.com/c/skia/+/245457
> > Reviewed-by: Brian Osman <brianosman@google.com>
> > Commit-Queue: Brian Salomon <bsalomon@google.com>
>
> Bug: chromium:973403, skia:8962
> Change-Id: I5cecd36276c8b6dc942cf549c7095db2df88530c
> Reviewed-on: https://skia-review.googlesource.com/c/skia/+/245678
> Reviewed-by: Brian Salomon <bsalomon@google.com>
> Commit-Queue: Brian Salomon <bsalomon@google.com>
Bug: chromium:973403, skia:8962
Change-Id: Ie584c1c3ef8021c976f71b708e53871c693cc450
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/246057
Reviewed-by: Brian Osman <brianosman@google.com>
Commit-Queue: Brian Salomon <bsalomon@google.com>
This reverts commit 6fc04f88a8.
Reason for revert: Chrome roll failure suspect because of:
* https://chromium-review.googlesource.com/c/chromium/src/+/1837131 (22 commits)
* https://chromium-review.googlesource.com/c/chromium/src/+/1837214 (24 commits)
Original change's description:
> Reland "SkSurface asynchronous read APIs allow client to extend pixel lifetime"
>
> This is a reland of ce240cc6fd
>
> Original change's description:
> > SkSurface asynchronous read APIs allow client to extend pixel lifetime
> >
> > Previously the pixel data passed to the client was only valid during
> > the client's callback. This meant if the client wanted to defer
> > processing of the data a copy was necessary.
> >
> > Now we pass an object to the callback and the pixel lifetime is tied
> > to the lifetime of that object.
> >
> > The object may be holding a GPU transfer buffer mapped. We don't assume
> > that the object will be released on the direct GrContext thread. So
> > when the object is destroyed it posts a message to a new type,
> > GrClientMappedBufferManager, hanging off the direct context. The direct
> > context will periodically check for messages and unmap and then unref
> > buffers so that they can be reused. Currently this is done in
> > GrContext::performDeferredCleanup() and GrDrawingManager::flush().
> >
> > The old API is kept around for backwards compatibility but it is
> > reimplemented as a bridge on top of the new mechanism.
> >
> > Also a utility function to SkImageInfo is added to directly make a new
> > info with a specified dimensions rather than passing the width and
> > height separately to makeWH().
> >
> > Bug: chromium:973403
> > Bug: skia:8962
> >
> > Change-Id: Id5cf04235376170142a48e90d3ecd13fd021a2a6
> > Reviewed-on: https://skia-review.googlesource.com/c/skia/+/245457
> > Reviewed-by: Brian Osman <brianosman@google.com>
> > Commit-Queue: Brian Salomon <bsalomon@google.com>
>
> Bug: chromium:973403, skia:8962
> Change-Id: I5cecd36276c8b6dc942cf549c7095db2df88530c
> Reviewed-on: https://skia-review.googlesource.com/c/skia/+/245678
> Reviewed-by: Brian Salomon <bsalomon@google.com>
> Commit-Queue: Brian Salomon <bsalomon@google.com>
TBR=bsalomon@google.com,brianosman@google.com
Change-Id: I9e01d1b82fb399b94292441d91da51176bb161d9
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:973403, skia:8962
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/245956
Reviewed-by: Ravi Mistry <rmistry@google.com>
Commit-Queue: Ravi Mistry <rmistry@google.com>
This is a reland of ce240cc6fd
Original change's description:
> SkSurface asynchronous read APIs allow client to extend pixel lifetime
>
> Previously the pixel data passed to the client was only valid during
> the client's callback. This meant if the client wanted to defer
> processing of the data a copy was necessary.
>
> Now we pass an object to the callback and the pixel lifetime is tied
> to the lifetime of that object.
>
> The object may be holding a GPU transfer buffer mapped. We don't assume
> that the object will be released on the direct GrContext thread. So
> when the object is destroyed it posts a message to a new type,
> GrClientMappedBufferManager, hanging off the direct context. The direct
> context will periodically check for messages and unmap and then unref
> buffers so that they can be reused. Currently this is done in
> GrContext::performDeferredCleanup() and GrDrawingManager::flush().
>
> The old API is kept around for backwards compatibility but it is
> reimplemented as a bridge on top of the new mechanism.
>
> Also a utility function to SkImageInfo is added to directly make a new
> info with a specified dimensions rather than passing the width and
> height separately to makeWH().
>
> Bug: chromium:973403
> Bug: skia:8962
>
> Change-Id: Id5cf04235376170142a48e90d3ecd13fd021a2a6
> Reviewed-on: https://skia-review.googlesource.com/c/skia/+/245457
> Reviewed-by: Brian Osman <brianosman@google.com>
> Commit-Queue: Brian Salomon <bsalomon@google.com>
Bug: chromium:973403, skia:8962
Change-Id: I5cecd36276c8b6dc942cf549c7095db2df88530c
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/245678
Reviewed-by: Brian Salomon <bsalomon@google.com>
Commit-Queue: Brian Salomon <bsalomon@google.com>
This reverts commit ce240cc6fd.
Reason for revert: crashing in chrome unit test, abandoned context related?
Original change's description:
> SkSurface asynchronous read APIs allow client to extend pixel lifetime
>
> Previously the pixel data passed to the client was only valid during
> the client's callback. This meant if the client wanted to defer
> processing of the data a copy was necessary.
>
> Now we pass an object to the callback and the pixel lifetime is tied
> to the lifetime of that object.
>
> The object may be holding a GPU transfer buffer mapped. We don't assume
> that the object will be released on the direct GrContext thread. So
> when the object is destroyed it posts a message to a new type,
> GrClientMappedBufferManager, hanging off the direct context. The direct
> context will periodically check for messages and unmap and then unref
> buffers so that they can be reused. Currently this is done in
> GrContext::performDeferredCleanup() and GrDrawingManager::flush().
>
> The old API is kept around for backwards compatibility but it is
> reimplemented as a bridge on top of the new mechanism.
>
> Also a utility function to SkImageInfo is added to directly make a new
> info with a specified dimensions rather than passing the width and
> height separately to makeWH().
>
> Bug: chromium:973403
> Bug: skia:8962
>
> Change-Id: Id5cf04235376170142a48e90d3ecd13fd021a2a6
> Reviewed-on: https://skia-review.googlesource.com/c/skia/+/245457
> Reviewed-by: Brian Osman <brianosman@google.com>
> Commit-Queue: Brian Salomon <bsalomon@google.com>
TBR=bsalomon@google.com,brianosman@google.com
Change-Id: Ic14cf07a7629b167c9f34a651aa87a0326e74207
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:973403, skia:8962
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/245721
Reviewed-by: Brian Salomon <bsalomon@google.com>
Commit-Queue: Brian Salomon <bsalomon@google.com>
Previously the pixel data passed to the client was only valid during
the client's callback. This meant if the client wanted to defer
processing of the data a copy was necessary.
Now we pass an object to the callback and the pixel lifetime is tied
to the lifetime of that object.
The object may be holding a GPU transfer buffer mapped. We don't assume
that the object will be released on the direct GrContext thread. So
when the object is destroyed it posts a message to a new type,
GrClientMappedBufferManager, hanging off the direct context. The direct
context will periodically check for messages and unmap and then unref
buffers so that they can be reused. Currently this is done in
GrContext::performDeferredCleanup() and GrDrawingManager::flush().
The old API is kept around for backwards compatibility but it is
reimplemented as a bridge on top of the new mechanism.
Also a utility function to SkImageInfo is added to directly make a new
info with a specified dimensions rather than passing the width and
height separately to makeWH().
Bug: chromium:973403
Bug: skia:8962
Change-Id: Id5cf04235376170142a48e90d3ecd13fd021a2a6
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/245457
Reviewed-by: Brian Osman <brianosman@google.com>
Commit-Queue: Brian Salomon <bsalomon@google.com>
This will make fuzzing more hermetic and less machine-dependent.
Docs-Preview: https://skia.org/?cl=217864
Change-Id: If29d7b86e5290e9f749cb2fdde6f2ff892ffc333
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/217864
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
Current strategy: everything from the top
Things to look at first are the manual changes:
- added tools/rewrite_includes.py
- removed -Idirectives from BUILD.gn
- various compile.sh simplifications
- tweak tools/embed_resources.py
- update gn/find_headers.py to write paths from the top
- update gn/gn_to_bp.py SkUserConfig.h layout
so that #include "include/config/SkUserConfig.h" always
gets the header we want.
No-Presubmit: true
Change-Id: I73a4b181654e0e38d229bc456c0d0854bae3363e
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/209706
Commit-Queue: Mike Klein <mtklein@google.com>
Reviewed-by: Hal Canary <halcanary@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
Reviewed-by: Florin Malita <fmalita@chromium.org>
Like any normal variable, flags can be made file-scoped static,
and like any normal variable, mostly they should be if they can.
This CL converts most flags to be static, if only so that the
ones that do cross files stand out more clearly, and so that
there's more examples of static flags through the codebase for
people to ape.
Change-Id: Ibb5ddd7aa09fce073d0996ac3ef0487b078b7d79
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/202800
Commit-Queue: Mike Klein <mtklein@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Auto-Submit: Mike Klein <mtklein@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
sk_tool_utils doesn't really fit the naming convention
the rest of code under tools/ tends to use.
Change-Id: I45326a174101c6eb4b6149e9c742f658f2fd23b1
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/202313
Auto-Submit: Mike Klein <mtklein@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
The command line flag package is tool-only, not part of Skia per se,
and does not need an Sk prefix to avoid naming conflicts.
And git clang-format.
Change-Id: Ida8477779e51750ed0475590ed2454841b23d6ea
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/202307
Auto-Submit: Mike Klein <mtklein@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
Otherwise, the string constructor can walk off the end
looking for a null terminator that never arrives.
Fix some logging copypasta
Bug: skia:
Change-Id: I0cb1b0b75673f64a5ac647307dbc04253f707686
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/199937
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Make FuzzEnum always use uint32_t to make it consistent
(we were seeing some Windows setups have underlying type return
int and not unsigned int that we saw on Linux)
Bug: 897455
Change-Id: Ia8c97e59bb498d959a9a30abcb61731f4bd145cf
Reviewed-on: https://skia-review.googlesource.com/c/164240
Reviewed-by: Cary Clark <caryclark@google.com>
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Nothing's using it except test tools.
I'd like to make that a bit clearer by getting it out of src.
Disabled the fuzzer.
Removed the bench so Android's building nanobench doesn't block this.
Bug: chromium:886713
Change-Id: I761f52c40171c27ff4b699409b32647e84684ec3
Reviewed-on: https://skia-review.googlesource.com/156240
Commit-Queue: Mike Klein <mtklein@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Some oss-fuzz bugs (like the linked one) would not reproduce
in Skia proper due to the fact that there were subtle overloads
of the various Fuzz::next() methods in FuzzCanvas.cpp that
were pulled in in Skia proper, but not oss-fuzz.
This puts all of them in to FuzzCommon.h and makes the
matrix and rrect ones opt-in (fuzz_matrix, fuzz_rrect).
Additionally, this renames fuzz.cpp -> FuzzMain.cpp so we
can properly include Fuzz.cpp in oss-fuzz without
having two mains.
Bug: oss-fuzz:10378
Change-Id: I6cf9afb471781b9fadb689482109a1e5662358b5
Reviewed-on: https://skia-review.googlesource.com/154900
Commit-Queue: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Robert Phillips <robertphillips@google.com>