683ae40560
The fuzzer constructs a long, valid nonsense expression (x+x+x-x+x-x, etc.) which exceeds parse depth. At that point, the token stream points to a `+` token. The parser attempts to consume a new statement but stops in `unaryExpression`; this fails again, due to the max parse-depth, but doesn't consume a token. The parser continues trying to parse the statement, but stopping in `unaryExpression`, making no forward progress in an infinite loop.

I've made a couple of changes as a result.
- Exceeding the max parse depth now sets `fEncounteredFatalError`.
- Encountering a fatal error causes block() to immediately halt. This actually undoes a few of the arbitrary changes from http://review.skia.org/506463 but not in a bad way.
- `unaryExpression()` now consumes a token before checking parse-depth.
- `structDeclaration()` had a similar issue where it could potentially fail without consuming any tokens; this is fixed as well.
- Some unnecessarily-nested logic in ternaryExpression() was flattened while I tried to ensure that it always consumes a token.

Change-Id: I52c2161965ffbcef1185761ca6897ec1cba5df89
Bug: oss-fuzz:44551
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/507436
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
10 lines
182 B
Plaintext
void main(inout float4 color) {
    color.r[ = ( color.g );
}

/*%%*
shader 'main' must be main() or main(float2)
unknown identifier 'color'
expected expression, but found '='
*%%*/
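The stall described in the commit message above, reduced to a toy recursive-descent parser with the buggy and the fixed behaviour side by side; this is an added example, not Skia's code. The grammar and the names `ToyParser`, `parse`, `kMaxDepth` and `kStallCap` are assumptions made for the demo, and the nesting here comes from blocks rather than from the fuzzer's long expression.

```cpp
#include <cstddef>
#include <string>
// Toy grammar (constructed for illustration, not SkSL): '{' ... '}' is a block,
// 'x' is an operand, '+' and '-' are unary prefixes. Blocks and prefixes nest.
struct ToyParser {
    static constexpr int kMaxDepth = 3;     // assumed limit for the demo
    static constexpr int kStallCap = 1000;  // demo guard standing in for "loops forever"
    std::string src;
    bool fixed;               // true: apply the mitigations from the commit message
    std::size_t pos = 0;
    int depth = 0, stalls = 0;
    bool fatal = false;       // plays the role of fEncounteredFatalError
    bool hung = false;        // set when the stall guard trips
    ToyParser(const std::string& s, bool f) : src(s), fixed(f) {}
    bool atEnd() const { return pos >= src.size(); }

    bool unary() {
        if (atEnd()) return false;
        char c = src[pos];
        if (fixed) ++pos;                        // fixed: consume before the depth check
        if (depth >= kMaxDepth) {
            fatal = fixed;                       // fixed: depth overflow is a fatal error
            return false;                        // buggy: fails with no token consumed
        }
        if (!fixed) ++pos;
        if (c == 'x') return true;
        if (c != '+' && c != '-') return false;  // unexpected token, already consumed
        ++depth;
        bool ok = unary();
        --depth;
        return ok;
    }

    void block() {
        while (!atEnd() && src[pos] != '}' && !hung) {
            if (fixed && fatal) return;          // fixed: halt immediately on fatal error
            std::size_t before = pos;
            if (src[pos] == '{') {
                ++pos; ++depth; block(); --depth;
                if (!atEnd() && src[pos] == '}') ++pos;
            } else {
                unary();
            }
            if (pos == before && ++stalls >= kStallCap) hung = true;  // no forward progress
        }
    }
};

ToyParser parse(const std::string& s, bool fixed) { ToyParser p(s, fixed); p.block(); return p; }
```

With the constructed input `{{{+x}}}`, `parse(input, false)` spins on the `+` until the stall guard trips, while `parse(input, true)` consumes the `+`, sets `fatal` and unwinds every enclosing block.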