24ac42b373
run `fuzz --type pdf_canvas` or `fuzz --type null_canvas` or `fuzz --type n32_canvas` Change-Id: Id70179d5578ed1e67006aef7823bf75fc1d7a4a6 Reviewed-on: https://skia-review.googlesource.com/8418 Reviewed-by: Kevin Lubick <kjlubick@google.com> Commit-Queue: Hal Canary <halcanary@google.com>
135 lines
3.6 KiB
C++
135 lines
3.6 KiB
C++
/*
|
|
* Copyright 2016 Google Inc.
|
|
*
|
|
* Use of this source code is governed by a BSD-style license that can be
|
|
* found in the LICENSE file.
|
|
*/
|
|
|
|
#ifndef Fuzz_DEFINED
|
|
#define Fuzz_DEFINED
|
|
|
|
#include "SkData.h"
|
|
#include "../tools/Registry.h"
|
|
#include "SkTypes.h"
|
|
|
|
#include <cmath>
|
|
|
|
class Fuzz : SkNoncopyable {
|
|
public:
|
|
explicit Fuzz(sk_sp<SkData>);
|
|
|
|
// Returns the total number of "random" bytes available.
|
|
size_t size();
|
|
// Returns if there are no bytes remaining for fuzzing.
|
|
bool exhausted();
|
|
|
|
// next() loads fuzzed bytes into the variable passed in by pointer.
|
|
// We use this approach instead of T next() because different compilers
|
|
// evaluate function parameters in different orders. If fuzz->next()
|
|
// returned 5 and then 7, foo(fuzz->next(), fuzz->next()) would be
|
|
// foo(5, 7) when compiled on GCC and foo(7, 5) when compiled on Clang.
|
|
// By requiring params to be passed in, we avoid the temptation to call
|
|
// next() in a way that does not consume fuzzed bytes in a single
|
|
// uplatform-independent order.
|
|
template <typename T>
|
|
void next(T* t);
|
|
|
|
// This is a convenient way to initialize more than one argument at a time.
|
|
template <typename Arg, typename... Args>
|
|
void next(Arg* first, Args... rest);
|
|
|
|
// nextRange returns values only in [min, max].
|
|
template <typename T, typename Min, typename Max>
|
|
void nextRange(T*, Min, Max);
|
|
|
|
// nextN loads n * sizeof(T) bytes into ptr
|
|
template <typename T>
|
|
void nextN(T* ptr, int n);
|
|
|
|
void signalBug(); // Tell afl-fuzz these inputs found a bug.
|
|
|
|
private:
|
|
template <typename T>
|
|
T nextT();
|
|
|
|
sk_sp<SkData> fBytes;
|
|
size_t fNextByte;
|
|
};
|
|
|
|
// UBSAN reminds us that bool can only legally hold 0 or 1.
|
|
template <>
|
|
inline void Fuzz::next(bool* b) {
|
|
uint8_t n;
|
|
this->next(&n);
|
|
*b = (n & 1) == 1;
|
|
}
|
|
|
|
template <typename T>
|
|
inline void Fuzz::next(T* n) {
|
|
if ((fNextByte + sizeof(T)) > fBytes->size()) {
|
|
sk_bzero(n, sizeof(T));
|
|
memcpy(n, fBytes->bytes() + fNextByte, fBytes->size() - fNextByte);
|
|
fNextByte = fBytes->size();
|
|
return;
|
|
}
|
|
memcpy(n, fBytes->bytes() + fNextByte, sizeof(T));
|
|
fNextByte += sizeof(T);
|
|
}
|
|
|
|
template <typename Arg, typename... Args>
|
|
inline void Fuzz::next(Arg* first, Args... rest) {
|
|
this->next(first);
|
|
this->next(rest...);
|
|
}
|
|
|
|
template <>
|
|
inline void Fuzz::nextRange(float* f, float min, float max) {
|
|
this->next(f);
|
|
if (!std::isnormal(*f) && *f != 0.0f) {
|
|
// Don't deal with infinity or other strange floats.
|
|
*f = max;
|
|
}
|
|
*f = min + std::fmod(std::abs(*f), (max - min + 1));
|
|
}
|
|
|
|
template <typename T, typename Min, typename Max>
|
|
inline void Fuzz::nextRange(T* n, Min min, Max max) {
|
|
this->next<T>(n);
|
|
if (min == max) {
|
|
*n = min;
|
|
return;
|
|
}
|
|
if (min > max) {
|
|
// Avoid misuse of nextRange
|
|
this->signalBug();
|
|
}
|
|
if (*n < 0) { // Handle negatives
|
|
if (*n != std::numeric_limits<T>::lowest()) {
|
|
*n *= -1;
|
|
}
|
|
else {
|
|
*n = std::numeric_limits<T>::max();
|
|
}
|
|
}
|
|
*n = min + (*n % ((size_t)max - min + 1));
|
|
}
|
|
|
|
template <typename T>
|
|
inline void Fuzz::nextN(T* ptr, int n) {
|
|
for (int i = 0; i < n; i++) {
|
|
this->next(ptr+i);
|
|
}
|
|
}
|
|
|
|
struct Fuzzable {
|
|
const char* name;
|
|
void (*fn)(Fuzz*);
|
|
};
|
|
|
|
#define DEF_FUZZ(name, f) \
|
|
static void fuzz_##name(Fuzz*); \
|
|
sk_tools::Registry<Fuzzable> register_##name({#name, fuzz_##name}); \
|
|
static void fuzz_##name(Fuzz* f)
|
|
|
|
#endif//Fuzz_DEFINED
|