890f3b37f6
Change-Id: Iea5cfb32f27d09e5231a0952aef52a8502abbfcd Reviewed-on: https://skia-review.googlesource.com/c/skia/+/441056 Reviewed-by: John Stiles <johnstiles@google.com> |
||
---|---|---|
.. | ||
oss_fuzz | ||
coverage | ||
Fuzz.cpp | ||
Fuzz.h | ||
FuzzCanvas.cpp | ||
FuzzCommon.cpp | ||
FuzzCommon.h | ||
FuzzCreateDDL.cpp | ||
FuzzDDLThreading.cpp | ||
FuzzDrawFunctions.cpp | ||
FuzzEncoders.cpp | ||
FuzzGradients.cpp | ||
FuzzMain.cpp | ||
FuzzParsePath.cpp | ||
FuzzPath.cpp | ||
FuzzPathMeasure.cpp | ||
FuzzPathop.cpp | ||
FuzzPolyUtils.cpp | ||
FuzzRegionOp.cpp | ||
FuzzRRect.cpp | ||
FuzzSkParagraph.cpp | ||
FuzzTriangulation.cpp | ||
README.md |
#Fuzzing
In this folder, we keep our fuzzers (bits of code that takes a randomized input and executes code
randomly, focusing on specific APIs). For example, we have a codec fuzzer which takes a mutated
png/jpeg or similar file and attempts to turn it into an SkImage
. We also have a canvas fuzzer
which takes in a random set of bytes and turns them into calls on SkCanvas
.
Executables
These fuzzers are packaged in two different ways (see //BUILD.gn). There is a fuzz
executable
that contains all fuzzers and is a convenient way to reproduce fuzzer-reported bugs. There are also
single fuzzer executables containing exactly one fuzzer, which are convenient to build with
libfuzzer.
See [../site/dev/testing/fuzz.md] for more information on building and running fuzzers using the
fuzz
executable.
Continuous Running
We fuzz Skia using OSS-Fuzz, which in turn uses fuzzing engines such as libfuzzer, afl-fuzz, hong-fuzz, and others to fuzz Skia. OSS-fuzz will automatically file and close bugs when it finds issues.
There is a Skia folder in the OSS-Fuzz repo that we make changes to when we want to add/remove/change the fuzzers that are automatically run.
When enabling a fuzzer in oss-fuzz, we typically need to follow these steps:
- *Add a seed corpus to
gs://skia-fuzzer/oss-fuzz/
(in the skia-public project). Make sure the corpus file is public-readable. It is easiest to add this permission via the web UI. This is done by granting the allUsers "name" the Reader role to the zip file. See the infra team if you do not have access to this bucket. - *Update the Dockerfile to download the seed corpus to the build image.
- Update build.sh
to build the desired fuzzer target and move it into $OUT. If there is a seed corpus, move
it into $OUT and make sure it is the same name as the fuzzer executable with
_seed_corpus.zip
as a suffix.
*For fuzzers who depend strongly on the format of the randomized data, e.g. image decoding, SkSL parsing. These are called binary fuzzers, as opposed to API fuzzers.
Example PRs for adding fuzzers: binary, API
There is also an OSS-fuzz folder set up for the skcms repo. The build process is similar, except instead of compiling using GN targets, the build.sh script compiles the fuzz executables directly.