skia2/fuzz
Michael Ludwig db285de247 Adjust fuzzing behavior for triangulator/dashing
Bug 36932:
Adds a lower limit when fuzzing dash path effects, since it can produce
paths with > 140k verbs. While this is not that much memory on its own,
the triangulating path renderer can require 3+GB to complete its work
(although it doesn't actually fail).

Bug 36945, 37042:
Also has PathToTriangles check for finite paths before starting any
triangulation work. These paths were created with infinities and NaNs.
Normally such a path would be rejected at a higher level in SkCanvas.
Since the triangulator is being fuzzed directly, this emulates this.
It's included in GrTriangulator and not the fuzzer's main function
because it's a cheap test and theoretically we could encounter a path
that was built lower down (e.g. dashing or transformed to device space)
that then overflowed.

Bug: oss-fuzz:36923, oss-fuzz:36945, oss-fuzz:37042
Change-Id: If97212bf410f771b42cebaedb5733af1abbfc4b2
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/449520
Reviewed-by: Greg Daniel <egdaniel@google.com>
Reviewed-by: Jim Van Verth <jvanverth@google.com>
Commit-Queue: Michael Ludwig <michaelludwig@google.com>
2021-09-16 16:32:11 +00:00
..
oss_fuzz Convert internal SkSL to use .eval() 2021-09-03 15:54:54 +00:00
coverage remove SkColorSpace::MakeICC() fuzzer 2018-05-23 16:31:11 +00:00
Fuzz.cpp Hide SkImageFilter::CropRect 2021-01-30 16:10:29 +00:00
Fuzz.h Stop using filterquality 2021-07-18 15:48:36 +00:00
FuzzCanvas.cpp Fix additional cases of variable shadowing. 2021-08-16 17:47:14 +00:00
FuzzCommon.cpp [fuzz] Expose Region Op fuzzing to oss-fuzz. 2021-03-29 16:05:05 +00:00
FuzzCommon.h rewrite includes to not need so much -Ifoo 2019-04-24 16:27:11 +00:00
FuzzCreateDDL.cpp Handle null GrDirectContext in DDL Fuzzer 2020-07-31 18:12:53 +00:00
FuzzDDLThreading.cpp Bail if context creation fails in FuzzDDLThreadingGL 2021-03-04 03:50:26 +00:00
FuzzDrawFunctions.cpp Use SkClipOp::kFoo instead of kFoo_SkClipOp from SkClipOpPriv 2021-08-03 18:08:21 +00:00
FuzzEncoders.cpp Reland "Add format-specifier warnings to SkDebugf." 2021-06-25 17:57:43 +00:00
FuzzGradients.cpp rewrite includes to not need so much -Ifoo 2019-04-24 16:27:11 +00:00
FuzzMain.cpp Reland "Fix compilation w/ "skia_enable_svg = false" (take 2)" 2021-09-01 17:54:08 +00:00
FuzzParsePath.cpp Fix additional cases of variable shadowing. 2021-08-16 17:47:14 +00:00
FuzzPath.cpp add SKPath::readFromMemory() fuzzer 2020-08-12 17:40:16 +00:00
FuzzPathMeasure.cpp [fuzz] Standardize, document, and backport fuzzing defines. 2020-09-14 13:36:10 +00:00
FuzzPathop.cpp Revert "Revert "switch to new filltype for SkPath"" 2019-11-26 17:43:14 +00:00
FuzzPolyUtils.cpp Move SkImageFilter functionality into private SkImageFilter_Base 2019-08-02 18:56:39 +00:00
FuzzRegionOp.cpp [fuzz] Expose Region Op fuzzing to oss-fuzz. 2021-03-29 16:05:05 +00:00
FuzzRRect.cpp add SkRRect::readFromMemory() fuzzer 2020-08-11 20:26:28 +00:00
FuzzSkParagraph.cpp Fix compilation with "skia_enable_skparagraph = false" 2021-08-31 18:50:20 +00:00
FuzzTriangulation.cpp Adjust fuzzing behavior for triangulator/dashing 2021-09-16 16:32:11 +00:00
README.md [fuzz] Update docs with better OSS-Fuzz link 2021-08-31 14:04:02 +00:00

#Fuzzing In this folder, we keep our fuzzers (bits of code that takes a randomized input and executes code randomly, focusing on specific APIs). For example, we have a codec fuzzer which takes a mutated png/jpeg or similar file and attempts to turn it into an SkImage. We also have a canvas fuzzer which takes in a random set of bytes and turns them into calls on SkCanvas.

Executables

These fuzzers are packaged in two different ways (see //BUILD.gn). There is a fuzz executable that contains all fuzzers and is a convenient way to reproduce fuzzer-reported bugs. There are also single fuzzer executables containing exactly one fuzzer, which are convenient to build with libfuzzer.

See [../site/dev/testing/fuzz.md] for more information on building and running fuzzers using the fuzz executable.

Continuous Running

We fuzz Skia using OSS-Fuzz, which in turn uses fuzzing engines such as libfuzzer, afl-fuzz, hong-fuzz, and others to fuzz Skia. OSS-fuzz will automatically file and close bugs when it finds issues.

There is a Skia folder in the OSS-Fuzz repo that we make changes to when we want to add/remove/change the fuzzers that are automatically run. This describes how to test the OSS-Fuzz build and fuzzers locally using Docker.

When enabling a fuzzer in OSS-Fuzz, we typically need to follow these steps:

  1. *Add a seed corpus to gs://skia-fuzzer/oss-fuzz/ (in the skia-public project). Make sure the corpus file is public-readable. It is easiest to add this permission via the web UI. This is done by granting the allUsers "name" the Reader role to the zip file. See the infra team if you do not have access to this bucket.
  2. *Update the Dockerfile to download the seed corpus to the build image.
  3. Update build.sh to build the desired fuzzer target and move it into $OUT. If there is a seed corpus, move it into $OUT and make sure it is the same name as the fuzzer executable with _seed_corpus.zip as a suffix.

*For fuzzers who depend strongly on the format of the randomized data, e.g. image decoding, SkSL parsing. These are called binary fuzzers, as opposed to API fuzzers.

Example PRs for adding fuzzers: binary, API

There is also an OSS-fuzz folder set up for the skcms repo. The build process is similar, except instead of compiling using GN targets, the build.sh script compiles the fuzz executables directly.

OSS-Fuzz dashboard

https://oss-fuzz.com/fuzzer-stats is useful to see metrics on how our fuzzers are running. It shows things like executions per second (higher is better), edge coverage percent per fuzzer, what percent of fuzzing runs end in OOM/timeout/crash, the entire corpus of fuzzed inputs (corpus_backup), etc. Contact aarya@ to get permission to view this dashboard if necessary. Here are some example dashboards:

That dashboard also has a Coverage Report. Even though it appears the Coverage report is per fuzzer, the reports always show the aggregated coverage from all fuzzers. Example coverage report from 2021 Aug 22

See Also