a5783f3858
The major improvement is that now the fuzzer is able to execute the sksl code (before it just compiled it). The fuzzer will reserve 256 bytes for providing uniforms to the shader; meanwhile, the fuzzer will read the remaining bytes as sksl code to create SkRuntimeEffect. It then creates a shader and executes it by painting the shader on a canvas. The code was tested locally with afl-fuzz, and the execution speed was around 700/sec. An alternative implementation would have been using Fuzz.h to read bytes; I decided to go with sk_sp<SkData> since it has a comparable format to other binary fuzzer and meets all the functionality in this fuzzer. For future changes, there are 2 important improvements to the implementation: 1) Current shader does not have children shaders; thus, makeShader() will fail if the SkSL ever tries to use an 'in shader'. As pointed out in patchset 11, after creating the runtime effect, effect->children().count() will tell you how many children it's expecting (how many 'in shader' variables were declared). When you call makeShader(), the second and third arguments are a (C-style) array of shader pointers, and a count (which must match children().count()). Some helpful examples can be SkRTShader::CreateProc in SkRuntimeEffect.cpp, make_fuzz_shader in FuzzCanvas.cpp. 2) In this fuzzer, after creating the paint from a shader, the paint can be drawn on either GPU canvas or CPU, so a possible way is to use SkSurface::MakeRenderTarget to create GPU canvas and use a byte to determine which canvas it will be drawn on. Change-Id: Ib0385edd0f5ec2f23744aa517135a6955c53ba38 Reviewed-on: https://skia-review.googlesource.com/c/skia/+/300618 Commit-Queue: Zepeng Hu <zepenghu@google.com> Reviewed-by: Brian Osman <brianosman@google.com> Reviewed-by: Kevin Lubick <kjlubick@google.com> |
||
---|---|---|
.. | ||
FuzzAndroidCodec.cpp | ||
FuzzAnimatedImage.cpp | ||
FuzzAPIImageFilter.cpp | ||
FuzzAPISkDescriptor.cpp | ||
FuzzAPISVGCanvas.cpp | ||
FuzzDrawFunctions.cpp | ||
FuzzGradients.cpp | ||
FuzzImage.cpp | ||
FuzzImageFilterDeserialize.cpp | ||
FuzzIncrementalImage.cpp | ||
FuzzJPEGEncoder.cpp | ||
FuzzJSON.cpp | ||
FuzzMockGPUCanvas.cpp | ||
FuzzNullCanvas.cpp | ||
FuzzPathDeserialize.cpp | ||
FuzzPathMeasure.cpp | ||
FuzzPathop.cpp | ||
FuzzPNGEncoder.cpp | ||
FuzzPolyUtils.cpp | ||
FuzzRasterN32Canvas.cpp | ||
FuzzRegionDeserialize.cpp | ||
FuzzRegionSetPath.cpp | ||
FuzzSkDescriptorDeserialize.cpp | ||
FuzzSkRuntimeEffect.cpp | ||
FuzzSKSL2GLSL.cpp | ||
FuzzSKSL2Metal.cpp | ||
FuzzSKSL2Pipeline.cpp | ||
FuzzSKSL2SPIRV.cpp | ||
FuzzSVG.cpp | ||
FuzzTextBlobDeserialize.cpp | ||
FuzzWEBPEncoder.cpp |