diff options
Diffstat (limited to 'test/core/end2end/fuzzers')
| -rw-r--r-- | test/core/end2end/fuzzers/api_fuzzer.c | 129 | ||||
| -rw-r--r-- | test/core/end2end/fuzzers/client_fuzzer.c | 18 | ||||
| -rw-r--r-- | test/core/end2end/fuzzers/hpack.dictionary | 5 | ||||
| -rw-r--r-- | test/core/end2end/fuzzers/server_fuzzer.c | 5 |
4 files changed, 115 insertions, 42 deletions
diff --git a/test/core/end2end/fuzzers/api_fuzzer.c b/test/core/end2end/fuzzers/api_fuzzer.c index 19ac6ced14..c9d5c24798 100644 --- a/test/core/end2end/fuzzers/api_fuzzer.c +++ b/test/core/end2end/fuzzers/api_fuzzer.c @@ -44,6 +44,7 @@ #include "src/core/lib/iomgr/resolve_address.h" #include "src/core/lib/iomgr/tcp_client.h" #include "src/core/lib/iomgr/timer.h" +#include "src/core/lib/slice/slice_internal.h" #include "src/core/lib/surface/server.h" #include "src/core/lib/transport/metadata.h" #include "test/core/end2end/data/ssl_test_data.h" @@ -90,7 +91,7 @@ static uint8_t next_byte(input_stream *inp) { static void end(input_stream *inp) { inp->cur = inp->end; } -static char *read_string(input_stream *inp) { +static char *read_string(input_stream *inp, bool *special) { char *str = NULL; size_t cap = 0; size_t sz = 0; @@ -102,18 +103,56 @@ static char *read_string(input_stream *inp) { } c = (char)next_byte(inp); str[sz++] = c; - } while (c != 0); + } while (c != 0 && c != 1); + if (special != NULL) { + *special = (c == 1); + } + if (c == 1) { + str[sz-1] = 0; + } return str; } -static void read_buffer(input_stream *inp, char **buffer, size_t *length) { +static void read_buffer(input_stream *inp, char **buffer, size_t *length, + bool *special) { *length = next_byte(inp); + if (*length == 255) { + if (special != NULL) *special = true; + *length = next_byte(inp); + } else { + if (special != NULL) *special = false; + } *buffer = gpr_malloc(*length); for (size_t i = 0; i < *length; i++) { (*buffer)[i] = (char)next_byte(inp); } } +static grpc_slice maybe_intern(grpc_slice s, bool intern) { + grpc_slice r = intern ? grpc_slice_intern(s) : grpc_slice_ref(s); + grpc_slice_unref(s); + return r; +} + +static grpc_slice read_string_like_slice(input_stream *inp) { + bool special; + char *s = read_string(inp, &special); + grpc_slice r = maybe_intern(grpc_slice_from_copied_string(s), special); + gpr_free(s); + return r; +} + +static grpc_slice read_buffer_like_slice(input_stream *inp) { + char *buffer; + size_t length; + bool special; + read_buffer(inp, &buffer, &length, &special); + grpc_slice r = + maybe_intern(grpc_slice_from_copied_buffer(buffer, length), special); + gpr_free(buffer); + return r; +} + static uint32_t read_uint22(input_stream *inp) { uint8_t b = next_byte(inp); uint32_t x = b & 0x7f; @@ -170,12 +209,12 @@ static grpc_channel_args *read_args(input_stream *inp) { switch (next_byte(inp)) { case 1: args[i].type = GRPC_ARG_STRING; - args[i].key = read_string(inp); - args[i].value.string = read_string(inp); + args[i].key = read_string(inp, NULL); + args[i].value.string = read_string(inp, NULL); break; case 2: args[i].type = GRPC_ARG_INTEGER; - args[i].key = read_string(inp); + args[i].key = read_string(inp, NULL); args[i].value.integer = read_int(inp); break; case 3: @@ -217,7 +256,7 @@ static const char *read_cred_artifact(cred_artifact_ctx *ctx, input_stream *inp, size_t num_builtins) { uint8_t b = next_byte(inp); if (b == 0) return NULL; - if (b == 1) return ctx->release[ctx->num_release++] = read_string(inp); + if (b == 1) return ctx->release[ctx->num_release++] = read_string(inp, NULL); if (b >= num_builtins + 1) { end(inp); return NULL; @@ -504,8 +543,7 @@ typedef struct call_state { grpc_status_code status; grpc_metadata_array recv_initial_metadata; grpc_metadata_array recv_trailing_metadata; - char *recv_status_details; - size_t recv_status_details_capacity; + grpc_slice recv_status_details; int cancelled; int pending_ops; grpc_call_details call_details; @@ -519,6 +557,11 @@ typedef struct call_state { size_t cap_to_free; void **to_free; + // array of slices to unref + size_t num_slices_to_unref; + size_t cap_slices_to_unref; + grpc_slice *slices_to_unref; + struct call_state *next; struct call_state *prev; } call_state; @@ -554,12 +597,15 @@ static call_state *maybe_delete_call_state(call_state *call) { call->next->prev = call->prev; grpc_metadata_array_destroy(&call->recv_initial_metadata); grpc_metadata_array_destroy(&call->recv_trailing_metadata); - gpr_free(call->recv_status_details); + grpc_slice_unref(call->recv_status_details); grpc_call_details_destroy(&call->call_details); for (size_t i = 0; i < call->num_to_free; i++) { gpr_free(call->to_free[i]); } + for (size_t i = 0; i < call->num_slices_to_unref; i++) { + grpc_slice_unref(call->slices_to_unref[i]); + } gpr_free(call->to_free); gpr_free(call); @@ -576,6 +622,17 @@ static void add_to_free(call_state *call, void *p) { call->to_free[call->num_to_free++] = p; } +static grpc_slice *add_to_slice_unref(call_state *call, grpc_slice s) { + if (call->num_slices_to_unref == call->cap_slices_to_unref) { + call->cap_slices_to_unref = GPR_MAX(8, 2 * call->cap_slices_to_unref); + call->slices_to_unref = + gpr_realloc(call->slices_to_unref, + sizeof(*call->slices_to_unref) * call->cap_slices_to_unref); + } + call->slices_to_unref[call->num_to_free++] = s; + return &call->slices_to_unref[call->num_to_free - 1]; +} + static void read_metadata(input_stream *inp, size_t *count, grpc_metadata **metadata, call_state *cs) { *count = next_byte(inp); @@ -583,12 +640,11 @@ static void read_metadata(input_stream *inp, size_t *count, *metadata = gpr_malloc(*count * sizeof(**metadata)); memset(*metadata, 0, *count * sizeof(**metadata)); for (size_t i = 0; i < *count; i++) { - (*metadata)[i].key = read_string(inp); - read_buffer(inp, (char **)&(*metadata)[i].value, - &(*metadata)[i].value_length); + (*metadata)[i].key = read_string_like_slice(inp); + (*metadata)[i].value = read_buffer_like_slice(inp); (*metadata)[i].flags = read_uint32(inp); - add_to_free(cs, (void *)(*metadata)[i].key); - add_to_free(cs, (void *)(*metadata)[i].value); + add_to_slice_unref(cs, (*metadata)[i].key); + add_to_slice_unref(cs, (*metadata)[i].value); } } else { *metadata = gpr_malloc(1); @@ -652,7 +708,7 @@ static validator *make_finished_batch_validator(call_state *cs, } int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - grpc_test_only_set_metadata_hash_seed(0); + grpc_test_only_set_slice_hash_seed(0); if (squelch) gpr_set_log_function(dont_log); input_stream inp = {data, data + size}; grpc_resolve_address = my_resolve_address; @@ -738,13 +794,17 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { // create an insecure channel case 2: { if (g_channel == NULL) { - char *target = read_string(&inp); + char *target = read_string(&inp, NULL); char *target_uri; gpr_asprintf(&target_uri, "dns:%s", target); grpc_channel_args *args = read_args(&inp); g_channel = grpc_insecure_channel_create(target_uri, args, NULL); GPR_ASSERT(g_channel != NULL); - grpc_channel_args_destroy(args); + { + grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT; + grpc_channel_args_destroy(&exec_ctx, args); + grpc_exec_ctx_finish(&exec_ctx); + } gpr_free(target_uri); gpr_free(target); } else { @@ -768,7 +828,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { grpc_channel_args *args = read_args(&inp); g_server = grpc_server_create(args, NULL); GPR_ASSERT(g_server != NULL); - grpc_channel_args_destroy(args); + { + grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT; + grpc_channel_args_destroy(&exec_ctx, args); + grpc_exec_ctx_finish(&exec_ctx); + } grpc_server_register_completion_queue(g_server, cq, NULL); grpc_server_start(g_server); server_shutdown = false; @@ -859,8 +923,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { parent_call = g_active_call->call; } uint32_t propagation_mask = read_uint32(&inp); - char *method = read_string(&inp); - char *host = read_string(&inp); + grpc_slice method = read_string_like_slice(&inp); + grpc_slice host = read_string_like_slice(&inp); gpr_timespec deadline = gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), gpr_time_from_micros(read_uint32(&inp), GPR_TIMESPAN)); @@ -869,12 +933,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { call_state *cs = new_call(g_active_call, CLIENT); cs->call = grpc_channel_create_call(g_channel, parent_call, propagation_mask, - cq, method, host, deadline, NULL); + cq, method, &host, deadline, NULL); } else { end(&inp); } - gpr_free(method); - gpr_free(host); + grpc_slice_unref(method); + grpc_slice_unref(host); break; } // switch the 'current' call @@ -939,7 +1003,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { g_active_call); op->data.send_status_from_server.status = next_byte(&inp); op->data.send_status_from_server.status_details = - read_string(&inp); + add_to_slice_unref(g_active_call, + read_buffer_like_slice(&inp)); break; case GRPC_OP_RECV_INITIAL_METADATA: op->op = GRPC_OP_RECV_INITIAL_METADATA; @@ -959,8 +1024,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { &g_active_call->recv_trailing_metadata; op->data.recv_status_on_client.status_details = &g_active_call->recv_status_details; - op->data.recv_status_on_client.status_details_capacity = - &g_active_call->recv_status_details_capacity; break; case GRPC_OP_RECV_CLOSE_ON_SERVER: op->op = GRPC_OP_RECV_CLOSE_ON_SERVER; @@ -1048,14 +1111,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { } // enable a tracer case 17: { - char *tracer = read_string(&inp); + char *tracer = read_string(&inp, NULL); grpc_tracer_set_enabled(tracer, 1); gpr_free(tracer); break; } // disable a tracer case 18: { - char *tracer = read_string(&inp); + char *tracer = read_string(&inp, NULL); grpc_tracer_set_enabled(tracer, 0); gpr_free(tracer); break; @@ -1097,14 +1160,18 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { // create a secure channel case 22: { if (g_channel == NULL) { - char *target = read_string(&inp); + char *target = read_string(&inp, NULL); char *target_uri; gpr_asprintf(&target_uri, "dns:%s", target); grpc_channel_args *args = read_args(&inp); grpc_channel_credentials *creds = read_channel_creds(&inp); g_channel = grpc_secure_channel_create(creds, target_uri, args, NULL); GPR_ASSERT(g_channel != NULL); - grpc_channel_args_destroy(args); + { + grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT; + grpc_channel_args_destroy(&exec_ctx, args); + grpc_exec_ctx_finish(&exec_ctx); + } gpr_free(target_uri); gpr_free(target); grpc_channel_credentials_release(creds); diff --git a/test/core/end2end/fuzzers/client_fuzzer.c b/test/core/end2end/fuzzers/client_fuzzer.c index c5260cd287..0972a4c8e7 100644 --- a/test/core/end2end/fuzzers/client_fuzzer.c +++ b/test/core/end2end/fuzzers/client_fuzzer.c @@ -37,6 +37,7 @@ #include <grpc/support/alloc.h> #include "src/core/ext/transport/chttp2/transport/chttp2_transport.h" +#include "src/core/lib/slice/slice_internal.h" #include "src/core/lib/surface/channel.h" #include "test/core/util/memory_counters.h" #include "test/core/util/mock_endpoint.h" @@ -51,7 +52,7 @@ static void *tag(int n) { return (void *)(uintptr_t)n; } static void dont_log(gpr_log_func_args *args) {} int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - grpc_test_only_set_metadata_hash_seed(0); + grpc_test_only_set_slice_hash_seed(0); struct grpc_memory_counters counters; if (squelch) gpr_set_log_function(dont_log); if (leak_check) grpc_memory_counters_init(); @@ -62,7 +63,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { grpc_resource_quota_create("client_fuzzer"); grpc_endpoint *mock_endpoint = grpc_mock_endpoint_create(discard_write, resource_quota); - grpc_resource_quota_internal_unref(&exec_ctx, resource_quota); + grpc_resource_quota_unref_internal(&exec_ctx, resource_quota); grpc_completion_queue *cq = grpc_completion_queue_create(NULL); grpc_transport *transport = @@ -71,9 +72,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { grpc_channel *channel = grpc_channel_create( &exec_ctx, "test-target", NULL, GRPC_CLIENT_DIRECT_CHANNEL, transport); - grpc_call *call = - grpc_channel_create_call(channel, NULL, 0, cq, "/foo", "localhost", - gpr_inf_future(GPR_CLOCK_REALTIME), NULL); + grpc_slice host = grpc_slice_from_static_string("localhost"); + grpc_call *call = grpc_channel_create_call( + channel, NULL, 0, cq, grpc_slice_from_static_string("/foo"), &host, + gpr_inf_future(GPR_CLOCK_REALTIME), NULL); grpc_metadata_array initial_metadata_recv; grpc_metadata_array_init(&initial_metadata_recv); @@ -81,8 +83,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { grpc_metadata_array trailing_metadata_recv; grpc_metadata_array_init(&trailing_metadata_recv); grpc_status_code status; - char *details = NULL; - size_t details_capacity = 0; + grpc_slice details; grpc_op ops[6]; memset(ops, 0, sizeof(ops)); @@ -110,7 +111,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { op->data.recv_status_on_client.trailing_metadata = &trailing_metadata_recv; op->data.recv_status_on_client.status = &status; op->data.recv_status_on_client.status_details = &details; - op->data.recv_status_on_client.status_details_capacity = &details_capacity; op->flags = 0; op->reserved = NULL; op++; @@ -155,7 +155,7 @@ done: grpc_completion_queue_destroy(cq); grpc_metadata_array_destroy(&initial_metadata_recv); grpc_metadata_array_destroy(&trailing_metadata_recv); - gpr_free(details); + grpc_slice_unref(details); grpc_channel_destroy(channel); if (response_payload_recv != NULL) { grpc_byte_buffer_destroy(response_payload_recv); diff --git a/test/core/end2end/fuzzers/hpack.dictionary b/test/core/end2end/fuzzers/hpack.dictionary index 12db0ff024..d5ee01bfbf 100644 --- a/test/core/end2end/fuzzers/hpack.dictionary +++ b/test/core/end2end/fuzzers/hpack.dictionary @@ -40,6 +40,10 @@ "\x03GET" "\x04grpc" "\x14grpc-accept-encoding" +"\x1Egrpc.max_request_message_bytes" +"\x1Fgrpc.max_response_message_bytes" +"\x0Cgrpc.timeout" +"\x13grpc.wait_for_ready" "\x0Dgrpc-encoding" "\x1Egrpc-internal-encoding-request" "\x0Cgrpc-message" @@ -82,6 +86,7 @@ "\x06server" "\x0Aset-cookie" "\x01/" +"$/grpc.lb.v1.LoadBalancer/BalanceLoad" "\x0B/index.html" "\x07:status" "\x19strict-transport-security" diff --git a/test/core/end2end/fuzzers/server_fuzzer.c b/test/core/end2end/fuzzers/server_fuzzer.c index 164022ec79..186542d4b2 100644 --- a/test/core/end2end/fuzzers/server_fuzzer.c +++ b/test/core/end2end/fuzzers/server_fuzzer.c @@ -34,6 +34,7 @@ #include <grpc/grpc.h> #include "src/core/ext/transport/chttp2/transport/chttp2_transport.h" +#include "src/core/lib/slice/slice_internal.h" #include "src/core/lib/surface/server.h" #include "test/core/util/memory_counters.h" #include "test/core/util/mock_endpoint.h" @@ -49,7 +50,7 @@ static int detag(void *p) { return (int)(uintptr_t)p; } static void dont_log(gpr_log_func_args *args) {} int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - grpc_test_only_set_metadata_hash_seed(0); + grpc_test_only_set_slice_hash_seed(0); struct grpc_memory_counters counters; if (squelch) gpr_set_log_function(dont_log); if (leak_check) grpc_memory_counters_init(); @@ -60,7 +61,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { grpc_resource_quota_create("server_fuzzer"); grpc_endpoint *mock_endpoint = grpc_mock_endpoint_create(discard_write, resource_quota); - grpc_resource_quota_internal_unref(&exec_ctx, resource_quota); + grpc_resource_quota_unref_internal(&exec_ctx, resource_quota); grpc_mock_endpoint_put_read( &exec_ctx, mock_endpoint, grpc_slice_from_copied_buffer((const char *)data, size)); |