diff options
Diffstat (limited to 'test/core')
10 files changed, 40 insertions, 34 deletions
diff --git a/test/core/end2end/fuzzers/api_fuzzer.c b/test/core/end2end/fuzzers/api_fuzzer.c index c1c5966801..5ccaa784a4 100644 --- a/test/core/end2end/fuzzers/api_fuzzer.c +++ b/test/core/end2end/fuzzers/api_fuzzer.c @@ -143,19 +143,6 @@ static grpc_byte_buffer *read_message(input_stream *inp) { return out; } -static void read_metadata(input_stream *inp, size_t *count, - grpc_metadata **metadata) { - *count = next_byte(inp); - *metadata = gpr_malloc(*count * sizeof(**metadata)); - memset(*metadata, 0, *count * sizeof(**metadata)); - for (size_t i = 0; i < *count; i++) { - (*metadata)[i].key = read_string(inp); - read_buffer(inp, (char **)&(*metadata)[i].value, - &(*metadata)[i].value_length); - (*metadata)[i].flags = read_uint32(inp); - } -} - static int read_int(input_stream *inp) { return (int)read_uint32(inp); } static grpc_channel_args *read_args(input_stream *inp) { @@ -366,6 +353,11 @@ typedef struct call_state { int pending_ops; grpc_call_details call_details; + // array of pointers to free later + size_t num_to_free; + size_t cap_to_free; + void **to_free; + struct call_state *next; struct call_state *prev; } call_state; @@ -403,11 +395,42 @@ static call_state *maybe_delete_call_state(call_state *call) { grpc_metadata_array_destroy(&call->recv_trailing_metadata); gpr_free(call->recv_status_details); grpc_call_details_destroy(&call->call_details); + + for (size_t i = 0; i < call->num_to_free; i++) { + gpr_free(call->to_free[i]); + } + gpr_free(call->to_free); + gpr_free(call); return next; } +static void add_to_free(call_state *call, void *p) { + if (call->num_to_free == call->cap_to_free) { + call->cap_to_free = GPR_MAX(8, 2 * call->cap_to_free); + call->to_free = + gpr_realloc(call->to_free, sizeof(*call->to_free) * call->cap_to_free); + } + call->to_free[call->num_to_free++] = p; +} + +static void read_metadata(input_stream *inp, size_t *count, + grpc_metadata **metadata, call_state *cs) { + *count = next_byte(inp); + *metadata = gpr_malloc(*count * sizeof(**metadata)); + memset(*metadata, 0, *count * sizeof(**metadata)); + for (size_t i = 0; i < *count; i++) { + (*metadata)[i].key = read_string(inp); + read_buffer(inp, (char **)&(*metadata)[i].value, + &(*metadata)[i].value_length); + (*metadata)[i].flags = read_uint32(inp); + add_to_free(cs, (void *)(*metadata)[i].key); + add_to_free(cs, (void *)(*metadata)[i].value); + } + add_to_free(cs, *metadata); +} + static call_state *destroy_call(call_state *call) { grpc_call_destroy(call->call); call->call = NULL; @@ -688,7 +711,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case GRPC_OP_SEND_INITIAL_METADATA: op->op = GRPC_OP_SEND_INITIAL_METADATA; read_metadata(&inp, &op->data.send_initial_metadata.count, - &op->data.send_initial_metadata.metadata); + &op->data.send_initial_metadata.metadata, + g_active_call); break; case GRPC_OP_SEND_MESSAGE: op->op = GRPC_OP_SEND_MESSAGE; @@ -702,7 +726,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { read_metadata( &inp, &op->data.send_status_from_server.trailing_metadata_count, - &op->data.send_status_from_server.trailing_metadata); + &op->data.send_status_from_server.trailing_metadata, + g_active_call); op->data.send_status_from_server.status = next_byte(&inp); op->data.send_status_from_server.status_details = read_string(&inp); @@ -751,30 +776,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { op = &ops[i]; switch (op->op) { case GRPC_OP_SEND_INITIAL_METADATA: - for (size_t j = 0; j < op->data.send_initial_metadata.count; - j++) { - gpr_free( - (void *)op->data.send_initial_metadata.metadata[j].key); - gpr_free( - (void *)op->data.send_initial_metadata.metadata[j].value); - } - gpr_free(op->data.send_initial_metadata.metadata); break; case GRPC_OP_SEND_MESSAGE: grpc_byte_buffer_destroy(op->data.send_message); break; case GRPC_OP_SEND_STATUS_FROM_SERVER: - for (size_t j = 0; - j < op->data.send_status_from_server.trailing_metadata_count; - j++) { - gpr_free((void *)op->data.send_status_from_server - .trailing_metadata[j] - .key); - gpr_free((void *)op->data.send_status_from_server - .trailing_metadata[j] - .value); - } - gpr_free(op->data.send_status_from_server.trailing_metadata); gpr_free((void *)op->data.send_status_from_server.status_details); break; case GRPC_OP_SEND_CLOSE_FROM_CLIENT: diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/07aa7d6c71878eb78b25ca12d79082f70ae7f64c b/test/core/end2end/fuzzers/api_fuzzer_corpus/07aa7d6c71878eb78b25ca12d79082f70ae7f64c Binary files differnew file mode 100644 index 0000000000..e87065df42 --- /dev/null +++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/07aa7d6c71878eb78b25ca12d79082f70ae7f64c diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/3465fb573ac3c59a0804aadeba2f205870abcc3d b/test/core/end2end/fuzzers/api_fuzzer_corpus/3465fb573ac3c59a0804aadeba2f205870abcc3d Binary files differnew file mode 100644 index 0000000000..58f59a4814 --- /dev/null +++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/3465fb573ac3c59a0804aadeba2f205870abcc3d diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/595603f4ed37e3716cbe53b3ef180e5cdf8005f0 b/test/core/end2end/fuzzers/api_fuzzer_corpus/595603f4ed37e3716cbe53b3ef180e5cdf8005f0 Binary files differnew file mode 100644 index 0000000000..ceee8e5b32 --- /dev/null +++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/595603f4ed37e3716cbe53b3ef180e5cdf8005f0 diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/6186bfc21ff7df3982e5d9757e5c7160da0f493a b/test/core/end2end/fuzzers/api_fuzzer_corpus/6186bfc21ff7df3982e5d9757e5c7160da0f493a Binary files differnew file mode 100644 index 0000000000..45ec1dc83a --- /dev/null +++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/6186bfc21ff7df3982e5d9757e5c7160da0f493a diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/8a912877743b165b233303efaf502f5092b3c5b0 b/test/core/end2end/fuzzers/api_fuzzer_corpus/8a912877743b165b233303efaf502f5092b3c5b0 Binary files differnew file mode 100644 index 0000000000..1e978a110b --- /dev/null +++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/8a912877743b165b233303efaf502f5092b3c5b0 diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/a8f87a7038125bd0e3b753c2a42ebdc3e4c75cba b/test/core/end2end/fuzzers/api_fuzzer_corpus/a8f87a7038125bd0e3b753c2a42ebdc3e4c75cba Binary files differnew file mode 100644 index 0000000000..219182e029 --- /dev/null +++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/a8f87a7038125bd0e3b753c2a42ebdc3e4c75cba diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/bc6770a9bad24599ea4970735e9b17702a12b651 b/test/core/end2end/fuzzers/api_fuzzer_corpus/bc6770a9bad24599ea4970735e9b17702a12b651 Binary files differnew file mode 100644 index 0000000000..57a17c105d --- /dev/null +++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/bc6770a9bad24599ea4970735e9b17702a12b651 diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/crash-7ca23a3e10cdbf579cf81a50e51af358f86631eb b/test/core/end2end/fuzzers/api_fuzzer_corpus/crash-7ca23a3e10cdbf579cf81a50e51af358f86631eb Binary files differnew file mode 100644 index 0000000000..9618323b35 --- /dev/null +++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/crash-7ca23a3e10cdbf579cf81a50e51af358f86631eb diff --git a/test/core/end2end/fuzzers/api_fuzzer_corpus/d712d007679af5438c7bda723ddc724c2e57b0c1 b/test/core/end2end/fuzzers/api_fuzzer_corpus/d712d007679af5438c7bda723ddc724c2e57b0c1 Binary files differnew file mode 100644 index 0000000000..81295b8c9f --- /dev/null +++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/d712d007679af5438c7bda723ddc724c2e57b0c1 |