From 24a22c7de8890642e43d6ae1115ecd59e2f8f0db Mon Sep 17 00:00:00 2001 From: mtklein Date: Thu, 14 Jan 2016 04:59:42 -0800 Subject: some fuzz hacking Try to start faster: - remove flags dependency - print nothing - strip unused symbols from the binary on Mac (smaller binary) - only create one fuzz object - only run one DEF_FUZZ I am not sure if any of these things mattered, but I thought you may like to look. Good stuff: - make nextU() / nextF() work - drop nextURange() / nextFRange() for now - add nextB() for a single byte As you may have guessed, I have figured out how to use afl-fuzz on my laptop. Syntax to run becomes: $ afl-fuzz ... out/Release/fuzz @@ BUG=skia: GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1581203003 Review URL: https://codereview.chromium.org/1581203003 --- fuzz/Fuzz.h | 6 ++---- fuzz/FuzzPaeth.cpp | 6 +++--- fuzz/fuzz.cpp | 44 +++++++++++++++++++++++++------------------- 3 files changed, 30 insertions(+), 26 deletions(-) (limited to 'fuzz') diff --git a/fuzz/Fuzz.h b/fuzz/Fuzz.h index cf5bcb9ead..f5083ef8e6 100644 --- a/fuzz/Fuzz.h +++ b/fuzz/Fuzz.h @@ -17,15 +17,13 @@ class Fuzz : SkNoncopyable { public: explicit Fuzz(SkData*); + uint8_t nextB(); uint32_t nextU(); float nextF(); - // These return a value in [min, max). - uint32_t nextURange(uint32_t min, uint32_t max); - float nextFRange(float min, float max); - private: SkAutoTUnref fBytes; + int fNextByte; }; struct Fuzzable { diff --git a/fuzz/FuzzPaeth.cpp b/fuzz/FuzzPaeth.cpp index aa7deb09e2..d7c139ce7a 100644 --- a/fuzz/FuzzPaeth.cpp +++ b/fuzz/FuzzPaeth.cpp @@ -33,8 +33,8 @@ static uint8_t paeth_alt(uint8_t a, uint8_t b, uint8_t c) { } DEF_FUZZ(Paeth, fuzz) { - int a = fuzz->nextU(), - b = fuzz->nextU(), - c = fuzz->nextU(); + auto a = fuzz->nextB(), + b = fuzz->nextB(), + c = fuzz->nextB(); ASSERT(paeth_alt(a,b,c) == paeth_std(a,b,c)); } diff --git a/fuzz/fuzz.cpp b/fuzz/fuzz.cpp index 6e31790951..929ba7a4cf 100644 
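Review bot: `fNextByte` is declared `int` while the cursor arithmetic in fuzz.cpp's `read()` compares and advances it against `data->size()` (a `size_t`), so every use mixes signed and unsigned; declaring it `size_t fNextByte;` matches the bound it is checked against. The three accessors are also undocumented, and their one non-obvious property lives in another file: a comment above `nextB()` such as `// Each next*() consumes sizeof(T) bytes from fBytes; when fewer remain, the cursor restarts at offset 0 (see read() in fuzz.cpp).` tells a DEF_FUZZ author that exhausted input silently repeats rather than stops. The `class Fuzz` header line itself sits just outside the hunk.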
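Review bot: Style: `auto a = fuzz->nextB(), b = fuzz->nextB(), c = fuzz->nextB();` hides that the three values are `uint8_t`, which is exactly the width `paeth_alt`/`paeth_std` take and the reason `nextB()` replaced `nextU()` here; spelling it `uint8_t a = fuzz->nextB(), b = fuzz->nextB(), c = fuzz->nextB();` keeps that visible at the call site. Each declarator is its own full-expression, so a, b and c are drawn from the input in that order; a short comment saying so helps anyone hand-minimising a corpus file.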
--- a/fuzz/fuzz.cpp +++ b/fuzz/fuzz.cpp @@ -6,35 +6,41 @@ */ #include "Fuzz.h" -#include "SkCommandLineFlags.h" - -DEFINE_string2(match, m, "", "The usual match patterns, applied to name."); -DEFINE_string2(bytes, b, "", "Path to file containing fuzzed bytes."); int main(int argc, char** argv) { - SkCommandLineFlags::Parse(argc, argv); - SkAutoTUnref bytes; - if (!FLAGS_bytes.isEmpty()) { - bytes.reset(SkData::NewFromFileName(FLAGS_bytes[0])); - } + ASSERT(argc > 2); + const char* name = argv[1]; + const char* path = argv[2]; + + SkAutoTUnref bytes(SkData::NewFromFileName(path)); + Fuzz fuzz(bytes); for (auto r = SkTRegistry::Head(); r; r = r->next()) { auto fuzzable = r->factory(); - if (!SkCommandLineFlags::ShouldSkip(FLAGS_match, fuzzable.name)) { - SkDebugf("Running %s...\n", fuzzable.name); - Fuzz fuzz(bytes); + if (0 == strcmp(name, fuzzable.name)) { fuzzable.fn(&fuzz); + return 0; } } - return 0; + return 1; } -Fuzz::Fuzz(SkData* bytes) : fBytes(SkSafeRef(bytes)) {} +Fuzz::Fuzz(SkData* bytes) : fBytes(SkSafeRef(bytes)), fNextByte(0) {} + +template +static T read(const SkData* data, int* next) { + ASSERT(sizeof(T) <= data->size()); + if (*next + sizeof(T) > data->size()) { + *next = 0; + } + T val; + memcpy(&val, data->bytes() + *next, sizeof(T)); + *next += sizeof(T); + return val; +} -// These methods are all TODO(kjlubick). -uint32_t Fuzz::nextU() { return 0; } -float Fuzz::nextF() { return 0.0f; } -uint32_t Fuzz::nextURange(uint32_t min, uint32_t max) { return min; } -float Fuzz::nextFRange(float min, float max) { return min; } +uint8_t Fuzz::nextB() { return read(fBytes, &fNextByte); } +uint32_t Fuzz::nextU() { return read(fBytes, &fNextByte); } +float Fuzz::nextF() { return read(fBytes, &fNextByte); } -- cgit v1.2.3
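Review bot: `main` passes the result of `SkData::NewFromFileName(path)` straight into `Fuzz`, and `read()` dereferences `data->size()` on the first `next*()` call; if `NewFromFileName` yields nullptr for a missing or unreadable file (as I believe it does), a bad path crashes the harness instead of reporting it, and a fuzzer will log that as a finding. Add `if (!bytes) { return 1; }` after the `SkAutoTUnref` line. The argument check has the same shape: if `ASSERT` compiles to nothing in the Release build the commit message targets, `argv[1]`/`argv[2]` are read past `argc`, so an unconditional `if (argc < 3) { return 1; }` is safer than `ASSERT(argc > 2)`. Relatedly, `read()` asserts `sizeof(T) <= data->size()`, so an empty or three-byte corpus file aborts inside `nextU()`/`nextF()` and under afl-fuzz that abort is indistinguishable from a crash in the code under test; consider returning a zero value once the data is exhausted, and document above `read` that a read running past the end wraps the cursor to offset 0 (the `*next = 0` branch), since that silent reuse of input is easy to miss.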