xref: /aosp_15_r20/external/skia/fuzz/Fuzz.h (revision c8dee2aa9b3f27cf6c858bd81872bdeb2c07ed17)
/*
 * Copyright 2016 Google Inc.
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
7*c8dee2aaSAndroid Build Coastguard Worker 
8*c8dee2aaSAndroid Build Coastguard Worker #ifndef Fuzz_DEFINED
9*c8dee2aaSAndroid Build Coastguard Worker #define Fuzz_DEFINED
10*c8dee2aaSAndroid Build Coastguard Worker 
11*c8dee2aaSAndroid Build Coastguard Worker #include "include/core/SkData.h"
12*c8dee2aaSAndroid Build Coastguard Worker #include "include/core/SkImageFilter.h"
13*c8dee2aaSAndroid Build Coastguard Worker #include "include/core/SkRegion.h"
14*c8dee2aaSAndroid Build Coastguard Worker #include "include/core/SkTypes.h"
15*c8dee2aaSAndroid Build Coastguard Worker #include "include/private/base/SkMalloc.h"
16*c8dee2aaSAndroid Build Coastguard Worker #include "include/private/base/SkTFitsIn.h"
17*c8dee2aaSAndroid Build Coastguard Worker #include "tools/Registry.h"
18*c8dee2aaSAndroid Build Coastguard Worker 
19*c8dee2aaSAndroid Build Coastguard Worker #include <limits>
20*c8dee2aaSAndroid Build Coastguard Worker #include <cmath>
21*c8dee2aaSAndroid Build Coastguard Worker #include <signal.h>
22*c8dee2aaSAndroid Build Coastguard Worker #include <limits>
23*c8dee2aaSAndroid Build Coastguard Worker 
// Fuzz is a forward-only read cursor over a caller-supplied byte buffer. Fuzz targets use it to
// turn raw fuzzer input into typed values.
//
// The constructor stores the pointer and length it is given; nothing in this header copies or
// frees the buffer. The buffer therefore has to stay alive for as long as the Fuzz object, and
// any pointer obtained from remainingData(), is in use.
class Fuzz {
public:
    // Wraps `size` bytes starting at `data`. The read cursor starts at offset 0.
    explicit Fuzz(const uint8_t* data, size_t size)
            : fData(data)
            , fSize(size)
            , fNextByte(0) {}
    Fuzz() = delete;

    // Make noncopyable
    Fuzz(Fuzz&) = delete;
    Fuzz& operator=(Fuzz&) = delete;

    // Returns the total number of "random" bytes available. This is the full input length,
    // not the number of bytes still unread; see remainingSize() for the latter.
    size_t size() const { return fSize; }

    // Returns true when there are no bytes remaining for fuzzing.
    // NOTE(review): this is an equality test, so it relies on the cursor never moving past
    // fSize. nextBytes() is defined outside this header; confirm it keeps that invariant.
    bool exhausted() const { return fNextByte == fSize; }

    // Moves the cursor to the end of the input, discarding whatever was left unread.
    void deplete() { fNextByte = fSize; }

    // Number of bytes that have not been consumed yet. The subtraction is unsigned, so the
    // result is only meaningful while fNextByte <= fSize (same invariant as exhausted()).
    size_t remainingSize() const { return fSize - fNextByte; }

    // Pointer to the first unconsumed byte; the cursor is not advanced. Only
    // remainingSize() bytes may be read through it. Once the input is exhausted this is a
    // one-past-the-end pointer and must not be dereferenced.
    const uint8_t* remainingData() const { return fData + fNextByte; }

    // next() loads fuzzed bytes into the variable passed in by pointer.
    // We use this approach instead of T next() because different compilers
    // evaluate function parameters in different orders. If fuzz->next()
    // returned 5 and then 7, foo(fuzz->next(), fuzz->next()) would be
    // foo(5, 7) when compiled on GCC and foo(7, 5) when compiled on Clang.
    // By requiring params to be passed in, we avoid the temptation to call
    // next() in a way that does not consume fuzzed bytes in a single
    // platform-independent order.
    //
    // This overload hands sizeof(T) bytes of *t to nextBytes(). It applies no range or
    // validity check of its own; use nextRange()/nextEnum() when T has a restricted set of
    // legal values.
    template <typename T>
    void next(T* t) {
        this->nextBytes(t, sizeof(T));
    }

    // This is a convenient way to initialize more than one argument at a time.
    template <typename Arg, typename... Args>
    void next(Arg* first, Args... rest);

    // nextRange returns values only in [min, max].
    template <typename T, typename Min, typename Max>
    void nextRange(T*, Min, Max);

    // nextEnum is a wrapper around nextRange for enums.
    template <typename T>
    void nextEnum(T* ptr, T max);

    // nextN loads n * sizeof(T) bytes into ptr. The caller must make sure ptr has room for
    // n elements.
    template <typename T>
    void nextN(T* ptr, int n);

    // Tell the fuzzer that these inputs found a bug: logs "Signal bug" and then raises
    // SIGSEGV. raise() returns to the caller if the signal is handled or ignored, so code
    // after a signalBug() call should not assume it is unreachable.
    void signalBug() {
        SkDebugf("Signal bug\n");
        raise(SIGSEGV);
    }

    // Specialized versions for when true random doesn't quite make sense
    void next(bool* b);
    void next(SkRegion* region);

    // Convenience form of next(bool*) that returns the value instead of writing through a
    // pointer. As explained above, do not call it more than once within a single argument
    // list.
    bool nextBool() {
        bool result;
        this->next(&result);
        return result;
    }

    void nextRange(float* f, float min, float max);

private:
    template <typename T>
    T nextT();

    const uint8_t* fData;  // start of the input buffer; not owned by this object
    size_t fSize;          // total length of the input in bytes
    size_t fNextByte;      // offset of the next unread byte
    friend void fuzz__MakeEncoderCorpus(Fuzz*);

    // Low-level read that backs every next() overload; defined outside this header.
    void nextBytes(void* ptr, size_t size);
};
111*c8dee2aaSAndroid Build Coastguard Worker 
// Fills several variables from the fuzz input in one call.
//
// `first` is filled before anything in `rest`, and `rest` is then handled by calling next()
// again with the remaining arguments, so bytes are always consumed in left-to-right argument
// order. The recursive call needs each element of `rest` to be a pointer that some next()
// overload accepts.
template <typename Arg, typename... Args>
inline void Fuzz::next(Arg* first, Args... rest) {
    // Head of the argument list first ...
    this->next(first);
    // ... then the tail, which recurses until a single-pointer overload matches.
    this->next(rest...);
}
117*c8dee2aaSAndroid Build Coastguard Worker 
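// Reads one value from the fuzz input and clamps it into [min, max].
//
// value:    receives the clamped result.
// min, max: inclusive bounds. Each is converted to the raw type before it is compared, so a
//           bound that does not fit that type is narrowed first. If min > max the result is
//           always max, because the second clamp wins.
//
// The value is read as sk_strip_enum<T>::type (declared outside this header; presumably the
// underlying integer type when T is an enum) and only converted to T after clamping.
template <typename T, typename Min, typename Max>
inline void Fuzz::nextRange(T* value, Min min, Max max) {
    // UBSAN worries if we make an enum with out of range values, even temporarily.
    using Raw = typename sk_strip_enum<T>::type;
    Raw raw;
    this->next(&raw);

    const Raw lo = static_cast<Raw>(min);
    const Raw hi = static_cast<Raw>(max);

    // The comparisons are written in negated form on purpose. For every ordered value
    // they are the same as `raw < lo` / `raw > hi`, but a floating-point NaN compares false
    // against everything and would otherwise be returned unclamped, breaking the [min, max]
    // contract for floating-point T. With this form a NaN is clamped to min.
    if (!(raw >= lo)) { raw = lo; }
    if (!(raw <= hi)) { raw = hi; }
    *value = static_cast<T>(raw);
}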
129*c8dee2aaSAndroid Build Coastguard Worker 
// Reads an enum value from the fuzz input, clamped into [0, max].
//
// value: receives the result.
// max:   largest enumerator value that may be produced.
//
// The lower bound is fixed at 0 and every integer between 0 and max can come out, so this
// suits enums whose enumerators are the contiguous values 0..max. For an enum with gaps or
// negative enumerators the result may not correspond to a named enumerator.
template <typename T>
inline void Fuzz::nextEnum(T* value, T max) {
    // This works around the fact that UBSAN will assert if we put an invalid
    // value into an enum. We might see issues with enums being represented
    // on Windows differently than Linux, but that's not a thing we can fix here.
    using Underlying = typename std::underlying_type<T>::type;

    // Read and clamp in the underlying integer type; convert to T only at the end.
    Underlying raw;
    this->next(&raw);

    const Underlying zero = static_cast<Underlying>(0);
    if (raw < zero) {
        raw = zero;
    } else if (raw > static_cast<Underlying>(max)) {
        raw = static_cast<Underlying>(max);
    }
    *value = static_cast<T>(raw);
}
142*c8dee2aaSAndroid Build Coastguard Worker 
// Fills ptr[0] .. ptr[n-1] from the fuzz input, one element at a time and in index order.
//
// ptr: destination array. No bounds check is possible here, so the caller must guarantee
//      it has room for at least n elements; take n from the real buffer size and never
//      straight from fuzzed data.
// n:   number of elements to fill. Zero or a negative value fills nothing.
template <typename T>
inline void Fuzz::nextN(T* ptr, int n) {
    int index = 0;
    while (index < n) {
        this->next(ptr + index);
        ++index;
    }
}
149*c8dee2aaSAndroid Build Coastguard Worker 
// One registered fuzz target: a name paired with its entry point. DEF_FUZZ creates one of
// these for every target it defines.
struct Fuzzable {
    // Target name. Only the pointer is stored, so the string has to outlive the entry
    // (DEF_FUZZ passes a string literal).
    const char* name;

    // Entry point; it is handed the Fuzz object that wraps the input bytes.
    void (*fn)(Fuzz*);
};
154*c8dee2aaSAndroid Build Coastguard Worker 
// DEF_FUZZ(name, f) { ...body... } defines a fuzz target.
//
// The expansion does three things, in this order:
//   1. forward-declares void fuzz_<name>(Fuzz*);
//   2. defines a global sk_tools::Registry<Fuzzable> called register_<name>, initialized
//      with {"<name>", fuzz_<name>};
//   3. opens the definition of fuzz_<name>(Fuzz* f); the braces that follow the macro
//      invocation are its body, and `f` is the Fuzz* parameter visible inside it.
//
// Not static so that we can link these into oss-fuzz harnesses if we like. Because both
// fuzz_<name> and register_<name> have external linkage, each `name` must be unique across
// everything linked into one binary.
#define DEF_FUZZ(name, f)                                                 \
    void fuzz_##name(Fuzz*);                                              \
    sk_tools::Registry<Fuzzable> register_##name({#name, fuzz_##name});   \
    void fuzz_##name(Fuzz* f)
160*c8dee2aaSAndroid Build Coastguard Worker 
161*c8dee2aaSAndroid Build Coastguard Worker #endif  // Fuzz_DEFINED