xref: /aosp_15_r20/external/virglrenderer/tests/fuzzer/virgl_fuzzer.c (revision bbecb9d118dfdb95f99bd754f8fa9be01f189df3) 
1 // Copyright 2018 The Chromium OS Authors. All rights reserved.
2 //
3 // Redistribution and use in source and binary forms, with or without
4 // modification, are permitted provided that the following conditions are
5 // met:
6 //
7 //    * Redistributions of source code must retain the above copyright
8 // notice, this list of conditions and the following disclaimer.
9 //    * Redistributions in binary form must reproduce the above
10 // copyright notice, this list of conditions and the following disclaimer
11 // in the documentation and/or other materials provided with the
12 // distribution.
13 //    * Neither the name of Google Inc. nor the names of its
14 // contributors may be used to endorse or promote products derived from
15 // this software without specific prior written permission.
16 //
17 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
18 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
19 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
20 // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
21 // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
22 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
23 // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 
29 // libfuzzer-based fuzzer for public APIs.
30 
31 #include <assert.h>
32 #include <stdint.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <unistd.h>
36 
37 #include <epoxy/egl.h>
38 
39 #include "util/macros.h"
40 #include "virglrenderer.h"
41 
42 int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);
43 
44 #ifndef CLEANUP_EACH_INPUT
45 // eglInitialize leaks unless eglTeriminate is called (which only happens
46 // with CLEANUP_EACH_INPUT), so suppress leak detection on everything
47 // allocated by it.
48 const char* __lsan_default_suppressions(void);
__lsan_default_suppressions()49 const char* __lsan_default_suppressions() {
50    return "leak:eglInitialize\n";
51 }
52 
53 #endif // !CLEANUP_EACH_INPUT
54 
55 struct fuzzer_cookie
56 {
57    EGLDisplay display;
58    EGLConfig egl_config;
59    EGLContext ctx;
60 };
61 
fuzzer_write_fence(UNUSED void * opaque,UNUSED uint32_t fence)62 static void fuzzer_write_fence(UNUSED void *opaque, UNUSED uint32_t fence)
63 {
64 }
65 
fuzzer_create_gl_context(void * cookie,UNUSED int scanout_idx,struct virgl_renderer_gl_ctx_param * param)66 static virgl_renderer_gl_context fuzzer_create_gl_context(
67       void *cookie, UNUSED int scanout_idx,
68       struct virgl_renderer_gl_ctx_param *param)
69 {
70    struct fuzzer_cookie *cookie_data = cookie;
71    EGLContext shared = param->shared ? eglGetCurrentContext() : NULL;
72    const EGLint context_attribs[] = { EGL_CONTEXT_CLIENT_VERSION, 3,
73                                       EGL_NONE };
74    EGLContext ctx = eglCreateContext(cookie_data->display,
75                                      cookie_data->egl_config,
76                                      shared,
77                                      context_attribs);
78    assert(ctx);
79 
80    return ctx;
81 }
82 
fuzzer_destroy_gl_context(void * cookie,virgl_renderer_gl_context ctx)83 static void fuzzer_destroy_gl_context(void *cookie,
84                                       virgl_renderer_gl_context ctx)
85 {
86    struct fuzzer_cookie *cookie_data = cookie;
87    eglDestroyContext(cookie_data->display, ctx);
88 }
89 
fuzzer_make_current(UNUSED void * cookie,UNUSED int scanout_idx,UNUSED virgl_renderer_gl_context ctx)90 static int fuzzer_make_current(UNUSED void *cookie, UNUSED int scanout_idx,
91                                UNUSED virgl_renderer_gl_context ctx)
92 {
93    return 0;
94 }
95 
96 const int FUZZER_CTX_ID = 1;
97 const char *SWRAST_ENV = "LIBGL_ALWAYS_SOFTWARE";
98 
99 static struct fuzzer_cookie cookie;
100 
101 static struct virgl_renderer_callbacks fuzzer_cbs = {
102    .version = 1,
103    .write_fence = fuzzer_write_fence,
104    .create_gl_context = fuzzer_create_gl_context,
105    .destroy_gl_context = fuzzer_destroy_gl_context,
106    .make_current = fuzzer_make_current,
107 };
108 
109 static bool initialized = false;
110 
initialize_environment()111 static int initialize_environment()
112 {
113    if (!initialized) {
114       EGLBoolean ok;
115 
116       // Force SW rendering unless env variable is already set.
117       setenv(SWRAST_ENV, "true", 0);
118 
119       cookie.display = eglGetDisplay(EGL_DEFAULT_DISPLAY);
120       assert(cookie.display != EGL_NO_DISPLAY);
121 
122       ok = eglInitialize(cookie.display, NULL, NULL);
123       assert(ok);
124 
125       const EGLint config_attribs[] = { EGL_SURFACE_TYPE, EGL_DONT_CARE,
126                                         EGL_NONE };
127       EGLint num_configs;
128       ok = eglChooseConfig(cookie.display, config_attribs,
129                            &cookie.egl_config, 1, &num_configs);
130       assert(ok);
131 
132       ok = eglBindAPI(EGL_OPENGL_ES_API);
133       assert(ok);
134 
135       const EGLint context_attribs[] = { EGL_CONTEXT_CLIENT_VERSION, 3,
136                                          EGL_NONE };
137       cookie.ctx = eglCreateContext(cookie.display, cookie.egl_config,
138                                     EGL_NO_CONTEXT, context_attribs);
139       assert(cookie.ctx != EGL_NO_CONTEXT);
140 
141       ok = eglMakeCurrent(cookie.display, EGL_NO_SURFACE, EGL_NO_SURFACE,
142                           cookie.ctx);
143       assert(ok);
144 
145       initialized = true;
146    }
147 
148    return FUZZER_CTX_ID;
149 }
150 
151 #ifdef CLEANUP_EACH_INPUT
cleanup_environment()152 static void cleanup_environment()
153 {
154    if (cookie.ctx != EGL_NO_CONTEXT) {
155       eglMakeCurrent(cookie.display, NULL, NULL, NULL);
156       eglDestroyContext(cookie.display, cookie.ctx);
157    }
158 
159    if (cookie.display != EGL_NO_DISPLAY) {
160       eglTerminate(cookie.display);
161    }
162 
163    initialized = false;
164 }
165 #endif
166 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)167 int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
168 {
169    uint32_t ctx_id = initialize_environment();
170    int ret;
171 
172    // There are trade-offs here between ensuring that state is not persisted
173    // between invocations of virgl_renderer_submit_cmd, and to avoid leaking
174    // resources that comes with repeated dlopen()/dlclose()ing the mesa
175    // driver with each eglInitialize()/eglTerminate() if CLEANUP_EACH_INPUT
176    // is set.
177 
178    ret = virgl_renderer_init(&cookie, 0, &fuzzer_cbs);
179    assert(!ret);
180 
181    const char *name = "fuzzctx";
182    ret = virgl_renderer_context_create(ctx_id, strlen(name), name);
183    assert(!ret);
184 
185    virgl_renderer_submit_cmd((void *) data, ctx_id, size / sizeof(uint32_t));
186 
187    virgl_renderer_context_destroy(ctx_id);
188 
189    virgl_renderer_cleanup(&cookie);
190 
191 #ifdef CLEANUP_EACH_INPUT
192    // The following cleans up between each input which is a lot slower.
193    cleanup_environment();
194 #endif
195 
196    return 0;
197 }
198