
Unified Diff: fuzz/fuzz.cpp

Issue 1591073002: Add ability to fuzz images and skps to fuzz binary (Closed) Base URL: https://skia.googlesource.com/skia@master
Patch Set: Moved all fuzzes into one Created 4 years, 11 months ago
Index: fuzz/fuzz.cpp
diff --git a/fuzz/fuzz.cpp b/fuzz/fuzz.cpp
index 343e25b45303527a8a5cbfb5cc33bcebfb747afa..5a62abf516212529492e6d399106b1dc8ef43e87 100644
--- a/fuzz/fuzz.cpp
+++ b/fuzz/fuzz.cpp
@@ -6,20 +6,54 @@
*/
#include "Fuzz.h"
+#include "SkCanvas.h"
#include "SkCommandLineFlags.h"
+#include "SkData.h"
+#include "SkImage.h"
+#include "SkImageEncoder.h"
+#include "SkImageDecoder.h"
scroggo 2016/01/19 15:35:39 We're actually interested in testing SkCodec, not
+#include "SkForceLinking.h"
+#include "SkPicture.h"
+#include "SkStream.h"
+
#include <signal.h>
#include <stdlib.h>
+#include <cmath>
+
+__SK_FORCE_IMAGE_DECODER_LINKING;
DEFINE_string2(bytes, b, "", "A path to a file containing fuzzed bytes.");
DEFINE_string2(match, m, "", "The usual --match, applied to DEF_FUZZ names.");
+DEFINE_string2(file, f, "", "The path to a binary file.");
mtklein 2016/01/19 16:17:25 What's the difference between -b and -f? Let's pi
kjlubick 2016/01/20 13:08:15 Done
+DEFINE_string(mode, "", "The mode in which to treat the binary file. Can be 'image', 'skp'");
mtklein 2016/01/19 16:17:25 DEFINE_string(mode, "api", "How to interpret --byt
kjlubick 2016/01/20 13:08:15 Done
+DEFINE_bool(debug, false, "If the output of any renderings should be dumped as a png.");
mtklein 2016/01/19 16:17:25 DEFINE_string(dump, "", "If not empty, dump 'image
kjlubick 2016/01/20 13:08:15 Done.
+
+void runSingleTest();
+int decodeImage();
+int decodeSkp();
+
int main(int argc, char** argv) {
SkCommandLineFlags::Parse(argc, argv);
- if (FLAGS_bytes.isEmpty()) {
- SkDebugf("Usage: %s -b <path/to/fuzzed.data> [-m pattern]\n", argv[0]);
- return 1;
+ if (FLAGS_mode.isEmpty()) {
+ runSingleTest();
+ return 0;
}
+
+ if (0 == strcmp(FLAGS_mode[0], "image")) {
+ return decodeImage();
+ } else if (0 == strcmp(FLAGS_mode[0], "skp")) {
+ return decodeSkp();
+ }
+
+ SkDebugf("Usage: %s -b <path/to/fuzzed.data> [-m pattern]\n", argv[0]);
+ SkDebugf("or\n");
+ SkDebugf("Usage: %s --mode [mode] -f <path/to/fuzzed.file>\n", argv[0]);
+ return 1;
+}
+
+void runSingleTest() {
SkAutoTUnref<SkData> bytes(SkData::NewFromFileName(FLAGS_bytes[0]));
for (auto r = SkTRegistry<Fuzzable>::Head(); r; r = r->next()) {
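Review bot: runSingleTest() reads `FLAGS_bytes[0]` without the `FLAGS_bytes.isEmpty()` guard that this change removes from main(), so running the binary with no arguments now reaches that index on what appears to be an empty flag array instead of printing the usage text. Keep the guard on the default path, e.g. `if (FLAGS_bytes.isEmpty()) { SkDebugf("Usage: ..."); return 1; }` before `runSingleTest();`. The `SkData` returned by `SkData::NewFromFileName` is also passed on without a null check, unlike the `if (!encoded)` test in decodeImage(), so an unreadable path would hand a null buffer to `Fuzz fuzz(bytes)`. main() returns 0 on this path even when no fuzzable matched, which makes a mistyped `--match` look like a clean run to a fuzzing driver. The body of runSingleTest() continues outside this hunk.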
@@ -28,11 +62,69 @@ int main(int argc, char** argv) {
SkDebugf("Fuzzing %s...\n", fuzzable.name);
Fuzz fuzz(bytes);
fuzzable.fn(&fuzz);
+ return;
}
}
+}
+
+int decodeImage() {
+ if (FLAGS_file.isEmpty()) {
+ SkDebugf("Usage: fuzz --mode image --file <path/to/fuzzed.image>\n");
+ return 1;
+ }
+ SkAutoTUnref<SkData> encoded(SkData::NewFromFileName(FLAGS_file[0]));
mtklein 2016/01/19 16:17:25 It looks like you're copying and pasting. Let's s
kjlubick 2016/01/20 13:08:15 I'm going to keep the functions here for easier fu
+ if (!encoded) {
+ SkDebugf("Could not read %s\n", FLAGS_file[0]);
+ return 2;
+ }
+ SkBitmap bitmap;
+ if (!SkImageDecoder::DecodeMemory(encoded->data(), encoded->size(), &bitmap)) {
+ SkDebugf("Could not decode image.\n");
+ return 3;
+ }
+ encoded.reset((SkData*)nullptr); // Might as well drop this when we're done with it.
mtklein 2016/01/19 16:17:25 Actually, here in this program we probably don't n
kjlubick 2016/01/20 13:08:14 Done.
+
+ SkImage::NewFromBitmap(bitmap);
+ SkDebugf("Created an SkImage!\n");
+ if (FLAGS_debug) {
+ SkImageEncoder::EncodeFile("debug.png", bitmap, SkImageEncoder::kPNG_Type, 100);
+ }
return 0;
}
+static const SkRect kSKPViewport = {0,0, 1000,1000};
+
+int decodeSkp() {
+ if (FLAGS_file.isEmpty()) {
+ SkDebugf("Usage: fuzz --mode skp --file <path/to/fuzzed.skp>\n");
+ return 1;
+ }
+ SkAutoTDelete<SkStream> stream(SkStream::NewFromFile(FLAGS_file[0]));
+ if (!stream) {
+ SkDebugf("Couldn't read %s.", FLAGS_file[0]);
+ return 2;
+ }
+ SkDebugf("Decoding");
+ SkAutoTUnref<SkPicture> pic(SkPicture::CreateFromStream(stream));
+ if (!pic) {
+ SkDebugf("Couldn't decode as a picture.");
+ return 3;
+ }
+ stream.reset((SkStream*)nullptr); // Might as well drop this when we're done with it.
+ SkDebugf("Rendering");
+ SkBitmap bitmap;
+ if (FLAGS_debug) {
+ bitmap.allocN32Pixels(4000, 4000);
mtklein 2016/01/19 16:17:25 Probably better to allocate pixels to fit pic->cul
kjlubick 2016/01/20 13:08:14 Done.
+ }
+ SkCanvas canvas(bitmap);
+ canvas.clipRect(kSKPViewport);
+ canvas.drawPicture(pic);
+ SkDebugf("Decoded and rendered an SkPicture!\n");
+ if (FLAGS_debug) {
+ SkImageEncoder::EncodeFile("debug.png", bitmap, SkImageEncoder::kPNG_Type, 100);
+ }
+ return 0;
+}
Fuzz::Fuzz(SkData* bytes) : fBytes(SkSafeRef(bytes)), fNextByte(0) {}
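Review bot: In decodeImage() the result of `SkImage::NewFromBitmap(bitmap);` is discarded, and since that factory returns a caller-owned reference the image is leaked on every run; under a leak-checking sanitizer this would be reported as a finding for every input and bury real ones. Hold it in a smart pointer and check it, e.g. `SkAutoTUnref<SkImage> image(SkImage::NewFromBitmap(bitmap));` followed by `if (!image) { return 4; }`. In decodeSkp() the bitmap only gets pixels when `FLAGS_debug` is set, so in the normal fuzzing configuration `canvas.drawPicture(pic)` targets an empty bitmap and the rasterizer is probably not exercised at all; allocating the pixels unconditionally and gating only the `EncodeFile` call on the flag would keep the rendering path under test. The return values of both `SkImageEncoder::EncodeFile` calls are ignored, so a failed dump is silent.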