Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2123733002:
Add a fuzzer for TemplateURLParser/Open Search Descriptions. (Closed)
|
Created:
4 years, 5 months ago by dominicc (has gone to gerrit) Modified:
3 years, 9 months ago Reviewers:
aizatsky CC:
chromium-reviews Base URL:
https://chromium.googlesource.com/chromium/src.git@master Target Ref:
refs/heads/master Project:
chromium Visibility:
Public. |
DescriptionAdd a fuzzer for TemplateURLParser/Open Search Descriptions.
BUG=625746
Review-Url: https://codereview.chromium.org/2123733002
Cr-Commit-Position: refs/heads/master@{#459727}
Committed: https://chromium.googlesource.com/chromium/src/+/588a32ac7a5824a30aea437bf85a1f7615dfcbc3
Patch Set 1 #Patch Set 2 : Bring patch to head. #
Total comments: 4
Patch Set 3 : Bring patch to head. #Patch Set 4 : Try to fix Linux build problem. #
Total comments: 1
Patch Set 5 : Feedback. #Patch Set 6 : Bring patch to head. #
Messages
Total messages: 33 (21 generated)
dominicc@chromium.org changed reviewers: + aizatsky@chromium.org
PTAL My first fuzzer, advice appreciated. Open Search Descriptions are XML documents from the interwebs parsed by libxml's SAX parser in browser without any user intervention so it seems worthwhile fuzzing them.
https://codereview.chromium.org/2123733002/diff/20001/testing/libfuzzer/fuzze... File testing/libfuzzer/fuzzers/template_url_parser_fuzzer.cc (right): https://codereview.chromium.org/2123733002/diff/20001/testing/libfuzzer/fuzze... testing/libfuzzer/fuzzers/template_url_parser_fuzzer.cc:30: extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { Let's add struct FuzzerFixedParams { bool show_in_default_list; uint32_t seed; etc. } and use it to extract fixed parameters. https://codereview.chromium.org/2123733002/diff/20001/testing/libfuzzer/fuzze... testing/libfuzzer/fuzzers/template_url_parser_fuzzer.cc:31: if (size < 5) { should be sizeof(FuzzerFixedParams) https://codereview.chromium.org/2123733002/diff/20001/testing/libfuzzer/fuzze... testing/libfuzzer/fuzzers/template_url_parser_fuzzer.cc:36: bool show_in_default_list = data[0] & 1; use bit field in params struct. https://codereview.chromium.org/2123733002/diff/20001/testing/libfuzzer/fuzze... testing/libfuzzer/fuzzers/template_url_parser_fuzzer.cc:40: PseudoRandomFilter filter(*reinterpret_cast<const int32_t*>(data)); these 4 bytes would go into rng and which doesn't have any smoothness. I suggest you simply use input string hash as a seed rather than waste 4 bytes of genes: std::string str = std::string(reinterpret_cast<const char*>(data), size); std::size_t data_hash = std::hash<std::string>()(str);
The CQ bit was checked by dominicc@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Thanks for the feedback! Sorry for the slow reply. Please take another look.
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by dominicc@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: cast_shell_linux on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)
https://codereview.chromium.org/2123733002/diff/60001/testing/libfuzzer/fuzze... File testing/libfuzzer/fuzzers/template_url_parser_fuzzer.cc (right): https://codereview.chromium.org/2123733002/diff/60001/testing/libfuzzer/fuzze... testing/libfuzzer/fuzzers/template_url_parser_fuzzer.cc:31: std::size_t data_hash = with this approach every input bit change would result in different seed => different parameters kept. I suggest you use first 4 bytes of the data as seed and the rest as a string.
The CQ bit was checked by dominicc@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
On 2017/03/20 at 20:14:05, aizatsky wrote: > https://codereview.chromium.org/2123733002/diff/60001/testing/libfuzzer/fuzze... > File testing/libfuzzer/fuzzers/template_url_parser_fuzzer.cc (right): > > https://codereview.chromium.org/2123733002/diff/60001/testing/libfuzzer/fuzze... > testing/libfuzzer/fuzzers/template_url_parser_fuzzer.cc:31: std::size_t data_hash = > with this approach every input bit change would result in different seed => different parameters kept. > > I suggest you use first 4 bytes of the data as seed and the rest as a string. Done; PTAL. Thanks!
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: chromeos_daisy_chromium_compile_only_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/chromeos_daisy_...)
lgtm
The CQ bit was checked by dominicc@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by dominicc@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: linux_chromium_chromeos_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by dominicc@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from aizatsky@chromium.org Link to the patchset: https://codereview.chromium.org/2123733002/#ps100001 (title: "Bring patch to head.")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch.
Bot data: {"patchset_id": 100001, "attempt_start_ts": 1490602100474350,
"parent_rev": "6965a1a18751e9c2331051dbe2d986ad392f5250", "commit_rev":
"588a32ac7a5824a30aea437bf85a1f7615dfcbc3"}
Message was sent while issue was closed.
Description was changed from ========== Add a fuzzer for TemplateURLParser/Open Search Descriptions. BUG=625746 ========== to ========== Add a fuzzer for TemplateURLParser/Open Search Descriptions. BUG=625746 Review-Url: https://codereview.chromium.org/2123733002 Cr-Commit-Position: refs/heads/master@{#459727} Committed: https://chromium.googlesource.com/chromium/src/+/588a32ac7a5824a30aea437bf85a... ==========
Message was sent while issue was closed.
Committed patchset #6 (id:100001) as https://chromium.googlesource.com/chromium/src/+/588a32ac7a5824a30aea437bf85a... |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
