Introduce gpu_fuzzer to fuzz the GPU command buffers

Introduce gpu_fuzzer to fuzz the GPU command buffers

This fuzzer sets up a decoder using the stub GL API and runs an arbitrary string
as a command buffer.

This introduces a maximum size for buckets as well as buffers, because the
fuzzer will rapidly try to create giant ones, running out of memory (and/or
being extremely slow). The limit is kept at 1GB in production, but limited to
8MB in the fuzzer.

BUG=None
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Committed: https://crrev.com/5adadcfc2694ac8b90405f5b82a856adc542d83f
Cr-Commit-Position: refs/heads/master@{#405636}

[piman, 2016-07-14 03:57:51]

Description was changed from

==========
Introduce gpu_fuzzer to fuzz the GPU command buffers

This fuzzer sets up a decoder using the stub GL API and runs an arbitrary string
as a command buffer.

This introduces a maximum size for buckets as well as buffers, because the
fuzzer will rapidly try to create giant ones, running out of memory (and/or
being extremely slow). The limit is kept at 1GB in production, but limited to
8MB in the fuzzer.

BUG=None
==========

to

==========
Introduce gpu_fuzzer to fuzz the GPU command buffers

This fuzzer sets up a decoder using the stub GL API and runs an arbitrary string
as a command buffer.

This introduces a maximum size for buckets as well as buffers, because the
fuzzer will rapidly try to create giant ones, running out of memory (and/or
being extremely slow). The limit is kept at 1GB in production, but limited to
8MB in the fuzzer.

BUG=None
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
==========

[piman, 2016-07-14 03:57:59]

The CQ bit was checked by piman@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-14 03:58:09]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[piman, 2016-07-14 04:01:12]

piman@chromium.org changed reviewers:
+ sievers@chromium.org

[piman, 2016-07-14 04:01:12]

sievers: PTAL. This still runs fairly slowly, because of the cost to
reinitialize the decoder, and it spews a lot of error messages which slows it
down, but I have follow up CLs that should reduce that cost.

[piman, 2016-07-14 04:16:18]

The CQ bit was checked by piman@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-14 04:16:30]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[piman, 2016-07-14 04:32:35]

Patchset #1 (id:1) has been deleted

[commit-bot: I haz the power, 2016-07-14 06:39:58]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-14 06:39:59]

Dry run: This issue passed the CQ dry run.

[no sievers, 2016-07-14 21:33:24]

lgtm, neat.

https://codereview.chromium.org/2150803003/diff/20001/gpu/command_buffer/test...
File gpu/command_buffer/tests/fuzzer_main.cc (right):

https://codereview.chromium.org/2150803003/diff/20001/gpu/command_buffer/test...
gpu/command_buffer/tests/fuzzer_main.cc:138: command_buffer_->Flush((size + 3) /
4);
don't you want to round down here?

[piman, 2016-07-14 22:15:46]

https://codereview.chromium.org/2150803003/diff/20001/gpu/command_buffer/test...
File gpu/command_buffer/tests/fuzzer_main.cc (right):

https://codereview.chromium.org/2150803003/diff/20001/gpu/command_buffer/test...
gpu/command_buffer/tests/fuzzer_main.cc:138: command_buffer_->Flush((size + 3) /
4);
On 2016/07/14 21:33:24, sievers wrote:
> don't you want to round down here?

I was thinking, this gives us slightly more coverage, with partially written
commands (which are possible from the client pov), in that those bits explored
by the fuzzer are not completely "wasted". It may be worth tweaking the CHECK
above though.

I'm not sure how much of a difference it makes in practice though - arguably the
fuzzer can explore those as well, by writing trailing zeros, it just feels like
a teeny tiny less waste.

[piman, 2016-07-14 22:26:59]

On 2016/07/14 22:15:46, piman wrote:
>
https://codereview.chromium.org/2150803003/diff/20001/gpu/command_buffer/test...
> File gpu/command_buffer/tests/fuzzer_main.cc (right):
> 
>
https://codereview.chromium.org/2150803003/diff/20001/gpu/command_buffer/test...
> gpu/command_buffer/tests/fuzzer_main.cc:138: command_buffer_->Flush((size + 3)
/
> 4);
> On 2016/07/14 21:33:24, sievers wrote:
> > don't you want to round down here?
> 
> I was thinking, this gives us slightly more coverage, with partially written
> commands (which are possible from the client pov), in that those bits explored
> by the fuzzer are not completely "wasted". It may be worth tweaking the CHECK
> above though.
> 
> I'm not sure how much of a difference it makes in practice though - arguably
the
> fuzzer can explore those as well, by writing trailing zeros, it just feels
like
> a teeny tiny less waste.

And then I realized I'm not actually writing those 0 bytes. Let me fix this too.

[piman, 2016-07-14 22:32:33]

On 2016/07/14 22:26:59, piman wrote:
> On 2016/07/14 22:15:46, piman wrote:
> >
>
https://codereview.chromium.org/2150803003/diff/20001/gpu/command_buffer/test...
> > File gpu/command_buffer/tests/fuzzer_main.cc (right):
> > 
> >
>
https://codereview.chromium.org/2150803003/diff/20001/gpu/command_buffer/test...
> > gpu/command_buffer/tests/fuzzer_main.cc:138: command_buffer_->Flush((size +
3)
> /
> > 4);
> > On 2016/07/14 21:33:24, sievers wrote:
> > > don't you want to round down here?
> > 
> > I was thinking, this gives us slightly more coverage, with partially written
> > commands (which are possible from the client pov), in that those bits
explored
> > by the fuzzer are not completely "wasted". It may be worth tweaking the
CHECK
> > above though.
> > 
> > I'm not sure how much of a difference it makes in practice though - arguably
> the
> > fuzzer can explore those as well, by writing trailing zeros, it just feels
> like
> > a teeny tiny less waste.
> 
> And then I realized I'm not actually writing those 0 bytes. Let me fix this
too.

Done, PTAL

[piman, 2016-07-14 22:32:42]

The CQ bit was checked by piman@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-14 22:33:29]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[no sievers, 2016-07-14 23:22:01]

On 2016/07/14 22:32:33, piman wrote:
> On 2016/07/14 22:26:59, piman wrote:
> > On 2016/07/14 22:15:46, piman wrote:
> > >
> >
>
https://codereview.chromium.org/2150803003/diff/20001/gpu/command_buffer/test...
> > > File gpu/command_buffer/tests/fuzzer_main.cc (right):
> > > 
> > >
> >
>
https://codereview.chromium.org/2150803003/diff/20001/gpu/command_buffer/test...
> > > gpu/command_buffer/tests/fuzzer_main.cc:138: command_buffer_->Flush((size
+
> 3)
> > /
> > > 4);
> > > On 2016/07/14 21:33:24, sievers wrote:
> > > > don't you want to round down here?
> > > 
> > > I was thinking, this gives us slightly more coverage, with partially
written
> > > commands (which are possible from the client pov), in that those bits
> explored
> > > by the fuzzer are not completely "wasted". It may be worth tweaking the
> CHECK
> > > above though.
> > > 
> > > I'm not sure how much of a difference it makes in practice though -
arguably
> > the
> > > fuzzer can explore those as well, by writing trailing zeros, it just feels
> > like
> > > a teeny tiny less waste.
> > 
> > And then I realized I'm not actually writing those 0 bytes. Let me fix this
> too.
> 
> Done, PTAL

lgtm!

[piman, 2016-07-14 23:41:36]

The CQ bit was unchecked by piman@chromium.org

[piman, 2016-07-14 23:41:38]

The CQ bit was checked by piman@chromium.org

[commit-bot: I haz the power, 2016-07-14 23:41:56]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-14 23:52:52]

Committed patchset #2 (id:40001)

[commit-bot: I haz the power, 2016-07-14 23:53:07]

CQ bit was unchecked.

[commit-bot: I haz the power, 2016-07-14 23:55:33]

Description was changed from

==========
Introduce gpu_fuzzer to fuzz the GPU command buffers

This fuzzer sets up a decoder using the stub GL API and runs an arbitrary string
as a command buffer.

This introduces a maximum size for buckets as well as buffers, because the
fuzzer will rapidly try to create giant ones, running out of memory (and/or
being extremely slow). The limit is kept at 1GB in production, but limited to
8MB in the fuzzer.

BUG=None
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
==========

to

==========
Introduce gpu_fuzzer to fuzz the GPU command buffers

This fuzzer sets up a decoder using the stub GL API and runs an arbitrary string
as a command buffer.

This introduces a maximum size for buckets as well as buffers, because the
fuzzer will rapidly try to create giant ones, running out of memory (and/or
being extremely slow). The limit is kept at 1GB in production, but limited to
8MB in the fuzzer.

BUG=None
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Committed: https://crrev.com/5adadcfc2694ac8b90405f5b82a856adc542d83f
Cr-Commit-Position: refs/heads/master@{#405636}
==========

[commit-bot: I haz the power, 2016-07-14 23:55:34]

Patchset 2 (id:??) landed as
https://crrev.com/5adadcfc2694ac8b90405f5b82a856adc542d83f
Cr-Commit-Position: refs/heads/master@{#405636}