Add SKSL fuzzer

fuzz/fuzz.cpp

 /*
  * Copyright 2016 Google Inc.
  *
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include "Fuzz.h"
 #include "SkCanvas.h"
 #include "SkCodec.h"
 #include "SkCommandLineFlags.h"
 #include "SkData.h"
 #include "SkImage.h"
 #include "SkImageEncoder.h"
 #include "SkMallocPixelRef.h"
 #include "SkPicture.h"
 #include "SkPicture.h"
 #include "SkPicture.h"
+#include "SkSLCompiler.h"
 #include "SkStream.h"
 
 #include <cmath>
 #include <signal.h>
 #include <stdlib.h>
 
 DEFINE_string2(bytes, b, "", "A path to a file.  This can be the fuzz bytes or a binary to parse.");
 DEFINE_string2(name, n, "", "If --type is 'api', fuzz the API with this name.");
 
 DEFINE_string2(type, t, "api", "How to interpret --bytes, either 'image_scale', 'image_mode', 'skp', 'icc', or 'api'.");
 DEFINE_string2(dump, d, "", "If not empty, dump 'image*' or 'skp' types as a PNG with this name.");
 
 static int printUsage(const char* name) {
     SkDebugf("Usage: %s -t <type> -b <path/to/file> [-n api-to-fuzz]\n", name);
     return 1;
 }
 static uint8_t calculate_option(SkData*);
 
 static int fuzz_api(sk_sp<SkData>);
 static int fuzz_img(sk_sp<SkData>, uint8_t, uint8_t);
 static int fuzz_skp(sk_sp<SkData>);
 static int fuzz_icc(sk_sp<SkData>);
 static int fuzz_color_deserialize(sk_sp<SkData>);
+static int fuzz_sksl2glsl(sk_sp<SkData>);
 
 int main(int argc, char** argv) {
     SkCommandLineFlags::Parse(argc, argv);
 
     const char* path = FLAGS_bytes.isEmpty() ? argv[0] : FLAGS_bytes[0];
     sk_sp<SkData> bytes(SkData::MakeFromFileName(path));
     if (!bytes) {
         SkDebugf("Could not read %s\n", path);
         return 2;
     }
 
     uint8_t option = calculate_option(bytes.get());
 
     if (!FLAGS_type.isEmpty()) {
         switch (FLAGS_type[0][0]) {
             case 'a': return fuzz_api(bytes);
 
             case 'c': return fuzz_color_deserialize(bytes);
 
             case 'i':
                 if (FLAGS_type[0][1] == 'c') { //icc
                     return fuzz_icc(bytes);
                 }
                 // We only allow one degree of freedom to avoid a search space explosion for afl-fuzz.
                 if (FLAGS_type[0][6] == 's') { // image_scale
                     return fuzz_img(bytes, option, 0);
                 }
                 // image_mode
                 return fuzz_img(bytes, 0, option);
-            case 's': return fuzz_skp(bytes);
+            case 's':
+                if (FLAGS_type[0][2] == 's') { //sksl2glsl

[mtklein_C, 2016/10/14 15:26:18]

It may be time to rewrite this parsing.  It's getting kind of complex now, and
it'd be easier to read with strings, e.g.

...
if (0 == strcmp("skp"      , FLAGS_type[0]) { return fuzz_skp      (bytes); }
if (0 == strcmp("sksl2glsl", FLAGS_type[0]) { return fuzz_sksl2glsl(bytes); }
...

Side note: I just had to type sksl2glsl a couple times and it's a complete
finger twister.  It can probably be something pithier like sksl?

[kjlubick, 2016/10/14 16:28:05]

Done.  I'm keeping sksl2glsl because I imagine we'll want to have sksl2spirv in
the near future.

+                    return fuzz_sksl2glsl(bytes);
+                }
+            return fuzz_skp(bytes);
         }
     }
     return printUsage(argv[0]);
 }
 
 // This adds up the first 1024 bytes and returns it as an 8 bit integer.  This allows afl-fuzz to
 // deterministically excercise different paths, or *options* (such as different scaling sizes or
 // different image modes) without needing to introduce a parameter.  This way we don't need a
 // image_scale1, image_scale2, image_scale4, etc fuzzer, we can just have a image_scale fuzzer.
 // Clients are expected to transform this number into a different range, e.g. with modulo (%).
@@ skipping 311 matching lines @@
 int fuzz_color_deserialize(sk_sp<SkData> bytes) {
     sk_sp<SkColorSpace> space(SkColorSpace::Deserialize(bytes->data(), bytes->size()));
     if (!space) {
         SkDebugf("[terminated] Couldn't deserialize Colorspace.\n");
         return 1;
     }
     SkDebugf("[terminated] Success! deserialized Colorspace.\n");
     return 0;
 }
 
+static SkSL::GLCaps default_caps() {
+    return {
+             400,
+             SkSL::GLCaps::kGL_Standard,
+             false, // isCoreProfile
+             false, // usesPrecisionModifiers;
+             false, // mustDeclareFragmentShaderOutput
+             true,   // canUseMinAndAbsTogether
+             false  // mustForceNegatedAtanParamToFloat
+           };
+}
+
+int fuzz_sksl2glsl(sk_sp<SkData> bytes) {
+    SkSL::Compiler compiler;
+    std::string output;
+    bool result = compiler.toGLSL(SkSL::Program::kFragment_Kind,
+        reinterpret_cast<const char*>(bytes->data()), default_caps(), &output);

[mtklein_C, 2016/10/14 15:26:18]

This probably shouldn't be reinterpret_cast.  It'll work fine but it gives off a
strong "I am doing something weird and byte-punny here" vibe.  Really we're just
turning bytes into bytes... nothing weird.

Try (const char*)bytes->data(), or maybe just bytes->bytes() if that works?

[kjlubick, 2016/10/14 16:28:05]

Done.  bytes->bytes() did not work

+
+    if (!result) {
+        //SkDebugf("%s\n", compiler.errorText().c_str());
+        SkDebugf("[terminated] Couldn't compile input.\n");
+        return 1;
+    }
+    //SkDebugf("%s\n", output.c_str());
+    SkDebugf("[terminated] Success! Compiled input.\n");
+    return 0;
+}
+
 Fuzz::Fuzz(sk_sp<SkData> bytes) : fBytes(bytes), fNextByte(0) {}
 
 void Fuzz::signalBug   () { SkDebugf("Signal bug\n"); raise(SIGSEGV); }
 void Fuzz::signalBoring() { SkDebugf("Signal boring\n"); exit(0); }
 
 size_t Fuzz::size() { return fBytes->size(); }
 
 size_t Fuzz::remaining() {
     return fBytes->size() - fNextByte;
 }
@@ skipping 38 matching lines @@
     if (min > max) {
         SkDebugf("Check mins and maxes (%f, %f)\n", min, max);
         this->signalBoring();
     }
     float f = std::abs(this->nextF());
     if (!std::isnormal(f) && f != 0.0) {
         this->signalBoring();
     }
     return min + fmod(f, (max - min + 1));
 }