Add SKSL fuzzer

fuzz/fuzz.cpp

 /*
  * Copyright 2016 Google Inc.
  *
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include "Fuzz.h"
 #include "SkCanvas.h"
 #include "SkCodec.h"
 #include "SkCommandLineFlags.h"
 #include "SkData.h"
 #include "SkImage.h"
 #include "SkImageEncoder.h"
 #include "SkMallocPixelRef.h"
 #include "SkPicture.h"
 #include "SkPicture.h"
 #include "SkPicture.h"
+#include "SkSLCompiler.h"
 #include "SkStream.h"
 
 #include <cmath>
 #include <signal.h>
 #include <stdlib.h>
 
 DEFINE_string2(bytes, b, "", "A path to a file.  This can be the fuzz bytes or a binary to parse.");
 DEFINE_string2(name, n, "", "If --type is 'api', fuzz the API with this name.");
 
 DEFINE_string2(type, t, "api", "How to interpret --bytes, either 'image_scale', 'image_mode', 'skp', 'icc', or 'api'.");
 DEFINE_string2(dump, d, "", "If not empty, dump 'image*' or 'skp' types as a PNG with this name.");
 
 static int printUsage(const char* name) {
     SkDebugf("Usage: %s -t <type> -b <path/to/file> [-n api-to-fuzz]\n", name);
     return 1;
 }
 static uint8_t calculate_option(SkData*);
 
 static int fuzz_api(sk_sp<SkData>);
 static int fuzz_img(sk_sp<SkData>, uint8_t, uint8_t);
 static int fuzz_skp(sk_sp<SkData>);
 static int fuzz_icc(sk_sp<SkData>);
 static int fuzz_color_deserialize(sk_sp<SkData>);
+static int fuzz_sksl2glsl(sk_sp<SkData>);
 
 int main(int argc, char** argv) {
     SkCommandLineFlags::Parse(argc, argv);
 
     const char* path = FLAGS_bytes.isEmpty() ? argv[0] : FLAGS_bytes[0];
     sk_sp<SkData> bytes(SkData::MakeFromFileName(path));
     if (!bytes) {
         SkDebugf("Could not read %s\n", path);
         return 2;
     }
 
     uint8_t option = calculate_option(bytes.get());
 
     if (!FLAGS_type.isEmpty()) {
-        switch (FLAGS_type[0][0]) {
-            case 'a': return fuzz_api(bytes);
-
-            case 'c': return fuzz_color_deserialize(bytes);
-
-            case 'i':
-                if (FLAGS_type[0][1] == 'c') { //icc
-                    return fuzz_icc(bytes);
-                }
-                // We only allow one degree of freedom to avoid a search space explosion for afl-fuzz.
-                if (FLAGS_type[0][6] == 's') { // image_scale
-                    return fuzz_img(bytes, option, 0);
-                }
-                // image_mode
-                return fuzz_img(bytes, 0, option);
-            case 's': return fuzz_skp(bytes);
+        if (0 == strcmp("api", FLAGS_type[0])) {
+            return fuzz_api(bytes);
+        }
+        if (0 == strcmp("color_deserialize", FLAGS_type[0])) {
+            return fuzz_color_deserialize(bytes);
+        }
+        if (0 == strcmp("icc", FLAGS_type[0])) {
+            return fuzz_icc(bytes);
+        }
+        if (0 == strcmp("image_scale", FLAGS_type[0])) {
+            return fuzz_img(bytes, option, 0);
+        }
+        if (0 == strcmp("image_mode", FLAGS_type[0])) {
+            return fuzz_img(bytes, 0, option);
+        }
+        if (0 == strcmp("skp", FLAGS_type[0])) {
+            return fuzz_skp(bytes);
+        }
+        if (0 == strcmp("sksl2glsl", FLAGS_type[0])) {
+            return fuzz_sksl2glsl(bytes);
         }
     }
     return printUsage(argv[0]);
 }
 
 // This adds up the first 1024 bytes and returns it as an 8 bit integer.  This allows afl-fuzz to
 // deterministically excercise different paths, or *options* (such as different scaling sizes or
 // different image modes) without needing to introduce a parameter.  This way we don't need a
 // image_scale1, image_scale2, image_scale4, etc fuzzer, we can just have a image_scale fuzzer.
 // Clients are expected to transform this number into a different range, e.g. with modulo (%).
@@ skipping 311 matching lines @@
 int fuzz_color_deserialize(sk_sp<SkData> bytes) {
     sk_sp<SkColorSpace> space(SkColorSpace::Deserialize(bytes->data(), bytes->size()));
     if (!space) {
         SkDebugf("[terminated] Couldn't deserialize Colorspace.\n");
         return 1;
     }
     SkDebugf("[terminated] Success! deserialized Colorspace.\n");
     return 0;
 }
 
+static SkSL::GLCaps default_caps() {
+    return {
+             400,
+             SkSL::GLCaps::kGL_Standard,
+             false, // isCoreProfile
+             false, // usesPrecisionModifiers;
+             false, // mustDeclareFragmentShaderOutput
+             true,   // canUseMinAndAbsTogether
+             false  // mustForceNegatedAtanParamToFloat
+           };
+}
+
+int fuzz_sksl2glsl(sk_sp<SkData> bytes) {
+    SkSL::Compiler compiler;
+    std::string output;
+    bool result = compiler.toGLSL(SkSL::Program::kFragment_Kind,
+        (const char*)bytes->data(), default_caps(), &output);
+
+    if (!result) {
+        SkDebugf("[terminated] Couldn't compile input.\n");
+        return 1;
+    }
+    SkDebugf("[terminated] Success! Compiled input.\n");
+    return 0;
+}
+
 Fuzz::Fuzz(sk_sp<SkData> bytes) : fBytes(bytes), fNextByte(0) {}
 
 void Fuzz::signalBug   () { SkDebugf("Signal bug\n"); raise(SIGSEGV); }
 void Fuzz::signalBoring() { SkDebugf("Signal boring\n"); exit(0); }
 
 size_t Fuzz::size() { return fBytes->size(); }
 
 size_t Fuzz::remaining() {
     return fBytes->size() - fNextByte;
 }
@@ skipping 38 matching lines @@
     if (min > max) {
         SkDebugf("Check mins and maxes (%f, %f)\n", min, max);
         this->signalBoring();
     }
     float f = std::abs(this->nextF());
     if (!std::isnormal(f) && f != 0.0) {
         this->signalBoring();
     }
     return min + fmod(f, (max - min + 1));
 }