Add ScopedTaskScheduler in URLRequestDataJobFuzzerHarness.

net/url_request/url_request_data_job_fuzzer.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <memory>
 #include <string>
 
 #include "base/memory/ptr_util.h"
 #include "base/memory/singleton.h"
+#include "base/message_loop/message_loop.h"
 #include "base/run_loop.h"
 #include "base/test/fuzzed_data_provider.h"
-#include "base/threading/thread_task_runner_handle.h"
+#include "base/test/scoped_task_scheduler.h"
 #include "net/http/http_request_headers.h"
 #include "net/url_request/data_protocol_handler.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_job_factory_impl.h"
 #include "net/url_request/url_request_test_util.h"
 
 namespace {
 
 const size_t kMaxLengthForFuzzedRange = 32;
 
 }  // namespace
 
 // This class tests creating and reading to completion a URLRequest with fuzzed
 // input. The fuzzer provides a data: URL and optionally generates custom Range
 // headers. The amount of data read in each Read call is also fuzzed, as is
 // the size of the IOBuffer to read data into.
 class URLRequestDataJobFuzzerHarness : public net::URLRequest::Delegate {
  public:
   URLRequestDataJobFuzzerHarness()
-      : context_(true), task_runner_(base::ThreadTaskRunnerHandle::Get()) {
+      : scoped_task_scheduler_(base::MessageLoop::current()), context_(true) {
     job_factory_.SetProtocolHandler(
         "data", base::MakeUnique<net::DataProtocolHandler>());
     context_.set_job_factory(&job_factory_);
     context_.Init();
   }
 
   static URLRequestDataJobFuzzerHarness* GetInstance() {
     return base::Singleton<URLRequestDataJobFuzzerHarness>::get();
   }
 
@@ skipping 45 matching lines @@
     base::RunLoop read_loop;
     read_loop_ = &read_loop;
     request->Start();
     read_loop.Run();
     read_loop_ = nullptr;
     return 0;
   }
 
   void QuitLoop() {
     DCHECK(read_loop_);
-    task_runner_->PostTask(FROM_HERE, read_loop_->QuitClosure());
+    read_loop_->QuitWhenIdle();

[fdoray, 2017/02/14 18:24:30]

QuitWhenIdle() quits the loop when there are no more pending tasks.
Alternatively, we could use Quit() to quit immediately.

I prefer QuitWhenIdle() because it prevents potential errors from being skipped.

[xunjieli, 2017/02/14 18:55:31]

QuitWhenIdle() can be flaky in some cases. I know this fuzzer is only run on a
single thread, so QuitWhenIdle() might be equivalent to the original code.

However, I prefer if you post read_loop_->QuitClosure() to the task scheduler,
so the original logic is kept.

Is that feasible?

[fdoray, 2017/02/16 15:08:59]

Done.

   }
 
   void ReadFromRequest(net::URLRequest* request) {
     int bytes_read = 0;
     do {
       // If possible, pop the next read size. If none exists, then this should
       // be the last call to Read.
       bool using_populated_read = read_lengths_.size() > 0;
       size_t read_size = 1;
       if (using_populated_read) {
@@ skipping 39 matching lines @@
     if (bytes_read > 0) {
       ReadFromRequest(request);
     } else {
       QuitLoop();
     }
   }
 
  private:
   friend struct base::DefaultSingletonTraits<URLRequestDataJobFuzzerHarness>;
 
+  base::test::ScopedTaskScheduler scoped_task_scheduler_;
   net::TestURLRequestContext context_;
   net::URLRequestJobFactoryImpl job_factory_;
   std::vector<size_t> read_lengths_;
   scoped_refptr<net::IOBuffer> buf_;
-  scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
   base::RunLoop* read_loop_;
 
   DISALLOW_COPY_AND_ASSIGN(URLRequestDataJobFuzzerHarness);
 };
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // Using a static singleton test harness lets the test run ~3-4x faster.
   return URLRequestDataJobFuzzerHarness::GetInstance()
       ->CreateAndReadFromDataURLRequest(data, size);
 }