1 /*
2 *
3 * Copyright 2016 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include <grpc/grpc.h>
20
21 #include "src/core/ext/transport/chttp2/transport/chttp2_transport.h"
22 #include "src/core/lib/iomgr/executor.h"
23 #include "src/core/lib/slice/slice_internal.h"
24 #include "src/core/lib/surface/server.h"
25 #include "test/core/util/mock_endpoint.h"
26
27 bool squelch = true;
28 bool leak_check = true;
29
discard_write(grpc_slice)30 static void discard_write(grpc_slice /*slice*/) {}
31
tag(int n)32 static void* tag(int n) { return (void*)static_cast<uintptr_t>(n); }
detag(void * p)33 static int detag(void* p) { return static_cast<int>((uintptr_t)p); }
34
dont_log(gpr_log_func_args *)35 static void dont_log(gpr_log_func_args* /*args*/) {}
36
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)37 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
38 grpc_test_only_set_slice_hash_seed(0);
39 if (squelch) gpr_set_log_function(dont_log);
40 grpc_init();
41 {
42 grpc_core::ExecCtx exec_ctx;
43 grpc_core::Executor::SetThreadingAll(false);
44
45 grpc_resource_quota* resource_quota =
46 grpc_resource_quota_create("server_fuzzer");
47 grpc_endpoint* mock_endpoint =
48 grpc_mock_endpoint_create(discard_write, resource_quota);
49 grpc_resource_quota_unref_internal(resource_quota);
50 grpc_mock_endpoint_put_read(
51 mock_endpoint, grpc_slice_from_copied_buffer((const char*)data, size));
52
53 grpc_server* server = grpc_server_create(nullptr, nullptr);
54 grpc_completion_queue* cq = grpc_completion_queue_create_for_next(nullptr);
55 grpc_server_register_completion_queue(server, cq, nullptr);
56 // TODO(ctiller): add more registered methods (one for POST, one for PUT)
57 grpc_server_register_method(server, "/reg", nullptr, {}, 0);
58 grpc_server_start(server);
59 grpc_transport* transport =
60 grpc_create_chttp2_transport(nullptr, mock_endpoint, false);
61 grpc_server_setup_transport(server, transport, nullptr, nullptr, nullptr);
62 grpc_chttp2_transport_start_reading(transport, nullptr, nullptr);
63
64 grpc_call* call1 = nullptr;
65 grpc_call_details call_details1;
66 grpc_metadata_array request_metadata1;
67 grpc_call_details_init(&call_details1);
68 grpc_metadata_array_init(&request_metadata1);
69 int requested_calls = 0;
70
71 GPR_ASSERT(GRPC_CALL_OK ==
72 grpc_server_request_call(server, &call1, &call_details1,
73 &request_metadata1, cq, cq, tag(1)));
74 requested_calls++;
75
76 grpc_event ev;
77 while (1) {
78 grpc_core::ExecCtx::Get()->Flush();
79 ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
80 nullptr);
81 switch (ev.type) {
82 case GRPC_QUEUE_TIMEOUT:
83 goto done;
84 case GRPC_QUEUE_SHUTDOWN:
85 break;
86 case GRPC_OP_COMPLETE:
87 switch (detag(ev.tag)) {
88 case 1:
89 requested_calls--;
90 // TODO(ctiller): keep reading that call!
91 break;
92 }
93 }
94 }
95
96 done:
97 if (call1 != nullptr) grpc_call_unref(call1);
98 grpc_call_details_destroy(&call_details1);
99 grpc_metadata_array_destroy(&request_metadata1);
100 grpc_server_shutdown_and_notify(server, cq, tag(0xdead));
101 grpc_server_cancel_all_calls(server);
102 grpc_millis deadline = grpc_core::ExecCtx::Get()->Now() + 5000;
103 for (int i = 0; i <= requested_calls; i++) {
104 // A single grpc_completion_queue_next might not be sufficient for getting
105 // the tag from shutdown, because we might potentially get blocked by
106 // an operation happening on the timer thread.
107 // For example, the deadline timer might expire, leading to the timer
108 // thread trying to cancel the RPC and thereby acquiring a few references
109 // to the call. This will prevent the shutdown to complete till the timer
110 // thread releases those references.
111 // As a solution, we are going to keep performing a cq_next for a
112 // liberal period of 5 seconds for the timer thread to complete its work.
113 do {
114 ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
115 nullptr);
116 grpc_core::ExecCtx::Get()->InvalidateNow();
117 } while (ev.type != GRPC_OP_COMPLETE &&
118 grpc_core::ExecCtx::Get()->Now() < deadline);
119 GPR_ASSERT(ev.type == GRPC_OP_COMPLETE);
120 }
121 grpc_completion_queue_shutdown(cq);
122 for (int i = 0; i <= requested_calls; i++) {
123 do {
124 ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
125 nullptr);
126 grpc_core::ExecCtx::Get()->InvalidateNow();
127 } while (ev.type != GRPC_QUEUE_SHUTDOWN &&
128 grpc_core::ExecCtx::Get()->Now() < deadline);
129 GPR_ASSERT(ev.type == GRPC_QUEUE_SHUTDOWN);
130 }
131 grpc_server_destroy(server);
132 grpc_completion_queue_destroy(cq);
133 }
134 grpc_shutdown();
135 return 0;
136 }
137