1 /*
2 * Copyright 2020 Google, LLC
3 *
4 * Use of this source code is governed by a BSD-style license that can be
5 * found in the LICENSE file.
6 */
7
8 #include "include/core/SkCanvas.h"
9 #include "include/core/SkPaint.h"
10 #include "include/core/SkSurface.h"
11 #include "include/effects/SkRuntimeEffect.h"
12 #include "src/gpu/GrShaderCaps.h"
13
14 #include "fuzz/Fuzz.h"
15
16 static constexpr size_t kReservedBytes = 256;
17 /**
18 * The fuzzer will take in the bytes and divide into two parts.
19 * original bytes : [... code bytes ... | 256 bytes]
20 * The first part is codeBytes, the original bytes minus 256 bytes, which will be treated
21 * as sksl code, intending to create SkRuntimeEffect.
22 * For the second part, it will first reserve 256 bytes and then allocate bytes with same size
23 * as effect->inputSize() to uniformBytes. The uniformBytes is intended to create makeShader().
24 * Note that if uniformBytes->size() != effect->inputSize() the shader won't be created.
25 *
26 * We fuzz twice, with two different settings for inlining in the SkSL compiler. By default, the
27 * compiler inlines most small to medium functions. This can hide bugs related to function-calling.
28 * So we run the fuzzer once with inlining disabled, and again with it enabled (aggressively).
29 * This gives us better coverage, and eases the burden on the fuzzer to inject useless noise into
30 * functions to suppress inlining.
31 */
FuzzSkRuntimeEffect_Once(sk_sp<SkData> bytes,const SkRuntimeEffect::Options & options)32 static bool FuzzSkRuntimeEffect_Once(sk_sp<SkData> bytes, const SkRuntimeEffect::Options& options) {
33 if (bytes->size() < kReservedBytes) {
34 return false;
35 }
36 sk_sp<SkData> codeBytes = SkData::MakeSubset(bytes.get(), 0, bytes->size() - kReservedBytes);
37
38 SkString shaderText{static_cast<const char*>(codeBytes->data()), codeBytes->size()};
39 SkRuntimeEffect::Result result = SkRuntimeEffect::MakeForShader(shaderText, options);
40 SkRuntimeEffect* effect = result.effect.get();
41
42 if (!effect || effect->uniformSize() > kReservedBytes) { // if there is not enough uniform bytes
43 return false;
44 }
45 sk_sp<SkData> uniformBytes =
46 SkData::MakeSubset(bytes.get(), bytes->size() - kReservedBytes, effect->uniformSize());
47 auto shader = effect->makeShader(uniformBytes, /*children=*/nullptr, /*childCount=*/0,
48 /*localMatrix=*/nullptr, /*isOpaque=*/false);
49 if (!shader) {
50 return false;
51 }
52 SkPaint paint;
53 paint.setShader(std::move(shader));
54
55 sk_sp<SkSurface> s = SkSurface::MakeRasterN32Premul(128, 128);
56 if (!s) {
57 return false;
58 }
59 s->getCanvas()->drawPaint(paint);
60
61 return true;
62 }
63
FuzzSkRuntimeEffect(sk_sp<SkData> bytes)64 bool FuzzSkRuntimeEffect(sk_sp<SkData> bytes) {
65 // Test once with the inliner disabled...
66 SkRuntimeEffect::Options options;
67 options.forceNoInline = true;
68 bool result = FuzzSkRuntimeEffect_Once(bytes, options);
69
70 // ... and then with the inliner enabled.
71 options.forceNoInline = false;
72 result = FuzzSkRuntimeEffect_Once(bytes, options) || result;
73
74 return result;
75 }
76
77 #if defined(SK_BUILD_FOR_LIBFUZZER)
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)78 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
79 if (size > 3000) {
80 return 0;
81 }
82 auto bytes = SkData::MakeWithoutCopy(data, size);
83 FuzzSkRuntimeEffect(bytes);
84 return 0;
85 }
86 #endif
87