1 /*
2 *
3 * Copyright 2016 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include <string.h>
20
21 #include <grpc/grpc.h>
22 #include <grpc/support/alloc.h>
23 #include <grpc/support/string_util.h>
24
25 #include "src/core/ext/transport/chttp2/transport/chttp2_transport.h"
26 #include "src/core/lib/iomgr/executor.h"
27 #include "src/core/lib/slice/slice_internal.h"
28 #include "src/core/lib/surface/channel.h"
29 #include "test/core/util/memory_counters.h"
30 #include "test/core/util/mock_endpoint.h"
31
32 bool squelch = true;
33 bool leak_check = true;
34
discard_write(grpc_slice slice)35 static void discard_write(grpc_slice slice) {}
36
tag(int n)37 static void* tag(int n) { return (void*)static_cast<uintptr_t>(n); }
38
dont_log(gpr_log_func_args * args)39 static void dont_log(gpr_log_func_args* args) {}
40
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)41 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
42 grpc_test_only_set_slice_hash_seed(0);
43 struct grpc_memory_counters counters;
44 if (squelch) gpr_set_log_function(dont_log);
45 if (leak_check) grpc_memory_counters_init();
46 grpc_init();
47 {
48 grpc_core::ExecCtx exec_ctx;
49 grpc_executor_set_threading(false);
50
51 grpc_resource_quota* resource_quota =
52 grpc_resource_quota_create("client_fuzzer");
53 grpc_endpoint* mock_endpoint =
54 grpc_mock_endpoint_create(discard_write, resource_quota);
55 grpc_resource_quota_unref_internal(resource_quota);
56
57 grpc_completion_queue* cq = grpc_completion_queue_create_for_next(nullptr);
58 grpc_transport* transport =
59 grpc_create_chttp2_transport(nullptr, mock_endpoint, true);
60 grpc_chttp2_transport_start_reading(transport, nullptr, nullptr);
61
62 grpc_arg authority_arg = grpc_channel_arg_string_create(
63 const_cast<char*>(GRPC_ARG_DEFAULT_AUTHORITY),
64 const_cast<char*>("test-authority"));
65 grpc_channel_args* args =
66 grpc_channel_args_copy_and_add(nullptr, &authority_arg, 1);
67 grpc_channel* channel = grpc_channel_create(
68 "test-target", args, GRPC_CLIENT_DIRECT_CHANNEL, transport);
69 grpc_channel_args_destroy(args);
70 grpc_slice host = grpc_slice_from_static_string("localhost");
71 grpc_call* call = grpc_channel_create_call(
72 channel, nullptr, 0, cq, grpc_slice_from_static_string("/foo"), &host,
73 gpr_inf_future(GPR_CLOCK_REALTIME), nullptr);
74
75 grpc_metadata_array initial_metadata_recv;
76 grpc_metadata_array_init(&initial_metadata_recv);
77 grpc_byte_buffer* response_payload_recv = nullptr;
78 grpc_metadata_array trailing_metadata_recv;
79 grpc_metadata_array_init(&trailing_metadata_recv);
80 grpc_status_code status;
81 grpc_slice details = grpc_empty_slice();
82
83 grpc_op ops[6];
84 memset(ops, 0, sizeof(ops));
85 grpc_op* op = ops;
86 op->op = GRPC_OP_SEND_INITIAL_METADATA;
87 op->data.send_initial_metadata.count = 0;
88 op->flags = 0;
89 op->reserved = nullptr;
90 op++;
91 op->op = GRPC_OP_SEND_CLOSE_FROM_CLIENT;
92 op->flags = 0;
93 op->reserved = nullptr;
94 op++;
95 op->op = GRPC_OP_RECV_INITIAL_METADATA;
96 op->data.recv_initial_metadata.recv_initial_metadata =
97 &initial_metadata_recv;
98 op->flags = 0;
99 op->reserved = nullptr;
100 op++;
101 op->op = GRPC_OP_RECV_MESSAGE;
102 op->data.recv_message.recv_message = &response_payload_recv;
103 op->flags = 0;
104 op->reserved = nullptr;
105 op++;
106 op->op = GRPC_OP_RECV_STATUS_ON_CLIENT;
107 op->data.recv_status_on_client.trailing_metadata = &trailing_metadata_recv;
108 op->data.recv_status_on_client.status = &status;
109 op->data.recv_status_on_client.status_details = &details;
110 op->flags = 0;
111 op->reserved = nullptr;
112 op++;
113 grpc_call_error error =
114 grpc_call_start_batch(call, ops, (size_t)(op - ops), tag(1), nullptr);
115 int requested_calls = 1;
116 GPR_ASSERT(GRPC_CALL_OK == error);
117
118 grpc_mock_endpoint_put_read(
119 mock_endpoint, grpc_slice_from_copied_buffer((const char*)data, size));
120
121 grpc_event ev;
122 while (1) {
123 grpc_core::ExecCtx::Get()->Flush();
124 ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
125 nullptr);
126 switch (ev.type) {
127 case GRPC_QUEUE_TIMEOUT:
128 goto done;
129 case GRPC_QUEUE_SHUTDOWN:
130 break;
131 case GRPC_OP_COMPLETE:
132 requested_calls--;
133 break;
134 }
135 }
136
137 done:
138 if (requested_calls) {
139 grpc_call_cancel(call, nullptr);
140 }
141 for (int i = 0; i < requested_calls; i++) {
142 ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
143 nullptr);
144 GPR_ASSERT(ev.type == GRPC_OP_COMPLETE);
145 }
146 grpc_completion_queue_shutdown(cq);
147 for (int i = 0; i < requested_calls; i++) {
148 ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
149 nullptr);
150 GPR_ASSERT(ev.type == GRPC_QUEUE_SHUTDOWN);
151 }
152 grpc_call_unref(call);
153 grpc_completion_queue_destroy(cq);
154 grpc_metadata_array_destroy(&initial_metadata_recv);
155 grpc_metadata_array_destroy(&trailing_metadata_recv);
156 grpc_slice_unref(details);
157 grpc_channel_destroy(channel);
158 if (response_payload_recv != nullptr) {
159 grpc_byte_buffer_destroy(response_payload_recv);
160 }
161 }
162 grpc_shutdown();
163 if (leak_check) {
164 counters = grpc_memory_counters_snapshot();
165 grpc_memory_counters_destroy();
166 GPR_ASSERT(counters.total_size_relative == 0);
167 }
168 return 0;
169 }
170