1 /*
2 *
3 * Copyright 2016 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include <grpc/grpc.h>
20
21 #include "src/core/ext/transport/chttp2/transport/chttp2_transport.h"
22 #include "src/core/lib/iomgr/executor.h"
23 #include "src/core/lib/slice/slice_internal.h"
24 #include "src/core/lib/surface/server.h"
25 #include "test/core/util/memory_counters.h"
26 #include "test/core/util/mock_endpoint.h"
27
28 bool squelch = true;
29 bool leak_check = true;
30
discard_write(grpc_slice slice)31 static void discard_write(grpc_slice slice) {}
32
tag(int n)33 static void* tag(int n) { return (void*)static_cast<uintptr_t>(n); }
detag(void * p)34 static int detag(void* p) { return static_cast<int>((uintptr_t)p); }
35
dont_log(gpr_log_func_args * args)36 static void dont_log(gpr_log_func_args* args) {}
37
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)38 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
39 grpc_test_only_set_slice_hash_seed(0);
40 struct grpc_memory_counters counters;
41 if (squelch) gpr_set_log_function(dont_log);
42 if (leak_check) grpc_memory_counters_init();
43 grpc_init();
44 {
45 grpc_core::ExecCtx exec_ctx;
46 grpc_executor_set_threading(false);
47
48 grpc_resource_quota* resource_quota =
49 grpc_resource_quota_create("server_fuzzer");
50 grpc_endpoint* mock_endpoint =
51 grpc_mock_endpoint_create(discard_write, resource_quota);
52 grpc_resource_quota_unref_internal(resource_quota);
53 grpc_mock_endpoint_put_read(
54 mock_endpoint, grpc_slice_from_copied_buffer((const char*)data, size));
55
56 grpc_server* server = grpc_server_create(nullptr, nullptr);
57 grpc_completion_queue* cq = grpc_completion_queue_create_for_next(nullptr);
58 grpc_server_register_completion_queue(server, cq, nullptr);
59 // TODO(ctiller): add registered methods (one for POST, one for PUT)
60 // void *registered_method =
61 // grpc_server_register_method(server, "/reg", NULL, 0);
62 grpc_server_start(server);
63 grpc_transport* transport =
64 grpc_create_chttp2_transport(nullptr, mock_endpoint, false);
65 grpc_server_setup_transport(server, transport, nullptr, nullptr);
66 grpc_chttp2_transport_start_reading(transport, nullptr, nullptr);
67
68 grpc_call* call1 = nullptr;
69 grpc_call_details call_details1;
70 grpc_metadata_array request_metadata1;
71 grpc_call_details_init(&call_details1);
72 grpc_metadata_array_init(&request_metadata1);
73 int requested_calls = 0;
74
75 GPR_ASSERT(GRPC_CALL_OK ==
76 grpc_server_request_call(server, &call1, &call_details1,
77 &request_metadata1, cq, cq, tag(1)));
78 requested_calls++;
79
80 grpc_event ev;
81 while (1) {
82 grpc_core::ExecCtx::Get()->Flush();
83 ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
84 nullptr);
85 switch (ev.type) {
86 case GRPC_QUEUE_TIMEOUT:
87 goto done;
88 case GRPC_QUEUE_SHUTDOWN:
89 break;
90 case GRPC_OP_COMPLETE:
91 switch (detag(ev.tag)) {
92 case 1:
93 requested_calls--;
94 // TODO(ctiller): keep reading that call!
95 break;
96 }
97 }
98 }
99
100 done:
101 if (call1 != nullptr) grpc_call_unref(call1);
102 grpc_call_details_destroy(&call_details1);
103 grpc_metadata_array_destroy(&request_metadata1);
104 grpc_server_shutdown_and_notify(server, cq, tag(0xdead));
105 grpc_server_cancel_all_calls(server);
106 grpc_millis deadline = grpc_core::ExecCtx::Get()->Now() + 5000;
107 for (int i = 0; i <= requested_calls; i++) {
108 // A single grpc_completion_queue_next might not be sufficient for getting
109 // the tag from shutdown, because we might potentially get blocked by
110 // an operation happening on the timer thread.
111 // For example, the deadline timer might expire, leading to the timer
112 // thread trying to cancel the RPC and thereby acquiring a few references
113 // to the call. This will prevent the shutdown to complete till the timer
114 // thread releases those references.
115 // As a solution, we are going to keep performing a cq_next for a
116 // liberal period of 5 seconds for the timer thread to complete its work.
117 do {
118 ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
119 nullptr);
120 grpc_core::ExecCtx::Get()->InvalidateNow();
121 } while (ev.type != GRPC_OP_COMPLETE &&
122 grpc_core::ExecCtx::Get()->Now() < deadline);
123 GPR_ASSERT(ev.type == GRPC_OP_COMPLETE);
124 }
125 grpc_completion_queue_shutdown(cq);
126 for (int i = 0; i <= requested_calls; i++) {
127 do {
128 ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
129 nullptr);
130 grpc_core::ExecCtx::Get()->InvalidateNow();
131 } while (ev.type != GRPC_QUEUE_SHUTDOWN &&
132 grpc_core::ExecCtx::Get()->Now() < deadline);
133 GPR_ASSERT(ev.type == GRPC_QUEUE_SHUTDOWN);
134 }
135 grpc_server_destroy(server);
136 grpc_completion_queue_destroy(cq);
137 }
138 grpc_shutdown();
139 if (leak_check) {
140 counters = grpc_memory_counters_snapshot();
141 grpc_memory_counters_destroy();
142 GPR_ASSERT(counters.total_size_relative == 0);
143 }
144 return 0;
145 }
146