• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Copyright 2015 The Chromium Authors
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5# Individual libfuzzer tests that didn't find their home yet.
6
7import("//build/config/features.gni")
8import("//testing/libfuzzer/fuzzer_test.gni")
9import("//third_party/protobuf/proto_library.gni")
10import("//ui/gl/features.gni")
11import("//v8/gni/v8.gni")
12
13# root BUILD depends on this target. Needed for package discovery
14group("fuzzers") {
15}
16
17fuzzer_test("empty_fuzzer") {
18  sources = [ "empty_fuzzer.cc" ]
19  additional_configs = [ "//testing/libfuzzer:no_clusterfuzz" ]
20}
21
22fuzzer_test("courgette_fuzzer") {
23  sources = [ "courgette_fuzzer.cc" ]
24  deps = [
25    "//base",
26    "//courgette:courgette_lib",
27  ]
28}
29
30fuzzer_test("language_detection_fuzzer") {
31  sources = [ "language_detection_fuzzer.cc" ]
32  deps = [
33    "//base",
34    "//components/translate/core/language_detection:language_detection",
35  ]
36}
37
38fuzzer_test("snappy_compress_fuzzer") {
39  sources = [ "snappy_compress_fuzzer.cc" ]
40  deps = [ "//third_party/snappy:snappy" ]
41  seed_corpus = "//third_party/snappy/src/testdata"
42}
43
44fuzzer_test("snappy_uncompress_fuzzer") {
45  sources = [ "snappy_uncompress_fuzzer.cc" ]
46  deps = [ "//third_party/snappy:snappy" ]
47  seed_corpus = "//third_party/snappy/src/testdata"
48}
49
50fuzzer_test("template_url_parser_fuzzer") {
51  sources = [ "template_url_parser_fuzzer.cc" ]
52  deps = [
53    "//base",
54    "//base:i18n",
55    "//components/search_engines",
56    "//mojo/core/embedder",
57    "//services/data_decoder/public/cpp",
58    "//services/data_decoder/public/cpp:test_support",
59    "//third_party/libxml:libxml",
60  ]
61  dict = "//third_party/libxml/fuzz/xml.dict"
62  libfuzzer_options = [ "max_len=4096" ]
63}
64
65fuzzer_test("url_parse_proto_fuzzer") {
66  sources = [ "url_parse_proto_fuzzer.cc" ]
67  deps = [
68    "//base",
69    "//base:i18n",
70    "//testing/libfuzzer/proto:url_proto",
71    "//third_party/libprotobuf-mutator",
72    "//url:url",
73  ]
74}
75
76fuzzer_test("libsrtp_fuzzer") {
77  sources = [ "libsrtp_fuzzer.cc" ]
78  deps = [ "//third_party/libsrtp" ]
79  libfuzzer_options = [ "max_len=1500" ]
80}
81
82libpng_seed_corpuses = [
83  "//components/test/data/viz",
84  "//third_party/blink/web_tests/images/png-suite/samples",
85  "//third_party/blink/web_tests/images/resources/pngfuzz",
86]
87
88fuzzer_test("gfx_png_image_fuzzer") {
89  sources = [ "gfx_png_image_fuzzer.cc" ]
90  deps = [
91    "//base",
92    "//ui/base",
93    "//ui/gfx",
94  ]
95  dict = "dicts/png.dict"
96  seed_corpuses = libpng_seed_corpuses
97}
98
99fuzzer_test("libxml_xml_read_memory_fuzzer") {
100  sources = [ "libxml_xml_read_memory_fuzzer.cc" ]
101  deps = [ "//third_party/libxml:libxml" ]
102  dict = "//third_party/libxml/fuzz/xml.dict"
103  seed_corpus = "//third_party/libxml/fuzz/seed_corpus"
104}
105
106fuzzer_test("libpng_progressive_read_fuzzer") {
107  sources = [ "libpng_read_fuzzer.cc" ]
108  deps = [
109    "//base",
110    "//third_party/libpng",
111  ]
112  dict = "dicts/png.dict"
113  seed_corpuses = libpng_seed_corpuses
114}
115
116fuzzer_test("v8_script_parser_fuzzer") {
117  sources = []
118  deps = [ "//v8:parser_fuzzer" ]
119  asan_options = [
120    "allow_user_segv_handler=1",
121    "handle_sigtrap=1",
122  ]
123  msan_options = [ "handle_sigtrap=1" ]
124  ubsan_options = [
125    "handle_sigtrap=1",
126    "handle_segv=1",
127  ]
128  dict = "dicts/generated/javascript.dict"
129  seed_corpus = "//v8/test/mjsunit/regress/"
130  libfuzzer_options = [ "only_ascii=1" ]
131  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
132}
133
134v8_inspector_fuzzer_corpus_dir = "$target_gen_dir/v8_inspector_fuzzer_corpus"
135
136action("generate_v8_inspector_fuzzer_corpus") {
137  script = "generate_v8_inspector_fuzzer_corpus.py"
138  sources = [ "generate_v8_inspector_fuzzer_corpus.py" ]
139  args = [
140    rebase_path("//v8/test/inspector/", root_build_dir),
141    rebase_path(v8_inspector_fuzzer_corpus_dir, root_build_dir),
142  ]
143  outputs = [ v8_inspector_fuzzer_corpus_dir ]
144}
145
146fuzzer_test("v8_inspector_fuzzer") {
147  sources = []
148  deps = [ "//v8:inspector_fuzzer" ]
149  asan_options = [
150    "allow_user_segv_handler=1",
151    "handle_sigtrap=1",
152  ]
153  msan_options = [ "handle_sigtrap=1" ]
154  ubsan_options = [
155    "handle_sigtrap=1",
156    "handle_segv=1",
157  ]
158  dict = "dicts/generated/javascript.dict"
159  seed_corpus = v8_inspector_fuzzer_corpus_dir
160  seed_corpus_deps = [ ":generate_v8_inspector_fuzzer_corpus" ]
161
162  # The fuzzer is able to handle any input, but since the input is interpreted
163  # as JS code, restricting to ascii only will increase fuzzing efficiency.
164  libfuzzer_options = [ "only_ascii=1" ]
165  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
166}
167
168fuzzer_test("v8_json_parser_fuzzer") {
169  sources = []
170  deps = [ "//v8:json_fuzzer" ]
171  asan_options = [
172    "allow_user_segv_handler=1",
173    "handle_sigtrap=1",
174  ]
175  msan_options = [ "handle_sigtrap=1" ]
176  ubsan_options = [
177    "handle_sigtrap=1",
178    "handle_segv=1",
179  ]
180  dict = "dicts/json.dict"
181  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
182}
183
184fuzzer_test("v8_regexp_parser_fuzzer") {
185  sources = []
186  deps = [ "//v8:regexp_fuzzer" ]
187  asan_options = [
188    "allow_user_segv_handler=1",
189    "handle_sigtrap=1",
190  ]
191  msan_options = [ "handle_sigtrap=1" ]
192  ubsan_options = [
193    "handle_sigtrap=1",
194    "handle_segv=1",
195  ]
196  dict = "dicts/regexp.dict"
197  seed_corpus = "//v8/test/fuzzer/regexp/"
198  libfuzzer_options = [ "max_len=64" ]
199  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
200}
201
202if (v8_enable_webassembly) {
203  fuzzer_test("v8_multi_return_fuzzer") {
204    sources = []
205    deps = [ "//v8:multi_return_fuzzer" ]
206    asan_options = [
207      "allow_user_segv_handler=1",
208      "handle_sigtrap=1",
209    ]
210    msan_options = [ "handle_sigtrap=1" ]
211    ubsan_options = [
212      "handle_sigtrap=1",
213      "handle_segv=1",
214    ]
215    environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
216  }
217
218  fuzzer_test("v8_wasm_code_fuzzer") {
219    sources = []
220    deps = [ "//v8:wasm_code_fuzzer" ]
221    libfuzzer_options = [ "max_len=500" ]
222    asan_options = [
223      "allow_user_segv_handler=1",
224      "handle_sigtrap=1",
225    ]
226    msan_options = [ "handle_sigtrap=1" ]
227    ubsan_options = [
228      "handle_sigtrap=1",
229      "handle_segv=1",
230    ]
231    environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
232  }
233
234  fuzzer_test("v8_wasm_compile_fuzzer") {
235    sources = []
236    deps = [ "//v8:wasm_compile_fuzzer" ]
237    libfuzzer_options = [ "max_len=500" ]
238    asan_options = [
239      "allow_user_segv_handler=1",
240      "handle_sigtrap=1",
241    ]
242    msan_options = [ "handle_sigtrap=1" ]
243    ubsan_options = [
244      "handle_sigtrap=1",
245      "handle_segv=1",
246    ]
247    environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
248  }
249
250  fuzzer_test("v8_wasm_fuzzer") {
251    sources = []
252    deps = [ "//v8:wasm_fuzzer" ]
253    dict = "dicts/v8_wasm.dict"
254    seed_corpus = "//v8/test/fuzzer/wasm_corpus/"
255    libfuzzer_options = [ "max_len=500" ]
256    asan_options = [
257      "allow_user_segv_handler=1",
258      "handle_sigtrap=1",
259    ]
260    msan_options = [ "handle_sigtrap=1" ]
261    ubsan_options = [
262      "handle_sigtrap=1",
263      "handle_segv=1",
264    ]
265    environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
266  }
267
268  fuzzer_test("v8_wasm_async_fuzzer") {
269    sources = []
270    deps = [ "//v8:wasm_async_fuzzer" ]
271    dict = "dicts/v8_wasm.dict"
272    seed_corpus = "//v8/test/fuzzer/wasm_corpus/"
273    libfuzzer_options = [ "max_len=500" ]
274    asan_options = [
275      "allow_user_segv_handler=1",
276      "handle_sigtrap=1",
277    ]
278    msan_options = [ "handle_sigtrap=1" ]
279    ubsan_options = [
280      "handle_sigtrap=1",
281      "handle_segv=1",
282    ]
283    environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
284  }
285
286  fuzzer_test("v8_wasm_streaming_fuzzer") {
287    sources = []
288    deps = [ "//v8:wasm_streaming_fuzzer" ]
289    libfuzzer_options = [ "max_len=500" ]
290    asan_options = [
291      "allow_user_segv_handler=1",
292      "handle_sigtrap=1",
293    ]
294    msan_options = [ "handle_sigtrap=1" ]
295    ubsan_options = [
296      "handle_sigtrap=1",
297      "handle_segv=1",
298    ]
299    environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
300  }
301}
302
303fuzzer_test("convert_woff2ttf_fuzzer") {
304  sources = [ "convert_woff2ttf_fuzzer.cc" ]
305  deps = [ "//third_party/woff2:woff2_dec" ]
306  seed_corpus = "//testing/libfuzzer/fuzzers/woff2_corpus"
307  libfuzzer_options = [ "max_len=803500" ]
308}
309
310fuzzer_test("flatbuffers_verifier_fuzzer") {
311  sources = [ "flatbuffers_verifier_fuzzer.cc" ]
312  deps = [
313    "//third_party/flatbuffers",
314    "//third_party/flatbuffers:flatbuffers_samplebuffer",
315  ]
316  libfuzzer_options = [ "max_len=1024" ]
317  seed_corpus = "//testing/libfuzzer/fuzzers/flatbuffers_corpus"
318}
319
320fuzzer_test("skia_path_fuzzer") {
321  sources = [
322    "skia_path_common.cc",
323    "skia_path_common.h",
324    "skia_path_fuzzer.cc",
325  ]
326  deps = [
327    "//base",
328    "//skia",
329  ]
330  libfuzzer_options = [ "max_len=256" ]
331  if (is_debug) {
332    # Disabled due to crashing on SkASSERT (crbug.com/642750, crbug.com/643275).
333    additional_configs = [ "//testing/libfuzzer:no_clusterfuzz" ]
334  }
335}
336
337fuzzer_test("skia_pathop_fuzzer") {
338  sources = [
339    "skia_path_common.cc",
340    "skia_path_common.h",
341    "skia_pathop_fuzzer.cc",
342  ]
343  deps = [
344    "//base",
345    "//skia",
346  ]
347  libfuzzer_options = [ "max_len=512" ]
348  if (is_debug) {
349    # Disabled due to crashing on SkASSERT (crbug.com/642750, crbug.com/643275).
350    additional_configs = [ "//testing/libfuzzer:no_clusterfuzz" ]
351  }
352}
353
354fuzzer_test("prtime_fuzzer") {
355  sources = [ "prtime_fuzzer.cc" ]
356  deps = [ "//base" ]
357  dict = "dicts/prtime.dict"
358  libfuzzer_options = [ "max_len=1024" ]
359}
360
361fuzzer_test("angle_translator_fuzzer") {
362  sources = []
363  deps = [ "//third_party/angle:translator_fuzzer" ]
364  libfuzzer_options = [ "max_len=1000" ]
365  dict = "dicts/webgl-glsl.dict"
366}
367
368fuzzer_test("sha1_fuzzer") {
369  sources = [ "sha1_fuzzer.cc" ]
370  deps = [ "//base" ]
371}
372
373fuzzer_test("hash_fuzzer") {
374  sources = [ "hash_fuzzer.cc" ]
375  deps = [ "//base" ]
376}
377
378action("gen_javascript_parser_proto") {
379  # Only targets in this file and the top-level visibility target can
380  # depend on this.
381  visibility = [ ":*" ]
382
383  script = "generate_javascript_parser_proto.py"
384
385  sources = [ "dicts/javascript_parser_proto.dict" ]
386
387  outputs = [
388    "$target_gen_dir/javascript_parser.proto",
389    "$target_gen_dir/javascript_parser_proto_to_string.cc",
390  ]
391
392  args = rebase_path(outputs, root_build_dir) +
393         rebase_path(sources, root_build_dir)
394}
395
396proto_library("javascript_parser_proto") {
397  sources = [ "$target_gen_dir/javascript_parser.proto" ]
398  proto_deps = [ ":gen_javascript_parser_proto" ]
399  proto_out_dir = ""
400}
401
402fuzzer_test("javascript_parser_proto_fuzzer") {
403  generated_sources = [ "$target_gen_dir/javascript_parser_proto_to_string.cc" ]
404  sources = [
405    "javascript_parser_proto_fuzzer.cc",
406    "javascript_parser_proto_to_string.h",
407  ]
408  deps = [
409    ":gen_javascript_parser_proto",
410    ":javascript_parser_proto",
411    "//third_party/libprotobuf-mutator",
412    "//v8:v8",
413    "//v8:v8_libplatform",
414  ]
415}
416
417fuzzer_test("v8_fully_instrumented_fuzzer") {
418  sources = [ "v8_fuzzer.cc" ]
419  deps = [
420    "//base",
421    "//v8:v8",
422    "//v8:v8_libplatform",
423  ]
424  dict = "dicts/generated/javascript.dict"
425  asan_options = [
426    "allow_user_segv_handler=1",
427    "handle_sigtrap=1",
428  ]
429  msan_options = [ "handle_sigtrap=1" ]
430  ubsan_options = [
431    "handle_sigtrap=1",
432    "handle_segv=1",
433  ]
434  libfuzzer_options = [ "only_ascii=1" ]
435}
436
437fuzzer_test("skia_image_filter_proto_fuzzer") {
438  sources = [ "skia_image_filter_proto_fuzzer.cc" ]
439
440  deps = [
441    "//base",
442    "//base/test:test_support",
443    "//skia",
444    "//testing/libfuzzer/proto:skia_image_filter_converter",
445    "//testing/libfuzzer/proto:skia_image_filter_proto",
446    "//third_party/libprotobuf-mutator",
447  ]
448}
449
450# We build the libyuv_scale_fuzzer both for fuzztest
451# and libfuzzer, for education/comparison purposes.
452# Abstract the common parts:
453source_set("libyuv_scale_fuzzer_common") {
454  testonly = true
455  sources = [
456    "libyuv_scale_fuzzer.cc",
457    "libyuv_scale_fuzzer.h",
458  ]
459
460  public_deps = [ "//third_party/libyuv" ]
461}
462
463# The libfuzzer version (which also works with other compatible
464# frameworks, e.g. centipede)
465fuzzer_test("libyuv_scale_fuzzer") {
466  sources = [ "libyuv_scale_fuzzer_libfuzzer.cc" ]
467  deps = [ ":libyuv_scale_fuzzer_common" ]
468}
469
470# This is a fuzztest fuzzer, which (for now) means we build this as
471# a unit test rather than using a fuzzing gn template such as
472# fuzzer_test.
473# This executable can be run in four modes:
474# modes:
475# ./libyuv_scale_fuzzer - runs a small amount of fuzzing as if
476#    to fit in with a unit test framework, just to look for
477#    egregious bugs
478# With the enable_fuzztest_fuzz gn arg:
479#   ./libyuv_scale_fuzzer -fuzz=    - fuzzes properly.
480# With the use_centipede gn arg:
481#   centipede --binary=libyuv_scale_fuzzer - fuzzes using centipede
482# With the use_libfuzzer gn arg:
483#   ./libyuv_scale_fuzzer - runs in a libfuzzer-compatible way
484# Note that right now this is using the plain 'test' template.
485# In time, we may choose a different option here.
486test("libyuv_scale_fuzztest") {
487  sources = [ "libyuv_scale_fuzztest.cc" ]
488  enable_fuzztest = true
489
490  deps = [
491    ":libyuv_scale_fuzzer_common",
492    "//third_party/fuzztest:fuzztest_gtest_main",
493  ]
494}
495
496proto_library("command_buffer_lpm_fuzzer_proto") {
497  sources = [ "command_buffer_lpm_fuzzer/cmd_buf_lpm_fuzz.proto" ]
498
499  use_protobuf_full = true
500  deps = [ "//third_party/protobuf:protobuf_full" ]
501}
502
503fuzzer_test("command_buffer_lpm_fuzzer") {
504  sources = [
505    "command_buffer_lpm_fuzzer/cmd_buf_lpm_fuzz.cc",
506    "command_buffer_lpm_fuzzer/cmd_buf_lpm_fuzz.h",
507    "command_buffer_lpm_fuzzer/webgpu_support.cc",
508    "command_buffer_lpm_fuzzer/webgpu_support.h",
509  ]
510
511  # This is a hack. These files should be pulled in as a result of the
512  # dependency on //gpu:webgpu which has a public dependency on
513  # //gpu/command_buffer/client:webgpu_sources, but for some reason these files
514  # get dropped in component builds, so manually add them to the sources here.
515  if (is_component_build) {
516    sources += [
517      "//gpu/command_buffer/client/webgpu_implementation.cc",
518      "//gpu/command_buffer/client/webgpu_implementation.h",
519    ]
520
521    if (use_dawn) {
522      sources += [
523        "//gpu/command_buffer/client/dawn_client_memory_transfer_service.cc",
524        "//gpu/command_buffer/client/dawn_client_memory_transfer_service.h",
525        "//gpu/command_buffer/client/dawn_client_serializer.cc",
526        "//gpu/command_buffer/client/dawn_client_serializer.h",
527      ]
528    }
529  }
530
531  deps = [
532    ":command_buffer_lpm_fuzzer_proto",
533    "//base",
534    "//base/test:test_support",
535    "//base/third_party/dynamic_annotations",
536    "//build:chromeos_buildflags",
537    "//components/viz/common:shared_image_format",
538    "//components/viz/test:test_support",  # TODO: huge; is there something more
539                                           # targeted?
540    "//content/public/common:static_switches",
541    "//gpu:gles2",
542    "//gpu:gpu",
543    "//gpu:test_support",
544    "//gpu:webgpu",
545    "//gpu/command_buffer/client",
546    "//gpu/command_buffer/client:gles2_c_lib",
547    "//gpu/command_buffer/client:gles2_implementation",
548    "//gpu/command_buffer/common",
549    "//gpu/command_buffer/common:gles2_utils",
550    "//gpu/command_buffer/service",
551    "//gpu/config",
552    "//gpu/ipc:gl_in_process_context",
553    "//gpu/ipc/client",
554    "//gpu/ipc/common",
555    "//gpu/ipc/host",
556    "//gpu/ipc/service:service",
557    "//gpu/webgpu:common",
558    "//mojo/core/embedder",
559    "//mojo/core/embedder",
560    "//mojo/public/cpp/bindings",
561    "//testing/gmock",
562    "//testing/gtest:gtest",
563    "//third_party/libprotobuf-mutator",
564    "//ui/gfx:gfx",
565    "//ui/gl:gl",
566    "//ui/gl:test_support",
567    "//ui/gl/init:init",
568    "//url",
569  ]
570
571  if (use_dawn) {
572    deps += [
573      "//third_party/dawn/src/dawn:cpp",
574      "//third_party/dawn/src/dawn:proc",
575      "//third_party/dawn/src/dawn/native",
576    ]
577  }
578
579  libfuzzer_options = [ "max_len=16384" ]
580}
581