You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
171 lines
5.2 KiB
171 lines
5.2 KiB
// Copyright 2019 The Chromium OS Authors. All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are
|
|
// met:
|
|
//
|
|
// * Redistributions of source code must retain the above copyright
|
|
// notice, this list of conditions and the following disclaimer.
|
|
// * Redistributions in binary form must reproduce the above
|
|
// copyright notice, this list of conditions and the following disclaimer
|
|
// in the documentation and/or other materials provided with the
|
|
// distribution.
|
|
// * Neither the name of Google Inc. nor the names of its
|
|
// contributors may be used to endorse or promote products derived from
|
|
// this software without specific prior written permission.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
#include <stdio.h>
|
|
#include <signal.h>
|
|
#include <stdbool.h>
|
|
#include <unistd.h>
|
|
#include <stdlib.h>
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
#include <sys/un.h>
|
|
#include <fcntl.h>
|
|
#include <getopt.h>
|
|
#include <string.h>
|
|
|
|
#include "util.h"
|
|
#include "util/u_memory.h"
|
|
#include "vtest.h"
|
|
#include "vtest_protocol.h"
|
|
#include "virglrenderer.h"
|
|
|
|
int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);
|
|
|
|
#ifndef CLEANUP_EACH_INPUT
|
|
// eglInitialize leaks unless eglTeriminate is called (which only happens
|
|
// with CLEANUP_EACH_INPUT), so suppress leak detection on everything
|
|
// allocated by it.
|
|
|
|
#if !defined(__has_feature)
|
|
#define __has_feature(x) 0
|
|
#endif
|
|
|
|
#if __has_feature(address_sanitizer)
|
|
const char* __lsan_default_suppressions(void);
|
|
|
|
const char* __lsan_default_suppressions() {
|
|
return "leak:dri2_initialize_surfaceless\n";
|
|
}
|
|
#endif // __has_feature(address_sanitizer)
|
|
|
|
#endif // !CLEANUP_EACH_INPUT
|
|
|
|
typedef int (*vtest_cmd_fptr_t)(uint32_t);
|
|
|
|
static vtest_cmd_fptr_t vtest_commands[] = {
|
|
NULL /* CMD ids starts at 1 */,
|
|
vtest_send_caps,
|
|
vtest_create_resource,
|
|
vtest_resource_unref,
|
|
vtest_transfer_get_nop,
|
|
vtest_transfer_put_nop,
|
|
vtest_submit_cmd,
|
|
NULL, /* VCMD_RESOURCE_BUSY_WAIT is determined by VTEST_FUZZER_FENCES */
|
|
NULL, /* VCMD_CREATE_RENDERER is a specific case */
|
|
vtest_send_caps2,
|
|
vtest_ping_protocol_version,
|
|
vtest_protocol_version,
|
|
vtest_create_resource2,
|
|
vtest_transfer_get2_nop,
|
|
vtest_transfer_put2_nop,
|
|
};
|
|
|
|
static void vtest_fuzzer_run_renderer(int out_fd, struct vtest_input *input,
|
|
int ctx_flags, bool wait_fences)
|
|
{
|
|
struct vtest_context *context = NULL;
|
|
int ret;
|
|
uint32_t header[VTEST_HDR_SIZE];
|
|
|
|
vtest_commands[VCMD_RESOURCE_BUSY_WAIT] = wait_fences ?
|
|
vtest_resource_busy_wait : vtest_resource_busy_wait_nop;
|
|
|
|
do {
|
|
ret = input->read(input, &header, sizeof(header));
|
|
if (ret < 0 || (size_t)ret < sizeof(header)) {
|
|
break;
|
|
}
|
|
|
|
if (!context) {
|
|
/* The first command MUST be VCMD_CREATE_RENDERER */
|
|
if (header[1] != VCMD_CREATE_RENDERER) {
|
|
break;
|
|
}
|
|
|
|
ret = vtest_init_renderer(false, ctx_flags, NULL);
|
|
if (ret >= 0) {
|
|
ret = vtest_create_context(input, out_fd, header[0], &context);
|
|
}
|
|
if (ret >= 0) {
|
|
ret = vtest_lazy_init_context(context);
|
|
}
|
|
if (ret < 0) {
|
|
break;
|
|
}
|
|
vtest_set_current_context(context);
|
|
vtest_poll_resource_busy_wait();
|
|
continue;
|
|
}
|
|
|
|
vtest_poll_resource_busy_wait();
|
|
if (header[1] <= 0 || header[1] >= ARRAY_SIZE(vtest_commands)) {
|
|
break;
|
|
}
|
|
|
|
if (vtest_commands[header[1]] == NULL) {
|
|
break;
|
|
}
|
|
|
|
ret = vtest_commands[header[1]](header[0]);
|
|
if (ret < 0) {
|
|
break;
|
|
}
|
|
} while (1);
|
|
|
|
if (context) {
|
|
vtest_destroy_context(context);
|
|
}
|
|
vtest_cleanup_renderer();
|
|
}
|
|
|
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
|
|
{
|
|
/* Limit unbounded allocations under fuzzer default limits. */
|
|
vtest_set_max_length(256 * 1024 * 1024);
|
|
|
|
int out_fd = open("/dev/null", O_WRONLY);
|
|
|
|
struct vtest_buffer buffer;
|
|
buffer.buffer = data;
|
|
buffer.size = size;
|
|
struct vtest_input input;
|
|
input.data.buffer = &buffer;
|
|
input.read = vtest_buf_read;
|
|
|
|
vtest_fuzzer_run_renderer(out_fd, &input,
|
|
VIRGL_RENDERER_USE_EGL |
|
|
VIRGL_RENDERER_USE_SURFACELESS |
|
|
(getenv("VTEST_FUZZER_USE_GL") != NULL ?
|
|
0 : VIRGL_RENDERER_USE_GLES),
|
|
getenv("VTEST_FUZZER_FENCES") != NULL);
|
|
|
|
close(out_fd);
|
|
|
|
return 0;
|
|
}
|
|
|