FuzzSkRuntimeBlender.cpp

Go to the documentation of this file.

/*
 * Copyright 2023 Google, LLC
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
 
#include "fuzz/Fuzz.h"
#include "fuzz/FuzzCommon.h"
#include "include/core/SkCanvas.h"
#include "include/core/SkPaint.h"
#include "include/core/SkShader.h"
#include "include/core/SkSurface.h"
#include "include/effects/SkRuntimeEffect.h"
#include "include/private/base/SkTArray.h"
#include "src/gpu/ganesh/GrShaderCaps.h"
 
using namespace skia_private;
 
/**
 * The fuzzer treats the input bytes as an SkSL blend program. The requested number of
 * uniforms and children are automatically synthesized to match the program's needs.
 *
 * We fuzz twice, with two different settings for inlining in the SkSL compiler. By default, the
 * compiler inlines most small to medium functions. This can hide bugs related to function-calling.
 * So we run the fuzzer once with inlining disabled, and again with it enabled.
 * This gives us better coverage, and eases the burden on the fuzzer to inject useless noise into
 * functions to suppress inlining.
 */
static bool FuzzSkRuntimeBlender_Once(const SkString& shaderText,
                                      const SkRuntimeEffect::Options& options) {
    SkRuntimeEffect::Result result = SkRuntimeEffect::MakeForBlender(shaderText, options);
    SkRuntimeEffect* effect = result.effect.get();
    if (!effect) {
        return false;
    }
 
    sk_sp<SkData> uniformBytes;
    TArray<SkRuntimeEffect::ChildPtr> children;
    FuzzCreateValidInputsForRuntimeEffect(effect, uniformBytes, children);
 
    sk_sp<SkBlender> blender = effect->makeBlender(uniformBytes, SkSpan(children));
    if (!blender) {
        return false;
    }
    SkPaint paint;
    paint.setColor(SK_ColorRED);
    paint.setBlender(std::move(blender));
 
    sk_sp<SkSurface> s = SkSurfaces::Raster(SkImageInfo::MakeN32Premul(4, 4));
    if (!s) {
        return false;
    }
    s->getCanvas()->drawPaint(paint);
 
    return true;
}
 
bool FuzzSkRuntimeBlender(const uint8_t *data, size_t size) {
    // Test once with optimization disabled...
    SkString shaderText{reinterpret_cast<const char*>(data), size};
    SkRuntimeEffect::Options options;
    options.forceUnoptimized = true;
    bool result = FuzzSkRuntimeBlender_Once(shaderText, options);
 
    // ... and then with optimization enabled.
    options.forceUnoptimized = false;
    result = FuzzSkRuntimeBlender_Once(shaderText, options) || result;
 
    return result;
}
 
#if defined(SK_BUILD_FOR_LIBFUZZER)
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size > 3000) {
        return 0;
    }
    FuzzSkRuntimeBlender(data, size);
    return 0;
}
#endif