encounter/dawn-cmake
1
0
Fork 0
mirror of https://github.com/encounter/dawn-cmake.git synced 2025-12-09 21:47:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

tint->dawn: Move src/fuzzers/dawn -> src/dawn/fuzzers

Browse Source 
This has already been moved once, but with more consideration, there's far less fuzzer-related stuff to put in the same root directory here.

Bug: dawn:1275
Change-Id: Ic4bb556d9a9f104293cca3316cae84b66a6362b6
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/79104
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
This commit is contained in:
Ben Clayton
2022-02-04 18:48:05 +00:00
committed by Dawn LUCI CQ
parent a6750751c7
commit c6ccd539e8
10 changed files with 133 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
src/fuzzers/dawn/BUILD.gn
View File

@@ -1,4 +1,4 @@
# Copyright 2018 The Dawn Authors
# Copyright 2022 The Dawn Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -12,113 +12,11 @@
# See the License for the specific language governing permissions and
# limitations under the License.
import("//build_overrides/build.gni")
import("../../../scripts/dawn_overrides_with_defaults.gni")
# We only have libfuzzer in Chromium builds but if we build fuzzer targets only
# there, we would risk breaking fuzzer targets all the time when making changes
# to Dawn. To avoid that, we make fuzzer targets compile in standalone builds
# as well with a dawn_fuzzer_test target that acts like Chromium's fuzzer_test.
#
# The standalone fuzzer targets are able to run a single fuzzer input which
# could help reproduce fuzzer crashes more easily because you don't need a
# whole Chromium checkout.
if (build_with_chromium) {
import("//testing/libfuzzer/fuzzer_test.gni")
# In Chromium build we just proxy everything to the real fuzzer_test
template("dawn_fuzzer_test") {
fuzzer_test(target_name) {
forward_variables_from(invoker, "*")
}
}
} else {
import("//testing/test.gni")
# In standalone build we do something similar to fuzzer_test.
template("dawn_fuzzer_test") {
test(target_name) {
forward_variables_from(invoker,
[
"asan_options",
"cflags",
"cflags_cc",
"check_includes",
"defines",
"deps",
"include_dirs",
"sources",
])
if (defined(asan_options)) {
not_needed([ "asan_options" ])
}
if (!defined(configs)) {
configs = []
}
# Weirdly fuzzer_test uses a special variable for additional configs.
if (defined(invoker.additional_configs)) {
configs += invoker.additional_configs
}
sources += [ "StandaloneFuzzerMain.cpp" ]
}
}
}
static_library("dawn_wire_server_fuzzer_common") {
sources = [
"DawnWireServerFuzzer.cpp",
"DawnWireServerFuzzer.h",
]
public_deps = [
"${dawn_root}/src/dawn:cpp",
"${dawn_root}/src/dawn:proc",
"${dawn_root}/src/dawn/common",
"${dawn_root}/src/dawn/native:static",
"${dawn_root}/src/dawn/utils",
"${dawn_root}/src/dawn/wire:static",
]
}
dawn_fuzzer_test("dawn_wire_server_and_frontend_fuzzer") {
sources = [ "DawnWireServerAndFrontendFuzzer.cpp" ]
deps = [ ":dawn_wire_server_fuzzer_common" ]
additional_configs = [ "${dawn_root}/src/dawn/common:internal_config" ]
}
if (is_win) {
dawn_fuzzer_test("dawn_wire_server_and_d3d12_backend_fuzzer") {
sources = [ "DawnWireServerAndD3D12BackendFuzzer.cpp" ]
deps = [ ":dawn_wire_server_fuzzer_common" ]
additional_configs = [ "${dawn_root}/src/dawn/common:internal_config" ]
}
}
dawn_fuzzer_test("dawn_wire_server_and_vulkan_backend_fuzzer") {
sources = [ "DawnWireServerAndVulkanBackendFuzzer.cpp" ]
deps = [ ":dawn_wire_server_fuzzer_common" ]
additional_configs = [ "${dawn_root}/src/dawn/common:internal_config" ]
}
# A group target to build all the fuzzers
################################################################################
# Build target aliases
# TODO(crbug.com/dawn/1275) - remove these
################################################################################
group("dawn_fuzzers") {
public_deps = [ "../../dawn/fuzzers" ]
testonly = true
deps = [
":dawn_wire_server_and_frontend_fuzzer",
":dawn_wire_server_and_vulkan_backend_fuzzer",
]
if (is_win) {
deps += [ ":dawn_wire_server_and_d3d12_backend_fuzzer" ]
}
}

44
src/fuzzers/dawn/DawnWireServerAndD3D12BackendFuzzer.cpp
View File

@@ -1,44 +0,0 @@
// Copyright 2020 The Dawn Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "DawnWireServerFuzzer.h"
#include "dawn/native/DawnNative.h"
#include "testing/libfuzzer/libfuzzer_exports.h"
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
return DawnWireServerFuzzer::Initialize(argc, argv);
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
return DawnWireServerFuzzer::Run(
data, size,
[](dawn::native::Instance* instance) {
std::vector<dawn::native::Adapter> adapters = instance->GetAdapters();
wgpu::Device device;
for (dawn::native::Adapter adapter : adapters) {
wgpu::AdapterProperties properties;
adapter.GetProperties(&properties);
if (properties.backendType == wgpu::BackendType::D3D12 &&
properties.adapterType == wgpu::AdapterType::CPU) {
device = wgpu::Device::Acquire(adapter.CreateDevice());
break;
}
}
return device;
},
true /* supportsErrorInjection */);
}

46
src/fuzzers/dawn/DawnWireServerAndFrontendFuzzer.cpp
View File

@@ -1,46 +0,0 @@
// Copyright 2018 The Dawn Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "DawnWireServerFuzzer.h"
#include "dawn/common/Assert.h"
#include "dawn/native/DawnNative.h"
#include "testing/libfuzzer/libfuzzer_exports.h"
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
return DawnWireServerFuzzer::Initialize(argc, argv);
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
return DawnWireServerFuzzer::Run(
data, size,
[](dawn::native::Instance* instance) {
std::vector<dawn::native::Adapter> adapters = instance->GetAdapters();
wgpu::Device nullDevice;
for (dawn::native::Adapter adapter : adapters) {
wgpu::AdapterProperties properties;
adapter.GetProperties(&properties);
if (properties.backendType == wgpu::BackendType::Null) {
nullDevice = wgpu::Device::Acquire(adapter.CreateDevice());
break;
}
}
ASSERT(nullDevice.Get() != nullptr);
return nullDevice;
},
false /* supportsErrorInjection */);
}

44
src/fuzzers/dawn/DawnWireServerAndVulkanBackendFuzzer.cpp
View File

@@ -1,44 +0,0 @@
// Copyright 2019 The Dawn Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "DawnWireServerFuzzer.h"
#include "dawn/native/DawnNative.h"
#include "testing/libfuzzer/libfuzzer_exports.h"
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
return DawnWireServerFuzzer::Initialize(argc, argv);
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
return DawnWireServerFuzzer::Run(
data, size,
[](dawn::native::Instance* instance) {
std::vector<dawn::native::Adapter> adapters = instance->GetAdapters();
wgpu::Device device;
for (dawn::native::Adapter adapter : adapters) {
wgpu::AdapterProperties properties;
adapter.GetProperties(&properties);
if (properties.backendType == wgpu::BackendType::Vulkan &&
properties.adapterType == wgpu::AdapterType::CPU) {
device = wgpu::Device::Acquire(adapter.CreateDevice());
break;
}
}
return device;
},
true /* supportsErrorInjection */);
}

141
src/fuzzers/dawn/DawnWireServerFuzzer.cpp
View File

@@ -1,141 +0,0 @@
// Copyright 2019 The Dawn Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "DawnWireServerFuzzer.h"
#include "dawn/common/Assert.h"
#include "dawn/common/Log.h"
#include "dawn/common/SystemUtils.h"
#include "dawn/dawn_proc.h"
#include "dawn/native/DawnNative.h"
#include "dawn/utils/SystemUtils.h"
#include "dawn/webgpu_cpp.h"
#include "dawn/wire/WireServer.h"
#include <fstream>
#include <vector>
namespace {
class DevNull : public dawn::wire::CommandSerializer {
public:
size_t GetMaximumAllocationSize() const override {
// Some fuzzer bots have a 2GB allocation limit. Pick a value reasonably below that.
return 1024 * 1024 * 1024;
}
void* GetCmdSpace(size_t size) override {
if (size > buf.size()) {
buf.resize(size);
}
return buf.data();
}
bool Flush() override {
return true;
}
private:
std::vector<char> buf;
};
std::unique_ptr<dawn::native::Instance> sInstance;
WGPUProcDeviceCreateSwapChain sOriginalDeviceCreateSwapChain = nullptr;
bool sCommandsComplete = false;
WGPUSwapChain ErrorDeviceCreateSwapChain(WGPUDevice device,
WGPUSurface surface,
const WGPUSwapChainDescriptor*) {
WGPUSwapChainDescriptor desc = {};
// A 0 implementation will trigger a swapchain creation error.
desc.implementation = 0;
return sOriginalDeviceCreateSwapChain(device, surface, &desc);
}
} // namespace
int DawnWireServerFuzzer::Initialize(int* argc, char*** argv) {
// TODO(crbug.com/1038952): The Instance must be static because destructing the vkInstance with
// Swiftshader crashes libFuzzer. When this is fixed, move this into Run so that error injection
// for adapter discovery can be fuzzed.
sInstance = std::make_unique<dawn::native::Instance>();
sInstance->DiscoverDefaultAdapters();
return 0;
}
int DawnWireServerFuzzer::Run(const uint8_t* data,
size_t size,
MakeDeviceFn MakeDevice,
bool supportsErrorInjection) {
// We require at least the injected error index.
if (size < sizeof(uint64_t)) {
return 0;
}
// Get and consume the injected error index.
uint64_t injectedErrorIndex = *reinterpret_cast<const uint64_t*>(data);
data += sizeof(uint64_t);
size -= sizeof(uint64_t);
if (supportsErrorInjection) {
dawn::native::EnableErrorInjector();
// Clear the error injector since it has the previous run's call counts.
dawn::native::ClearErrorInjector();
dawn::native::InjectErrorAt(injectedErrorIndex);
}
DawnProcTable procs = dawn::native::GetProcs();
// Swapchains receive a pointer to an implementation. The fuzzer will pass garbage in so we
// intercept calls to create swapchains and make sure they always return error swapchains.
// This is ok for fuzzing because embedders of dawn_wire would always define their own
// swapchain handling.
sOriginalDeviceCreateSwapChain = procs.deviceCreateSwapChain;
procs.deviceCreateSwapChain = ErrorDeviceCreateSwapChain;
dawnProcSetProcs(&procs);
wgpu::Device device = MakeDevice(sInstance.get());
if (!device) {
// We should only ever fail device creation if an error was injected.
ASSERT(supportsErrorInjection);
return 0;
}
DevNull devNull;
dawn::wire::WireServerDescriptor serverDesc = {};
serverDesc.procs = &procs;
serverDesc.serializer = &devNull;
std::unique_ptr<dawn::wire::WireServer> wireServer(new dawn_wire::WireServer(serverDesc));
wireServer->InjectDevice(device.Get(), 1, 0);
wireServer->HandleCommands(reinterpret_cast<const char*>(data), size);
// Wait for all previous commands before destroying the server.
// TODO(enga): Improve this when we improve/finalize how processing events happens.
{
device.GetQueue().OnSubmittedWorkDone(
0u, [](WGPUQueueWorkDoneStatus, void*) { sCommandsComplete = true; }, nullptr);
while (!sCommandsComplete) {
device.Tick();
utils::USleep(100);
}
}
wireServer = nullptr;
return 0;
}

34
src/fuzzers/dawn/DawnWireServerFuzzer.h
View File

@@ -1,34 +0,0 @@
// Copyright 2019 The Dawn Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "dawn/webgpu_cpp.h"
#include <cstdint>
#include <functional>
namespace dawn::native {
class Instance;
} // namespace dawn::native
namespace DawnWireServerFuzzer {
using MakeDeviceFn = std::function<wgpu::Device(dawn::native::Instance*)>;
int Initialize(int* argc, char*** argv);
int Run(const uint8_t* data, size_t size, MakeDeviceFn MakeDevice, bool supportsErrorInjection);
} // namespace DawnWireServerFuzzer

68
src/fuzzers/dawn/StandaloneFuzzerMain.cpp
View File

@@ -1,68 +0,0 @@
// Copyright 2018 The Dawn Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <vector>
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv);
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);
int main(int argc, char** argv) {
if (LLVMFuzzerInitialize(&argc, &argv)) {
std::cerr << "Failed to initialize fuzzer target" << std::endl;
return 1;
}
if (argc != 2) {
std::cout << "Usage: <standalone reproducer> [options] FILE" << std::endl;
return 1;
}
std::cout << "WARNING: this is just a best-effort reproducer for fuzzer issues in standalone "
<< "Dawn builds. For the real fuzzer, please build inside Chromium." << std::endl;
const char* filename = argv[1];
std::cout << "Reproducing using file: " << filename << std::endl;
std::vector<char> data;
{
FILE* file = fopen(filename, "rb");
if (!file) {
std::cerr << "Failed to open " << filename << std::endl;
return 1;
}
fseek(file, 0, SEEK_END);
long tellFileSize = ftell(file);
if (tellFileSize <= 0) {
std::cerr << "Input file of incorrect size: " << filename << std::endl;
return 1;
}
fseek(file, 0, SEEK_SET);
size_t fileSize = static_cast<size_t>(tellFileSize);
data.resize(fileSize);
size_t bytesRead = fread(data.data(), sizeof(char), fileSize, file);
fclose(file);
if (bytesRead != fileSize) {
std::cerr << "Failed to read " << filename << std::endl;
return 1;
}
}
return LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t*>(data.data()), data.size());
}