Bug 1485463 - Part 1 - added a fuzzer for PCompositorManagerParent IPC; r=jrmuizel
authorAlex Gaynor <agaynor@mozilla.com>
Wed, 23 Jan 2019 14:32:38 +0000
changeset 515198 08a365b043d71ff7f2c0cd08bce4469151296f7e
parent 515197 e3dee65958a3ebe2c0f1fcec48bc896e5ffbefb6
child 515199 5f1830b621aa67dedf3a9da4e8311b732a0bde97
reviewersjrmuizel
bugs1485463
milestone66.0a1
Bug 1485463 - Part 1 - added a fuzzer for PCompositorManagerParent IPC; r=jrmuizel Differential Revision: https://phabricator.services.mozilla.com/D14587
gfx/layers/ipc/CompositorBridgeParent.h
gfx/layers/ipc/fuzztest/compositor_manager_parent_ipc_libfuzz.cpp
gfx/layers/ipc/fuzztest/moz.build
gfx/layers/moz.build
tools/fuzzing/ipc/ProtocolFuzzer.cpp
tools/fuzzing/ipc/ProtocolFuzzer.h
--- a/gfx/layers/ipc/CompositorBridgeParent.h
+++ b/gfx/layers/ipc/CompositorBridgeParent.h
@@ -54,16 +54,19 @@ class CancelableRunnable;
 namespace gfx {
 class DrawTarget;
 class GPUProcessManager;
 class GPUParent;
 }  // namespace gfx
 
 namespace ipc {
 class Shmem;
+#ifdef FUZZING
+class ProtocolFuzzerHelper;
+#endif
 }  // namespace ipc
 
 namespace layers {
 
 class APZCTreeManager;
 class APZCTreeManagerParent;
 class APZSampler;
 class APZUpdater;
@@ -205,16 +208,19 @@ MOZ_MAKE_ENUM_CLASS_BITWISE_OPERATORS(
 
 class CompositorBridgeParent final : public CompositorBridgeParentBase,
                                      public CompositorController,
                                      public CompositorVsyncSchedulerOwner {
   friend class CompositorThreadHolder;
   friend class InProcessCompositorSession;
   friend class gfx::GPUProcessManager;
   friend class gfx::GPUParent;
+#ifdef FUZZING
+  friend class mozilla::ipc::ProtocolFuzzerHelper;
+#endif
 
  public:
   NS_IMETHOD_(MozExternalRefCountType) AddRef() override {
     return CompositorBridgeParentBase::AddRef();
   }
   NS_IMETHOD_(MozExternalRefCountType) Release() override {
     return CompositorBridgeParentBase::Release();
   }
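Review bot: The new `friend class mozilla::ipc::ProtocolFuzzerHelper;` grants the fuzzer helper access to every private member of `CompositorBridgeParent`, not only the `Setup()` call the helper wraps in ProtocolFuzzer.cpp, and nothing at the declaration says why the friendship exists. Since the `#ifdef FUZZING` guard keeps it out of non-fuzzing builds the exposure is limited, but a one-line comment would stop a later reader from widening its use: `// Fuzzing-only: lets the IPC protocol fuzzer run the private Setup() without making it public.` The forward declaration added in the earlier hunk of this file (inside `namespace ipc`) is the matching half of the same change and needs no separate note. Whether `Setup()` is in fact private is inferred from the need for the friend declaration rather than visible here.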
new file mode 100644
--- /dev/null
+++ b/gfx/layers/ipc/fuzztest/compositor_manager_parent_ipc_libfuzz.cpp
@@ -0,0 +1,40 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "gtest/gtest.h"
+
+#include "FuzzingInterface.h"
+#include "ProtocolFuzzer.h"
+
+#include "mozilla/layers/CompositorBridgeParent.h"
+#include "mozilla/layers/CompositorManagerParent.h"
+#include "mozilla/layers/LayerTreeOwnerTracker.h"
+
+int
+FuzzingInitCompositorManagerParentIPC(int* argc, char*** argv)
+{
+  mozilla::ipc::ProtocolFuzzerHelper::CompositorBridgeParentSetup();
+  mozilla::layers::LayerTreeOwnerTracker::Initialize();
+  return 0;
+}
+
+static int
+RunCompositorManagerParentIPCFuzzing(const uint8_t* data, size_t size)
+{
+  static mozilla::layers::CompositorManagerParent* p =
+    mozilla::layers::CompositorManagerParent::CreateSameProcess().take();
+
+  static nsTArray<nsCString> ignored = mozilla::ipc::LoadIPCMessageBlacklist(
+    getenv("MOZ_IPC_MESSAGE_FUZZ_BLACKLIST"));
+
+  mozilla::ipc::FuzzProtocol(p, data, size, ignored);
+
+  return 0;
+}
+
+MOZ_FUZZING_INTERFACE_RAW(FuzzingInitCompositorManagerParentIPC,
+                          RunCompositorManagerParentIPCFuzzing,
+                          CompositorManagerParentIPC);
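Review bot: `RunCompositorManagerParentIPCFuzzing` keeps `p` and `ignored` as function-local statics and obtains `p` via `.take()` with no comment, so a reader cannot tell that the `CompositorManagerParent` is created once on the first fuzz iteration, reused by every later call to `FuzzProtocol`, and deliberately never released for the lifetime of the process. A short comment above the two statics would make the intent explicit: `// Created once on the first iteration and shared by all later ones; the raw pointer is intentionally leaked for the process lifetime.` If `CreateSameProcess()` can yield a null result — not visible from this hunk — `FuzzProtocol` would be handed a null protocol, so a `MOZ_RELEASE_ASSERT(p);` after the initialisation would fail loudly instead. `getenv` is used without an explicit `<cstdlib>` include, relying on a transitive include; `LoadIPCMessageBlacklist` does handle the unset-variable (null) case, as the `if (aPath)` check in ProtocolFuzzer.cpp shows.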
new file mode 100644
--- /dev/null
+++ b/gfx/layers/ipc/fuzztest/moz.build
@@ -0,0 +1,18 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Library('FuzzingCompositorManagerParentIPC')
+
+SOURCES += [
+    'compositor_manager_parent_ipc_libfuzz.cpp'
+]
+
+include('/ipc/chromium/chromium-config.mozbuild')
+
+FINAL_LIBRARY = 'xul-gtest'
+
+# Add libFuzzer configuration directives
+include('/tools/fuzzing/libfuzzer-config.mozbuild')
--- a/gfx/layers/moz.build
+++ b/gfx/layers/moz.build
@@ -585,8 +585,16 @@ if CONFIG['CC_TYPE'] in ('clang', 'gcc')
     CXXFLAGS += [
         '-Wno-maybe-uninitialized'
     ]
 
 if CONFIG['MOZ_ENABLE_SKIA']:
   UNIFIED_SOURCES += [
     'composite/PaintCounter.cpp',
   ]
+
+if CONFIG['FUZZING'] and CONFIG['FUZZING_INTERFACES']:
+    TEST_DIRS += [
+        'ipc/fuzztest'
+    ]
+
+# Add libFuzzer configuration directives
+include('/tools/fuzzing/libfuzzer-config.mozbuild')
--- a/tools/fuzzing/ipc/ProtocolFuzzer.cpp
+++ b/tools/fuzzing/ipc/ProtocolFuzzer.cpp
@@ -1,14 +1,16 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+#include "mozilla/layers/CompositorBridgeParent.h"
+
 #include "ProtocolFuzzer.h"
 
 namespace mozilla {
 namespace ipc {
 
 nsTArray<nsCString> LoadIPCMessageBlacklist(const char* aPath) {
   nsTArray<nsCString> blacklist;
   if (aPath) {
@@ -21,10 +23,15 @@ nsTArray<nsCString> LoadIPCMessageBlackl
 mozilla::dom::ContentParent* ProtocolFuzzerHelper::CreateContentParent(
     mozilla::dom::ContentParent* aOpener, const nsAString& aRemoteType) {
   auto* cp = new mozilla::dom::ContentParent(aOpener, aRemoteType);
   // TODO: this duplicates MessageChannel::Open
   cp->GetIPCChannel()->mWorkerThread = GetCurrentVirtualThread();
   cp->GetIPCChannel()->mMonitor = new RefCountedMonitor();
   return cp;
 }
+
+void ProtocolFuzzerHelper::CompositorBridgeParentSetup() {
+  mozilla::layers::CompositorBridgeParent::Setup();
+}
+
 }  // namespace ipc
 }  // namespace mozilla
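Review bot: The new `ProtocolFuzzerHelper::CompositorBridgeParentSetup()` is a one-line forwarding wrapper with no comment explaining why the fuzzer cannot call `CompositorBridgeParent::Setup()` directly; the reason appears to be that the helper is a `friend` of `CompositorBridgeParent` (added in this commit) and `Setup()` is otherwise inaccessible. Add above the definition, and mirror it on the declaration in ProtocolFuzzer.h: `// Forwards to CompositorBridgeParent::Setup(), which is reachable only via the friend access granted to this helper.` The earlier hunk of this file places `#include "mozilla/layers/CompositorBridgeParent.h"` before the file's own header `ProtocolFuzzer.h`, which inverts the usual own-header-first ordering; swapping the two include groups would also verify that ProtocolFuzzer.h is self-contained. Whether `Setup()` is safe to invoke more than once per process is not visible here; if it is not, the wrapper is a natural place to document that.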
--- a/tools/fuzzing/ipc/ProtocolFuzzer.h
+++ b/tools/fuzzing/ipc/ProtocolFuzzer.h
@@ -15,16 +15,18 @@
 namespace mozilla {
 namespace ipc {
 
 class ProtocolFuzzerHelper {
  public:
   static mozilla::dom::ContentParent* CreateContentParent(
       mozilla::dom::ContentParent* aOpener, const nsAString& aRemoteType);
 
+  static void CompositorBridgeParentSetup();
+
   template <typename T>
   static void AddShmemToProtocol(T* aProtocol, Shmem::SharedMemory* aSegment,
                                  int32_t aId) {
     GetToplevelState(aProtocol)->mShmemMap.AddWithID(aSegment, aId);
   }
 
   template <typename T>
   static void RemoveShmemFromProtocol(T* aProtocol, int32_t aId) {