author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-01-29 16:35:13 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-02-01 15:33:35 +0000 |
commit | c8c2d1901aec01e934adf561a9fdf0cc776cdef8 (patch) | |
tree | 9157c3d9815e5870799e070b113813bec53e0535 /chromium/third_party/libprotobuf-mutator | |
parent | abefd5095b41dac94ca451d784ab6e27372e981a (diff) | |
download | qtwebengine-chromium-c8c2d1901aec01e934adf561a9fdf0cc776cdef8.tar.gz |
BASELINE: Update Chromium to 64.0.3282.139
Change-Id: I1cae68fe9c94ff7608b26b8382fc19862cdb293a
Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
Diffstat (limited to 'chromium/third_party/libprotobuf-mutator')
11 files changed, 86 insertions, 109 deletions
diff --git a/chromium/third_party/libprotobuf-mutator/BUILD.gn b/chromium/third_party/libprotobuf-mutator/BUILD.gn
index a82ecc8006a..42ddc48704d 100644
--- a/chromium/third_party/libprotobuf-mutator/BUILD.gn
+++ b/chromium/third_party/libprotobuf-mutator/BUILD.gn
@@ -1,6 +1,5 @@
 # Copyright 2017 The Chromium Authors. All rights reserved.
-
-import("//testing/libfuzzer/fuzzer_test.gni")
+import("//build/config/sanitizers/sanitizers.gni")
 config("include_config") {
 include_dirs = [ "src/" ]
@@ -8,23 +7,33 @@ config("include_config") {
 source_set("libprotobuf-mutator") {
 testonly = true
- configs += [ ":include_config" ]
- public_configs = [ ":include_config" ]
- sources = [
- "src/src/binary_format.cc",
- "src/src/libfuzzer/libfuzzer_macro.cc",
- "src/src/libfuzzer/libfuzzer_mutator.cc",
- "src/src/mutator.cc",
- "src/src/text_format.cc",
- "src/src/utf8_fix.cc",
- ]
- deps = [
- "//third_party/protobuf:protobuf_full",
- ]
- # Let ClusterFuzz builders know to not build targets that depend on
- # libprotobuf-mutator for AFL.
- if (use_afl) {
- all_dependent_configs = [ "//testing/libfuzzer:no_clusterfuzz" ]
+ # Dont allow building on windows to avoid tryjob failure. This is OK since
+ # libFuzzer doesn't build on windows anyway.
+ if (!is_win) {
+ configs += [ ":include_config" ]
+
+ # Remove *San and coverage for a performance boost.
+ configs -= not_fuzzed_remove_configs
+ configs += [ "//build/config/sanitizers:not_fuzzed" ]
+
+ public_configs = [ ":include_config" ]
+ sources = [
+ "src/src/binary_format.cc",
+ "src/src/libfuzzer/libfuzzer_macro.cc",
+ "src/src/libfuzzer/libfuzzer_mutator.cc",
+ "src/src/mutator.cc",
+ "src/src/text_format.cc",
+ "src/src/utf8_fix.cc",
+ ]
+ deps = [
+ "//third_party/protobuf:protobuf_full",
+ ]
+
+ # Let ClusterFuzz builders know to not build targets that depend on
+ # libprotobuf-mutator for AFL.
+ if (use_afl) {
+ all_dependent_configs = [ "//testing/libfuzzer:no_clusterfuzz" ]
+ }
 }
 }
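Review bot: The `configs -= not_fuzzed_remove_configs` / `configs += [ "//build/config/sanitizers:not_fuzzed" ]` pair strips, per its own comment, sanitizer and coverage instrumentation from the mutator's own sources, so a memory-safety bug in binary_format.cc, text_format.cc or utf8_fix.cc — code that parses fuzzer-controlled bytes — would no longer be reported by ASan in fuzzing builds; the comment states the performance motive but not this detection trade-off, so I would extend it to `# Remove *San and coverage for a performance boost. NOTE: bugs inside the mutator itself will not be sanitizer-reported.` On Windows the target now degrades to an empty source_set with no `public_configs`, so a Windows dependent that still includes the headers fails at compile time rather than at link time; if that is intended, the `!is_win` comment (which also has the typo `Dont` → `Don't`) should say so explicitly.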
diff --git a/chromium/third_party/libprotobuf-mutator/OWNERS b/chromium/third_party/libprotobuf-mutator/OWNERS
index 63072487b29..d315db4d2a3 100644
--- a/chromium/third_party/libprotobuf-mutator/OWNERS
+++ b/chromium/third_party/libprotobuf-mutator/OWNERS
@@ -1,2 +1,4 @@
 kcc@chromium.org
+metzman@chromium.org
+mmoroz@chromium.org
 vitalybuka@chromium.org
diff --git a/chromium/third_party/libprotobuf-mutator/src/.travis.yml b/chromium/third_party/libprotobuf-mutator/src/.travis.yml
index 049a9304a24..58d53386fab 100644
--- a/chromium/third_party/libprotobuf-mutator/src/.travis.yml
+++ b/chromium/third_party/libprotobuf-mutator/src/.travis.yml
@@ -14,7 +14,7 @@ addons:
 - ubuntu-toolchain-r-test
 env:
- global: CLANG_VERSION=5.0 GCC_VERSION=4.8
+ global: CLANG_VERSION=6.0 GCC_VERSION=4.8
 matrix:
 include:
@@ -23,10 +23,10 @@ matrix:
 apt:
 packages:
 - *common_packages
- - clang-5.0
+ - clang-6.0
 sources:
 - *common_sources
- - sourceline: 'deb http://apt.llvm.org/trusty/ llvm-toolchain-trusty-5.0 main'
+ - sourceline: 'deb http://apt.llvm.org/jessie/ llvm-toolchain-jessie main'
 key_url: 'http://apt.llvm.org/llvm-snapshot.gpg.key'
 - env: BUILD_TYPE=Debug CC_COMPILER=clang-${CLANG_VERSION} CXX_COMPILER=clang++-${CLANG_VERSION}
diff --git a/chromium/third_party/libprotobuf-mutator/src/CMakeLists.txt b/chromium/third_party/libprotobuf-mutator/src/CMakeLists.txt
index 240aa5a6626..c018d453c50 100644
--- a/chromium/third_party/libprotobuf-mutator/src/CMakeLists.txt
+++ b/chromium/third_party/libprotobuf-mutator/src/CMakeLists.txt
@@ -54,15 +54,20 @@ set(CMAKE_REQUIRED_FLAGS "-fsanitize-coverage=0")
 check_cxx_compiler_flag(-fsanitize-coverage= LIB_PROTO_MUTATOR_HAS_NO_COVERAGE)
 unset(CMAKE_REQUIRED_FLAGS)
-set(CMAKE_REQUIRED_FLAGS "-fsanitize-coverage=trace-pc-guard")
-check_cxx_compiler_flag(-fsanitize-coverage=trace-pc-guard LIB_PROTO_MUTATOR_HAS_TRACE_PC)
+set(CMAKE_REQUIRED_FLAGS "-fsanitize=fuzzer-no-link")
+check_cxx_compiler_flag(-fsanitize=fuzzer-no-link LIB_PROTO_MUTATOR_HAS_SANITIZE_FUZZER)
 unset(CMAKE_REQUIRED_FLAGS)
-set(CMAKE_REQUIRED_FLAGS "-fsanitize-coverage=trace-cmp")
-check_cxx_compiler_flag(-fsanitize-coverage=trace-cmp LIB_PROTO_MUTATOR_HAS_TRACE_CMP)
+set(CMAKE_REQUIRED_FLAGS "-fno-sanitize=fuzzer")
+check_cxx_compiler_flag(-fno-sanitize=fuzzer LIB_PROTO_MUTATOR_HAS_NO_SANITIZE_FUZZER)
 unset(CMAKE_REQUIRED_FLAGS)
-set(EXTRA_FLAGS "-fno-exceptions -Werror -Wall -Wstring-conversion")
+check_cxx_compiler_flag(-Wstring-conversion LIB_PROTO_MUTATOR_HAS_WSTRING_CONVERSION)
+
+set(EXTRA_FLAGS "-fno-exceptions -Werror -Wall")
+if (LIB_PROTO_MUTATOR_HAS_WSTRING_CONVERSION)
+ set(EXTRA_FLAGS "${EXTRA_FLAGS} -Wstring-conversion")
+endif()
 if (LIB_PROTO_MUTATOR_WITH_ASAN)
 if (LIB_PROTO_MUTATOR_HAS_SANITIZE_ADDRESS)
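Review bot: The result variable of the `-fno-sanitize=fuzzer` probe is spelled `LIB_PROTO_MUTATOR_HAS_NO_SANITIZE_FUZZER` here, but the next hunk of this file (`@@ -73,24 +78,18 @@`) tests `LIB_PROTO_MUTATOR_HAS_SANITIZE_NO_FUZZER`, which nothing sets, so `NO_FUZZING_FLAGS` never receives `-fno-sanitize=fuzzer` and ends up as just ` -fsanitize-coverage=0`. One spelling should be changed to match, e.g. `if (LIB_PROTO_MUTATOR_HAS_NO_SANITIZE_FUZZER)` in the later hunk. CMake treats an undefined variable in `if()` as false without any diagnostic, which is why this slipped through; a `message(STATUS "NO_FUZZING_FLAGS: ${NO_FUZZING_FLAGS}")` after the block would make the resolved flags visible in the configure log.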
@@ -73,24 +78,18 @@ if (LIB_PROTO_MUTATOR_WITH_ASAN)
 endif()
 endif()
-if (LIB_PROTO_MUTATOR_HAS_TRACE_PC)
- list(APPEND SANITIZE_COVERAGE_OPTIONS trace-pc-guard)
-endif()
-if (LIB_PROTO_MUTATOR_HAS_TRACE_CMP)
- list(APPEND SANITIZE_COVERAGE_OPTIONS trace-cmp)
-endif()
-
-if (SANITIZE_COVERAGE_OPTIONS)
- foreach(OPT ${SANITIZE_COVERAGE_OPTIONS})
- set(FUZZING_FLAGS "${FUZZING_FLAGS},${OPT}")
- endforeach()
- string(SUBSTRING ${FUZZING_FLAGS} 1 -1 FUZZING_FLAGS)
- set(FUZZING_FLAGS "-fsanitize-coverage=${FUZZING_FLAGS}")
- set(NO_FUZZING_FLAGS "-fsanitize-coverage=0")
+# Assume CFLAGS has coverage options if LIB_PROTO_MUTATOR_FUZZER_LIBRARIES was set
+if ("${LIB_PROTO_MUTATOR_FUZZER_LIBRARIES}" STREQUAL "")
+ if (LIB_PROTO_MUTATOR_HAS_SANITIZE_FUZZER)
+ set(FUZZING_FLAGS "-fsanitize=fuzzer-no-link")
+ set(FUZZING_FLAGS_BINARY "-fsanitize=fuzzer")
+ endif()
+ if (LIB_PROTO_MUTATOR_HAS_SANITIZE_NO_FUZZER)
+ set(NO_FUZZING_FLAGS "-fno-sanitize=fuzzer")
+ endif()
 endif()
-
 if (LIB_PROTO_MUTATOR_HAS_NO_COVERAGE)
- set(NO_FUZZING_FLAGS "-fsanitize-coverage=0")
+ set(NO_FUZZING_FLAGS "${NO_FUZZING_FLAGS} -fsanitize-coverage=0")
 endif()
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${EXTRA_FLAGS}")
@@ -123,12 +122,8 @@ add_custom_target(check
 add_subdirectory(src)
-if ("${LIB_PROTO_MUTATOR_FUZZER_LIBRARIES}" STREQUAL "" AND
+if (NOT "${LIB_PROTO_MUTATOR_FUZZER_LIBRARIES}" STREQUAL "" OR
 NOT "${FUZZING_FLAGS}" STREQUAL "")
- include(libfuzzer)
-endif()
-
-if (NOT "${LIB_PROTO_MUTATOR_FUZZER_LIBRARIES}" STREQUAL "")
 add_subdirectory(examples EXCLUDE_FROM_ALL)
 endif()
diff --git a/chromium/third_party/libprotobuf-mutator/src/README.md b/chromium/third_party/libprotobuf-mutator/src/README.md
index c0bb7d93620..947546098e4 100644
--- a/chromium/third_party/libprotobuf-mutator/src/README.md
+++ b/chromium/third_party/libprotobuf-mutator/src/README.md
@@ -45,6 +45,7 @@ methods with more sophisticated logic, e.g. using
 [libFuzzer](http://libfuzzer.info)'s mutators.
 To apply one mutation to a protobuf object do the following:
+
 ```
 class MyProtobufMutator : public protobuf_mutator::Mutator {
 public:
@@ -73,3 +74,9 @@ DEFINE_PROTO_FUZZER(const MyMessageType& input) {
 ```
 Please see [libfuzzer_example.cc](/examples/libfuzzer/libfuzzer_example.cc) as an example.
+
+## UTF-8 strings
+"proto2" and "proto3" handle invalid UTF-8 strings differently. In both cases
+string should be UTF-8, however only "proto3" enforces that. So if fuzzer is
+applied to "proto2" type libprotobuf-mutator will generate any strings including
+invalid UTF-8. If it's a "proto3" message type, only valid UTF-8 will be used.
diff --git a/chromium/third_party/libprotobuf-mutator/src/cmake/external/libfuzzer.cmake b/chromium/third_party/libprotobuf-mutator/src/cmake/external/libfuzzer.cmake
deleted file mode 100644
index 4eb1f3bfacd..00000000000
--- a/chromium/third_party/libprotobuf-mutator/src/cmake/external/libfuzzer.cmake
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 2017 Google Inc. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set(LIBFUZZER_TARGET external.libfuzzer)
-set(LIBFUZZER_INSTALL_DIR ${CMAKE_CURRENT_BINARY_DIR}/${LIBFUZZER_TARGET})
-
-list(APPEND LIB_PROTO_MUTATOR_FUZZER_LIBRARIES Fuzzer)
-
-foreach(lib IN LISTS LIB_PROTO_MUTATOR_FUZZER_LIBRARIES)
- set(CUR_LIB ${LIBFUZZER_INSTALL_DIR}/src/${LIBFUZZER_TARGET}-build/lib${lib}.a)
- list(APPEND LIBFUZZER_BUILD_BYPRODUCTS ${CUR_LIB})
-
- add_library(${lib} STATIC IMPORTED)
- set_property(TARGET ${lib} PROPERTY IMPORTED_LOCATION ${CUR_LIB})
- add_dependencies(${lib} ${LIBFUZZER_TARGET})
-endforeach(lib)
-
-include (ExternalProject)
-ExternalProject_Add(${LIBFUZZER_TARGET}
- PREFIX ${LIBFUZZER_TARGET}
- GIT_REPOSITORY https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer
- GIT_TAG master
- UPDATE_COMMAND ""
- CONFIGURE_COMMAND ""
- BUILD_COMMAND CXX=${CMAKE_CXX_COMPILER} ${LIBFUZZER_INSTALL_DIR}/src/${LIBFUZZER_TARGET}/build.sh
- INSTALL_COMMAND ""
- BUILD_BYPRODUCTS ${LIBFUZZER_BUILD_BYPRODUCTS}
-)
diff --git a/chromium/third_party/libprotobuf-mutator/src/examples/expat/CMakeLists.txt b/chromium/third_party/libprotobuf-mutator/src/examples/expat/CMakeLists.txt
index e719d4bcb42..f2031f5dfed 100644
--- a/chromium/third_party/libprotobuf-mutator/src/examples/expat/CMakeLists.txt
+++ b/chromium/third_party/libprotobuf-mutator/src/examples/expat/CMakeLists.txt
@@ -25,7 +25,7 @@ target_link_libraries(expat_example
 set_property(TARGET expat_example
 PROPERTY COMPILE_FLAGS ${FUZZING_FLAGS})
 set_property(TARGET expat_example
- PROPERTY LINK_FLAGS ${FUZZING_FLAGS})
+ PROPERTY LINK_FLAGS ${FUZZING_FLAGS_BINARY})
 add_executable(expat_example_test expat_example_test.cc)
diff --git a/chromium/third_party/libprotobuf-mutator/src/examples/libfuzzer/CMakeLists.txt b/chromium/third_party/libprotobuf-mutator/src/examples/libfuzzer/CMakeLists.txt
index a0f103f252d..dc39177be8b 100644
--- a/chromium/third_party/libprotobuf-mutator/src/examples/libfuzzer/CMakeLists.txt
+++ b/chromium/third_party/libprotobuf-mutator/src/examples/libfuzzer/CMakeLists.txt
@@ -38,6 +38,6 @@ foreach(fuzzer libfuzzer_example libfuzzer_bin_example)
 set_property(TARGET ${fuzzer}
 PROPERTY COMPILE_FLAGS ${FUZZING_FLAGS})
 set_property(TARGET ${fuzzer}
- PROPERTY LINK_FLAGS ${FUZZING_FLAGS})
+ PROPERTY LINK_FLAGS ${FUZZING_FLAGS_BINARY})
 add_dependencies(libfuzzer_example_test ${fuzzer})
 endforeach(fuzzer)
diff --git a/chromium/third_party/libprotobuf-mutator/src/examples/libxml2/CMakeLists.txt b/chromium/third_party/libprotobuf-mutator/src/examples/libxml2/CMakeLists.txt
index f39e35d3105..cf9f8a23960 100644
--- a/chromium/third_party/libprotobuf-mutator/src/examples/libxml2/CMakeLists.txt
+++ b/chromium/third_party/libprotobuf-mutator/src/examples/libxml2/CMakeLists.txt
@@ -26,7 +26,7 @@ target_link_libraries(libxml2_example
 set_property(TARGET libxml2_example
 PROPERTY COMPILE_FLAGS ${FUZZING_FLAGS})
 set_property(TARGET libxml2_example
- PROPERTY LINK_FLAGS ${FUZZING_FLAGS})
+ PROPERTY LINK_FLAGS ${FUZZING_FLAGS_BINARY})
 add_executable(libxml2_example_test libxml2_example_test.cc)
diff --git a/chromium/third_party/libprotobuf-mutator/src/src/mutator.cc b/chromium/third_party/libprotobuf-mutator/src/src/mutator.cc
index 17b3a78504b..2aa9693935b 100644
--- a/chromium/third_party/libprotobuf-mutator/src/src/mutator.cc
+++ b/chromium/third_party/libprotobuf-mutator/src/src/mutator.cc
@@ -37,7 +37,7 @@ using std::placeholders::_1;
 namespace {
-const size_t kMaxInitializeDepth = 100;
+const int kMaxInitializeDepth = 200;
 const uint64_t kDefaultMutateWeight = 1000000;
 enum class Mutation {
@@ -480,10 +480,8 @@ void Mutator::Mutate(Message* message, size_t size_increase_hint) {
 }
 } while (repeat);
- if (keep_initialized_ && !message->IsInitialized()) {
- InitializeMessage(message, kMaxInitializeDepth);
- assert(message->IsInitialized());
- }
+ InitializeAndTrim(message, kMaxInitializeDepth);
+ assert(!keep_initialized_ || message->IsInitialized());
 }
 void Mutator::CrossOver(const protobuf::Message& message1,
@@ -495,10 +493,8 @@ void Mutator::CrossOver(const protobuf::Message& message1,
 CrossOverImpl(message1, message2);
- if (keep_initialized_ && !message2->IsInitialized()) {
- InitializeMessage(message2, kMaxInitializeDepth);
- assert(message2->IsInitialized());
- }
+ InitializeAndTrim(message2, kMaxInitializeDepth);
+ assert(!keep_initialized_ || message2->IsInitialized());
 // Can't call mutate from crossover because of a bug in libFuzzer.
 return;
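Review bot: `kMaxInitializeDepth` now has a second role — it is the depth at which InitializeAndTrim starts clearing optional message fields, not just a bound for filling in required ones — and it was doubled to 200 in the same hunk, yet the constant carries no comment explaining either role or why 200 nesting levels is a safe stack budget on every fuzzing target; I would add `// Nesting depth beyond which InitializeAndTrim clears optional message fields; this bounds the recursion in Mutate/CrossOver.` above it. The Mutate and CrossOver hunks further down this line also change the call from conditional (only when `keep_initialized_` and the message was uninitialized) to an unconditional full-tree walk on every mutation; that is presumably deliberate so trimming always happens, but a one-line comment at the first call site, `// Always walk the tree: trimming applies even when keep_initialized_ is false.`, would keep the next reader from "optimizing" it back.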
@@ -581,29 +577,36 @@ void Mutator::CrossOverImpl(const protobuf::Message& message1,
 }
 }
-void Mutator::InitializeMessage(Message* message, size_t max_depth) {
- assert(keep_initialized_);
+void Mutator::InitializeAndTrim(Message* message, int max_depth) {
 const Descriptor* descriptor = message->GetDescriptor();
 const Reflection* reflection = message->GetReflection();
 for (int i = 0; i < descriptor->field_count(); ++i) {
 const FieldDescriptor* field = descriptor->field(i);
- if (field->is_required() && !reflection->HasField(*message, field))
+ if (keep_initialized_ && field->is_required() &&
+ !reflection->HasField(*message, field))
 CreateDefaultField()(FieldInstance(message, field));
- if (max_depth > 0 &&
- field->cpp_type() == FieldDescriptor::CPPTYPE_MESSAGE) {
+ if (field->cpp_type() == FieldDescriptor::CPPTYPE_MESSAGE) {
+ if (max_depth <= 0 && !field->is_required()) {
+ // Clear deep optional fields to avoid stack overflow.
+ reflection->ClearField(message, field);
+ if (field->is_repeated())
+ assert(!reflection->FieldSize(*message, field));
+ else
+ assert(!reflection->HasField(*message, field));
+ continue;
+ }
+
+ if (field->is_repeated()) {
 const int field_size = reflection->FieldSize(*message, field);
 for (int j = 0; j < field_size; ++j) {
 Message* nested_message =
 reflection->MutableRepeatedMessage(message, field, j);
- if (!nested_message->IsInitialized())
- InitializeMessage(nested_message, max_depth - 1);
+ InitializeAndTrim(nested_message, max_depth - 1);
 }
 } else if (reflection->HasField(*message, field)) {
 Message* nested_message = reflection->MutableMessage(message, field);
- if (!nested_message->IsInitialized())
- InitializeMessage(nested_message, max_depth - 1);
+ InitializeAndTrim(nested_message, max_depth - 1);
 }
 }
 }
diff --git a/chromium/third_party/libprotobuf-mutator/src/src/mutator.h b/chromium/third_party/libprotobuf-mutator/src/src/mutator.h
index ad1cbadad6c..47139bdf0b9 100644
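Review bot: The depth cut-off in InitializeAndTrim only covers non-required message fields: once `max_depth <= 0`, a singular required message field fails the `!field->is_required()` test, is not cleared, and the function still recurses into it through the `else if (reflection->HasField(...))` branch with an ever more negative `max_depth`, so the comment `// Clear deep optional fields to avoid stack overflow.` promises more than the code delivers — a chain of required submessages (a schema in which a required message field directly or indirectly contains its own type, or an input whose depth runs through required fields) is still walked without bound. If the assumption is that required chains are finite by construction, the code should say so: `// Required fields are never trimmed; recursion through them is bounded by the schema, not by max_depth.` Otherwise the cheaper fix is to return early when `max_depth < 0` regardless of requiredness and let the `assert(!keep_initialized_ || message->IsInitialized())` at the call sites surface the uninitialized result in debug builds, since that assert is compiled out under NDEBUG and is the only post-condition check there.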
--- a/chromium/third_party/libprotobuf-mutator/src/src/mutator.h
+++ b/chromium/third_party/libprotobuf-mutator/src/src/mutator.h
@@ -78,7 +78,7 @@ class Mutator {
 private:
 friend class FieldMutator;
 friend class TestMutator;
- void InitializeMessage(protobuf::Message* message, size_t max_depth);
+ void InitializeAndTrim(protobuf::Message* message, int max_depth);
 void CrossOverImpl(const protobuf::Message& message1,
 protobuf::Message* message2);
 std::string MutateUtf8String(const std::string& value, |
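Review bot: `InitializeAndTrim` is declared with no comment, and its name does not say that only one of its two jobs is conditional: in the mutator.cc hunk, creating missing required fields happens only when `keep_initialized_` is set, whereas clearing non-required message fields nested deeper than `max_depth` happens on every call. I would document that contract at the declaration so callers do not assume the walk is a no-op when `keep_initialized_` is false: `// Recursively walks |message|. When keep_initialized_ is set, creates missing required fields; always clears non-required message fields nested deeper than |max_depth| to bound recursion.` The enclosing class Mutator begins before this hunk.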