xref: /aosp_15_r20/external/cronet/testing/libfuzzer/fuzzers/BUILD.gn (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1# Copyright 2015 The Chromium Authors
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5# Individual libfuzzer tests that didn't find their home yet.
6
7import("//build/config/features.gni")
8import("//testing/libfuzzer/fuzzer_test.gni")
9import("//third_party/protobuf/proto_library.gni")
10import("//ui/gl/features.gni")
11import("//v8/gni/v8.gni")
12
13# root BUILD depends on this target. Needed for package discovery
14group("fuzzers") {
15}
16
17fuzzer_test("empty_fuzzer") {
18  sources = [ "empty_fuzzer.cc" ]
19  additional_configs = [ "//testing/libfuzzer:no_clusterfuzz" ]
20}
21
22fuzzer_test("string_compare_fuzzer") {
23  sources = [ "string_compare_fuzzer.cc" ]
24  additional_configs = [ "//testing/libfuzzer:no_clusterfuzz" ]
25}
26
27fuzzer_test("courgette_fuzzer") {
28  sources = [ "courgette_fuzzer.cc" ]
29  deps = [
30    "//base",
31    "//courgette:courgette_lib",
32  ]
33}
34
35fuzzer_test("language_detection_fuzzer") {
36  sources = [ "language_detection_fuzzer.cc" ]
37  deps = [
38    "//base",
39    "//components/translate/core/language_detection:language_detection",
40  ]
41}
42
43fuzzer_test("snappy_compress_fuzzer") {
44  sources = [ "snappy_compress_fuzzer.cc" ]
45  deps = [ "//third_party/snappy:snappy" ]
46  seed_corpus = "//third_party/snappy/src/testdata"
47}
48
49fuzzer_test("snappy_uncompress_fuzzer") {
50  sources = [ "snappy_uncompress_fuzzer.cc" ]
51  deps = [ "//third_party/snappy:snappy" ]
52  seed_corpus = "//third_party/snappy/src/testdata"
53}
54
55fuzzer_test("template_url_parser_fuzzer") {
56  sources = [ "template_url_parser_fuzzer.cc" ]
57  deps = [
58    "//base",
59    "//base:i18n",
60    "//components/search_engines",
61    "//mojo/core/embedder",
62    "//services/data_decoder/public/cpp",
63    "//services/data_decoder/public/cpp:test_support",
64    "//third_party/libxml:libxml",
65  ]
66  dict = "//third_party/libxml/fuzz/xml.dict"
67  libfuzzer_options = [ "max_len=4096" ]
68}
69
70fuzzer_test("url_parse_proto_fuzzer") {
71  sources = [ "url_parse_proto_fuzzer.cc" ]
72  deps = [
73    "//base",
74    "//base:i18n",
75    "//testing/libfuzzer/proto:url_proto",
76    "//third_party/libprotobuf-mutator",
77    "//url:url",
78  ]
79}
80
81fuzzer_test("libsrtp_fuzzer") {
82  sources = [ "libsrtp_fuzzer.cc" ]
83  deps = [ "//third_party/libsrtp" ]
84  libfuzzer_options = [ "max_len=1500" ]
85}
86
87libpng_seed_corpuses = [
88  "//components/test/data/viz",
89  "//third_party/blink/web_tests/images/png-suite/samples",
90  "//third_party/blink/web_tests/images/resources/pngfuzz",
91]
92
93fuzzer_test("gfx_png_image_fuzzer") {
94  sources = [ "gfx_png_image_fuzzer.cc" ]
95  deps = [
96    "//base",
97    "//ui/base",
98    "//ui/gfx",
99  ]
100  dict = "dicts/png.dict"
101  seed_corpuses = libpng_seed_corpuses
102}
103
104fuzzer_test("libxml_xml_read_memory_fuzzer") {
105  sources = [ "libxml_xml_read_memory_fuzzer.cc" ]
106  deps = [ "//third_party/libxml:libxml" ]
107  dict = "//third_party/libxml/fuzz/xml.dict"
108  seed_corpus = "//third_party/libxml/fuzz/seed_corpus"
109}
110
111fuzzer_test("libpng_progressive_read_fuzzer") {
112  sources = [ "libpng_read_fuzzer.cc" ]
113  deps = [
114    "//base",
115    "//third_party/libpng",
116  ]
117  dict = "dicts/png.dict"
118  seed_corpuses = libpng_seed_corpuses
119}
120
121template("v8_fuzzer") {
122  if (defined(invoker.v8_dep)) {
123    _deps = [ "//v8:${invoker.v8_dep}" ]
124  } else {
125    _deps = [ "//v8:${target_name}" ]
126  }
127
128  fuzzer_test("v8_${target_name}") {
129    forward_variables_from(invoker,
130                           "*",
131                           [
132                             "v8_dep",
133                             "max_len",
134                           ])
135
136    sources = []
137    deps = _deps
138    if (defined(invoker.max_len)) {
139      if (!defined(libfuzzer_options)) {
140        libfuzzer_options = []
141      }
142      libfuzzer_options += [ "max_len=${invoker.max_len}" ]
143    }
144
145    asan_options = [
146      "allow_user_segv_handler=1",
147      "handle_sigtrap=1",
148    ]
149    msan_options = [ "handle_sigtrap=1" ]
150    ubsan_options = [
151      "handle_sigtrap=1",
152      "handle_segv=1",
153    ]
154    environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
155  }
156}
157
158v8_fuzzer("script_parser_fuzzer") {
159  v8_dep = "parser_fuzzer"
160  dict = "dicts/generated/javascript.dict"
161  seed_corpus = "//v8/test/mjsunit/regress/"
162  libfuzzer_options = [ "only_ascii=1" ]
163}
164
165v8_inspector_fuzzer_corpus_dir = "$target_gen_dir/v8_inspector_fuzzer_corpus"
166
167action("generate_v8_inspector_fuzzer_corpus") {
168  script = "generate_v8_inspector_fuzzer_corpus.py"
169  sources = [ "generate_v8_inspector_fuzzer_corpus.py" ]
170  args = [
171    rebase_path("//v8/test/inspector/", root_build_dir),
172    rebase_path(v8_inspector_fuzzer_corpus_dir, root_build_dir),
173  ]
174  outputs = [ v8_inspector_fuzzer_corpus_dir ]
175}
176
177v8_fuzzer("inspector_fuzzer") {
178  dict = "dicts/generated/javascript.dict"
179  seed_corpus = v8_inspector_fuzzer_corpus_dir
180  seed_corpus_deps = [ ":generate_v8_inspector_fuzzer_corpus" ]
181
182  # The fuzzer is able to handle any input, but since the input is interpreted
183  # as JS code, restricting to ascii only will increase fuzzing efficiency.
184  libfuzzer_options = [ "only_ascii=1" ]
185}
186
187v8_fuzzer("json_parser_fuzzer") {
188  v8_dep = "json_fuzzer"
189  dict = "dicts/json.dict"
190}
191
192v8_fuzzer("regexp_parser_fuzzer") {
193  v8_dep = "regexp_fuzzer"
194  dict = "dicts/regexp.dict"
195  seed_corpus = "//v8/test/fuzzer/regexp/"
196  libfuzzer_options = [ "max_len=64" ]
197}
198
199if (v8_enable_webassembly) {
200  v8_fuzzer("multi_return_fuzzer") {
201  }
202
203  v8_fuzzer("wasm_code_fuzzer") {
204    max_len = 500
205  }
206
207  v8_fuzzer("wasm_compile_all_fuzzer") {
208    max_len = 500
209  }
210
211  v8_fuzzer("wasm_compile_fuzzer") {
212    max_len = 500
213  }
214
215  v8_fuzzer("wasm_compile_simd_fuzzer") {
216    max_len = 500
217  }
218
219  v8_fuzzer("wasm_compile_wasmgc_fuzzer") {
220    max_len = 500
221  }
222
223  v8_fuzzer("wasm_fuzzer") {
224    max_len = 500
225    seed_corpus = "//v8/test/fuzzer/wasm_corpus/"
226  }
227
228  v8_fuzzer("wasm_async_fuzzer") {
229    max_len = 500
230    seed_corpus = "//v8/test/fuzzer/wasm_corpus/"
231  }
232
233  v8_fuzzer("wasm_streaming_fuzzer") {
234    max_len = 500
235    seed_corpus = "//v8/test/fuzzer/wasm_corpus/"
236  }
237
238  v8_fuzzer("wasm_init_expr_fuzzer") {
239    max_len = 500
240  }
241}
242
243fuzzer_test("convert_woff2ttf_fuzzer") {
244  sources = [ "convert_woff2ttf_fuzzer.cc" ]
245  deps = [ "//third_party/woff2:woff2_dec" ]
246  seed_corpus = "//testing/libfuzzer/fuzzers/woff2_corpus"
247  libfuzzer_options = [ "max_len=803500" ]
248}
249
250fuzzer_test("flatbuffers_verifier_fuzzer") {
251  sources = [ "flatbuffers_verifier_fuzzer.cc" ]
252  deps = [
253    "//third_party/flatbuffers",
254    "//third_party/flatbuffers:flatbuffers_samplebuffer",
255  ]
256  libfuzzer_options = [ "max_len=1024" ]
257  seed_corpus = "//testing/libfuzzer/fuzzers/flatbuffers_corpus"
258}
259
260fuzzer_test("skia_path_fuzzer") {
261  sources = [
262    "skia_path_common.cc",
263    "skia_path_common.h",
264    "skia_path_fuzzer.cc",
265  ]
266  deps = [
267    "//base",
268    "//skia",
269  ]
270  libfuzzer_options = [ "max_len=256" ]
271  if (is_debug) {
272    # Disabled due to crashing on SkASSERT (crbug.com/642750, crbug.com/643275).
273    additional_configs = [ "//testing/libfuzzer:no_clusterfuzz" ]
274  }
275}
276
277fuzzer_test("skia_pathop_fuzzer") {
278  sources = [
279    "skia_path_common.cc",
280    "skia_path_common.h",
281    "skia_pathop_fuzzer.cc",
282  ]
283  deps = [
284    "//base",
285    "//skia",
286  ]
287  libfuzzer_options = [ "max_len=512" ]
288  if (is_debug) {
289    # Disabled due to crashing on SkASSERT (crbug.com/642750, crbug.com/643275).
290    additional_configs = [ "//testing/libfuzzer:no_clusterfuzz" ]
291  }
292}
293
294fuzzer_test("prtime_fuzzer") {
295  sources = [ "prtime_fuzzer.cc" ]
296  deps = [ "//base" ]
297  dict = "dicts/prtime.dict"
298  libfuzzer_options = [ "max_len=1024" ]
299}
300
301fuzzer_test("angle_translator_fuzzer") {
302  sources = []
303  deps = [ "//third_party/angle:translator_fuzzer" ]
304  libfuzzer_options = [ "max_len=1000" ]
305  dict = "dicts/webgl-glsl.dict"
306}
307
308fuzzer_test("sha1_fuzzer") {
309  sources = [ "sha1_fuzzer.cc" ]
310  deps = [ "//base" ]
311}
312
313fuzzer_test("hash_fuzzer") {
314  sources = [ "hash_fuzzer.cc" ]
315  deps = [ "//base" ]
316}
317
318action("gen_javascript_parser_proto") {
319  # Only targets in this file and the top-level visibility target can
320  # depend on this.
321  visibility = [ ":*" ]
322
323  script = "generate_javascript_parser_proto.py"
324
325  sources = [ "dicts/javascript_parser_proto.dict" ]
326
327  outputs = [
328    "$target_gen_dir/javascript_parser.proto",
329    "$target_gen_dir/javascript_parser_proto_to_string.cc",
330  ]
331
332  args = rebase_path(outputs, root_build_dir) +
333         rebase_path(sources, root_build_dir)
334}
335
336proto_library("javascript_parser_proto") {
337  sources = [ "$target_gen_dir/javascript_parser.proto" ]
338  proto_deps = [ ":gen_javascript_parser_proto" ]
339  proto_out_dir = ""
340}
341
342fuzzer_test("javascript_parser_proto_fuzzer") {
343  generated_sources = [ "$target_gen_dir/javascript_parser_proto_to_string.cc" ]
344  sources = [
345    "javascript_parser_proto_fuzzer.cc",
346    "javascript_parser_proto_to_string.h",
347  ]
348  deps = [
349    ":gen_javascript_parser_proto",
350    ":javascript_parser_proto",
351    "//base",
352    "//third_party/libprotobuf-mutator",
353    "//v8:v8",
354    "//v8:v8_libplatform",
355  ]
356}
357
358fuzzer_test("v8_fully_instrumented_fuzzer") {
359  sources = [ "v8_fuzzer.cc" ]
360  deps = [
361    "//base",
362    "//v8:v8",
363    "//v8:v8_libplatform",
364  ]
365  dict = "dicts/generated/javascript.dict"
366  asan_options = [
367    "allow_user_segv_handler=1",
368    "handle_sigtrap=1",
369  ]
370  msan_options = [ "handle_sigtrap=1" ]
371  ubsan_options = [
372    "handle_sigtrap=1",
373    "handle_segv=1",
374  ]
375  libfuzzer_options = [ "only_ascii=1" ]
376}
377
378fuzzer_test("skia_image_filter_proto_fuzzer") {
379  sources = [ "skia_image_filter_proto_fuzzer.cc" ]
380
381  deps = [
382    "//base",
383    "//base/test:test_support",
384    "//skia",
385    "//testing/libfuzzer/proto:skia_image_filter_converter",
386    "//testing/libfuzzer/proto:skia_image_filter_proto",
387    "//third_party/libprotobuf-mutator",
388  ]
389}
390
391# We build the libyuv_scale_fuzzer both for fuzztest
392# and libfuzzer, for education/comparison purposes.
393# Abstract the common parts:
394source_set("libyuv_scale_fuzzer_common") {
395  testonly = true
396  sources = [
397    "libyuv_scale_fuzzer.cc",
398    "libyuv_scale_fuzzer.h",
399  ]
400
401  public_deps = [ "//third_party/libyuv" ]
402}
403
404# The libfuzzer version (which also works with other compatible
405# frameworks, e.g. centipede)
406fuzzer_test("libyuv_scale_fuzzer") {
407  sources = [ "libyuv_scale_fuzzer_libfuzzer.cc" ]
408  deps = [ ":libyuv_scale_fuzzer_common" ]
409}
410
411# This is a fuzztest fuzzer, which (for now) means we build this as
412# a unit test rather than using a fuzzing gn template such as
413# fuzzer_test.
414# This executable can be run in four modes:
415# modes:
416# ./libyuv_scale_fuzzer - runs a small amount of fuzzing as if
417#    to fit in with a unit test framework, just to look for
418#    egregious bugs
419# With the enable_fuzztest_fuzz gn arg:
420#   ./libyuv_scale_fuzzer -fuzz=    - fuzzes properly.
421# With the use_centipede gn arg:
422#   centipede --binary=libyuv_scale_fuzzer - fuzzes using centipede
423# With the use_libfuzzer gn arg:
424#   ./libyuv_scale_fuzzer - runs in a libfuzzer-compatible way
425# Note that right now this is using the plain 'test' template.
426# In time, we may choose a different option here.
427test("libyuv_scale_fuzztest") {
428  sources = [ "libyuv_scale_fuzztest.cc" ]
429  fuzztests = [ "ScaleFuzz.ScaleDoesNotCrash" ]
430
431  deps = [
432    ":libyuv_scale_fuzzer_common",
433    "//third_party/fuzztest:fuzztest_gtest_main",
434  ]
435}
436
437proto_library("command_buffer_lpm_fuzzer_proto") {
438  sources = [ "command_buffer_lpm_fuzzer/cmd_buf_lpm_fuzz.proto" ]
439
440  use_protobuf_full = true
441  deps = [ "//third_party/protobuf:protobuf_full" ]
442}
443
444if (!is_win) {
445  fuzzer_test("command_buffer_lpm_fuzzer") {
446    sources = [
447      "command_buffer_lpm_fuzzer/cmd_buf_lpm_fuzz.cc",
448      "command_buffer_lpm_fuzzer/cmd_buf_lpm_fuzz.h",
449      "command_buffer_lpm_fuzzer/webgpu_support.cc",
450      "command_buffer_lpm_fuzzer/webgpu_support.h",
451    ]
452
453    # This is a hack. These files should be pulled in as a result of the
454    # dependency on //gpu:webgpu which has a public dependency on
455    # //gpu/command_buffer/client:webgpu_sources, but for some reason these files
456    # get dropped in component builds, so manually add them to the sources here.
457    if (is_component_build) {
458      sources += [
459        "//gpu/command_buffer/client/webgpu_implementation.cc",
460        "//gpu/command_buffer/client/webgpu_implementation.h",
461      ]
462
463      if (use_dawn) {
464        sources += [
465          "//gpu/command_buffer/client/dawn_client_memory_transfer_service.cc",
466          "//gpu/command_buffer/client/dawn_client_memory_transfer_service.h",
467          "//gpu/command_buffer/client/dawn_client_serializer.cc",
468          "//gpu/command_buffer/client/dawn_client_serializer.h",
469        ]
470      }
471    }
472
473    deps = [
474      ":command_buffer_lpm_fuzzer_proto",
475      "//base",
476      "//base/test:test_support",
477      "//build:chromeos_buildflags",
478      "//components/viz/common:shared_image_format",
479      "//components/viz/test:test_support",  # TODO: huge; is there something
480                                             # more
481
482      # targeted?
483      "//content/public/common:static_switches",
484      "//gpu:gles2",
485      "//gpu:gpu",
486      "//gpu:test_support",
487      "//gpu:webgpu",
488      "//gpu/command_buffer/client",
489      "//gpu/command_buffer/client:gles2_c_lib",
490      "//gpu/command_buffer/client:gles2_implementation",
491      "//gpu/command_buffer/common",
492      "//gpu/command_buffer/common:gles2_utils",
493      "//gpu/command_buffer/service",
494      "//gpu/config",
495      "//gpu/ipc:gl_in_process_context",
496      "//gpu/ipc/client",
497      "//gpu/ipc/common",
498      "//gpu/ipc/host",
499      "//gpu/ipc/service:service",
500      "//gpu/webgpu:common",
501      "//mojo/core/embedder",
502      "//mojo/core/embedder",
503      "//mojo/public/cpp/bindings",
504      "//testing/gmock",
505      "//testing/gtest:gtest",
506      "//third_party/libprotobuf-mutator",
507      "//ui/gfx:gfx",
508      "//ui/gl:gl",
509      "//ui/gl:test_support",
510      "//ui/gl/init:init",
511      "//url",
512    ]
513
514    if (use_dawn) {
515      deps += [
516        "//third_party/dawn/src/dawn:cpp",
517        "//third_party/dawn/src/dawn:proc",
518        "//third_party/dawn/src/dawn/native",
519      ]
520    }
521
522    libfuzzer_options = [ "max_len=16384" ]
523  }
524}
525