# Copyright 2015 The Chromium Authors # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. # Individual libfuzzer tests that didn't find their home yet. import("//build/config/features.gni") import("//testing/libfuzzer/fuzzer_test.gni") import("//third_party/protobuf/proto_library.gni") import("//ui/gl/features.gni") import("//v8/gni/v8.gni") # root BUILD depends on this target. Needed for package discovery group("fuzzers") { } fuzzer_test("empty_fuzzer") { sources = [ "empty_fuzzer.cc" ] additional_configs = [ "//testing/libfuzzer:no_clusterfuzz" ] } fuzzer_test("courgette_fuzzer") { sources = [ "courgette_fuzzer.cc" ] deps = [ "//base", "//courgette:courgette_lib", ] } fuzzer_test("language_detection_fuzzer") { sources = [ "language_detection_fuzzer.cc" ] deps = [ "//base", "//components/translate/core/language_detection:language_detection", ] } fuzzer_test("snappy_compress_fuzzer") { sources = [ "snappy_compress_fuzzer.cc" ] deps = [ "//third_party/snappy:snappy" ] seed_corpus = "//third_party/snappy/src/testdata" } fuzzer_test("snappy_uncompress_fuzzer") { sources = [ "snappy_uncompress_fuzzer.cc" ] deps = [ "//third_party/snappy:snappy" ] seed_corpus = "//third_party/snappy/src/testdata" } fuzzer_test("template_url_parser_fuzzer") { sources = [ "template_url_parser_fuzzer.cc" ] deps = [ "//base", "//base:i18n", "//components/search_engines", "//mojo/core/embedder", "//services/data_decoder/public/cpp", "//services/data_decoder/public/cpp:test_support", "//third_party/libxml:libxml", ] dict = "//third_party/libxml/fuzz/xml.dict" libfuzzer_options = [ "max_len=4096" ] } fuzzer_test("url_parse_proto_fuzzer") { sources = [ "url_parse_proto_fuzzer.cc" ] deps = [ "//base", "//base:i18n", "//testing/libfuzzer/proto:url_proto", "//third_party/libprotobuf-mutator", "//url:url", ] } fuzzer_test("libsrtp_fuzzer") { sources = [ "libsrtp_fuzzer.cc" ] deps = [ "//third_party/libsrtp" ] libfuzzer_options = [ "max_len=1500" ] } libpng_seed_corpuses = [ "//components/test/data/viz", "//third_party/blink/web_tests/images/png-suite/samples", "//third_party/blink/web_tests/images/resources/pngfuzz", ] fuzzer_test("gfx_png_image_fuzzer") { sources = [ "gfx_png_image_fuzzer.cc" ] deps = [ "//base", "//ui/gfx", ] dict = "dicts/png.dict" seed_corpuses = libpng_seed_corpuses } fuzzer_test("libxml_xml_read_memory_fuzzer") { sources = [ "libxml_xml_read_memory_fuzzer.cc" ] deps = [ "//third_party/libxml:libxml" ] dict = "//third_party/libxml/fuzz/xml.dict" seed_corpus = "//third_party/libxml/fuzz/seed_corpus" } fuzzer_test("libpng_progressive_read_fuzzer") { sources = [ "libpng_read_fuzzer.cc" ] deps = [ "//base", "//third_party/libpng", ] dict = "dicts/png.dict" seed_corpuses = libpng_seed_corpuses } fuzzer_test("v8_script_parser_fuzzer") { sources = [] deps = [ "//v8:parser_fuzzer" ] asan_options = [ "allow_user_segv_handler=1", "handle_sigtrap=1", ] msan_options = [ "handle_sigtrap=1" ] ubsan_options = [ "handle_sigtrap=1", "handle_segv=1", ] dict = "dicts/generated/javascript.dict" seed_corpus = "//v8/test/mjsunit/regress/" libfuzzer_options = [ "only_ascii=1" ] environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] } v8_inspector_fuzzer_corpus_dir = "$target_gen_dir/v8_inspector_fuzzer_corpus" action("generate_v8_inspector_fuzzer_corpus") { script = "generate_v8_inspector_fuzzer_corpus.py" sources = [ "generate_v8_inspector_fuzzer_corpus.py" ] args = [ rebase_path("//v8/test/inspector/", root_build_dir), rebase_path(v8_inspector_fuzzer_corpus_dir, root_build_dir), ] outputs = [ v8_inspector_fuzzer_corpus_dir ] } fuzzer_test("v8_inspector_fuzzer") { sources = [] deps = [ "//v8:inspector_fuzzer" ] asan_options = [ "allow_user_segv_handler=1", "handle_sigtrap=1", ] msan_options = [ "handle_sigtrap=1" ] ubsan_options = [ "handle_sigtrap=1", "handle_segv=1", ] dict = "dicts/generated/javascript.dict" seed_corpus = v8_inspector_fuzzer_corpus_dir seed_corpus_deps = [ ":generate_v8_inspector_fuzzer_corpus" ] # The fuzzer is able to handle any input, but since the input is interpreted # as JS code, restricting to ascii only will increase fuzzing efficiency. libfuzzer_options = [ "only_ascii=1" ] environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] } fuzzer_test("v8_json_parser_fuzzer") { sources = [] deps = [ "//v8:json_fuzzer" ] asan_options = [ "allow_user_segv_handler=1", "handle_sigtrap=1", ] msan_options = [ "handle_sigtrap=1" ] ubsan_options = [ "handle_sigtrap=1", "handle_segv=1", ] dict = "dicts/json.dict" environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] } fuzzer_test("v8_regexp_parser_fuzzer") { sources = [] deps = [ "//v8:regexp_fuzzer" ] asan_options = [ "allow_user_segv_handler=1", "handle_sigtrap=1", ] msan_options = [ "handle_sigtrap=1" ] ubsan_options = [ "handle_sigtrap=1", "handle_segv=1", ] dict = "dicts/regexp.dict" seed_corpus = "//v8/test/fuzzer/regexp/" libfuzzer_options = [ "max_len=64" ] environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] } fuzzer_test("v8_regexp_builtins_fuzzer") { sources = [] deps = [ "//v8:regexp_builtins_fuzzer" ] asan_options = [ "allow_user_segv_handler=1", "handle_sigtrap=1", ] msan_options = [ "handle_sigtrap=1" ] ubsan_options = [ "handle_sigtrap=1", "handle_segv=1", ] environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] } if (v8_enable_webassembly) { fuzzer_test("v8_multi_return_fuzzer") { sources = [] deps = [ "//v8:multi_return_fuzzer" ] asan_options = [ "allow_user_segv_handler=1", "handle_sigtrap=1", ] msan_options = [ "handle_sigtrap=1" ] ubsan_options = [ "handle_sigtrap=1", "handle_segv=1", ] environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] } fuzzer_test("v8_wasm_code_fuzzer") { sources = [] deps = [ "//v8:wasm_code_fuzzer" ] libfuzzer_options = [ "max_len=500" ] asan_options = [ "allow_user_segv_handler=1", "handle_sigtrap=1", ] msan_options = [ "handle_sigtrap=1" ] ubsan_options = [ "handle_sigtrap=1", "handle_segv=1", ] environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] } fuzzer_test("v8_wasm_compile_fuzzer") { sources = [] deps = [ "//v8:wasm_compile_fuzzer" ] libfuzzer_options = [ "max_len=500" ] asan_options = [ "allow_user_segv_handler=1", "handle_sigtrap=1", ] msan_options = [ "handle_sigtrap=1" ] ubsan_options = [ "handle_sigtrap=1", "handle_segv=1", ] environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] } fuzzer_test("v8_wasm_fuzzer") { sources = [] deps = [ "//v8:wasm_fuzzer" ] dict = "dicts/v8_wasm.dict" seed_corpus = "//v8/test/fuzzer/wasm_corpus/" libfuzzer_options = [ "max_len=500" ] asan_options = [ "allow_user_segv_handler=1", "handle_sigtrap=1", ] msan_options = [ "handle_sigtrap=1" ] ubsan_options = [ "handle_sigtrap=1", "handle_segv=1", ] environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] } fuzzer_test("v8_wasm_async_fuzzer") { sources = [] deps = [ "//v8:wasm_async_fuzzer" ] dict = "dicts/v8_wasm.dict" seed_corpus = "//v8/test/fuzzer/wasm_corpus/" libfuzzer_options = [ "max_len=500" ] asan_options = [ "allow_user_segv_handler=1", "handle_sigtrap=1", ] msan_options = [ "handle_sigtrap=1" ] ubsan_options = [ "handle_sigtrap=1", "handle_segv=1", ] environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] } fuzzer_test("v8_wasm_streaming_fuzzer") { sources = [] deps = [ "//v8:wasm_streaming_fuzzer" ] libfuzzer_options = [ "max_len=500" ] asan_options = [ "allow_user_segv_handler=1", "handle_sigtrap=1", ] msan_options = [ "handle_sigtrap=1" ] ubsan_options = [ "handle_sigtrap=1", "handle_segv=1", ] environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ] } } fuzzer_test("convert_woff2ttf_fuzzer") { sources = [ "convert_woff2ttf_fuzzer.cc" ] deps = [ "//third_party/woff2:woff2_dec" ] seed_corpus = "//testing/libfuzzer/fuzzers/woff2_corpus" libfuzzer_options = [ "max_len=803500" ] } fuzzer_test("flatbuffers_verifier_fuzzer") { sources = [ "flatbuffers_verifier_fuzzer.cc" ] deps = [ "//third_party/flatbuffers", "//third_party/flatbuffers:flatbuffers_samplebuffer", ] libfuzzer_options = [ "max_len=1024" ] seed_corpus = "//testing/libfuzzer/fuzzers/flatbuffers_corpus" } fuzzer_test("skia_path_fuzzer") { sources = [ "skia_path_common.cc", "skia_path_common.h", "skia_path_fuzzer.cc", ] deps = [ "//base", "//skia", ] libfuzzer_options = [ "max_len=256" ] if (is_debug) { # Disabled due to crashing on SkASSERT (crbug.com/642750, crbug.com/643275). additional_configs = [ "//testing/libfuzzer:no_clusterfuzz" ] } } fuzzer_test("skia_pathop_fuzzer") { sources = [ "skia_path_common.cc", "skia_path_common.h", "skia_pathop_fuzzer.cc", ] deps = [ "//base", "//skia", ] libfuzzer_options = [ "max_len=512" ] if (is_debug) { # Disabled due to crashing on SkASSERT (crbug.com/642750, crbug.com/643275). additional_configs = [ "//testing/libfuzzer:no_clusterfuzz" ] } } fuzzer_test("prtime_fuzzer") { sources = [ "prtime_fuzzer.cc" ] deps = [ "//base" ] dict = "dicts/prtime.dict" libfuzzer_options = [ "max_len=1024" ] } fuzzer_test("angle_translator_fuzzer") { sources = [] deps = [ "//third_party/angle:translator_fuzzer" ] libfuzzer_options = [ "max_len=1000" ] dict = "dicts/webgl-glsl.dict" } fuzzer_test("sha1_fuzzer") { sources = [ "sha1_fuzzer.cc" ] deps = [ "//base" ] } fuzzer_test("hash_fuzzer") { sources = [ "hash_fuzzer.cc" ] deps = [ "//base" ] } action("gen_javascript_parser_proto") { # Only targets in this file and the top-level visibility target can # depend on this. visibility = [ ":*" ] script = "generate_javascript_parser_proto.py" sources = [ "dicts/javascript_parser_proto.dict" ] outputs = [ "$target_gen_dir/javascript_parser.proto", "$target_gen_dir/javascript_parser_proto_to_string.cc", ] args = rebase_path(outputs, root_build_dir) + rebase_path(sources, root_build_dir) } proto_library("javascript_parser_proto") { sources = [ "$target_gen_dir/javascript_parser.proto" ] proto_deps = [ ":gen_javascript_parser_proto" ] proto_out_dir = "" } fuzzer_test("javascript_parser_proto_fuzzer") { generated_sources = [ "$target_gen_dir/javascript_parser_proto_to_string.cc" ] sources = [ "javascript_parser_proto_fuzzer.cc", "javascript_parser_proto_to_string.h", ] deps = [ ":gen_javascript_parser_proto", ":javascript_parser_proto", "//third_party/libprotobuf-mutator", "//v8:v8", "//v8:v8_libplatform", ] } fuzzer_test("v8_fully_instrumented_fuzzer") { sources = [ "v8_fuzzer.cc" ] deps = [ "//base", "//v8:v8", "//v8:v8_libplatform", ] dict = "dicts/generated/javascript.dict" asan_options = [ "allow_user_segv_handler=1", "handle_sigtrap=1", ] msan_options = [ "handle_sigtrap=1" ] ubsan_options = [ "handle_sigtrap=1", "handle_segv=1", ] libfuzzer_options = [ "only_ascii=1" ] } fuzzer_test("skia_image_filter_proto_fuzzer") { sources = [ "skia_image_filter_proto_fuzzer.cc" ] deps = [ "//base", "//base/test:test_support", "//skia", "//testing/libfuzzer/proto:skia_image_filter_converter", "//testing/libfuzzer/proto:skia_image_filter_proto", "//third_party/libprotobuf-mutator", ] } fuzzer_test("libyuv_scale_fuzzer") { sources = [ "libyuv_scale_fuzzer.cc" ] deps = [ "//third_party/libyuv" ] } proto_library("command_buffer_lpm_fuzzer_proto") { sources = [ "command_buffer_lpm_fuzzer/cmd_buf_lpm_fuzz.proto" ] use_protobuf_full = true deps = [ "//third_party/protobuf:protobuf_full" ] } fuzzer_test("command_buffer_lpm_fuzzer") { sources = [ "command_buffer_lpm_fuzzer/cmd_buf_lpm_fuzz.cc", "command_buffer_lpm_fuzzer/cmd_buf_lpm_fuzz.h", "command_buffer_lpm_fuzzer/webgpu_support.cc", "command_buffer_lpm_fuzzer/webgpu_support.h", ] # This is a hack. These files should be pulled in as a result of the # dependency on //gpu:webgpu which has a public dependency on # //gpu/command_buffer/client:webgpu_sources, but for some reason these files # get dropped in component builds, so manually add them to the sources here. if (is_component_build) { sources += [ "//gpu/command_buffer/client/webgpu_implementation.cc", "//gpu/command_buffer/client/webgpu_implementation.h", ] if (use_dawn) { sources += [ "//gpu/command_buffer/client/dawn_client_memory_transfer_service.cc", "//gpu/command_buffer/client/dawn_client_memory_transfer_service.h", "//gpu/command_buffer/client/dawn_client_serializer.cc", "//gpu/command_buffer/client/dawn_client_serializer.h", ] } } deps = [ ":command_buffer_lpm_fuzzer_proto", "//base", "//base/test:test_support", "//base/third_party/dynamic_annotations", "//build:chromeos_buildflags", "//components/viz/common:resource_format", "//components/viz/test:test_support", # TODO: huge; is there something more # targeted? "//content/public/common:static_switches", "//gpu:gles2", "//gpu:gpu", "//gpu:test_support", "//gpu:webgpu", "//gpu/command_buffer/client", "//gpu/command_buffer/client:gles2_c_lib", "//gpu/command_buffer/client:gles2_implementation", "//gpu/command_buffer/common", "//gpu/command_buffer/common:gles2_utils", "//gpu/command_buffer/service", "//gpu/config", "//gpu/ipc:gl_in_process_context", "//gpu/ipc/client", "//gpu/ipc/common", "//gpu/ipc/host", "//gpu/ipc/service:service", "//gpu/webgpu:common", "//mojo/core/embedder", "//mojo/core/embedder", "//mojo/public/cpp/bindings", "//testing/gmock", "//testing/gtest:gtest", "//third_party/libprotobuf-mutator", "//ui/gfx:gfx", "//ui/gl:gl", "//ui/gl:test_support", "//ui/gl/init:init", "//url", ] if (use_dawn) { deps += [ "//third_party/dawn/src/dawn:cpp", "//third_party/dawn/src/dawn:proc", "//third_party/dawn/src/dawn/native", ] } libfuzzer_options = [ "max_len=16384" ] }