Don't allow WebCodecs fuzzers to fuzz if creation aborts.

A review of similar Blink classes shows we should be returning nullptr
during the ::Create() method if there are exceptions. I've updated the
fuzzers to handle a null return value here now.

Fixed: 1167511, 1167532, 1167534
Change-Id: Idbbfaeac2e93eb1f4b8f02ad880724ac5454eac4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2638397
Commit-Queue: Dale Curtis <dalecurtis@chromium.org>
Auto-Submit: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Dan Sanders <sandersd@chromium.org>
Cr-Commit-Position: refs/heads/master@{#844991}

third_party/blink/renderer/modules/webcodecs/audio_decoder.cc

@@ -100,8 +100,9 @@ int AudioDecoderTraits::GetMaxDecodeRequests(const MediaDecoderType& decoder) {
 AudioDecoder* AudioDecoder::Create(ScriptState* script_state,
                                    const AudioDecoderInit* init,
                                    ExceptionState& exception_state) {
-  return MakeGarbageCollected<AudioDecoder>(script_state, init,
-                                            exception_state);
+  auto* result =
+      MakeGarbageCollected<AudioDecoder>(script_state, init, exception_state);
+  return exception_state.HadException() ? nullptr : result;
 }
 
 // static

third_party/blink/renderer/modules/webcodecs/audio_decoder_fuzzer.cc

@@ -70,36 +70,38 @@ DEFINE_TEXT_PROTO_FUZZER(
     Persistent<AudioDecoder> audio_decoder = AudioDecoder::Create(
         script_state, audio_decoder_init, IGNORE_EXCEPTION_FOR_TESTING);
 
-    for (auto& invocation : proto.invocations()) {
-      switch (invocation.Api_case()) {
-        case wc_fuzzer::AudioDecoderApiInvocation::kConfigure:
-          audio_decoder->configure(
-              MakeAudioDecoderConfig(invocation.configure()),
-              IGNORE_EXCEPTION_FOR_TESTING);
-          break;
-        case wc_fuzzer::AudioDecoderApiInvocation::kDecode:
-          audio_decoder->decode(
-              MakeEncodedAudioChunk(invocation.decode().chunk()),
-              IGNORE_EXCEPTION_FOR_TESTING);
-          break;
-        case wc_fuzzer::AudioDecoderApiInvocation::kFlush: {
-          // TODO(https://crbug.com/1119253): Fuzz whether to await resolution
-          // of the flush promise.
-          audio_decoder->flush(IGNORE_EXCEPTION_FOR_TESTING);
-          break;
+    if (audio_decoder) {
+      for (auto& invocation : proto.invocations()) {
+        switch (invocation.Api_case()) {
+          case wc_fuzzer::AudioDecoderApiInvocation::kConfigure:
+            audio_decoder->configure(
+                MakeAudioDecoderConfig(invocation.configure()),
+                IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          case wc_fuzzer::AudioDecoderApiInvocation::kDecode:
+            audio_decoder->decode(
+                MakeEncodedAudioChunk(invocation.decode().chunk()),
+                IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          case wc_fuzzer::AudioDecoderApiInvocation::kFlush: {
+            // TODO(https://crbug.com/1119253): Fuzz whether to await resolution
+            // of the flush promise.
+            audio_decoder->flush(IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          }
+          case wc_fuzzer::AudioDecoderApiInvocation::kReset:
+            audio_decoder->reset(IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          case wc_fuzzer::AudioDecoderApiInvocation::kClose:
+            audio_decoder->close(IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          case wc_fuzzer::AudioDecoderApiInvocation::API_NOT_SET:
+            break;
         }
-        case wc_fuzzer::AudioDecoderApiInvocation::kReset:
-          audio_decoder->reset(IGNORE_EXCEPTION_FOR_TESTING);
-          break;
-        case wc_fuzzer::AudioDecoderApiInvocation::kClose:
-          audio_decoder->close(IGNORE_EXCEPTION_FOR_TESTING);
-          break;
-        case wc_fuzzer::AudioDecoderApiInvocation::API_NOT_SET:
-          break;
-      }
 
-      // Give other tasks a chance to run (e.g. calling our output callback).
-      base::RunLoop().RunUntilIdle();
+        // Give other tasks a chance to run (e.g. calling our output callback).
+        base::RunLoop().RunUntilIdle();
+      }
     }
   }
 

third_party/blink/renderer/modules/webcodecs/audio_encoder.cc

@@ -23,8 +23,9 @@ const char* AudioEncoderTraits::GetNameForDevTools() {
 AudioEncoder* AudioEncoder::Create(ScriptState* script_state,
                                    const AudioEncoderInit* init,
                                    ExceptionState& exception_state) {
-  return MakeGarbageCollected<AudioEncoder>(script_state, init,
-                                            exception_state);
+  auto* result =
+      MakeGarbageCollected<AudioEncoder>(script_state, init, exception_state);
+  return exception_state.HadException() ? nullptr : result;
 }
 
 AudioEncoder::AudioEncoder(ScriptState* script_state,

third_party/blink/renderer/modules/webcodecs/image_decoder_external.cc

@@ -33,8 +33,9 @@ ImageDecoderExternal* ImageDecoderExternal::Create(
     ScriptState* script_state,
     const ImageDecoderInit* init,
     ExceptionState& exception_state) {
-  return MakeGarbageCollected<ImageDecoderExternal>(script_state, init,
-                                                    exception_state);
+  auto* result = MakeGarbageCollected<ImageDecoderExternal>(script_state, init,
+                                                            exception_state);
+  return exception_state.HadException() ? nullptr : result;
 }
 
 ImageDecoderExternal::DecodeRequest::DecodeRequest(

third_party/blink/renderer/modules/webcodecs/image_decoder_external_test.cc

@@ -89,7 +89,7 @@ TEST_F(ImageDecoderTest, DecodeEmpty) {
       DOMArrayBuffer::Create(SharedBuffer::Create())));
   auto* decoder = ImageDecoderExternal::Create(v8_scope.GetScriptState(), init,
                                                v8_scope.GetExceptionState());
-  EXPECT_TRUE(decoder);
+  EXPECT_FALSE(decoder);
   EXPECT_TRUE(v8_scope.GetExceptionState().HadException());
 }
 
@@ -108,7 +108,7 @@ TEST_F(ImageDecoderTest, DecodeNeuteredAtConstruction) {
 
   auto* decoder = ImageDecoderExternal::Create(v8_scope.GetScriptState(), init,
                                                v8_scope.GetExceptionState());
-  EXPECT_TRUE(decoder);
+  EXPECT_FALSE(decoder);
   EXPECT_TRUE(v8_scope.GetExceptionState().HadException());
 }
 
@@ -150,7 +150,7 @@ TEST_F(ImageDecoderTest, DecodeUnsupported) {
   EXPECT_FALSE(ImageDecoderExternal::canDecodeType(kImageType));
   auto* decoder =
       CreateDecoder(&v8_scope, "images/resources/test.svg", kImageType);
-  EXPECT_TRUE(decoder);
+  EXPECT_FALSE(decoder);
   EXPECT_TRUE(v8_scope.GetExceptionState().HadException());
 }
 

third_party/blink/renderer/modules/webcodecs/image_decoder_fuzzer.cc

@@ -125,32 +125,34 @@ DEFINE_BINARY_PROTO_FUZZER(
         ImageDecoderExternal::Create(script_state, image_decoder_init,
                                      IGNORE_EXCEPTION_FOR_TESTING);
 
-    // Promises will be fulfilled synchronously since we're using an array
-    // buffer based source.
-    for (auto& invocation : proto.invocations()) {
-      switch (invocation.Api_case()) {
-        case wc_fuzzer::ImageDecoderApiInvocation::kDecodeImage:
-          image_decoder->decode(
-              invocation.decode_image().frame_index(),
-              invocation.decode_image().complete_frames_only());
-          break;
-        case wc_fuzzer::ImageDecoderApiInvocation::kDecodeMetadata:
-          image_decoder->decodeMetadata();
-          break;
-        case wc_fuzzer::ImageDecoderApiInvocation::kSelectTrack:
-          image_decoder->selectTrack(invocation.select_track().track_id(),
-                                     IGNORE_EXCEPTION_FOR_TESTING);
-          break;
-        case wc_fuzzer::ImageDecoderApiInvocation::API_NOT_SET:
-          break;
+    if (image_decoder) {
+      // Promises will be fulfilled synchronously since we're using an array
+      // buffer based source.
+      for (auto& invocation : proto.invocations()) {
+        switch (invocation.Api_case()) {
+          case wc_fuzzer::ImageDecoderApiInvocation::kDecodeImage:
+            image_decoder->decode(
+                invocation.decode_image().frame_index(),
+                invocation.decode_image().complete_frames_only());
+            break;
+          case wc_fuzzer::ImageDecoderApiInvocation::kDecodeMetadata:
+            image_decoder->decodeMetadata();
+            break;
+          case wc_fuzzer::ImageDecoderApiInvocation::kSelectTrack:
+            image_decoder->selectTrack(invocation.select_track().track_id(),
+                                       IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          case wc_fuzzer::ImageDecoderApiInvocation::API_NOT_SET:
+            break;
+        }
+
+        // Give other tasks a chance to run (e.g. calling our output callback).
+        base::RunLoop().RunUntilIdle();
       }
-
-      // Give other tasks a chance to run (e.g. calling our output callback).
-      base::RunLoop().RunUntilIdle();
-
-      // TODO(crbug.com/1166925): Push the same image data incrementally into
-      // the fuzzer via a ReadableSource.
     }
+
+    // TODO(crbug.com/1166925): Push the same image data incrementally into
+    // the fuzzer via a ReadableSource.
   }
 
   // Request a V8 GC. Oilpan will be invoked by the GC epilogue.

third_party/blink/renderer/modules/webcodecs/video_decoder.cc

@@ -213,8 +213,9 @@ int VideoDecoderTraits::GetMaxDecodeRequests(const MediaDecoderType& decoder) {
 VideoDecoder* VideoDecoder::Create(ScriptState* script_state,
                                    const VideoDecoderInit* init,
                                    ExceptionState& exception_state) {
-  return MakeGarbageCollected<VideoDecoder>(script_state, init,
-                                            exception_state);
+  auto* result =
+      MakeGarbageCollected<VideoDecoder>(script_state, init, exception_state);
+  return exception_state.HadException() ? nullptr : result;
 }
 
 // static

third_party/blink/renderer/modules/webcodecs/video_decoder_fuzzer.cc

@@ -70,36 +70,38 @@ DEFINE_TEXT_PROTO_FUZZER(
     Persistent<VideoDecoder> video_decoder = VideoDecoder::Create(
         script_state, video_decoder_init, IGNORE_EXCEPTION_FOR_TESTING);
 
-    for (auto& invocation : proto.invocations()) {
-      switch (invocation.Api_case()) {
-        case wc_fuzzer::VideoDecoderApiInvocation::kConfigure:
-          video_decoder->configure(
-              MakeVideoDecoderConfig(invocation.configure()),
-              IGNORE_EXCEPTION_FOR_TESTING);
-          break;
-        case wc_fuzzer::VideoDecoderApiInvocation::kDecode:
-          video_decoder->decode(
-              MakeEncodedVideoChunk(invocation.decode().chunk()),
-              IGNORE_EXCEPTION_FOR_TESTING);
-          break;
-        case wc_fuzzer::VideoDecoderApiInvocation::kFlush: {
-          // TODO(https://crbug.com/1119253): Fuzz whether to await resolution
-          // of the flush promise.
-          video_decoder->flush(IGNORE_EXCEPTION_FOR_TESTING);
-          break;
+    if (video_decoder) {
+      for (auto& invocation : proto.invocations()) {
+        switch (invocation.Api_case()) {
+          case wc_fuzzer::VideoDecoderApiInvocation::kConfigure:
+            video_decoder->configure(
+                MakeVideoDecoderConfig(invocation.configure()),
+                IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          case wc_fuzzer::VideoDecoderApiInvocation::kDecode:
+            video_decoder->decode(
+                MakeEncodedVideoChunk(invocation.decode().chunk()),
+                IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          case wc_fuzzer::VideoDecoderApiInvocation::kFlush: {
+            // TODO(https://crbug.com/1119253): Fuzz whether to await resolution
+            // of the flush promise.
+            video_decoder->flush(IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          }
+          case wc_fuzzer::VideoDecoderApiInvocation::kReset:
+            video_decoder->reset(IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          case wc_fuzzer::VideoDecoderApiInvocation::kClose:
+            video_decoder->close(IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          case wc_fuzzer::VideoDecoderApiInvocation::API_NOT_SET:
+            break;
         }
-        case wc_fuzzer::VideoDecoderApiInvocation::kReset:
-          video_decoder->reset(IGNORE_EXCEPTION_FOR_TESTING);
-          break;
-        case wc_fuzzer::VideoDecoderApiInvocation::kClose:
-          video_decoder->close(IGNORE_EXCEPTION_FOR_TESTING);
-          break;
-        case wc_fuzzer::VideoDecoderApiInvocation::API_NOT_SET:
-          break;
-      }
 
-      // Give other tasks a chance to run (e.g. calling our output callback).
-      base::RunLoop().RunUntilIdle();
+        // Give other tasks a chance to run (e.g. calling our output callback).
+        base::RunLoop().RunUntilIdle();
+      }
     }
   }
 

third_party/blink/renderer/modules/webcodecs/video_encoder.cc

@@ -185,8 +185,9 @@ const char* VideoEncoderTraits::GetNameForDevTools() {
 VideoEncoder* VideoEncoder::Create(ScriptState* script_state,
                                    const VideoEncoderInit* init,
                                    ExceptionState& exception_state) {
-  return MakeGarbageCollected<VideoEncoder>(script_state, init,
-                                            exception_state);
+  auto* result =
+      MakeGarbageCollected<VideoEncoder>(script_state, init, exception_state);
+  return exception_state.HadException() ? nullptr : result;
 }
 
 VideoEncoder::VideoEncoder(ScriptState* script_state,

third_party/blink/renderer/modules/webcodecs/video_encoder_fuzzer.cc

@@ -77,45 +77,47 @@ DEFINE_TEXT_PROTO_FUZZER(
     Persistent<VideoEncoder> video_encoder = VideoEncoder::Create(
         script_state, video_encoder_init, IGNORE_EXCEPTION_FOR_TESTING);
 
-    for (auto& invocation : proto.invocations()) {
-      switch (invocation.Api_case()) {
-        case wc_fuzzer::VideoEncoderApiInvocation::kConfigure:
-          video_encoder->configure(MakeEncoderConfig(invocation.configure()),
-                                   IGNORE_EXCEPTION_FOR_TESTING);
-          break;
-        case wc_fuzzer::VideoEncoderApiInvocation::kEncode: {
-          VideoFrame* frame =
-              MakeVideoFrame(script_state, invocation.encode().frame());
-          // Often the fuzzer input will be too crazy to produce a valid frame
-          // (e.g. bitmap width > bitmap length). In these cases, return early
-          // to discourage this sort of fuzzer input. WebIDL doesn't allow
-          // callers to pass null, so this is not a real concern.
-          if (!frame)
-            return;
-
-          video_encoder->encode(
-              frame, MakeEncodeOptions(invocation.encode().options()),
-              IGNORE_EXCEPTION_FOR_TESTING);
-          break;
+    if (video_encoder) {
+      for (auto& invocation : proto.invocations()) {
+        switch (invocation.Api_case()) {
+          case wc_fuzzer::VideoEncoderApiInvocation::kConfigure:
+            video_encoder->configure(MakeEncoderConfig(invocation.configure()),
+                                     IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          case wc_fuzzer::VideoEncoderApiInvocation::kEncode: {
+            VideoFrame* frame =
+                MakeVideoFrame(script_state, invocation.encode().frame());
+            // Often the fuzzer input will be too crazy to produce a valid frame
+            // (e.g. bitmap width > bitmap length). In these cases, return early
+            // to discourage this sort of fuzzer input. WebIDL doesn't allow
+            // callers to pass null, so this is not a real concern.
+            if (!frame)
+              return;
+
+            video_encoder->encode(
+                frame, MakeEncodeOptions(invocation.encode().options()),
+                IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          }
+          case wc_fuzzer::VideoEncoderApiInvocation::kFlush: {
+            // TODO(https://crbug.com/1119253): Fuzz whether to await resolution
+            // of the flush promise.
+            video_encoder->flush(IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          }
+          case wc_fuzzer::VideoEncoderApiInvocation::kReset:
+            video_encoder->reset(IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          case wc_fuzzer::VideoEncoderApiInvocation::kClose:
+            video_encoder->close(IGNORE_EXCEPTION_FOR_TESTING);
+            break;
+          case wc_fuzzer::VideoEncoderApiInvocation::API_NOT_SET:
+            break;
         }
-        case wc_fuzzer::VideoEncoderApiInvocation::kFlush: {
-          // TODO(https://crbug.com/1119253): Fuzz whether to await resolution
-          // of the flush promise.
-          video_encoder->flush(IGNORE_EXCEPTION_FOR_TESTING);
-          break;
-        }
-        case wc_fuzzer::VideoEncoderApiInvocation::kReset:
-          video_encoder->reset(IGNORE_EXCEPTION_FOR_TESTING);
-          break;
-        case wc_fuzzer::VideoEncoderApiInvocation::kClose:
-          video_encoder->close(IGNORE_EXCEPTION_FOR_TESTING);
-          break;
-        case wc_fuzzer::VideoEncoderApiInvocation::API_NOT_SET:
-          break;
-      }
 
-      // Give other tasks a chance to run (e.g. calling our output callback).
-      base::RunLoop().RunUntilIdle();
+        // Give other tasks a chance to run (e.g. calling our output callback).
+        base::RunLoop().RunUntilIdle();
+      }
     }
   }