Add idempotency check to gurl_fuzzer.

The fuzzer will now check that recanonicalizing a GURL spec string returns the original spec. This CL also adds some inputs from the linked bug to the fuzzer's dict. Bug: 1128999 Change-Id: I8143fd027eaa3a084f913f49f4b13b2b499880b0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2414615 Commit-Queue: Dan McArdle <dmcardle@chromium.org> Reviewed-by: Charlie Harrison <csharrison@chromium.org> Cr-Commit-Position: refs/heads/master@{#809069}

Add idempotency check to gurl_fuzzer.
The fuzzer will now check that recanonicalizing a GURL spec string returns the original spec. This CL also adds some inputs from the linked bug to the fuzzer's dict. Bug: 1128999 Change-Id: I8143fd027eaa3a084f913f49f4b13b2b499880b0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2414615 Commit-Queue: Dan McArdle <dmcardle@chromium.org> Reviewed-by: Charlie Harrison <csharrison@chromium.org> Cr-Commit-Position: refs/heads/master@{#809069}
4adfd136 · Dan McArdle · Commit Bot · b6f76c3e · 4adfd136 · 4adfd136
Commit 4adfd136 authored Sep 21, 2020 by Dan McArdle Committed by Commit Bot Sep 21, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 0 deletions

url/gurl_fuzzer.cc url/gurl_fuzzer.cc +13 -0

url/gurl_fuzzer.dict url/gurl_fuzzer.dict +4 -0

No files found.
--- a/url/gurl_fuzzer.cc
+++ b/url/gurl_fuzzer.cc
@@ -18,6 +18,17 @@ TestCase* test_case = new TestCase();
 // Empty replacements cause no change when applied.
 GURL::Replacements* no_op = new GURL::Replacements();

+// Checks that GURL's canonicalization is idempotent. This can help discover
+// issues like https://crbug.com/1128999.
+void CheckIdempotency(const GURL& url) {
+  if (!url.is_valid())
+    return;
+  const std::string& spec = url.spec();
+  GURL recanonicalized(spec);
+  CHECK(recanonicalized.is_valid());
+  CHECK_EQ(spec, recanonicalized.spec());
+}
+
 // Entry point for LibFuzzer.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  if (size < 1)
@@ -26,6 +37,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  base::StringPiece string_piece_input(reinterpret_cast<const char*>(data),
                                       size);
  GURL url_from_string_piece(string_piece_input);
+  CheckIdempotency(url_from_string_piece);
  // Copying by applying empty replacements exercises interesting code paths.
  // This can help discover issues like https://crbug.com/1075515.
  GURL copy = url_from_string_piece.ReplaceComponents(*no_op);
@@ -40,6 +52,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
        reinterpret_cast<const base::char16*>(data), size / 2);

    GURL url_from_string_piece16(string_piece_input16);
+    CheckIdempotency(url_from_string_piece16);
  }

  // Resolve relative url tests.

--- a/url/gurl_fuzzer.dict
+++ b/url/gurl_fuzzer.dict
@@ -403,3 +403,7 @@

 # This comes from https://crbug.com/1075515.
 "FilEsysteM:htTp:E=/."
+
+# This comes from https://crbug.com/1128999.
+"file:///.//"
+"file:////"