oop: Ignore DrawTextBlob ops in the paint op buffer equality fuzzer.

DrawTextBlob pose an issue to the equality fuzzer in that we don't reconstruct typefaces at deserialization, making the op impossible to serialize again (it asserts). This patch ignores these ops in the equality fuzzer. R=enne@chromium.org Bug: 798939 Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel Change-Id: I50c039e88737ac443c834b2207f77acb798c3612 Reviewed-on: https://chromium-review.googlesource.com/850538Reviewed-by: enne <enne@chromium.org> Commit-Queue: vmpstr <vmpstr@chromium.org> Cr-Commit-Position: refs/heads/master@{#527055}

oop: Ignore DrawTextBlob ops in the paint op buffer equality fuzzer.
DrawTextBlob pose an issue to the equality fuzzer in that we don't reconstruct typefaces at deserialization, making the op impossible to serialize again (it asserts). This patch ignores these ops in the equality fuzzer. R=enne@chromium.org Bug: 798939 Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel Change-Id: I50c039e88737ac443c834b2207f77acb798c3612 Reviewed-on: https://chromium-review.googlesource.com/850538Reviewed-by: enne <enne@chromium.org> Commit-Queue: vmpstr <vmpstr@chromium.org> Cr-Commit-Position: refs/heads/master@{#527055}
a2649687 · Vladimir Levin · Commit Bot · 6010031f · a2649687
Commit a2649687 authored Jan 04, 2018 by Vladimir Levin Committed by Commit Bot Jan 04, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 12 deletions

cc/paint/paint_op_buffer_eq_fuzzer.cc cc/paint/paint_op_buffer_eq_fuzzer.cc +16 -12

No files found.
--- a/cc/paint/paint_op_buffer_eq_fuzzer.cc
+++ b/cc/paint/paint_op_buffer_eq_fuzzer.cc
@@ -65,18 +65,22 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  if (!deserialized_op1)
    return 0;

-  // TODO(enne): Text blobs sometimes are "valid" but null, which is an
-  // interim state as text blob serialization has not been completed.
-  // It needs to be valid in practice (so that web pages don't crash) but
-  // should be invalid for the fuzzer (as this cannot reserialize).
-  // See also: TODO in PaintOpReader::Read(scoped_refptr<PaintTextBlob>*)
-  if (deserialized_op1->GetType() == cc::PaintOpType::DrawTextBlob) {
-    auto* draw_text_op = static_cast<cc::DrawTextBlobOp*>(deserialized_op1);
-    if (!draw_text_op->blob->ToSkTextBlob()) {
-      deserialized_op1->DestroyThis();
-      return 0;
-    }
-  }
+  // DrawTextBlob ops contain two pieces of information: a text blob, and a
+  // vector of typefaces that are used in the blob. However, during
+  // deserialization we never need to reconstruct the vector of typefaces, since
+  // it is only used to reconstruct the blob directly. This, however, poses a
+  // problem for this fuzzer since we will then try to serialize the op again,
+  // resulting in an assert. The assert says that we don't have typefaces
+  // (serialized from the vector) that are required to serialize the text blob.
+  // The solution is to skip the equality fuzzer for DrawTextBlob ops.
+  //
+  // Normally the initial deserialization would also fail and we would early out
+  // above, since the transfer cache doesn't have any entries to reconstruct the
+  // text blob. However, Skia, given some data, seems to be able to construct an
+  // SkTextBlob without accessing the given cataloger. See crbug.com/798939 for
+  // an example of such a test case.
+  if (deserialized_op1->GetType() == cc::PaintOpType::DrawTextBlob)
+    return 0;

  // If we get to this point, then the op should be ok to serialize/deserialize
  // and any failure is a dcheck.