Add fuzzer infra to blink and fuzz CSS parser

This patch adds initialization for blink fuzzers that need the full unit test environment, as well as a simple fuzzer for the CSS tokenizer + parser. BUG=642570,642572 Review-Url: https://codereview.chromium.org/2274563002 Cr-Commit-Position: refs/heads/master@{#415634}

Add fuzzer infra to blink and fuzz CSS parser
This patch adds initialization for blink fuzzers that need the full unit test environment, as well as a simple fuzzer for the CSS tokenizer + parser. BUG=642570,642572 Review-Url: https://codereview.chromium.org/2274563002 Cr-Commit-Position: refs/heads/master@{#415634}
b85a5c40 · csharrison · Commit bot · 91dc56cc · b85a5c40 · b85a5c40
Commit b85a5c40 authored Aug 31, 2016 by csharrison Committed by Commit bot Aug 31, 2016
6 changed files
--- a/third_party/WebKit/Source/core/BUILD.gn
+++ b/third_party/WebKit/Source/core/BUILD.gn
@@ -1425,3 +1425,16 @@ source_set("unit_tests") {
    "//testing/gtest",
  ]
 }
+
+# Fuzzer for blink::StyleSheetContents
+fuzzer_test("stylesheet_contents_fuzzer") {
+  sources = [
+    "css/StyleSheetContentsFuzzer.cpp",
+  ]
+  deps = [
+    ":core",
+    "../platform:blink_fuzzer_test_support",
+  ]
+  seed_corpus = "//third_party/WebKit/LayoutTests/fast/css/resources"
+  libfuzzer_options = [ "max_len=2048" ]
+}
--- a/third_party/WebKit/Source/core/css/StyleSheetContentsFuzzer.cpp
+++ b/third_party/WebKit/Source/core/css/StyleSheetContentsFuzzer.cpp
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "core/css/StyleSheetContents.h"
+
+#include "platform/testing/BlinkFuzzerTestSupport.h"
+#include "wtf/text/WTFString.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+    blink::CSSParserContext context(blink::HTMLStandardMode, nullptr);
+    blink::StyleSheetContents* styleSheet = blink::StyleSheetContents::create(context);
+    styleSheet->parseString(String::fromUTF8WithLatin1Fallback(reinterpret_cast<const char*>(data), size));
+    return 0;
+}
+
+extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
+{
+    blink::InitializeBlinkFuzzTest(argc, argv);
+    return 0;
+}
--- a/third_party/WebKit/Source/platform/BUILD.gn
+++ b/third_party/WebKit/Source/platform/BUILD.gn
@@ -668,6 +668,24 @@ if (current_cpu == "x86" || current_cpu == "x64") {
  }
 }

+# This source set is used for fuzzers that need an environment similar to unit
+# tests.
+source_set("blink_fuzzer_test_support") {
+  testonly = true
+  visibility = []  # Allow re-assignment of list.
+  visibility = [ "*" ]
+  sources = [
+    "testing/BlinkFuzzerTestSupport.cpp",
+    "testing/BlinkFuzzerTestSupport.h",
+  ]
+  deps = [
+    ":platform",
+    ":test_support",
+    "//content/test:test_support",
+    "//mojo/edk/system:system",
+  ]
+}
+
 # Fuzzer for blink::MHTMLParser.
 fuzzer_test("mhtml_parser_fuzzer") {
  sources = [

--- a/third_party/WebKit/Source/platform/testing/BlinkFuzzerTestSupport.cpp
+++ b/third_party/WebKit/Source/platform/testing/BlinkFuzzerTestSupport.cpp
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "platform/testing/BlinkFuzzerTestSupport.h"
+
+#include "base/at_exit.h"
+#include "base/command_line.h"
+#include "mojo/edk/embedder/embedder.h"
+#include "platform/weborigin/SchemeRegistry.h"
+#include <content/test/blink_test_environment.h>
+
+namespace blink {
+
+void InitializeBlinkFuzzTest(int* argc, char ***argv)
+{
+    // Note: we don't tear anything down here after an iteration of the fuzzer
+    // is complete, this is for efficiency. We rerun the fuzzer with the same
+    // environment as the previous iteration.
+    base::AtExitManager atExit;
+
+    mojo::edk::Init();
+    base::CommandLine::Init(*argc, *argv);
+
+    content::SetUpBlinkTestEnvironment();
+
+    blink::SchemeRegistry::initialize();
+}
+
+} // namespace blink
--- a/third_party/WebKit/Source/platform/testing/BlinkFuzzerTestSupport.h
+++ b/third_party/WebKit/Source/platform/testing/BlinkFuzzerTestSupport.h
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BlinkFuzzerTestSupport_h
+#define BlinkFuzzerTestSupport_h
+
+namespace blink {
+
+// InitializeBlinkFuzzTest will spin up an environment similar to
+// webkit_unit_tests. It should be called in LLVMFuzzerInitialize.
+void InitializeBlinkFuzzTest(int* argc, char*** argv);
+
+} // namespace blink
+
+#endif // BlinkFuzzerTestSupport_h
--- a/third_party/WebKit/Source/platform/testing/DEPS
+++ b/third_party/WebKit/Source/platform/testing/DEPS
 include_rules = [
    # To whitelist base/ stuff Blink is allowed to include, we list up all
    # directories and files instead of writing 'base/'.
+    "+base/at_exit.h",
    "+base/command_line.h",
    "+base/i18n/icu_util.h",
    "+base/path_service.h",