Place a limit on the number of async operations in FuzzedSocket.

It can take an order of magnitude more time to spin a message loop and
handle a result asynchronously than it does to handle the same result
synchronously, and tests were timing out as a result. Placing a limit
on async results will hopefully reduce the number of fuzzers using
FuzzedSocket that time out.

Bug: 823012
Change-Id: I110fbf2ce0b96cce12cb84ea21c3f44e6b45005b
Reviewed-on: https://chromium-review.googlesource.com/972377
Commit-Queue: Matt Menke <mmenke@chromium.org>
Reviewed-by: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#544697}

net/socket/fuzzed_socket.cc

@@ -19,6 +19,8 @@ namespace net {
 
 namespace {
 
+const int kMaxAsyncReadsAndWrites = 1000;
+
 // Some of the socket errors that can be returned by normal socket connection
 // attempts.
 const Error kConnectErrors[] = {
@@ -57,8 +59,12 @@ int FuzzedSocket::Read(IOBuffer* buf,
     result = net_error_;
     sync = !error_pending_;
   } else {
-    // Otherwise, use |data_provider_|.
-    sync = data_provider_->ConsumeBool();
+    // Otherwise, use |data_provider_|. Always consume a bool, even when
+    // ForceSync() is true, to behave more consistently against input mutations.
+    sync = data_provider_->ConsumeBool() || ForceSync();
+
+    num_async_reads_and_writes_ += static_cast<int>(!sync);
+
     std::string data = data_provider_->ConsumeRandomLengthString(buf_len);
     result = data.size();
 
@@ -106,8 +112,12 @@ int FuzzedSocket::Write(
     result = net_error_;
     sync = !error_pending_;
   } else {
-    // Otherwise, use |data_|.
-    sync = data_provider_->ConsumeBool();
+    // Otherwise, use |data_provider_|. Always consume a bool, even when
+    // ForceSync() is true, to behave more consistently against input mutations.
+    sync = data_provider_->ConsumeBool() || ForceSync();
+
+    num_async_reads_and_writes_ += static_cast<int>(!sync);
+
     result = data_provider_->ConsumeUint8();
     if (result > buf_len)
       result = buf_len;
@@ -283,4 +293,8 @@ void FuzzedSocket::OnConnectComplete(const CompletionCallback& callback,
   callback.Run(result);
 }
 
+bool FuzzedSocket::ForceSync() const {
+  return (num_async_reads_and_writes_ >= kMaxAsyncReadsAndWrites);
+}
+
 }  // namespace net

net/socket/fuzzed_socket.h

@@ -99,6 +99,12 @@ class FuzzedSocket : public StreamSocket {
   void OnWriteComplete(const CompletionCallback& callback, int result);
   void OnConnectComplete(const CompletionCallback& callback, int result);
 
+  // Returns whether all operations should be synchronous.  Starts returning
+  // true once there have been too many async reads and writes, as spinning the
+  // message loop too often tends to cause fuzzers to time out.
+  // See https://crbug.com/823012
+  bool ForceSync() const;
+
   base::FuzzedDataProvider* data_provider_;
 
   // If true, the result of the Connect() call is fuzzed - it can succeed or
@@ -122,6 +128,8 @@ class FuzzedSocket : public StreamSocket {
   int64_t total_bytes_read_ = 0;
   int64_t total_bytes_written_ = 0;
 
+  int num_async_reads_and_writes_ = 0;
+
   NetLogWithSource net_log_;
 
   IPEndPoint remote_address_;