// Copyright 2016 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "ui/accessibility/ax_tree.h"
#include "base/compiler_specific.h"
#include "base/containers/span.h"
#include "base/logging.h"
#include "testing/libfuzzer/libfuzzer_base_wrappers.h"
#include "ui/accessibility/ax_tree_observer.h"
// Entry point for LibFuzzer.
// Harness contract: `data` is untrusted, fuzzer-chosen bytes. It is decoded as
// a flat sequence of records of the form
//   [node id][child count][child id]...
// where every field is a single byte, so node and child ids are confined to
// 0..255. A record cut short by the end of the input is kept with whatever
// child ids were available. The decoded update is not validated here (ids may
// repeat, children may never be declared as nodes); it is passed unchanged to
// ui::AXTree::Unserialize(), the call this harness exercises. Always returns 0.
DEFINE_LLVM_FUZZER_TEST_ONE_INPUT_SPAN(base::span<const uint8_t> data) {
  ui::AXTreeUpdate initial_state;

  // `pos` is the read cursor into `data`; every read below is preceded by a
  // bounds comparison against data.size().
  for (size_t pos = 0; pos < data.size();) {
    ui::AXNodeData node;
    node.id = data[pos++];

    if (pos < data.size()) {
      // The declared count is only an upper bound: the inner loop also stops
      // as soon as the input is exhausted.
      const size_t child_count = data[pos++];
      size_t taken = 0;
      while (taken < child_count && pos < data.size()) {
        node.child_ids.push_back(data[pos++]);
        ++taken;
      }
    }

    initial_state.nodes.push_back(node);
  }

  // Don't test absurdly large trees, it might time out.
  // Each node consumes at least one input byte, so the node count can never
  // exceed data.size(); the non-NDEBUG build uses a 10x smaller cap.
#if defined(NDEBUG)
  constexpr size_t kMaxNodes = 500000;
#else
  constexpr size_t kMaxNodes = 50000;
#endif
  const bool too_large = initial_state.nodes.size() > kMaxNodes;
  if (too_large) {
    LOG(WARNING) << "Skipping input because it's too large";
    return 0;
  }

  // Run with --v=1 to aid in debugging a specific crash.
  VLOG(1) << "Input accessibility tree:\n" << initial_state.ToString();

  // A default observer stays registered for the duration of Unserialize() and
  // is removed before `tree` goes out of scope.
  // NOTE(review): presumably this is so observer notification paths are
  // exercised as well -- confirm against ui::AXTreeObserver.
  ui::AXTreeObserver observer;
  ui::AXTree tree;
  tree.AddObserver(&observer);
  // The result of Unserialize() is not inspected; the harness does not
  // distinguish accepted updates from rejected ones.
  tree.Unserialize(initial_state);
  tree.RemoveObserver(&observer);

  return 0;
}