tools/gn/parser_fuzzer.cc - chromium/src - Git at Google

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include <stdint.h>

 #include "tools/gn/input_file.h"
 #include "tools/gn/parser.h"
 #include "tools/gn/source_file.h"
 #include "tools/gn/tokenizer.h"

 namespace {

 enum { kMaxContentDepth = 256, kMaxDodgy = 256 };

 // Some auto generated input is too unreasonable for fuzzing GN.
 // We see stack overflow when the parser hits really deeply "nested" input.
 // (I.E.: certain input that causes nested parsing function calls).
 //
 // Abstract max limits are undesirable in the release GN code, so some sanity
 // checks in the fuzzer to prevent stack overflow are done here.
 // - 1) Too many opening bracket, paren, or brace in a row.
 // - 2) Too many '!', '<' or '>' operators in a row.
 bool SanityCheckContent(const std::vector<Token>& tokens) {
   int depth = 0;
   int dodgy_count = 0;
   for (const auto& token : tokens) {
     switch (token.type()) {
       case Token::LEFT_PAREN:
       case Token::LEFT_BRACKET:
       case Token::LEFT_BRACE:
         ++depth;
         break;
       case Token::RIGHT_PAREN:
       case Token::RIGHT_BRACKET:
       case Token::RIGHT_BRACE:
         --depth;
         break;
       case Token::BANG:
       case Token::LESS_THAN:
       case Token::GREATER_THAN:
         ++dodgy_count;
         break;
       default:
         break;
     }
     // Bail out as soon as a boundary is hit, inside the loop.
     if (depth >= kMaxContentDepth || dodgy_count >= kMaxDodgy)
       return false;
   }

   return true;
 }

 }  // namespace

 extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size) {
   SourceFile source;
   InputFile input(source);
   input.SetContents(std::string(reinterpret_cast<const char*>(data), size));

   Err err;
   std::vector<Token> tokens = Tokenizer::Tokenize(&input, &err);
   if (!SanityCheckContent(tokens))
     return 0;

   if (!err.has_error())
     Parser::Parse(tokens, &err);

   return 0;
 }
	// Copyright 2016 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include <stdint.h>

	#include "tools/gn/input_file.h"
	#include "tools/gn/parser.h"
	#include "tools/gn/source_file.h"
	#include "tools/gn/tokenizer.h"

	namespace {

	enum { kMaxContentDepth = 256, kMaxDodgy = 256 };

	// Some auto generated input is too unreasonable for fuzzing GN.
	// We see stack overflow when the parser hits really deeply "nested" input.
	// (I.E.: certain input that causes nested parsing function calls).
	//
	// Abstract max limits are undesirable in the release GN code, so some sanity
	// checks in the fuzzer to prevent stack overflow are done here.
	// - 1) Too many opening bracket, paren, or brace in a row.
	// - 2) Too many '!', '<' or '>' operators in a row.
	bool SanityCheckContent(const std::vector<Token>& tokens) {
	int depth = 0;
	int dodgy_count = 0;
	for (const auto& token : tokens) {
	switch (token.type()) {
	case Token::LEFT_PAREN:
	case Token::LEFT_BRACKET:
	case Token::LEFT_BRACE:
	++depth;
	break;
	case Token::RIGHT_PAREN:
	case Token::RIGHT_BRACKET:
	case Token::RIGHT_BRACE:
	--depth;
	break;
	case Token::BANG:
	case Token::LESS_THAN:
	case Token::GREATER_THAN:
	++dodgy_count;
	break;
	default:
	break;
	}
	// Bail out as soon as a boundary is hit, inside the loop.
	if (depth >= kMaxContentDepth \|\| dodgy_count >= kMaxDodgy)
	return false;
	}

	return true;
	}

	} // namespace

	extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size) {
	SourceFile source;
	InputFile input(source);
	input.SetContents(std::string(reinterpret_cast<const char*>(data), size));

	Err err;
	std::vector<Token> tokens = Tokenizer::Tokenize(&input, &err);
	if (!SanityCheckContent(tokens))
	return 0;

	if (!err.has_error())
	Parser::Parse(tokens, &err);

	return 0;
	}