OLD | NEW |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "bindings/core/v8/SerializedScriptValue.h" | 5 #include "bindings/core/v8/SerializedScriptValue.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <cstddef> | 8 #include <cstddef> |
9 #include <cstdint> | 9 #include <cstdint> |
10 | 10 |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
61 | 61 |
62 int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { | 62 int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { |
63 // Odd sizes are handled in various ways, depending how they arrive. | 63 // Odd sizes are handled in various ways, depending how they arrive. |
64 // Let's not worry about that case here. | 64 // Let's not worry about that case here. |
65 if (size % sizeof(UChar)) | 65 if (size % sizeof(UChar)) |
66 return 0; | 66 return 0; |
67 | 67 |
68 // Used to control what kind of extra data is provided to the deserializer. | 68 // Used to control what kind of extra data is provided to the deserializer. |
69 unsigned hash = StringHasher::hashMemory(data, size); | 69 unsigned hash = StringHasher::hashMemory(data, size); |
70 | 70 |
| 71 SerializedScriptValue::DeserializeOptions options; |
| 72 |
71 // If message ports are requested, make some. | 73 // If message ports are requested, make some. |
72 MessagePortArray* messagePorts = nullptr; | 74 MessagePortArray* messagePorts = nullptr; |
73 if (hash & kFuzzMessagePorts) { | 75 if (hash & kFuzzMessagePorts) { |
74 messagePorts = new MessagePortArray(3); | 76 options.messagePorts = new MessagePortArray(3); |
75 std::generate(messagePorts->begin(), messagePorts->end(), []() { | 77 std::generate(messagePorts->begin(), messagePorts->end(), []() { |
76 WebMessagePortChannelUniquePtr channel(new WebMessagePortChannelImpl()); | 78 WebMessagePortChannelUniquePtr channel(new WebMessagePortChannelImpl()); |
77 MessagePort* port = MessagePort::create(pageHolder->document()); | 79 MessagePort* port = MessagePort::create(pageHolder->document()); |
78 port->entangle(std::move(channel)); | 80 port->entangle(std::move(channel)); |
79 return port; | 81 return port; |
80 }); | 82 }); |
81 } | 83 } |
82 | 84 |
83 // If blobs are requested, supply blob info. | 85 // If blobs are requested, supply blob info. |
84 const auto* blobs = (hash & kFuzzBlobInfo) ? blobInfoArray : nullptr; | 86 options.blobInfo = (hash & kFuzzBlobInfo) ? blobInfoArray : nullptr; |
85 | 87 |
86 // Set up. | 88 // Set up. |
87 ScriptState* scriptState = ScriptState::forMainWorld(&pageHolder->frame()); | 89 ScriptState* scriptState = ScriptState::forMainWorld(&pageHolder->frame()); |
88 v8::Isolate* isolate = scriptState->isolate(); | 90 v8::Isolate* isolate = scriptState->isolate(); |
89 ScriptState::Scope scope(scriptState); | 91 ScriptState::Scope scope(scriptState); |
90 v8::TryCatch tryCatch(isolate); | 92 v8::TryCatch tryCatch(isolate); |
91 | 93 |
92 // Deserialize. | 94 // Deserialize. |
93 RefPtr<SerializedScriptValue> serializedScriptValue = | 95 RefPtr<SerializedScriptValue> serializedScriptValue = |
94 SerializedScriptValue::create(reinterpret_cast<const char*>(data), size); | 96 SerializedScriptValue::create(reinterpret_cast<const char*>(data), size); |
95 serializedScriptValue->deserialize(isolate, messagePorts, blobs); | 97 serializedScriptValue->deserialize(isolate, options); |
96 CHECK(!tryCatch.HasCaught()) | 98 CHECK(!tryCatch.HasCaught()) |
97 << "deserialize() should return null rather than throwing an exception."; | 99 << "deserialize() should return null rather than throwing an exception."; |
98 | 100 |
99 // Request a V8 GC. Oilpan will be invoked by the GC epilogue. | 101 // Request a V8 GC. Oilpan will be invoked by the GC epilogue. |
100 // | 102 // |
101 // Multiple GCs may be required to ensure everything is collected (due to | 103 // Multiple GCs may be required to ensure everything is collected (due to |
102 // a chain of persistent handles), so some objects may not be collected until | 104 // a chain of persistent handles), so some objects may not be collected until |
103 // a subsequent iteration. This is slow enough as is, so we compromise on one | 105 // a subsequent iteration. This is slow enough as is, so we compromise on one |
104 // major GC, as opposed to the 5 used in V8GCController for unit tests. | 106 // major GC, as opposed to the 5 used in V8GCController for unit tests. |
105 V8PerIsolateData::mainThreadIsolate()->RequestGarbageCollectionForTesting( | 107 V8PerIsolateData::mainThreadIsolate()->RequestGarbageCollectionForTesting( |
106 v8::Isolate::kFullGarbageCollection); | 108 v8::Isolate::kFullGarbageCollection); |
107 | 109 |
108 return 0; | 110 return 0; |
109 } | 111 } |
110 | 112 |
111 } // namespace blink | 113 } // namespace blink |
112 | 114 |
113 extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) { | 115 extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) { |
114 return blink::LLVMFuzzerInitialize(argc, argv); | 116 return blink::LLVMFuzzerInitialize(argc, argv); |
115 } | 117 } |
116 | 118 |
117 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { | 119 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { |
118 return blink::LLVMFuzzerTestOneInput(data, size); | 120 return blink::LLVMFuzzerTestOneInput(data, size); |
119 } | 121 } |
OLD | NEW |