Merge branch 'fuzz-it' into error

5abe38bb · Craig Tiller · 95b9064d · 7987d793 · 5abe38bb · 5abe38bb
Commit 5abe38bb authored 8 years ago by Craig Tiller
--- a/test/core/end2end/fuzzers/api_fuzzer.c
+++ b/test/core/end2end/fuzzers/api_fuzzer.c
@@ -345,6 +345,8 @@ static void free_non_null(void *p) {
 typedef enum { ROOT, CLIENT, SERVER, PENDING_SERVER } call_state_type;
+#define DONE_FLAG_CALL_CLOSED ((uint64_t)(1 << 0))
 typedef struct call_state {
  call_state_type type;
  grpc_call *call;
@@ -357,6 +359,10 @@ typedef struct call_state {
  int cancelled;
  int pending_ops;
  grpc_call_details call_details;
+  grpc_byte_buffer *send_message;
+  // starts at 0, individual flags from DONE_FLAG_xxx are set
+  // as different operations are completed
+  uint64_t done_flags;
  // array of pointers to free later
  size_t num_to_free;
@@ -454,10 +460,41 @@ static void finished_request_call(void *csp, bool success) {
  }
 }
-static void finished_batch(void *csp, bool success) {
+typedef struct {
-  call_state *cs = csp;
+  call_state *cs;
-  --cs->pending_ops;
+  uint8_t has_ops;
-  maybe_delete_call_state(cs);
+} batch_info;
+static void finished_batch(void *p, bool success) {
+  batch_info *bi = p;
+  --bi->cs->pending_ops;
+  if ((bi->has_ops & (1u << GRPC_OP_RECV_MESSAGE)) &&
+      (bi->cs->done_flags & DONE_FLAG_CALL_CLOSED)) {
+    GPR_ASSERT(bi->cs->recv_message == NULL);
+  }
+  if ((bi->has_ops & (1u << GRPC_OP_RECV_MESSAGE) &&
+       bi->cs->recv_message != NULL)) {
+    grpc_byte_buffer_destroy(bi->cs->recv_message);
+    bi->cs->recv_message = NULL;
+  }
+  if ((bi->has_ops & (1u << GRPC_OP_SEND_MESSAGE))) {
+    grpc_byte_buffer_destroy(bi->cs->send_message);
+    bi->cs->send_message = NULL;
+  }
+  if ((bi->has_ops & (1u << GRPC_OP_RECV_STATUS_ON_CLIENT)) ||
+      (bi->has_ops & (1u << GRPC_OP_RECV_CLOSE_ON_SERVER))) {
+    bi->cs->done_flags |= DONE_FLAG_CALL_CLOSED;
+  }
+  maybe_delete_call_state(bi->cs);
+  gpr_free(bi);
+}
+static validator *make_finished_batch_validator(call_state *cs,
+                                                uint8_t has_ops) {
+  batch_info *bi = gpr_malloc(sizeof(*bi));
+  bi->cs = cs;
+  bi->has_ops = has_ops;
+  return create_validator(finished_batch, bi);
 }
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
@@ -584,6 +621,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        } else {
          end(&inp);
        }
+        break;
      }
      // begin server shutdown
      case 5: {
@@ -705,6 +743,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        bool ok = true;
        size_t i;
        grpc_op *op;
+        uint8_t has_ops = 0;
        for (i = 0; i < num_ops; i++) {
          op = &ops[i];
          switch (next_byte(&inp)) {
@@ -715,19 +754,28 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
              break;
            case GRPC_OP_SEND_INITIAL_METADATA:
              op->op = GRPC_OP_SEND_INITIAL_METADATA;
+              has_ops |= 1 << GRPC_OP_SEND_INITIAL_METADATA;
              read_metadata(&inp, &op->data.send_initial_metadata.count,
                            &op->data.send_initial_metadata.metadata,
                            g_active_call);
              break;
            case GRPC_OP_SEND_MESSAGE:
              op->op = GRPC_OP_SEND_MESSAGE;
-              op->data.send_message = read_message(&inp);
+              if (g_active_call->send_message != NULL) {
+                ok = false;
+              } else {
+                has_ops |= 1 << GRPC_OP_SEND_MESSAGE;
+                g_active_call->send_message = op->data.send_message =
+                    read_message(&inp);
+              }
              break;
            case GRPC_OP_SEND_CLOSE_FROM_CLIENT:
              op->op = GRPC_OP_SEND_CLOSE_FROM_CLIENT;
+              has_ops |= 1 << GRPC_OP_SEND_CLOSE_FROM_CLIENT;
              break;
            case GRPC_OP_SEND_STATUS_FROM_SERVER:
              op->op = GRPC_OP_SEND_STATUS_FROM_SERVER;
+              has_ops |= 1 << GRPC_OP_SEND_STATUS_FROM_SERVER;
              read_metadata(
                  &inp,
                  &op->data.send_status_from_server.trailing_metadata_count,
@@ -739,11 +787,13 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
              break;
            case GRPC_OP_RECV_INITIAL_METADATA:
              op->op = GRPC_OP_RECV_INITIAL_METADATA;
+              has_ops |= 1 << GRPC_OP_RECV_INITIAL_METADATA;
              op->data.recv_initial_metadata =
                  &g_active_call->recv_initial_metadata;
              break;
            case GRPC_OP_RECV_MESSAGE:
              op->op = GRPC_OP_RECV_MESSAGE;
+              has_ops |= 1 << GRPC_OP_RECV_MESSAGE;
              op->data.recv_message = &g_active_call->recv_message;
              break;
            case GRPC_OP_RECV_STATUS_ON_CLIENT:
@@ -758,6 +808,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
              break;
            case GRPC_OP_RECV_CLOSE_ON_SERVER:
              op->op = GRPC_OP_RECV_CLOSE_ON_SERVER;
+              has_ops |= 1 << GRPC_OP_RECV_CLOSE_ON_SERVER;
              op->data.recv_close_on_server.cancelled =
                  &g_active_call->cancelled;
              break;
@@ -766,7 +817,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
          op->flags = read_uint32(&inp);
        }
        if (ok) {
-          validator *v = create_validator(finished_batch, g_active_call);
+          validator *v = make_finished_batch_validator(g_active_call, has_ops);
          g_active_call->pending_ops++;
          grpc_call_error error =
              grpc_call_start_batch(g_active_call->call, ops, num_ops, v, NULL);
@@ -777,17 +828,18 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        } else {
          end(&inp);
        }
+        if (!ok && (has_ops & (1 << GRPC_OP_SEND_MESSAGE))) {
+          grpc_byte_buffer_destroy(g_active_call->send_message);
+          g_active_call->send_message = NULL;
+        }
        for (i = 0; i < num_ops; i++) {
          op = &ops[i];
          switch (op->op) {
-            case GRPC_OP_SEND_INITIAL_METADATA:
-              break;
-            case GRPC_OP_SEND_MESSAGE:
-              grpc_byte_buffer_destroy(op->data.send_message);
-              break;
            case GRPC_OP_SEND_STATUS_FROM_SERVER:
              gpr_free((void *)op->data.send_status_from_server.status_details);
              break;
+            case GRPC_OP_SEND_MESSAGE:
+            case GRPC_OP_SEND_INITIAL_METADATA:
            case GRPC_OP_SEND_CLOSE_FROM_CLIENT:
            case GRPC_OP_RECV_INITIAL_METADATA:
            case GRPC_OP_RECV_MESSAGE:

--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/001ea98069c10f808c281da9bbdd84cc05c3bad1
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/001ea98069c10f808c281da9bbdd84cc05c3bad1
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/01f52e31dfffdab89d83acd39925c3dd81baa76f
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/01f52e31dfffdab89d83acd39925c3dd81baa76f
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/02c3cf8d52fbc43f89b5f516a17cea23b68fc8d5
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/02c3cf8d52fbc43f89b5f516a17cea23b68fc8d5
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/032744b59cafd3320cc932ad39926a9bc92f589e
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/032744b59cafd3320cc932ad39926a9bc92f589e
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/0385c7b41263419e25a4342fbfc44fbd65eb2ed5
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/0385c7b41263419e25a4342fbfc44fbd65eb2ed5
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/04d93c9df413717f71abd091592b5238afb799e8
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/04d93c9df413717f71abd091592b5238afb799e8
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/064d50aee4416ccf32f4e4fe7b770b7802265ffe
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/064d50aee4416ccf32f4e4fe7b770b7802265ffe
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/066e7fcb68e83b432c414f63f6de73e5f5099e49
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/066e7fcb68e83b432c414f63f6de73e5f5099e49
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/06c714e289673cf982ce2ac0670707a15f2ac5ea
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/06c714e289673cf982ce2ac0670707a15f2ac5ea
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/071247b8fddda8aa520d9142c89039fbf8bf6cee
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/071247b8fddda8aa520d9142c89039fbf8bf6cee
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/07cb3b9baca1bbcce2e199e551073ba2fdd4e05c
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/07cb3b9baca1bbcce2e199e551073ba2fdd4e05c
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/07fa2b6ed650d436f423adcccfcbe63ce6253de0
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/07fa2b6ed650d436f423adcccfcbe63ce6253de0
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/081e3248dfca2b32837c4738daee3a4698caaf15
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/081e3248dfca2b32837c4738daee3a4698caaf15
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/088bf259e854abd9508d91b23983737f8e9e242c
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/088bf259e854abd9508d91b23983737f8e9e242c
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/0976de1461fb037c6987d77d088416440b524dde
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/0976de1461fb037c6987d77d088416440b524dde
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/0adaf5f559e1fb9cd8cd5b29911e13bca315c606
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/0adaf5f559e1fb9cd8cd5b29911e13bca315c606
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/0af5adf68560b3a7036ad23af62e4f9749eca690
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/0af5adf68560b3a7036ad23af62e4f9749eca690
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/0becc6ede499ddc452fd4e6c3c0413a1107a8373
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/0becc6ede499ddc452fd4e6c3c0413a1107a8373
--- a/test/core/end2end/fuzzers/api_fuzzer_corpus/0c531e03e56a5cf48bdd531a8c11a19e4a3b0aeb
+++ b/test/core/end2end/fuzzers/api_fuzzer_corpus/0c531e03e56a5cf48bdd531a8c11a19e4a3b0aeb