1 /*
2  *
3  * Copyright 2016 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #include <string.h>
20 
21 #include <grpc/grpc.h>
22 #include <grpc/support/alloc.h>
23 #include <grpc/support/string_util.h>
24 
25 #include "src/core/ext/transport/chttp2/transport/chttp2_transport.h"
26 #include "src/core/lib/iomgr/executor.h"
27 #include "src/core/lib/slice/slice_internal.h"
28 #include "src/core/lib/surface/channel.h"
29 #include "test/core/util/memory_counters.h"
30 #include "test/core/util/mock_endpoint.h"
31 
32 bool squelch = true;
33 bool leak_check = true;
34 
discard_write(grpc_slice slice)35 static void discard_write(grpc_slice slice) {}
36 
tag(int n)37 static void* tag(int n) { return (void*)static_cast<uintptr_t>(n); }
38 
dont_log(gpr_log_func_args * args)39 static void dont_log(gpr_log_func_args* args) {}
40 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)41 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
42   grpc_test_only_set_slice_hash_seed(0);
43   struct grpc_memory_counters counters;
44   if (squelch) gpr_set_log_function(dont_log);
45   if (leak_check) grpc_memory_counters_init();
46   grpc_init();
47   {
48     grpc_core::ExecCtx exec_ctx;
49     grpc_executor_set_threading(false);
50 
51     grpc_resource_quota* resource_quota =
52         grpc_resource_quota_create("client_fuzzer");
53     grpc_endpoint* mock_endpoint =
54         grpc_mock_endpoint_create(discard_write, resource_quota);
55     grpc_resource_quota_unref_internal(resource_quota);
56 
57     grpc_completion_queue* cq = grpc_completion_queue_create_for_next(nullptr);
58     grpc_transport* transport =
59         grpc_create_chttp2_transport(nullptr, mock_endpoint, true);
60     grpc_chttp2_transport_start_reading(transport, nullptr, nullptr);
61 
62     grpc_arg authority_arg = grpc_channel_arg_string_create(
63         const_cast<char*>(GRPC_ARG_DEFAULT_AUTHORITY),
64         const_cast<char*>("test-authority"));
65     grpc_channel_args* args =
66         grpc_channel_args_copy_and_add(nullptr, &authority_arg, 1);
67     grpc_channel* channel = grpc_channel_create(
68         "test-target", args, GRPC_CLIENT_DIRECT_CHANNEL, transport);
69     grpc_channel_args_destroy(args);
70     grpc_slice host = grpc_slice_from_static_string("localhost");
71     grpc_call* call = grpc_channel_create_call(
72         channel, nullptr, 0, cq, grpc_slice_from_static_string("/foo"), &host,
73         gpr_inf_future(GPR_CLOCK_REALTIME), nullptr);
74 
75     grpc_metadata_array initial_metadata_recv;
76     grpc_metadata_array_init(&initial_metadata_recv);
77     grpc_byte_buffer* response_payload_recv = nullptr;
78     grpc_metadata_array trailing_metadata_recv;
79     grpc_metadata_array_init(&trailing_metadata_recv);
80     grpc_status_code status;
81     grpc_slice details = grpc_empty_slice();
82 
83     grpc_op ops[6];
84     memset(ops, 0, sizeof(ops));
85     grpc_op* op = ops;
86     op->op = GRPC_OP_SEND_INITIAL_METADATA;
87     op->data.send_initial_metadata.count = 0;
88     op->flags = 0;
89     op->reserved = nullptr;
90     op++;
91     op->op = GRPC_OP_SEND_CLOSE_FROM_CLIENT;
92     op->flags = 0;
93     op->reserved = nullptr;
94     op++;
95     op->op = GRPC_OP_RECV_INITIAL_METADATA;
96     op->data.recv_initial_metadata.recv_initial_metadata =
97         &initial_metadata_recv;
98     op->flags = 0;
99     op->reserved = nullptr;
100     op++;
101     op->op = GRPC_OP_RECV_MESSAGE;
102     op->data.recv_message.recv_message = &response_payload_recv;
103     op->flags = 0;
104     op->reserved = nullptr;
105     op++;
106     op->op = GRPC_OP_RECV_STATUS_ON_CLIENT;
107     op->data.recv_status_on_client.trailing_metadata = &trailing_metadata_recv;
108     op->data.recv_status_on_client.status = &status;
109     op->data.recv_status_on_client.status_details = &details;
110     op->flags = 0;
111     op->reserved = nullptr;
112     op++;
113     grpc_call_error error =
114         grpc_call_start_batch(call, ops, (size_t)(op - ops), tag(1), nullptr);
115     int requested_calls = 1;
116     GPR_ASSERT(GRPC_CALL_OK == error);
117 
118     grpc_mock_endpoint_put_read(
119         mock_endpoint, grpc_slice_from_copied_buffer((const char*)data, size));
120 
121     grpc_event ev;
122     while (1) {
123       grpc_core::ExecCtx::Get()->Flush();
124       ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
125                                       nullptr);
126       switch (ev.type) {
127         case GRPC_QUEUE_TIMEOUT:
128           goto done;
129         case GRPC_QUEUE_SHUTDOWN:
130           break;
131         case GRPC_OP_COMPLETE:
132           requested_calls--;
133           break;
134       }
135     }
136 
137   done:
138     if (requested_calls) {
139       grpc_call_cancel(call, nullptr);
140     }
141     for (int i = 0; i < requested_calls; i++) {
142       ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
143                                       nullptr);
144       GPR_ASSERT(ev.type == GRPC_OP_COMPLETE);
145     }
146     grpc_completion_queue_shutdown(cq);
147     for (int i = 0; i < requested_calls; i++) {
148       ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
149                                       nullptr);
150       GPR_ASSERT(ev.type == GRPC_QUEUE_SHUTDOWN);
151     }
152     grpc_call_unref(call);
153     grpc_completion_queue_destroy(cq);
154     grpc_metadata_array_destroy(&initial_metadata_recv);
155     grpc_metadata_array_destroy(&trailing_metadata_recv);
156     grpc_slice_unref(details);
157     grpc_channel_destroy(channel);
158     if (response_payload_recv != nullptr) {
159       grpc_byte_buffer_destroy(response_payload_recv);
160     }
161   }
162   grpc_shutdown();
163   if (leak_check) {
164     counters = grpc_memory_counters_snapshot();
165     grpc_memory_counters_destroy();
166     GPR_ASSERT(counters.total_size_relative == 0);
167   }
168   return 0;
169 }
170