1 /*
2  *
3  * Copyright 2016 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #include <grpc/grpc.h>
20 
21 #include "src/core/ext/transport/chttp2/transport/chttp2_transport.h"
22 #include "src/core/lib/iomgr/executor.h"
23 #include "src/core/lib/slice/slice_internal.h"
24 #include "src/core/lib/surface/server.h"
25 #include "test/core/util/memory_counters.h"
26 #include "test/core/util/mock_endpoint.h"
27 
28 bool squelch = true;
29 bool leak_check = true;
30 
discard_write(grpc_slice slice)31 static void discard_write(grpc_slice slice) {}
32 
tag(int n)33 static void* tag(int n) { return (void*)static_cast<uintptr_t>(n); }
detag(void * p)34 static int detag(void* p) { return static_cast<int>((uintptr_t)p); }
35 
dont_log(gpr_log_func_args * args)36 static void dont_log(gpr_log_func_args* args) {}
37 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)38 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
39   grpc_test_only_set_slice_hash_seed(0);
40   struct grpc_memory_counters counters;
41   if (squelch) gpr_set_log_function(dont_log);
42   if (leak_check) grpc_memory_counters_init();
43   grpc_init();
44   {
45     grpc_core::ExecCtx exec_ctx;
46     grpc_executor_set_threading(false);
47 
48     grpc_resource_quota* resource_quota =
49         grpc_resource_quota_create("server_fuzzer");
50     grpc_endpoint* mock_endpoint =
51         grpc_mock_endpoint_create(discard_write, resource_quota);
52     grpc_resource_quota_unref_internal(resource_quota);
53     grpc_mock_endpoint_put_read(
54         mock_endpoint, grpc_slice_from_copied_buffer((const char*)data, size));
55 
56     grpc_server* server = grpc_server_create(nullptr, nullptr);
57     grpc_completion_queue* cq = grpc_completion_queue_create_for_next(nullptr);
58     grpc_server_register_completion_queue(server, cq, nullptr);
59     // TODO(ctiller): add registered methods (one for POST, one for PUT)
60     // void *registered_method =
61     //    grpc_server_register_method(server, "/reg", NULL, 0);
62     grpc_server_start(server);
63     grpc_transport* transport =
64         grpc_create_chttp2_transport(nullptr, mock_endpoint, false);
65     grpc_server_setup_transport(server, transport, nullptr, nullptr);
66     grpc_chttp2_transport_start_reading(transport, nullptr, nullptr);
67 
68     grpc_call* call1 = nullptr;
69     grpc_call_details call_details1;
70     grpc_metadata_array request_metadata1;
71     grpc_call_details_init(&call_details1);
72     grpc_metadata_array_init(&request_metadata1);
73     int requested_calls = 0;
74 
75     GPR_ASSERT(GRPC_CALL_OK ==
76                grpc_server_request_call(server, &call1, &call_details1,
77                                         &request_metadata1, cq, cq, tag(1)));
78     requested_calls++;
79 
80     grpc_event ev;
81     while (1) {
82       grpc_core::ExecCtx::Get()->Flush();
83       ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
84                                       nullptr);
85       switch (ev.type) {
86         case GRPC_QUEUE_TIMEOUT:
87           goto done;
88         case GRPC_QUEUE_SHUTDOWN:
89           break;
90         case GRPC_OP_COMPLETE:
91           switch (detag(ev.tag)) {
92             case 1:
93               requested_calls--;
94               // TODO(ctiller): keep reading that call!
95               break;
96           }
97       }
98     }
99 
100   done:
101     if (call1 != nullptr) grpc_call_unref(call1);
102     grpc_call_details_destroy(&call_details1);
103     grpc_metadata_array_destroy(&request_metadata1);
104     grpc_server_shutdown_and_notify(server, cq, tag(0xdead));
105     grpc_server_cancel_all_calls(server);
106     grpc_millis deadline = grpc_core::ExecCtx::Get()->Now() + 5000;
107     for (int i = 0; i <= requested_calls; i++) {
108       // A single grpc_completion_queue_next might not be sufficient for getting
109       // the tag from shutdown, because we might potentially get blocked by
110       // an operation happening on the timer thread.
111       // For example, the deadline timer might expire, leading to the timer
112       // thread trying to cancel the RPC and thereby acquiring a few references
113       // to the call. This will prevent the shutdown to complete till the timer
114       // thread releases those references.
115       // As a solution, we are going to keep performing a cq_next for a
116       // liberal period of 5 seconds for the timer thread to complete its work.
117       do {
118         ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
119                                         nullptr);
120         grpc_core::ExecCtx::Get()->InvalidateNow();
121       } while (ev.type != GRPC_OP_COMPLETE &&
122                grpc_core::ExecCtx::Get()->Now() < deadline);
123       GPR_ASSERT(ev.type == GRPC_OP_COMPLETE);
124     }
125     grpc_completion_queue_shutdown(cq);
126     for (int i = 0; i <= requested_calls; i++) {
127       do {
128         ev = grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME),
129                                         nullptr);
130         grpc_core::ExecCtx::Get()->InvalidateNow();
131       } while (ev.type != GRPC_QUEUE_SHUTDOWN &&
132                grpc_core::ExecCtx::Get()->Now() < deadline);
133       GPR_ASSERT(ev.type == GRPC_QUEUE_SHUTDOWN);
134     }
135     grpc_server_destroy(server);
136     grpc_completion_queue_destroy(cq);
137   }
138   grpc_shutdown();
139   if (leak_check) {
140     counters = grpc_memory_counters_snapshot();
141     grpc_memory_counters_destroy();
142     GPR_ASSERT(counters.total_size_relative == 0);
143   }
144   return 0;
145 }
146