Starting server fuzzer

Makefile

@@ -966,6 +966,7 @@ resolve_address_test: $(BINDIR)/$(CONFIG)/resolve_address_test
 secure_channel_create_test: $(BINDIR)/$(CONFIG)/secure_channel_create_test
 secure_endpoint_test: $(BINDIR)/$(CONFIG)/secure_endpoint_test
 server_chttp2_test: $(BINDIR)/$(CONFIG)/server_chttp2_test
+server_fuzzer: $(BINDIR)/$(CONFIG)/server_fuzzer
 server_test: $(BINDIR)/$(CONFIG)/server_test
 set_initial_connect_string_test: $(BINDIR)/$(CONFIG)/set_initial_connect_string_test
 sockaddr_resolver_test: $(BINDIR)/$(CONFIG)/sockaddr_resolver_test
@@ -1113,6 +1114,7 @@ h2_uds_nosec_test: $(BINDIR)/$(CONFIG)/h2_uds_nosec_test
 hpack_parser_fuzzer_test_one_entry: $(BINDIR)/$(CONFIG)/hpack_parser_fuzzer_test_one_entry
 http_fuzzer_test_one_entry: $(BINDIR)/$(CONFIG)/http_fuzzer_test_one_entry
 json_fuzzer_test_one_entry: $(BINDIR)/$(CONFIG)/json_fuzzer_test_one_entry
+server_fuzzer_one_entry: $(BINDIR)/$(CONFIG)/server_fuzzer_one_entry
 uri_fuzzer_test_one_entry: $(BINDIR)/$(CONFIG)/uri_fuzzer_test_one_entry
 
 run_dep_checks:
@@ -1335,6 +1337,7 @@ buildtests_c: privatelibs_c \
   $(BINDIR)/$(CONFIG)/hpack_parser_fuzzer_test_one_entry \
   $(BINDIR)/$(CONFIG)/http_fuzzer_test_one_entry \
   $(BINDIR)/$(CONFIG)/json_fuzzer_test_one_entry \
+  $(BINDIR)/$(CONFIG)/server_fuzzer_one_entry \
   $(BINDIR)/$(CONFIG)/uri_fuzzer_test_one_entry \
 
 
@@ -8819,6 +8822,38 @@ endif
 endif
 
 
+SERVER_FUZZER_SRC = \
+    test/core/end2end/fuzzers/server_fuzzer.c \
+
+SERVER_FUZZER_OBJS = $(addprefix $(OBJDIR)/$(CONFIG)/, $(addsuffix .o, $(basename $(SERVER_FUZZER_SRC))))
+ifeq ($(NO_SECURE),true)
+
+# You can't build secure targets if you don't have OpenSSL.
+
+$(BINDIR)/$(CONFIG)/server_fuzzer: openssl_dep_error
+
+else
+
+
+
+$(BINDIR)/$(CONFIG)/server_fuzzer: $(SERVER_FUZZER_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+	$(E) "[LD]      Linking $@"
+	$(Q) mkdir -p `dirname $@`
+	$(Q) $(LDXX) $(LDFLAGS) $(SERVER_FUZZER_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a $(LDLIBS) $(LDLIBS_SECURE) -lFuzzer -o $(BINDIR)/$(CONFIG)/server_fuzzer
+
+endif
+
+$(OBJDIR)/$(CONFIG)/test/core/end2end/fuzzers/server_fuzzer.o:  $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+
+deps_server_fuzzer: $(SERVER_FUZZER_OBJS:.o=.dep)
+
+ifneq ($(NO_SECURE),true)
+ifneq ($(NO_DEPS),true)
+-include $(SERVER_FUZZER_OBJS:.o=.dep)
+endif
+endif
+
+
 SERVER_TEST_SRC = \
     test/core/surface/server_test.c \
 
@@ -13668,6 +13703,38 @@ endif
 endif
 
 
+SERVER_FUZZER_ONE_ENTRY_SRC = \
+    test/core/end2end/fuzzers/server_fuzzer.c \
+
+SERVER_FUZZER_ONE_ENTRY_OBJS = $(addprefix $(OBJDIR)/$(CONFIG)/, $(addsuffix .o, $(basename $(SERVER_FUZZER_ONE_ENTRY_SRC))))
+ifeq ($(NO_SECURE),true)
+
+# You can't build secure targets if you don't have OpenSSL.
+
+$(BINDIR)/$(CONFIG)/server_fuzzer_one_entry: openssl_dep_error
+
+else
+
+
+
+$(BINDIR)/$(CONFIG)/server_fuzzer_one_entry: $(SERVER_FUZZER_ONE_ENTRY_OBJS) $(LIBDIR)/$(CONFIG)/libone_input_fuzzer.a $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+	$(E) "[LD]      Linking $@"
+	$(Q) mkdir -p `dirname $@`
+	$(Q) $(LD) $(LDFLAGS) $(SERVER_FUZZER_ONE_ENTRY_OBJS) $(LIBDIR)/$(CONFIG)/libone_input_fuzzer.a $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a $(LDLIBS) $(LDLIBS_SECURE) -o $(BINDIR)/$(CONFIG)/server_fuzzer_one_entry
+
+endif
+
+$(OBJDIR)/$(CONFIG)/test/core/end2end/fuzzers/server_fuzzer.o:  $(LIBDIR)/$(CONFIG)/libone_input_fuzzer.a $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+
+deps_server_fuzzer_one_entry: $(SERVER_FUZZER_ONE_ENTRY_OBJS:.o=.dep)
+
+ifneq ($(NO_SECURE),true)
+ifneq ($(NO_DEPS),true)
+-include $(SERVER_FUZZER_ONE_ENTRY_OBJS:.o=.dep)
+endif
+endif
+
+
 URI_FUZZER_TEST_ONE_ENTRY_SRC = \
     test/core/client_config/uri_fuzzer_test.c \
 

build.yaml

@@ -1946,6 +1946,18 @@ targets:
   - grpc
   - gpr_test_util
   - gpr
+- name: server_fuzzer
+  build: fuzzer
+  language: c
+  src:
+  - test/core/end2end/fuzzers/server_fuzzer.c
+  deps:
+  - grpc_test_util
+  - grpc
+  - gpr_test_util
+  - gpr
+  corpus_dirs:
+  - test/core/end2end/fuzzers/server_fuzzer_corpus
 - name: server_test
   build: test
   language: c

test/core/bad_client/bad_client.c

@@ -34,12 +34,15 @@
 #include "test/core/bad_client/bad_client.h"
 
 #include <grpc/support/alloc.h>
+#include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
 #include <grpc/support/thd.h>
+#include <stdio.h>
 #include "src/core/ext/transport/chttp2/transport/chttp2_transport.h"
 #include "src/core/lib/channel/channel_stack.h"
 #include "src/core/lib/channel/http_server_filter.h"
 #include "src/core/lib/iomgr/endpoint_pair.h"
+#include "src/core/lib/support/murmur_hash.h"
 #include "src/core/lib/support/string.h"
 #include "src/core/lib/surface/completion_queue.h"
 #include "src/core/lib/surface/server.h"
@@ -86,6 +89,15 @@ void grpc_run_bad_client_test(grpc_bad_client_server_side_validator validator,
   grpc_closure done_write_closure;
   grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
 
+  uint32_t hash = gpr_murmur_hash3(client_payload, client_payload_length, 0);
+  char *fn;
+  gpr_asprintf(&fn, "test/core/end2end/fuzzers/server_fuzzer_corpus/%08x.bin",
+               hash);
+  FILE *f = fopen(fn, "w");
+  fwrite(client_payload, 1, client_payload_length, f);
+  fclose(f);
+  gpr_free(fn);
+
   hex = gpr_dump(client_payload, client_payload_length,
                  GPR_DUMP_HEX | GPR_DUMP_ASCII);
 

test/core/end2end/fuzzers/server_fuzzer.c

@@ -0,0 +1,89 @@
+/*
+ *
+ * Copyright 2016, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <grpc/grpc.h>
+
+#if 0
+static void discard_write(gpr_slice slice) { gpr_slice_unref(slice); }
+
+static void *tag(int n) { return (void *)(uintptr_t)n; }
+#endif
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+#if 0
+  grpc_init();
+
+  grpc_endpoint *mock_endpoint = grpc_mock_endpoint_create(discard_write);
+  grpc_mock_endpoint_put_read(mock_endpoint,
+                              gpr_slice_from_copied_buffer(data, size));
+
+  grpc_server *server = grpc_server_create(NULL, NULL);
+  grpc_completion_queue *cq = grpc_completion_queue_create();
+  grpc_server_register_completion_queue(server, cq);
+  // TODO(ctiller): add registered methods (one for POST, one for PUT)
+  // void *registered_method =
+  //    grpc_server_register_method(server, "/reg", NULL, 0);
+  grpc_server_start(server, NULL);
+  grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
+  grpc_transport *transport =
+      grpc_create_chttp2_transport(&exec_ctx, NULL, mock_endpoint, 0);
+  grpc_server_setup_transport(&exec_ctx, server, transport, NULL);
+  grpc_chttp2_transport_start_reading(&exec_ctx, transport, NULL, 0);
+  grpc_exec_ctx_flush(&exec_ctx);
+
+  grpc_call *call1;
+  grpc_call_details call_details1;
+  grpc_metadata_array request_metadata1;
+  grpc_server_request_call(server, &call1, &call_details1, &request_metadata1,
+                           cq, cq, tag(1));
+
+  while (1) {
+    grpc_event ev =
+        grpc_completion_queue_next(cq, gpr_inf_past(GPR_CLOCK_REALTIME));
+    switch (ev.type) {
+      case GRPC_QUEUE_TIMEOUT:
+        goto done;
+      case GRPC_QUEUE_SHUTDOWN:
+        break;
+      case GRPC_OP_COMPLETE:
+        switch (detag(ev.tag)) {
+          case 1:
+            abort();
+        }
+    }
+  }
+done:
+  grpc_shutdown();
+#endif
+  return 0;
+}

test/core/end2end/fuzzers/server_fuzzer_corpus/0aa7b949.bin

@@ -0,0 +1 @@
+PRI * HTTP/2X

test/core/end2end/fuzzers/server_fuzzer_corpus/0abd533e.bin

@@ -0,0 +1,2 @@
+PRI * HTTP/2.0
+
X

test/core/end2end/fuzzers/server_fuzzer_corpus/18f00b5f.bin

@@ -0,0 +1 @@
+PRI * HTTX

test/core/end2end/fuzzers/server_fuzzer_corpus/1ea5651f.bin

@@ -0,0 +1 @@
+PRI * X

test/core/end2end/fuzzers/server_fuzzer_corpus/2814d70c.bin

@@ -0,0 +1 @@
+X

test/core/end2end/fuzzers/server_fuzzer_corpus/2e4805c3.bin

@@ -0,0 +1,3 @@
+PRI * HTTP/2.0
+
+SX

test/core/end2end/fuzzers/server_fuzzer_corpus/326ec4d5.bin

@@ -0,0 +1 @@
+PRIX

test/core/end2end/fuzzers/server_fuzzer_corpus/39ea47bb.bin

@@ -0,0 +1 @@
+PRI * HTTP/2.X

test/core/end2end/fuzzers/server_fuzzer_corpus/3ca5da2f.bin

@@ -0,0 +1,3 @@
+PRI * HTTP/2.0
+
+SMX

test/core/end2end/fuzzers/server_fuzzer_corpus/422708b4.bin

@@ -0,0 +1 @@
+PRI * HTTP/X

test/core/end2end/fuzzers/server_fuzzer_corpus/4d55d5ae.bin

@@ -0,0 +1 @@
+PRI *X

test/core/end2end/fuzzers/server_fuzzer_corpus/53de507f.bin

@@ -0,0 +1,5 @@
+PRI * HTTP/2.0
+
+SM
+
+

test/core/end2end/fuzzers/server_fuzzer_corpus/54d0fc6c.bin

@@ -0,0 +1,4 @@
+PRI * HTTP/2.0
+
+SM
+X

test/core/end2end/fuzzers/server_fuzzer_corpus/57918260.bin

@@ -0,0 +1 @@
+PRI * HTTPX

test/core/end2end/fuzzers/server_fuzzer_corpus/59dcfde4.bin

@@ -0,0 +1,3 @@
+PRI * HTTP/2.0
+
+SM
X

test/core/end2end/fuzzers/server_fuzzer_corpus/5f758756.bin

@@ -0,0 +1,2 @@
+PRI * HTTP/2.0
+X

test/core/end2end/fuzzers/server_fuzzer_corpus/7f15bbce.bin

@@ -0,0 +1 @@
+PRI * HX

test/core/end2end/fuzzers/server_fuzzer_corpus/9bf7553a.bin

@@ -0,0 +1 @@
+PRX

test/core/end2end/fuzzers/server_fuzzer_corpus/a357658d.bin

@@ -0,0 +1 @@
+PX