Extend gurl_fuzzer to use empty replacements

https://crbug.com/1075515 was discovered, because password form parser was using URL replacements and happened to be covered by a fuzzer. Notably, the bug was not found by the GURL fuzzer, because that fuzzer did not involve that particular codepath. To increase the likelihood of finding errors along codepaths involving replacements, this CL adds replacement handling to the GURL fuzzer directly. Empty replacements are used at the moment, to keep the fuzzer fast (this set-up would still have found the issue of https://crbug.com/1075515). Bug: 1075515 Change-Id: Ib97f5282493bbf78b814360801386771df3045dc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2172782 Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Vaclav Brozek <vabr@chromium.org> Cr-Commit-Position: refs/heads/master@{#765505}
marcosholgado · May 5, 2020 · 6c77991 · 6c77991
1 parent 31e97e7
commit 6c77991
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/url/gurl_fuzzer.cc b/url/gurl_fuzzer.cc
@@ -15,6 +15,9 @@ struct TestCase {
 
 TestCase* test_case = new TestCase();
 
+// Empty replacements cause no change when applied.
+GURL::Replacements* no_op = new GURL::Replacements();
+
 // Entry point for LibFuzzer.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   if (size < 1)
@@ -23,6 +26,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   base::StringPiece string_piece_input(reinterpret_cast<const char*>(data),
                                        size);
   GURL url_from_string_piece(string_piece_input);
+  // Copying by applying empty replacements exercises interesting code paths.
+  // This can help discover issues like https://crbug.com/1075515.
+  GURL copy = url_from_string_piece.ReplaceComponents(*no_op);
+  CHECK_EQ(url_from_string_piece.is_valid(), copy.is_valid());
+  if (url_from_string_piece.is_valid()) {
+    CHECK_EQ(url_from_string_piece.spec(), copy.spec());
+  }
 
   // Test for StringPiece16 if size is even.
   if (size % 2 == 0) {

diff --git a/url/gurl_fuzzer.dict b/url/gurl_fuzzer.dict
@@ -2,7 +2,7 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-# This file has been generated with testing/libfuzzer/dictionary_generator.py
+# This block has been generated with testing/libfuzzer/dictionary_generator.py
 # using url_parse_fuzzer binary and RFC 3986.
 "DNS"
 "text"
@@ -401,3 +401,5 @@
 "H.,"
 "\"MIME"
 
+# This comes from https://crbug.com/1075515.
+"FilEsysteM:htTp:E=/."