path: root/chromium/ui/accessibility/ax_tree_fuzzer.cc
// Copyright 2016 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "ui/accessibility/ax_tree.h"
#include "ui/accessibility/ax_tree_observer.h"

// Observer that overrides none of the ui::AXTreeObserver callbacks. The fuzz
// harness below registers one instance on the tree for the duration of
// Unserialize().
class EmptyAXTreeObserver : public ui::AXTreeObserver {
 public:
  EmptyAXTreeObserver() = default;
  ~EmptyAXTreeObserver() override = default;
};

// LibFuzzer entry point: decodes the raw input bytes into an AXTreeUpdate and
// hands it to AXTree::Unserialize().
//
// Input encoding, repeated until the buffer is exhausted:
//   1 byte   node id
//   1 byte   declared number of child ids (absent if the input ends here)
//   N bytes  child ids, one byte each (fewer if the input ends early)
//
// Only |id| and |child_ids| are taken from the input; every other field of
// the AXNodeData and of the AXTreeUpdate is left as default-constructed, so
// this harness exercises tree-structure handling only. Because ids are single
// bytes, duplicate ids and dangling child references are common in the
// generated updates.
extern "C" int LLVMFuzzerTestOneInput(const unsigned char* data, size_t size) {
  ui::AXTreeUpdate initial_state;
  for (size_t pos = 0; pos < size;) {
    ui::AXNodeData node;
    node.id = data[pos];
    ++pos;
    if (pos < size) {
      // The declared count is attacker-controlled and may exceed what is left
      // in the buffer, so every read below is bounds-checked against |size|.
      const size_t declared_children = data[pos];
      ++pos;
      size_t consumed = 0;
      while (consumed < declared_children && pos < size) {
        node.child_ids.push_back(data[pos]);
        ++pos;
        ++consumed;
      }
    }
    initial_state.nodes.push_back(node);
  }

  // Cap the number of node records so a single input cannot run into the
  // fuzzer's timeout; the limit is lower when NDEBUG is not defined.
#if defined(NDEBUG)
  constexpr size_t kMaxNodes = 500000;
#else
  constexpr size_t kMaxNodes = 50000;
#endif
  const bool too_large = initial_state.nodes.size() > kMaxNodes;
  if (too_large) {
    LOG(WARNING) << "Skipping input because it's too large";
    return 0;
  }

  // Pass --v=1 to print the decoded tree when reproducing a specific crash.
  VLOG(1) << "Input accessibility tree:\n" << initial_state.ToString();

  // Keep an observer registered while the update is applied, and unregister
  // it before |tree| goes out of scope. Any result from Unserialize() is
  // ignored here: rejected updates are normal for fuzz input, and the harness
  // relies on crashes or sanitizer reports to surface bugs.
  EmptyAXTreeObserver observer;
  ui::AXTree tree;
  tree.AddObserver(&observer);
  tree.Unserialize(initial_state);
  tree.RemoveObserver(&observer);

  return 0;
}