Fix test bugs, expand corpus

src/core/ext/transport/chttp2/transport/hpack_parser.c

@@ -639,7 +639,7 @@ static int on_hdr(grpc_chttp2_hpack_parser *p, grpc_mdelem *md,
     }
   }
   if (p->on_header == NULL) {
-    grpc_mdelem_unref(md);
+    GRPC_MDELEM_UNREF(md);
     return 0;
   }
   p->on_header(p->on_header_user_data, md);

src/core/lib/transport/metadata.h

@@ -120,6 +120,7 @@ void grpc_mdelem_set_user_data(grpc_mdelem *md, void (*destroy_func)(void *),
                                void *user_data);
 
 /* Reference counting */
+//#define GRPC_METADATA_REFCOUNT_DEBUG
 #ifdef GRPC_METADATA_REFCOUNT_DEBUG
 #define GRPC_MDSTR_REF(s) grpc_mdstr_ref((s), __FILE__, __LINE__)
 #define GRPC_MDSTR_UNREF(s) grpc_mdstr_unref((s), __FILE__, __LINE__)

test/core/end2end/fuzzers/api_fuzzer.c

@@ -143,19 +143,6 @@ static grpc_byte_buffer *read_message(input_stream *inp) {
   return out;
 }
 
-static void read_metadata(input_stream *inp, size_t *count,
-                          grpc_metadata **metadata) {
-  *count = next_byte(inp);
-  *metadata = gpr_malloc(*count * sizeof(**metadata));
-  memset(*metadata, 0, *count * sizeof(**metadata));
-  for (size_t i = 0; i < *count; i++) {
-    (*metadata)[i].key = read_string(inp);
-    read_buffer(inp, (char **)&(*metadata)[i].value,
-                &(*metadata)[i].value_length);
-    (*metadata)[i].flags = read_uint32(inp);
-  }
-}
-
 static int read_int(input_stream *inp) { return (int)read_uint32(inp); }
 
 static grpc_channel_args *read_args(input_stream *inp) {
@@ -366,6 +353,11 @@ typedef struct call_state {
   int pending_ops;
   grpc_call_details call_details;
 
+  // array of pointers to free later
+  size_t num_to_free;
+  size_t cap_to_free;
+  void **to_free;
+
   struct call_state *next;
   struct call_state *prev;
 } call_state;
@@ -403,11 +395,42 @@ static call_state *maybe_delete_call_state(call_state *call) {
   grpc_metadata_array_destroy(&call->recv_trailing_metadata);
   gpr_free(call->recv_status_details);
   grpc_call_details_destroy(&call->call_details);
+
+  for (size_t i = 0; i < call->num_to_free; i++) {
+    gpr_free(call->to_free[i]);
+  }
+  gpr_free(call->to_free);
+
   gpr_free(call);
 
   return next;
 }
 
+static void add_to_free(call_state *call, void *p) {
+  if (call->num_to_free == call->cap_to_free) {
+    call->cap_to_free = GPR_MAX(8, 2 * call->cap_to_free);
+    call->to_free =
+        gpr_realloc(call->to_free, sizeof(*call->to_free) * call->cap_to_free);
+  }
+  call->to_free[call->num_to_free++] = p;
+}
+
+static void read_metadata(input_stream *inp, size_t *count,
+                          grpc_metadata **metadata, call_state *cs) {
+  *count = next_byte(inp);
+  *metadata = gpr_malloc(*count * sizeof(**metadata));
+  memset(*metadata, 0, *count * sizeof(**metadata));
+  for (size_t i = 0; i < *count; i++) {
+    (*metadata)[i].key = read_string(inp);
+    read_buffer(inp, (char **)&(*metadata)[i].value,
+                &(*metadata)[i].value_length);
+    (*metadata)[i].flags = read_uint32(inp);
+    add_to_free(cs, (void *)(*metadata)[i].key);
+    add_to_free(cs, (void *)(*metadata)[i].value);
+  }
+  add_to_free(cs, *metadata);
+}
+
 static call_state *destroy_call(call_state *call) {
   grpc_call_destroy(call->call);
   call->call = NULL;
@@ -688,7 +711,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
             case GRPC_OP_SEND_INITIAL_METADATA:
               op->op = GRPC_OP_SEND_INITIAL_METADATA;
               read_metadata(&inp, &op->data.send_initial_metadata.count,
-                            &op->data.send_initial_metadata.metadata);
+                            &op->data.send_initial_metadata.metadata,
+                            g_active_call);
               break;
             case GRPC_OP_SEND_MESSAGE:
               op->op = GRPC_OP_SEND_MESSAGE;
@@ -702,7 +726,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
               read_metadata(
                   &inp,
                   &op->data.send_status_from_server.trailing_metadata_count,
-                  &op->data.send_status_from_server.trailing_metadata);
+                  &op->data.send_status_from_server.trailing_metadata,
+                  g_active_call);
               op->data.send_status_from_server.status = next_byte(&inp);
               op->data.send_status_from_server.status_details =
                   read_string(&inp);
@@ -751,30 +776,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
           op = &ops[i];
           switch (op->op) {
             case GRPC_OP_SEND_INITIAL_METADATA:
-              for (size_t j = 0; j < op->data.send_initial_metadata.count;
-                   j++) {
-                gpr_free(
-                    (void *)op->data.send_initial_metadata.metadata[j].key);
-                gpr_free(
-                    (void *)op->data.send_initial_metadata.metadata[j].value);
-              }
-              gpr_free(op->data.send_initial_metadata.metadata);
               break;
             case GRPC_OP_SEND_MESSAGE:
               grpc_byte_buffer_destroy(op->data.send_message);
               break;
             case GRPC_OP_SEND_STATUS_FROM_SERVER:
-              for (size_t j = 0;
-                   j < op->data.send_status_from_server.trailing_metadata_count;
-                   j++) {
-                gpr_free((void *)op->data.send_status_from_server
-                             .trailing_metadata[j]
-                             .key);
-                gpr_free((void *)op->data.send_status_from_server
-                             .trailing_metadata[j]
-                             .value);
-              }
-              gpr_free(op->data.send_status_from_server.trailing_metadata);
               gpr_free((void *)op->data.send_status_from_server.status_details);
               break;
             case GRPC_OP_SEND_CLOSE_FROM_CLIENT:

tools/run_tests/tests.json

@@ -23454,6 +23454,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/0433cabb8c28820bda0a6eac35d17d120f1b6865"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/0452ea591951af85724608917fda16926dad7451"
@@ -23608,6 +23630,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/07aa7d6c71878eb78b25ca12d79082f70ae7f64c"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/07ae5ed3dedbd83e376c892a9546cc0cd733c26f"
@@ -24554,6 +24598,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/253b8946a7cf403dd466f1685df2f741d4660a34"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/2743ee5a764fb0c4e04cdf84c9b3810ac8093998"
@@ -25148,6 +25214,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/3465fb573ac3c59a0804aadeba2f205870abcc3d"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/368d2b5d4c6776afbed8e5e76cc3a4ccdde1df42"
@@ -26160,6 +26248,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/595603f4ed37e3716cbe53b3ef180e5cdf8005f0"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/5a6491ab9c23fae58967d4a4b5d5cfb23f620001"
@@ -26336,6 +26446,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/6186bfc21ff7df3982e5d9757e5c7160da0f493a"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/6230cce2862a18c4c92dc6fb4e034a1d15e1ff18"
@@ -26424,6 +26556,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/66ac31199d08e7a3b066059cd409457a850847b2"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/682cb8ad9fe4641e7a140ae3d3ee27c841ba397f"
@@ -27172,6 +27326,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/83c29132911949c65d508753420708e9a0ffd6ab"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/8492f54a92f9a2a05af1a078489a3a68145d8985"
@@ -27436,6 +27612,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/8a912877743b165b233303efaf502f5092b3c5b0"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/8a9f7329b30a562837353767313df7fa9a1f31f7"
@@ -28184,6 +28382,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/a8f87a7038125bd0e3b753c2a42ebdc3e4c75cba"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/a967ca556a517366de03b8a9d21e991783f0896c"
@@ -28360,6 +28580,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/af042d0ae8cd624acfa12788ffc0154e6f49394b"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/af0a181159725d308833841738c5d14d478228e8"
@@ -28822,6 +29064,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/bc6770a9bad24599ea4970735e9b17702a12b651"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/bc7f0b79a1781772d7f48e168462f99da27b03e2"
@@ -28844,6 +29108,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/bc96b9415e9bb48d27f37d91c51d10ec08139974"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/bcae3229d884c5cfc36ae28c672f9b960e30042f"
@@ -28910,6 +29196,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/bd4786be14d852c68e605eaefa782f79064f32e2"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/bde8a553b10a613c32f800429a07f0b5a2d37e53"
@@ -29130,6 +29438,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/c69863dd21c782e609d6ecdb9150f887a0f39989"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/c73e85bdaa195d9659ae9b08995a9fb716f9c92a"
@@ -29416,6 +29746,50 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/crash-1b9aeaf762bb1a972dda8f3a455df2628efd693b"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/crash-7ca23a3e10cdbf579cf81a50e51af358f86631eb"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/crash-82b2ae1d2174f5782b32c89ce60f68bf5a30c0e1"
@@ -29900,6 +30274,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/d712d007679af5438c7bda723ddc724c2e57b0c1"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/d91e9bf6b6c78f35a68ba877f3325b3c1ee3db35"
@@ -30274,6 +30670,28 @@
       "posix"
     ]
   }, 
+  {
+    "args": [
+      "test/core/end2end/fuzzers/api_fuzzer_corpus/e33f7d7998fe6e12ecc4014c8434e4ca591371b3"
+    ], 
+    "ci_platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ], 
+    "cpu_cost": 0.1, 
+    "exclude_configs": [], 
+    "flaky": false, 
+    "language": "c", 
+    "name": "api_fuzzer_one_entry", 
+    "platforms": [
+      "linux", 
+      "mac", 
+      "windows", 
+      "posix"
+    ]
+  }, 
   {
     "args": [
       "test/core/end2end/fuzzers/api_fuzzer_corpus/e401c1abdd1ef0458dd46e35167c4734667ebcc0"