From patchwork Fri Dec 6 22:59:22 2019
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 16649
Date: Fri, 6 Dec 2019 23:59:22 +0100
From: Michael Niedermayer To: FFmpeg development discussions and patches Message-ID: <20191206225922.GN3089@michaelspb> References: <20191206191623.2669-1-jamrial@gmail.com> MIME-Version: 1.0 In-Reply-To: <20191206191623.2669-1-jamrial@gmail.com> Subject: Re: [FFmpeg-devel] [PATCH] tools/target_dec_bsf: call avcodec_flush_buffers() on random keyframes X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" On Fri, Dec 06, 2019 at 04:16:23PM -0300, James Almer wrote: > This should increase coverage on some decoders by executing flushing code. > > Signed-off-by: James Almer > --- > tools/target_dec_fuzzer.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c > index dcf47b0f4d..3c2f9125bb 100644 > --- a/tools/target_dec_fuzzer.c > +++ b/tools/target_dec_fuzzer.c > @@ -256,6 +256,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { > error("Failed memory allocation"); > memcpy(parsepkt.data, last, data - last); > parsepkt.flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY; > + int flush = !!(keyframes & 4); > keyframes = (keyframes >> 2) + (keyframes<<62); > data += sizeof(fuzz_tag); > last = data; 
> @@ -289,6 +290,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { > av_packet_move_ref(&avpkt, &parsepkt); > } > > + if (avpkt.flags & AV_PKT_FLAG_KEY && flush) > + avcodec_flush_buffers(ctx); > + > // Iterate through all data > while (avpkt.size > 0 && it++ < maxiteration) { > av_frame_unref(frame); This would call flush in a pattern locked onto the keyframe and discard flags. Not sure if that could affect coverage An alternative would be to use a seperate pattern for flush. (see patch below) That said, both these patches will disrupt existing test cases commit 1a1f747a7afd181f6b763d4dca59cd848e7acb20 (HEAD -> master) Author: Michael Niedermayer Date: Fri Dec 6 23:42:28 2019 +0100 tools/target_dec_fuzzer: Call avcodec_flush_buffers() in a fuzzer choosen pattern This should increase coverage Signed-off-by: Michael Niedermayer [...] diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index dcf47b0f4d..c11a11514c 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -110,6 +110,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { const AVPacket *avpkt) = NULL; AVCodecParserContext *parser = NULL; uint64_t keyframes = 0; + uint64_t flushpattern = -1; if (!c) { @@ -210,6 +211,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ctx->block_align = bytestream2_get_le32(&gbc); ctx->codec_tag = bytestream2_get_le32(&gbc); keyframes = bytestream2_get_le64(&gbc); + flushpattern = bytestream2_get_le64(&gbc); if (extradata_size < size) { ctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); @@ -289,6 +291,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { av_packet_move_ref(&avpkt, &parsepkt); } + if (!(flushpattern & 7)) + avcodec_flush_buffers(ctx); + flushpattern = (flushpattern >> 3) + (flushpattern<<61); + // Iterate through all data while (avpkt.size > 0 && it++ < maxiteration) { av_frame_unref(frame);
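Review bot: In the first hunk of the quoted patch (@@ -256,6 +256,7), `flush` is read from `keyframes & 4`, and the rotate on the next line moves that same bit to bit 0, where the next packet uses it for AV_PKT_FLAG_DISCARD, so whenever one packet is flushed the following packet carries the discard flag. Taking the flush bit from a value that is not shared with the flag bits would let the fuzzer vary the two independently. The declaration `int flush` also follows the `memcpy` and `parsepkt.flags` statements; declaring it at the top of its block and assigning it here would avoid mixing declarations and code.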
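Review bot: The condition `avpkt.flags & AV_PKT_FLAG_KEY && flush` in the second hunk of the quoted patch (@@ -289,6 +290,9) only ever flushes ahead of a packet marked as a keyframe, so flushing in front of non-key packets is never exercised, which limits the coverage gain the commit message aims for. If that restriction is intended, a short comment saying so would help, and parentheses around `avpkt.flags & AV_PKT_FLAG_KEY` would make the precedence explicit.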
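Review bot: `uint64_t flushpattern = -1;` in the hunk at @@ -110,6 +110,7 relies on the implicit conversion of -1 to all ones, and the reason for that default is not stated. Since the later test is `!(flushpattern & 7)`, an all-ones pattern means no flush ever happens when the field is not read from the input; writing `UINT64_MAX` with a one-line comment to that effect would make this explicit.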
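Review bot: The new `bytestream2_get_le64(&gbc)` read in the hunk at @@ -210,6 +211,7 adds an undocumented 8-byte field directly after `keyframes`, so inputs written before this change have whatever bytes sit at that position interpreted as the flush pattern. A value of 0 there makes `!(flushpattern & 7)` true for every packet, the opposite of the -1 default. A comment next to this read describing the field and its three-bits-per-packet encoding would help anyone maintaining a corpus.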
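Review bot: `flushpattern = (flushpattern >> 3) + (flushpattern<<61);` in the hunk at @@ -289,6 +291,10 has inconsistent spacing around the two shift operators and uses `+` where `|` would state the rotate more directly. It mirrors the existing `keyframes` rotate, so keeping the same form is defensible, but spaces around `<<` would be cleaner. The `!(flushpattern & 7)` test can also be true for the first packet, before anything has been sent to the decoder; a comment saying that flushing a fresh context is intended would remove the doubt.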