diff options
| -rw-r--r-- | libs/gui/fuzzer/Android.bp | 147 | ||||
| -rw-r--r-- | libs/gui/fuzzer/README.md | 219 | ||||
| -rw-r--r-- | libs/gui/fuzzer/libgui_bufferQueue_fuzzer.cpp | 392 | ||||
| -rw-r--r-- | libs/gui/fuzzer/libgui_consumer_fuzzer.cpp | 82 | ||||
| -rw-r--r-- | libs/gui/fuzzer/libgui_displayEvent_fuzzer.cpp | 107 | ||||
| -rw-r--r-- | libs/gui/fuzzer/libgui_fuzzer_utils.h | 332 | ||||
| -rw-r--r-- | libs/gui/fuzzer/libgui_parcelable_fuzzer.cpp | 175 | ||||
| -rw-r--r-- | libs/gui/fuzzer/libgui_surfaceComposerClient_fuzzer.cpp | 328 | ||||
| -rw-r--r-- | libs/gui/fuzzer/libgui_surfaceComposer_fuzzer.cpp | 41 |
9 files changed, 0 insertions, 1823 deletions
diff --git a/libs/gui/fuzzer/Android.bp b/libs/gui/fuzzer/Android.bp deleted file mode 100644 index 35dd9ecd81..0000000000 --- a/libs/gui/fuzzer/Android.bp +++ /dev/null @@ -1,147 +0,0 @@ -/* - * Copyright 2021 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package { - // See: http://go/android-license-faq - // A large-scale-change added 'default_applicable_licenses' to import - // all of the 'license_kinds' from "frameworks_native_license" - // to get the below license kinds: - // SPDX-license-identifier-Apache-2.0 - default_applicable_licenses: ["frameworks_native_license"], - default_team: "trendy_team_android_core_graphics_stack", -} - -cc_defaults { - name: "libgui_fuzzer_defaults", - defaults: ["android.hardware.power-ndk_shared"], - static_libs: [ - "android.hidl.token@1.0-utils", - "libbinder_random_parcel", - "libgui_aidl_static", - "libgui_window_info_static", - "libpdx", - "libgmock", - "libgui_mocks", - "libgmock_ndk", - "libgmock_main", - "libgtest_ndk_c++", - "libgmock_main_ndk", - "librenderengine_mocks", - "perfetto_trace_protos", - "libcompositionengine_mocks", - "perfetto_trace_protos", - ], - shared_libs: [ - "android.hardware.configstore@1.0", - "android.hardware.configstore-utils", - "android.hardware.graphics.bufferqueue@1.0", - "android.hardware.graphics.bufferqueue@2.0", - "android.hidl.token@1.0", - "libSurfaceFlingerProp", - "libgui", - "libbase", - "liblog", - "libEGL", - "libGLESv2", - "libbinder", - "libcutils", - "libhidlbase", - "libinput", - "libui", - "libutils", - "libnativewindow", - "libvndksupport", - ], - header_libs: [ - "libdvr_headers", - "libui_fuzzableDataspaces_headers", - ], - fuzz_config: { - cc: [ - "android-media-fuzzing-reports@google.com", - ], - componentid: 155276, - hotlists: [ - "4593311", - ], - description: "The fuzzer targets the APIs of libgui library", - vector: "local_no_privileges_required", - service_privilege: "privileged", - users: "multi_user", - fuzzed_code_usage: "shipped", - }, -} - -cc_fuzz { - name: "libgui_surfaceComposer_fuzzer", - srcs: [ - "libgui_surfaceComposer_fuzzer.cpp", - ], - defaults: [ - "libgui_fuzzer_defaults", - "service_fuzzer_defaults", - ], -} - -cc_fuzz { - name: "libgui_surfaceComposerClient_fuzzer", - srcs: [ - "libgui_surfaceComposerClient_fuzzer.cpp", - ], - defaults: [ - "libgui_fuzzer_defaults", - "service_fuzzer_defaults", - ], -} - -cc_fuzz { - name: "libgui_parcelable_fuzzer", - srcs: [ - "libgui_parcelable_fuzzer.cpp", - ], - defaults: [ - "libgui_fuzzer_defaults", - ], -} - -cc_fuzz { - name: "libgui_bufferQueue_fuzzer", - srcs: [ - "libgui_bufferQueue_fuzzer.cpp", - ], - defaults: [ - "libgui_fuzzer_defaults", - ], -} - -cc_fuzz { - name: "libgui_consumer_fuzzer", - srcs: [ - "libgui_consumer_fuzzer.cpp", - ], - defaults: [ - "libgui_fuzzer_defaults", - ], -} - -cc_fuzz { - name: "libgui_displayEvent_fuzzer", - srcs: [ - "libgui_displayEvent_fuzzer.cpp", - ], - defaults: [ - "libgui_fuzzer_defaults", - ], -} diff --git a/libs/gui/fuzzer/README.md b/libs/gui/fuzzer/README.md deleted file mode 100644 index 96e27c989f..0000000000 --- a/libs/gui/fuzzer/README.md +++ /dev/null @@ -1,219 +0,0 @@ -# Fuzzers for Libgui - -## Table of contents -+ [libgui_surfaceComposer_fuzzer](#SurfaceComposer) -+ [libgui_surfaceComposerClient_fuzzer](#SurfaceComposerClient) -+ [libgui_parcelable_fuzzer](#Libgui_Parcelable) -+ [libgui_bufferQueue_fuzzer](#BufferQueue) -+ [libgui_consumer_fuzzer](#Libgui_Consumer) -+ [libgui_displayEvent_fuzzer](#LibGui_DisplayEvent) - -# <a name="libgui_surfaceComposer_fuzzer"></a> Fuzzer for SurfaceComposer - -SurfaceComposer supports the following parameters: -1. SurfaceWidth (parameter name:`width`) -2. SurfaceHeight (parameter name:`height`) -3. TransactionStateFlags (parameter name:`flags`) -4. TransformHint (parameter name:`outTransformHint`) -5. SurfacePixelFormat (parameter name:`format`) -6. LayerId (parameter name:`outLayerId`) -7. SurfaceComposerTags (parameter name:`surfaceTag`) -8. PowerBoostID (parameter name:`boostId`) -9. VsyncSource (parameter name:`vsyncSource`) -10. EventRegistrationFlags (parameter name:`eventRegistration`) -11. FrameRateCompatibility (parameter name:`frameRateCompatibility`) -12. ChangeFrameRateStrategy (parameter name:`changeFrameRateStrategy`) -13. HdrTypes (parameter name:`hdrTypes`) - -| Parameter| Valid Values| Configured Value| -|------------- |-------------| ----- | -|`surfaceTag` | 0.`BnSurfaceComposer::BOOT_FINISHED`, 1.`BnSurfaceComposer::CREATE_CONNECTION`, 2.`BnSurfaceComposer::GET_STATIC_DISPLAY_INFO`, 3.`BnSurfaceComposer::CREATE_DISPLAY_EVENT_CONNECTION`, 4.`BnSurfaceComposer::CREATE_DISPLAY`, 5.`BnSurfaceComposer::DESTROY_DISPLAY`, 6.`BnSurfaceComposer::GET_PHYSICAL_DISPLAY_TOKEN`, 7.`BnSurfaceComposer::SET_TRANSACTION_STATE`, 8.`BnSurfaceComposer::AUTHENTICATE_SURFACE`, 9.`BnSurfaceComposer::GET_SUPPORTED_FRAME_TIMESTAMPS`, 10.`BnSurfaceComposer::GET_DISPLAY_STATE`, 11.`BnSurfaceComposer::CAPTURE_DISPLAY`, 12.`BnSurfaceComposer::CAPTURE_LAYERS`, 13.`BnSurfaceComposer::CLEAR_ANIMATION_FRAME_STATS`, 14.`BnSurfaceComposer::GET_ANIMATION_FRAME_STATS`, 15.`BnSurfaceComposer::SET_POWER_MODE`, 16.`BnSurfaceComposer::GET_DISPLAY_STATS`, 17.`BnSurfaceComposer::SET_ACTIVE_COLOR_MODE`, 18.`BnSurfaceComposer::ENABLE_VSYNC_INJECTIONS`, 19.`BnSurfaceComposer::INJECT_VSYNC`, 20.`BnSurfaceComposer::GET_LAYER_DEBUG_INFO`, 21.`BnSurfaceComposer::GET_COMPOSITION_PREFERENCE`, 22.`BnSurfaceComposer::GET_COLOR_MANAGEMENT`, 23.`BnSurfaceComposer::GET_DISPLAYED_CONTENT_SAMPLING_ATTRIBUTES`, 24.`BnSurfaceComposer::SET_DISPLAY_CONTENT_SAMPLING_ENABLED`, 25.`BnSurfaceComposer::GET_DISPLAYED_CONTENT_SAMPLE`, 26.`BnSurfaceComposer::GET_PROTECTED_CONTENT_SUPPORT`, 27.`BnSurfaceComposer::IS_WIDE_COLOR_DISPLAY`, 28.`BnSurfaceComposer::GET_DISPLAY_NATIVE_PRIMARIES`, 29.`BnSurfaceComposer::GET_PHYSICAL_DISPLAY_IDS`, 30.`BnSurfaceComposer::ADD_REGION_SAMPLING_LISTENER`, 31.`BnSurfaceComposer::REMOVE_REGION_SAMPLING_LISTENER`, 32.`BnSurfaceComposer::SET_DESIRED_DISPLAY_MODE_SPECS`, 33.`BnSurfaceComposer::GET_DESIRED_DISPLAY_MODE_SPECS`, 34.`BnSurfaceComposer::GET_DISPLAY_BRIGHTNESS_SUPPORT`, 35.`BnSurfaceComposer::SET_DISPLAY_BRIGHTNESS`, 36.`BnSurfaceComposer::CAPTURE_DISPLAY_BY_ID`, 37.`BnSurfaceComposer::NOTIFY_POWER_BOOST`, 38.`BnSurfaceComposer::SET_GLOBAL_SHADOW_SETTINGS`, 39.`BnSurfaceComposer::SET_AUTO_LOW_LATENCY_MODE`, 40.`BnSurfaceComposer::SET_GAME_CONTENT_TYPE`, 41.`BnSurfaceComposer::SET_FRAME_RATE`, 42.`BnSurfaceComposer::ACQUIRE_FRAME_RATE_FLEXIBILITY_TOKEN`, 43.`BnSurfaceComposer::SET_FRAME_TIMELINE_INFO`, 44.`BnSurfaceComposer::ADD_TRANSACTION_TRACE_LISTENER`, 45.`BnSurfaceComposer::GET_GPU_CONTEXT_PRIORITY`, 46.`BnSurfaceComposer::GET_MAX_ACQUIRED_BUFFER_COUNT`, 47.`BnSurfaceComposer::GET_DYNAMIC_DISPLAY_INFO`, 48.`BnSurfaceComposer::ADD_FPS_LISTENER`, 49.`BnSurfaceComposer::REMOVE_FPS_LISTENER`, 50.`BnSurfaceComposer::OVERRIDE_HDR_TYPES`, 51.`BnSurfaceComposer::ADD_HDR_LAYER_INFO_LISTENER`, 52.`BnSurfaceComposer::REMOVE_HDR_LAYER_INFO_LISTENER`, 53.`BnSurfaceComposer::ON_PULL_ATOM`, 54.`BnSurfaceComposer::ADD_TUNNEL_MODE_ENABLED_LISTENER`, 55.`BnSurfaceComposer::REMOVE_TUNNEL_MODE_ENABLED_LISTENER` | Value obtained from FuzzedDataProvider| -|`boostId`| 0.`hardware::power::Boost::INTERACTION`, 1.`hardware::power::Boost::DISPLAY_UPDATE_IMMINENT`, 2.`hardware::power::Boost::ML_ACC`, 3.`hardware::power::Boost::AUDIO_LAUNCH`, 4.`hardware::power::Boost::CAMERA_LAUNCH`, 5.`hardware::power::Boost::CAMERA_SHOT` |Value obtained from FuzzedDataProvider| -|`vsyncSource`| 0.`ISurfaceComposer::eVsyncSourceApp`, 1.`ISurfaceComposer::eVsyncSourceSurfaceFlinger`, |Value obtained from FuzzedDataProvider| -|`eventRegistration`| 0.`ISurfaceComposer::EventRegistration::modeChanged`, 1.`ISurfaceComposer::EventRegistration::frameRateOverride` |Value obtained from FuzzedDataProvider| -|`frameRateCompatibility`| 0.`ANATIVEWINDOW_FRAME_RATE_COMPATIBILITY_DEFAULT`, 1.`ANATIVEWINDOW_FRAME_RATE_COMPATIBILITY_FIXED_SOURCE` |Value obtained from FuzzedDataProvider| -|`changeFrameRateStrategy`| 0.`ANATIVEWINDOW_CHANGE_FRAME_RATE_ONLY_IF_SEAMLESS`, 1.`ANATIVEWINDOW_CHANGE_FRAME_RATE_ALWAYS` |Value obtained from FuzzedDataProvider| -|`hdrTypes`| 0.`ui::Hdr::DOLBY_VISION`, 1.`ui::Hdr::HDR10`, 2.`ui::Hdr::HLG`, 3.`ui::Hdr::HDR10_PLUS` |Value obtained from FuzzedDataProvider| - -#### Steps to run -1. Build the fuzzer -``` - $ mm -j$(nproc) libgui_surfaceComposer_fuzzer -``` -2. Run on device -``` - $ adb sync data - $ adb shell /data/fuzz/arm64/libgui_surfaceComposer_fuzzer/libgui_surfaceComposer_fuzzer -``` - -# <a name="libgui_surfaceComposerClient_fuzzer"></a> Fuzzer for SurfaceComposerClient - -SurfaceComposerClient supports the following data sources: -1. SurfaceWidth (parameter name:`width`) -2. SurfaceHeight (parameter name:`height`) -3. TransactionStateFlags (parameter name:`flags`) -4. TransformHint (parameter name:`outTransformHint`) -5. SurfacePixelFormat (parameter name:`format`) -6. LayerId (parameter name:`outLayerId`) -7. SurfaceComposerClientTags (parameter name:`surfaceTag`) -8. DefaultMode (parameter name:`defaultMode`) -9. PrimaryRefreshRateMin (parameter name:`primaryRefreshRateMin`) -10. PrimaryRefreshRateMax (parameter name:`primaryRefreshRateMax`) -11. AppRefreshRateMin (parameter name:`appRefreshRateMin`) -12. AppRefreshRateMax (parameter name:`appRefreshRateMax`) -13. DisplayPowerMode (parameter name:`mode`) -14. CacheId (parameter name:`cacheId`) -15. DisplayBrightness (parameter name:`brightness`) -16. PowerBoostID (parameter name:`boostId`) -17. AtomId (parameter name:`atomId`) -18. ComponentMask (parameter name:`componentMask`) -19. MaxFrames (parameter name:`maxFrames`) -20. TaskId (parameter name:`taskId`) -21. Alpha (parameter name:`aplha`) -22. CornerRadius (parameter name:`cornerRadius`) -23. BackgroundBlurRadius (parameter name:`backgroundBlurRadius`) -24. Half3Color (parameter name:`color`) -25. LayerStack (parameter name:`layerStack`) -26. Dataspace (parameter name:`dataspace`) -27. Api (parameter name:`api`) -28. Priority (parameter name:`priority`) -29. TouchableRegionPointX (parameter name:`pointX`) -30. TouchableRegionPointY (parameter name:`pointY`) -31. ColorMode (parameter name:`colorMode`) -32. WindowInfoFlags (parameter name:`flags`) -33. WindowInfoTransformOrientation (parameter name:`transform`) - -| Parameter| Valid Values| Configured Value| -|------------- |-------------| ----- | -|`surfaceTag`| 0.`Tag::CREATE_SURFACE`, 1.`Tag::CREATE_WITH_SURFACE_PARENT`, 2.`Tag::CLEAR_LAYER_FRAME_STATS`, 3.`Tag::GET_LAYER_FRAME_STATS`, 4.`Tag::MIRROR_SURFACE`, 5.`Tag::LAST` |Value obtained from FuzzedDataProvider| -|`mode`| 0.`gui::TouchOcclusionMode::BLOCK_UNTRUSTED`, 1.`gui::TouchOcclusionMode::USE_OPACITY`, 2.`gui::TouchOcclusionMode::ALLOW` |Value obtained from FuzzedDataProvider| -|`boostId`| 0.`hardware::power::Boost::INTERACTION`, 1.`hardware::power::Boost::DISPLAY_UPDATE_IMMINENT`, 2.`hardware::power::Boost::ML_ACC`, 3.`hardware::power::Boost::AUDIO_LAUNCH`, 4.`hardware::power::Boost::CAMERA_LAUNCH`, 5.`hardware::power::Boost::CAMERA_SHOT` |Value obtained from FuzzedDataProvider| -|`colorMode`|0.`ui::ColorMode::NATIVE`, 1.`ui::ColorMode::STANDARD_BT601_625`, 2.`ui::ColorMode::STANDARD_BT601_625_UNADJUSTED`, 3.`ui::ColorMode::STANDARD_BT601_525`, 4.`ui::ColorMode::STANDARD_BT601_525_UNADJUSTED`, 5.`ui::ColorMode::STANDARD_BT709`, 6.`ui::ColorMode::DCI_P3`, 7.`ui::ColorMode::SRGB`, 8.`ui::ColorMode::ADOBE_RGB`, 9.`ui::ColorMode::DISPLAY_P3`, 10.`ui::ColorMode::BT2020`, 11.`ui::ColorMode::BT2100_PQ`, 12.`ui::ColorMode::BT2100_HLG`, 13.`ui::ColorMode::DISPLAY_BT2020` |Value obtained from FuzzedDataProvider| -|`flags`|0 .`gui::WindowInfo::Flag::ALLOW_LOCK_WHILE_SCREEN_ON`, 1.`gui::WindowInfo::Flag::DIM_BEHIND`, 2.`gui::WindowInfo::Flag::BLUR_BEHIND`, 3.`gui::WindowInfo::Flag::NOT_FOCUSABLE`, 4.`gui::WindowInfo::Flag::NOT_TOUCHABLE`, 5.`gui::WindowInfo::Flag::NOT_TOUCH_MODAL`, 6.`gui::WindowInfo::Flag::TOUCHABLE_WHEN_WAKING`, 7.`gui::WindowInfo::Flag::KEEP_SCREEN_ON`, 8.`gui::WindowInfo::Flag::LAYOUT_IN_SCREEN`, 9.`gui::WindowInfo::Flag::LAYOUT_NO_LIMITS`, 10.`gui::WindowInfo::Flag::FULLSCREEN`, 11.`gui::WindowInfo::Flag::FORCE_NOT_FULLSCREEN`, 12.`gui::WindowInfo::Flag::DITHER`, 13.`gui::WindowInfo::Flag::SECURE`, 14.`gui::WindowInfo::Flag::SCALED`, 15.`gui::WindowInfo::Flag::IGNORE_CHEEK_PRESSES`, 16.`gui::WindowInfo::Flag::LAYOUT_INSET_DECOR`, 17.`gui::WindowInfo::Flag::ALT_FOCUSABLE_IM`, 18.`gui::WindowInfo::Flag::WATCH_OUTSIDE_TOUCH`, 19.`gui::WindowInfo::Flag::SHOW_WHEN_LOCKED`, 20.`gui::WindowInfo::Flag::SHOW_WALLPAPER`, 21.`gui::WindowInfo::Flag::TURN_SCREEN_ON`, 22.`gui::WindowInfo::Flag::DISMISS_KEYGUARD`, 23.`gui::WindowInfo::Flag::SPLIT_TOUCH`, 24.`gui::WindowInfo::Flag::HARDWARE_ACCELERATED`, 25.`gui::WindowInfo::Flag::LAYOUT_IN_OVERSCAN`, 26.`gui::WindowInfo::Flag::TRANSLUCENT_STATUS`, 27.`gui::WindowInfo::Flag::TRANSLUCENT_NAVIGATION`, 28.`gui::WindowInfo::Flag::LOCAL_FOCUS_MODE`, 29.`gui::WindowInfo::Flag::SLIPPERY`, 30.`gui::WindowInfo::Flag::LAYOUT_ATTACHED_IN_DECOR`, 31.`gui::WindowInfo::Flag::DRAWS_SYSTEM_BAR_BACKGROUNDS`, |Value obtained from FuzzedDataProvider| -|`dataspace`| 0.`ui::Dataspace::UNKNOWN`, 1.`ui::Dataspace::ARBITRARY`, 2.`ui::Dataspace::STANDARD_SHIFT`, 3.`ui::Dataspace::STANDARD_MASK`, 4.`ui::Dataspace::STANDARD_UNSPECIFIED`, 5.`ui::Dataspace::STANDARD_BT709`, 6.`ui::Dataspace::STANDARD_BT601_625`, 7.`ui::Dataspace::STANDARD_BT601_625_UNADJUSTED`, 8.`ui::Dataspace::STANDARD_BT601_525`, 9.`ui::Dataspace::STANDARD_BT601_525_UNADJUSTED`, 10.`ui::Dataspace::STANDARD_BT2020`, 11.`ui::Dataspace::STANDARD_BT2020_CONSTANT_LUMINANCE`, 12.`ui::Dataspace::STANDARD_BT470M`, 13.`ui::Dataspace::STANDARD_FILM`, 14.`ui::Dataspace::STANDARD_DCI_P3`, 15.`ui::Dataspace::STANDARD_ADOBE_RGB`, 16.`ui::Dataspace::TRANSFER_SHIFT`, 17.`ui::Dataspace::TRANSFER_MASK`, 18.`ui::Dataspace::TRANSFER_UNSPECIFIED`, 19.`ui::Dataspace::TRANSFER_LINEAR`, 20.`ui::Dataspace::TRANSFER_SRGB`, 21.`ui::Dataspace::TRANSFER_SMPTE_170M`, 22.`ui::Dataspace::TRANSFER_GAMMA2_2`, 23.`ui::Dataspace::TRANSFER_GAMMA2_6`, 24.`ui::Dataspace::TRANSFER_GAMMA2_8`, 25.`ui::Dataspace::TRANSFER_ST2084`, 26.`ui::Dataspace::TRANSFER_HLG`, 27.`ui::Dataspace::RANGE_SHIFT`, 28.`ui::Dataspace::RANGE_MASK`, 29.`ui::Dataspace::RANGE_UNSPECIFIED`, 30.`ui::Dataspace::RANGE_FULL`, 31.`ui::Dataspace::RANGE_LIMITED`, 32.`ui::Dataspace::RANGE_EXTENDED`, 33.`ui::Dataspace::SRGB_LINEAR`, 34.`ui::Dataspace::V0_SRGB_LINEAR`, 35.`ui::Dataspace::V0_SCRGB_LINEAR`, 36.`ui::Dataspace::SRGB`, 37.`ui::Dataspace::V0_SRGB`, 38.`ui::Dataspace::V0_SCRGB`, 39.`ui::Dataspace::JFIF`, 40.`ui::Dataspace::V0_JFIF`, 41.`ui::Dataspace::BT601_625`, 42.`ui::Dataspace::V0_BT601_625`, 43.`ui::Dataspace::BT601_525`, 44.`ui::Dataspace::V0_BT601_525`, 45.`ui::Dataspace::BT709`, 46.`ui::Dataspace::V0_BT709`, 47.`ui::Dataspace::DCI_P3_LINEAR`, 48.`ui::Dataspace::DCI_P3`, 49.`ui::Dataspace::DISPLAY_P3_LINEAR`, 50.`ui::Dataspace::DISPLAY_P3`, 51.`ui::Dataspace::ADOBE_RGB`, 52.`ui::Dataspace::BT2020_LINEAR`, 53.`ui::Dataspace::BT2020`, 54.`ui::Dataspace::BT2020_PQ`, 55.`ui::Dataspace::DEPTH`, 56.`ui::Dataspace::SENSOR`, 57.`ui::Dataspace::BT2020_ITU`, 58.`ui::Dataspace::BT2020_ITU_PQ`, 59.`ui::Dataspace::BT2020_ITU_HLG`, 60.`ui::Dataspace::BT2020_HLG`, 61.`ui::Dataspace::DISPLAY_BT2020`, 62.`ui::Dataspace::DYNAMIC_DEPTH`, 63.`ui::Dataspace::JPEG_APP_SEGMENTS`, 64.`ui::Dataspace::HEIF`, |Value obtained from FuzzedDataProvider| -|`transform`| 0.`ui::Transform::ROT_0`, 1.`ui::Transform::FLIP_H`, 2.`ui::Transform::FLIP_V`, 3.`ui::Transform::ROT_90`, 4.`ui::Transform::ROT_180`, 5.`ui::Transform::ROT_270` |Value obtained from FuzzedDataProvider| - -#### Steps to run -1. Build the fuzzer -``` - $ mm -j$(nproc) libgui_surfaceComposerClient_fuzzer -``` -2. To run on device -``` - $ adb sync data - $ adb shell /data/fuzz/arm64/libgui_surfaceComposerClient_fuzzer/libgui_surfaceComposerClient_fuzzer -``` - -# <a name="libgui_parcelable_fuzzer"></a> Fuzzer for Libgui_Parcelable - -Libgui_Parcelable supports the following parameters: -1. LayerMetadataKey (parameter name:`key`) -2. Dataspace (parameter name:`mDataspace`) - -| Parameter| Valid Values| Configured Value| -|------------- |-------------| ----- | -|`key`| 0.`view::LayerMetadataKey::METADATA_OWNER_UID`, 1.`view::LayerMetadataKey::METADATA_WINDOW_TYPE`, 2.`view::LayerMetadataKey::METADATA_TASK_ID`, 3.`view::LayerMetadataKey::METADATA_MOUSE_CURSOR`, 4.`view::LayerMetadataKey::METADATA_ACCESSIBILITY_ID`, 5.`view::LayerMetadataKey::METADATA_OWNER_PID`, 6.`view::LayerMetadataKey::METADATA_DEQUEUE_TIME`, 7.`view::LayerMetadataKey::METADATA_GAME_MODE`, |Value obtained from FuzzedDataProvider| -|`mDataSpace`| 0.`ui::Dataspace::UNKNOWN`, 1.`ui::Dataspace::ARBITRARY`, 2.`ui::Dataspace::STANDARD_SHIFT`, 3.`ui::Dataspace::STANDARD_MASK`, 4.`ui::Dataspace::STANDARD_UNSPECIFIED`, 5.`ui::Dataspace::STANDARD_BT709`, 6.`ui::Dataspace::STANDARD_BT601_625`, 7.`ui::Dataspace::STANDARD_BT601_625_UNADJUSTED`, 8.`ui::Dataspace::STANDARD_BT601_525`, 9.`ui::Dataspace::STANDARD_BT601_525_UNADJUSTED`, 10.`ui::Dataspace::STANDARD_BT2020`, 11.`ui::Dataspace::STANDARD_BT2020_CONSTANT_LUMINANCE`, 12.`ui::Dataspace::STANDARD_BT470M`, 13.`ui::Dataspace::STANDARD_FILM`, 14.`ui::Dataspace::STANDARD_DCI_P3`, 15.`ui::Dataspace::STANDARD_ADOBE_RGB`, 16.`ui::Dataspace::TRANSFER_SHIFT`, 17.`ui::Dataspace::TRANSFER_MASK`, 18.`ui::Dataspace::TRANSFER_UNSPECIFIED`, 19.`ui::Dataspace::TRANSFER_LINEAR`, 20.`ui::Dataspace::TRANSFER_SRGB`, 21.`ui::Dataspace::TRANSFER_SMPTE_170M`, 22.`ui::Dataspace::TRANSFER_GAMMA2_2`, 23.`ui::Dataspace::TRANSFER_GAMMA2_6`, 24.`ui::Dataspace::TRANSFER_GAMMA2_8`, 25.`ui::Dataspace::TRANSFER_ST2084`, 26.`ui::Dataspace::TRANSFER_HLG`, 27.`ui::Dataspace::RANGE_SHIFT`, 28.`ui::Dataspace::RANGE_MASK`, 29.`ui::Dataspace::RANGE_UNSPECIFIED`, 30.`ui::Dataspace::RANGE_FULL`, 31.`ui::Dataspace::RANGE_LIMITED`, 32.`ui::Dataspace::RANGE_EXTENDED`, 33.`ui::Dataspace::SRGB_LINEAR`, 34.`ui::Dataspace::V0_SRGB_LINEAR`, 35.`ui::Dataspace::V0_SCRGB_LINEAR`, 36.`ui::Dataspace::SRGB`, 37.`ui::Dataspace::V0_SRGB`, 38.`ui::Dataspace::V0_SCRGB`, 39.`ui::Dataspace::JFIF`, 40.`ui::Dataspace::V0_JFIF`, 41.`ui::Dataspace::BT601_625`, 42.`ui::Dataspace::V0_BT601_625`, 43.`ui::Dataspace::BT601_525`, 44.`ui::Dataspace::V0_BT601_525`, 45.`ui::Dataspace::BT709`, 46.`ui::Dataspace::V0_BT709`, 47.`ui::Dataspace::DCI_P3_LINEAR`, 48.`ui::Dataspace::DCI_P3`, 49.`ui::Dataspace::DISPLAY_P3_LINEAR`, 50.`ui::Dataspace::DISPLAY_P3`, 51.`ui::Dataspace::ADOBE_RGB`, 52.`ui::Dataspace::BT2020_LINEAR`, 53.`ui::Dataspace::BT2020`, 54.`ui::Dataspace::BT2020_PQ`, 55.`ui::Dataspace::DEPTH`, 56.`ui::Dataspace::SENSOR`, 57.`ui::Dataspace::BT2020_ITU`, 58.`ui::Dataspace::BT2020_ITU_PQ`, 59.`ui::Dataspace::BT2020_ITU_HLG`, 60.`ui::Dataspace::BT2020_HLG`, 61.`ui::Dataspace::DISPLAY_BT2020`, 62.`ui::Dataspace::DYNAMIC_DEPTH`, 63.`ui::Dataspace::JPEG_APP_SEGMENTS`, 64.`ui::Dataspace::HEIF`, |Value obtained from FuzzedDataProvider| - -#### Steps to run -1. Build the fuzzer -``` - $ mm -j$(nproc) libgui_fuzzer -``` -2. Run on device -``` - $ adb sync data - $ adb shell /data/fuzz/arm64/libgui_fuzzer/libgui_fuzzer -``` - -# <a name="libgui_bufferQueue_fuzzer"></a> Fuzzer for BufferQueue - -BufferQueue supports the following parameters: -1. SurfaceWidth (parameter name:`width`) -2. SurfaceHeight (parameter name:`height`) -3. TransactionStateFlags (parameter name:`flags`) -4. TransformHint (parameter name:`outTransformHint`) -5. SurfacePixelFormat (parameter name:`format`) -6. LayerId (parameter name:`layerId`) -7. BufferId (parameter name:`bufferId`) -8. FrameNumber (parameter name:`frameNumber`) -9. FrameRate (parameter name:`frameRate`) -10. Compatability (parameter name:`compatability`) -11. LatchTime (parameter name:`latchTime`) -12. AcquireTime (parameter name:`acquireTime`) -13. RefreshTime (parameter name:`refreshTime`) -14. DequeueTime (parameter name:`dequeueTime`) -15. Slot (parameter name:`slot`) -16. MaxBuffers (parameter name:`maxBuffers`) -17. GenerationNumber (parameter name:`generationNumber`) -18. Api (parameter name:`api`) -19. Usage (parameter name:`usage`) -20. MaxFrameNumber (parameter name:`maxFrameNumber`) -21. BufferCount (parameter name:`bufferCount`) -22. MaxAcquredBufferCount (parameter name:`maxAcquredBufferCount`) -23. Status (parameter name:`status`) -24. ApiConnection (parameter name:`apiConnection`) -25. Dataspace (parameter name:`dataspace`) - -| Parameter| Valid Values| Configured Value| -|------------- |-------------| ----- | -|`status`| 0.`OK`, 1.`NO_MEMORY`, 2.`NO_INIT`, 3.`BAD_VALUE`, 4.`DEAD_OBJECT`, 5.`INVALID_OPERATION`, 6.`TIMED_OUT`, 7.`WOULD_BLOCK`, 8.`UNKNOWN_ERROR`, 9.`ALREADY_EXISTS`, |Value obtained from FuzzedDataProvider| -|`apiConnection`| 0.`BufferQueueCore::CURRENTLY_CONNECTED_API`, 1.`BufferQueueCore::NO_CONNECTED_API`, 2.`NATIVE_WINDOW_API_EGL`, 3.`NATIVE_WINDOW_API_CPU`, 4.`NATIVE_WINDOW_API_MEDIA`, 5.`NATIVE_WINDOW_API_CAMERA`, |Value obtained from FuzzedDataProvider| -|`dataspace`| 0.`ui::Dataspace::UNKNOWN`, 1.`ui::Dataspace::ARBITRARY`, 2.`ui::Dataspace::STANDARD_SHIFT`, 3.`ui::Dataspace::STANDARD_MASK`, 4.`ui::Dataspace::STANDARD_UNSPECIFIED`, 5.`ui::Dataspace::STANDARD_BT709`, 6.`ui::Dataspace::STANDARD_BT601_625`, 7.`ui::Dataspace::STANDARD_BT601_625_UNADJUSTED`, 8.`ui::Dataspace::STANDARD_BT601_525`, 9.`ui::Dataspace::STANDARD_BT601_525_UNADJUSTED`, 10.`ui::Dataspace::STANDARD_BT2020`, 11.`ui::Dataspace::STANDARD_BT2020_CONSTANT_LUMINANCE`, 12.`ui::Dataspace::STANDARD_BT470M`, 13.`ui::Dataspace::STANDARD_FILM`, 14.`ui::Dataspace::STANDARD_DCI_P3`, 15.`ui::Dataspace::STANDARD_ADOBE_RGB`, 16.`ui::Dataspace::TRANSFER_SHIFT`, 17.`ui::Dataspace::TRANSFER_MASK`, 18.`ui::Dataspace::TRANSFER_UNSPECIFIED`, 19.`ui::Dataspace::TRANSFER_LINEAR`, 20.`ui::Dataspace::TRANSFER_SRGB`, 21.`ui::Dataspace::TRANSFER_SMPTE_170M`, 22.`ui::Dataspace::TRANSFER_GAMMA2_2`, 23.`ui::Dataspace::TRANSFER_GAMMA2_6`, 24.`ui::Dataspace::TRANSFER_GAMMA2_8`, 25.`ui::Dataspace::TRANSFER_ST2084`, 26.`ui::Dataspace::TRANSFER_HLG`, 27.`ui::Dataspace::RANGE_SHIFT`, 28.`ui::Dataspace::RANGE_MASK`, 29.`ui::Dataspace::RANGE_UNSPECIFIED`, 30.`ui::Dataspace::RANGE_FULL`, 31.`ui::Dataspace::RANGE_LIMITED`, 32.`ui::Dataspace::RANGE_EXTENDED`, 33.`ui::Dataspace::SRGB_LINEAR`, 34.`ui::Dataspace::V0_SRGB_LINEAR`, 35.`ui::Dataspace::V0_SCRGB_LINEAR`, 36.`ui::Dataspace::SRGB`, 37.`ui::Dataspace::V0_SRGB`, 38.`ui::Dataspace::V0_SCRGB`, 39.`ui::Dataspace::JFIF`, 40.`ui::Dataspace::V0_JFIF`, 41.`ui::Dataspace::BT601_625`, 42.`ui::Dataspace::V0_BT601_625`, 43.`ui::Dataspace::BT601_525`, 44.`ui::Dataspace::V0_BT601_525`, 45.`ui::Dataspace::BT709`, 46.`ui::Dataspace::V0_BT709`, 47.`ui::Dataspace::DCI_P3_LINEAR`, 48.`ui::Dataspace::DCI_P3`, 49.`ui::Dataspace::DISPLAY_P3_LINEAR`, 50.`ui::Dataspace::DISPLAY_P3`, 51.`ui::Dataspace::ADOBE_RGB`, 52.`ui::Dataspace::BT2020_LINEAR`, 53.`ui::Dataspace::BT2020`, 54.`ui::Dataspace::BT2020_PQ`, 55.`ui::Dataspace::DEPTH`, 56.`ui::Dataspace::SENSOR`, 57.`ui::Dataspace::BT2020_ITU`, 58.`ui::Dataspace::BT2020_ITU_PQ`, 59.`ui::Dataspace::BT2020_ITU_HLG`, 60.`ui::Dataspace::BT2020_HLG`, 61.`ui::Dataspace::DISPLAY_BT2020`, 62.`ui::Dataspace::DYNAMIC_DEPTH`, 63.`ui::Dataspace::JPEG_APP_SEGMENTS`, 64.`ui::Dataspace::HEIF`, |Value obtained from FuzzedDataProvider| - -#### Steps to run -1. Build the fuzzer -``` - $ mm -j$(nproc) libgui_bufferQueue_fuzzer -``` -2. To run on device -``` - $ adb sync data - $ adb shell /data/fuzz/arm64/libgui_bufferQueue_fuzzer/libgui_bufferQueue_fuzzer -``` - -# <a name="libgui_consumer_fuzzer"></a> Fuzzer for Libgui_Consumer - -Libgui_Consumer supports the following parameters: -1. GraphicWidth (parameter name:`graphicWidth`) -2. GraphicHeight (parameter name:`graphicHeight`) -4. TransformHint (parameter name:`outTransformHint`) -5. GraphicPixelFormat (parameter name:`format`) -6. Usage (parameter name:`usage`) - -#### Steps to run -1. Build the fuzzer -``` - $ mm -j$(nproc) libgui_consumer_fuzzer -``` -2. Run on device -``` - $ adb sync data - $ adb shell /data/fuzz/arm64/libgui_consumer_fuzzer/libgui_consumer_fuzzer -``` - -# <a name="libgui_displayEvent_fuzzer"></a> Fuzzer for LibGui_DisplayEvent - -LibGui_DisplayEvent supports the following parameters: -1. DisplayEventType (parameter name:`type`) -2. Events (parameter name:`events`) -3. VsyncSource (parameter name:`vsyncSource`) -4. EventRegistrationFlags (parameter name:`flags`) - -| Parameter| Valid Values| Configured Value| -|------------- |-------------| ----- | -|`vsyncSource`| 0.`ISurfaceComposer::eVsyncSourceApp`, 1.`ISurfaceComposer::eVsyncSourceSurfaceFlinger`, |Value obtained from FuzzedDataProvider| -|`flags`| 0.`ISurfaceComposer::EventRegistration::modeChanged`, 1.`ISurfaceComposer::EventRegistration::frameRateOverride`, |Value obtained from FuzzedDataProvider| -|`type`| 0.`DisplayEventReceiver::DISPLAY_EVENT_NULL`, 1.`DisplayEventReceiver::DISPLAY_EVENT_VSYNC`, 2.`DisplayEventReceiver::DISPLAY_EVENT_HOTPLUG`, 3.`DisplayEventReceiver::DISPLAY_EVENT_MODE_CHANGE`, 4.`DisplayEventReceiver::DISPLAY_EVENT_FRAME_RATE_OVERRIDE`, 5.`DisplayEventReceiver::DISPLAY_EVENT_FRAME_RATE_OVERRIDE_FLUSH`, |Value obtained from FuzzedDataProvider| -|`events`| 0.`Looper::EVENT_INPUT`, 1.`Looper::EVENT_OUTPUT`, 2.`Looper::EVENT_ERROR`, 3.`Looper::EVENT_HANGUP`, 4.`Looper::EVENT_INVALID`, |Value obtained from FuzzedDataProvider| - -#### Steps to run -1. Build the fuzzer -``` - $ mm -j$(nproc) libgui_displayEvent_fuzzer -``` -2. Run on device -``` - $ adb sync data - $ adb shell /data/fuzz/arm64/libgui_displayEvent_fuzzer/libgui_displayEvent_fuzzer -``` diff --git a/libs/gui/fuzzer/libgui_bufferQueue_fuzzer.cpp b/libs/gui/fuzzer/libgui_bufferQueue_fuzzer.cpp deleted file mode 100644 index 2e270b721f..0000000000 --- a/libs/gui/fuzzer/libgui_bufferQueue_fuzzer.cpp +++ /dev/null @@ -1,392 +0,0 @@ -/* - * Copyright 2022 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include <android-base/stringprintf.h> -#include <gui/BufferQueueConsumer.h> -#include <gui/BufferQueueCore.h> -#include <gui/BufferQueueProducer.h> -#include <gui/bufferqueue/2.0/types.h> -#include <system/window.h> - -#include <libgui_fuzzer_utils.h> - -using namespace android; -using namespace hardware::graphics::bufferqueue; -using namespace V1_0::utils; -using namespace V2_0::utils; - -constexpr int32_t kMaxBytes = 256; - -constexpr int32_t kError[] = { - OK, NO_MEMORY, NO_INIT, BAD_VALUE, DEAD_OBJECT, INVALID_OPERATION, - TIMED_OUT, WOULD_BLOCK, UNKNOWN_ERROR, ALREADY_EXISTS, -}; - -constexpr int32_t kAPIConnection[] = { - BufferQueueCore::CURRENTLY_CONNECTED_API, - BufferQueueCore::NO_CONNECTED_API, - NATIVE_WINDOW_API_EGL, - NATIVE_WINDOW_API_CPU, - NATIVE_WINDOW_API_MEDIA, - NATIVE_WINDOW_API_CAMERA, -}; - -class BufferQueueFuzzer { -public: - BufferQueueFuzzer(const uint8_t* data, size_t size) : mFdp(data, size){}; - void process(); - -private: - void invokeTypes(); - void invokeH2BGraphicBufferV1(); - void invokeH2BGraphicBufferV2(); - void invokeBufferQueueConsumer(); - void invokeBufferQueueProducer(); - void invokeBlastBufferQueue(); - void invokeQuery(sp<BufferQueueProducer>); - void invokeQuery(sp<V1_0::utils::H2BGraphicBufferProducer>); - void invokeQuery(sp<V2_0::utils::H2BGraphicBufferProducer>); - void invokeAcquireBuffer(sp<BufferQueueConsumer>); - void invokeOccupancyTracker(sp<BufferQueueConsumer>); - sp<SurfaceControl> makeSurfaceControl(); - sp<BLASTBufferQueue> makeBLASTBufferQueue(sp<SurfaceControl>); - - FuzzedDataProvider mFdp; -}; - -class ManageResourceHandle { -public: - ManageResourceHandle(FuzzedDataProvider* fdp) { - mNativeHandle = native_handle_create(0 /*numFds*/, 1 /*numInts*/); - mShouldOwn = fdp->ConsumeBool(); - mStream = NativeHandle::create(mNativeHandle, mShouldOwn); - } - ~ManageResourceHandle() { - if (!mShouldOwn) { - native_handle_close(mNativeHandle); - native_handle_delete(mNativeHandle); - } - } - sp<NativeHandle> getStream() { return mStream; } - -private: - bool mShouldOwn; - sp<NativeHandle> mStream; - native_handle_t* mNativeHandle; -}; - -sp<SurfaceControl> BufferQueueFuzzer::makeSurfaceControl() { - sp<IBinder> handle; - const sp<FakeBnSurfaceComposerClient> testClient(new FakeBnSurfaceComposerClient()); - sp<SurfaceComposerClient> client = new SurfaceComposerClient(testClient); - sp<BnGraphicBufferProducer> producer; - uint32_t layerId = mFdp.ConsumeIntegral<uint32_t>(); - std::string layerName = base::StringPrintf("#%d", layerId); - return sp<SurfaceControl>::make(client, handle, layerId, layerName, - mFdp.ConsumeIntegral<int32_t>(), - mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<int32_t>(), - mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<uint32_t>()); -} - -sp<BLASTBufferQueue> BufferQueueFuzzer::makeBLASTBufferQueue(sp<SurfaceControl> surface) { - return sp<BLASTBufferQueue>::make(mFdp.ConsumeRandomLengthString(kMaxBytes), surface, - mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<int32_t>()); -} - -void BufferQueueFuzzer::invokeBlastBufferQueue() { - sp<SurfaceControl> surface = makeSurfaceControl(); - sp<BLASTBufferQueue> queue = makeBLASTBufferQueue(surface); - - BufferItem item; - queue->onFrameAvailable(item); - queue->onFrameReplaced(item); - uint64_t bufferId = mFdp.ConsumeIntegral<uint64_t>(); - queue->onFrameDequeued(bufferId); - queue->onFrameCancelled(bufferId); - - SurfaceComposerClient::Transaction next; - uint64_t frameNumber = mFdp.ConsumeIntegral<uint64_t>(); - queue->mergeWithNextTransaction(&next, frameNumber); - queue->applyPendingTransactions(frameNumber); - - queue->update(surface, mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<int32_t>()); - queue->setFrameRate(mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeIntegral<int8_t>(), - mFdp.ConsumeBool() /*shouldBeSeamless*/); - FrameTimelineInfo info; - queue->setFrameTimelineInfo(mFdp.ConsumeIntegral<uint64_t>(), info); - - ManageResourceHandle handle(&mFdp); - queue->setSidebandStream(handle.getStream()); - - queue->getLastTransformHint(); - queue->getLastAcquiredFrameNum(); - - CompositorTiming compTiming; - sp<Fence> previousFence = new Fence(memfd_create("pfd", MFD_ALLOW_SEALING)); - sp<Fence> gpuFence = new Fence(memfd_create("gfd", MFD_ALLOW_SEALING)); - FrameEventHistoryStats frameStats(frameNumber, mFdp.ConsumeIntegral<uint64_t>(), gpuFence, - compTiming, mFdp.ConsumeIntegral<int64_t>(), - mFdp.ConsumeIntegral<int64_t>()); - std::vector<SurfaceControlStats> stats; - sp<Fence> presentFence = new Fence(memfd_create("fd", MFD_ALLOW_SEALING)); - SurfaceControlStats controlStats(surface, mFdp.ConsumeIntegral<int64_t>(), - mFdp.ConsumeIntegral<int64_t>(), presentFence, previousFence, - mFdp.ConsumeIntegral<uint32_t>(), frameStats, - mFdp.ConsumeIntegral<uint32_t>()); - stats.push_back(controlStats); -} - -void BufferQueueFuzzer::invokeQuery(sp<BufferQueueProducer> producer) { - int32_t value; - producer->query(mFdp.ConsumeIntegral<int32_t>(), &value); -} - -void BufferQueueFuzzer::invokeQuery(sp<V1_0::utils::H2BGraphicBufferProducer> producer) { - int32_t value; - producer->query(mFdp.ConsumeIntegral<int32_t>(), &value); -} - -void BufferQueueFuzzer::invokeQuery(sp<V2_0::utils::H2BGraphicBufferProducer> producer) { - int32_t value; - producer->query(mFdp.ConsumeIntegral<int32_t>(), &value); -} - -void BufferQueueFuzzer::invokeBufferQueueProducer() { - sp<BufferQueueCore> core(new BufferQueueCore()); - sp<BufferQueueProducer> producer(new BufferQueueProducer(core)); - const sp<android::IProducerListener> listener; - android::IGraphicBufferProducer::QueueBufferOutput output; - uint32_t api = mFdp.ConsumeIntegral<uint32_t>(); - producer->connect(listener, api, mFdp.ConsumeBool() /*producerControlledByApp*/, &output); - - sp<GraphicBuffer> buffer; - int32_t slot = mFdp.ConsumeIntegral<int32_t>(); - uint32_t maxBuffers = mFdp.ConsumeIntegral<uint32_t>(); - producer->requestBuffer(slot, &buffer); - producer->setMaxDequeuedBufferCount(maxBuffers); - producer->setAsyncMode(mFdp.ConsumeBool() /*async*/); - - android::IGraphicBufferProducer::QueueBufferInput input; - producer->attachBuffer(&slot, buffer); - producer->queueBuffer(slot, input, &output); - - int32_t format = mFdp.ConsumeIntegral<int32_t>(); - uint32_t width = mFdp.ConsumeIntegral<uint32_t>(); - uint32_t height = mFdp.ConsumeIntegral<uint32_t>(); - uint64_t usage = mFdp.ConsumeIntegral<uint64_t>(); - uint64_t outBufferAge; - FrameEventHistoryDelta outTimestamps; - sp<android::Fence> fence; - producer->dequeueBuffer(&slot, &fence, width, height, format, usage, &outBufferAge, - &outTimestamps); - producer->detachBuffer(slot); - producer->detachNextBuffer(&buffer, &fence); - producer->cancelBuffer(slot, fence); - - invokeQuery(producer); - - ManageResourceHandle handle(&mFdp); - producer->setSidebandStream(handle.getStream()); - - producer->allocateBuffers(width, height, format, usage); - producer->allowAllocation(mFdp.ConsumeBool() /*allow*/); - producer->setSharedBufferMode(mFdp.ConsumeBool() /*sharedBufferMode*/); - producer->setAutoRefresh(mFdp.ConsumeBool() /*autoRefresh*/); - producer->setLegacyBufferDrop(mFdp.ConsumeBool() /*drop*/); - producer->setAutoPrerotation(mFdp.ConsumeBool() /*autoPrerotation*/); - - producer->setGenerationNumber(mFdp.ConsumeIntegral<uint32_t>()); - producer->setDequeueTimeout(mFdp.ConsumeIntegral<uint32_t>()); - producer->disconnect(api); -} - -void BufferQueueFuzzer::invokeAcquireBuffer(sp<BufferQueueConsumer> consumer) { - BufferItem item; - consumer->acquireBuffer(&item, mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<uint64_t>()); -} - -void BufferQueueFuzzer::invokeOccupancyTracker(sp<BufferQueueConsumer> consumer) { - String8 outResult; - String8 prefix((mFdp.ConsumeRandomLengthString(kMaxBytes)).c_str()); - consumer->dumpState(prefix, &outResult); - - std::vector<OccupancyTracker::Segment> outHistory; - consumer->getOccupancyHistory(mFdp.ConsumeBool() /*forceFlush*/, &outHistory); -} - -void BufferQueueFuzzer::invokeBufferQueueConsumer() { - sp<BufferQueueCore> core(new BufferQueueCore()); - sp<BufferQueueConsumer> consumer(new BufferQueueConsumer(core)); - sp<android::IConsumerListener> listener; - consumer->consumerConnect(listener, mFdp.ConsumeBool() /*controlledByApp*/); - invokeAcquireBuffer(consumer); - - int32_t slot = mFdp.ConsumeIntegral<int32_t>(); - sp<GraphicBuffer> buffer = - new GraphicBuffer(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<int32_t>(), mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<uint64_t>()); - consumer->attachBuffer(&slot, buffer); - consumer->detachBuffer(slot); - - consumer->setDefaultBufferSize(mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<uint32_t>()); - consumer->setMaxBufferCount(mFdp.ConsumeIntegral<int32_t>()); - consumer->setMaxAcquiredBufferCount(mFdp.ConsumeIntegral<int32_t>()); - - String8 name((mFdp.ConsumeRandomLengthString(kMaxBytes)).c_str()); - consumer->setConsumerName(name); - consumer->setDefaultBufferFormat(mFdp.ConsumeIntegral<int32_t>()); - android_dataspace dataspace = - static_cast<android_dataspace>(mFdp.PickValueInArray(kDataspaces)); - consumer->setDefaultBufferDataSpace(dataspace); - - consumer->setTransformHint(mFdp.ConsumeIntegral<uint32_t>()); - consumer->setConsumerUsageBits(mFdp.ConsumeIntegral<uint64_t>()); - consumer->setConsumerIsProtected(mFdp.ConsumeBool() /*isProtected*/); - invokeOccupancyTracker(consumer); - - sp<Fence> releaseFence = new Fence(memfd_create("fd", MFD_ALLOW_SEALING)); - consumer->releaseBuffer(mFdp.ConsumeIntegral<int32_t>(), mFdp.ConsumeIntegral<uint64_t>(), - EGL_NO_DISPLAY, EGL_NO_SYNC_KHR, releaseFence); - consumer->consumerDisconnect(); -} - -void BufferQueueFuzzer::invokeTypes() { - HStatus hStatus; - int32_t status = mFdp.PickValueInArray(kError); - bool bufferNeedsReallocation = mFdp.ConsumeBool(); - bool releaseAllBuffers = mFdp.ConsumeBool(); - b2h(status, &hStatus, &bufferNeedsReallocation, &releaseAllBuffers); - h2b(hStatus, &status); - - HConnectionType type; - int32_t apiConnection = mFdp.PickValueInArray(kAPIConnection); - b2h(apiConnection, &type); - h2b(type, &apiConnection); -} - -void BufferQueueFuzzer::invokeH2BGraphicBufferV1() { - sp<V1_0::utils::H2BGraphicBufferProducer> producer( - new V1_0::utils::H2BGraphicBufferProducer(new FakeGraphicBufferProducerV1())); - const sp<android::IProducerListener> listener; - android::IGraphicBufferProducer::QueueBufferOutput output; - uint32_t api = mFdp.ConsumeIntegral<uint32_t>(); - producer->connect(listener, api, mFdp.ConsumeBool() /*producerControlledByApp*/, &output); - - sp<GraphicBuffer> buffer; - int32_t slot = mFdp.ConsumeIntegral<int32_t>(); - producer->requestBuffer(slot, &buffer); - producer->setMaxDequeuedBufferCount(mFdp.ConsumeIntegral<int32_t>()); - producer->setAsyncMode(mFdp.ConsumeBool()); - - android::IGraphicBufferProducer::QueueBufferInput input; - input.fence = new Fence(memfd_create("ffd", MFD_ALLOW_SEALING)); - producer->attachBuffer(&slot, buffer); - producer->queueBuffer(slot, input, &output); - - int32_t format = mFdp.ConsumeIntegral<int32_t>(); - uint32_t width = mFdp.ConsumeIntegral<uint32_t>(); - uint32_t height = mFdp.ConsumeIntegral<uint32_t>(); - uint64_t usage = mFdp.ConsumeIntegral<uint64_t>(); - uint64_t outBufferAge; - FrameEventHistoryDelta outTimestamps; - sp<android::Fence> fence; - producer->dequeueBuffer(&slot, &fence, width, height, format, usage, &outBufferAge, - &outTimestamps); - producer->detachBuffer(slot); - producer->cancelBuffer(slot, fence); - - invokeQuery(producer); - - ManageResourceHandle handle(&mFdp); - producer->setSidebandStream(handle.getStream()); - - producer->allocateBuffers(width, height, format, usage); - producer->allowAllocation(mFdp.ConsumeBool() /*allow*/); - producer->setSharedBufferMode(mFdp.ConsumeBool() /*sharedBufferMode*/); - producer->setAutoRefresh(mFdp.ConsumeBool() /*autoRefresh*/); - - producer->setGenerationNumber(mFdp.ConsumeIntegral<uint32_t>()); - producer->setDequeueTimeout(mFdp.ConsumeIntegral<uint32_t>()); - producer->disconnect(api); -} - -void BufferQueueFuzzer::invokeH2BGraphicBufferV2() { - sp<V2_0::utils::H2BGraphicBufferProducer> producer( - new V2_0::utils::H2BGraphicBufferProducer(new FakeGraphicBufferProducerV2())); - const sp<android::IProducerListener> listener; - android::IGraphicBufferProducer::QueueBufferOutput output; - uint32_t api = mFdp.ConsumeIntegral<uint32_t>(); - producer->connect(listener, api, mFdp.ConsumeBool() /*producerControlledByApp*/, &output); - - sp<GraphicBuffer> buffer; - int32_t slot = mFdp.ConsumeIntegral<int32_t>(); - producer->requestBuffer(slot, &buffer); - producer->setMaxDequeuedBufferCount(mFdp.ConsumeIntegral<uint32_t>()); - producer->setAsyncMode(mFdp.ConsumeBool()); - - android::IGraphicBufferProducer::QueueBufferInput input; - input.fence = new Fence(memfd_create("ffd", MFD_ALLOW_SEALING)); - producer->attachBuffer(&slot, buffer); - producer->queueBuffer(slot, input, &output); - - int32_t format = mFdp.ConsumeIntegral<int32_t>(); - uint32_t width = mFdp.ConsumeIntegral<uint32_t>(); - uint32_t height = mFdp.ConsumeIntegral<uint32_t>(); - uint64_t usage = mFdp.ConsumeIntegral<uint64_t>(); - uint64_t outBufferAge; - FrameEventHistoryDelta outTimestamps; - sp<android::Fence> fence; - producer->dequeueBuffer(&slot, &fence, width, height, format, usage, &outBufferAge, - &outTimestamps); - producer->detachBuffer(slot); - producer->cancelBuffer(slot, fence); - - invokeQuery(producer); - - ManageResourceHandle handle(&mFdp); - producer->setSidebandStream(handle.getStream()); - - producer->allocateBuffers(width, height, format, usage); - producer->allowAllocation(mFdp.ConsumeBool() /*allow*/); - producer->setSharedBufferMode(mFdp.ConsumeBool() /*sharedBufferMode*/); - producer->setAutoRefresh(mFdp.ConsumeBool() /*autoRefresh*/); - - producer->setGenerationNumber(mFdp.ConsumeIntegral<uint32_t>()); - producer->setDequeueTimeout(mFdp.ConsumeIntegral<uint32_t>()); - producer->disconnect(api); -} - -void BufferQueueFuzzer::process() { - invokeBlastBufferQueue(); - invokeH2BGraphicBufferV1(); - invokeH2BGraphicBufferV2(); - invokeTypes(); - invokeBufferQueueConsumer(); - invokeBufferQueueProducer(); -} - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { - BufferQueueFuzzer bufferQueueFuzzer(data, size); - bufferQueueFuzzer.process(); - return 0; -} diff --git a/libs/gui/fuzzer/libgui_consumer_fuzzer.cpp b/libs/gui/fuzzer/libgui_consumer_fuzzer.cpp deleted file mode 100644 index 24a046d3a9..0000000000 --- a/libs/gui/fuzzer/libgui_consumer_fuzzer.cpp +++ /dev/null @@ -1,82 +0,0 @@ -/* - * Copyright 2022 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include <gui/BufferQueueConsumer.h> -#include <gui/BufferQueueCore.h> -#include <gui/BufferQueueProducer.h> -#include <gui/GLConsumer.h> -#include <libgui_fuzzer_utils.h> - -using namespace android; - -constexpr int32_t kMinBuffer = 0; -constexpr int32_t kMaxBuffer = 100000; - -class ConsumerFuzzer { -public: - ConsumerFuzzer(const uint8_t* data, size_t size) : mFdp(data, size){}; - void process(); - -private: - FuzzedDataProvider mFdp; -}; - -void ConsumerFuzzer::process() { - sp<BufferQueueCore> core(new BufferQueueCore()); - sp<IGraphicBufferConsumer> consumer(new BufferQueueConsumer(core)); - - uint64_t maxBuffers = mFdp.ConsumeIntegralInRange<uint64_t>(kMinBuffer, kMaxBuffer); - sp<CpuConsumer> cpu( - new CpuConsumer(consumer, maxBuffers, mFdp.ConsumeBool() /*controlledByApp*/)); - CpuConsumer::LockedBuffer lockBuffer; - cpu->lockNextBuffer(&lockBuffer); - cpu->unlockBuffer(lockBuffer); - cpu->abandon(); - - uint32_t tex = mFdp.ConsumeIntegral<uint32_t>(); - sp<GLConsumer> glComsumer(new GLConsumer(consumer, tex, GLConsumer::TEXTURE_EXTERNAL, - mFdp.ConsumeBool() /*useFenceSync*/, - mFdp.ConsumeBool() /*isControlledByApp*/)); - sp<Fence> releaseFence = new Fence(memfd_create("rfd", MFD_ALLOW_SEALING)); - glComsumer->setReleaseFence(releaseFence); - glComsumer->updateTexImage(); - glComsumer->releaseTexImage(); - - sp<GraphicBuffer> buffer = - new GraphicBuffer(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<int32_t>(), mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<uint64_t>()); - float mtx[16]; - glComsumer->getTransformMatrix(mtx); - glComsumer->computeTransformMatrix(mtx, buffer, getRect(&mFdp), - mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeBool() /*filtering*/); - glComsumer->scaleDownCrop(getRect(&mFdp), mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<uint32_t>()); - - glComsumer->setDefaultBufferSize(mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<uint32_t>()); - glComsumer->setFilteringEnabled(mFdp.ConsumeBool() /*enabled*/); - - glComsumer->setConsumerUsageBits(mFdp.ConsumeIntegral<uint64_t>()); - glComsumer->attachToContext(tex); - glComsumer->abandon(); -} - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { - ConsumerFuzzer consumerFuzzer(data, size); - consumerFuzzer.process(); - return 0; -} diff --git a/libs/gui/fuzzer/libgui_displayEvent_fuzzer.cpp b/libs/gui/fuzzer/libgui_displayEvent_fuzzer.cpp deleted file mode 100644 index 0d2a52b576..0000000000 --- a/libs/gui/fuzzer/libgui_displayEvent_fuzzer.cpp +++ /dev/null @@ -1,107 +0,0 @@ -/* - * Copyright 2022 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <android/gui/ISurfaceComposer.h> - -#include <libgui_fuzzer_utils.h> - -using namespace android; - -constexpr gui::ISurfaceComposer::VsyncSource kVsyncSource[] = { - gui::ISurfaceComposer::VsyncSource::eVsyncSourceApp, - gui::ISurfaceComposer::VsyncSource::eVsyncSourceSurfaceFlinger, -}; - -constexpr gui::ISurfaceComposer::EventRegistration kEventRegistration[] = { - gui::ISurfaceComposer::EventRegistration::modeChanged, - gui::ISurfaceComposer::EventRegistration::frameRateOverride, -}; - -constexpr uint32_t kDisplayEvent[] = { - DisplayEventReceiver::DISPLAY_EVENT_NULL, - DisplayEventReceiver::DISPLAY_EVENT_VSYNC, - DisplayEventReceiver::DISPLAY_EVENT_HOTPLUG, - DisplayEventReceiver::DISPLAY_EVENT_MODE_CHANGE, - DisplayEventReceiver::DISPLAY_EVENT_FRAME_RATE_OVERRIDE, - DisplayEventReceiver::DISPLAY_EVENT_FRAME_RATE_OVERRIDE_FLUSH, -}; - -constexpr int32_t kEvents[] = { - Looper::EVENT_INPUT, Looper::EVENT_OUTPUT, Looper::EVENT_ERROR, - Looper::EVENT_HANGUP, Looper::EVENT_INVALID, -}; - -DisplayEventReceiver::Event buildDisplayEvent(FuzzedDataProvider* fdp, uint32_t type, - DisplayEventReceiver::Event event) { - switch (type) { - case DisplayEventReceiver::DISPLAY_EVENT_VSYNC: { - event.vsync.count = fdp->ConsumeIntegral<uint32_t>(); - event.vsync.vsyncData.frameInterval = fdp->ConsumeIntegral<uint64_t>(); - event.vsync.vsyncData.preferredFrameTimelineIndex = fdp->ConsumeIntegral<uint32_t>(); - for (size_t idx = 0; idx < gui::VsyncEventData::kFrameTimelinesCapacity; ++idx) { - event.vsync.vsyncData.frameTimelines[idx].vsyncId = fdp->ConsumeIntegral<int64_t>(); - event.vsync.vsyncData.frameTimelines[idx].deadlineTimestamp = - fdp->ConsumeIntegral<uint64_t>(); - event.vsync.vsyncData.frameTimelines[idx].expectedPresentationTime = - fdp->ConsumeIntegral<uint64_t>(); - } - break; - - } - case DisplayEventReceiver::DISPLAY_EVENT_HOTPLUG: { - event.hotplug = - DisplayEventReceiver::Event::Hotplug{fdp->ConsumeBool() /*connected*/, - fdp->ConsumeIntegral< - int32_t>() /*connectionError*/}; - break; - } - case DisplayEventReceiver::DISPLAY_EVENT_MODE_CHANGE: { - event.modeChange = - DisplayEventReceiver::Event::ModeChange{fdp->ConsumeIntegral<int32_t>(), - fdp->ConsumeIntegral<int64_t>()}; - break; - } - case DisplayEventReceiver::DISPLAY_EVENT_FRAME_RATE_OVERRIDE: - case DisplayEventReceiver::DISPLAY_EVENT_FRAME_RATE_OVERRIDE_FLUSH: { - event.frameRateOverride = - DisplayEventReceiver::Event::FrameRateOverride{fdp->ConsumeIntegral<uint32_t>(), - fdp->ConsumeFloatingPoint< - float>()}; - break; - } - } - return event; -} - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { - FuzzedDataProvider fdp(data, size); - sp<Looper> looper; - sp<FakeDisplayEventDispatcher> dispatcher( - new FakeDisplayEventDispatcher(looper, fdp.PickValueInArray(kVsyncSource), - fdp.PickValueInArray(kEventRegistration))); - - dispatcher->initialize(); - DisplayEventReceiver::Event event; - uint32_t type = fdp.PickValueInArray(kDisplayEvent); - PhysicalDisplayId displayId; - event.header = - DisplayEventReceiver::Event::Header{type, displayId, fdp.ConsumeIntegral<int64_t>()}; - event = buildDisplayEvent(&fdp, type, event); - - dispatcher->injectEvent(event); - dispatcher->handleEvent(0, fdp.PickValueInArray(kEvents), nullptr); - return 0; -} diff --git a/libs/gui/fuzzer/libgui_fuzzer_utils.h b/libs/gui/fuzzer/libgui_fuzzer_utils.h deleted file mode 100644 index 2bdbd43233..0000000000 --- a/libs/gui/fuzzer/libgui_fuzzer_utils.h +++ /dev/null @@ -1,332 +0,0 @@ -/* - * Copyright 2021 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include <android/gui/BnRegionSamplingListener.h> -#include <android/gui/BnSurfaceComposer.h> -#include <android/gui/BnSurfaceComposerClient.h> -#include <android/gui/IDisplayEventConnection.h> -#include <android/gui/ISurfaceComposerClient.h> -#include <fuzzer/FuzzedDataProvider.h> -#include <gmock/gmock.h> -#include <gui/BLASTBufferQueue.h> -#include <gui/DisplayEventDispatcher.h> -#include <gui/IGraphicBufferProducer.h> -#include <gui/LayerDebugInfo.h> -#include <gui/LayerState.h> -#include <gui/bufferqueue/1.0/H2BGraphicBufferProducer.h> -#include <gui/bufferqueue/2.0/H2BGraphicBufferProducer.h> -#include <ui/fuzzer/FuzzableDataspaces.h> - -namespace android { - -constexpr uint32_t kOrientation[] = { - ui::Transform::ROT_0, ui::Transform::FLIP_H, ui::Transform::FLIP_V, - ui::Transform::ROT_90, ui::Transform::ROT_180, ui::Transform::ROT_270, -}; - -Rect getRect(FuzzedDataProvider* fdp) { - const int32_t left = fdp->ConsumeIntegral<int32_t>(); - const int32_t top = fdp->ConsumeIntegral<int32_t>(); - const int32_t right = fdp->ConsumeIntegral<int32_t>(); - const int32_t bottom = fdp->ConsumeIntegral<int32_t>(); - return Rect(left, top, right, bottom); -} - -gui::DisplayBrightness getBrightness(FuzzedDataProvider* fdp) { - static constexpr float kMinBrightness = 0; - static constexpr float kMaxBrightness = 1; - gui::DisplayBrightness brightness; - brightness.sdrWhitePoint = - fdp->ConsumeFloatingPointInRange<float>(kMinBrightness, kMaxBrightness); - brightness.sdrWhitePointNits = - fdp->ConsumeFloatingPointInRange<float>(kMinBrightness, kMaxBrightness); - brightness.displayBrightness = - fdp->ConsumeFloatingPointInRange<float>(kMinBrightness, kMaxBrightness); - brightness.displayBrightnessNits = - fdp->ConsumeFloatingPointInRange<float>(kMinBrightness, kMaxBrightness); - return brightness; -} - -class FakeBnSurfaceComposer : public gui::BnSurfaceComposer { -public: - MOCK_METHOD(binder::Status, bootFinished, (), (override)); - MOCK_METHOD(binder::Status, createDisplayEventConnection, - (gui::ISurfaceComposer::VsyncSource, gui::ISurfaceComposer::EventRegistration, - const sp<IBinder>& /*layerHandle*/, sp<gui::IDisplayEventConnection>*), - (override)); - MOCK_METHOD(binder::Status, createConnection, (sp<gui::ISurfaceComposerClient>*), (override)); - MOCK_METHOD(binder::Status, createDisplay, (const std::string&, bool, float, sp<IBinder>*), - (override)); - MOCK_METHOD(binder::Status, destroyDisplay, (const sp<IBinder>&), (override)); - MOCK_METHOD(binder::Status, getPhysicalDisplayIds, (std::vector<int64_t>*), (override)); - MOCK_METHOD(binder::Status, getPhysicalDisplayToken, (int64_t, sp<IBinder>*), (override)); - MOCK_METHOD(binder::Status, setPowerMode, (const sp<IBinder>&, int), (override)); - MOCK_METHOD(binder::Status, getSupportedFrameTimestamps, (std::vector<FrameEvent>*), - (override)); - MOCK_METHOD(binder::Status, getDisplayStats, (const sp<IBinder>&, gui::DisplayStatInfo*), - (override)); - MOCK_METHOD(binder::Status, getDisplayState, (const sp<IBinder>&, gui::DisplayState*), - (override)); - MOCK_METHOD(binder::Status, getStaticDisplayInfo, (int64_t, gui::StaticDisplayInfo*), - (override)); - MOCK_METHOD(binder::Status, getDynamicDisplayInfoFromId, (int64_t, gui::DynamicDisplayInfo*), - (override)); - MOCK_METHOD(binder::Status, getDynamicDisplayInfoFromToken, - (const sp<IBinder>&, gui::DynamicDisplayInfo*), (override)); - MOCK_METHOD(binder::Status, getDisplayNativePrimaries, - (const sp<IBinder>&, gui::DisplayPrimaries*), (override)); - MOCK_METHOD(binder::Status, setActiveColorMode, (const sp<IBinder>&, int), (override)); - MOCK_METHOD(binder::Status, setBootDisplayMode, (const sp<IBinder>&, int), (override)); - MOCK_METHOD(binder::Status, clearBootDisplayMode, (const sp<IBinder>&), (override)); - MOCK_METHOD(binder::Status, getBootDisplayModeSupport, (bool*), (override)); - MOCK_METHOD(binder::Status, getHdrConversionCapabilities, - (std::vector<gui::HdrConversionCapability>*), (override)); - MOCK_METHOD(binder::Status, setHdrConversionStrategy, - (const gui::HdrConversionStrategy&, int32_t*), (override)); - MOCK_METHOD(binder::Status, getHdrOutputConversionSupport, (bool*), (override)); - MOCK_METHOD(binder::Status, setAutoLowLatencyMode, (const sp<IBinder>&, bool), (override)); - MOCK_METHOD(binder::Status, setGameContentType, (const sp<IBinder>&, bool), (override)); - MOCK_METHOD(binder::Status, captureDisplay, - (const DisplayCaptureArgs&, const sp<IScreenCaptureListener>&), (override)); - MOCK_METHOD(binder::Status, captureDisplayById, - (int64_t, const gui::CaptureArgs&, const sp<IScreenCaptureListener>&), (override)); - MOCK_METHOD(binder::Status, captureLayers, - (const LayerCaptureArgs&, const sp<IScreenCaptureListener>&), (override)); - MOCK_METHOD(binder::Status, captureLayersSync, - (const LayerCaptureArgs&, gui::ScreenCaptureResults*), (override)); - MOCK_METHOD(binder::Status, clearAnimationFrameStats, (), (override)); - MOCK_METHOD(binder::Status, getAnimationFrameStats, (gui::FrameStats*), (override)); - MOCK_METHOD(binder::Status, overrideHdrTypes, (const sp<IBinder>&, const std::vector<int32_t>&), - (override)); - MOCK_METHOD(binder::Status, onPullAtom, (int32_t, gui::PullAtomData*), (override)); - MOCK_METHOD(binder::Status, getLayerDebugInfo, (std::vector<gui::LayerDebugInfo>*), (override)); - MOCK_METHOD(binder::Status, getCompositionPreference, (gui::CompositionPreference*), - (override)); - MOCK_METHOD(binder::Status, getDisplayedContentSamplingAttributes, - (const sp<IBinder>&, gui::ContentSamplingAttributes*), (override)); - MOCK_METHOD(binder::Status, setDisplayContentSamplingEnabled, - (const sp<IBinder>&, bool, int8_t, int64_t), (override)); - MOCK_METHOD(binder::Status, getDisplayedContentSample, - (const sp<IBinder>&, int64_t, int64_t, gui::DisplayedFrameStats*), (override)); - MOCK_METHOD(binder::Status, getProtectedContentSupport, (bool*), (override)); - MOCK_METHOD(binder::Status, isWideColorDisplay, (const sp<IBinder>&, bool*), (override)); - MOCK_METHOD(binder::Status, addRegionSamplingListener, - (const gui::ARect&, const sp<IBinder>&, const sp<gui::IRegionSamplingListener>&), - (override)); - MOCK_METHOD(binder::Status, removeRegionSamplingListener, - (const sp<gui::IRegionSamplingListener>&), (override)); - MOCK_METHOD(binder::Status, addFpsListener, (int32_t, const sp<gui::IFpsListener>&), - (override)); - MOCK_METHOD(binder::Status, removeFpsListener, (const sp<gui::IFpsListener>&), (override)); - MOCK_METHOD(binder::Status, addTunnelModeEnabledListener, - (const sp<gui::ITunnelModeEnabledListener>&), (override)); - MOCK_METHOD(binder::Status, removeTunnelModeEnabledListener, - (const sp<gui::ITunnelModeEnabledListener>&), (override)); - MOCK_METHOD(binder::Status, setDesiredDisplayModeSpecs, - (const sp<IBinder>&, const gui::DisplayModeSpecs&), (override)); - MOCK_METHOD(binder::Status, getDesiredDisplayModeSpecs, - (const sp<IBinder>&, gui::DisplayModeSpecs*), (override)); - MOCK_METHOD(binder::Status, getDisplayBrightnessSupport, (const sp<IBinder>&, bool*), - (override)); - MOCK_METHOD(binder::Status, setDisplayBrightness, - (const sp<IBinder>&, const gui::DisplayBrightness&), (override)); - MOCK_METHOD(binder::Status, addHdrLayerInfoListener, - (const sp<IBinder>&, const sp<gui::IHdrLayerInfoListener>&), (override)); - MOCK_METHOD(binder::Status, removeHdrLayerInfoListener, - (const sp<IBinder>&, const sp<gui::IHdrLayerInfoListener>&), (override)); - MOCK_METHOD(binder::Status, notifyPowerBoost, (int), (override)); - MOCK_METHOD(binder::Status, setGlobalShadowSettings, - (const gui::Color&, const gui::Color&, float, float, float), (override)); - MOCK_METHOD(binder::Status, getDisplayDecorationSupport, - (const sp<IBinder>&, std::optional<gui::DisplayDecorationSupport>*), (override)); - MOCK_METHOD(binder::Status, setGameModeFrameRateOverride, (int32_t, float), (override)); - MOCK_METHOD(binder::Status, setGameDefaultFrameRateOverride, (int32_t, float), (override)); - MOCK_METHOD(binder::Status, enableRefreshRateOverlay, (bool), (override)); - MOCK_METHOD(binder::Status, setDebugFlash, (int), (override)); - MOCK_METHOD(binder::Status, scheduleComposite, (), (override)); - MOCK_METHOD(binder::Status, scheduleCommit, (), (override)); - MOCK_METHOD(binder::Status, forceClientComposition, (bool), (override)); - MOCK_METHOD(binder::Status, updateSmallAreaDetection, - (const std::vector<int32_t>&, const std::vector<float>&), (override)); - MOCK_METHOD(binder::Status, setSmallAreaDetectionThreshold, (int32_t, float), (override)); - MOCK_METHOD(binder::Status, getGpuContextPriority, (int32_t*), (override)); - MOCK_METHOD(binder::Status, getMaxAcquiredBufferCount, (int32_t*), (override)); - MOCK_METHOD(binder::Status, addWindowInfosListener, - (const sp<gui::IWindowInfosListener>&, gui::WindowInfosListenerInfo*), (override)); - MOCK_METHOD(binder::Status, removeWindowInfosListener, (const sp<gui::IWindowInfosListener>&), - (override)); - MOCK_METHOD(binder::Status, getOverlaySupport, (gui::OverlayProperties*), (override)); - MOCK_METHOD(binder::Status, getStalledTransactionInfo, - (int32_t, std::optional<gui::StalledTransactionInfo>*), (override)); - MOCK_METHOD(binder::Status, getSchedulingPolicy, (gui::SchedulingPolicy*), (override)); -}; - -class FakeBnSurfaceComposerClient : public gui::BnSurfaceComposerClient { -public: - MOCK_METHOD(binder::Status, createSurface, - (const std::string& name, int32_t flags, const sp<IBinder>& parent, - const gui::LayerMetadata& metadata, gui::CreateSurfaceResult* outResult), - (override)); - - MOCK_METHOD(binder::Status, clearLayerFrameStats, (const sp<IBinder>& handle), (override)); - - MOCK_METHOD(binder::Status, getLayerFrameStats, - (const sp<IBinder>& handle, gui::FrameStats* outStats), (override)); - - MOCK_METHOD(binder::Status, mirrorSurface, - (const sp<IBinder>& mirrorFromHandle, gui::CreateSurfaceResult* outResult), - (override)); - - MOCK_METHOD(binder::Status, mirrorDisplay, - (int64_t displayId, gui::CreateSurfaceResult* outResult), (override)); - - MOCK_METHOD(binder::Status, getSchedulingPolicy, (gui::SchedulingPolicy*), (override)); -}; - -class FakeDisplayEventDispatcher : public DisplayEventDispatcher { -public: - FakeDisplayEventDispatcher(const sp<Looper>& looper, - gui::ISurfaceComposer::VsyncSource vsyncSource, - gui::ISurfaceComposer::EventRegistration eventRegistration) - : DisplayEventDispatcher(looper, vsyncSource, eventRegistration){}; - - MOCK_METHOD4(dispatchVsync, void(nsecs_t, PhysicalDisplayId, uint32_t, VsyncEventData)); - MOCK_METHOD3(dispatchHotplug, void(nsecs_t, PhysicalDisplayId, bool)); - MOCK_METHOD2(dispatchHotplugConnectionError, void(nsecs_t, int32_t)); - MOCK_METHOD4(dispatchModeChanged, void(nsecs_t, PhysicalDisplayId, int32_t, nsecs_t)); - MOCK_METHOD2(dispatchNullEvent, void(nsecs_t, PhysicalDisplayId)); - MOCK_METHOD3(dispatchFrameRateOverrides, - void(nsecs_t, PhysicalDisplayId, std::vector<FrameRateOverride>)); - MOCK_METHOD3(dispatchHdcpLevelsChanged, void(PhysicalDisplayId, int32_t, int32_t)); -}; - -} // namespace android - -namespace android::hardware { - -namespace graphics::bufferqueue::V1_0::utils { - -class FakeGraphicBufferProducerV1 : public HGraphicBufferProducer { -public: - FakeGraphicBufferProducerV1() { - ON_CALL(*this, setMaxDequeuedBufferCount).WillByDefault([]() { return 0; }); - ON_CALL(*this, setAsyncMode).WillByDefault([]() { return 0; }); - ON_CALL(*this, detachBuffer).WillByDefault([]() { return 0; }); - ON_CALL(*this, cancelBuffer).WillByDefault([]() { return 0; }); - ON_CALL(*this, disconnect).WillByDefault([]() { return 0; }); - ON_CALL(*this, setSidebandStream).WillByDefault([]() { return 0; }); - ON_CALL(*this, allowAllocation).WillByDefault([]() { return 0; }); - ON_CALL(*this, setGenerationNumber).WillByDefault([]() { return 0; }); - ON_CALL(*this, setSharedBufferMode).WillByDefault([]() { return 0; }); - ON_CALL(*this, setAutoRefresh).WillByDefault([]() { return 0; }); - ON_CALL(*this, setDequeueTimeout).WillByDefault([]() { return 0; }); - ON_CALL(*this, setLegacyBufferDrop).WillByDefault([]() { return 0; }); - }; - MOCK_METHOD2(requestBuffer, Return<void>(int, requestBuffer_cb)); - MOCK_METHOD1(setMaxDequeuedBufferCount, Return<int32_t>(int32_t)); - MOCK_METHOD1(setAsyncMode, Return<int32_t>(bool)); - MOCK_METHOD6(dequeueBuffer, - Return<void>(uint32_t, uint32_t, graphics::common::V1_0::PixelFormat, uint32_t, - bool, dequeueBuffer_cb)); - MOCK_METHOD1(detachBuffer, Return<int32_t>(int)); - MOCK_METHOD1(detachNextBuffer, Return<void>(detachNextBuffer_cb)); - MOCK_METHOD2(attachBuffer, Return<void>(const media::V1_0::AnwBuffer&, attachBuffer_cb)); - MOCK_METHOD3( - queueBuffer, - Return<void>( - int, - const graphics::bufferqueue::V1_0::IGraphicBufferProducer::QueueBufferInput&, - queueBuffer_cb)); - MOCK_METHOD2(cancelBuffer, Return<int32_t>(int, const hidl_handle&)); - MOCK_METHOD2(query, Return<void>(int32_t, query_cb)); - MOCK_METHOD4(connect, - Return<void>(const sp<graphics::bufferqueue::V1_0::IProducerListener>&, int32_t, - bool, connect_cb)); - MOCK_METHOD2(disconnect, - Return<int32_t>( - int, graphics::bufferqueue::V1_0::IGraphicBufferProducer::DisconnectMode)); - MOCK_METHOD1(setSidebandStream, Return<int32_t>(const hidl_handle&)); - MOCK_METHOD4(allocateBuffers, - Return<void>(uint32_t, uint32_t, graphics::common::V1_0::PixelFormat, uint32_t)); - MOCK_METHOD1(allowAllocation, Return<int32_t>(bool)); - MOCK_METHOD1(setGenerationNumber, Return<int32_t>(uint32_t)); - MOCK_METHOD1(getConsumerName, Return<void>(getConsumerName_cb)); - MOCK_METHOD1(setSharedBufferMode, Return<int32_t>(bool)); - MOCK_METHOD1(setAutoRefresh, Return<int32_t>(bool)); - MOCK_METHOD1(setDequeueTimeout, Return<int32_t>(nsecs_t)); - MOCK_METHOD1(setLegacyBufferDrop, Return<int32_t>(bool)); - MOCK_METHOD1(getLastQueuedBuffer, Return<void>(getLastQueuedBuffer_cb)); - MOCK_METHOD1(getFrameTimestamps, Return<void>(getFrameTimestamps_cb)); - MOCK_METHOD1(getUniqueId, Return<void>(getUniqueId_cb)); -}; - -}; // namespace graphics::bufferqueue::V1_0::utils - -namespace graphics::bufferqueue::V2_0::utils { - -class FakeGraphicBufferProducerV2 : public HGraphicBufferProducer { -public: - FakeGraphicBufferProducerV2() { - ON_CALL(*this, setMaxDequeuedBufferCount).WillByDefault([]() { return Status::OK; }); - ON_CALL(*this, setAsyncMode).WillByDefault([]() { return Status::OK; }); - ON_CALL(*this, detachBuffer).WillByDefault([]() { return Status::OK; }); - ON_CALL(*this, cancelBuffer).WillByDefault([]() { return Status::OK; }); - ON_CALL(*this, disconnect).WillByDefault([]() { return Status::OK; }); - ON_CALL(*this, allocateBuffers).WillByDefault([]() { return Status::OK; }); - ON_CALL(*this, allowAllocation).WillByDefault([]() { return Status::OK; }); - ON_CALL(*this, setGenerationNumber).WillByDefault([]() { return Status::OK; }); - ON_CALL(*this, setDequeueTimeout).WillByDefault([]() { return Status::OK; }); - ON_CALL(*this, getUniqueId).WillByDefault([]() { return 0; }); - }; - MOCK_METHOD2(requestBuffer, Return<void>(int, requestBuffer_cb)); - MOCK_METHOD1(setMaxDequeuedBufferCount, Return<graphics::bufferqueue::V2_0::Status>(int)); - MOCK_METHOD1(setAsyncMode, Return<graphics::bufferqueue::V2_0::Status>(bool)); - MOCK_METHOD2( - dequeueBuffer, - Return<void>( - const graphics::bufferqueue::V2_0::IGraphicBufferProducer::DequeueBufferInput&, - dequeueBuffer_cb)); - MOCK_METHOD1(detachBuffer, Return<graphics::bufferqueue::V2_0::Status>(int)); - MOCK_METHOD1(detachNextBuffer, Return<void>(detachNextBuffer_cb)); - MOCK_METHOD3(attachBuffer, - Return<void>(const graphics::common::V1_2::HardwareBuffer&, uint32_t, - attachBuffer_cb)); - MOCK_METHOD3( - queueBuffer, - Return<void>( - int, - const graphics::bufferqueue::V2_0::IGraphicBufferProducer::QueueBufferInput&, - queueBuffer_cb)); - MOCK_METHOD2(cancelBuffer, - Return<graphics::bufferqueue::V2_0::Status>(int, const hidl_handle&)); - MOCK_METHOD2(query, Return<void>(int32_t, query_cb)); - MOCK_METHOD4(connect, - Return<void>(const sp<graphics::bufferqueue::V2_0::IProducerListener>&, - graphics::bufferqueue::V2_0::ConnectionType, bool, connect_cb)); - MOCK_METHOD1(disconnect, - Return<graphics::bufferqueue::V2_0::Status>( - graphics::bufferqueue::V2_0::ConnectionType)); - MOCK_METHOD4(allocateBuffers, - Return<graphics::bufferqueue::V2_0::Status>(uint32_t, uint32_t, uint32_t, - uint64_t)); - MOCK_METHOD1(allowAllocation, Return<graphics::bufferqueue::V2_0::Status>(bool)); - MOCK_METHOD1(setGenerationNumber, Return<graphics::bufferqueue::V2_0::Status>(uint32_t)); - MOCK_METHOD1(getConsumerName, Return<void>(getConsumerName_cb)); - MOCK_METHOD1(setDequeueTimeout, Return<graphics::bufferqueue::V2_0::Status>(int64_t)); - MOCK_METHOD0(getUniqueId, Return<uint64_t>()); -}; - -}; // namespace graphics::bufferqueue::V2_0::utils -}; // namespace android::hardware diff --git a/libs/gui/fuzzer/libgui_parcelable_fuzzer.cpp b/libs/gui/fuzzer/libgui_parcelable_fuzzer.cpp deleted file mode 100644 index 9f0f6cac19..0000000000 --- a/libs/gui/fuzzer/libgui_parcelable_fuzzer.cpp +++ /dev/null @@ -1,175 +0,0 @@ -/* - * Copyright 2022 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include <gui/BufferQueueConsumer.h> -#include <gui/BufferQueueCore.h> -#include <gui/BufferQueueProducer.h> -#include <gui/LayerMetadata.h> -#include <gui/OccupancyTracker.h> -#include <gui/StreamSplitter.h> -#include <gui/Surface.h> -#include <gui/SurfaceControl.h> -#include <gui/view/Surface.h> -#include <libgui_fuzzer_utils.h> -#include "android/view/LayerMetadataKey.h" - -using namespace android; - -constexpr int32_t kMaxBytes = 256; -constexpr int32_t kMatrixSize = 4; -constexpr int32_t kLayerMetadataKeyCount = 8; - -constexpr uint32_t kMetadataKey[] = { - (uint32_t)view::LayerMetadataKey::METADATA_OWNER_UID, - (uint32_t)view::LayerMetadataKey::METADATA_WINDOW_TYPE, - (uint32_t)view::LayerMetadataKey::METADATA_TASK_ID, - (uint32_t)view::LayerMetadataKey::METADATA_MOUSE_CURSOR, - (uint32_t)view::LayerMetadataKey::METADATA_ACCESSIBILITY_ID, - (uint32_t)view::LayerMetadataKey::METADATA_OWNER_PID, - (uint32_t)view::LayerMetadataKey::METADATA_DEQUEUE_TIME, - (uint32_t)view::LayerMetadataKey::METADATA_GAME_MODE, -}; - -class ParcelableFuzzer { -public: - ParcelableFuzzer(const uint8_t* data, size_t size) : mFdp(data, size){}; - void process(); - -private: - void invokeStreamSplitter(); - void invokeOccupancyTracker(); - void invokeLayerDebugInfo(); - void invokeLayerMetadata(); - void invokeViewSurface(); - - FuzzedDataProvider mFdp; -}; - -void ParcelableFuzzer::invokeViewSurface() { - view::Surface surface; - surface.name = String16((mFdp.ConsumeRandomLengthString(kMaxBytes)).c_str()); - Parcel parcel; - surface.writeToParcel(&parcel); - parcel.setDataPosition(0); - surface.readFromParcel(&parcel); - bool nameAlreadyWritten = mFdp.ConsumeBool(); - surface.writeToParcel(&parcel, nameAlreadyWritten); - parcel.setDataPosition(0); - surface.readFromParcel(&parcel, mFdp.ConsumeBool()); -} - -void ParcelableFuzzer::invokeLayerMetadata() { - std::unordered_map<uint32_t, std::vector<uint8_t>> map; - for (size_t idx = 0; idx < kLayerMetadataKeyCount; ++idx) { - std::vector<uint8_t> data; - for (size_t idx1 = 0; idx1 < mFdp.ConsumeIntegral<uint32_t>(); ++idx1) { - data.push_back(mFdp.ConsumeIntegral<uint8_t>()); - } - map[kMetadataKey[idx]] = data; - } - LayerMetadata metadata(map); - uint32_t key = mFdp.PickValueInArray(kMetadataKey); - metadata.setInt32(key, mFdp.ConsumeIntegral<int32_t>()); - metadata.itemToString(key, (mFdp.ConsumeRandomLengthString(kMaxBytes)).c_str()); - - Parcel parcel; - metadata.writeToParcel(&parcel); - parcel.setDataPosition(0); - metadata.readFromParcel(&parcel); -} - -void ParcelableFuzzer::invokeLayerDebugInfo() { - gui::LayerDebugInfo info; - info.mName = mFdp.ConsumeRandomLengthString(kMaxBytes); - info.mParentName = mFdp.ConsumeRandomLengthString(kMaxBytes); - info.mType = mFdp.ConsumeRandomLengthString(kMaxBytes); - info.mLayerStack = mFdp.ConsumeIntegral<uint32_t>(); - info.mX = mFdp.ConsumeFloatingPoint<float>(); - info.mY = mFdp.ConsumeFloatingPoint<float>(); - info.mZ = mFdp.ConsumeIntegral<uint32_t>(); - info.mWidth = mFdp.ConsumeIntegral<int32_t>(); - info.mHeight = mFdp.ConsumeIntegral<int32_t>(); - info.mActiveBufferWidth = mFdp.ConsumeIntegral<int32_t>(); - info.mActiveBufferHeight = mFdp.ConsumeIntegral<int32_t>(); - info.mActiveBufferStride = mFdp.ConsumeIntegral<int32_t>(); - info.mActiveBufferFormat = mFdp.ConsumeIntegral<int32_t>(); - info.mNumQueuedFrames = mFdp.ConsumeIntegral<int32_t>(); - - info.mFlags = mFdp.ConsumeIntegral<uint32_t>(); - info.mPixelFormat = mFdp.ConsumeIntegral<int32_t>(); - info.mTransparentRegion = Region(getRect(&mFdp)); - info.mVisibleRegion = Region(getRect(&mFdp)); - info.mSurfaceDamageRegion = Region(getRect(&mFdp)); - info.mCrop = getRect(&mFdp); - info.mDataSpace = static_cast<android_dataspace>(mFdp.PickValueInArray(kDataspaces)); - info.mColor = half4(mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(), - mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>()); - for (size_t idx = 0; idx < kMatrixSize; ++idx) { - info.mMatrix[idx / 2][idx % 2] = mFdp.ConsumeFloatingPoint<float>(); - } - info.mIsOpaque = mFdp.ConsumeBool(); - info.mContentDirty = mFdp.ConsumeBool(); - info.mStretchEffect.width = mFdp.ConsumeFloatingPoint<float>(); - info.mStretchEffect.height = mFdp.ConsumeFloatingPoint<float>(); - info.mStretchEffect.vectorX = mFdp.ConsumeFloatingPoint<float>(); - info.mStretchEffect.vectorY = mFdp.ConsumeFloatingPoint<float>(); - info.mStretchEffect.maxAmountX = mFdp.ConsumeFloatingPoint<float>(); - info.mStretchEffect.maxAmountY = mFdp.ConsumeFloatingPoint<float>(); - info.mStretchEffect.mappedChildBounds = - FloatRect(mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(), - mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>()); - - Parcel parcel; - info.writeToParcel(&parcel); - parcel.setDataPosition(0); - info.readFromParcel(&parcel); -} - -void ParcelableFuzzer::invokeOccupancyTracker() { - nsecs_t totalTime = mFdp.ConsumeIntegral<uint32_t>(); - size_t numFrames = mFdp.ConsumeIntegral<size_t>(); - float occupancyAverage = mFdp.ConsumeFloatingPoint<float>(); - OccupancyTracker::Segment segment(totalTime, numFrames, occupancyAverage, - mFdp.ConsumeBool() /*usedThirdBuffer*/); - Parcel parcel; - segment.writeToParcel(&parcel); - parcel.setDataPosition(0); - segment.readFromParcel(&parcel); -} - -void ParcelableFuzzer::invokeStreamSplitter() { - sp<IGraphicBufferProducer> producer; - sp<IGraphicBufferConsumer> consumer; - BufferQueue::createBufferQueue(&producer, &consumer); - sp<StreamSplitter> splitter; - StreamSplitter::createSplitter(consumer, &splitter); - splitter->addOutput(producer); - std::string name = mFdp.ConsumeRandomLengthString(kMaxBytes); - splitter->setName(String8(name.c_str())); -} - -void ParcelableFuzzer::process() { - invokeStreamSplitter(); - invokeOccupancyTracker(); - invokeLayerDebugInfo(); - invokeLayerMetadata(); - invokeViewSurface(); -} - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { - ParcelableFuzzer libGuiFuzzer(data, size); - libGuiFuzzer.process(); - return 0; -} diff --git a/libs/gui/fuzzer/libgui_surfaceComposerClient_fuzzer.cpp b/libs/gui/fuzzer/libgui_surfaceComposerClient_fuzzer.cpp deleted file mode 100644 index 4daa3be36f..0000000000 --- a/libs/gui/fuzzer/libgui_surfaceComposerClient_fuzzer.cpp +++ /dev/null @@ -1,328 +0,0 @@ -/* - * Copyright 2022 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include <aidl/android/hardware/power/Boost.h> -#include <fuzzbinder/libbinder_driver.h> -#include <gui/Surface.h> -#include <gui/SurfaceComposerClient.h> -#include <libgui_fuzzer_utils.h> -#include "android-base/stringprintf.h" - -using namespace android; - -constexpr int32_t kRandomStringMaxBytes = 256; - -constexpr ui::ColorMode kColormodes[] = {ui::ColorMode::NATIVE, - ui::ColorMode::STANDARD_BT601_625, - ui::ColorMode::STANDARD_BT601_625_UNADJUSTED, - ui::ColorMode::STANDARD_BT601_525, - ui::ColorMode::STANDARD_BT601_525_UNADJUSTED, - ui::ColorMode::STANDARD_BT709, - ui::ColorMode::DCI_P3, - ui::ColorMode::SRGB, - ui::ColorMode::ADOBE_RGB, - ui::ColorMode::DISPLAY_P3, - ui::ColorMode::BT2020, - ui::ColorMode::BT2100_PQ, - ui::ColorMode::BT2100_HLG, - ui::ColorMode::DISPLAY_BT2020}; - -constexpr aidl::android::hardware::power::Boost kBoost[] = { - aidl::android::hardware::power::Boost::INTERACTION, - aidl::android::hardware::power::Boost::DISPLAY_UPDATE_IMMINENT, - aidl::android::hardware::power::Boost::ML_ACC, - aidl::android::hardware::power::Boost::AUDIO_LAUNCH, - aidl::android::hardware::power::Boost::CAMERA_LAUNCH, - aidl::android::hardware::power::Boost::CAMERA_SHOT, -}; - -constexpr gui::TouchOcclusionMode kMode[] = { - gui::TouchOcclusionMode::BLOCK_UNTRUSTED, - gui::TouchOcclusionMode::USE_OPACITY, - gui::TouchOcclusionMode::ALLOW, -}; - -constexpr gui::WindowInfo::Flag kFlags[] = { - gui::WindowInfo::Flag::ALLOW_LOCK_WHILE_SCREEN_ON, - gui::WindowInfo::Flag::DIM_BEHIND, - gui::WindowInfo::Flag::BLUR_BEHIND, - gui::WindowInfo::Flag::NOT_FOCUSABLE, - gui::WindowInfo::Flag::NOT_TOUCHABLE, - gui::WindowInfo::Flag::NOT_TOUCH_MODAL, - gui::WindowInfo::Flag::TOUCHABLE_WHEN_WAKING, - gui::WindowInfo::Flag::KEEP_SCREEN_ON, - gui::WindowInfo::Flag::LAYOUT_IN_SCREEN, - gui::WindowInfo::Flag::LAYOUT_NO_LIMITS, - gui::WindowInfo::Flag::FULLSCREEN, - gui::WindowInfo::Flag::FORCE_NOT_FULLSCREEN, - gui::WindowInfo::Flag::DITHER, - gui::WindowInfo::Flag::SECURE, - gui::WindowInfo::Flag::SCALED, - gui::WindowInfo::Flag::IGNORE_CHEEK_PRESSES, - gui::WindowInfo::Flag::LAYOUT_INSET_DECOR, - gui::WindowInfo::Flag::ALT_FOCUSABLE_IM, - gui::WindowInfo::Flag::WATCH_OUTSIDE_TOUCH, - gui::WindowInfo::Flag::SHOW_WHEN_LOCKED, - gui::WindowInfo::Flag::SHOW_WALLPAPER, - gui::WindowInfo::Flag::TURN_SCREEN_ON, - gui::WindowInfo::Flag::DISMISS_KEYGUARD, - gui::WindowInfo::Flag::SPLIT_TOUCH, - gui::WindowInfo::Flag::HARDWARE_ACCELERATED, - gui::WindowInfo::Flag::LAYOUT_IN_OVERSCAN, - gui::WindowInfo::Flag::TRANSLUCENT_STATUS, - gui::WindowInfo::Flag::TRANSLUCENT_NAVIGATION, - gui::WindowInfo::Flag::LOCAL_FOCUS_MODE, - gui::WindowInfo::Flag::SLIPPERY, - gui::WindowInfo::Flag::LAYOUT_ATTACHED_IN_DECOR, - gui::WindowInfo::Flag::DRAWS_SYSTEM_BAR_BACKGROUNDS, -}; - -constexpr gui::WindowInfo::Type kType[] = { - gui::WindowInfo::Type::UNKNOWN, - gui::WindowInfo::Type::FIRST_APPLICATION_WINDOW, - gui::WindowInfo::Type::BASE_APPLICATION, - gui::WindowInfo::Type::APPLICATION, - gui::WindowInfo::Type::APPLICATION_STARTING, - gui::WindowInfo::Type::LAST_APPLICATION_WINDOW, - gui::WindowInfo::Type::FIRST_SUB_WINDOW, - gui::WindowInfo::Type::APPLICATION_PANEL, - gui::WindowInfo::Type::APPLICATION_MEDIA, - gui::WindowInfo::Type::APPLICATION_SUB_PANEL, - gui::WindowInfo::Type::APPLICATION_ATTACHED_DIALOG, - gui::WindowInfo::Type::APPLICATION_MEDIA_OVERLAY, -}; - -constexpr gui::WindowInfo::InputConfig kFeatures[] = { - gui::WindowInfo::InputConfig::NO_INPUT_CHANNEL, - gui::WindowInfo::InputConfig::DISABLE_USER_ACTIVITY, - gui::WindowInfo::InputConfig::DROP_INPUT, - gui::WindowInfo::InputConfig::DROP_INPUT_IF_OBSCURED, - gui::WindowInfo::InputConfig::SPY, - gui::WindowInfo::InputConfig::INTERCEPTS_STYLUS, -}; - -class SurfaceComposerClientFuzzer { -public: - SurfaceComposerClientFuzzer(const uint8_t* data, size_t size) : mFdp(data, size){}; - void process(); - -private: - void invokeSurfaceComposerClient(); - void invokeSurfaceComposerClientBinder(); - void invokeSurfaceComposerTransaction(); - void getWindowInfo(gui::WindowInfo*); - sp<SurfaceControl> makeSurfaceControl(); - BlurRegion getBlurRegion(); - void fuzzOnPullAtom(); - gui::DisplayModeSpecs getDisplayModeSpecs(); - - FuzzedDataProvider mFdp; -}; - -gui::DisplayModeSpecs SurfaceComposerClientFuzzer::getDisplayModeSpecs() { - const auto getRefreshRateRange = [&] { - gui::DisplayModeSpecs::RefreshRateRanges::RefreshRateRange range; - range.min = mFdp.ConsumeFloatingPoint<float>(); - range.max = mFdp.ConsumeFloatingPoint<float>(); - return range; - }; - - const auto getRefreshRateRanges = [&] { - gui::DisplayModeSpecs::RefreshRateRanges ranges; - ranges.physical = getRefreshRateRange(); - ranges.render = getRefreshRateRange(); - return ranges; - }; - - String8 displayName((mFdp.ConsumeRandomLengthString(kRandomStringMaxBytes)).c_str()); - sp<IBinder> displayToken = - SurfaceComposerClient::createDisplay(displayName, mFdp.ConsumeBool() /*secure*/); - gui::DisplayModeSpecs specs; - specs.defaultMode = mFdp.ConsumeIntegral<int32_t>(); - specs.allowGroupSwitching = mFdp.ConsumeBool(); - specs.primaryRanges = getRefreshRateRanges(); - specs.appRequestRanges = getRefreshRateRanges(); - return specs; -} - -BlurRegion SurfaceComposerClientFuzzer::getBlurRegion() { - int32_t left = mFdp.ConsumeIntegral<int32_t>(); - int32_t right = mFdp.ConsumeIntegral<int32_t>(); - int32_t top = mFdp.ConsumeIntegral<int32_t>(); - int32_t bottom = mFdp.ConsumeIntegral<int32_t>(); - uint32_t blurRadius = mFdp.ConsumeIntegral<uint32_t>(); - float alpha = mFdp.ConsumeFloatingPoint<float>(); - float cornerRadiusTL = mFdp.ConsumeFloatingPoint<float>(); - float cornerRadiusTR = mFdp.ConsumeFloatingPoint<float>(); - float cornerRadiusBL = mFdp.ConsumeFloatingPoint<float>(); - float cornerRadiusBR = mFdp.ConsumeFloatingPoint<float>(); - return BlurRegion{blurRadius, cornerRadiusTL, cornerRadiusTR, cornerRadiusBL, - cornerRadiusBR, alpha, left, top, - right, bottom}; -} - -void SurfaceComposerClientFuzzer::getWindowInfo(gui::WindowInfo* windowInfo) { - windowInfo->id = mFdp.ConsumeIntegral<int32_t>(); - windowInfo->name = mFdp.ConsumeRandomLengthString(kRandomStringMaxBytes); - windowInfo->layoutParamsFlags = mFdp.PickValueInArray(kFlags); - windowInfo->layoutParamsType = mFdp.PickValueInArray(kType); - windowInfo->frame = Rect(mFdp.ConsumeIntegral<int32_t>(), mFdp.ConsumeIntegral<int32_t>(), - mFdp.ConsumeIntegral<int32_t>(), mFdp.ConsumeIntegral<int32_t>()); - windowInfo->surfaceInset = mFdp.ConsumeIntegral<int32_t>(); - windowInfo->alpha = mFdp.ConsumeFloatingPointInRange<float>(0, 1); - ui::Transform transform(mFdp.PickValueInArray(kOrientation)); - windowInfo->transform = transform; - windowInfo->touchableRegion = Region(getRect(&mFdp)); - windowInfo->replaceTouchableRegionWithCrop = mFdp.ConsumeBool(); - windowInfo->touchOcclusionMode = mFdp.PickValueInArray(kMode); - windowInfo->ownerPid = gui::Pid{mFdp.ConsumeIntegral<pid_t>()}; - windowInfo->ownerUid = gui::Uid{mFdp.ConsumeIntegral<uid_t>()}; - windowInfo->packageName = mFdp.ConsumeRandomLengthString(kRandomStringMaxBytes); - windowInfo->inputConfig = mFdp.PickValueInArray(kFeatures); -} - -sp<SurfaceControl> SurfaceComposerClientFuzzer::makeSurfaceControl() { - sp<IBinder> handle; - const sp<FakeBnSurfaceComposerClient> testClient(new FakeBnSurfaceComposerClient()); - sp<SurfaceComposerClient> client = new SurfaceComposerClient(testClient); - sp<BnGraphicBufferProducer> producer; - uint32_t width = mFdp.ConsumeIntegral<uint32_t>(); - uint32_t height = mFdp.ConsumeIntegral<uint32_t>(); - uint32_t transformHint = mFdp.ConsumeIntegral<uint32_t>(); - uint32_t flags = mFdp.ConsumeIntegral<uint32_t>(); - int32_t format = mFdp.ConsumeIntegral<int32_t>(); - int32_t layerId = mFdp.ConsumeIntegral<int32_t>(); - std::string layerName = base::StringPrintf("#%d", layerId); - return new SurfaceControl(client, handle, layerId, layerName, width, height, format, - transformHint, flags); -} - -void SurfaceComposerClientFuzzer::invokeSurfaceComposerTransaction() { - sp<SurfaceControl> surface = makeSurfaceControl(); - - SurfaceComposerClient::Transaction transaction; - int32_t layer = mFdp.ConsumeIntegral<int32_t>(); - transaction.setLayer(surface, layer); - - sp<SurfaceControl> relativeSurface = makeSurfaceControl(); - transaction.setRelativeLayer(surface, relativeSurface, layer); - - Region transparentRegion(getRect(&mFdp)); - transaction.setTransparentRegionHint(surface, transparentRegion); - transaction.setAlpha(surface, mFdp.ConsumeFloatingPoint<float>()); - - transaction.setCornerRadius(surface, mFdp.ConsumeFloatingPoint<float>()); - transaction.setBackgroundBlurRadius(surface, mFdp.ConsumeFloatingPoint<float>()); - std::vector<BlurRegion> regions; - uint32_t vectorSize = mFdp.ConsumeIntegralInRange<uint32_t>(0, 100); - regions.resize(vectorSize); - for (size_t idx = 0; idx < vectorSize; ++idx) { - regions.push_back(getBlurRegion()); - } - transaction.setBlurRegions(surface, regions); - - transaction.setLayerStack(surface, {mFdp.ConsumeIntegral<uint32_t>()}); - half3 color = {mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(), - mFdp.ConsumeIntegral<uint32_t>()}; - transaction.setColor(surface, color); - transaction.setBackgroundColor(surface, color, mFdp.ConsumeFloatingPoint<float>(), - mFdp.PickValueInArray(kDataspaces)); - - transaction.setApi(surface, mFdp.ConsumeIntegral<int32_t>()); - transaction.setFrameRateSelectionPriority(surface, mFdp.ConsumeIntegral<int32_t>()); - transaction.setColorSpaceAgnostic(surface, mFdp.ConsumeBool() /*agnostic*/); - - gui::WindowInfo windowInfo; - getWindowInfo(&windowInfo); - transaction.setInputWindowInfo(surface, windowInfo); - Parcel windowParcel; - windowInfo.writeToParcel(&windowParcel); - windowParcel.setDataPosition(0); - windowInfo.readFromParcel(&windowParcel); - - windowInfo.addTouchableRegion(getRect(&mFdp)); - int32_t pointX = mFdp.ConsumeIntegral<int32_t>(); - int32_t pointY = mFdp.ConsumeIntegral<int32_t>(); - windowInfo.touchableRegionContainsPoint(pointX, pointY); - windowInfo.frameContainsPoint(pointX, pointY); - - Parcel transactionParcel; - transaction.writeToParcel(&transactionParcel); - transactionParcel.setDataPosition(0); - transaction.readFromParcel(&transactionParcel); - SurfaceComposerClient::Transaction::createFromParcel(&transactionParcel); -} - -void SurfaceComposerClientFuzzer::fuzzOnPullAtom() { - std::string outData; - bool success; - SurfaceComposerClient::onPullAtom(mFdp.ConsumeIntegral<int32_t>(), &outData, &success); -} - -void SurfaceComposerClientFuzzer::invokeSurfaceComposerClient() { - String8 displayName((mFdp.ConsumeRandomLengthString(kRandomStringMaxBytes)).c_str()); - sp<IBinder> displayToken = - SurfaceComposerClient::createDisplay(displayName, mFdp.ConsumeBool() /*secure*/); - SurfaceComposerClient::setDesiredDisplayModeSpecs(displayToken, getDisplayModeSpecs()); - - ui::ColorMode colorMode = mFdp.PickValueInArray(kColormodes); - SurfaceComposerClient::setActiveColorMode(displayToken, colorMode); - SurfaceComposerClient::setAutoLowLatencyMode(displayToken, mFdp.ConsumeBool() /*on*/); - SurfaceComposerClient::setGameContentType(displayToken, mFdp.ConsumeBool() /*on*/); - SurfaceComposerClient::setDisplayPowerMode(displayToken, mFdp.ConsumeIntegral<int32_t>()); - SurfaceComposerClient::doUncacheBufferTransaction(mFdp.ConsumeIntegral<uint64_t>()); - - SurfaceComposerClient::setDisplayBrightness(displayToken, getBrightness(&mFdp)); - aidl::android::hardware::power::Boost boostId = mFdp.PickValueInArray(kBoost); - SurfaceComposerClient::notifyPowerBoost((int32_t)boostId); - - String8 surfaceName((mFdp.ConsumeRandomLengthString(kRandomStringMaxBytes)).c_str()); - sp<BBinder> handle(new BBinder()); - sp<BnGraphicBufferProducer> producer; - sp<Surface> surfaceParent( - new Surface(producer, mFdp.ConsumeBool() /*controlledByApp*/, handle)); - - fuzzOnPullAtom(); - SurfaceComposerClient::setDisplayContentSamplingEnabled(displayToken, - mFdp.ConsumeBool() /*enable*/, - mFdp.ConsumeIntegral<uint8_t>(), - mFdp.ConsumeIntegral<uint64_t>()); - - sp<IBinder> stopLayerHandle; - sp<gui::IRegionSamplingListener> listener = sp<gui::IRegionSamplingListenerDefault>::make(); - sp<gui::IRegionSamplingListenerDelegator> sampleListener = - new gui::IRegionSamplingListenerDelegator(listener); - SurfaceComposerClient::addRegionSamplingListener(getRect(&mFdp), stopLayerHandle, - sampleListener); - sp<gui::IFpsListenerDefault> fpsListener; - SurfaceComposerClient::addFpsListener(mFdp.ConsumeIntegral<int32_t>(), fpsListener); -} - -void SurfaceComposerClientFuzzer::invokeSurfaceComposerClientBinder() { - sp<FakeBnSurfaceComposerClient> client(new FakeBnSurfaceComposerClient()); - fuzzService(client.get(), std::move(mFdp)); -} - -void SurfaceComposerClientFuzzer::process() { - invokeSurfaceComposerClient(); - invokeSurfaceComposerTransaction(); - invokeSurfaceComposerClientBinder(); -} - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { - SurfaceComposerClientFuzzer surfaceComposerClientFuzzer(data, size); - surfaceComposerClientFuzzer.process(); - return 0; -} diff --git a/libs/gui/fuzzer/libgui_surfaceComposer_fuzzer.cpp b/libs/gui/fuzzer/libgui_surfaceComposer_fuzzer.cpp deleted file mode 100644 index 6d5427bc9e..0000000000 --- a/libs/gui/fuzzer/libgui_surfaceComposer_fuzzer.cpp +++ /dev/null @@ -1,41 +0,0 @@ -/* - * Copyright 2021 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <fuzzbinder/libbinder_driver.h> -#include <fuzzer/FuzzedDataProvider.h> -#include <libgui_fuzzer_utils.h> - -using namespace android; - -class SurfaceComposerFuzzer { -public: - SurfaceComposerFuzzer(const uint8_t* data, size_t size) : mFdp(data, size){}; - void process(); - -private: - FuzzedDataProvider mFdp; -}; - -void SurfaceComposerFuzzer::process() { - sp<FakeBnSurfaceComposer> composer(new FakeBnSurfaceComposer()); - fuzzService(composer.get(), std::move(mFdp)); -} - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { - SurfaceComposerFuzzer surfaceComposerFuzzer(data, size); - surfaceComposerFuzzer.process(); - return 0; -} |