Merge changes Ide3d1dd5,I0d1cc5ba am: 4f7da88f

#include <iostream>

#include <iostream>

#include <android-base/logging.h>

#include <android-base/logging.h>

#include <binder/RpcSession.h>

#include <android/binder_auto_utils.h>

#include <android/binder_libbinder.h>

#include <fuzzbinder/random_parcel.h>

#include <fuzzbinder/random_parcel.h>

#include <fuzzer/FuzzedDataProvider.h>

#include <fuzzer/FuzzedDataProvider.h>

#include <sys/time.h>

#include <sys/time.h>

using android::fillRandomParcel;

using android::fillRandomParcel;

using android::RpcSession;

using android::sp;

using android::sp;

void fillRandomParcel(::android::hardware::Parcel* p, FuzzedDataProvider&& provider) {

void fillRandomParcel(::android::hardware::Parcel* p, FuzzedDataProvider&& provider) {

    fillRandomParcel(p->parcel(), std::move(provider));

    fillRandomParcel(p->parcel(), std::move(provider));

}

}

template <typename P, typename B>

void doTransactFuzz(const char* backend, const sp<B>& binder, FuzzedDataProvider&& provider) {

    uint32_t code = provider.ConsumeIntegral<uint32_t>();

    uint32_t flag = provider.ConsumeIntegral<uint32_t>();

    FUZZ_LOG() << "backend: " << backend;

    P reply;

    P data;

    fillRandomParcel(&data, std::move(provider));

    (void)binder->transact(code, data, &reply, flag);

}

template <typename P>

template <typename P>

void doFuzz(const char* backend, const std::vector<ParcelRead<P>>& reads,

void doReadFuzz(const char* backend, const std::vector<ParcelRead<P>>& reads,

                FuzzedDataProvider&& provider) {

                FuzzedDataProvider&& provider) {

    // Allow some majority of the bytes to be dedicated to telling us what to

    // Allow some majority of the bytes to be dedicated to telling us what to

    // do. The fixed value added here represents that we want to test doing a

    // do. The fixed value added here represents that we want to test doing a

            provider.ConsumeIntegralInRange<size_t>(0, maxInstructions));

            provider.ConsumeIntegralInRange<size_t>(0, maxInstructions));

    P p;

    P p;

    if constexpr (std::is_same_v<P, android::Parcel>) {

        if (provider.ConsumeBool()) {

            auto session = sp<RpcSession>::make();

            CHECK(session->addNullDebuggingClient());

            p.markForRpc(session);

            fillRandomParcelData(&p, std::move(provider));

        } else {

    fillRandomParcel(&p, std::move(provider));

    fillRandomParcel(&p, std::move(provider));

        }

    } else {

        fillRandomParcel(&p, std::move(provider));

    }

    // since we are only using a byte to index

    // since we are only using a byte to index

    CHECK(reads.size() <= 255) << reads.size();

    CHECK(reads.size() <= 255) << reads.size();

    }

    }

}

}

void* NothingClass_onCreate(void* args) {

    return args;

}

void NothingClass_onDestroy(void* /*userData*/) {}

binder_status_t NothingClass_onTransact(AIBinder*, transaction_code_t, const AParcel*, AParcel*) {

    return STATUS_UNKNOWN_ERROR;

}

static AIBinder_Class* kNothingClass =

        AIBinder_Class_define("nothing", NothingClass_onCreate, NothingClass_onDestroy,

                              NothingClass_onTransact);

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    if (size <= 1) return 0;  // no use

    if (size <= 1) return 0;  // no use

    FuzzedDataProvider provider = FuzzedDataProvider(data, size);

    FuzzedDataProvider provider = FuzzedDataProvider(data, size);

    const std::function<void(FuzzedDataProvider &&)> fuzzBackend[3] = {

    const std::function<void(FuzzedDataProvider &&)> fuzzBackend[] = {

            [](FuzzedDataProvider&& provider) {

                doTransactFuzz<

                        ::android::hardware::Parcel>("hwbinder",

                                                     sp<::android::hardware::BHwBinder>::make(),

                                                     std::move(provider));

            },

            [](FuzzedDataProvider&& provider) {

                doTransactFuzz<::android::Parcel>("binder", sp<::android::BBinder>::make(),

                                                  std::move(provider));

            },

            [](FuzzedDataProvider&& provider) {

                // fuzz from the libbinder layer since it's a superset of the

                // interface you get at the libbinder_ndk layer

                auto ndkBinder = ndk::SpAIBinder(AIBinder_new(kNothingClass, nullptr));

                auto binder = AIBinder_toPlatformBinder(ndkBinder.get());

                doTransactFuzz<::android::Parcel>("binder_ndk", binder, std::move(provider));

            },

            [](FuzzedDataProvider&& provider) {

            [](FuzzedDataProvider&& provider) {

                doFuzz<::android::hardware::Parcel>("hwbinder", HWBINDER_PARCEL_READ_FUNCTIONS,

                doReadFuzz<::android::hardware::Parcel>("hwbinder", HWBINDER_PARCEL_READ_FUNCTIONS,

                                                        std::move(provider));

                                                        std::move(provider));

            },

            },

            [](FuzzedDataProvider&& provider) {

            [](FuzzedDataProvider&& provider) {

                doFuzz<::android::Parcel>("binder", BINDER_PARCEL_READ_FUNCTIONS,

                doReadFuzz<::android::Parcel>("binder", BINDER_PARCEL_READ_FUNCTIONS,

                                              std::move(provider));

                                              std::move(provider));

            },

            },

            [](FuzzedDataProvider&& provider) {

            [](FuzzedDataProvider&& provider) {

                doFuzz<NdkParcelAdapter>("binder_ndk", BINDER_NDK_PARCEL_READ_FUNCTIONS,

                doReadFuzz<NdkParcelAdapter>("binder_ndk", BINDER_NDK_PARCEL_READ_FUNCTIONS,

                                             std::move(provider));

                                             std::move(provider));

            },

            },

    };

    };

#include <android-base/logging.h>

#include <android-base/logging.h>

#include <binder/IServiceManager.h>

#include <binder/IServiceManager.h>

#include <binder/RpcSession.h>

#include <fuzzbinder/random_fd.h>

#include <fuzzbinder/random_fd.h>

#include <utils/String16.h>

#include <utils/String16.h>

};

};

void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider) {

void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider) {

    if (provider.ConsumeBool()) {

        auto session = sp<RpcSession>::make();

        CHECK(session->addNullDebuggingClient());

        p->markForRpc(session);

        fillRandomParcelData(p, std::move(provider));

        return;

    }

    while (provider.remaining_bytes() > 0) {

    while (provider.remaining_bytes() > 0) {

        auto fillFunc = provider.PickValueInArray<const std::function<void()>>({

        auto fillFunc = provider.PickValueInArray<const std::function<void()>>({

                // write data

                // write data