Loading libutils/Android.bp +61 −0 Original line number Diff line number Diff line Loading @@ -205,6 +205,7 @@ cc_defaults { shared_libs: [ "libutils", "libbase", "liblog", ], } Loading Loading @@ -238,6 +239,66 @@ cc_fuzz { srcs: ["Vector_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_printer", defaults: ["libutils_fuzz_defaults"], srcs: ["Printer_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_callstack", defaults: ["libutils_fuzz_defaults"], srcs: ["CallStack_fuzz.cpp"], shared_libs: [ "libutilscallstack", ], } cc_fuzz { name: "libutils_fuzz_process_callstack", defaults: ["libutils_fuzz_defaults"], srcs: ["ProcessCallStack_fuzz.cpp"], shared_libs: [ "libutilscallstack", ], } cc_fuzz { name: "libutils_fuzz_stopwatch", defaults: ["libutils_fuzz_defaults"], srcs: ["StopWatch_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_propertymap", defaults: ["libutils_fuzz_defaults"], srcs: ["PropertyMap_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_rwlock", defaults: ["libutils_fuzz_defaults"], srcs: ["RWLock_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_refbase", defaults: ["libutils_fuzz_defaults"], srcs: ["RefBase_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_lrucache", defaults: ["libutils_fuzz_defaults"], srcs: ["LruCache_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_looper", defaults: ["libutils_fuzz_defaults"], srcs: ["Looper_fuzz.cpp"], } cc_test { name: "libutils_test", host_supported: true, Loading libutils/CallStack_fuzz.cpp 0 → 100644 +50 −0 Original line number Diff line number Diff line /* * Copyright 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <memory.h> #include "fuzzer/FuzzedDataProvider.h" #include "utils/CallStack.h" static constexpr int MAX_STRING_SIZE = 500; static constexpr int MAX_IGNORE_DEPTH = 200; extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { FuzzedDataProvider dataProvider(data, size); size_t ignoreDepth = dataProvider.ConsumeIntegralInRange<size_t>(0, MAX_IGNORE_DEPTH); int logPriority = dataProvider.ConsumeIntegral<int>(); pid_t tid = dataProvider.ConsumeIntegral<pid_t>(); std::string logTag = dataProvider.ConsumeRandomLengthString(MAX_STRING_SIZE); std::string prefix = dataProvider.ConsumeRandomLengthString(MAX_STRING_SIZE); const char* logTagChars = logTag.c_str(); const char* prefixChars = prefix.c_str(); android::CallStack::CallStackUPtr callStack = android::CallStack::getCurrent(ignoreDepth); android::CallStack* callstackPtr = callStack.get(); android::CallStack::logStack(logTagChars, callstackPtr, static_cast<android_LogPriority>(logPriority)); android::CallStack::stackToString(prefixChars); callstackPtr->log(logTagChars, static_cast<android_LogPriority>(logPriority), prefixChars); callstackPtr->clear(); callstackPtr->getCurrent(ignoreDepth); callstackPtr->log(logTagChars, static_cast<android_LogPriority>(logPriority), prefixChars); callstackPtr->update(ignoreDepth, tid); callstackPtr->log(logTagChars, static_cast<android_LogPriority>(logPriority), prefixChars); return 0; } libutils/Looper_fuzz.cpp 0 → 100644 +84 −0 Original line number Diff line number Diff line /* * Copyright 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <sys/select.h> #include <iostream> #include <utils/Looper.h> #include "Looper_test_pipe.h" #include "fuzzer/FuzzedDataProvider.h" using android::Looper; using android::sp; // We don't want this to bog down fuzzing static constexpr int MAX_POLL_DELAY = 50; static constexpr int MAX_OPERATIONS = 500; void doNothing() {} void* doNothingPointer = reinterpret_cast<void*>(doNothing); static int noopCallback(int, int, void*) { return 0; } std::vector<std::function<void(FuzzedDataProvider*, sp<Looper>, Pipe)>> operations = { [](FuzzedDataProvider* dataProvider, sp<Looper> looper, Pipe) -> void { looper->pollOnce(dataProvider->ConsumeIntegralInRange<int>(0, MAX_POLL_DELAY)); }, [](FuzzedDataProvider* dataProvider, sp<Looper> looper, Pipe) -> void { looper->pollAll(dataProvider->ConsumeIntegralInRange<int>(0, MAX_POLL_DELAY)); }, // events and callback are nullptr [](FuzzedDataProvider* dataProvider, sp<Looper> looper, Pipe pipeObj) -> void { looper->addFd(pipeObj.receiveFd, dataProvider->ConsumeIntegral<int>(), dataProvider->ConsumeIntegral<int>(), nullptr, nullptr); }, // Events is nullptr [](FuzzedDataProvider* dataProvider, sp<Looper> looper, Pipe pipeObj) -> void { looper->addFd(pipeObj.receiveFd, dataProvider->ConsumeIntegral<int>(), dataProvider->ConsumeIntegral<int>(), noopCallback, nullptr); }, // callback is nullptr [](FuzzedDataProvider* dataProvider, sp<Looper> looper, Pipe pipeObj) -> void { looper->addFd(pipeObj.receiveFd, dataProvider->ConsumeIntegral<int>(), dataProvider->ConsumeIntegral<int>(), nullptr, doNothingPointer); }, // callback and events both set [](FuzzedDataProvider* dataProvider, sp<Looper> looper, Pipe pipeObj) -> void { looper->addFd(pipeObj.receiveFd, dataProvider->ConsumeIntegral<int>(), dataProvider->ConsumeIntegral<int>(), noopCallback, doNothingPointer); }, [](FuzzedDataProvider*, sp<Looper> looper, Pipe) -> void { looper->wake(); }, [](FuzzedDataProvider*, sp<Looper>, Pipe pipeObj) -> void { pipeObj.writeSignal(); }}; extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { Pipe pipeObj; FuzzedDataProvider dataProvider(data, size); sp<Looper> looper = new Looper(dataProvider.ConsumeBool()); size_t opsRun = 0; while (dataProvider.remaining_bytes() > 0 && opsRun++ < MAX_OPERATIONS) { uint8_t op = dataProvider.ConsumeIntegralInRange<uint8_t>(0, operations.size() - 1); operations[op](&dataProvider, looper, pipeObj); } // Clear our pointer looper.clear(); return 0; } libutils/Looper_test.cpp +5 −39 Original line number Diff line number Diff line Loading @@ -2,12 +2,13 @@ // Copyright 2010 The Android Open Source Project // #include <utils/Looper.h> #include <utils/Timers.h> #include <utils/StopWatch.h> #include <gtest/gtest.h> #include <unistd.h> #include <time.h> #include <unistd.h> #include <utils/Looper.h> #include <utils/StopWatch.h> #include <utils/Timers.h> #include "Looper_test_pipe.h" #include <utils/threads.h> Loading @@ -24,41 +25,6 @@ enum { MSG_TEST4 = 4, }; class Pipe { public: int sendFd; int receiveFd; Pipe() { int fds[2]; ::pipe(fds); receiveFd = fds[0]; sendFd = fds[1]; } ~Pipe() { if (sendFd != -1) { ::close(sendFd); } if (receiveFd != -1) { ::close(receiveFd); } } status_t writeSignal() { ssize_t nWritten = ::write(sendFd, "*", 1); return nWritten == 1 ? 0 : -errno; } status_t readSignal() { char buf[1]; ssize_t nRead = ::read(receiveFd, buf, 1); return nRead == 1 ? 0 : nRead == 0 ? -EPIPE : -errno; } }; class DelayedTask : public Thread { int mDelayMillis; Loading libutils/Looper_test_pipe.h 0 → 100644 +55 −0 Original line number Diff line number Diff line /* * Copyright 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #pragma once #include <unistd.h> /** * A pipe class for use when testing or fuzzing Looper */ class Pipe { public: int sendFd; int receiveFd; Pipe() { int fds[2]; ::pipe(fds); receiveFd = fds[0]; sendFd = fds[1]; } ~Pipe() { if (sendFd != -1) { ::close(sendFd); } if (receiveFd != -1) { ::close(receiveFd); } } android::status_t writeSignal() { ssize_t nWritten = ::write(sendFd, "*", 1); return nWritten == 1 ? 0 : -errno; } android::status_t readSignal() { char buf[1]; ssize_t nRead = ::read(receiveFd, buf, 1); return nRead == 1 ? 0 : nRead == 0 ? -EPIPE : -errno; } }; Loading
libutils/Android.bp +61 −0 Original line number Diff line number Diff line Loading @@ -205,6 +205,7 @@ cc_defaults { shared_libs: [ "libutils", "libbase", "liblog", ], } Loading Loading @@ -238,6 +239,66 @@ cc_fuzz { srcs: ["Vector_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_printer", defaults: ["libutils_fuzz_defaults"], srcs: ["Printer_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_callstack", defaults: ["libutils_fuzz_defaults"], srcs: ["CallStack_fuzz.cpp"], shared_libs: [ "libutilscallstack", ], } cc_fuzz { name: "libutils_fuzz_process_callstack", defaults: ["libutils_fuzz_defaults"], srcs: ["ProcessCallStack_fuzz.cpp"], shared_libs: [ "libutilscallstack", ], } cc_fuzz { name: "libutils_fuzz_stopwatch", defaults: ["libutils_fuzz_defaults"], srcs: ["StopWatch_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_propertymap", defaults: ["libutils_fuzz_defaults"], srcs: ["PropertyMap_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_rwlock", defaults: ["libutils_fuzz_defaults"], srcs: ["RWLock_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_refbase", defaults: ["libutils_fuzz_defaults"], srcs: ["RefBase_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_lrucache", defaults: ["libutils_fuzz_defaults"], srcs: ["LruCache_fuzz.cpp"], } cc_fuzz { name: "libutils_fuzz_looper", defaults: ["libutils_fuzz_defaults"], srcs: ["Looper_fuzz.cpp"], } cc_test { name: "libutils_test", host_supported: true, Loading
libutils/CallStack_fuzz.cpp 0 → 100644 +50 −0 Original line number Diff line number Diff line /* * Copyright 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <memory.h> #include "fuzzer/FuzzedDataProvider.h" #include "utils/CallStack.h" static constexpr int MAX_STRING_SIZE = 500; static constexpr int MAX_IGNORE_DEPTH = 200; extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { FuzzedDataProvider dataProvider(data, size); size_t ignoreDepth = dataProvider.ConsumeIntegralInRange<size_t>(0, MAX_IGNORE_DEPTH); int logPriority = dataProvider.ConsumeIntegral<int>(); pid_t tid = dataProvider.ConsumeIntegral<pid_t>(); std::string logTag = dataProvider.ConsumeRandomLengthString(MAX_STRING_SIZE); std::string prefix = dataProvider.ConsumeRandomLengthString(MAX_STRING_SIZE); const char* logTagChars = logTag.c_str(); const char* prefixChars = prefix.c_str(); android::CallStack::CallStackUPtr callStack = android::CallStack::getCurrent(ignoreDepth); android::CallStack* callstackPtr = callStack.get(); android::CallStack::logStack(logTagChars, callstackPtr, static_cast<android_LogPriority>(logPriority)); android::CallStack::stackToString(prefixChars); callstackPtr->log(logTagChars, static_cast<android_LogPriority>(logPriority), prefixChars); callstackPtr->clear(); callstackPtr->getCurrent(ignoreDepth); callstackPtr->log(logTagChars, static_cast<android_LogPriority>(logPriority), prefixChars); callstackPtr->update(ignoreDepth, tid); callstackPtr->log(logTagChars, static_cast<android_LogPriority>(logPriority), prefixChars); return 0; }
libutils/Looper_fuzz.cpp 0 → 100644 +84 −0 Original line number Diff line number Diff line /* * Copyright 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <sys/select.h> #include <iostream> #include <utils/Looper.h> #include "Looper_test_pipe.h" #include "fuzzer/FuzzedDataProvider.h" using android::Looper; using android::sp; // We don't want this to bog down fuzzing static constexpr int MAX_POLL_DELAY = 50; static constexpr int MAX_OPERATIONS = 500; void doNothing() {} void* doNothingPointer = reinterpret_cast<void*>(doNothing); static int noopCallback(int, int, void*) { return 0; } std::vector<std::function<void(FuzzedDataProvider*, sp<Looper>, Pipe)>> operations = { [](FuzzedDataProvider* dataProvider, sp<Looper> looper, Pipe) -> void { looper->pollOnce(dataProvider->ConsumeIntegralInRange<int>(0, MAX_POLL_DELAY)); }, [](FuzzedDataProvider* dataProvider, sp<Looper> looper, Pipe) -> void { looper->pollAll(dataProvider->ConsumeIntegralInRange<int>(0, MAX_POLL_DELAY)); }, // events and callback are nullptr [](FuzzedDataProvider* dataProvider, sp<Looper> looper, Pipe pipeObj) -> void { looper->addFd(pipeObj.receiveFd, dataProvider->ConsumeIntegral<int>(), dataProvider->ConsumeIntegral<int>(), nullptr, nullptr); }, // Events is nullptr [](FuzzedDataProvider* dataProvider, sp<Looper> looper, Pipe pipeObj) -> void { looper->addFd(pipeObj.receiveFd, dataProvider->ConsumeIntegral<int>(), dataProvider->ConsumeIntegral<int>(), noopCallback, nullptr); }, // callback is nullptr [](FuzzedDataProvider* dataProvider, sp<Looper> looper, Pipe pipeObj) -> void { looper->addFd(pipeObj.receiveFd, dataProvider->ConsumeIntegral<int>(), dataProvider->ConsumeIntegral<int>(), nullptr, doNothingPointer); }, // callback and events both set [](FuzzedDataProvider* dataProvider, sp<Looper> looper, Pipe pipeObj) -> void { looper->addFd(pipeObj.receiveFd, dataProvider->ConsumeIntegral<int>(), dataProvider->ConsumeIntegral<int>(), noopCallback, doNothingPointer); }, [](FuzzedDataProvider*, sp<Looper> looper, Pipe) -> void { looper->wake(); }, [](FuzzedDataProvider*, sp<Looper>, Pipe pipeObj) -> void { pipeObj.writeSignal(); }}; extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { Pipe pipeObj; FuzzedDataProvider dataProvider(data, size); sp<Looper> looper = new Looper(dataProvider.ConsumeBool()); size_t opsRun = 0; while (dataProvider.remaining_bytes() > 0 && opsRun++ < MAX_OPERATIONS) { uint8_t op = dataProvider.ConsumeIntegralInRange<uint8_t>(0, operations.size() - 1); operations[op](&dataProvider, looper, pipeObj); } // Clear our pointer looper.clear(); return 0; }
libutils/Looper_test.cpp +5 −39 Original line number Diff line number Diff line Loading @@ -2,12 +2,13 @@ // Copyright 2010 The Android Open Source Project // #include <utils/Looper.h> #include <utils/Timers.h> #include <utils/StopWatch.h> #include <gtest/gtest.h> #include <unistd.h> #include <time.h> #include <unistd.h> #include <utils/Looper.h> #include <utils/StopWatch.h> #include <utils/Timers.h> #include "Looper_test_pipe.h" #include <utils/threads.h> Loading @@ -24,41 +25,6 @@ enum { MSG_TEST4 = 4, }; class Pipe { public: int sendFd; int receiveFd; Pipe() { int fds[2]; ::pipe(fds); receiveFd = fds[0]; sendFd = fds[1]; } ~Pipe() { if (sendFd != -1) { ::close(sendFd); } if (receiveFd != -1) { ::close(receiveFd); } } status_t writeSignal() { ssize_t nWritten = ::write(sendFd, "*", 1); return nWritten == 1 ? 0 : -errno; } status_t readSignal() { char buf[1]; ssize_t nRead = ::read(receiveFd, buf, 1); return nRead == 1 ? 0 : nRead == 0 ? -EPIPE : -errno; } }; class DelayedTask : public Thread { int mDelayMillis; Loading
libutils/Looper_test_pipe.h 0 → 100644 +55 −0 Original line number Diff line number Diff line /* * Copyright 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #pragma once #include <unistd.h> /** * A pipe class for use when testing or fuzzing Looper */ class Pipe { public: int sendFd; int receiveFd; Pipe() { int fds[2]; ::pipe(fds); receiveFd = fds[0]; sendFd = fds[1]; } ~Pipe() { if (sendFd != -1) { ::close(sendFd); } if (receiveFd != -1) { ::close(receiveFd); } } android::status_t writeSignal() { ssize_t nWritten = ::write(sendFd, "*", 1); return nWritten == 1 ? 0 : -errno; } android::status_t readSignal() { char buf[1]; ssize_t nRead = ::read(receiveFd, buf, 1); return nRead == 1 ? 0 : nRead == 0 ? -EPIPE : -errno; } };
