Added libgui_surfaceComposerClient_fuzzer (0cf30457) · Commits · e / os / platform_frameworks_native

libs/gui/fuzzer/Android.bp

+10 −0

Original line number	Diff line number	Diff line
		@@ -85,3 +85,13 @@ cc_fuzz {
		"libgui_fuzzer_defaults",
		],
		}

		cc_fuzz {
		name: "libgui_surfaceComposerClient_fuzzer",
		srcs: [
		"libgui_surfaceComposerClient_fuzzer.cpp",
		],
		defaults: [
		"libgui_fuzzer_defaults",
		],
		}

libs/gui/fuzzer/README.md

+59 −0

Original line number	Diff line number	Diff line
		@@ -2,6 +2,7 @@

		## Table of contents
		+ [libgui_surfaceComposer_fuzzer](#SurfaceComposer)
		+ [libgui_surfaceComposerClient_fuzzer](#SurfaceComposerClient)

		# <a name="libgui_surfaceComposer_fuzzer"></a> Fuzzer for SurfaceComposer

		@@ -40,3 +41,61 @@ SurfaceComposer supports the following parameters:
		$ adb sync data
		$ adb shell /data/fuzz/arm64/libgui_surfaceComposer_fuzzer/libgui_surfaceComposer_fuzzer
		```

		# <a name="libgui_surfaceComposerClient_fuzzer"></a> Fuzzer for SurfaceComposerClient

		SurfaceComposerClient supports the following data sources:
		1. SurfaceWidth (parameter name:`width`)
		2. SurfaceHeight (parameter name:`height`)
		3. TransactionStateFlags (parameter name:`flags`)
		4. TransformHint (parameter name:`outTransformHint`)
		5. SurfacePixelFormat (parameter name:`format`)
		6. LayerId (parameter name:`outLayerId`)
		7. SurfaceComposerClientTags (parameter name:`surfaceTag`)
		8. DefaultMode (parameter name:`defaultMode`)
		9. PrimaryRefreshRateMin (parameter name:`primaryRefreshRateMin`)
		10. PrimaryRefreshRateMax (parameter name:`primaryRefreshRateMax`)
		11. AppRefreshRateMin (parameter name:`appRefreshRateMin`)
		12. AppRefreshRateMax (parameter name:`appRefreshRateMax`)
		13. DisplayPowerMode (parameter name:`mode`)
		14. CacheId (parameter name:`cacheId`)
		15. DisplayBrightness (parameter name:`brightness`)
		16. PowerBoostID (parameter name:`boostId`)
		17. AtomId (parameter name:`atomId`)
		18. ComponentMask (parameter name:`componentMask`)
		19. MaxFrames (parameter name:`maxFrames`)
		20. TaskId (parameter name:`taskId`)
		21. Alpha (parameter name:`aplha`)
		22. CornerRadius (parameter name:`cornerRadius`)
		23. BackgroundBlurRadius (parameter name:`backgroundBlurRadius`)
		24. Half3Color (parameter name:`color`)
		25. LayerStack (parameter name:`layerStack`)
		26. Dataspace (parameter name:`dataspace`)
		27. Api (parameter name:`api`)
		28. Priority (parameter name:`priority`)
		29. TouchableRegionPointX (parameter name:`pointX`)
		30. TouchableRegionPointY (parameter name:`pointY`)
		31. ColorMode (parameter name:`colorMode`)
		32. WindowInfoFlags (parameter name:`flags`)
		33. WindowInfoTransformOrientation (parameter name:`transform`)

		\| Parameter\| Valid Values\| Configured Value\|
		\|------------- \|-------------\| ----- \|
		\|`surfaceTag`\| 0.`Tag::CREATE_SURFACE`, 1.`Tag::CREATE_WITH_SURFACE_PARENT`, 2.`Tag::CLEAR_LAYER_FRAME_STATS`, 3.`Tag::GET_LAYER_FRAME_STATS`, 4.`Tag::MIRROR_SURFACE`, 5.`Tag::LAST` \|Value obtained from FuzzedDataProvider\|
		\|`mode`\| 0.`gui::TouchOcclusionMode::BLOCK_UNTRUSTED`, 1.`gui::TouchOcclusionMode::USE_OPACITY`, 2.`gui::TouchOcclusionMode::ALLOW` \|Value obtained from FuzzedDataProvider\|
		\|`boostId`\| 0.`hardware::power::Boost::INTERACTION`, 1.`hardware::power::Boost::DISPLAY_UPDATE_IMMINENT`, 2.`hardware::power::Boost::ML_ACC`, 3.`hardware::power::Boost::AUDIO_LAUNCH`, 4.`hardware::power::Boost::CAMERA_LAUNCH`, 5.`hardware::power::Boost::CAMERA_SHOT` \|Value obtained from FuzzedDataProvider\|
		\|`colorMode`\|0.`ui::ColorMode::NATIVE`, 1.`ui::ColorMode::STANDARD_BT601_625`, 2.`ui::ColorMode::STANDARD_BT601_625_UNADJUSTED`, 3.`ui::ColorMode::STANDARD_BT601_525`, 4.`ui::ColorMode::STANDARD_BT601_525_UNADJUSTED`, 5.`ui::ColorMode::STANDARD_BT709`, 6.`ui::ColorMode::DCI_P3`, 7.`ui::ColorMode::SRGB`, 8.`ui::ColorMode::ADOBE_RGB`, 9.`ui::ColorMode::DISPLAY_P3`, 10.`ui::ColorMode::BT2020`, 11.`ui::ColorMode::BT2100_PQ`, 12.`ui::ColorMode::BT2100_HLG`, 13.`ui::ColorMode::DISPLAY_BT2020` \|Value obtained from FuzzedDataProvider\|
		\|`flags`\|0 .`gui::WindowInfo::Flag::ALLOW_LOCK_WHILE_SCREEN_ON`, 1.`gui::WindowInfo::Flag::DIM_BEHIND`, 2.`gui::WindowInfo::Flag::BLUR_BEHIND`, 3.`gui::WindowInfo::Flag::NOT_FOCUSABLE`, 4.`gui::WindowInfo::Flag::NOT_TOUCHABLE`, 5.`gui::WindowInfo::Flag::NOT_TOUCH_MODAL`, 6.`gui::WindowInfo::Flag::TOUCHABLE_WHEN_WAKING`, 7.`gui::WindowInfo::Flag::KEEP_SCREEN_ON`, 8.`gui::WindowInfo::Flag::LAYOUT_IN_SCREEN`, 9.`gui::WindowInfo::Flag::LAYOUT_NO_LIMITS`, 10.`gui::WindowInfo::Flag::FULLSCREEN`, 11.`gui::WindowInfo::Flag::FORCE_NOT_FULLSCREEN`, 12.`gui::WindowInfo::Flag::DITHER`, 13.`gui::WindowInfo::Flag::SECURE`, 14.`gui::WindowInfo::Flag::SCALED`, 15.`gui::WindowInfo::Flag::IGNORE_CHEEK_PRESSES`, 16.`gui::WindowInfo::Flag::LAYOUT_INSET_DECOR`, 17.`gui::WindowInfo::Flag::ALT_FOCUSABLE_IM`, 18.`gui::WindowInfo::Flag::WATCH_OUTSIDE_TOUCH`, 19.`gui::WindowInfo::Flag::SHOW_WHEN_LOCKED`, 20.`gui::WindowInfo::Flag::SHOW_WALLPAPER`, 21.`gui::WindowInfo::Flag::TURN_SCREEN_ON`, 22.`gui::WindowInfo::Flag::DISMISS_KEYGUARD`, 23.`gui::WindowInfo::Flag::SPLIT_TOUCH`, 24.`gui::WindowInfo::Flag::HARDWARE_ACCELERATED`, 25.`gui::WindowInfo::Flag::LAYOUT_IN_OVERSCAN`, 26.`gui::WindowInfo::Flag::TRANSLUCENT_STATUS`, 27.`gui::WindowInfo::Flag::TRANSLUCENT_NAVIGATION`, 28.`gui::WindowInfo::Flag::LOCAL_FOCUS_MODE`, 29.`gui::WindowInfo::Flag::SLIPPERY`, 30.`gui::WindowInfo::Flag::LAYOUT_ATTACHED_IN_DECOR`, 31.`gui::WindowInfo::Flag::DRAWS_SYSTEM_BAR_BACKGROUNDS`, \|Value obtained from FuzzedDataProvider\|
		\|`dataspace`\| 0.`ui::Dataspace::UNKNOWN`, 1.`ui::Dataspace::ARBITRARY`, 2.`ui::Dataspace::STANDARD_SHIFT`, 3.`ui::Dataspace::STANDARD_MASK`, 4.`ui::Dataspace::STANDARD_UNSPECIFIED`, 5.`ui::Dataspace::STANDARD_BT709`, 6.`ui::Dataspace::STANDARD_BT601_625`, 7.`ui::Dataspace::STANDARD_BT601_625_UNADJUSTED`, 8.`ui::Dataspace::STANDARD_BT601_525`, 9.`ui::Dataspace::STANDARD_BT601_525_UNADJUSTED`, 10.`ui::Dataspace::STANDARD_BT2020`, 11.`ui::Dataspace::STANDARD_BT2020_CONSTANT_LUMINANCE`, 12.`ui::Dataspace::STANDARD_BT470M`, 13.`ui::Dataspace::STANDARD_FILM`, 14.`ui::Dataspace::STANDARD_DCI_P3`, 15.`ui::Dataspace::STANDARD_ADOBE_RGB`, 16.`ui::Dataspace::TRANSFER_SHIFT`, 17.`ui::Dataspace::TRANSFER_MASK`, 18.`ui::Dataspace::TRANSFER_UNSPECIFIED`, 19.`ui::Dataspace::TRANSFER_LINEAR`, 20.`ui::Dataspace::TRANSFER_SRGB`, 21.`ui::Dataspace::TRANSFER_SMPTE_170M`, 22.`ui::Dataspace::TRANSFER_GAMMA2_2`, 23.`ui::Dataspace::TRANSFER_GAMMA2_6`, 24.`ui::Dataspace::TRANSFER_GAMMA2_8`, 25.`ui::Dataspace::TRANSFER_ST2084`, 26.`ui::Dataspace::TRANSFER_HLG`, 27.`ui::Dataspace::RANGE_SHIFT`, 28.`ui::Dataspace::RANGE_MASK`, 29.`ui::Dataspace::RANGE_UNSPECIFIED`, 30.`ui::Dataspace::RANGE_FULL`, 31.`ui::Dataspace::RANGE_LIMITED`, 32.`ui::Dataspace::RANGE_EXTENDED`, 33.`ui::Dataspace::SRGB_LINEAR`, 34.`ui::Dataspace::V0_SRGB_LINEAR`, 35.`ui::Dataspace::V0_SCRGB_LINEAR`, 36.`ui::Dataspace::SRGB`, 37.`ui::Dataspace::V0_SRGB`, 38.`ui::Dataspace::V0_SCRGB`, 39.`ui::Dataspace::JFIF`, 40.`ui::Dataspace::V0_JFIF`, 41.`ui::Dataspace::BT601_625`, 42.`ui::Dataspace::V0_BT601_625`, 43.`ui::Dataspace::BT601_525`, 44.`ui::Dataspace::V0_BT601_525`, 45.`ui::Dataspace::BT709`, 46.`ui::Dataspace::V0_BT709`, 47.`ui::Dataspace::DCI_P3_LINEAR`, 48.`ui::Dataspace::DCI_P3`, 49.`ui::Dataspace::DISPLAY_P3_LINEAR`, 50.`ui::Dataspace::DISPLAY_P3`, 51.`ui::Dataspace::ADOBE_RGB`, 52.`ui::Dataspace::BT2020_LINEAR`, 53.`ui::Dataspace::BT2020`, 54.`ui::Dataspace::BT2020_PQ`, 55.`ui::Dataspace::DEPTH`, 56.`ui::Dataspace::SENSOR`, 57.`ui::Dataspace::BT2020_ITU`, 58.`ui::Dataspace::BT2020_ITU_PQ`, 59.`ui::Dataspace::BT2020_ITU_HLG`, 60.`ui::Dataspace::BT2020_HLG`, 61.`ui::Dataspace::DISPLAY_BT2020`, 62.`ui::Dataspace::DYNAMIC_DEPTH`, 63.`ui::Dataspace::JPEG_APP_SEGMENTS`, 64.`ui::Dataspace::HEIF`, \|Value obtained from FuzzedDataProvider\|
		\|`transform`\| 0.`ui::Transform::ROT_0`, 1.`ui::Transform::FLIP_H`, 2.`ui::Transform::FLIP_V`, 3.`ui::Transform::ROT_90`, 4.`ui::Transform::ROT_180`, 5.`ui::Transform::ROT_270` \|Value obtained from FuzzedDataProvider\|

		#### Steps to run
		1. Build the fuzzer
		```
		$ mm -j$(nproc) libgui_surfaceComposerClient_fuzzer
		```
		2. To run on device
		```
		$ adb sync data
		$ adb shell /data/fuzz/arm64/libgui_surfaceComposerClient_fuzzer/libgui_surfaceComposerClient_fuzzer
		```

libs/gui/fuzzer/libgui_surfaceComposerClient_fuzzer.cpp

0 → 100644

+308 −0

Original line number	Diff line number	Diff line
		/*
		* Copyright 2022 The Android Open Source Project
		*
		* Licensed under the Apache License, Version 2.0 (the "License");
		* you may not use this file except in compliance with the License.
		* You may obtain a copy of the License at
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*/
		#include <android/hardware/power/Boost.h>
		#include <fuzzbinder/libbinder_driver.h>
		#include <gui/Surface.h>
		#include <gui/SurfaceComposerClient.h>
		#include <libgui_fuzzer_utils.h>

		using namespace android;

		constexpr int32_t kRandomStringMaxBytes = 256;

		constexpr ui::ColorMode kColormodes[] = {ui::ColorMode::NATIVE,
		ui::ColorMode::STANDARD_BT601_625,
		ui::ColorMode::STANDARD_BT601_625_UNADJUSTED,
		ui::ColorMode::STANDARD_BT601_525,
		ui::ColorMode::STANDARD_BT601_525_UNADJUSTED,
		ui::ColorMode::STANDARD_BT709,
		ui::ColorMode::DCI_P3,
		ui::ColorMode::SRGB,
		ui::ColorMode::ADOBE_RGB,
		ui::ColorMode::DISPLAY_P3,
		ui::ColorMode::BT2020,
		ui::ColorMode::BT2100_PQ,
		ui::ColorMode::BT2100_HLG,
		ui::ColorMode::DISPLAY_BT2020};

		constexpr hardware::power::Boost kBoost[] = {
		hardware::power::Boost::INTERACTION, hardware::power::Boost::DISPLAY_UPDATE_IMMINENT,
		hardware::power::Boost::ML_ACC, hardware::power::Boost::AUDIO_LAUNCH,
		hardware::power::Boost::CAMERA_LAUNCH, hardware::power::Boost::CAMERA_SHOT,
		};

		constexpr gui::TouchOcclusionMode kMode[] = {
		gui::TouchOcclusionMode::BLOCK_UNTRUSTED,
		gui::TouchOcclusionMode::USE_OPACITY,
		gui::TouchOcclusionMode::ALLOW,
		};

		constexpr gui::WindowInfo::Flag kFlags[] = {
		gui::WindowInfo::Flag::ALLOW_LOCK_WHILE_SCREEN_ON,
		gui::WindowInfo::Flag::DIM_BEHIND,
		gui::WindowInfo::Flag::BLUR_BEHIND,
		gui::WindowInfo::Flag::NOT_FOCUSABLE,
		gui::WindowInfo::Flag::NOT_TOUCHABLE,
		gui::WindowInfo::Flag::NOT_TOUCH_MODAL,
		gui::WindowInfo::Flag::TOUCHABLE_WHEN_WAKING,
		gui::WindowInfo::Flag::KEEP_SCREEN_ON,
		gui::WindowInfo::Flag::LAYOUT_IN_SCREEN,
		gui::WindowInfo::Flag::LAYOUT_NO_LIMITS,
		gui::WindowInfo::Flag::FULLSCREEN,
		gui::WindowInfo::Flag::FORCE_NOT_FULLSCREEN,
		gui::WindowInfo::Flag::DITHER,
		gui::WindowInfo::Flag::SECURE,
		gui::WindowInfo::Flag::SCALED,
		gui::WindowInfo::Flag::IGNORE_CHEEK_PRESSES,
		gui::WindowInfo::Flag::LAYOUT_INSET_DECOR,
		gui::WindowInfo::Flag::ALT_FOCUSABLE_IM,
		gui::WindowInfo::Flag::WATCH_OUTSIDE_TOUCH,
		gui::WindowInfo::Flag::SHOW_WHEN_LOCKED,
		gui::WindowInfo::Flag::SHOW_WALLPAPER,
		gui::WindowInfo::Flag::TURN_SCREEN_ON,
		gui::WindowInfo::Flag::DISMISS_KEYGUARD,
		gui::WindowInfo::Flag::SPLIT_TOUCH,
		gui::WindowInfo::Flag::HARDWARE_ACCELERATED,
		gui::WindowInfo::Flag::LAYOUT_IN_OVERSCAN,
		gui::WindowInfo::Flag::TRANSLUCENT_STATUS,
		gui::WindowInfo::Flag::TRANSLUCENT_NAVIGATION,
		gui::WindowInfo::Flag::LOCAL_FOCUS_MODE,
		gui::WindowInfo::Flag::SLIPPERY,
		gui::WindowInfo::Flag::LAYOUT_ATTACHED_IN_DECOR,
		gui::WindowInfo::Flag::DRAWS_SYSTEM_BAR_BACKGROUNDS,
		};

		constexpr gui::WindowInfo::Type kType[] = {
		gui::WindowInfo::Type::UNKNOWN,
		gui::WindowInfo::Type::FIRST_APPLICATION_WINDOW,
		gui::WindowInfo::Type::BASE_APPLICATION,
		gui::WindowInfo::Type::APPLICATION,
		gui::WindowInfo::Type::APPLICATION_STARTING,
		gui::WindowInfo::Type::LAST_APPLICATION_WINDOW,
		gui::WindowInfo::Type::FIRST_SUB_WINDOW,
		gui::WindowInfo::Type::APPLICATION_PANEL,
		gui::WindowInfo::Type::APPLICATION_MEDIA,
		gui::WindowInfo::Type::APPLICATION_SUB_PANEL,
		gui::WindowInfo::Type::APPLICATION_ATTACHED_DIALOG,
		gui::WindowInfo::Type::APPLICATION_MEDIA_OVERLAY,
		};

		constexpr gui::WindowInfo::InputConfig kFeatures[] = {
		gui::WindowInfo::InputConfig::NO_INPUT_CHANNEL,
		gui::WindowInfo::InputConfig::DISABLE_USER_ACTIVITY,
		gui::WindowInfo::InputConfig::DROP_INPUT,
		gui::WindowInfo::InputConfig::DROP_INPUT_IF_OBSCURED,
		gui::WindowInfo::InputConfig::SPY,
		gui::WindowInfo::InputConfig::INTERCEPTS_STYLUS,
		};

		class SurfaceComposerClientFuzzer {
		public:
		SurfaceComposerClientFuzzer(const uint8_t* data, size_t size) : mFdp(data, size){};
		void process();

		private:
		void invokeSurfaceComposerClient();
		void invokeSurfaceComposerClientBinder();
		void invokeSurfaceComposerTransaction();
		void getWindowInfo(gui::WindowInfo*);
		sp<SurfaceControl> makeSurfaceControl();
		BlurRegion getBlurRegion();
		void fuzzOnPullAtom();

		FuzzedDataProvider mFdp;
		};

		BlurRegion SurfaceComposerClientFuzzer::getBlurRegion() {
		int32_t left = mFdp.ConsumeIntegral<int32_t>();
		int32_t right = mFdp.ConsumeIntegral<int32_t>();
		int32_t top = mFdp.ConsumeIntegral<int32_t>();
		int32_t bottom = mFdp.ConsumeIntegral<int32_t>();
		uint32_t blurRadius = mFdp.ConsumeIntegral<uint32_t>();
		float alpha = mFdp.ConsumeFloatingPoint<float>();
		float cornerRadiusTL = mFdp.ConsumeFloatingPoint<float>();
		float cornerRadiusTR = mFdp.ConsumeFloatingPoint<float>();
		float cornerRadiusBL = mFdp.ConsumeFloatingPoint<float>();
		float cornerRadiusBR = mFdp.ConsumeFloatingPoint<float>();
		return BlurRegion{blurRadius, cornerRadiusTL, cornerRadiusTR, cornerRadiusBL,
		cornerRadiusBR, alpha, left, top,
		right, bottom};
		}

		void SurfaceComposerClientFuzzer::getWindowInfo(gui::WindowInfo* windowInfo) {
		windowInfo->id = mFdp.ConsumeIntegral<int32_t>();
		windowInfo->name = mFdp.ConsumeRandomLengthString(kRandomStringMaxBytes);
		windowInfo->layoutParamsFlags = mFdp.PickValueInArray(kFlags);
		windowInfo->layoutParamsType = mFdp.PickValueInArray(kType);
		windowInfo->frameLeft = mFdp.ConsumeIntegral<int32_t>();
		windowInfo->frameTop = mFdp.ConsumeIntegral<int32_t>();
		windowInfo->frameRight = mFdp.ConsumeIntegral<int32_t>();
		windowInfo->frameBottom = mFdp.ConsumeIntegral<int32_t>();
		windowInfo->surfaceInset = mFdp.ConsumeIntegral<int32_t>();
		windowInfo->alpha = mFdp.ConsumeFloatingPointInRange<float>(0, 1);
		ui::Transform transform(mFdp.PickValueInArray(kOrientation));
		windowInfo->transform = transform;
		windowInfo->touchableRegion = Region(getRect(&mFdp));
		windowInfo->replaceTouchableRegionWithCrop = mFdp.ConsumeBool();
		windowInfo->touchOcclusionMode = mFdp.PickValueInArray(kMode);
		windowInfo->ownerPid = mFdp.ConsumeIntegral<int32_t>();
		windowInfo->ownerUid = mFdp.ConsumeIntegral<int32_t>();
		windowInfo->packageName = mFdp.ConsumeRandomLengthString(kRandomStringMaxBytes);
		windowInfo->inputConfig = mFdp.PickValueInArray(kFeatures);
		}

		sp<SurfaceControl> SurfaceComposerClientFuzzer::makeSurfaceControl() {
		sp<IBinder> handle;
		const sp<FakeBnSurfaceComposerClient> testClient(new FakeBnSurfaceComposerClient());
		sp<SurfaceComposerClient> client = new SurfaceComposerClient(testClient);
		sp<BnGraphicBufferProducer> producer;
		uint32_t width = mFdp.ConsumeIntegral<uint32_t>();
		uint32_t height = mFdp.ConsumeIntegral<uint32_t>();
		uint32_t transformHint = mFdp.ConsumeIntegral<uint32_t>();
		uint32_t flags = mFdp.ConsumeIntegral<uint32_t>();
		int32_t format = mFdp.ConsumeIntegral<int32_t>();
		int32_t layerId = mFdp.ConsumeIntegral<int32_t>();
		return new SurfaceControl(client, handle, layerId, width, height, format, transformHint, flags);
		}

		void SurfaceComposerClientFuzzer::invokeSurfaceComposerTransaction() {
		sp<SurfaceControl> surface = makeSurfaceControl();

		SurfaceComposerClient::Transaction transaction;
		transaction.setSize(surface, mFdp.ConsumeIntegral<uint32_t>(),
		mFdp.ConsumeIntegral<uint32_t>());
		int32_t layer = mFdp.ConsumeIntegral<int32_t>();
		transaction.setLayer(surface, layer);

		sp<SurfaceControl> relativeSurface = makeSurfaceControl();
		transaction.setRelativeLayer(surface, relativeSurface, layer);

		Region transparentRegion(getRect(&mFdp));
		transaction.setTransparentRegionHint(surface, transparentRegion);
		transaction.setAlpha(surface, mFdp.ConsumeFloatingPoint<float>());

		transaction.setCornerRadius(surface, mFdp.ConsumeFloatingPoint<float>());
		transaction.setBackgroundBlurRadius(surface, mFdp.ConsumeFloatingPoint<float>());
		std::vector<BlurRegion> regions;
		uint32_t vectorSize = mFdp.ConsumeIntegralInRange<uint32_t>(0, 100);
		regions.resize(vectorSize);
		for (size_t idx = 0; idx < vectorSize; ++idx) {
		regions.push_back(getBlurRegion());
		}
		transaction.setBlurRegions(surface, regions);

		transaction.setLayerStack(surface, {mFdp.ConsumeIntegral<uint32_t>()});
		half3 color = {mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(),
		mFdp.ConsumeIntegral<uint32_t>()};
		transaction.setColor(surface, color);
		transaction.setBackgroundColor(surface, color, mFdp.ConsumeFloatingPoint<float>(),
		mFdp.PickValueInArray(kDataspaces));

		transaction.setApi(surface, mFdp.ConsumeIntegral<int32_t>());
		transaction.setFrameRateSelectionPriority(surface, mFdp.ConsumeIntegral<int32_t>());
		transaction.setColorSpaceAgnostic(surface, mFdp.ConsumeBool() /agnostic/);

		gui::WindowInfo windowInfo;
		getWindowInfo(&windowInfo);
		transaction.setInputWindowInfo(surface, windowInfo);
		Parcel windowParcel;
		windowInfo.writeToParcel(&windowParcel);
		windowParcel.setDataPosition(0);
		windowInfo.readFromParcel(&windowParcel);

		windowInfo.addTouchableRegion(getRect(&mFdp));
		int32_t pointX = mFdp.ConsumeIntegral<int32_t>();
		int32_t pointY = mFdp.ConsumeIntegral<int32_t>();
		windowInfo.touchableRegionContainsPoint(pointX, pointY);
		windowInfo.frameContainsPoint(pointX, pointY);

		Parcel transactionParcel;
		transaction.writeToParcel(&transactionParcel);
		transactionParcel.setDataPosition(0);
		transaction.readFromParcel(&transactionParcel);
		SurfaceComposerClient::Transaction::createFromParcel(&transactionParcel);
		}

		void SurfaceComposerClientFuzzer::fuzzOnPullAtom() {
		std::string outData;
		bool success;
		SurfaceComposerClient::onPullAtom(mFdp.ConsumeIntegral<int32_t>(), &outData, &success);
		}

		void SurfaceComposerClientFuzzer::invokeSurfaceComposerClient() {
		String8 displayName((mFdp.ConsumeRandomLengthString(kRandomStringMaxBytes)).c_str());
		sp<IBinder> displayToken =
		SurfaceComposerClient::createDisplay(displayName, mFdp.ConsumeBool() /secure/);
		SurfaceComposerClient::setDesiredDisplayModeSpecs(displayToken, mFdp.ConsumeIntegral<int32_t>(),
		mFdp.ConsumeBool() /allowGroupSwitching/,
		mFdp.ConsumeFloatingPoint<float>(),
		mFdp.ConsumeFloatingPoint<float>(),
		mFdp.ConsumeFloatingPoint<float>(),
		mFdp.ConsumeFloatingPoint<float>());

		ui::ColorMode colorMode = mFdp.PickValueInArray(kColormodes);
		SurfaceComposerClient::setActiveColorMode(displayToken, colorMode);
		SurfaceComposerClient::setAutoLowLatencyMode(displayToken, mFdp.ConsumeBool() /on/);
		SurfaceComposerClient::setGameContentType(displayToken, mFdp.ConsumeBool() /on/);
		SurfaceComposerClient::setDisplayPowerMode(displayToken, mFdp.ConsumeIntegral<int32_t>());
		SurfaceComposerClient::doUncacheBufferTransaction(mFdp.ConsumeIntegral<uint64_t>());

		SurfaceComposerClient::setDisplayBrightness(displayToken, getBrightness(&mFdp));
		hardware::power::Boost boostId = mFdp.PickValueInArray(kBoost);
		SurfaceComposerClient::notifyPowerBoost((int32_t)boostId);

		String8 surfaceName((mFdp.ConsumeRandomLengthString(kRandomStringMaxBytes)).c_str());
		sp<BBinder> handle(new BBinder());
		sp<BnGraphicBufferProducer> producer;
		sp<Surface> surfaceParent(
		new Surface(producer, mFdp.ConsumeBool() /controlledByApp/, handle));

		SurfaceComposerClient::enableVSyncInjections(mFdp.ConsumeBool() /secure/);
		nsecs_t when = mFdp.ConsumeIntegral<uint32_t>();
		SurfaceComposerClient::injectVSync(when);

		fuzzOnPullAtom();
		SurfaceComposerClient::setDisplayContentSamplingEnabled(displayToken,
		mFdp.ConsumeBool() /enable/,
		mFdp.ConsumeIntegral<uint8_t>(),
		mFdp.ConsumeIntegral<uint64_t>());

		sp<IBinder> stopLayerHandle;
		sp<gui::IRegionSamplingListener> listener = sp<gui::IRegionSamplingListenerDefault>::make();
		sp<gui::IRegionSamplingListenerDelegator> sampleListener =
		new gui::IRegionSamplingListenerDelegator(listener);
		SurfaceComposerClient::addRegionSamplingListener(getRect(&mFdp), stopLayerHandle,
		sampleListener);
		sp<gui::IFpsListenerDefault> fpsListener;
		SurfaceComposerClient::addFpsListener(mFdp.ConsumeIntegral<int32_t>(), fpsListener);
		}

		void SurfaceComposerClientFuzzer::invokeSurfaceComposerClientBinder() {
		sp<FakeBnSurfaceComposerClient> client(new FakeBnSurfaceComposerClient());
		fuzzService(client.get(), std::move(mFdp));
		}

		void SurfaceComposerClientFuzzer::process() {
		invokeSurfaceComposerClient();
		invokeSurfaceComposerTransaction();
		invokeSurfaceComposerClientBinder();
		}

		extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
		SurfaceComposerClientFuzzer surfaceComposerClientFuzzer(data, size);
		surfaceComposerClientFuzzer.process();
		return 0;
		}