Loading services/inputflinger/tests/fuzzers/CursorInputFuzzer.cpp +19 −10 Original line number Diff line number Diff line Loading @@ -15,22 +15,22 @@ */ #include <CursorInputMapper.h> #include <FuzzContainer.h> #include <InputDevice.h> #include <InputReaderBase.h> #include <MapperHelpers.h> namespace android { static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) { static void addProperty(FuzzEventHub& eventHub, std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) { // Pick a random property to set for the mapper to have set. fdp->PickValueInArray<std::function<void()>>( {[&]() -> void { fuzzer.addProperty("cursor.mode", "pointer"); }, [&]() -> void { fuzzer.addProperty("cursor.mode", "navigation"); }, {[&]() -> void { eventHub.addProperty("cursor.mode", "pointer"); }, [&]() -> void { eventHub.addProperty("cursor.mode", "navigation"); }, [&]() -> void { fuzzer.addProperty("cursor.mode", fdp->ConsumeRandomLengthString(100).data()); eventHub.addProperty("cursor.mode", fdp->ConsumeRandomLengthString(100).data()); }, [&]() -> void { fuzzer.addProperty("cursor.orientationAware", eventHub.addProperty("cursor.orientationAware", fdp->ConsumeRandomLengthString(100).data()); }})(); } Loading @@ -38,15 +38,24 @@ static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<ThreadSafeFuzzedD extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size) { std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp = std::make_shared<ThreadSafeFuzzedDataProvider>(data, size); FuzzContainer fuzzer(fdp); // Create mocked objects to support the fuzzed input mapper. std::shared_ptr<FuzzEventHub> eventHub = std::make_shared<FuzzEventHub>(fdp); FuzzInputReaderContext context(eventHub, fdp); InputDevice device = getFuzzedInputDevice(*fdp, &context); InputReaderConfiguration policyConfig; CursorInputMapper& mapper = fuzzer.getMapper<CursorInputMapper>(policyConfig); CursorInputMapper& mapper = getMapperForDevice<ThreadSafeFuzzedDataProvider, CursorInputMapper>(*fdp.get(), device, policyConfig); // Loop through mapper operations until randomness is exhausted. while (fdp->remaining_bytes() > 0) { fdp->PickValueInArray<std::function<void()>>({ [&]() -> void { addProperty(fuzzer, fdp); }, [&]() -> void { addProperty(*eventHub.get(), fdp); configureAndResetDevice(*fdp, device); }, [&]() -> void { std::string dump; mapper.dump(dump); Loading services/inputflinger/tests/fuzzers/FuzzContainer.hdeleted 100644 → 0 +0 −86 Original line number Diff line number Diff line /* * Copyright 2022 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #pragma once #include <InputDevice.h> #include <InputMapper.h> #include <InputReader.h> #include <MapperHelpers.h> namespace android { class FuzzContainer { std::shared_ptr<FuzzEventHub> mFuzzEventHub; FuzzInputListener mFuzzListener; std::unique_ptr<FuzzInputReaderContext> mFuzzContext; std::unique_ptr<InputDevice> mFuzzDevice; std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp; public: FuzzContainer(std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) : mFdp(fdp) { // Setup parameters. std::string deviceName = mFdp->ConsumeRandomLengthString(16); std::string deviceLocation = mFdp->ConsumeRandomLengthString(12); int32_t deviceID = mFdp->ConsumeIntegralInRange<int32_t>(0, 5); int32_t deviceGeneration = mFdp->ConsumeIntegralInRange<int32_t>(/*from=*/0, /*to=*/5); // Create mocked objects. mFuzzEventHub = std::make_shared<FuzzEventHub>(mFdp); sp<FuzzInputReaderPolicy> policy = sp<FuzzInputReaderPolicy>::make(mFdp); mFuzzContext = std::make_unique<FuzzInputReaderContext>(mFuzzEventHub, policy, mFuzzListener, mFdp); InputDeviceIdentifier identifier; identifier.name = deviceName; identifier.location = deviceLocation; mFuzzDevice = std::make_unique<InputDevice>(mFuzzContext.get(), deviceID, deviceGeneration, identifier); } ~FuzzContainer() {} void configureDevice() { nsecs_t arbitraryTime = mFdp->ConsumeIntegral<nsecs_t>(); std::list<NotifyArgs> out; out += mFuzzDevice->configure(arbitraryTime, /*readerConfig=*/{}, /*changes=*/{}); out += mFuzzDevice->reset(arbitraryTime); for (const NotifyArgs& args : out) { mFuzzListener.notify(args); } } void addProperty(std::string key, std::string value) { mFuzzEventHub->addProperty(key, value); configureDevice(); } void setAbsoluteAxisInfo(int axis, const RawAbsoluteAxisInfo& axisInfo) { mFuzzEventHub->setAbsoluteAxisInfo(mFuzzDevice->getId(), axis, axisInfo); } template <class T, typename... Args> T& getMapper(Args... args) { int32_t eventhubId = mFdp->ConsumeIntegral<int32_t>(); // ensure a device entry exists for this eventHubId mFuzzDevice->addEmptyEventHubDevice(eventhubId); configureDevice(); return mFuzzDevice->template constructAndAddMapper<T>(eventhubId, args...); } }; } // namespace android services/inputflinger/tests/fuzzers/KeyboardInputFuzzer.cpp +20 −15 Original line number Diff line number Diff line Loading @@ -14,7 +14,7 @@ * limitations under the License. */ #include <FuzzContainer.h> #include <InputDevice.h> #include <InputReaderBase.h> #include <KeyboardInputMapper.h> #include <MapperHelpers.h> Loading @@ -23,20 +23,20 @@ namespace android { const int32_t kMaxKeycodes = 100; static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) { static void addProperty(FuzzEventHub& eventHub, std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) { // Pick a random property to set for the mapper to have set. fdp->PickValueInArray<std::function<void()>>( {[&]() -> void { fuzzer.addProperty("keyboard.orientationAware", "1"); }, {[&]() -> void { eventHub.addProperty("keyboard.orientationAware", "1"); }, [&]() -> void { fuzzer.addProperty("keyboard.orientationAware", eventHub.addProperty("keyboard.orientationAware", fdp->ConsumeRandomLengthString(100).data()); }, [&]() -> void { fuzzer.addProperty("keyboard.doNotWakeByDefault", eventHub.addProperty("keyboard.doNotWakeByDefault", fdp->ConsumeRandomLengthString(100).data()); }, [&]() -> void { fuzzer.addProperty("keyboard.handlesKeyRepeat", eventHub.addProperty("keyboard.handlesKeyRepeat", fdp->ConsumeRandomLengthString(100).data()); }})(); } Loading @@ -44,17 +44,22 @@ static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<ThreadSafeFuzzedD extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size) { std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp = std::make_shared<ThreadSafeFuzzedDataProvider>(data, size); FuzzContainer fuzzer(fdp); KeyboardInputMapper& mapper = fuzzer.getMapper<KeyboardInputMapper>(InputReaderConfiguration{}, fdp->ConsumeIntegral<uint32_t>(), fdp->ConsumeIntegral<int32_t>()); // Create mocked objects to support the fuzzed input mapper. std::shared_ptr<FuzzEventHub> eventHub = std::make_shared<FuzzEventHub>(fdp); FuzzInputReaderContext context(eventHub, fdp); InputDevice device = getFuzzedInputDevice(*fdp, &context); KeyboardInputMapper& mapper = getMapperForDevice< ThreadSafeFuzzedDataProvider, KeyboardInputMapper>(*fdp.get(), device, InputReaderConfiguration{}, /*source=*/fdp->ConsumeIntegral<uint32_t>(), /*keyboardType=*/fdp->ConsumeIntegral<int32_t>()); // Loop through mapper operations until randomness is exhausted. while (fdp->remaining_bytes() > 0) { fdp->PickValueInArray<std::function<void()>>({ [&]() -> void { addProperty(fuzzer, fdp); }, [&]() -> void { addProperty(*eventHub.get(), fdp); }, [&]() -> void { std::string dump; mapper.dump(dump); Loading services/inputflinger/tests/fuzzers/MapperHelpers.h +31 −4 Original line number Diff line number Diff line Loading @@ -16,6 +16,7 @@ #pragma once #include <map> #include <memory> #include <EventHub.h> #include <InputDevice.h> Loading Loading @@ -328,10 +329,8 @@ class FuzzInputReaderContext : public InputReaderContext { public: FuzzInputReaderContext(std::shared_ptr<EventHubInterface> eventHub, const sp<InputReaderPolicyInterface>& policy, InputListenerInterface& listener, std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp) : mEventHub(eventHub), mPolicy(policy), mFdp(mFdp) {} std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) : mEventHub(eventHub), mPolicy(sp<FuzzInputReaderPolicy>::make(fdp)), mFdp(fdp) {} ~FuzzInputReaderContext() {} void updateGlobalMetaState() override {} int32_t getGlobalMetaState() { return mFdp->ConsumeIntegral<int32_t>(); } Loading @@ -358,4 +357,32 @@ public: void notifyStylusGestureStarted(int32_t, nsecs_t) {} }; template <class Fdp> InputDevice getFuzzedInputDevice(Fdp& fdp, FuzzInputReaderContext* context) { InputDeviceIdentifier identifier; identifier.name = fdp.ConsumeRandomLengthString(16); identifier.location = fdp.ConsumeRandomLengthString(12); int32_t deviceID = fdp.ConsumeIntegralInRange(0, 5); int32_t deviceGeneration = fdp.ConsumeIntegralInRange(0, 5); return InputDevice(context, deviceID, deviceGeneration, identifier); } template <class Fdp> void configureAndResetDevice(Fdp& fdp, InputDevice& device) { nsecs_t arbitraryTime = fdp.template ConsumeIntegral<nsecs_t>(); std::list<NotifyArgs> out; out += device.configure(arbitraryTime, /*readerConfig=*/{}, /*changes=*/{}); out += device.reset(arbitraryTime); } template <class Fdp, class T, typename... Args> T& getMapperForDevice(Fdp& fdp, InputDevice& device, Args... args) { int32_t eventhubId = fdp.template ConsumeIntegral<int32_t>(); // ensure a device entry exists for this eventHubId device.addEmptyEventHubDevice(eventhubId); configureAndResetDevice(fdp, device); return device.template constructAndAddMapper<T>(eventhubId, args...); } } // namespace android services/inputflinger/tests/fuzzers/MultiTouchInputFuzzer.cpp +29 −19 Original line number Diff line number Diff line Loading @@ -14,7 +14,7 @@ * limitations under the License. */ #include <FuzzContainer.h> #include <InputDevice.h> #include <InputReaderBase.h> #include <MapperHelpers.h> #include <MultiTouchInputMapper.h> Loading @@ -23,37 +23,37 @@ namespace android { const int32_t kMaxKeycodes = 100; static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) { static void addProperty(FuzzEventHub& eventHub, std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) { // Pick a random property to set for the mapper to have set. fdp->PickValueInArray<std::function<void()>>( {[&]() -> void { fuzzer.addProperty("touch.deviceType", "touchScreen"); }, {[&]() -> void { eventHub.addProperty("touch.deviceType", "touchScreen"); }, [&]() -> void { fuzzer.addProperty("touch.deviceType", fdp->ConsumeRandomLengthString(8).data()); eventHub.addProperty("touch.deviceType", fdp->ConsumeRandomLengthString(8).data()); }, [&]() -> void { fuzzer.addProperty("touch.size.scale", fdp->ConsumeRandomLengthString(8).data()); eventHub.addProperty("touch.size.scale", fdp->ConsumeRandomLengthString(8).data()); }, [&]() -> void { fuzzer.addProperty("touch.size.bias", fdp->ConsumeRandomLengthString(8).data()); eventHub.addProperty("touch.size.bias", fdp->ConsumeRandomLengthString(8).data()); }, [&]() -> void { fuzzer.addProperty("touch.size.isSummed", eventHub.addProperty("touch.size.isSummed", fdp->ConsumeRandomLengthString(8).data()); }, [&]() -> void { fuzzer.addProperty("touch.size.calibration", eventHub.addProperty("touch.size.calibration", fdp->ConsumeRandomLengthString(8).data()); }, [&]() -> void { fuzzer.addProperty("touch.pressure.scale", eventHub.addProperty("touch.pressure.scale", fdp->ConsumeRandomLengthString(8).data()); }, [&]() -> void { fuzzer.addProperty("touch.size.calibration", eventHub.addProperty("touch.size.calibration", fdp->ConsumeBool() ? "diameter" : "area"); }, [&]() -> void { fuzzer.addProperty("touch.pressure.calibration", eventHub.addProperty("touch.pressure.calibration", fdp->ConsumeRandomLengthString(8).data()); }})(); } Loading @@ -61,15 +61,25 @@ static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<ThreadSafeFuzzedD extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size) { std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp = std::make_shared<ThreadSafeFuzzedDataProvider>(data, size); FuzzContainer fuzzer(fdp); // Create mocked objects to support the fuzzed input mapper. std::shared_ptr<FuzzEventHub> eventHub = std::make_shared<FuzzEventHub>(fdp); FuzzInputReaderContext context(eventHub, fdp); InputDevice device = getFuzzedInputDevice(*fdp, &context); InputReaderConfiguration policyConfig; MultiTouchInputMapper& mapper = fuzzer.getMapper<MultiTouchInputMapper>(policyConfig); MultiTouchInputMapper& mapper = getMapperForDevice<ThreadSafeFuzzedDataProvider, MultiTouchInputMapper>(*fdp.get(), device, policyConfig); // Loop through mapper operations until randomness is exhausted. while (fdp->remaining_bytes() > 0) { fdp->PickValueInArray<std::function<void()>>({ [&]() -> void { addProperty(fuzzer, fdp); }, [&]() -> void { addProperty(*eventHub.get(), fdp); configureAndResetDevice(*fdp, device); }, [&]() -> void { std::string dump; mapper.dump(dump); Loading Loading
services/inputflinger/tests/fuzzers/CursorInputFuzzer.cpp +19 −10 Original line number Diff line number Diff line Loading @@ -15,22 +15,22 @@ */ #include <CursorInputMapper.h> #include <FuzzContainer.h> #include <InputDevice.h> #include <InputReaderBase.h> #include <MapperHelpers.h> namespace android { static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) { static void addProperty(FuzzEventHub& eventHub, std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) { // Pick a random property to set for the mapper to have set. fdp->PickValueInArray<std::function<void()>>( {[&]() -> void { fuzzer.addProperty("cursor.mode", "pointer"); }, [&]() -> void { fuzzer.addProperty("cursor.mode", "navigation"); }, {[&]() -> void { eventHub.addProperty("cursor.mode", "pointer"); }, [&]() -> void { eventHub.addProperty("cursor.mode", "navigation"); }, [&]() -> void { fuzzer.addProperty("cursor.mode", fdp->ConsumeRandomLengthString(100).data()); eventHub.addProperty("cursor.mode", fdp->ConsumeRandomLengthString(100).data()); }, [&]() -> void { fuzzer.addProperty("cursor.orientationAware", eventHub.addProperty("cursor.orientationAware", fdp->ConsumeRandomLengthString(100).data()); }})(); } Loading @@ -38,15 +38,24 @@ static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<ThreadSafeFuzzedD extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size) { std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp = std::make_shared<ThreadSafeFuzzedDataProvider>(data, size); FuzzContainer fuzzer(fdp); // Create mocked objects to support the fuzzed input mapper. std::shared_ptr<FuzzEventHub> eventHub = std::make_shared<FuzzEventHub>(fdp); FuzzInputReaderContext context(eventHub, fdp); InputDevice device = getFuzzedInputDevice(*fdp, &context); InputReaderConfiguration policyConfig; CursorInputMapper& mapper = fuzzer.getMapper<CursorInputMapper>(policyConfig); CursorInputMapper& mapper = getMapperForDevice<ThreadSafeFuzzedDataProvider, CursorInputMapper>(*fdp.get(), device, policyConfig); // Loop through mapper operations until randomness is exhausted. while (fdp->remaining_bytes() > 0) { fdp->PickValueInArray<std::function<void()>>({ [&]() -> void { addProperty(fuzzer, fdp); }, [&]() -> void { addProperty(*eventHub.get(), fdp); configureAndResetDevice(*fdp, device); }, [&]() -> void { std::string dump; mapper.dump(dump); Loading
services/inputflinger/tests/fuzzers/FuzzContainer.hdeleted 100644 → 0 +0 −86 Original line number Diff line number Diff line /* * Copyright 2022 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #pragma once #include <InputDevice.h> #include <InputMapper.h> #include <InputReader.h> #include <MapperHelpers.h> namespace android { class FuzzContainer { std::shared_ptr<FuzzEventHub> mFuzzEventHub; FuzzInputListener mFuzzListener; std::unique_ptr<FuzzInputReaderContext> mFuzzContext; std::unique_ptr<InputDevice> mFuzzDevice; std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp; public: FuzzContainer(std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) : mFdp(fdp) { // Setup parameters. std::string deviceName = mFdp->ConsumeRandomLengthString(16); std::string deviceLocation = mFdp->ConsumeRandomLengthString(12); int32_t deviceID = mFdp->ConsumeIntegralInRange<int32_t>(0, 5); int32_t deviceGeneration = mFdp->ConsumeIntegralInRange<int32_t>(/*from=*/0, /*to=*/5); // Create mocked objects. mFuzzEventHub = std::make_shared<FuzzEventHub>(mFdp); sp<FuzzInputReaderPolicy> policy = sp<FuzzInputReaderPolicy>::make(mFdp); mFuzzContext = std::make_unique<FuzzInputReaderContext>(mFuzzEventHub, policy, mFuzzListener, mFdp); InputDeviceIdentifier identifier; identifier.name = deviceName; identifier.location = deviceLocation; mFuzzDevice = std::make_unique<InputDevice>(mFuzzContext.get(), deviceID, deviceGeneration, identifier); } ~FuzzContainer() {} void configureDevice() { nsecs_t arbitraryTime = mFdp->ConsumeIntegral<nsecs_t>(); std::list<NotifyArgs> out; out += mFuzzDevice->configure(arbitraryTime, /*readerConfig=*/{}, /*changes=*/{}); out += mFuzzDevice->reset(arbitraryTime); for (const NotifyArgs& args : out) { mFuzzListener.notify(args); } } void addProperty(std::string key, std::string value) { mFuzzEventHub->addProperty(key, value); configureDevice(); } void setAbsoluteAxisInfo(int axis, const RawAbsoluteAxisInfo& axisInfo) { mFuzzEventHub->setAbsoluteAxisInfo(mFuzzDevice->getId(), axis, axisInfo); } template <class T, typename... Args> T& getMapper(Args... args) { int32_t eventhubId = mFdp->ConsumeIntegral<int32_t>(); // ensure a device entry exists for this eventHubId mFuzzDevice->addEmptyEventHubDevice(eventhubId); configureDevice(); return mFuzzDevice->template constructAndAddMapper<T>(eventhubId, args...); } }; } // namespace android
services/inputflinger/tests/fuzzers/KeyboardInputFuzzer.cpp +20 −15 Original line number Diff line number Diff line Loading @@ -14,7 +14,7 @@ * limitations under the License. */ #include <FuzzContainer.h> #include <InputDevice.h> #include <InputReaderBase.h> #include <KeyboardInputMapper.h> #include <MapperHelpers.h> Loading @@ -23,20 +23,20 @@ namespace android { const int32_t kMaxKeycodes = 100; static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) { static void addProperty(FuzzEventHub& eventHub, std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) { // Pick a random property to set for the mapper to have set. fdp->PickValueInArray<std::function<void()>>( {[&]() -> void { fuzzer.addProperty("keyboard.orientationAware", "1"); }, {[&]() -> void { eventHub.addProperty("keyboard.orientationAware", "1"); }, [&]() -> void { fuzzer.addProperty("keyboard.orientationAware", eventHub.addProperty("keyboard.orientationAware", fdp->ConsumeRandomLengthString(100).data()); }, [&]() -> void { fuzzer.addProperty("keyboard.doNotWakeByDefault", eventHub.addProperty("keyboard.doNotWakeByDefault", fdp->ConsumeRandomLengthString(100).data()); }, [&]() -> void { fuzzer.addProperty("keyboard.handlesKeyRepeat", eventHub.addProperty("keyboard.handlesKeyRepeat", fdp->ConsumeRandomLengthString(100).data()); }})(); } Loading @@ -44,17 +44,22 @@ static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<ThreadSafeFuzzedD extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size) { std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp = std::make_shared<ThreadSafeFuzzedDataProvider>(data, size); FuzzContainer fuzzer(fdp); KeyboardInputMapper& mapper = fuzzer.getMapper<KeyboardInputMapper>(InputReaderConfiguration{}, fdp->ConsumeIntegral<uint32_t>(), fdp->ConsumeIntegral<int32_t>()); // Create mocked objects to support the fuzzed input mapper. std::shared_ptr<FuzzEventHub> eventHub = std::make_shared<FuzzEventHub>(fdp); FuzzInputReaderContext context(eventHub, fdp); InputDevice device = getFuzzedInputDevice(*fdp, &context); KeyboardInputMapper& mapper = getMapperForDevice< ThreadSafeFuzzedDataProvider, KeyboardInputMapper>(*fdp.get(), device, InputReaderConfiguration{}, /*source=*/fdp->ConsumeIntegral<uint32_t>(), /*keyboardType=*/fdp->ConsumeIntegral<int32_t>()); // Loop through mapper operations until randomness is exhausted. while (fdp->remaining_bytes() > 0) { fdp->PickValueInArray<std::function<void()>>({ [&]() -> void { addProperty(fuzzer, fdp); }, [&]() -> void { addProperty(*eventHub.get(), fdp); }, [&]() -> void { std::string dump; mapper.dump(dump); Loading
services/inputflinger/tests/fuzzers/MapperHelpers.h +31 −4 Original line number Diff line number Diff line Loading @@ -16,6 +16,7 @@ #pragma once #include <map> #include <memory> #include <EventHub.h> #include <InputDevice.h> Loading Loading @@ -328,10 +329,8 @@ class FuzzInputReaderContext : public InputReaderContext { public: FuzzInputReaderContext(std::shared_ptr<EventHubInterface> eventHub, const sp<InputReaderPolicyInterface>& policy, InputListenerInterface& listener, std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp) : mEventHub(eventHub), mPolicy(policy), mFdp(mFdp) {} std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) : mEventHub(eventHub), mPolicy(sp<FuzzInputReaderPolicy>::make(fdp)), mFdp(fdp) {} ~FuzzInputReaderContext() {} void updateGlobalMetaState() override {} int32_t getGlobalMetaState() { return mFdp->ConsumeIntegral<int32_t>(); } Loading @@ -358,4 +357,32 @@ public: void notifyStylusGestureStarted(int32_t, nsecs_t) {} }; template <class Fdp> InputDevice getFuzzedInputDevice(Fdp& fdp, FuzzInputReaderContext* context) { InputDeviceIdentifier identifier; identifier.name = fdp.ConsumeRandomLengthString(16); identifier.location = fdp.ConsumeRandomLengthString(12); int32_t deviceID = fdp.ConsumeIntegralInRange(0, 5); int32_t deviceGeneration = fdp.ConsumeIntegralInRange(0, 5); return InputDevice(context, deviceID, deviceGeneration, identifier); } template <class Fdp> void configureAndResetDevice(Fdp& fdp, InputDevice& device) { nsecs_t arbitraryTime = fdp.template ConsumeIntegral<nsecs_t>(); std::list<NotifyArgs> out; out += device.configure(arbitraryTime, /*readerConfig=*/{}, /*changes=*/{}); out += device.reset(arbitraryTime); } template <class Fdp, class T, typename... Args> T& getMapperForDevice(Fdp& fdp, InputDevice& device, Args... args) { int32_t eventhubId = fdp.template ConsumeIntegral<int32_t>(); // ensure a device entry exists for this eventHubId device.addEmptyEventHubDevice(eventhubId); configureAndResetDevice(fdp, device); return device.template constructAndAddMapper<T>(eventhubId, args...); } } // namespace android
services/inputflinger/tests/fuzzers/MultiTouchInputFuzzer.cpp +29 −19 Original line number Diff line number Diff line Loading @@ -14,7 +14,7 @@ * limitations under the License. */ #include <FuzzContainer.h> #include <InputDevice.h> #include <InputReaderBase.h> #include <MapperHelpers.h> #include <MultiTouchInputMapper.h> Loading @@ -23,37 +23,37 @@ namespace android { const int32_t kMaxKeycodes = 100; static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) { static void addProperty(FuzzEventHub& eventHub, std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) { // Pick a random property to set for the mapper to have set. fdp->PickValueInArray<std::function<void()>>( {[&]() -> void { fuzzer.addProperty("touch.deviceType", "touchScreen"); }, {[&]() -> void { eventHub.addProperty("touch.deviceType", "touchScreen"); }, [&]() -> void { fuzzer.addProperty("touch.deviceType", fdp->ConsumeRandomLengthString(8).data()); eventHub.addProperty("touch.deviceType", fdp->ConsumeRandomLengthString(8).data()); }, [&]() -> void { fuzzer.addProperty("touch.size.scale", fdp->ConsumeRandomLengthString(8).data()); eventHub.addProperty("touch.size.scale", fdp->ConsumeRandomLengthString(8).data()); }, [&]() -> void { fuzzer.addProperty("touch.size.bias", fdp->ConsumeRandomLengthString(8).data()); eventHub.addProperty("touch.size.bias", fdp->ConsumeRandomLengthString(8).data()); }, [&]() -> void { fuzzer.addProperty("touch.size.isSummed", eventHub.addProperty("touch.size.isSummed", fdp->ConsumeRandomLengthString(8).data()); }, [&]() -> void { fuzzer.addProperty("touch.size.calibration", eventHub.addProperty("touch.size.calibration", fdp->ConsumeRandomLengthString(8).data()); }, [&]() -> void { fuzzer.addProperty("touch.pressure.scale", eventHub.addProperty("touch.pressure.scale", fdp->ConsumeRandomLengthString(8).data()); }, [&]() -> void { fuzzer.addProperty("touch.size.calibration", eventHub.addProperty("touch.size.calibration", fdp->ConsumeBool() ? "diameter" : "area"); }, [&]() -> void { fuzzer.addProperty("touch.pressure.calibration", eventHub.addProperty("touch.pressure.calibration", fdp->ConsumeRandomLengthString(8).data()); }})(); } Loading @@ -61,15 +61,25 @@ static void addProperty(FuzzContainer& fuzzer, std::shared_ptr<ThreadSafeFuzzedD extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size) { std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp = std::make_shared<ThreadSafeFuzzedDataProvider>(data, size); FuzzContainer fuzzer(fdp); // Create mocked objects to support the fuzzed input mapper. std::shared_ptr<FuzzEventHub> eventHub = std::make_shared<FuzzEventHub>(fdp); FuzzInputReaderContext context(eventHub, fdp); InputDevice device = getFuzzedInputDevice(*fdp, &context); InputReaderConfiguration policyConfig; MultiTouchInputMapper& mapper = fuzzer.getMapper<MultiTouchInputMapper>(policyConfig); MultiTouchInputMapper& mapper = getMapperForDevice<ThreadSafeFuzzedDataProvider, MultiTouchInputMapper>(*fdp.get(), device, policyConfig); // Loop through mapper operations until randomness is exhausted. while (fdp->remaining_bytes() > 0) { fdp->PickValueInArray<std::function<void()>>({ [&]() -> void { addProperty(fuzzer, fdp); }, [&]() -> void { addProperty(*eventHub.get(), fdp); configureAndResetDevice(*fdp, device); }, [&]() -> void { std::string dump; mapper.dump(dump); Loading
