From 213e8bba850888b23bcd5a9eb5fc2ca004a00c09 Mon Sep 17 00:00:00 2001 From: kunal rai Date: Mon, 2 Oct 2023 14:09:36 +0530 Subject: [PATCH] Refactored vehicleManager_fuzzer The following are the updates to the fuzzer: 1. Randomised order of API calls using fdp. 2. Enhanced code coverage by 10%. exec/s: 6 Test: ./vehicleManager_fuzzer Bug: 302903753 Change-Id: I83f0a4121871d5b08b4f00f40dd096854aee63c5 --- .../tests/fuzzer/VehicleManager_fuzzer.cpp | 573 +++++++++++------- .../tests/fuzzer/VehicleManager_fuzzer.h | 8 + 2 files changed, 355 insertions(+), 226 deletions(-) diff --git a/automotive/vehicle/2.0/default/tests/fuzzer/VehicleManager_fuzzer.cpp b/automotive/vehicle/2.0/default/tests/fuzzer/VehicleManager_fuzzer.cpp index 8a085e55f5..4d0995d924 100644 --- a/automotive/vehicle/2.0/default/tests/fuzzer/VehicleManager_fuzzer.cpp +++ b/automotive/vehicle/2.0/default/tests/fuzzer/VehicleManager_fuzzer.cpp @@ -76,30 +76,20 @@ using ::android::hardware::automotive::vehicle::V2_0::vms::VmsLayerAndPublisher; using ::android::hardware::automotive::vehicle::V2_0::vms::VmsLayerOffering; using ::android::hardware::automotive::vehicle::V2_0::vms::VmsOffers; -constexpr const char kCarMake[] = "Default Car"; -constexpr VehicleProperty kVehicleProp[] = {VehicleProperty::INVALID, - VehicleProperty::HVAC_FAN_SPEED, - VehicleProperty::INFO_MAKE, - VehicleProperty::DISPLAY_BRIGHTNESS, - VehicleProperty::INFO_FUEL_CAPACITY, - VehicleProperty::HVAC_SEAT_TEMPERATURE}; -constexpr DiagnosticIntegerSensorIndex kDiagnosticIntIndex[] = { - DiagnosticIntegerSensorIndex::FUEL_SYSTEM_STATUS, - DiagnosticIntegerSensorIndex::MALFUNCTION_INDICATOR_LIGHT_ON, - DiagnosticIntegerSensorIndex::NUM_OXYGEN_SENSORS_PRESENT, - DiagnosticIntegerSensorIndex::FUEL_TYPE}; -constexpr DiagnosticFloatSensorIndex kDiagnosticFloatIndex[] = { - DiagnosticFloatSensorIndex::CALCULATED_ENGINE_LOAD, - DiagnosticFloatSensorIndex::SHORT_TERM_FUEL_TRIM_BANK1, - DiagnosticFloatSensorIndex::LONG_TERM_FUEL_TRIM_BANK1, - DiagnosticFloatSensorIndex::THROTTLE_POSITION}; -constexpr size_t kVehiclePropArrayLength = std::size(kVehicleProp); -constexpr size_t kIntSensorArrayLength = std::size(kDiagnosticIntIndex); -constexpr size_t kFloatSensorArrayLength = std::size(kDiagnosticFloatIndex); -constexpr VmsMessageType kAvailabilityMessageType[] = {VmsMessageType::AVAILABILITY_CHANGE, - VmsMessageType::AVAILABILITY_RESPONSE}; -constexpr VmsMessageType kSubscriptionMessageType[] = {VmsMessageType::SUBSCRIPTIONS_CHANGE, - VmsMessageType::SUBSCRIPTIONS_RESPONSE}; +std::string kCarMake; +constexpr int32_t kMaxCaseMessage = 8; +constexpr int32_t kMaxRuns = 20; +constexpr int32_t kMaxSize = 1000; +constexpr int32_t kMinSize = 0; +constexpr int32_t kMaxFileSize = 100; +float kFloatValue; +std::vector kVec32; +std::vector kVec64; +std::vector kVec8; +std::vector kVecFloat; +static const std::vector kSampleDtcs = {"P0070", + "P0102" + "P0123"}; MockedVehicleHal::VehiclePropValuePtr MockedVehicleHal::get( const VehiclePropValue& requestedPropValue, StatusCode* outStatus) { @@ -113,23 +103,23 @@ MockedVehicleHal::VehiclePropValuePtr MockedVehicleHal::get( switch (property) { case VehicleProperty::INFO_MAKE: - pValue = getValuePool()->obtainString(kCarMake); + pValue = getValuePool()->obtainString(kCarMake.c_str()); break; case VehicleProperty::INFO_FUEL_CAPACITY: if (mFuelCapacityAttemptsLeft-- > 0) { *outStatus = StatusCode::TRY_AGAIN; } else { - pValue = getValuePool()->obtainFloat(42.42); + pValue = getValuePool()->obtainFloat(kFloatValue); } break; default: if (requestedPropValue.prop == kCustomComplexProperty) { pValue = getValuePool()->obtainComplex(); - pValue->value.int32Values = hidl_vec{10, 20}; - pValue->value.int64Values = hidl_vec{30, 40}; - pValue->value.floatValues = hidl_vec{1.1, 2.2}; - pValue->value.bytes = hidl_vec{1, 2, 3}; - pValue->value.stringValue = kCarMake; + pValue->value.int32Values = hidl_vec{kVec32}; + pValue->value.int64Values = hidl_vec{kVec64}; + pValue->value.floatValues = hidl_vec{kVecFloat}; + pValue->value.bytes = hidl_vec{kVec8}; + pValue->value.stringValue = kCarMake.c_str(); break; } auto key = makeKey(toInt(property), areaId); @@ -145,28 +135,72 @@ MockedVehicleHal::VehiclePropValuePtr MockedVehicleHal::get( return pValue; } +void VehicleHalManagerFuzzer::initValue() { + kCarMake = mFuzzedDataProvider->ConsumeRandomLengthString(kMaxFileSize); + kFloatValue = mFuzzedDataProvider->ConsumeFloatingPoint(); + fillParameter(mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxSize), + kVec32); + fillParameter(mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxSize), + kVec64); + fillParameter(mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxSize), + kVec8); + size_t size = mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxSize); + for (size_t i = 0; i < size; ++i) { + kVecFloat.push_back(mFuzzedDataProvider->ConsumeFloatingPoint()); + } +} + void VehicleHalManagerFuzzer::process(const uint8_t* data, size_t size) { mFuzzedDataProvider = new FuzzedDataProvider(data, size); - invokeDebug(); - invokePropConfigs(); - invokeSubscribe(); - invokeSetAndGetValues(); - invokeObd2SensorStore(); - invokeVmsUtils(); - invokeVehiclePropStore(); - invokeWatchDogClient(); + initValue(); + /* Limited while loop runs to prevent timeouts caused + * by repeated calls to high-execution-time APIs. + */ + size_t maxRuns = mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxRuns); + size_t itr = 0; + while (mFuzzedDataProvider->remaining_bytes() && ++itr <= maxRuns) { + auto invokeVehicleHalManagerFuzzer = + mFuzzedDataProvider->PickValueInArray>({ + [&]() { invokeDebug(); }, + [&]() { invokePropConfigs(); }, + [&]() { invokeSubscribe(); }, + [&]() { invokeSetAndGetValues(); }, + [&]() { invokeObd2SensorStore(); }, + [&]() { invokeVmsUtils(); }, + [&]() { invokeVehiclePropStore(); }, + [&]() { invokeWatchDogClient(); }, + }); + invokeVehicleHalManagerFuzzer(); + } } void VehicleHalManagerFuzzer::invokeDebug() { - hidl_string debugOption = mFuzzedDataProvider->PickValueInArray( - {"--help", "--list", "--get", "--set", "", "invalid"}); hidl_handle fd = {}; native_handle_t* rawHandle = native_handle_create(/*numFds=*/1, /*numInts=*/0); fd.setTo(native_handle_clone(rawHandle), /*shouldOwn=*/true); + int32_t size = mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxFileSize); + hidl_vec options(size); - mManager->debug(fd, {}); - mManager->debug(fd, {debugOption}); + for (int32_t idx = 0; idx < size; ++idx) { + if (idx == 0 && mFuzzedDataProvider->ConsumeBool()) { + options[idx] = mFuzzedDataProvider->PickValueInArray( + {"--help", "--list", "--get", "--set", "", "invalid"}); + } else if (idx == 2 && mFuzzedDataProvider->ConsumeBool()) { + options[idx] = + mFuzzedDataProvider->PickValueInArray({"-i", "-i64", "-f", "-s", "-b", "-a"}); + } else if (mFuzzedDataProvider->ConsumeBool()) { + options[idx] = mFuzzedDataProvider->ConsumeRandomLengthString(kMaxSize); + } else { + options[idx] = std::to_string(mFuzzedDataProvider->ConsumeIntegral()); + } + } + + if (mFuzzedDataProvider->ConsumeBool()) { + mManager->debug(fd, {}); + } else { + mManager->debug(fd, options); + } native_handle_delete(rawHandle); } @@ -175,178 +209,245 @@ void VehicleHalManagerFuzzer::invokePropConfigs() { int32_t vehicleProp2 = mFuzzedDataProvider->ConsumeIntegral(); hidl_vec properties = {vehicleProp1, vehicleProp2}; + auto invokePropConfigsAPI = mFuzzedDataProvider->PickValueInArray>({ + [&]() { + mManager->getPropConfigs( + properties, []([[maybe_unused]] StatusCode status, + [[maybe_unused]] const hidl_vec& c) {}); + }, + [&]() { + mManager->getPropConfigs( + {mFuzzedDataProvider->ConsumeIntegral()}, + []([[maybe_unused]] StatusCode status, + [[maybe_unused]] const hidl_vec& c) {}); + }, + [&]() { + mManager->getAllPropConfigs( + []([[maybe_unused]] const hidl_vec& propConfigs) {}); + }, - mManager->getPropConfigs(properties, - []([[maybe_unused]] StatusCode status, - [[maybe_unused]] const hidl_vec& c) {}); - - mManager->getPropConfigs({toInt(kVehicleProp[abs(vehicleProp1) % kVehiclePropArrayLength])}, - []([[maybe_unused]] StatusCode status, - [[maybe_unused]] const hidl_vec& c) {}); - - mManager->getAllPropConfigs( - []([[maybe_unused]] const hidl_vec& propConfigs) {}); + }); + invokePropConfigsAPI(); } void VehicleHalManagerFuzzer::invokeSubscribe() { - int32_t vehicleProp1 = mFuzzedDataProvider->ConsumeIntegral(); int32_t vehicleProp2 = mFuzzedDataProvider->ConsumeIntegral(); int32_t vehicleProp3 = mFuzzedDataProvider->ConsumeIntegral(); - const auto prop1 = toInt(kVehicleProp[abs(vehicleProp1) % kVehiclePropArrayLength]); sp cb = new MockedVehicleCallback(); + VehiclePropertyType type = + static_cast(mFuzzedDataProvider->ConsumeIntegral()); - hidl_vec options = { - SubscribeOptions{.propId = prop1, .flags = SubscribeFlags::EVENTS_FROM_CAR}}; + auto invokeSubscribeAPI = mFuzzedDataProvider->PickValueInArray>({ + [&]() { + size_t size = + mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxSize); + hidl_vec options(size); + for (size_t idx = 0; idx < size; ++idx) { + options[idx] = {SubscribeOptions{ + .propId = mFuzzedDataProvider->ConsumeIntegral(), + .flags = static_cast( + mFuzzedDataProvider->ConsumeIntegral())}}; + } + mManager->subscribe(cb, options); + }, + [&]() { + auto unsubscribedValue = mObjectPool->obtain(type); + if (!unsubscribedValue) { + return; + } + unsubscribedValue->prop = vehicleProp2; + unsubscribedValue->value.int32Values[0] = INT32_MAX; + mHal->sendPropEvent(std::move(unsubscribedValue)); + cb->waitForExpectedEvents(mFuzzedDataProvider->ConsumeIntegral()); + }, + [&]() { + const auto prop1 = mFuzzedDataProvider->ConsumeIntegral(); + mManager->unsubscribe(cb, prop1); + }, + [&]() { + mHal->sendHalError(StatusCode::TRY_AGAIN, vehicleProp3, + mFuzzedDataProvider->ConsumeIntegral() /*areaId=*/); + }, - mManager->subscribe(cb, options); - - auto unsubscribedValue = mObjectPool->obtain(VehiclePropertyType::INT32); - unsubscribedValue->prop = toInt(kVehicleProp[abs(vehicleProp2) % kVehiclePropArrayLength]); - - mHal->sendPropEvent(std::move(unsubscribedValue)); - cb->getReceivedEvents(); - cb->waitForExpectedEvents(0); - - auto subscribedValue = mObjectPool->obtain(VehiclePropertyType::INT32); - subscribedValue->prop = toInt(kVehicleProp[abs(vehicleProp2) % kVehiclePropArrayLength]); - subscribedValue->value.int32Values[0] = INT32_MAX; - - cb->reset(); - VehiclePropValue actualValue(*subscribedValue.get()); - mHal->sendPropEvent(std::move(subscribedValue)); - cb->waitForExpectedEvents(1); - mManager->unsubscribe(cb, prop1); - - sp cb2 = new MockedVehicleCallback(); - - hidl_vec options2 = { - SubscribeOptions{ - .propId = toInt(kVehicleProp[abs(vehicleProp3) % kVehiclePropArrayLength]), - .flags = SubscribeFlags::EVENTS_FROM_CAR}, - }; - - mManager->subscribe(cb2, options2); - - mHal->sendHalError(StatusCode::TRY_AGAIN, - toInt(kVehicleProp[abs(vehicleProp3) % kVehiclePropArrayLength]), - /*areaId=*/0); + }); + invokeSubscribeAPI(); } void VehicleHalManagerFuzzer::invokeSetAndGetValues() { - uint32_t vehicleProp1 = - mFuzzedDataProvider->ConsumeIntegralInRange(0, kVehiclePropArrayLength - 1); - uint32_t vehicleProp2 = - mFuzzedDataProvider->ConsumeIntegralInRange(0, kVehiclePropArrayLength - 1); - uint32_t vehicleProp3 = - mFuzzedDataProvider->ConsumeIntegralInRange(0, kVehiclePropArrayLength - 1); - - invokeGet(kCustomComplexProperty, 0); - invokeGet(toInt(kVehicleProp[vehicleProp2]), 0); - invokeGet(toInt(kVehicleProp[vehicleProp1]), 0); - - auto expectedValue = mObjectPool->obtainInt32(mFuzzedDataProvider->ConsumeIntegral()); - mObjectPool->obtainInt64(mFuzzedDataProvider->ConsumeIntegral()); - mObjectPool->obtainFloat(mFuzzedDataProvider->ConsumeFloatingPoint()); - mObjectPool->obtainBoolean(mFuzzedDataProvider->ConsumeBool()); - expectedValue->prop = toInt(kVehicleProp[vehicleProp2]); - expectedValue->areaId = 0; - - mManager->set(*expectedValue.get()); - invokeGet(toInt(kVehicleProp[vehicleProp2]), 0); - expectedValue->prop = toInt(kVehicleProp[vehicleProp3]); - mManager->set(*expectedValue.get()); - expectedValue->prop = toInt(VehicleProperty::INVALID); - mManager->set(*expectedValue.get()); + auto invokeSetAndGetAPI = mFuzzedDataProvider->PickValueInArray>({ + [&]() { + invokeGet(mFuzzedDataProvider->ConsumeIntegral(), + mFuzzedDataProvider->ConsumeIntegral()); + }, + [&]() { mObjectPool->obtainInt64(mFuzzedDataProvider->ConsumeIntegral()); }, + [&]() { mObjectPool->obtainFloat(mFuzzedDataProvider->ConsumeFloatingPoint()); }, + [&]() { mObjectPool->obtainBoolean(mFuzzedDataProvider->ConsumeBool()); }, + [&]() { + int32_t vehicleProp2 = mFuzzedDataProvider->ConsumeIntegral(); + auto expectedValue = + mObjectPool->obtainInt32(mFuzzedDataProvider->ConsumeIntegral()); + expectedValue->prop = vehicleProp2; + expectedValue->areaId = mFuzzedDataProvider->ConsumeIntegral(); + mManager->set(*expectedValue.get()); + }, + }); + invokeSetAndGetAPI(); } void VehicleHalManagerFuzzer::invokeObd2SensorStore() { - uint32_t diagnosticIntIndex = - mFuzzedDataProvider->ConsumeIntegralInRange(0, kIntSensorArrayLength - 1); - int32_t diagnosticIntValue = mFuzzedDataProvider->ConsumeIntegral(); - uint32_t diagnosticFloatIndex = - mFuzzedDataProvider->ConsumeIntegralInRange(0, kFloatSensorArrayLength - 1); - float diagnosticFloatValue = mFuzzedDataProvider->ConsumeFloatingPoint(); + size_t diagnosticInt = mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxSize); + size_t diagnosticFloat = + mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxSize); std::unique_ptr sensorStore( - new Obd2SensorStore(kIntSensorArrayLength, kFloatSensorArrayLength)); - if (sensorStore) { - sensorStore->setIntegerSensor(kDiagnosticIntIndex[diagnosticIntIndex], diagnosticIntValue); - sensorStore->setFloatSensor(kDiagnosticFloatIndex[diagnosticFloatIndex], - diagnosticFloatValue); - sensorStore->getIntegerSensors(); - sensorStore->getFloatSensors(); - sensorStore->getSensorsBitmask(); - static std::vector sampleDtcs = {"P0070", - "P0102" - "P0123"}; - for (auto&& dtc : sampleDtcs) { - auto freezeFrame = createVehiclePropValue(VehiclePropertyType::MIXED, 0); - sensorStore->fillPropValue(dtc, freezeFrame.get()); - freezeFrame->prop = static_cast(VehicleProperty::OBD2_FREEZE_FRAME); - } + new Obd2SensorStore(diagnosticInt, diagnosticFloat)); + + if (!sensorStore.get()) { + return; } + + auto invokeObd2SensorStoreAPI = + mFuzzedDataProvider->PickValueInArray>({ + [&]() { + int32_t diagnosticIntValue = + mFuzzedDataProvider->ConsumeIntegral(); + int32_t diagnosticIntIndex = + mFuzzedDataProvider->ConsumeIntegralInRange( + kMinSize, + toInt(DiagnosticIntegerSensorIndex::LAST_SYSTEM_INDEX) + + diagnosticInt); + sensorStore->setIntegerSensor( + static_cast(diagnosticIntIndex), + diagnosticIntValue); + }, + [&]() { + float diagnosticFloatValue = + mFuzzedDataProvider->ConsumeFloatingPoint(); + int32_t diagnosticFloatIndex = + mFuzzedDataProvider->ConsumeIntegralInRange( + kMinSize, + toInt(DiagnosticFloatSensorIndex::LAST_SYSTEM_INDEX) + + diagnosticFloat); + sensorStore->setFloatSensor( + static_cast(diagnosticFloatIndex), + diagnosticFloatValue); + }, + [&]() { sensorStore->getIntegerSensors(); }, + [&]() { sensorStore->getFloatSensors(); }, + [&]() { sensorStore->getSensorsBitmask(); }, + [&]() { + for (auto&& dtc : kSampleDtcs) { + VehiclePropertyType type = static_cast( + mFuzzedDataProvider->ConsumeIntegral()); + auto freezeFrame = createVehiclePropValue( + type, mFuzzedDataProvider->ConsumeIntegralInRange( + kMinSize, kMaxSize)); + if (!freezeFrame.get()) { + return; + } + freezeFrame->prop = mFuzzedDataProvider->ConsumeIntegral(); + sensorStore->fillPropValue(dtc, freezeFrame.get()); + } + }, + }); + invokeObd2SensorStoreAPI(); } void VehicleHalManagerFuzzer::invokeVmsUtils() { - bool availabilityMsgType = mFuzzedDataProvider->ConsumeBool(); - bool subscriptionMsgType = mFuzzedDataProvider->ConsumeBool(); + std::unique_ptr message; int32_t intValue = mFuzzedDataProvider->ConsumeIntegral(); + VmsLayer layer(mFuzzedDataProvider->ConsumeIntegral(), + mFuzzedDataProvider->ConsumeIntegral(), + mFuzzedDataProvider->ConsumeIntegral()); + VmsOffers offers = { + intValue, + {VmsLayerOffering(VmsLayer(mFuzzedDataProvider->ConsumeIntegral(), + mFuzzedDataProvider->ConsumeIntegral(), + mFuzzedDataProvider->ConsumeIntegral()))}}; + const VmsLayerAndPublisher layer_and_publisher( + VmsLayer(mFuzzedDataProvider->ConsumeIntegral(), + mFuzzedDataProvider->ConsumeIntegral(), + mFuzzedDataProvider->ConsumeIntegral()), + intValue); + + switch (mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxCaseMessage)) { + case 0: { + message = createSubscribeMessage(layer); + break; + } + case 1: { + message = createUnsubscribeMessage(layer); + break; + } + case 2: { + message = createSubscriptionsRequest(); + break; + } + case 3: { + message = createOfferingMessage(offers); + break; + } + case 4: { + message = createAvailabilityRequest(); + break; + } + case 5: { + std::string pub_bytes; + if (mFuzzedDataProvider->ConsumeBool()) { + pub_bytes = "pub_id"; + } else { + pub_bytes = mFuzzedDataProvider->ConsumeRandomLengthString(kMaxFileSize); + } + message = createPublisherIdRequest(pub_bytes); + break; + } + case 6: { + std::string bytes = "placeholder"; + if (mFuzzedDataProvider->ConsumeBool()) { + bytes = "placeholder"; + } else { + bytes = mFuzzedDataProvider->ConsumeRandomLengthString(kMaxFileSize); + } + message = createDataMessageWithLayerPublisherInfo(layer_and_publisher, bytes); + break; + } + case 7: { + message = createBaseVmsMessage( + mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxSize)); + break; + } + case 8: { + message = createStartSessionMessage(intValue, intValue + 1); + break; + } + } - VmsLayer layer(1, 0, 2); - auto message = createSubscribeMessage(layer); isValidVmsMessage(*message); - message = createUnsubscribeMessage(layer); - - VmsOffers offers = {intValue, {VmsLayerOffering(VmsLayer(1, 0, 2))}}; - message = createOfferingMessage(offers); - std::vector dependencies = {VmsLayer(2, 0, 2), VmsLayer(3, 0, 3)}; - std::vector offering = {VmsLayerOffering(layer, dependencies)}; - offers = {intValue, offering}; - message = createOfferingMessage(offers); - - message = createAvailabilityRequest(); - message = createSubscriptionsRequest(); - - std::string bytes = "placeholder"; - const VmsLayerAndPublisher layer_and_publisher(VmsLayer(2, 0, 1), intValue); - message = createDataMessageWithLayerPublisherInfo(layer_and_publisher, bytes); - parseData(*message); - createSubscribeToPublisherMessage(layer_and_publisher); - createUnsubscribeToPublisherMessage(layer_and_publisher); - - std::string pub_bytes = "pub_id"; - message = createPublisherIdRequest(pub_bytes); - message = createBaseVmsMessage(2); message->value.int32Values = - hidl_vec{toInt(VmsMessageType::PUBLISHER_ID_RESPONSE), intValue}; - parsePublisherIdResponse(*message); + hidl_vec{mFuzzedDataProvider->ConsumeIntegral(), intValue}; - message->value.int32Values = - hidl_vec{toInt(kSubscriptionMessageType[subscriptionMsgType]), intValue}; - getSequenceNumberForSubscriptionsState(*message); - - message->value.int32Values = hidl_vec{toInt(kSubscriptionMessageType[0]), intValue}; - isSequenceNumberNewer(*message, intValue + 1); - invokeGetSubscribedLayers(kSubscriptionMessageType[subscriptionMsgType]); - - message->value.int32Values = - hidl_vec{toInt(kAvailabilityMessageType[availabilityMsgType]), 0}; - hasServiceNewlyStarted(*message); - message = createStartSessionMessage(intValue, intValue + 1); - parseMessageType(*message); - - message->value.int32Values = - hidl_vec{toInt(kAvailabilityMessageType[availabilityMsgType]), intValue}; - isAvailabilitySequenceNumberNewer(*message, intValue + 1); - - message->value.int32Values = - hidl_vec{toInt(kAvailabilityMessageType[availabilityMsgType]), intValue}; - getSequenceNumberForAvailabilityState(*message); - message = createBaseVmsMessage(3); - int new_service_id; - message->value.int32Values = hidl_vec{toInt(VmsMessageType::START_SESSION), 0, -1}; - parseStartSessionMessage(*message, -1, 0, &new_service_id); + auto invokeVmsUtilsAPI = mFuzzedDataProvider->PickValueInArray>({ + [&]() { parseData(*message); }, + [&]() { createSubscribeToPublisherMessage(layer_and_publisher); }, + [&]() { createUnsubscribeToPublisherMessage(layer_and_publisher); }, + [&]() { parsePublisherIdResponse(*message); }, + [&]() { getSequenceNumberForSubscriptionsState(*message); }, + [&]() { isSequenceNumberNewer(*message, intValue + 1); }, + [&]() { + invokeGetSubscribedLayers( + (VmsMessageType)mFuzzedDataProvider->ConsumeIntegral()); + }, + [&]() { hasServiceNewlyStarted(*message); }, + [&]() { parseMessageType(*message); }, + [&]() { isAvailabilitySequenceNumberNewer(*message, intValue + 1); }, + [&]() { getSequenceNumberForAvailabilityState(*message); }, + [&]() { + int32_t new_service_id; + parseStartSessionMessage(*message, -1, 0, &new_service_id); + }, + }); + invokeVmsUtilsAPI(); } void VehicleHalManagerFuzzer::invokeGet(int32_t property, int32_t areaId) { @@ -367,27 +468,31 @@ void VehicleHalManagerFuzzer::invokeGet(int32_t property, int32_t areaId) { mActualStatusCode = refStatus; } -void VehicleHalManagerFuzzer::invokeGetSubscribedLayers(VmsMessageType type) { - VmsOffers offers = {123, - {VmsLayerOffering(VmsLayer(1, 0, 1), {VmsLayer(4, 1, 1)}), - VmsLayerOffering(VmsLayer(2, 0, 1))}}; - auto message = createBaseVmsMessage(16); - message->value.int32Values = hidl_vec{toInt(type), - 1234, // sequence number - 2, // number of layers - 1, // number of associated layers - 1, // layer 1 - 0, 1, - 4, // layer 2 - 1, 1, - 2, // associated layer - 0, 1, - 2, // number of publisher IDs - 111, // publisher IDs - 123}; - isValidVmsMessage(*message); - getSubscribedLayers(*message, offers); - getAvailableLayers(*message); +void VehicleHalManagerFuzzer::invokeGetSubscribedLayers(VmsMessageType /*type*/) { + int32_t intValue = mFuzzedDataProvider->ConsumeIntegral(); + VmsOffers offers = { + intValue, + {VmsLayerOffering(VmsLayer(mFuzzedDataProvider->ConsumeIntegral(), + mFuzzedDataProvider->ConsumeIntegral(), + mFuzzedDataProvider->ConsumeIntegral()))}}; + auto message = createBaseVmsMessage( + mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxFileSize)); + std::vector v; + size_t size = mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxSize); + for (size_t i = 0; i < size; i++) { + v.push_back(mFuzzedDataProvider->ConsumeIntegralInRange(kMinSize, kMaxSize)); + } + + message->value.int32Values = hidl_vec(v); + if (!isValidVmsMessage(*message)) { + return; + } + + if (mFuzzedDataProvider->ConsumeBool()) { + getSubscribedLayers(*message, offers); + } else { + getAvailableLayers(*message); + } } void VehicleHalManagerFuzzer::invokeVehiclePropStore() { @@ -398,33 +503,49 @@ void VehicleHalManagerFuzzer::invokeVehiclePropStore() { .prop = vehicleProp, .access = VehiclePropertyAccess::READ, .changeMode = VehiclePropertyChangeMode::STATIC, - .areaConfigs = {VehicleAreaConfig{.areaId = (0)}}, + .areaConfigs = {VehicleAreaConfig{ + .areaId = (mFuzzedDataProvider->ConsumeIntegral())}}, }; - store->registerProperty(config); VehiclePropValue propValue{}; propValue.prop = vehicleProp; - propValue.areaId = 0; - store->writeValue(propValue, shouldWriteStatus); - store->readAllValues(); - store->getAllConfigs(); - store->getConfigOrNull(vehicleProp); - store->readValuesForProperty(vehicleProp); - store->readValueOrNull(propValue); - store->readValueOrNull(propValue.prop, propValue.areaId, 0); - store->removeValuesForProperty(vehicleProp); - store->removeValue(propValue); - store->getConfigOrDie(vehicleProp); + propValue.areaId = mFuzzedDataProvider->ConsumeIntegral(); + + auto invokeVehiclePropStoreAPI = + mFuzzedDataProvider->PickValueInArray>({ + [&]() { store->registerProperty(config); }, + [&]() { store->writeValue(propValue, shouldWriteStatus); }, + [&]() { store->readAllValues(); }, + [&]() { store->getAllConfigs(); }, + [&]() { store->getConfigOrNull(vehicleProp); }, + [&]() { store->readValuesForProperty(vehicleProp); }, + [&]() { store->readValueOrNull(propValue); }, + [&]() { + store->readValueOrNull(propValue.prop, propValue.areaId, + mFuzzedDataProvider->ConsumeIntegralInRange( + kMinSize, kMaxFileSize)); + }, + [&]() { store->removeValuesForProperty(vehicleProp); }, + [&]() { store->removeValue(propValue); }, + [&]() { + if (store->getConfigOrNull(vehicleProp)) { + store->getConfigOrDie(vehicleProp); + } + }, + }); + invokeVehiclePropStoreAPI(); } void VehicleHalManagerFuzzer::invokeWatchDogClient() { - auto service = new VehicleHalManager(mHal.get()); sp looper(Looper::prepare(/*opts=*/mFuzzedDataProvider->ConsumeBool())); - if (auto watchdogClient = ndk::SharedRefBase::make(looper, service); + if (auto watchdogClient = ndk::SharedRefBase::make(looper, mManager.get()); watchdogClient->initialize()) { - watchdogClient->checkIfAlive(-1, TimeoutLength::TIMEOUT_NORMAL); + if (mFuzzedDataProvider->ConsumeBool()) { + watchdogClient->checkIfAlive( + mFuzzedDataProvider->ConsumeIntegral(), + (TimeoutLength)mFuzzedDataProvider->ConsumeIntegral()); + } watchdogClient->prepareProcessTermination(); } - delete service; } extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { diff --git a/automotive/vehicle/2.0/default/tests/fuzzer/VehicleManager_fuzzer.h b/automotive/vehicle/2.0/default/tests/fuzzer/VehicleManager_fuzzer.h index e9335d3334..26ac11ebd9 100644 --- a/automotive/vehicle/2.0/default/tests/fuzzer/VehicleManager_fuzzer.h +++ b/automotive/vehicle/2.0/default/tests/fuzzer/VehicleManager_fuzzer.h @@ -98,6 +98,13 @@ class VehicleHalManagerFuzzer { } void process(const uint8_t* data, size_t size); + template + void fillParameter(size_t size, std::vector& data) { + for (size_t i = 0; i < size; ++i) { + data.push_back(mFuzzedDataProvider->ConsumeIntegral()); + } + } + private: FuzzedDataProvider* mFuzzedDataProvider = nullptr; VehiclePropValue mActualValue = VehiclePropValue{}; @@ -108,6 +115,7 @@ class VehicleHalManagerFuzzer { std::unique_ptr mManager; void invokeDebug(); + void initValue(); void invokePropConfigs(); void invokeSubscribe(); void invokeSetAndGetValues();