1 /*
2  * Copyright (C) 2018 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <stddef.h>
18 #include <stdint.h>
19 #include <unistd.h>
20 
21 #include "perfetto/base/logging.h"
22 #include "perfetto/base/task_runner.h"
23 #include "perfetto/ext/base/utils.h"
24 #include "perfetto/ext/tracing/core/producer.h"
25 #include "perfetto/ext/tracing/core/trace_writer.h"
26 #include "perfetto/ext/tracing/ipc/default_socket.h"
27 #include "perfetto/ext/tracing/ipc/producer_ipc_client.h"
28 #include "perfetto/ext/tracing/ipc/service_ipc_host.h"
29 #include "perfetto/tracing/core/data_source_config.h"
30 #include "perfetto/tracing/core/data_source_descriptor.h"
31 #include "protos/perfetto/trace/test_event.pbzero.h"
32 #include "src/base/test/test_task_runner.h"
33 #include "test/test_helper.h"
34 
35 #include "protos/perfetto/trace/trace_packet.pbzero.h"
36 
// Socket path that the fake producer connects to.
//
// If we're building on Android and starting the daemons ourselves, create the
// sockets in a world-writable location. In every other configuration the path
// is whatever ::perfetto::GetProducerSocket() returns.
//
// NOTE(review): a fixed path in a world-writable directory means other local
// processes may be able to create a file at that path before the test daemon
// binds it. Keep this override confined to test/fuzz builds that start their
// own daemons, and do not reuse the path in non-test configurations.
#if PERFETTO_BUILDFLAG(PERFETTO_OS_ANDROID) && \
    PERFETTO_BUILDFLAG(PERFETTO_START_DAEMONS)
#define TEST_PRODUCER_SOCK_NAME "/data/local/tmp/traced_producer"
#else
#define TEST_PRODUCER_SOCK_NAME ::perfetto::GetProducerSocket()
#endif
45 
46 namespace perfetto {
47 namespace shm_fuzz {
48 namespace {
49 
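// Fake producer used by the shared-memory fuzzer.
//
// When its data source is started it writes the caller-supplied bytes verbatim
// as the payload of one trace packet, flushes, then writes a sentinel packet
// ("end") and hands the completion callback to the final Flush() so the
// consumer side can tell that everything was produced.
//
// |data| is borrowed, not copied: the caller must keep the buffer alive and
// unmodified for as long as StartDataSource() may still run.
class FakeProducer : public Producer {
 public:
  // |name| is the data source name registered in OnConnect().
  // |data| / |size| describe the raw bytes written in StartDataSource().
  // |on_produced_and_committed| is passed to the last Flush() call.
  FakeProducer(std::string name,
               const uint8_t* data,
               size_t size,
               std::function<void()> on_produced_and_committed)
      : name_(std::move(name)),
        data_(data),
        size_(size),
        // Sink parameter taken by value: move it into the member instead of
        // copying the std::function (and its captured state) a second time.
        on_produced_and_committed_(std::move(on_produced_and_committed)) {}

  // Connects to the tracing service over |socket_name|; callbacks for this
  // producer are dispatched on |task_runner|.
  void Connect(const char* socket_name, base::TaskRunner* task_runner) {
    endpoint_ = ProducerIPCClient::Connect(
        socket_name, this, "android.perfetto.FakeProducer", task_runner);
  }

  // Registers a single data source named |name_| once the connection is up.
  void OnConnect() override {
    DataSourceDescriptor descriptor;
    descriptor.set_name(name_);
    endpoint_->RegisterDataSource(descriptor);
  }

  void OnDisconnect() override {}

  void SetupDataSource(DataSourceInstanceID, const DataSourceConfig&) override {
  }

  // Writes the fuzz payload followed by the "end" sentinel into the buffer
  // selected by |source_config|.
  void StartDataSource(DataSourceInstanceID,
                       const DataSourceConfig& source_config) override {
    auto trace_writer = endpoint_->CreateTraceWriter(
        static_cast<BufferID>(source_config.target_buffer()));
    {
      // The payload bypasses the typed protozero setters on purpose: the bytes
      // are copied as-is, so the packet contents are fully input-controlled.
      // NOTE(review): |size_| may be 0 for an empty input; presumably
      // WriteBytes() tolerates a zero-length write - confirm.
      auto packet = trace_writer->NewTracePacket();
      packet->stream_writer_for_testing()->WriteBytes(data_, size_);
    }  // Scope end finalizes the payload packet before the flush below.
    trace_writer->Flush();

    {
      auto end_packet = trace_writer->NewTracePacket();
      end_packet->set_for_testing()->set_str("end");
    }
    // The callback is attached to the flush of the sentinel packet only.
    trace_writer->Flush(on_produced_and_committed_);
  }

  void StopDataSource(DataSourceInstanceID) override {}
  void OnTracingSetup() override {}
  void Flush(FlushRequestID, const DataSourceInstanceID*, size_t) override {}
  void ClearIncrementalState(const DataSourceInstanceID*, size_t) override {}

 private:
  const std::string name_;
  const uint8_t* data_;  // Not owned.
  const size_t size_;
  std::unique_ptr<TracingService::ProducerEndpoint> endpoint_;
  std::function<void()> on_produced_and_committed_;
};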
109 
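// Runs a FakeProducer on its own task-runner thread.
//
// The producer is created in Connect() and destroyed in the destructor, both
// inside tasks posted to |runner_|, so it is only ever touched from that
// thread. |data| is borrowed, not copied; the caller must keep it alive for
// the lifetime of this object.
class FuzzerFakeProducerThread {
 public:
  FuzzerFakeProducerThread(const uint8_t* data,
                           size_t size,
                           std::function<void()> on_produced_and_committed)
      : data_(data),
        size_(size),
        // Sink parameter taken by value: move rather than copy it again.
        on_produced_and_committed_(std::move(on_produced_and_committed)) {}

  ~FuzzerFakeProducerThread() {
    // Connect() was never called, so there is no thread and no producer.
    if (!runner_)
      return;
    // Destroy the producer on the thread that created it.
    runner_->PostTaskAndWaitForTesting([this]() { producer_.reset(); });
  }

  // Starts the producer thread, then creates the FakeProducer on it and
  // connects it to TEST_PRODUCER_SOCK_NAME.
  void Connect() {
    runner_ = base::ThreadTaskRunner::CreateAndStart("perfetto.prd.fake");
    runner_->PostTaskAndWaitForTesting([this]() {
      producer_.reset(new FakeProducer("android.perfetto.FakeProducer", data_,
                                       size_, on_produced_and_committed_));
      producer_->Connect(TEST_PRODUCER_SOCK_NAME, runner_->get());
    });
  }

 private:
  // Keep first: members are destroyed in reverse declaration order, so the
  // runner goes away after every other member.
  base::Optional<base::ThreadTaskRunner> runner_;

  std::unique_ptr<FakeProducer> producer_;
  const uint8_t* data_;  // Not owned.
  const size_t size_;
  std::function<void()> on_produced_and_committed_;
};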
142 
int FuzzSharedMemory(const uint8_t* data, size_t size);

// Runs one fuzz iteration against the tracing service.
//
// A fake producer writes |data| (|size| bytes) as a raw trace packet payload,
// a consumer starts a trace with one 8 KB buffer targeting that producer, and
// the function returns after the producer's completion checkpoint has been
// reached and the consumer has read the data back. Always returns 0.
int FuzzSharedMemory(const uint8_t* data, size_t size) {
  const char kCommittedCheckpoint[] = "produced.and.committed";
  const char kDataSourceName[] = "android.perfetto.FakeProducer";

  base::TestTaskRunner task_runner;

  TestHelper helper(&task_runner);
  helper.StartServiceIfRequired();

  // Producer side: signals the checkpoint once the sentinel flush completes.
  auto on_committed =
      helper.WrapTask(task_runner.CreateCheckpoint(kCommittedCheckpoint));
  FuzzerFakeProducerThread producer_thread(data, size, on_committed);
  producer_thread.Connect();

  // Consumer side.
  helper.ConnectConsumer();
  helper.WaitForConsumerConnect();

  // One small buffer, and a single data source routed into it (index 0).
  TraceConfig trace_config;
  auto* buffer = trace_config.add_buffers();
  buffer->set_size_kb(8);

  auto* source = trace_config.add_data_sources();
  auto* source_cfg = source->mutable_config();
  source_cfg->set_name(kDataSourceName);
  source_cfg->set_target_buffer(0);

  helper.StartTracing(trace_config);
  task_runner.RunUntilCheckpoint(kCommittedCheckpoint);

  // Pull the written packets back through the service.
  helper.ReadData();
  helper.WaitForReadData();

  return 0;
}
174 
175 }  // namespace
176 }  // namespace shm_fuzz
177 }  // namespace perfetto
178 
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);

// Fuzzer entry point: forwards the input buffer unchanged to
// perfetto::shm_fuzz::FuzzSharedMemory() and returns its result.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  const int status = perfetto::shm_fuzz::FuzzSharedMemory(data, size);
  return status;
}
184