1 /*
2 * Copyright 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
18 #include <binder/IPCThreadState.h>
19 #include <binder/IServiceManager.h>
20 #include <binder/ProcessState.h>
21 #include <compositionengine/impl/OutputCompositionState.h>
22 #include <fuzzer/FuzzedDataProvider.h>
23 #include <gui/BLASTBufferQueue.h>
24 #include <gui/IGraphicBufferProducer.h>
25 #include <gui/IProducerListener.h>
26 #include <gui/LayerDebugInfo.h>
27 #include <gui/SurfaceComposerClient.h>
28 #include <hidl/ServiceManagement.h>
29 #include <hwbinder/ProcessState.h>
30 #include <ui/DisplayIdentification.h>
31
32 #include "DisplayHardware/AidlComposerHal.h"
33 #include "DisplayHardware/DisplayMode.h"
34 #include "DisplayHardware/FramebufferSurface.h"
35 #include "DisplayHardware/HWComposer.h"
36 #include "DisplayHardware/PowerAdvisor.h"
37 #include "DisplayHardware/VirtualDisplaySurface.h"
38 #include "SurfaceFlinger.h"
39 #include "surfaceflinger_displayhardware_fuzzer_utils.h"
40
41 #include <FuzzableDataspaces.h>
42
43 namespace android::fuzz {
44
45 using namespace android::hardware::graphics::common;
46 using namespace android::hardware::graphics::composer;
47 namespace aidl = aidl::android::hardware::graphics::composer3;
48 namespace hal = android::hardware::graphics::composer::hal;
49 using Config = hal::V2_1::Config;
50 using Display = hal::V2_1::Display;
51 using RenderIntent = V1_1::RenderIntent;
52 using IComposerClient = hal::V2_4::IComposerClient;
53 using VsyncPeriodChangeTimeline = hal::V2_4::VsyncPeriodChangeTimeline;
54 using PerFrameMetadata = IComposerClient::PerFrameMetadata;
55 using PerFrameMetadataBlob = IComposerClient::PerFrameMetadataBlob;
56 using Vsync = IComposerClient::Vsync;
57
58 static constexpr hal::Transform kTransforms[] = {hal::Transform::FLIP_H, hal::Transform::FLIP_V,
59 hal::Transform::ROT_90, hal::Transform::ROT_180,
60 hal::Transform::ROT_270};
61
62 static constexpr aidl::Capability kCapability[] = {aidl::Capability::INVALID,
63 aidl::Capability::SIDEBAND_STREAM,
64 aidl::Capability::SKIP_CLIENT_COLOR_TRANSFORM,
65 aidl::Capability::PRESENT_FENCE_IS_NOT_RELIABLE,
66 aidl::Capability::SKIP_VALIDATE};
67
68 static constexpr hal::BlendMode kBlendModes[] = {hal::BlendMode::INVALID, hal::BlendMode::NONE,
69 hal::BlendMode::PREMULTIPLIED,
70 hal::BlendMode::COVERAGE};
71
72 static constexpr Composition kCompositions[] = {Composition::INVALID, Composition::CLIENT,
73 Composition::DEVICE, Composition::SOLID_COLOR,
74 Composition::CURSOR, Composition::SIDEBAND};
75
76 static constexpr DisplayCapability kDisplayCapability[] =
77 {DisplayCapability::INVALID,
78 DisplayCapability::SKIP_CLIENT_COLOR_TRANSFORM,
79 DisplayCapability::DOZE,
80 DisplayCapability::BRIGHTNESS,
81 DisplayCapability::PROTECTED_CONTENTS,
82 DisplayCapability::AUTO_LOW_LATENCY_MODE};
83
84 static constexpr VirtualDisplaySurface::CompositionType kCompositionTypes[] =
85 {VirtualDisplaySurface::CompositionType::Unknown,
86 VirtualDisplaySurface::CompositionType::Gpu, VirtualDisplaySurface::CompositionType::Hwc,
87 VirtualDisplaySurface::CompositionType::Mixed};
88
89 static constexpr ui::RenderIntent kRenderIntents[] = {ui::RenderIntent::COLORIMETRIC,
90 ui::RenderIntent::ENHANCE,
91 ui::RenderIntent::TONE_MAP_COLORIMETRIC,
92 ui::RenderIntent::TONE_MAP_ENHANCE};
93
94 static constexpr hal::PowerMode kPowerModes[] = {hal::PowerMode::OFF, hal::PowerMode::DOZE,
95 hal::PowerMode::DOZE_SUSPEND, hal::PowerMode::ON,
96 hal::PowerMode::ON_SUSPEND};
97
98 static constexpr hal::ContentType kContentTypes[] = {hal::ContentType::NONE,
99 hal::ContentType::GRAPHICS,
100 hal::ContentType::PHOTO,
101 hal::ContentType::CINEMA,
102 hal::ContentType::GAME};
103
104 const unsigned char kInternalEdid[] =
105 "\x00\xff\xff\xff\xff\xff\xff\x00\x4c\xa3\x42\x31\x00\x00\x00\x00"
106 "\x00\x15\x01\x03\x80\x1a\x10\x78\x0a\xd3\xe5\x95\x5c\x60\x90\x27"
107 "\x19\x50\x54\x00\x00\x00\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
108 "\x01\x01\x01\x01\x01\x01\x9e\x1b\x00\xa0\x50\x20\x12\x30\x10\x30"
109 "\x13\x00\x05\xa3\x10\x00\x00\x19\x00\x00\x00\x0f\x00\x00\x00\x00"
110 "\x00\x00\x00\x00\x00\x23\x87\x02\x64\x00\x00\x00\x00\xfe\x00\x53"
111 "\x41\x4d\x53\x55\x4e\x47\x0a\x20\x20\x20\x20\x20\x00\x00\x00\xfe"
112 "\x00\x31\x32\x31\x41\x54\x31\x31\x2d\x38\x30\x31\x0a\x20\x00\x45";
113
114 static constexpr hal::HWConfigId kActiveConfig = 0;
115
116 class DisplayHardwareFuzzer {
117 public:
DisplayHardwareFuzzer(const uint8_t * data,size_t size)118 DisplayHardwareFuzzer(const uint8_t* data, size_t size) : mFdp(data, size) {
119 mPhysicalDisplayId = SurfaceComposerClient::getInternalDisplayId().value();
120 };
121 void process();
122
123 private:
124 void invokeComposer();
125 void invokeDisplayIdentification();
126 void invokeLayer(HWC2::Layer* layer);
127 void setSidebandStream(HWC2::Layer* layer);
128 void setCursorPosition(HWC2::Layer* layer);
129 void setBuffer(HWC2::Layer* layer);
130 void setSurfaceDamage(HWC2::Layer* layer);
131 void setDisplayFrame(HWC2::Layer* layer);
132 void setVisibleRegion(HWC2::Layer* layer);
133 void setLayerGenericMetadata(HWC2::Layer* layer);
134 void invokeFrameBufferSurface();
135 void invokeVirtualDisplaySurface();
136 void invokeAidlComposer();
137 Display createVirtualDisplay(Hwc2::AidlComposer*);
138 void validateDisplay(Hwc2::AidlComposer*, Display);
139 void presentOrValidateDisplay(Hwc2::AidlComposer*, Display);
140 void setOutputBuffer(Hwc2::AidlComposer*, Display);
141 void setLayerSidebandStream(Hwc2::AidlComposer*, Display, Hwc2::V2_4::hal::Layer);
142 void invokeComposerHal2_2(Hwc2::AidlComposer*, Display, Hwc2::V2_4::hal::Layer);
143 void invokeComposerHal2_3(Hwc2::AidlComposer*, Display, Hwc2::V2_4::hal::Layer);
144 void invokeComposerHal2_4(Hwc2::AidlComposer*, Display, Hwc2::V2_4::hal::Layer);
145 void getDisplayVsyncPeriod();
146 void setActiveModeWithConstraints();
147 void getDisplayIdentificationData();
148 void dumpHwc();
149 void getDisplayedContentSamplingAttributes(HalDisplayId);
150 void getDeviceCompositionChanges(HalDisplayId);
151 void getHdrCapabilities(HalDisplayId);
152 void getDisplayedContentSample(HalDisplayId);
153 void getSupportedContentTypes();
154 ui::Size getFuzzedSize();
155 mat4 getFuzzedMatrix();
156
157 DisplayIdGenerator<HalVirtualDisplayId> mGenerator;
158 FuzzedDataProvider mFdp;
159 PhysicalDisplayId mPhysicalDisplayId;
160 android::impl::HWComposer mHwc{std::make_unique<Hwc2::mock::Composer>()};
161 };
162
validateDisplay(Hwc2::AidlComposer * composer,Display display)163 void DisplayHardwareFuzzer::validateDisplay(Hwc2::AidlComposer* composer, Display display) {
164 uint32_t outNumTypes, outNumRequests;
165 composer->validateDisplay(display, mFdp.ConsumeIntegral<nsecs_t>(), &outNumTypes,
166 &outNumRequests);
167 }
168
presentOrValidateDisplay(Hwc2::AidlComposer * composer,Display display)169 void DisplayHardwareFuzzer::presentOrValidateDisplay(Hwc2::AidlComposer* composer,
170 Display display) {
171 int32_t outPresentFence;
172 uint32_t outNumTypes, outNumRequests, state;
173 composer->presentOrValidateDisplay(display, mFdp.ConsumeIntegral<nsecs_t>(), &outNumTypes,
174 &outNumRequests, &outPresentFence, &state);
175 }
176
setOutputBuffer(Hwc2::AidlComposer * composer,Display display)177 void DisplayHardwareFuzzer::setOutputBuffer(Hwc2::AidlComposer* composer, Display display) {
178 const native_handle_t buffer{};
179 composer->setOutputBuffer(display, &buffer, mFdp.ConsumeIntegral<int32_t>() /*releaseFence*/);
180 }
181
setLayerSidebandStream(Hwc2::AidlComposer * composer,Display display,Hwc2::V2_4::hal::Layer outLayer)182 void DisplayHardwareFuzzer::setLayerSidebandStream(Hwc2::AidlComposer* composer, Display display,
183 Hwc2::V2_4::hal::Layer outLayer) {
184 const native_handle_t stream{};
185 composer->setLayerSidebandStream(display, outLayer, &stream);
186 }
187
createVirtualDisplay(Hwc2::AidlComposer * composer)188 Display DisplayHardwareFuzzer::createVirtualDisplay(Hwc2::AidlComposer* composer) {
189 namespace types = hardware::graphics::common;
190 using types::V1_2::PixelFormat;
191 PixelFormat format{};
192 Display display;
193 composer->createVirtualDisplay(mFdp.ConsumeIntegral<uint32_t>() /*width*/,
194 mFdp.ConsumeIntegral<uint32_t>() /*height*/, &format, &display);
195 return display;
196 }
197
getDisplayVsyncPeriod()198 void DisplayHardwareFuzzer::getDisplayVsyncPeriod() {
199 nsecs_t outVsyncPeriod;
200 mHwc.getDisplayVsyncPeriod(mPhysicalDisplayId, &outVsyncPeriod);
201 }
202
setActiveModeWithConstraints()203 void DisplayHardwareFuzzer::setActiveModeWithConstraints() {
204 hal::VsyncPeriodChangeTimeline outTimeline;
205 mHwc.setActiveModeWithConstraints(mPhysicalDisplayId, kActiveConfig, {} /*constraints*/,
206 &outTimeline);
207 }
208
getDisplayIdentificationData()209 void DisplayHardwareFuzzer::getDisplayIdentificationData() {
210 uint8_t outPort;
211 DisplayIdentificationData outData;
212 mHwc.getDisplayIdentificationData(kHwDisplayId, &outPort, &outData);
213 }
214
dumpHwc()215 void DisplayHardwareFuzzer::dumpHwc() {
216 std::string string = mFdp.ConsumeRandomLengthString().c_str();
217 mHwc.dump(string);
218 }
219
getDeviceCompositionChanges(HalDisplayId halDisplayID)220 void DisplayHardwareFuzzer::getDeviceCompositionChanges(HalDisplayId halDisplayID) {
221 std::optional<impl::HWComposer::DeviceRequestedChanges> outChanges;
222 mHwc.getDeviceCompositionChanges(halDisplayID,
223 mFdp.ConsumeBool() /*frameUsesClientComposition*/,
224 std::chrono::steady_clock::now(), FenceTime::NO_FENCE,
225 mFdp.ConsumeIntegral<nsecs_t>(), &outChanges);
226 }
227
getDisplayedContentSamplingAttributes(HalDisplayId halDisplayID)228 void DisplayHardwareFuzzer::getDisplayedContentSamplingAttributes(HalDisplayId halDisplayID) {
229 uint8_t outComponentMask;
230 ui::Dataspace dataSpace;
231 ui::PixelFormat pixelFormat;
232 mHwc.getDisplayedContentSamplingAttributes(halDisplayID, &pixelFormat, &dataSpace,
233 &outComponentMask);
234 }
235
getHdrCapabilities(HalDisplayId halDisplayID)236 void DisplayHardwareFuzzer::getHdrCapabilities(HalDisplayId halDisplayID) {
237 HdrCapabilities outCapabilities;
238 mHwc.getHdrCapabilities(halDisplayID, &outCapabilities);
239 }
240
getDisplayedContentSample(HalDisplayId halDisplayID)241 void DisplayHardwareFuzzer::getDisplayedContentSample(HalDisplayId halDisplayID) {
242 DisplayedFrameStats outStats;
243 mHwc.getDisplayedContentSample(halDisplayID, mFdp.ConsumeIntegral<uint64_t>() /* maxFrames*/,
244 mFdp.ConsumeIntegral<uint64_t>() /*timestamps*/, &outStats);
245 }
246
getSupportedContentTypes()247 void DisplayHardwareFuzzer::getSupportedContentTypes() {
248 std::vector<hal::ContentType> contentType{};
249 mHwc.getSupportedContentTypes(mPhysicalDisplayId, &contentType);
250 }
251
invokeAidlComposer()252 void DisplayHardwareFuzzer::invokeAidlComposer() {
253 hardware::ProcessState::self()->startThreadPool();
254 ProcessState::self()->startThreadPool();
255
256 if (!Hwc2::AidlComposer::isDeclared("default")) {
257 return;
258 }
259
260 Hwc2::AidlComposer composer("default");
261
262 android::hardware::graphics::composer::hal::TestHWC2ComposerCallback composerCallback{};
263 composer.registerCallback(composerCallback);
264
265 Display display = createVirtualDisplay(&composer);
266
267 composer.acceptDisplayChanges(display);
268
269 Hwc2::V2_4::hal::Layer outLayer;
270 composer.createLayer(display, &outLayer);
271
272 int32_t outPresentFence;
273 composer.presentDisplay(display, &outPresentFence);
274
275 composer.setActiveConfig(display, Config{});
276
277 composer.setClientTarget(display, mFdp.ConsumeIntegral<uint32_t>(), sp<GraphicBuffer>(),
278 mFdp.ConsumeIntegral<int32_t>(), mFdp.PickValueInArray(kDataspaces),
279 {});
280
281 composer.setColorMode(display, mFdp.PickValueInArray(kColormodes),
282 mFdp.PickValueInArray(kRenderIntents));
283
284 setOutputBuffer(&composer, display);
285
286 composer.setPowerMode(display, mFdp.PickValueInArray(kPowerModes));
287 composer.setVsyncEnabled(display, mFdp.ConsumeBool() ? Vsync::ENABLE : Vsync::DISABLE);
288
289 composer.setClientTargetSlotCount(display);
290
291 validateDisplay(&composer, display);
292
293 presentOrValidateDisplay(&composer, display);
294
295 composer.setCursorPosition(display, outLayer, mFdp.ConsumeIntegral<uint8_t>() /*x*/,
296 mFdp.ConsumeIntegral<uint8_t>() /*y*/);
297
298 composer.setLayerBuffer(display, outLayer, mFdp.ConsumeIntegral<uint32_t>() /*slot*/,
299 sp<GraphicBuffer>(), mFdp.ConsumeIntegral<int32_t>() /*acquireFence*/);
300
301 composer.setLayerSurfaceDamage(display, outLayer, {} /*damage*/);
302
303 composer.setLayerBlendMode(display, outLayer, mFdp.PickValueInArray(kBlendModes));
304
305 composer.setLayerColor(display, outLayer,
306 {mFdp.ConsumeFloatingPoint<float>() /*red*/,
307 mFdp.ConsumeFloatingPoint<float>() /*green*/,
308 mFdp.ConsumeFloatingPoint<float>() /*blue*/,
309 mFdp.ConsumeFloatingPoint<float>() /*alpha*/});
310 composer.setLayerCompositionType(display, outLayer, mFdp.PickValueInArray(kCompositions));
311 composer.setLayerDataspace(display, outLayer, mFdp.PickValueInArray(kDataspaces));
312 composer.setLayerDisplayFrame(display, outLayer, {} /*frame*/);
313 composer.setLayerPlaneAlpha(display, outLayer, mFdp.ConsumeFloatingPoint<float>());
314
315 setLayerSidebandStream(&composer, display, outLayer);
316
317 composer.setLayerSourceCrop(display, outLayer, {} /*crop*/);
318
319 composer.setLayerTransform(display, outLayer, mFdp.PickValueInArray(kTransforms));
320
321 composer.setLayerVisibleRegion(display, outLayer, std::vector<IComposerClient::Rect>{});
322 composer.setLayerZOrder(display, outLayer, mFdp.ConsumeIntegral<uint32_t>());
323
324 invokeComposerHal2_2(&composer, display, outLayer);
325 invokeComposerHal2_3(&composer, display, outLayer);
326 invokeComposerHal2_4(&composer, display, outLayer);
327
328 composer.executeCommands();
329 composer.resetCommands();
330
331 composer.destroyLayer(display, outLayer);
332 composer.destroyVirtualDisplay(display);
333 }
334
invokeComposerHal2_2(Hwc2::AidlComposer * composer,Display display,Hwc2::V2_4::hal::Layer outLayer)335 void DisplayHardwareFuzzer::invokeComposerHal2_2(Hwc2::AidlComposer* composer, Display display,
336 Hwc2::V2_4::hal::Layer outLayer) {
337 const std::vector<PerFrameMetadata> perFrameMetadatas;
338 composer->setLayerPerFrameMetadata(display, outLayer, perFrameMetadatas);
339
340 composer->getPerFrameMetadataKeys(display);
341 std::vector<RenderIntent> outRenderIntents;
342
343 composer->getRenderIntents(display, mFdp.PickValueInArray(kColormodes), &outRenderIntents);
344 mat4 outMatrix;
345 composer->getDataspaceSaturationMatrix(mFdp.PickValueInArray(kDataspaces), &outMatrix);
346 }
347
invokeComposerHal2_3(Hwc2::AidlComposer * composer,Display display,Hwc2::V2_4::hal::Layer outLayer)348 void DisplayHardwareFuzzer::invokeComposerHal2_3(Hwc2::AidlComposer* composer, Display display,
349 Hwc2::V2_4::hal::Layer outLayer) {
350 composer->setDisplayContentSamplingEnabled(display, mFdp.ConsumeBool() /*enabled*/,
351 mFdp.ConsumeIntegral<uint8_t>() /*componentMask*/,
352 mFdp.ConsumeIntegral<uint64_t>() /*maxFrames*/);
353
354 DisplayedFrameStats outStats;
355 composer->getDisplayedContentSample(display, mFdp.ConsumeIntegral<uint64_t>() /*maxFrames*/,
356 mFdp.ConsumeIntegral<uint64_t>() /*timestamp*/, &outStats);
357
358 composer->setLayerPerFrameMetadataBlobs(display, outLayer, std::vector<PerFrameMetadataBlob>{});
359
360 composer->setDisplayBrightness(display, mFdp.ConsumeFloatingPoint<float>(),
361 mFdp.ConsumeFloatingPoint<float>(),
362 Hwc2::Composer::DisplayBrightnessOptions{
363 .applyImmediately = mFdp.ConsumeIntegral<bool>()});
364 }
365
invokeComposerHal2_4(Hwc2::AidlComposer * composer,Display display,Hwc2::V2_4::hal::Layer outLayer)366 void DisplayHardwareFuzzer::invokeComposerHal2_4(Hwc2::AidlComposer* composer, Display display,
367 Hwc2::V2_4::hal::Layer outLayer) {
368 VsyncPeriodChangeTimeline outTimeline;
369 composer->setActiveConfigWithConstraints(display, Config{},
370 IComposerClient::VsyncPeriodChangeConstraints{},
371 &outTimeline);
372
373 composer->setAutoLowLatencyMode(display, mFdp.ConsumeBool());
374
375 composer->setContentType(display, mFdp.PickValueInArray(kContentTypes));
376
377 std::vector<uint8_t> value;
378 value.push_back(mFdp.ConsumeIntegral<uint8_t>());
379 composer->setLayerGenericMetadata(display, outLayer, mFdp.ConsumeRandomLengthString() /*key*/,
380 mFdp.ConsumeBool() /*mandatory*/, value);
381 }
382
getFuzzedSize()383 ui::Size DisplayHardwareFuzzer::getFuzzedSize() {
384 ui::Size size{mFdp.ConsumeIntegral<int32_t>() /*width*/,
385 mFdp.ConsumeIntegral<int32_t>() /*height*/};
386 return size;
387 }
388
getFuzzedMatrix()389 mat4 DisplayHardwareFuzzer::getFuzzedMatrix() {
390 mat4 matrix{mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
391 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
392 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
393 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
394 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
395 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
396 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
397 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>()};
398 return matrix;
399 }
400
setCursorPosition(HWC2::Layer * layer)401 void DisplayHardwareFuzzer::setCursorPosition(HWC2::Layer* layer) {
402 layer->setCursorPosition(mFdp.ConsumeIntegral<int32_t>() /*x*/,
403 mFdp.ConsumeIntegral<int32_t>() /*y*/);
404 }
405
setBuffer(HWC2::Layer * layer)406 void DisplayHardwareFuzzer::setBuffer(HWC2::Layer* layer) {
407 layer->setBuffer(mFdp.ConsumeIntegral<uint32_t>() /*slot*/, sp<GraphicBuffer>(),
408 sp<Fence>::make());
409 }
410
setSurfaceDamage(HWC2::Layer * layer)411 void DisplayHardwareFuzzer::setSurfaceDamage(HWC2::Layer* layer) {
412 Rect rhs{mFdp.ConsumeIntegral<uint32_t>() /*width*/,
413 mFdp.ConsumeIntegral<uint32_t>() /*height*/};
414 const Region damage{rhs};
415 layer->setSurfaceDamage(damage);
416 }
417
setVisibleRegion(HWC2::Layer * layer)418 void DisplayHardwareFuzzer::setVisibleRegion(HWC2::Layer* layer) {
419 uint32_t width = mFdp.ConsumeIntegral<uint32_t>();
420 uint32_t height = mFdp.ConsumeIntegral<uint32_t>();
421 Rect rect{width, height};
422 const Region region{rect};
423 layer->setVisibleRegion(region);
424 }
425
setDisplayFrame(HWC2::Layer * layer)426 void DisplayHardwareFuzzer::setDisplayFrame(HWC2::Layer* layer) {
427 uint32_t width = mFdp.ConsumeIntegral<uint32_t>();
428 uint32_t height = mFdp.ConsumeIntegral<uint32_t>();
429 const Rect frame{width, height};
430 layer->setDisplayFrame(frame);
431 }
432
setLayerGenericMetadata(HWC2::Layer * layer)433 void DisplayHardwareFuzzer::setLayerGenericMetadata(HWC2::Layer* layer) {
434 std::vector<uint8_t> value;
435 value.push_back(mFdp.ConsumeIntegral<uint8_t>());
436 layer->setLayerGenericMetadata(mFdp.ConsumeRandomLengthString().c_str() /*name*/,
437 mFdp.ConsumeBool() /*mandatory*/, value);
438 }
439
setSidebandStream(HWC2::Layer * layer)440 void DisplayHardwareFuzzer::setSidebandStream(HWC2::Layer* layer) {
441 const native_handle_t stream{};
442 layer->setSidebandStream(&stream);
443 }
444
invokeLayer(HWC2::Layer * layer)445 void DisplayHardwareFuzzer::invokeLayer(HWC2::Layer* layer) {
446 setCursorPosition(layer);
447 setBuffer(layer);
448 setSurfaceDamage(layer);
449
450 layer->setBlendMode(mFdp.PickValueInArray(kBlendModes));
451 layer->setColor({mFdp.ConsumeFloatingPoint<float>() /*red*/,
452 mFdp.ConsumeFloatingPoint<float>() /*green*/,
453 mFdp.ConsumeFloatingPoint<float>() /*blue*/,
454 mFdp.ConsumeFloatingPoint<float>() /*alpha*/});
455 layer->setCompositionType(mFdp.PickValueInArray(kCompositions));
456 layer->setDataspace(mFdp.PickValueInArray(kDataspaces));
457
458 layer->setPerFrameMetadata(mFdp.ConsumeIntegral<int32_t>(), getFuzzedHdrMetadata(&mFdp));
459 setDisplayFrame(layer);
460
461 layer->setPlaneAlpha(mFdp.ConsumeFloatingPoint<float>());
462
463 setSidebandStream(layer);
464
465 layer->setSourceCrop(getFuzzedFloatRect(&mFdp));
466 layer->setTransform(mFdp.PickValueInArray(kTransforms));
467
468 setVisibleRegion(layer);
469
470 layer->setZOrder(mFdp.ConsumeIntegral<uint32_t>());
471
472 layer->setColorTransform(getFuzzedMatrix());
473
474 setLayerGenericMetadata(layer);
475 }
476
invokeFrameBufferSurface()477 void DisplayHardwareFuzzer::invokeFrameBufferSurface() {
478 sp<IGraphicBufferProducer> bqProducer = sp<mock::GraphicBufferProducer>::make();
479 sp<IGraphicBufferConsumer> bqConsumer;
480 BufferQueue::createBufferQueue(&bqProducer, &bqConsumer);
481
482 sp<FramebufferSurface> surface =
483 new FramebufferSurface(mHwc, mPhysicalDisplayId, bqConsumer, getFuzzedSize() /*size*/,
484 getFuzzedSize() /*maxSize*/);
485 surface->beginFrame(mFdp.ConsumeBool());
486
487 surface->prepareFrame(mFdp.PickValueInArray(kCompositionTypes));
488 surface->advanceFrame();
489 surface->onFrameCommitted();
490 String8 result = String8(mFdp.ConsumeRandomLengthString().c_str());
491 surface->dumpAsString(result);
492 surface->resizeBuffers(getFuzzedSize());
493 surface->getClientTargetAcquireFence();
494 }
495
invokeVirtualDisplaySurface()496 void DisplayHardwareFuzzer::invokeVirtualDisplaySurface() {
497 DisplayIdGenerator<HalVirtualDisplayId> mGenerator;
498 VirtualDisplayId VirtualDisplayId = mGenerator.generateId().value();
499
500 sp<SurfaceComposerClient> mClient = new SurfaceComposerClient();
501 sp<SurfaceControl> mSurfaceControl =
502 mClient->createSurface(String8("TestSurface"), 100, 100, PIXEL_FORMAT_RGBA_8888,
503 ISurfaceComposerClient::eFXSurfaceBufferState,
504 /*parent*/ nullptr);
505
506 sp<BLASTBufferQueue> mBlastBufferQueueAdapter =
507 new BLASTBufferQueue("TestBLASTBufferQueue", mSurfaceControl, 100, 100,
508 PIXEL_FORMAT_RGBA_8888);
509
510 sp<IGraphicBufferProducer> sink = mBlastBufferQueueAdapter->getIGraphicBufferProducer();
511 sp<IGraphicBufferProducer> bqProducer = mBlastBufferQueueAdapter->getIGraphicBufferProducer();
512 sp<IGraphicBufferConsumer> bqConsumer;
513 BufferQueue::createBufferQueue(&bqProducer, &bqConsumer);
514 BufferQueue::createBufferQueue(&sink, &bqConsumer);
515
516 sp<VirtualDisplaySurface> surface =
517 new VirtualDisplaySurface(mHwc, VirtualDisplayId, sink, bqProducer, bqConsumer,
518 mFdp.ConsumeRandomLengthString().c_str() /*name*/);
519
520 surface->beginFrame(mFdp.ConsumeBool());
521 surface->prepareFrame(mFdp.PickValueInArray(kCompositionTypes));
522 surface->resizeBuffers(getFuzzedSize());
523 surface->getClientTargetAcquireFence();
524 surface->advanceFrame();
525 surface->onFrameCommitted();
526 String8 result = String8(mFdp.ConsumeRandomLengthString().c_str());
527 surface->dumpAsString(result);
528 }
529
invokeComposer()530 void DisplayHardwareFuzzer::invokeComposer() {
531 HalVirtualDisplayId halVirtualDisplayId = mGenerator.generateId().value();
532 HalDisplayId halDisplayID = HalDisplayId{halVirtualDisplayId};
533
534 android::hardware::graphics::composer::hal::TestHWC2ComposerCallback composerCallback{};
535 mHwc.setCallback(composerCallback);
536
537 ui::PixelFormat pixelFormat{};
538 if (!mHwc.allocateVirtualDisplay(halVirtualDisplayId, getFuzzedSize(), &pixelFormat)) {
539 return;
540 }
541
542 getDisplayIdentificationData();
543
544 mHwc.hasDisplayCapability(halDisplayID, mFdp.PickValueInArray(kDisplayCapability));
545
546 mHwc.allocatePhysicalDisplay(kHwDisplayId, mPhysicalDisplayId);
547
548 static auto hwcLayer = mHwc.createLayer(halDisplayID);
549 HWC2::Layer* layer = hwcLayer.get();
550 invokeLayer(layer);
551
552 getDeviceCompositionChanges(halDisplayID);
553
554 mHwc.setClientTarget(halDisplayID, mFdp.ConsumeIntegral<uint32_t>(), Fence::NO_FENCE,
555 sp<GraphicBuffer>::make(), mFdp.PickValueInArray(kDataspaces));
556
557 mHwc.presentAndGetReleaseFences(halDisplayID, std::chrono::steady_clock::now(),
558 FenceTime::NO_FENCE);
559
560 mHwc.setPowerMode(mPhysicalDisplayId, mFdp.PickValueInArray(kPowerModes));
561
562 mHwc.setColorTransform(halDisplayID, getFuzzedMatrix());
563
564 mHwc.getPresentFence(halDisplayID);
565
566 mHwc.getLayerReleaseFence(halDisplayID, layer);
567
568 mHwc.setOutputBuffer(halVirtualDisplayId, sp<Fence>::make().get(), sp<GraphicBuffer>::make());
569
570 mHwc.clearReleaseFences(halDisplayID);
571
572 getHdrCapabilities(halDisplayID);
573
574 mHwc.getSupportedPerFrameMetadata(halDisplayID);
575
576 mHwc.getRenderIntents(halDisplayID, ui::ColorMode());
577
578 mHwc.getDataspaceSaturationMatrix(halDisplayID, ui::Dataspace());
579
580 getDisplayedContentSamplingAttributes(halDisplayID);
581
582 mHwc.setDisplayContentSamplingEnabled(halDisplayID, mFdp.ConsumeBool() /*enabled*/,
583 mFdp.ConsumeIntegral<uint8_t>() /*componentMask*/,
584 mFdp.ConsumeIntegral<uint64_t>() /*maxFrames*/);
585
586 getDisplayedContentSample(halDisplayID);
587
588 mHwc.setDisplayBrightness(mPhysicalDisplayId, mFdp.ConsumeFloatingPoint<float>(),
589 mFdp.ConsumeFloatingPoint<float>(),
590 Hwc2::Composer::DisplayBrightnessOptions{
591 .applyImmediately = mFdp.ConsumeIntegral<bool>()});
592
593 mHwc.onHotplug(kHwDisplayId, hal::Connection::CONNECTED);
594 mHwc.updatesDeviceProductInfoOnHotplugReconnect();
595
596 mHwc.onVsync(kHwDisplayId, mFdp.ConsumeIntegral<int64_t>());
597 mHwc.setVsyncEnabled(mPhysicalDisplayId,
598 mFdp.ConsumeBool() ? hal::Vsync::ENABLE : hal::Vsync::DISABLE);
599
600 mHwc.isConnected(mPhysicalDisplayId);
601 mHwc.getModes(mPhysicalDisplayId);
602 mHwc.getActiveMode(mPhysicalDisplayId);
603 mHwc.getColorModes(mPhysicalDisplayId);
604 mHwc.hasCapability(mFdp.PickValueInArray(kCapability));
605
606 mHwc.setActiveColorMode(mPhysicalDisplayId, mFdp.PickValueInArray(kColormodes),
607 mFdp.PickValueInArray(kRenderIntents));
608
609 mHwc.getDisplayConnectionType(mPhysicalDisplayId);
610 mHwc.isVsyncPeriodSwitchSupported(mPhysicalDisplayId);
611
612 getDisplayVsyncPeriod();
613
614 setActiveModeWithConstraints();
615
616 mHwc.setAutoLowLatencyMode(mPhysicalDisplayId, mFdp.ConsumeBool());
617
618 getSupportedContentTypes();
619
620 mHwc.setContentType(mPhysicalDisplayId, mFdp.PickValueInArray(kContentTypes));
621
622 dumpHwc();
623
624 mHwc.toPhysicalDisplayId(kHwDisplayId);
625 mHwc.fromPhysicalDisplayId(mPhysicalDisplayId);
626 mHwc.disconnectDisplay(halDisplayID);
627
628 static hal::HWDisplayId displayId = mFdp.ConsumeIntegral<hal::HWDisplayId>();
629 mHwc.onHotplug(displayId,
630 mFdp.ConsumeBool() ? hal::Connection::DISCONNECTED : hal::Connection::CONNECTED);
631 }
632
633 template <size_t N>
asDisplayIdentificationData(const unsigned char (& bytes)[N])634 DisplayIdentificationData asDisplayIdentificationData(const unsigned char (&bytes)[N]) {
635 return DisplayIdentificationData(bytes, bytes + N - 1);
636 }
637
invokeDisplayIdentification()638 void DisplayHardwareFuzzer::invokeDisplayIdentification() {
639 static const DisplayIdentificationData data = asDisplayIdentificationData(kInternalEdid);
640 isEdid(data);
641 parseEdid(data);
642 parseDisplayIdentificationData(mFdp.ConsumeIntegral<uint8_t>(), data);
643 getPnpId(getVirtualDisplayId(mFdp.ConsumeIntegral<uint32_t>()));
644 getPnpId(mFdp.ConsumeIntegral<uint8_t>());
645 }
646
process()647 void DisplayHardwareFuzzer::process() {
648 invokeComposer();
649 invokeAidlComposer();
650 invokeDisplayIdentification();
651 invokeFrameBufferSurface();
652 invokeVirtualDisplaySurface();
653 }
654
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)655 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
656 DisplayHardwareFuzzer displayHardwareFuzzer(data, size);
657 displayHardwareFuzzer.process();
658 return 0;
659 }
660
661 } // namespace android::fuzz
662