1 /*
2 * Copyright 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
18 #include <binder/IPCThreadState.h>
19 #include <binder/IServiceManager.h>
20 #include <binder/ProcessState.h>
21 #include <compositionengine/impl/OutputCompositionState.h>
22 #include <fuzzer/FuzzedDataProvider.h>
23 #include <gui/BLASTBufferQueue.h>
24 #include <gui/IGraphicBufferProducer.h>
25 #include <gui/IProducerListener.h>
26 #include <gui/LayerDebugInfo.h>
27 #include <gui/SurfaceComposerClient.h>
28 #include <hidl/ServiceManagement.h>
29 #include <hwbinder/ProcessState.h>
30 #include <ui/DisplayIdentification.h>
31
32 #include "DisplayHardware/AidlComposerHal.h"
33 #include "DisplayHardware/DisplayMode.h"
34 #include "DisplayHardware/FramebufferSurface.h"
35 #include "DisplayHardware/HWComposer.h"
36 #include "DisplayHardware/PowerAdvisor.h"
37 #include "DisplayHardware/VirtualDisplaySurface.h"
38 #include "SurfaceFlinger.h"
39 #include "surfaceflinger_displayhardware_fuzzer_utils.h"
40
41 #include <FuzzableDataspaces.h>
42
43 namespace android::fuzz {
44
45 using namespace android::hardware::graphics::common;
46 using namespace android::hardware::graphics::composer;
47 namespace aidl = aidl::android::hardware::graphics::composer3;
48 namespace hal = android::hardware::graphics::composer::hal;
49 using Config = hal::V2_1::Config;
50 using Display = hal::V2_1::Display;
51 using RenderIntent = V1_1::RenderIntent;
52 using IComposerClient = hal::V2_4::IComposerClient;
53 using VsyncPeriodChangeTimeline = hal::V2_4::VsyncPeriodChangeTimeline;
54 using PerFrameMetadata = IComposerClient::PerFrameMetadata;
55 using PerFrameMetadataBlob = IComposerClient::PerFrameMetadataBlob;
56 using Vsync = IComposerClient::Vsync;
57
58 static constexpr hal::Transform kTransforms[] = {hal::Transform::FLIP_H, hal::Transform::FLIP_V,
59 hal::Transform::ROT_90, hal::Transform::ROT_180,
60 hal::Transform::ROT_270};
61
62 static constexpr aidl::Capability kCapability[] = {aidl::Capability::INVALID,
63 aidl::Capability::SIDEBAND_STREAM,
64 aidl::Capability::SKIP_CLIENT_COLOR_TRANSFORM,
65 aidl::Capability::PRESENT_FENCE_IS_NOT_RELIABLE,
66 aidl::Capability::SKIP_VALIDATE};
67
68 static constexpr hal::BlendMode kBlendModes[] = {hal::BlendMode::INVALID, hal::BlendMode::NONE,
69 hal::BlendMode::PREMULTIPLIED,
70 hal::BlendMode::COVERAGE};
71
72 static constexpr Composition kCompositions[] = {Composition::INVALID, Composition::CLIENT,
73 Composition::DEVICE, Composition::SOLID_COLOR,
74 Composition::CURSOR, Composition::SIDEBAND};
75
76 static constexpr DisplayCapability kDisplayCapability[] =
77 {DisplayCapability::INVALID,
78 DisplayCapability::SKIP_CLIENT_COLOR_TRANSFORM,
79 DisplayCapability::DOZE,
80 DisplayCapability::BRIGHTNESS,
81 DisplayCapability::PROTECTED_CONTENTS,
82 DisplayCapability::AUTO_LOW_LATENCY_MODE};
83
84 static constexpr VirtualDisplaySurface::CompositionType kCompositionTypes[] =
85 {VirtualDisplaySurface::CompositionType::Unknown,
86 VirtualDisplaySurface::CompositionType::Gpu, VirtualDisplaySurface::CompositionType::Hwc,
87 VirtualDisplaySurface::CompositionType::Mixed};
88
89 static constexpr ui::RenderIntent kRenderIntents[] = {ui::RenderIntent::COLORIMETRIC,
90 ui::RenderIntent::ENHANCE,
91 ui::RenderIntent::TONE_MAP_COLORIMETRIC,
92 ui::RenderIntent::TONE_MAP_ENHANCE};
93
94 static constexpr hal::PowerMode kPowerModes[] = {hal::PowerMode::OFF, hal::PowerMode::DOZE,
95 hal::PowerMode::DOZE_SUSPEND, hal::PowerMode::ON,
96 hal::PowerMode::ON_SUSPEND};
97
98 static constexpr hal::ContentType kContentTypes[] = {hal::ContentType::NONE,
99 hal::ContentType::GRAPHICS,
100 hal::ContentType::PHOTO,
101 hal::ContentType::CINEMA,
102 hal::ContentType::GAME};
103
104 const unsigned char kInternalEdid[] =
105 "\x00\xff\xff\xff\xff\xff\xff\x00\x4c\xa3\x42\x31\x00\x00\x00\x00"
106 "\x00\x15\x01\x03\x80\x1a\x10\x78\x0a\xd3\xe5\x95\x5c\x60\x90\x27"
107 "\x19\x50\x54\x00\x00\x00\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
108 "\x01\x01\x01\x01\x01\x01\x9e\x1b\x00\xa0\x50\x20\x12\x30\x10\x30"
109 "\x13\x00\x05\xa3\x10\x00\x00\x19\x00\x00\x00\x0f\x00\x00\x00\x00"
110 "\x00\x00\x00\x00\x00\x23\x87\x02\x64\x00\x00\x00\x00\xfe\x00\x53"
111 "\x41\x4d\x53\x55\x4e\x47\x0a\x20\x20\x20\x20\x20\x00\x00\x00\xfe"
112 "\x00\x31\x32\x31\x41\x54\x31\x31\x2d\x38\x30\x31\x0a\x20\x00\x45";
113
114 static constexpr hal::HWConfigId kActiveConfig = 0;
115
116 class DisplayHardwareFuzzer {
117 public:
DisplayHardwareFuzzer(const uint8_t * data,size_t size)118 DisplayHardwareFuzzer(const uint8_t* data, size_t size) : mFdp(data, size) {
119 mPhysicalDisplayId = TestableSurfaceFlinger::getFirstDisplayId().value_or(
120 PhysicalDisplayId::fromPort(mFdp.ConsumeIntegral<uint8_t>()));
121 };
122 void process();
123
124 private:
125 void invokeComposer();
126 void invokeDisplayIdentification();
127 void invokeLayer(HWC2::Layer* layer);
128 void setSidebandStream(HWC2::Layer* layer);
129 void setCursorPosition(HWC2::Layer* layer);
130 void setBuffer(HWC2::Layer* layer);
131 void setSurfaceDamage(HWC2::Layer* layer);
132 void setDisplayFrame(HWC2::Layer* layer);
133 void setVisibleRegion(HWC2::Layer* layer);
134 void setLayerGenericMetadata(HWC2::Layer* layer);
135 void invokeFrameBufferSurface();
136 void invokeVirtualDisplaySurface();
137 void invokeAidlComposer();
138 Display createVirtualDisplay(Hwc2::AidlComposer*);
139 void validateDisplay(Hwc2::AidlComposer*, Display);
140 void presentOrValidateDisplay(Hwc2::AidlComposer*, Display);
141 void setOutputBuffer(Hwc2::AidlComposer*, Display);
142 void setLayerSidebandStream(Hwc2::AidlComposer*, Display, Hwc2::V2_4::hal::Layer);
143 void invokeComposerHal2_2(Hwc2::AidlComposer*, Display, Hwc2::V2_4::hal::Layer);
144 void invokeComposerHal2_3(Hwc2::AidlComposer*, Display, Hwc2::V2_4::hal::Layer);
145 void invokeComposerHal2_4(Hwc2::AidlComposer*, Display, Hwc2::V2_4::hal::Layer);
146 void getDisplayVsyncPeriod();
147 void setActiveModeWithConstraints();
148 void getDisplayIdentificationData();
149 void dumpHwc();
150 void getDisplayedContentSamplingAttributes(HalDisplayId);
151 void getDeviceCompositionChanges(HalDisplayId);
152 void getHdrCapabilities(HalDisplayId);
153 void getDisplayedContentSample(HalDisplayId);
154 void getSupportedContentTypes();
155 ui::Size getFuzzedSize();
156 mat4 getFuzzedMatrix();
157
158 DisplayIdGenerator<HalVirtualDisplayId> mGenerator;
159 FuzzedDataProvider mFdp;
160 PhysicalDisplayId mPhysicalDisplayId;
161 android::impl::HWComposer mHwc{std::make_unique<Hwc2::mock::Composer>()};
162 };
163
validateDisplay(Hwc2::AidlComposer * composer,Display display)164 void DisplayHardwareFuzzer::validateDisplay(Hwc2::AidlComposer* composer, Display display) {
165 uint32_t outNumTypes, outNumRequests;
166 composer->validateDisplay(display, mFdp.ConsumeIntegral<nsecs_t>(), &outNumTypes,
167 &outNumRequests);
168 }
169
presentOrValidateDisplay(Hwc2::AidlComposer * composer,Display display)170 void DisplayHardwareFuzzer::presentOrValidateDisplay(Hwc2::AidlComposer* composer,
171 Display display) {
172 int32_t outPresentFence;
173 uint32_t outNumTypes, outNumRequests, state;
174 composer->presentOrValidateDisplay(display, mFdp.ConsumeIntegral<nsecs_t>(), &outNumTypes,
175 &outNumRequests, &outPresentFence, &state);
176 }
177
setOutputBuffer(Hwc2::AidlComposer * composer,Display display)178 void DisplayHardwareFuzzer::setOutputBuffer(Hwc2::AidlComposer* composer, Display display) {
179 const native_handle_t buffer{};
180 composer->setOutputBuffer(display, &buffer, mFdp.ConsumeIntegral<int32_t>() /*releaseFence*/);
181 }
182
setLayerSidebandStream(Hwc2::AidlComposer * composer,Display display,Hwc2::V2_4::hal::Layer outLayer)183 void DisplayHardwareFuzzer::setLayerSidebandStream(Hwc2::AidlComposer* composer, Display display,
184 Hwc2::V2_4::hal::Layer outLayer) {
185 const native_handle_t stream{};
186 composer->setLayerSidebandStream(display, outLayer, &stream);
187 }
188
createVirtualDisplay(Hwc2::AidlComposer * composer)189 Display DisplayHardwareFuzzer::createVirtualDisplay(Hwc2::AidlComposer* composer) {
190 namespace types = hardware::graphics::common;
191 using types::V1_2::PixelFormat;
192 PixelFormat format{};
193 Display display;
194 composer->createVirtualDisplay(mFdp.ConsumeIntegral<uint32_t>() /*width*/,
195 mFdp.ConsumeIntegral<uint32_t>() /*height*/, &format, &display);
196 return display;
197 }
198
getDisplayVsyncPeriod()199 void DisplayHardwareFuzzer::getDisplayVsyncPeriod() {
200 nsecs_t outVsyncPeriod;
201 mHwc.getDisplayVsyncPeriod(mPhysicalDisplayId, &outVsyncPeriod);
202 }
203
setActiveModeWithConstraints()204 void DisplayHardwareFuzzer::setActiveModeWithConstraints() {
205 hal::VsyncPeriodChangeTimeline outTimeline;
206 mHwc.setActiveModeWithConstraints(mPhysicalDisplayId, kActiveConfig, {} /*constraints*/,
207 &outTimeline);
208 }
209
getDisplayIdentificationData()210 void DisplayHardwareFuzzer::getDisplayIdentificationData() {
211 uint8_t outPort;
212 DisplayIdentificationData outData;
213 mHwc.getDisplayIdentificationData(kHwDisplayId, &outPort, &outData);
214 }
215
dumpHwc()216 void DisplayHardwareFuzzer::dumpHwc() {
217 std::string string = mFdp.ConsumeRandomLengthString().c_str();
218 mHwc.dump(string);
219 }
220
getDeviceCompositionChanges(HalDisplayId halDisplayID)221 void DisplayHardwareFuzzer::getDeviceCompositionChanges(HalDisplayId halDisplayID) {
222 std::optional<impl::HWComposer::DeviceRequestedChanges> outChanges;
223 mHwc.getDeviceCompositionChanges(halDisplayID,
224 mFdp.ConsumeBool() /*frameUsesClientComposition*/,
225 std::chrono::steady_clock::now(),
226 mFdp.ConsumeIntegral<nsecs_t>(), &outChanges);
227 }
228
getDisplayedContentSamplingAttributes(HalDisplayId halDisplayID)229 void DisplayHardwareFuzzer::getDisplayedContentSamplingAttributes(HalDisplayId halDisplayID) {
230 uint8_t outComponentMask;
231 ui::Dataspace dataSpace;
232 ui::PixelFormat pixelFormat;
233 mHwc.getDisplayedContentSamplingAttributes(halDisplayID, &pixelFormat, &dataSpace,
234 &outComponentMask);
235 }
236
getHdrCapabilities(HalDisplayId halDisplayID)237 void DisplayHardwareFuzzer::getHdrCapabilities(HalDisplayId halDisplayID) {
238 HdrCapabilities outCapabilities;
239 mHwc.getHdrCapabilities(halDisplayID, &outCapabilities);
240 }
241
getDisplayedContentSample(HalDisplayId halDisplayID)242 void DisplayHardwareFuzzer::getDisplayedContentSample(HalDisplayId halDisplayID) {
243 DisplayedFrameStats outStats;
244 mHwc.getDisplayedContentSample(halDisplayID, mFdp.ConsumeIntegral<uint64_t>() /* maxFrames*/,
245 mFdp.ConsumeIntegral<uint64_t>() /*timestamps*/, &outStats);
246 }
247
getSupportedContentTypes()248 void DisplayHardwareFuzzer::getSupportedContentTypes() {
249 std::vector<hal::ContentType> contentType{};
250 mHwc.getSupportedContentTypes(mPhysicalDisplayId, &contentType);
251 }
252
invokeAidlComposer()253 void DisplayHardwareFuzzer::invokeAidlComposer() {
254 hardware::ProcessState::self()->startThreadPool();
255 ProcessState::self()->startThreadPool();
256
257 if (!Hwc2::AidlComposer::isDeclared("default")) {
258 return;
259 }
260
261 Hwc2::AidlComposer composer("default");
262
263 android::hardware::graphics::composer::hal::TestHWC2ComposerCallback composerCallback{};
264 composer.registerCallback(composerCallback);
265
266 Display display = createVirtualDisplay(&composer);
267
268 composer.acceptDisplayChanges(display);
269
270 Hwc2::V2_4::hal::Layer outLayer;
271 composer.createLayer(display, &outLayer);
272
273 int32_t outPresentFence;
274 composer.presentDisplay(display, &outPresentFence);
275
276 composer.setActiveConfig(display, Config{});
277
278 composer.setClientTarget(display, mFdp.ConsumeIntegral<uint32_t>(), sp<GraphicBuffer>(),
279 mFdp.ConsumeIntegral<int32_t>(), mFdp.PickValueInArray(kDataspaces),
280 {});
281
282 composer.setColorMode(display, mFdp.PickValueInArray(kColormodes),
283 mFdp.PickValueInArray(kRenderIntents));
284
285 setOutputBuffer(&composer, display);
286
287 composer.setPowerMode(display, mFdp.PickValueInArray(kPowerModes));
288 composer.setVsyncEnabled(display, mFdp.ConsumeBool() ? Vsync::ENABLE : Vsync::DISABLE);
289
290 composer.setClientTargetSlotCount(display);
291
292 validateDisplay(&composer, display);
293
294 presentOrValidateDisplay(&composer, display);
295
296 composer.setCursorPosition(display, outLayer, mFdp.ConsumeIntegral<uint8_t>() /*x*/,
297 mFdp.ConsumeIntegral<uint8_t>() /*y*/);
298
299 composer.setLayerBuffer(display, outLayer, mFdp.ConsumeIntegral<uint32_t>() /*slot*/,
300 sp<GraphicBuffer>(), mFdp.ConsumeIntegral<int32_t>() /*acquireFence*/);
301
302 composer.setLayerSurfaceDamage(display, outLayer, {} /*damage*/);
303
304 composer.setLayerBlendMode(display, outLayer, mFdp.PickValueInArray(kBlendModes));
305
306 composer.setLayerColor(display, outLayer,
307 {mFdp.ConsumeFloatingPoint<float>() /*red*/,
308 mFdp.ConsumeFloatingPoint<float>() /*green*/,
309 mFdp.ConsumeFloatingPoint<float>() /*blue*/,
310 mFdp.ConsumeFloatingPoint<float>() /*alpha*/});
311 composer.setLayerCompositionType(display, outLayer, mFdp.PickValueInArray(kCompositions));
312 composer.setLayerDataspace(display, outLayer, mFdp.PickValueInArray(kDataspaces));
313 composer.setLayerDisplayFrame(display, outLayer, {} /*frame*/);
314 composer.setLayerPlaneAlpha(display, outLayer, mFdp.ConsumeFloatingPoint<float>());
315
316 setLayerSidebandStream(&composer, display, outLayer);
317
318 composer.setLayerSourceCrop(display, outLayer, {} /*crop*/);
319
320 composer.setLayerTransform(display, outLayer, mFdp.PickValueInArray(kTransforms));
321
322 composer.setLayerVisibleRegion(display, outLayer, std::vector<IComposerClient::Rect>{});
323 composer.setLayerZOrder(display, outLayer, mFdp.ConsumeIntegral<uint32_t>());
324
325 invokeComposerHal2_2(&composer, display, outLayer);
326 invokeComposerHal2_3(&composer, display, outLayer);
327 invokeComposerHal2_4(&composer, display, outLayer);
328
329 composer.executeCommands(display);
330
331 composer.destroyLayer(display, outLayer);
332 composer.destroyVirtualDisplay(display);
333 }
334
invokeComposerHal2_2(Hwc2::AidlComposer * composer,Display display,Hwc2::V2_4::hal::Layer outLayer)335 void DisplayHardwareFuzzer::invokeComposerHal2_2(Hwc2::AidlComposer* composer, Display display,
336 Hwc2::V2_4::hal::Layer outLayer) {
337 const std::vector<PerFrameMetadata> perFrameMetadatas;
338 composer->setLayerPerFrameMetadata(display, outLayer, perFrameMetadatas);
339
340 composer->getPerFrameMetadataKeys(display);
341 std::vector<RenderIntent> outRenderIntents;
342
343 composer->getRenderIntents(display, mFdp.PickValueInArray(kColormodes), &outRenderIntents);
344 mat4 outMatrix;
345 composer->getDataspaceSaturationMatrix(mFdp.PickValueInArray(kDataspaces), &outMatrix);
346 }
347
invokeComposerHal2_3(Hwc2::AidlComposer * composer,Display display,Hwc2::V2_4::hal::Layer outLayer)348 void DisplayHardwareFuzzer::invokeComposerHal2_3(Hwc2::AidlComposer* composer, Display display,
349 Hwc2::V2_4::hal::Layer outLayer) {
350 composer->setDisplayContentSamplingEnabled(display, mFdp.ConsumeBool() /*enabled*/,
351 mFdp.ConsumeIntegral<uint8_t>() /*componentMask*/,
352 mFdp.ConsumeIntegral<uint64_t>() /*maxFrames*/);
353
354 DisplayedFrameStats outStats;
355 composer->getDisplayedContentSample(display, mFdp.ConsumeIntegral<uint64_t>() /*maxFrames*/,
356 mFdp.ConsumeIntegral<uint64_t>() /*timestamp*/, &outStats);
357
358 composer->setLayerPerFrameMetadataBlobs(display, outLayer, std::vector<PerFrameMetadataBlob>{});
359
360 composer->setDisplayBrightness(display, mFdp.ConsumeFloatingPoint<float>(),
361 mFdp.ConsumeFloatingPoint<float>(),
362 Hwc2::Composer::DisplayBrightnessOptions{
363 .applyImmediately = mFdp.ConsumeIntegral<bool>()});
364 }
365
invokeComposerHal2_4(Hwc2::AidlComposer * composer,Display display,Hwc2::V2_4::hal::Layer outLayer)366 void DisplayHardwareFuzzer::invokeComposerHal2_4(Hwc2::AidlComposer* composer, Display display,
367 Hwc2::V2_4::hal::Layer outLayer) {
368 VsyncPeriodChangeTimeline outTimeline;
369 composer->setActiveConfigWithConstraints(display, Config{},
370 IComposerClient::VsyncPeriodChangeConstraints{},
371 &outTimeline);
372
373 composer->setAutoLowLatencyMode(display, mFdp.ConsumeBool());
374
375 composer->setContentType(display, mFdp.PickValueInArray(kContentTypes));
376
377 std::vector<uint8_t> value;
378 value.push_back(mFdp.ConsumeIntegral<uint8_t>());
379 composer->setLayerGenericMetadata(display, outLayer, mFdp.ConsumeRandomLengthString() /*key*/,
380 mFdp.ConsumeBool() /*mandatory*/, value);
381 }
382
getFuzzedSize()383 ui::Size DisplayHardwareFuzzer::getFuzzedSize() {
384 ui::Size size{mFdp.ConsumeIntegral<int32_t>() /*width*/,
385 mFdp.ConsumeIntegral<int32_t>() /*height*/};
386 return size;
387 }
388
getFuzzedMatrix()389 mat4 DisplayHardwareFuzzer::getFuzzedMatrix() {
390 mat4 matrix{mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
391 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
392 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
393 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
394 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
395 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
396 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
397 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>()};
398 return matrix;
399 }
400
setCursorPosition(HWC2::Layer * layer)401 void DisplayHardwareFuzzer::setCursorPosition(HWC2::Layer* layer) {
402 layer->setCursorPosition(mFdp.ConsumeIntegral<int32_t>() /*x*/,
403 mFdp.ConsumeIntegral<int32_t>() /*y*/);
404 }
405
setBuffer(HWC2::Layer * layer)406 void DisplayHardwareFuzzer::setBuffer(HWC2::Layer* layer) {
407 layer->setBuffer(mFdp.ConsumeIntegral<uint32_t>() /*slot*/, sp<GraphicBuffer>(),
408 sp<Fence>::make());
409 }
410
setSurfaceDamage(HWC2::Layer * layer)411 void DisplayHardwareFuzzer::setSurfaceDamage(HWC2::Layer* layer) {
412 Rect rhs{mFdp.ConsumeIntegral<uint32_t>() /*width*/,
413 mFdp.ConsumeIntegral<uint32_t>() /*height*/};
414 const Region damage{rhs};
415 layer->setSurfaceDamage(damage);
416 }
417
setVisibleRegion(HWC2::Layer * layer)418 void DisplayHardwareFuzzer::setVisibleRegion(HWC2::Layer* layer) {
419 uint32_t width = mFdp.ConsumeIntegral<uint32_t>();
420 uint32_t height = mFdp.ConsumeIntegral<uint32_t>();
421 Rect rect{width, height};
422 const Region region{rect};
423 layer->setVisibleRegion(region);
424 }
425
setDisplayFrame(HWC2::Layer * layer)426 void DisplayHardwareFuzzer::setDisplayFrame(HWC2::Layer* layer) {
427 uint32_t width = mFdp.ConsumeIntegral<uint32_t>();
428 uint32_t height = mFdp.ConsumeIntegral<uint32_t>();
429 const Rect frame{width, height};
430 layer->setDisplayFrame(frame);
431 }
432
setLayerGenericMetadata(HWC2::Layer * layer)433 void DisplayHardwareFuzzer::setLayerGenericMetadata(HWC2::Layer* layer) {
434 std::vector<uint8_t> value;
435 value.push_back(mFdp.ConsumeIntegral<uint8_t>());
436 layer->setLayerGenericMetadata(mFdp.ConsumeRandomLengthString().c_str() /*name*/,
437 mFdp.ConsumeBool() /*mandatory*/, value);
438 }
439
setSidebandStream(HWC2::Layer * layer)440 void DisplayHardwareFuzzer::setSidebandStream(HWC2::Layer* layer) {
441 const native_handle_t stream{};
442 layer->setSidebandStream(&stream);
443 }
444
invokeLayer(HWC2::Layer * layer)445 void DisplayHardwareFuzzer::invokeLayer(HWC2::Layer* layer) {
446 setCursorPosition(layer);
447 setBuffer(layer);
448 setSurfaceDamage(layer);
449
450 layer->setBlendMode(mFdp.PickValueInArray(kBlendModes));
451 layer->setColor({mFdp.ConsumeFloatingPoint<float>() /*red*/,
452 mFdp.ConsumeFloatingPoint<float>() /*green*/,
453 mFdp.ConsumeFloatingPoint<float>() /*blue*/,
454 mFdp.ConsumeFloatingPoint<float>() /*alpha*/});
455 layer->setCompositionType(mFdp.PickValueInArray(kCompositions));
456 layer->setDataspace(mFdp.PickValueInArray(kDataspaces));
457
458 layer->setPerFrameMetadata(mFdp.ConsumeIntegral<int32_t>(), getFuzzedHdrMetadata(&mFdp));
459 setDisplayFrame(layer);
460
461 layer->setPlaneAlpha(mFdp.ConsumeFloatingPoint<float>());
462
463 setSidebandStream(layer);
464
465 layer->setSourceCrop(getFuzzedFloatRect(&mFdp));
466 layer->setTransform(mFdp.PickValueInArray(kTransforms));
467
468 setVisibleRegion(layer);
469
470 layer->setZOrder(mFdp.ConsumeIntegral<uint32_t>());
471
472 layer->setColorTransform(getFuzzedMatrix());
473
474 setLayerGenericMetadata(layer);
475 }
476
invokeFrameBufferSurface()477 void DisplayHardwareFuzzer::invokeFrameBufferSurface() {
478 sp<IGraphicBufferProducer> bqProducer = sp<mock::GraphicBufferProducer>::make();
479 sp<IGraphicBufferConsumer> bqConsumer;
480 BufferQueue::createBufferQueue(&bqProducer, &bqConsumer);
481
482 sp<FramebufferSurface> surface =
483 sp<FramebufferSurface>::make(mHwc, mPhysicalDisplayId, bqConsumer,
484 getFuzzedSize() /*size*/, getFuzzedSize() /*maxSize*/);
485 surface->beginFrame(mFdp.ConsumeBool());
486
487 surface->prepareFrame(mFdp.PickValueInArray(kCompositionTypes));
488 surface->advanceFrame();
489 surface->onFrameCommitted();
490 String8 result = String8(mFdp.ConsumeRandomLengthString().c_str());
491 surface->dumpAsString(result);
492 surface->resizeBuffers(getFuzzedSize());
493 surface->getClientTargetAcquireFence();
494 }
495
invokeVirtualDisplaySurface()496 void DisplayHardwareFuzzer::invokeVirtualDisplaySurface() {
497 DisplayIdGenerator<HalVirtualDisplayId> mGenerator;
498 VirtualDisplayId VirtualDisplayId = mGenerator.generateId().value();
499
500 sp<SurfaceComposerClient> mClient = sp<SurfaceComposerClient>::make();
501 sp<SurfaceControl> mSurfaceControl =
502 mClient->createSurface(String8("TestSurface"), 100, 100, PIXEL_FORMAT_RGBA_8888,
503 ISurfaceComposerClient::eFXSurfaceBufferState,
504 /*parent*/ nullptr);
505
506 auto mBlastBufferQueueAdapter =
507 sp<BLASTBufferQueue>::make("TestBLASTBufferQueue", mSurfaceControl, 100, 100,
508 PIXEL_FORMAT_RGBA_8888);
509
510 sp<IGraphicBufferProducer> sink = mBlastBufferQueueAdapter->getIGraphicBufferProducer();
511 sp<IGraphicBufferProducer> bqProducer = mBlastBufferQueueAdapter->getIGraphicBufferProducer();
512 sp<IGraphicBufferConsumer> bqConsumer;
513 BufferQueue::createBufferQueue(&bqProducer, &bqConsumer);
514 BufferQueue::createBufferQueue(&sink, &bqConsumer);
515
516 auto surface =
517 sp<VirtualDisplaySurface>::make(mHwc, VirtualDisplayId, sink, bqProducer, bqConsumer,
518 mFdp.ConsumeRandomLengthString().c_str() /*name*/);
519
520 surface->beginFrame(mFdp.ConsumeBool());
521 surface->prepareFrame(mFdp.PickValueInArray(kCompositionTypes));
522 surface->resizeBuffers(getFuzzedSize());
523 surface->getClientTargetAcquireFence();
524 surface->advanceFrame();
525 surface->onFrameCommitted();
526 String8 result = String8(mFdp.ConsumeRandomLengthString().c_str());
527 surface->dumpAsString(result);
528 }
529
invokeComposer()530 void DisplayHardwareFuzzer::invokeComposer() {
531 HalVirtualDisplayId halVirtualDisplayId = mGenerator.generateId().value();
532 HalDisplayId halDisplayID = HalDisplayId{halVirtualDisplayId};
533
534 android::hardware::graphics::composer::hal::TestHWC2ComposerCallback composerCallback{};
535 mHwc.setCallback(composerCallback);
536
537 ui::PixelFormat pixelFormat{};
538 if (!mHwc.allocateVirtualDisplay(halVirtualDisplayId, getFuzzedSize(), &pixelFormat)) {
539 return;
540 }
541
542 getDisplayIdentificationData();
543
544 mHwc.hasDisplayCapability(halDisplayID, mFdp.PickValueInArray(kDisplayCapability));
545
546 mHwc.allocatePhysicalDisplay(kHwDisplayId, mPhysicalDisplayId);
547
548 static auto hwcLayer = mHwc.createLayer(halDisplayID);
549 HWC2::Layer* layer = hwcLayer.get();
550 invokeLayer(layer);
551
552 getDeviceCompositionChanges(halDisplayID);
553
554 mHwc.setClientTarget(halDisplayID, mFdp.ConsumeIntegral<uint32_t>(), Fence::NO_FENCE,
555 sp<GraphicBuffer>::make(), mFdp.PickValueInArray(kDataspaces));
556
557 mHwc.presentAndGetReleaseFences(halDisplayID, std::chrono::steady_clock::now());
558
559 mHwc.setPowerMode(mPhysicalDisplayId, mFdp.PickValueInArray(kPowerModes));
560
561 mHwc.setColorTransform(halDisplayID, getFuzzedMatrix());
562
563 mHwc.getPresentFence(halDisplayID);
564
565 mHwc.getLayerReleaseFence(halDisplayID, layer);
566
567 mHwc.setOutputBuffer(halVirtualDisplayId, sp<Fence>::make(), sp<GraphicBuffer>::make());
568
569 mHwc.clearReleaseFences(halDisplayID);
570
571 getHdrCapabilities(halDisplayID);
572
573 mHwc.getSupportedPerFrameMetadata(halDisplayID);
574
575 mHwc.getRenderIntents(halDisplayID, ui::ColorMode());
576
577 mHwc.getDataspaceSaturationMatrix(halDisplayID, ui::Dataspace());
578
579 getDisplayedContentSamplingAttributes(halDisplayID);
580
581 mHwc.setDisplayContentSamplingEnabled(halDisplayID, mFdp.ConsumeBool() /*enabled*/,
582 mFdp.ConsumeIntegral<uint8_t>() /*componentMask*/,
583 mFdp.ConsumeIntegral<uint64_t>() /*maxFrames*/);
584
585 getDisplayedContentSample(halDisplayID);
586
587 mHwc.setDisplayBrightness(mPhysicalDisplayId, mFdp.ConsumeFloatingPoint<float>(),
588 mFdp.ConsumeFloatingPoint<float>(),
589 Hwc2::Composer::DisplayBrightnessOptions{
590 .applyImmediately = mFdp.ConsumeIntegral<bool>()});
591
592 mHwc.onHotplug(kHwDisplayId, hal::Connection::CONNECTED);
593 mHwc.updatesDeviceProductInfoOnHotplugReconnect();
594
595 mHwc.onVsync(kHwDisplayId, mFdp.ConsumeIntegral<int64_t>());
596 mHwc.setVsyncEnabled(mPhysicalDisplayId,
597 mFdp.ConsumeBool() ? hal::Vsync::ENABLE : hal::Vsync::DISABLE);
598
599 mHwc.isConnected(mPhysicalDisplayId);
600 mHwc.getModes(mPhysicalDisplayId);
601 mHwc.getActiveMode(mPhysicalDisplayId);
602 mHwc.getColorModes(mPhysicalDisplayId);
603 mHwc.hasCapability(mFdp.PickValueInArray(kCapability));
604
605 mHwc.setActiveColorMode(mPhysicalDisplayId, mFdp.PickValueInArray(kColormodes),
606 mFdp.PickValueInArray(kRenderIntents));
607
608 mHwc.getDisplayConnectionType(mPhysicalDisplayId);
609 mHwc.isVsyncPeriodSwitchSupported(mPhysicalDisplayId);
610
611 getDisplayVsyncPeriod();
612
613 setActiveModeWithConstraints();
614
615 mHwc.setAutoLowLatencyMode(mPhysicalDisplayId, mFdp.ConsumeBool());
616
617 getSupportedContentTypes();
618
619 mHwc.setContentType(mPhysicalDisplayId, mFdp.PickValueInArray(kContentTypes));
620
621 dumpHwc();
622
623 mHwc.toPhysicalDisplayId(kHwDisplayId);
624 mHwc.fromPhysicalDisplayId(mPhysicalDisplayId);
625 mHwc.disconnectDisplay(halDisplayID);
626
627 static hal::HWDisplayId displayId = mFdp.ConsumeIntegral<hal::HWDisplayId>();
628 mHwc.onHotplug(displayId,
629 mFdp.ConsumeBool() ? hal::Connection::DISCONNECTED : hal::Connection::CONNECTED);
630 }
631
632 template <size_t N>
asDisplayIdentificationData(const unsigned char (& bytes)[N])633 DisplayIdentificationData asDisplayIdentificationData(const unsigned char (&bytes)[N]) {
634 return DisplayIdentificationData(bytes, bytes + N - 1);
635 }
636
invokeDisplayIdentification()637 void DisplayHardwareFuzzer::invokeDisplayIdentification() {
638 static const DisplayIdentificationData data = asDisplayIdentificationData(kInternalEdid);
639 isEdid(data);
640 parseEdid(data);
641 parseDisplayIdentificationData(mFdp.ConsumeIntegral<uint8_t>(), data);
642 getPnpId(getVirtualDisplayId(mFdp.ConsumeIntegral<uint32_t>()));
643 getPnpId(mFdp.ConsumeIntegral<uint8_t>());
644 }
645
process()646 void DisplayHardwareFuzzer::process() {
647 invokeComposer();
648 invokeAidlComposer();
649 invokeDisplayIdentification();
650 invokeFrameBufferSurface();
651 invokeVirtualDisplaySurface();
652 }
653
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)654 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
655 DisplayHardwareFuzzer displayHardwareFuzzer(data, size);
656 displayHardwareFuzzer.process();
657 return 0;
658 }
659
660 } // namespace android::fuzz
661