1 /*
2 * Copyright 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17 #include <Client.h>
18 #include <DisplayDevice.h>
19 #include <LayerRenderArea.h>
20 #include <ftl/future.h>
21 #include <fuzzer/FuzzedDataProvider.h>
22 #include <gui/IProducerListener.h>
23 #include <gui/LayerDebugInfo.h>
24 #include <gui/SurfaceComposerClient.h>
25 #include <gui/WindowInfo.h>
26 #include <renderengine/mock/FakeExternalTexture.h>
27 #include <ui/DisplayStatInfo.h>
28 #include <ui/Transform.h>
29
30 #include <FuzzableDataspaces.h>
31 #include <surfaceflinger_fuzzers_utils.h>
32
33 namespace android::fuzzer {
34 using namespace renderengine;
35
36 constexpr uint16_t kRandomStringLength = 256;
37
38 class LayerFuzzer {
39 public:
LayerFuzzer(const uint8_t * data,size_t size)40 LayerFuzzer(const uint8_t* data, size_t size) : mFdp(data, size){};
41 void init();
42 void invokeBufferStateLayer();
43 void invokeEffectLayer();
44 LayerCreationArgs createLayerCreationArgs(TestableSurfaceFlinger* flinger, sp<Client> client);
45 Rect getFuzzedRect();
46 ui::Transform getFuzzedTransform();
47 FrameTimelineInfo getFuzzedFrameTimelineInfo();
48
49 private:
50 FuzzedDataProvider mFdp;
51 };
52
getFuzzedRect()53 Rect LayerFuzzer::getFuzzedRect() {
54 return Rect(mFdp.ConsumeIntegral<int32_t>() /*left*/, mFdp.ConsumeIntegral<int32_t>() /*top*/,
55 mFdp.ConsumeIntegral<int32_t>() /*right*/,
56 mFdp.ConsumeIntegral<int32_t>() /*bottom*/);
57 }
58
getFuzzedTransform()59 ui::Transform LayerFuzzer::getFuzzedTransform() {
60 return ui::Transform(mFdp.ConsumeIntegral<int32_t>() /*orientation*/,
61 mFdp.ConsumeIntegral<int32_t>() /*width*/,
62 mFdp.ConsumeIntegral<int32_t>() /*height*/);
63 }
64
getFuzzedFrameTimelineInfo()65 FrameTimelineInfo LayerFuzzer::getFuzzedFrameTimelineInfo() {
66 FrameTimelineInfo ftInfo;
67 ftInfo.vsyncId = mFdp.ConsumeIntegral<int64_t>();
68 ftInfo.inputEventId = mFdp.ConsumeIntegral<int32_t>();
69 return ftInfo;
70 }
71
createLayerCreationArgs(TestableSurfaceFlinger * flinger,sp<Client> client)72 LayerCreationArgs LayerFuzzer::createLayerCreationArgs(TestableSurfaceFlinger* flinger,
73 sp<Client> client) {
74 flinger->setupScheduler(std::make_unique<android::mock::VsyncController>(),
75 std::make_unique<android::mock::VSyncTracker>(),
76 std::make_unique<android::mock::EventThread>(),
77 std::make_unique<android::mock::EventThread>());
78
79 return LayerCreationArgs(flinger->flinger(), client,
80 mFdp.ConsumeRandomLengthString(kRandomStringLength) /*name*/,
81 mFdp.ConsumeIntegral<uint32_t>() /*flags*/, {} /*metadata*/);
82 }
83
invokeEffectLayer()84 void LayerFuzzer::invokeEffectLayer() {
85 TestableSurfaceFlinger flinger;
86 sp<Client> client = sp<Client>::make(sp<SurfaceFlinger>::fromExisting(flinger.flinger()));
87 const LayerCreationArgs layerCreationArgs = createLayerCreationArgs(&flinger, client);
88 sp<Layer> effectLayer = sp<Layer>::make(layerCreationArgs);
89
90 effectLayer->setColor({(mFdp.ConsumeFloatingPointInRange<float>(0, 255) /*x*/,
91 mFdp.ConsumeFloatingPointInRange<float>(0, 255) /*y*/,
92 mFdp.ConsumeFloatingPointInRange<float>(0, 255) /*z*/)});
93 effectLayer->setDataspace(mFdp.PickValueInArray(kDataspaces));
94 sp<Layer> parent = sp<Layer>::make(layerCreationArgs);
95 effectLayer->setChildrenDrawingParent(parent);
96
97 const FrameTimelineInfo frameInfo = getFuzzedFrameTimelineInfo();
98 const int64_t postTime = mFdp.ConsumeIntegral<int64_t>();
99 effectLayer->setFrameTimelineVsyncForBufferTransaction(frameInfo, postTime);
100 effectLayer->setFrameTimelineVsyncForBufferlessTransaction(frameInfo, postTime);
101 auto surfaceFrame = effectLayer->createSurfaceFrameForTransaction(frameInfo, postTime);
102 auto surfaceFrame1 =
103 effectLayer->createSurfaceFrameForBuffer(frameInfo, postTime,
104 mFdp.ConsumeRandomLengthString(
105 kRandomStringLength) /*bufferName*/);
106 effectLayer->addSurfaceFramePresentedForBuffer(surfaceFrame,
107 mFdp.ConsumeIntegral<int64_t>() /*acquireTime*/,
108 mFdp.ConsumeIntegral<int64_t>() /*currentTime*/);
109 effectLayer->addSurfaceFrameDroppedForBuffer(surfaceFrame1, mFdp.ConsumeIntegral<nsecs_t>());
110
111 parent.clear();
112 client.clear();
113 effectLayer.clear();
114 }
115
invokeBufferStateLayer()116 void LayerFuzzer::invokeBufferStateLayer() {
117 TestableSurfaceFlinger flinger;
118 sp<Client> client = sp<Client>::make(sp<SurfaceFlinger>::fromExisting(flinger.flinger()));
119 sp<Layer> layer = sp<Layer>::make(createLayerCreationArgs(&flinger, client));
120 sp<Fence> fence = sp<Fence>::make();
121 const std::shared_ptr<FenceTime> fenceTime = std::make_shared<FenceTime>(fence);
122
123 const CompositorTiming compositorTiming(mFdp.ConsumeIntegral<int64_t>(),
124 mFdp.ConsumeIntegral<int64_t>(),
125 mFdp.ConsumeIntegral<int64_t>(),
126 mFdp.ConsumeIntegral<int64_t>());
127
128 layer->onLayerDisplayed(ftl::yield<FenceResult>(fence).share(),
129 ui::LayerStack::fromValue(mFdp.ConsumeIntegral<uint32_t>()));
130 layer->onLayerDisplayed(ftl::yield<FenceResult>(
131 base::unexpected(mFdp.ConsumeIntegral<status_t>()))
132 .share(),
133 ui::LayerStack::fromValue(mFdp.ConsumeIntegral<uint32_t>()));
134
135 layer->releasePendingBuffer(mFdp.ConsumeIntegral<int64_t>());
136 layer->onPostComposition(nullptr, fenceTime, fenceTime, compositorTiming);
137
138 layer->setTransform(mFdp.ConsumeIntegral<uint32_t>());
139 layer->setTransformToDisplayInverse(mFdp.ConsumeBool());
140 layer->setCrop(getFuzzedRect());
141
142 layer->setHdrMetadata(getFuzzedHdrMetadata(&mFdp));
143 layer->setDataspace(mFdp.PickValueInArray(kDataspaces));
144 if (mFdp.ConsumeBool()) {
145 layer->setSurfaceDamageRegion(Region());
146 layer->setTransparentRegionHint(Region());
147 } else {
148 layer->setSurfaceDamageRegion(Region(getFuzzedRect()));
149 layer->setTransparentRegionHint(Region(getFuzzedRect()));
150 }
151 layer->setApi(mFdp.ConsumeIntegral<int32_t>());
152
153 native_handle_t* testHandle = native_handle_create(0, 1);
154 const bool ownsHandle = mFdp.ConsumeBool();
155 sp<NativeHandle> nativeHandle = sp<NativeHandle>::make(testHandle, ownsHandle);
156 layer->setSidebandStream(nativeHandle);
157 layer->computeSourceBounds(getFuzzedFloatRect(&mFdp));
158
159 layer->fenceHasSignaled();
160 layer->onPreComposition(mFdp.ConsumeIntegral<int64_t>());
161 const std::vector<sp<CallbackHandle>> callbacks;
162 layer->setTransactionCompletedListeners(callbacks, mFdp.ConsumeBool());
163
164 std::shared_ptr<renderengine::ExternalTexture> texture = std::make_shared<
165 renderengine::mock::FakeExternalTexture>(mFdp.ConsumeIntegral<uint32_t>(),
166 mFdp.ConsumeIntegral<uint32_t>(),
167 mFdp.ConsumeIntegral<uint64_t>(),
168 static_cast<android::PixelFormat>(
169 mFdp.PickValueInArray(kPixelFormats)),
170 mFdp.ConsumeIntegral<uint64_t>());
171 layer->setBuffer(texture, {} /*bufferData*/, mFdp.ConsumeIntegral<nsecs_t>() /*postTime*/,
172 mFdp.ConsumeIntegral<nsecs_t>() /*desiredTime*/,
173 mFdp.ConsumeBool() /*isAutoTimestamp*/,
174 {mFdp.ConsumeIntegral<nsecs_t>()} /*dequeue*/, {} /*info*/);
175
176 LayerRenderArea layerArea(*(flinger.flinger()), layer, getFuzzedRect(),
177 {mFdp.ConsumeIntegral<int32_t>(),
178 mFdp.ConsumeIntegral<int32_t>()} /*reqSize*/,
179 mFdp.PickValueInArray(kDataspaces), mFdp.ConsumeBool(),
180 mFdp.ConsumeBool(), getFuzzedTransform(), getFuzzedRect(),
181 mFdp.ConsumeBool());
182 layerArea.render([]() {} /*drawLayers*/);
183
184 if (!ownsHandle) {
185 native_handle_close(testHandle);
186 native_handle_delete(testHandle);
187 }
188 nativeHandle.clear();
189 fence.clear();
190 client.clear();
191 layer.clear();
192 }
193
init()194 void LayerFuzzer::init() {
195 invokeBufferStateLayer();
196 invokeEffectLayer();
197 }
198
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)199 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
200 LayerFuzzer layerFuzzer(data, size);
201 layerFuzzer.init();
202 return 0;
203 }
204
205 } // namespace android::fuzzer
206