Updated audioflinger_aidl_fuzzer

exec/s: 2
Test: ./audioflinger_aidl_fuzzer
Bug: 202897137

Merged-In: Iae2b4e10323b397b64cc59b9e1df4e6f418839cf
Change-Id: Iae2b4e10323b397b64cc59b9e1df4e6f418839cf
(cherry picked from commit 91e8bde9ebc3d971dac658a19ad0f858e9c288d1)
diff --git a/media/libaudioclient/aidl/fuzzer/Android.bp b/media/libaudioclient/aidl/fuzzer/Android.bp
index 67258d9..6093933 100644
--- a/media/libaudioclient/aidl/fuzzer/Android.bp
+++ b/media/libaudioclient/aidl/fuzzer/Android.bp
@@ -19,63 +19,57 @@
     static_libs: [
         "android.hardware.audio.common@7.0-enums",
         "effect-aidl-cpp",
-        "liblog",
         "libcgrouprc",
         "libcgrouprc_format",
+        "libfakeservicemanager",
         "libjsoncpp",
+        "liblog",
         "libmediametricsservice",
         "libmedia_helper",
         "libprocessgroup",
         "shared-file-region-aidl-cpp",
-        "libfakeservicemanager"
     ],
     shared_libs: [
-        "libaudioclient",
-        "libaudioflinger",
-        "libmediautils",
-        "libnblog",
-        "libaudioprocessing",
-        "libnbaio",
-        "libpowermanager",
-        "libvibrator",
-        "packagemanager_aidl-cpp",
         "android.hardware.audio.common-util",
         "audioclient-types-aidl-cpp",
-        "audioflinger-aidl-cpp",
         "audiopolicy-aidl-cpp",
         "audiopolicy-types-aidl-cpp",
         "av-types-aidl-cpp",
         "capture_state_listener-aidl-cpp",
+        "framework-permission-aidl-cpp",
+        "libaudioclient",
+        "audioflinger-aidl-cpp",
+        "libaudioflinger",
         "libaudioclient_aidl_conversion",
         "libaudiofoundation",
         "libaudiomanager",
         "libaudiopolicy",
         "libaudioutils",
-        "libdl",
-        "libxml2",
-        "mediametricsservice-aidl-cpp",
-        "framework-permission-aidl-cpp",
-        "libvndksupport",
-        "libmediametrics",
-        "libfakeservicemanager",
-        "libactivitymanager_aidl",
-        "libheadtracking",
         "libaudiopolicyservice",
-        "libsensorprivacy",
         "libaudiopolicymanagerdefault",
         "libaudiohal",
-        "libhidlbase",
-        "libpermission",
-        "libaudiohal@7.0",
+        "libaudioprocessing",
+        "libactivitymanager_aidl",
+        "libdl",
+        "libheadtracking",
+        "libmediautils",
+        "libmediametrics",
+        "libnblog",
+        "libnbaio",
+        "libpowermanager",
+        "libvibrator",
+        "libvndksupport",
+        "libxml2",
+        "mediametricsservice-aidl-cpp",
+        "packagemanager_aidl-cpp",
     ],
     header_libs: [
         "libaudiopolicymanager_interface_headers",
-        "libbinder_headers",
         "libaudiofoundation_headers",
-        "libmedia_headers",
         "libaudiohal_headers",
         "libaudioflinger_headers",
-        "mediautils_headers",
+        "libbinder_headers",
+        "libmedia_headers",
     ],
      fuzz_config: {
         cc: [
diff --git a/media/libaudioclient/aidl/fuzzer/audioflinger_aidl_fuzzer.cpp b/media/libaudioclient/aidl/fuzzer/audioflinger_aidl_fuzzer.cpp
index fac5f53..f99cc3b 100644
--- a/media/libaudioclient/aidl/fuzzer/audioflinger_aidl_fuzzer.cpp
+++ b/media/libaudioclient/aidl/fuzzer/audioflinger_aidl_fuzzer.cpp
@@ -15,204 +15,74 @@
  *
  */
 #include <AudioFlinger.h>
-#include <ISchedulingPolicyService.h>
-#include <fakeservicemanager/FakeServiceManager.h>
 #include <android-base/logging.h>
 #include <android/binder_interface_utils.h>
 #include <android/binder_process.h>
 #include <android/media/IAudioPolicyService.h>
-#include <binder/IActivityManager.h>
-#include <binder/IPermissionController.h>
-#include <binder/IServiceManager.h>
-#include <binder/PermissionController.h>
+#include <fakeservicemanager/FakeServiceManager.h>
 #include <fuzzbinder/libbinder_driver.h>
+#include <fuzzbinder/random_binder.h>
 #include <fuzzer/FuzzedDataProvider.h>
 #include <media/IAudioFlinger.h>
-#include <mediautils/SchedulingPolicyService.h>
-#include <sensorprivacy/SensorPrivacyManager.h>
 #include <service/AudioPolicyService.h>
 
 using namespace android;
 using namespace android::binder;
 using android::fuzzService;
 
-static sp<media::IAudioFlingerService> gAudioFlingerService;
+[[clang::no_destroy]] static std::once_flag gSmOnce;
+sp<FakeServiceManager> gFakeServiceManager;
 
-class FuzzerSchedulingPolicyService : public BnInterface<ISchedulingPolicyService> {
-    int32_t requestPriority(int32_t /*pid_t*/, int32_t /*tid*/, int32_t /*prio*/, bool /*isForApp*/,
-                            bool /*asynchronous*/) {
-        return 0;
+bool addService(const String16& serviceName, const sp<FakeServiceManager>& fakeServiceManager,
+                FuzzedDataProvider& fdp) {
+    sp<IBinder> binder = getRandomBinder(&fdp);
+    if (binder == nullptr) {
+        return false;
     }
-
-    int32_t requestCpusetBoost(bool /*enable*/, const sp<IBinder>& /*client*/) { return 0; }
-};
-
-class FuzzerPermissionController : public BnInterface<IPermissionController> {
-  public:
-    bool checkPermission(const String16& /*permission*/, int32_t /*pid*/, int32_t /*uid*/) {
-        return true;
-    }
-    int32_t noteOp(const String16& /*op*/, int32_t /*uid*/, const String16& /*packageName*/) {
-        return 0;
-    }
-    void getPackagesForUid(const uid_t /*uid*/, Vector<String16>& /*packages*/) {}
-    bool isRuntimePermission(const String16& /*permission*/) { return true; }
-    int32_t getPackageUid(const String16& /*package*/, int /*flags*/) { return 0; }
-};
-
-class FuzzerSensorPrivacyManager : public BnInterface<hardware::ISensorPrivacyManager> {
-  public:
-    Status supportsSensorToggle(int32_t /*toggleType*/, int32_t /*sensor*/,
-                                bool* /*_aidl_return*/) override {
-        return Status::fromStatusT(UNKNOWN_TRANSACTION);
-    }
-    Status addSensorPrivacyListener(
-            const sp<hardware::ISensorPrivacyListener>& /*listener*/) override {
-        return Status::fromStatusT(::android::UNKNOWN_TRANSACTION);
-    }
-    Status addToggleSensorPrivacyListener(
-            const sp<hardware::ISensorPrivacyListener>& /*listener*/) override {
-        return Status::fromStatusT(UNKNOWN_TRANSACTION);
-    }
-    Status removeSensorPrivacyListener(
-            const sp<hardware::ISensorPrivacyListener>& /*listener*/) override {
-        return Status::fromStatusT(::android::UNKNOWN_TRANSACTION);
-    }
-    Status removeToggleSensorPrivacyListener(
-            const sp<hardware::ISensorPrivacyListener>& /*listener*/) override {
-        return Status::fromStatusT(::android::UNKNOWN_TRANSACTION);
-    }
-    Status isSensorPrivacyEnabled(bool* /*_aidl_return*/) override {
-        return Status::fromStatusT(UNKNOWN_TRANSACTION);
-    }
-    Status isCombinedToggleSensorPrivacyEnabled(int32_t /*sensor*/,
-                                                bool* /*_aidl_return*/) override {
-        return Status::fromStatusT(UNKNOWN_TRANSACTION);
-    }
-    Status isToggleSensorPrivacyEnabled(int32_t /*toggleType*/, int32_t /*sensor*/,
-                                        bool* /*_aidl_return*/) override {
-        return Status::fromStatusT(UNKNOWN_TRANSACTION);
-    }
-    Status setSensorPrivacy(bool /*enable*/) override {
-        return Status::fromStatusT(UNKNOWN_TRANSACTION);
-    }
-    Status setToggleSensorPrivacy(int32_t /*userId*/, int32_t /*source*/, int32_t /*sensor*/,
-                                  bool /*enable*/) override {
-        return Status::fromStatusT(UNKNOWN_TRANSACTION);
-    }
-    Status setToggleSensorPrivacyForProfileGroup(int32_t /*userId*/, int32_t /*source*/,
-                                                 int32_t /*sensor*/, bool /*enable*/) override {
-        return Status::fromStatusT(UNKNOWN_TRANSACTION);
-    }
-};
-
-class FuzzerActivityManager : public BnInterface<IActivityManager> {
-  public:
-    int32_t openContentUri(const String16& /*stringUri*/) override { return 0; }
-
-    status_t registerUidObserver(const sp<IUidObserver>& /*observer*/, const int32_t /*event*/,
-                                 const int32_t /*cutpoint*/,
-                                 const String16& /*callingPackage*/) override {
-        return OK;
-    }
-
-    status_t unregisterUidObserver(const sp<IUidObserver>& /*observer*/) override { return OK; }
-
-    bool isUidActive(const uid_t /*uid*/, const String16& /*callingPackage*/) override {
-        return true;
-    }
-
-    int32_t getUidProcessState(const uid_t /*uid*/, const String16& /*callingPackage*/) override {
-        return ActivityManager::PROCESS_STATE_UNKNOWN;
-    }
-
-    status_t checkPermission(const String16& /*permission*/, const pid_t /*pid*/,
-                             const uid_t /*uid*/, int32_t* /*outResult*/) override {
-        return NO_ERROR;
-    }
-
-    status_t registerUidObserverForUids(const sp<IUidObserver>& /*observer*/ ,
-                                        const int32_t /*event*/ ,
-                                        const int32_t /*cutpoint*/ ,
-                                        const String16& /*callingPackage*/ ,
-                                        const int32_t uids[] ,
-                                        size_t /*nUids*/ ,
-                                        /*out*/ sp<IBinder>& /*observerToken*/ ) {
-        (void)uids;
-        return OK;
-    }
-
-    status_t addUidToObserver(const sp<IBinder>& /*observerToken*/ ,
-                              const String16& /*callingPackage*/ ,
-                              int32_t /*uid*/ ) override {
-        return NO_ERROR;
-    }
-
-    status_t removeUidFromObserver(const sp<IBinder>& /*observerToken*/ ,
-                                   const String16& /*callingPackage*/ ,
-                                   int32_t /*uid*/ ) override {
-        return NO_ERROR;
-    }
-
-    status_t logFgsApiBegin(int32_t /*apiType*/ , int32_t /*appUid*/ ,
-                            int32_t /*appPid*/ ) override {
-        return NO_ERROR;
-    }
-    status_t logFgsApiEnd(int32_t /*apiType*/ , int32_t /*appUid*/ ,
-                          int32_t /*appPid*/ ) override {
-        return NO_ERROR;
-    }
-    status_t logFgsApiStateChanged(int32_t /*apiType*/ , int32_t /*state*/ ,
-                                   int32_t /*appUid*/ ,
-                                   int32_t /*appPid*/ ) override {
-        return NO_ERROR;
-    }
-};
-
-extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
-    /* Create a FakeServiceManager instance and add required services */
-    sp<FakeServiceManager> fakeServiceManager = new FakeServiceManager();
-    setDefaultServiceManager(fakeServiceManager);
-    ABinderProcess_setThreadPoolMaxThreadCount(0);
-    sp<FuzzerActivityManager> am = new FuzzerActivityManager();
-    fakeServiceManager->addService(String16("activity"), IInterface::asBinder(am));
-
-    sp<FuzzerSensorPrivacyManager> sensorPrivacyManager = new FuzzerSensorPrivacyManager();
-    fakeServiceManager->addService(String16("sensor_privacy"),
-                                   IInterface::asBinder(sensorPrivacyManager));
-    sp<FuzzerPermissionController> permissionController = new FuzzerPermissionController();
-    fakeServiceManager->addService(String16("permission"),
-                                   IInterface::asBinder(permissionController));
-
-    sp<FuzzerSchedulingPolicyService> schedulingService = new FuzzerSchedulingPolicyService();
-    fakeServiceManager->addService(String16("scheduling_policy"),
-                                   IInterface::asBinder(schedulingService));
-
-    const auto audioFlingerObj = sp<AudioFlinger>::make();
-    const auto afAdapter = sp<AudioFlingerServerAdapter>::make(audioFlingerObj);
-
-    fakeServiceManager->addService(String16(IAudioFlinger::DEFAULT_SERVICE_NAME),
-                                   IInterface::asBinder(afAdapter), false /* allowIsolated */,
-                                   IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT);
-
-    const auto audioPolicyService = sp<AudioPolicyService>::make();
-    fakeServiceManager->addService(String16("media.audio_policy"), audioPolicyService,
-                                   false /* allowIsolated */,
-                                   IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT);
-
-    sp<IBinder> binder =
-            fakeServiceManager->getService(String16(IAudioFlinger::DEFAULT_SERVICE_NAME));
-    gAudioFlingerService = interface_cast<media::IAudioFlingerService>(binder);
-    return 0;
+    CHECK_EQ(NO_ERROR, fakeServiceManager->addService(serviceName, binder));
+    return true;
 }
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-    if (!gAudioFlingerService) {
-        return 0;
+    FuzzedDataProvider fdp(data, size);
+
+    std::call_once(gSmOnce, [&] {
+        /* Create a FakeServiceManager instance and add required services */
+        gFakeServiceManager = sp<FakeServiceManager>::make();
+        setDefaultServiceManager(gFakeServiceManager);
+    });
+    gFakeServiceManager->clear();
+
+    for (const char* service :
+         {"activity", "sensor_privacy", "permission", "scheduling_policy",
+          "android.hardware.audio.core.IConfig", "batterystats", "media.metrics"}) {
+        if (!addService(String16(service), gFakeServiceManager, fdp)) {
+            return 0;
+        }
     }
 
-    fuzzService(media::IAudioFlingerService::asBinder(gAudioFlingerService),
-                FuzzedDataProvider(data, size));
+    const auto audioFlinger = sp<AudioFlinger>::make();
+    const auto afAdapter = sp<AudioFlingerServerAdapter>::make(audioFlinger);
+
+    CHECK_EQ(NO_ERROR,
+             gFakeServiceManager->addService(
+                     String16(IAudioFlinger::DEFAULT_SERVICE_NAME), IInterface::asBinder(afAdapter),
+                     false /* allowIsolated */, IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT));
+
+    AudioSystem::get_audio_flinger_for_fuzzer();
+    const auto audioPolicyService = sp<AudioPolicyService>::make();
+
+    CHECK_EQ(NO_ERROR,
+             gFakeServiceManager->addService(String16("media.audio_policy"), audioPolicyService,
+                                             false /* allowIsolated */,
+                                             IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT));
+
+    sp<IBinder> audioFlingerServiceBinder =
+            gFakeServiceManager->getService(String16(IAudioFlinger::DEFAULT_SERVICE_NAME));
+    sp<media::IAudioFlingerService> audioFlingerService =
+            interface_cast<media::IAudioFlingerService>(audioFlingerServiceBinder);
+
+    fuzzService(media::IAudioFlingerService::asBinder(audioFlingerService), std::move(fdp));
 
     return 0;
 }