libbinder fuzzer driver: uid corpus continuity
I was looking at the coverage for some of our fuzzers, and I
noticed that some paths were only taken with specific UIDs. This
change allows an easily discoverable single bit flip to try a
UID which is guaranteed to exist.
Bug: N/A
Test: run servicemanager_fuzzer for a few minutes
Change-Id: Ib0d8c608ec1fc609fa69f1f5b76e8dc25d548f38
diff --git a/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp b/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
index 69f7147..0b3902d 100644
--- a/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
+++ b/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
@@ -33,9 +33,13 @@
.extraFds = {},
};
+ // Always take so that a perturbation of just the one ConsumeBool byte will always
+ // take the same path, but with a different UID. Without this, the fuzzer needs to
+ // guess both the change in value and the shift at the same time.
+ int64_t maybeSetUid = provider.ConsumeIntegral<int64_t>();
if (provider.ConsumeBool()) {
// set calling uid
- IPCThreadState::self()->restoreCallingIdentity(provider.ConsumeIntegral<int64_t>());
+ IPCThreadState::self()->restoreCallingIdentity(maybeSetUid);
}
while (provider.remaining_bytes() > 0) {
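Review bot: the new comment above `maybeSetUid` begins "Always take so that ..." without saying what is taken. Suggest wording such as "Always consume the int64_t, so that flipping only the ConsumeBool byte keeps the rest of the input aligned and changes nothing but the UID". Because the eight bytes are now consumed even when `provider.ConsumeBool()` returns false, inputs in an existing corpus that took the false branch will decode differently from this point onward, which deserves a line in the commit message. The message also says the UID tried is "guaranteed to exist", while the hunk passes the raw `ConsumeIntegral<int64_t>()` value to `restoreCallingIdentity` unchanged. A short note in the comment on where that guarantee comes from would help the next reader.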