Fix for heap-use-after-free in GPUService.cpp
This adds a unit test and fix for the bug reported by libfuzzer.
Changes made:
* Expose GPUService as testable code.
* Update main_gpuservice.cpp to use the new GpuService now located at
gpuservice/GpuService.h
* Make initializer threads members of GpuService
* Join the threads in destructor to prevent heap-use-after-free.
* Add a unit test that waits 3 seconds after deallocation to ensure no
invalid memory access is made.
Merged-In: I4d1d2d4658b575bf2c8f425f91f68f03114ad029
Bug: 282919145
Test: Added unit test and ran on device with ASAN
Change-Id: I4d1d2d4658b575bf2c8f425f91f68f03114ad029
(cherry picked from commit 3c00cbc0f119c3f59325aa6d5061529feb58462b)
diff --git a/services/gpuservice/tests/unittests/GpuServiceTest.cpp b/services/gpuservice/tests/unittests/GpuServiceTest.cpp
new file mode 100644
index 0000000..62b3e53
--- /dev/null
+++ b/services/gpuservice/tests/unittests/GpuServiceTest.cpp
@@ -0,0 +1,52 @@
+#undef LOG_TAG
+#define LOG_TAG "gpuservice_unittest"
+
+#include "gpuservice/GpuService.h"
+
+#include <gtest/gtest.h>
+#include <log/log_main.h>
+
+#include <chrono>
+#include <thread>
+
+namespace android {
+namespace {
+
+class GpuServiceTest : public testing::Test {
+public:
+ GpuServiceTest() {
+ const ::testing::TestInfo* const test_info =
+ ::testing::UnitTest::GetInstance()->current_test_info();
+ ALOGD("**** Setting up for %s.%s\n", test_info->test_case_name(), test_info->name());
+ }
+
+ ~GpuServiceTest() {
+ const ::testing::TestInfo* const test_info =
+ ::testing::UnitTest::GetInstance()->current_test_info();
+ ALOGD("**** Tearing down after %s.%s\n", test_info->test_case_name(), test_info->name());
+ }
+
+};
+
+
+/*
+* The behaviour before this test + fixes was UB caused by threads accessing deallocated memory.
+*
+* This test creates the service (which initializes the culprit threads),
+* deallocates it immediately and sleeps.
+*
+* GpuService's destructor gets called and joins the threads.
+* If we haven't crashed by the time the sleep time has elapsed, we're good
+* Let the test pass.
+*/
+TEST_F(GpuServiceTest, onInitializeShouldNotCauseUseAfterFree) {
+ sp<GpuService> service = new GpuService();
+ service.clear();
+ std::this_thread::sleep_for(std::chrono::seconds(3));
+
+ // If we haven't crashed yet due to threads accessing freed up memory, let the test pass
+ EXPECT_TRUE(true);
+}
+
+} // namespace
+} // namespace android
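Review bot: `EXPECT_TRUE(true)` at the end of `onInitializeShouldNotCauseUseAfterFree` asserts nothing, so the test can only fail by crashing, and a stray thread touching freed memory is reliably reported only in a sanitizer build (the commit message mentions ASAN). I would drop that line and state the dependency in the block comment above the test, e.g. `* Only meaningful under ASAN/HWASAN: a regression shows up as a sanitizer report, not as a failed assertion.` The 3-second sleep is a timing guess for catching a regression; if the destructor joins the threads as the description says (that code is not in this hunk), the fixed path does not need it, so a short comment on why 3 s was chosen would help. The test also assumes `service.clear()` drops the last strong reference so the destructor actually runs, which is worth confirming against the GpuService constructor.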