commit f61c0471dedc68b367931cad9e04edf9a24ee05a
author Harry Cutts <hcutts@google.com> Mon Jul 10 14:45:15 2023 +0000
committer Harry Cutts <hcutts@google.com> Wed Jul 19 09:58:34 2023 +0000
tree fc1d0b4a49425eaae7ad4cb2add6ba3cd38f2330
parent 2455b77d1bc34c479f099dfed35c2318212b048f

inputflinger fuzzers: Remove FuzzContainer

As discussed on the touchpad fuzzer CL [0], FuzzContainer was hiding
quite a bit of internal state and making fuzzers harder to understand.
Its constructor appeared to be deduplicating code, but looking more
closely, it wasn't really helping that much, especially for the most
common cases. Replace it with a few static methods, making it clearer
how state is being changed in the fuzzers.

[0] Change ID Ic22ac0f29d433fdf3c17331df620a39937ebd7eb

Bug: 245989146
Test: build and briefly run all modified fuzzers
      $ SANITIZE_TARGET=hwaddress make ${FUZZER_NAME}
      $ cd $ANDROID_PRODUCT_OUT
      $ adb root
      $ adb sync data
      $ adb shell /data/fuzz/$(get_build_var TARGET_ARCH)/${FUZZER_NAME}/${FUZZER_NAME}

Change-Id: I6e28b1f5ec62dc2d084173c1eb461c4bb699678b

services/inputflinger/tests/fuzzers/TouchpadInputFuzzer.cpp

diff --git a/services/inputflinger/tests/fuzzers/TouchpadInputFuzzer.cpp b/services/inputflinger/tests/fuzzers/TouchpadInputFuzzer.cpp
index 796178a..be765cc 100644
--- a/services/inputflinger/tests/fuzzers/TouchpadInputFuzzer.cpp
+++ b/services/inputflinger/tests/fuzzers/TouchpadInputFuzzer.cpp
@@ -15,12 +15,13 @@
  */
 
 #include <limits>
+#include <memory>
 #include <string>
 #include <vector>
 
 #include <linux/input-event-codes.h>
 
-#include <FuzzContainer.h>
+#include <InputDevice.h>
 #include <InputReaderBase.h>
 #include <MapperHelpers.h>
 #include <TouchpadInputMapper.h>
@@ -29,30 +30,30 @@
 
 namespace {
 
-void setAxisInfo(ThreadSafeFuzzedDataProvider& fdp, FuzzContainer& fuzzer, int axis) {
+void setAxisInfo(ThreadSafeFuzzedDataProvider& fdp, FuzzEventHub& eventHub, int32_t id, int axis) {
     if (fdp.ConsumeBool()) {
-        fuzzer.setAbsoluteAxisInfo(axis,
-                                   RawAbsoluteAxisInfo{
-                                           .valid = fdp.ConsumeBool(),
-                                           .minValue = fdp.ConsumeIntegral<int32_t>(),
-                                           .maxValue = fdp.ConsumeIntegral<int32_t>(),
-                                           .flat = fdp.ConsumeIntegral<int32_t>(),
-                                           .fuzz = fdp.ConsumeIntegral<int32_t>(),
-                                           .resolution = fdp.ConsumeIntegral<int32_t>(),
-                                   });
+        eventHub.setAbsoluteAxisInfo(id, axis,
+                                     RawAbsoluteAxisInfo{
+                                             .valid = fdp.ConsumeBool(),
+                                             .minValue = fdp.ConsumeIntegral<int32_t>(),
+                                             .maxValue = fdp.ConsumeIntegral<int32_t>(),
+                                             .flat = fdp.ConsumeIntegral<int32_t>(),
+                                             .fuzz = fdp.ConsumeIntegral<int32_t>(),
+                                             .resolution = fdp.ConsumeIntegral<int32_t>(),
+                                     });
     }
 }
 
-void setAxisInfos(ThreadSafeFuzzedDataProvider& fdp, FuzzContainer& fuzzer) {
-    setAxisInfo(fdp, fuzzer, ABS_MT_SLOT);
-    setAxisInfo(fdp, fuzzer, ABS_MT_POSITION_X);
-    setAxisInfo(fdp, fuzzer, ABS_MT_POSITION_Y);
-    setAxisInfo(fdp, fuzzer, ABS_MT_PRESSURE);
-    setAxisInfo(fdp, fuzzer, ABS_MT_ORIENTATION);
-    setAxisInfo(fdp, fuzzer, ABS_MT_TOUCH_MAJOR);
-    setAxisInfo(fdp, fuzzer, ABS_MT_TOUCH_MINOR);
-    setAxisInfo(fdp, fuzzer, ABS_MT_WIDTH_MAJOR);
-    setAxisInfo(fdp, fuzzer, ABS_MT_WIDTH_MINOR);
+void setAxisInfos(ThreadSafeFuzzedDataProvider& fdp, FuzzEventHub& eventHub, int32_t id) {
+    setAxisInfo(fdp, eventHub, id, ABS_MT_SLOT);
+    setAxisInfo(fdp, eventHub, id, ABS_MT_POSITION_X);
+    setAxisInfo(fdp, eventHub, id, ABS_MT_POSITION_Y);
+    setAxisInfo(fdp, eventHub, id, ABS_MT_PRESSURE);
+    setAxisInfo(fdp, eventHub, id, ABS_MT_ORIENTATION);
+    setAxisInfo(fdp, eventHub, id, ABS_MT_TOUCH_MAJOR);
+    setAxisInfo(fdp, eventHub, id, ABS_MT_TOUCH_MINOR);
+    setAxisInfo(fdp, eventHub, id, ABS_MT_WIDTH_MAJOR);
+    setAxisInfo(fdp, eventHub, id, ABS_MT_WIDTH_MINOR);
 }
 
 const std::vector<std::string> boolPropertiesToFuzz = {
@@ -89,32 +90,32 @@
         "gestureProp.Two_Finger_Vertical_Close_Distance_Thresh",
 };
 
-void setDeviceSpecificConfig(ThreadSafeFuzzedDataProvider& fdp, FuzzContainer& fuzzer) {
+void setDeviceSpecificConfig(ThreadSafeFuzzedDataProvider& fdp, FuzzEventHub& eventHub) {
     // There are a great many gesture properties offered by the Gestures library, all of which could
     // potentially be set in Input Device Configuration files. Maintaining a complete list is
     // impractical, so instead we only fuzz properties which are used in at least one IDC file, or
     // which are likely to be used in future (e.g. ones for controlling palm rejection).
 
     if (fdp.ConsumeBool()) {
-        fuzzer.addProperty("gestureProp.Touchpad_Stack_Version",
-                           std::to_string(fdp.ConsumeIntegral<int>()));
+        eventHub.addProperty("gestureProp.Touchpad_Stack_Version",
+                             std::to_string(fdp.ConsumeIntegral<int>()));
     }
 
     for (auto& propertyName : boolPropertiesToFuzz) {
         if (fdp.ConsumeBool()) {
-            fuzzer.addProperty(propertyName, fdp.ConsumeBool() ? "1" : "0");
+            eventHub.addProperty(propertyName, fdp.ConsumeBool() ? "1" : "0");
         }
     }
 
     for (auto& propertyName : doublePropertiesToFuzz) {
         if (fdp.ConsumeBool()) {
-            fuzzer.addProperty(propertyName, std::to_string(fdp.ConsumeFloatingPoint<double>()));
+            eventHub.addProperty(propertyName, std::to_string(fdp.ConsumeFloatingPoint<double>()));
         }
     }
 
     if (fdp.ConsumeBool()) {
-        fuzzer.addProperty("gestureProp." + fdp.ConsumeRandomLengthString(),
-                           std::to_string(fdp.ConsumeIntegral<int>()));
+        eventHub.addProperty("gestureProp." + fdp.ConsumeRandomLengthString(),
+                             std::to_string(fdp.ConsumeIntegral<int>()));
     }
 }
 
@@ -130,16 +131,23 @@
 extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size) {
     std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp =
             std::make_shared<ThreadSafeFuzzedDataProvider>(data, size);
-    FuzzContainer fuzzer(fdp);
-    setAxisInfos(*fdp, fuzzer);
-    setDeviceSpecificConfig(*fdp, fuzzer);
+
+    // Create mocked objects to support the fuzzed input mapper.
+    std::shared_ptr<FuzzEventHub> eventHub = std::make_shared<FuzzEventHub>(fdp);
+    FuzzInputReaderContext context(eventHub, fdp);
+    InputDevice device = getFuzzedInputDevice(*fdp, &context);
+
+    setAxisInfos(*fdp, *eventHub.get(), device.getId());
+    setDeviceSpecificConfig(*fdp, *eventHub.get());
 
     InputReaderConfiguration policyConfig;
     // Some settings are fuzzed here, as well as in the main loop, to provide randomized data to the
     // TouchpadInputMapper constructor.
     setTouchpadSettings(*fdp, policyConfig);
     policyConfig.pointerCaptureRequest.enable = fdp->ConsumeBool();
-    TouchpadInputMapper& mapper = fuzzer.getMapper<TouchpadInputMapper>(policyConfig);
+    TouchpadInputMapper& mapper =
+            getMapperForDevice<ThreadSafeFuzzedDataProvider, TouchpadInputMapper>(*fdp, device,
+                                                                                  policyConfig);
 
     // Loop through mapper operations until randomness is exhausted.
     while (fdp->remaining_bytes() > 0) {