Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_native / de549d4fe45b5af63bed7ac93adeb9a2715464db / . / services / surfaceflinger / fuzzer / surfaceflinger_fuzzer.cpp
blob: 4f89cd9a45cdd2f9d4c64674168b919db747745e [file] [log] [blame]
Alec Mourib2089a32022-01-15 00:34:20 +0000[diff] [blame]1/*
2 * Copyright 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
18#include <FuzzableDataspaces.h>
19#include <binder/IServiceManager.h>
20#include <fuzzer/FuzzedDataProvider.h>
21#include <ui/DisplayStatInfo.h>
22#include "surfaceflinger_fuzzers_utils.h"
23
24namespace android::fuzz {
25
26static constexpr LatchUnsignaledConfig kLatchUnsignaledConfig[] = {
27 LatchUnsignaledConfig::Always,
28 LatchUnsignaledConfig::Auto,
29 LatchUnsignaledConfig::Disabled,
30};
31
32static constexpr ui::PixelFormat kPixelFormats[] = {ui::PixelFormat::RGBA_8888,
33 ui::PixelFormat::RGBX_8888,
34 ui::PixelFormat::RGB_888,
35 ui::PixelFormat::RGB_565,
36 ui::PixelFormat::BGRA_8888,
37 ui::PixelFormat::YCBCR_422_SP,
38 ui::PixelFormat::YCRCB_420_SP,
39 ui::PixelFormat::YCBCR_422_I,
40 ui::PixelFormat::RGBA_FP16,
41 ui::PixelFormat::RAW16,
42 ui::PixelFormat::BLOB,
43 ui::PixelFormat::IMPLEMENTATION_DEFINED,
44 ui::PixelFormat::YCBCR_420_888,
45 ui::PixelFormat::RAW_OPAQUE,
46 ui::PixelFormat::RAW10,
47 ui::PixelFormat::RAW12,
48 ui::PixelFormat::RGBA_1010102,
49 ui::PixelFormat::Y8,
50 ui::PixelFormat::Y16,
51 ui::PixelFormat::YV12,
52 ui::PixelFormat::DEPTH_16,
53 ui::PixelFormat::DEPTH_24,
54 ui::PixelFormat::DEPTH_24_STENCIL_8,
55 ui::PixelFormat::DEPTH_32F,
56 ui::PixelFormat::DEPTH_32F_STENCIL_8,
57 ui::PixelFormat::STENCIL_8,
58 ui::PixelFormat::YCBCR_P010,
59 ui::PixelFormat::HSV_888};
60
61static constexpr ui::Rotation kRotations[] = {ui::Rotation::Rotation0, ui::Rotation::Rotation90,
62 ui::Rotation::Rotation180, ui::Rotation::Rotation270};
63
64static constexpr BnSurfaceComposer::ISurfaceComposerTag kSurfaceComposerTags[]{
65 BnSurfaceComposer::BOOT_FINISHED,
66 BnSurfaceComposer::CREATE_CONNECTION,
67 BnSurfaceComposer::GET_STATIC_DISPLAY_INFO,
68 BnSurfaceComposer::CREATE_DISPLAY_EVENT_CONNECTION,
69 BnSurfaceComposer::CREATE_DISPLAY,
70 BnSurfaceComposer::DESTROY_DISPLAY,
71 BnSurfaceComposer::GET_PHYSICAL_DISPLAY_TOKEN,
72 BnSurfaceComposer::SET_TRANSACTION_STATE,
73 BnSurfaceComposer::AUTHENTICATE_SURFACE,
74 BnSurfaceComposer::GET_SUPPORTED_FRAME_TIMESTAMPS,
75 BnSurfaceComposer::GET_DISPLAY_MODES,
76 BnSurfaceComposer::GET_ACTIVE_DISPLAY_MODE,
77 BnSurfaceComposer::GET_DISPLAY_STATE,
78 BnSurfaceComposer::CAPTURE_DISPLAY,
79 BnSurfaceComposer::CAPTURE_LAYERS,
80 BnSurfaceComposer::CLEAR_ANIMATION_FRAME_STATS,
81 BnSurfaceComposer::GET_ANIMATION_FRAME_STATS,
82 BnSurfaceComposer::SET_POWER_MODE,
83 BnSurfaceComposer::GET_DISPLAY_STATS,
84 BnSurfaceComposer::GET_HDR_CAPABILITIES,
85 BnSurfaceComposer::GET_DISPLAY_COLOR_MODES,
86 BnSurfaceComposer::GET_ACTIVE_COLOR_MODE,
87 BnSurfaceComposer::SET_ACTIVE_COLOR_MODE,
88 BnSurfaceComposer::ENABLE_VSYNC_INJECTIONS,
89 BnSurfaceComposer::INJECT_VSYNC,
90 BnSurfaceComposer::GET_LAYER_DEBUG_INFO,
91 BnSurfaceComposer::GET_COMPOSITION_PREFERENCE,
92 BnSurfaceComposer::GET_COLOR_MANAGEMENT,
93 BnSurfaceComposer::GET_DISPLAYED_CONTENT_SAMPLING_ATTRIBUTES,
94 BnSurfaceComposer::SET_DISPLAY_CONTENT_SAMPLING_ENABLED,
95 BnSurfaceComposer::GET_DISPLAYED_CONTENT_SAMPLE,
96 BnSurfaceComposer::GET_PROTECTED_CONTENT_SUPPORT,
97 BnSurfaceComposer::IS_WIDE_COLOR_DISPLAY,
98 BnSurfaceComposer::GET_DISPLAY_NATIVE_PRIMARIES,
99 BnSurfaceComposer::GET_PHYSICAL_DISPLAY_IDS,
100 BnSurfaceComposer::ADD_REGION_SAMPLING_LISTENER,
101 BnSurfaceComposer::REMOVE_REGION_SAMPLING_LISTENER,
102 BnSurfaceComposer::SET_DESIRED_DISPLAY_MODE_SPECS,
103 BnSurfaceComposer::GET_DESIRED_DISPLAY_MODE_SPECS,
104 BnSurfaceComposer::GET_DISPLAY_BRIGHTNESS_SUPPORT,
105 BnSurfaceComposer::SET_DISPLAY_BRIGHTNESS,
106 BnSurfaceComposer::CAPTURE_DISPLAY_BY_ID,
107 BnSurfaceComposer::NOTIFY_POWER_BOOST,
108 BnSurfaceComposer::SET_GLOBAL_SHADOW_SETTINGS,
109 BnSurfaceComposer::GET_AUTO_LOW_LATENCY_MODE_SUPPORT,
110 BnSurfaceComposer::SET_AUTO_LOW_LATENCY_MODE,
111 BnSurfaceComposer::GET_GAME_CONTENT_TYPE_SUPPORT,
112 BnSurfaceComposer::SET_GAME_CONTENT_TYPE,
113 BnSurfaceComposer::SET_FRAME_RATE,
114 BnSurfaceComposer::ACQUIRE_FRAME_RATE_FLEXIBILITY_TOKEN,
115 BnSurfaceComposer::SET_FRAME_TIMELINE_INFO,
116 BnSurfaceComposer::ADD_TRANSACTION_TRACE_LISTENER,
117 BnSurfaceComposer::GET_GPU_CONTEXT_PRIORITY,
118 BnSurfaceComposer::GET_MAX_ACQUIRED_BUFFER_COUNT,
119 BnSurfaceComposer::GET_DYNAMIC_DISPLAY_INFO,
120 BnSurfaceComposer::ADD_FPS_LISTENER,
121 BnSurfaceComposer::REMOVE_FPS_LISTENER,
122 BnSurfaceComposer::OVERRIDE_HDR_TYPES,
123 BnSurfaceComposer::ADD_HDR_LAYER_INFO_LISTENER,
124 BnSurfaceComposer::REMOVE_HDR_LAYER_INFO_LISTENER,
125 BnSurfaceComposer::ON_PULL_ATOM,
126 BnSurfaceComposer::ADD_TUNNEL_MODE_ENABLED_LISTENER,
127 BnSurfaceComposer::REMOVE_TUNNEL_MODE_ENABLED_LISTENER,
128 BnSurfaceComposer::ADD_WINDOW_INFOS_LISTENER,
129 BnSurfaceComposer::REMOVE_WINDOW_INFOS_LISTENER,
130};
131
132static constexpr uint32_t kMinCode = 1000;
133static constexpr uint32_t kMaxCode = 1050;
134
135class SurfaceFlingerFuzzer {
136public:
137 SurfaceFlingerFuzzer(const uint8_t *data, size_t size) : mFdp(data, size) {
138 mFlinger = mTestableFlinger.flinger();
139 };
140 void process(const uint8_t *data, size_t size);
141
142private:
143 void setUp();
144 void invokeFlinger();
145 void setTransactionState();
146 void setInternalDisplayPrimaries();
147 void setDisplayStateLocked();
148 void onTransact(const uint8_t *data, size_t size);
149
150 FuzzedDataProvider mFdp;
151 TestableSurfaceFlinger mTestableFlinger;
152 sp<SurfaceFlinger> mFlinger = nullptr;
153};
154
155void SurfaceFlingerFuzzer::invokeFlinger() {
156 mFlinger->setSchedFifo(mFdp.ConsumeBool());
157 mFlinger->setSchedAttr(mFdp.ConsumeBool());
158 mFlinger->getServiceName();
159 mFlinger->hasSyncFramework = mFdp.ConsumeBool();
160 mFlinger->dispSyncPresentTimeOffset = mFdp.ConsumeIntegral<int64_t>();
161 mFlinger->useHwcForRgbToYuv = mFdp.ConsumeBool();
162 mFlinger->maxFrameBufferAcquiredBuffers = mFdp.ConsumeIntegral<int64_t>();
163 mFlinger->maxGraphicsWidth = mFdp.ConsumeIntegral<uint32_t>();
164 mFlinger->maxGraphicsHeight = mFdp.ConsumeIntegral<uint32_t>();
165 mFlinger->hasWideColorDisplay = mFdp.ConsumeBool();
166 mFlinger->internalDisplayOrientation = mFdp.PickValueInArray(kRotations);
167 mFlinger->useContextPriority = mFdp.ConsumeBool();
168
169 mFlinger->defaultCompositionDataspace = mFdp.PickValueInArray(kDataspaces);
170 mFlinger->defaultCompositionPixelFormat = mFdp.PickValueInArray(kPixelFormats);
171 mFlinger->wideColorGamutCompositionDataspace = mFdp.PickValueInArray(kDataspaces);
172 mFlinger->wideColorGamutCompositionPixelFormat = mFdp.PickValueInArray(kPixelFormats);
173
174 mFlinger->enableLatchUnsignaledConfig = mFdp.PickValueInArray(kLatchUnsignaledConfig);
175
176 mFlinger->scheduleComposite(mFdp.ConsumeBool()
177 ? scheduler::ISchedulerCallback::FrameHint::kActive
178 : scheduler::ISchedulerCallback::FrameHint::kNone);
179
180 mFlinger->scheduleRepaint();
181 mFlinger->scheduleSample();
182
183 uint32_t texture = mFlinger->getNewTexture();
184 mFlinger->deleteTextureAsync(texture);
185
186 sp<IBinder> handle = defaultServiceManager()->checkService(
187 String16(mFdp.ConsumeRandomLengthString().c_str()));
188 mFlinger->fromHandle(handle);
189 mFlinger->windowInfosReported();
190 mFlinger->disableExpensiveRendering();
191}
192
193void SurfaceFlingerFuzzer::setInternalDisplayPrimaries() {
194 ui::DisplayPrimaries primaries;
195 primaries.red.X = mFdp.ConsumeFloatingPoint<float>();
196 primaries.red.Y = mFdp.ConsumeFloatingPoint<float>();
197 primaries.red.Z = mFdp.ConsumeFloatingPoint<float>();
198 primaries.green.X = mFdp.ConsumeFloatingPoint<float>();
199 primaries.green.Y = mFdp.ConsumeFloatingPoint<float>();
200 primaries.green.Z = mFdp.ConsumeFloatingPoint<float>();
201 primaries.blue.X = mFdp.ConsumeFloatingPoint<float>();
202 primaries.blue.Y = mFdp.ConsumeFloatingPoint<float>();
203 primaries.blue.Z = mFdp.ConsumeFloatingPoint<float>();
204 primaries.white.X = mFdp.ConsumeFloatingPoint<float>();
205 primaries.white.Y = mFdp.ConsumeFloatingPoint<float>();
206 primaries.white.Z = mFdp.ConsumeFloatingPoint<float>();
207 mTestableFlinger.setInternalDisplayPrimaries(primaries);
208}
209
210void SurfaceFlingerFuzzer::setTransactionState() {
211 Vector<ComposerState> states;
212 Vector<DisplayState> displays;
213 ComposerState composerState;
214 composerState.state.what = layer_state_t::eLayerChanged;
215 composerState.state.surface = nullptr;
216 states.add(composerState);
217 uint32_t flags = mFdp.ConsumeIntegral<uint32_t>();
218 const sp<IBinder> applyToken = nullptr;
219 int64_t desiredPresentTime = mFdp.ConsumeIntegral<int64_t>();
220 bool isAutoTimestamp = mFdp.ConsumeBool();
221 bool hasListenerCallbacks = mFdp.ConsumeBool();
222 std::vector<ListenerCallbacks> listenerCallbacks{};
223 uint64_t transactionId = mFdp.ConsumeIntegral<uint64_t>();
224
225 mTestableFlinger.setTransactionState(FrameTimelineInfo{}, states, displays, flags, applyToken,
226 InputWindowCommands{}, desiredPresentTime, isAutoTimestamp,
227 {}, hasListenerCallbacks, listenerCallbacks,
228 transactionId);
229}
230
231void SurfaceFlingerFuzzer::setDisplayStateLocked() {
232 DisplayState state{};
233 mTestableFlinger.setDisplayStateLocked(state);
234}
235
236void SurfaceFlingerFuzzer::onTransact(const uint8_t *data, size_t size) {
237 Parcel fuzzedData, reply;
238 fuzzedData.writeInterfaceToken(String16("android.ui.ISurfaceComposer"));
239 fuzzedData.setData(data, size);
240 fuzzedData.setDataPosition(0);
241 uint32_t code = mFdp.ConsumeBool() ? mFdp.PickValueInArray(kSurfaceComposerTags)
242 : mFdp.ConsumeIntegralInRange<uint32_t>(kMinCode, kMaxCode);
243 mTestableFlinger.onTransact(code, fuzzedData, &reply, 0);
244}
245
246void SurfaceFlingerFuzzer::setUp() {
247 mTestableFlinger.setupScheduler(std::make_unique<android::mock::VsyncController>(),
248 std::make_unique<android::mock::VSyncTracker>(),
249 std::make_unique<android::mock::EventThread>(),
250 std::make_unique<android::mock::EventThread>());
251
252 mTestableFlinger.setupTimeStats(std::make_unique<android::mock::TimeStats>());
253
254 std::unique_ptr<android::renderengine::RenderEngine> renderEngine =
255 std::make_unique<android::renderengine::mock::RenderEngine>();
256 mTestableFlinger.setupRenderEngine(std::move(renderEngine));
257 mTestableFlinger.setupComposer(std::make_unique<android::Hwc2::mock::Composer>());
258}
259
260void SurfaceFlingerFuzzer::process(const uint8_t *data, size_t size) {
261 setUp();
262
263 invokeFlinger();
264
265 mTestableFlinger.fuzzSurfaceFlinger(data, size);
266
267 mTestableFlinger.setCreateBufferQueueFunction(
268 surfaceflinger::test::Factory::CreateBufferQueueFunction());
269 mTestableFlinger.setCreateNativeWindowSurface(
270 surfaceflinger::test::Factory::CreateNativeWindowSurfaceFunction());
271
272 setInternalDisplayPrimaries();
273
274 mTestableFlinger.enableHalVirtualDisplays(mFdp.ConsumeBool());
275
276 mTestableFlinger.commitTransactionsLocked(mFdp.ConsumeIntegral<uint32_t>());
277
278 mTestableFlinger.notifyPowerBoost(mFdp.ConsumeIntegral<int32_t>());
279
280 setDisplayStateLocked();
281
282 setTransactionState();
283 mTestableFlinger.flushTransactionQueues();
284
285 onTransact(data, size);
286}
287
288extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
289 android::fuzz::SurfaceFlingerFuzzer surfaceFlingerFuzzer(data, size);
290 surfaceFlingerFuzzer.process(data, size);
291 return 0;
292}
293
294} // namespace android::fuzz