Add fuzzer for EVS HAL
Bug: 147513710
Test: Follow go/android-fuzzing to build and test
Change-Id: Ia2a64f73d3928bc529a1785e999ed7f032446f8a
diff --git a/automotive/evs/1.1/vts/fuzzing/Android.bp b/automotive/evs/1.1/vts/fuzzing/Android.bp
new file mode 100644
index 0000000..48427ee
--- /dev/null
+++ b/automotive/evs/1.1/vts/fuzzing/Android.bp
@@ -0,0 +1,50 @@
+//
+// Copyright 2020 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+cc_defaults {
+ name: "android.hardware.automotive.evs@fuzz-defaults",
+ defaults: ["VtsHalTargetTestDefaults"],
+ shared_libs: [
+ "libui",
+ "libcamera_metadata",
+ ],
+ static_libs: [
+ "android.hardware.automotive.evs@1.0",
+ "android.hardware.automotive.evs@1.1",
+ "android.hardware.automotive.evs@common-default-lib",
+ "android.hardware.graphics.common@1.0",
+ "android.hardware.graphics.common@1.1",
+ "android.hardware.graphics.common@1.2",
+ "android.hardware.camera.device@3.2",
+ ],
+ cflags: [
+ "-O0",
+ "-g",
+ ],
+}
+
+cc_fuzz {
+ name: "VtsHalEvsV1_1CameraOpenFuzz",
+ defaults: ["android.hardware.automotive.evs@fuzz-defaults"],
+ srcs: [
+ "VtsHalEvsV1_1CameraOpenFuzz.cpp",
+ ],
+ fuzz_config: {
+ // wait for Haiku device ready
+ fuzz_on_haiku_device: false,
+ fuzz_on_haiku_host: false,
+ },
+}
diff --git a/automotive/evs/1.1/vts/fuzzing/VtsHalEvsV1_1CameraOpenFuzz.cpp b/automotive/evs/1.1/vts/fuzzing/VtsHalEvsV1_1CameraOpenFuzz.cpp
new file mode 100644
index 0000000..4f05d21
--- /dev/null
+++ b/automotive/evs/1.1/vts/fuzzing/VtsHalEvsV1_1CameraOpenFuzz.cpp
@@ -0,0 +1,84 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "common.h"
+
+using ::android::hardware::automotive::evs::V1_0::DisplayDesc;
+using ::android::hardware::camera::device::V3_2::Stream;
+using IEvsCamera_1_1 = ::android::hardware::automotive::evs::V1_1::IEvsCamera;
+
+extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
+ UNUSED(argc);
+ UNUSED(argv);
+ pEnumerator = IEvsEnumerator::getService(kEnumeratorName);
+ sp<EvsDeathRecipient> dr = new EvsDeathRecipient();
+
+ pEnumerator->linkToDeath(dr, 0);
+
+ loadCameraList();
+ return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ FuzzedDataProvider fdp(data, size);
+
+ std::vector<sp<IEvsCamera_1_1>> camList;
+ Stream nullCfg = {};
+
+ while (fdp.remaining_bytes() > 4) {
+ switch (fdp.ConsumeIntegralInRange<uint32_t>(0, 3)) {
+ case 0: // open camera
+ {
+ uint32_t whichCam = fdp.ConsumeIntegralInRange<uint32_t>(0, cameraInfo.size() - 1);
+ sp<IEvsCamera_1_1> pCam =
+ IEvsCamera_1_1::castFrom(pEnumerator->openCamera_1_1(
+ cameraInfo[whichCam].v1.cameraId, nullCfg))
+ .withDefault(nullptr);
+ camList.emplace_back(pCam);
+ break;
+ }
+ case 1: // close camera
+ {
+ if (!camList.empty()) {
+ uint32_t whichCam = fdp.ConsumeIntegralInRange<uint32_t>(0, camList.size() - 1);
+ pEnumerator->closeCamera(camList[whichCam]);
+ }
+ break;
+ }
+ case 2: // get camera info
+ {
+ if (!camList.empty()) {
+ uint32_t whichCam = fdp.ConsumeIntegralInRange<uint32_t>(0, camList.size() - 1);
+ camList[whichCam]->getCameraInfo_1_1([](CameraDesc desc) { UNUSED(desc); });
+ }
+ break;
+ }
+ case 3: // setMaxFramesInFlight
+ {
+ if (!camList.empty()) {
+ uint32_t whichCam = fdp.ConsumeIntegralInRange<uint32_t>(0, camList.size() - 1);
+ int32_t numFrames = fdp.ConsumeIntegral<int32_t>();
+ camList[whichCam]->setMaxFramesInFlight(numFrames);
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ }
+
+ return 0;
+}
diff --git a/automotive/evs/1.1/vts/fuzzing/common.h b/automotive/evs/1.1/vts/fuzzing/common.h
new file mode 100644
index 0000000..af6fd54
--- /dev/null
+++ b/automotive/evs/1.1/vts/fuzzing/common.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define LOG_TAG "VtsHalEvsTest"
+#define UNUSED(x) (void)(x)
+
+const static char kEnumeratorName[] = "EvsEnumeratorHw";
+
+#include <android/hardware/automotive/evs/1.1/IEvsEnumerator.h>
+#include <fuzzer/FuzzedDataProvider.h>
+#include <hidl/HidlTransportSupport.h>
+#include <utils/StrongPointer.h>
+
+using namespace ::android::hardware::automotive::evs::V1_1;
+
+using ::android::sp;
+using ::android::hardware::hidl_death_recipient;
+using ::android::hardware::hidl_vec;
+
+static sp<IEvsEnumerator> pEnumerator;
+static std::vector<CameraDesc> cameraInfo;
+
+class EvsDeathRecipient : public hidl_death_recipient {
+ public:
+ void serviceDied(uint64_t /*cookie*/,
+ const android::wp<::android::hidl::base::V1_0::IBase>& /*who*/) override {
+ abort();
+ }
+};
+
+void loadCameraList() {
+ // SetUp() must run first!
+ assert(pEnumerator != nullptr);
+
+ // Get the camera list
+ pEnumerator->getCameraList_1_1([](hidl_vec<CameraDesc> cameraList) {
+ ALOGI("Camera list callback received %zu cameras", cameraList.size());
+ cameraInfo.reserve(cameraList.size());
+ for (auto&& cam : cameraList) {
+ ALOGI("Found camera %s", cam.v1.cameraId.c_str());
+ cameraInfo.push_back(cam);
+ }
+ });
+}