Refactored automotiveCanV1.0_fuzzer
The following are the updates to the fuzzer:
1. Randomised order of API calls using fdp.
2. Added New APIs.
exec/s: 35
Test: ./automotiveCanV1.0_fuzzer
Bug: 301907840
Change-Id: I66b4622bcf93ac5fbead522f6991a62361b85dda
diff --git a/automotive/can/1.0/default/tests/fuzzer/AutomotiveCanV1_0Fuzzer.cpp b/automotive/can/1.0/default/tests/fuzzer/AutomotiveCanV1_0Fuzzer.cpp
index 96110db..e882160 100644
--- a/automotive/can/1.0/default/tests/fuzzer/AutomotiveCanV1_0Fuzzer.cpp
+++ b/automotive/can/1.0/default/tests/fuzzer/AutomotiveCanV1_0Fuzzer.cpp
@@ -18,9 +18,9 @@
namespace android::hardware::automotive::can::V1_0::implementation::fuzzer {
-constexpr CanController::InterfaceType kInterfaceType[] = {CanController::InterfaceType::VIRTUAL,
- CanController::InterfaceType::SOCKETCAN,
- CanController::InterfaceType::SLCAN};
+constexpr CanController::InterfaceType kInterfaceType[] = {
+ CanController::InterfaceType::VIRTUAL, CanController::InterfaceType::SOCKETCAN,
+ CanController::InterfaceType::SLCAN, CanController::InterfaceType::INDEXED};
constexpr FilterFlag kFilterFlag[] = {FilterFlag::DONT_CARE, FilterFlag::SET, FilterFlag::NOT_SET};
constexpr size_t kInterfaceTypeLength = std::size(kInterfaceType);
constexpr size_t kFilterFlagLength = std::size(kFilterFlag);
@@ -28,8 +28,8 @@
constexpr size_t kMaxPayloadBytes = 64;
constexpr size_t kMaxFilters = 20;
constexpr size_t kMaxSerialNumber = 1000;
-constexpr size_t kMaxBuses = 10;
-constexpr size_t kMaxRepeat = 5;
+constexpr size_t kMaxBuses = 100;
+constexpr size_t kMaxRepeat = 100;
Bus CanFuzzer::makeBus() {
ICanController::BusConfig config = {};
@@ -56,9 +56,13 @@
}
void CanFuzzer::invokeUpInterface() {
- const CanController::InterfaceType iftype =
- kInterfaceType[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
- 0, kInterfaceTypeLength - 1)];
+ CanController::InterfaceType controller;
+ if (mFuzzedDataProvider->ConsumeBool()) {
+ controller = (CanController::InterfaceType)mFuzzedDataProvider->ConsumeIntegral<uint8_t>();
+ } else {
+ controller = kInterfaceType[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
+ 0, kInterfaceTypeLength - 1)];
+ }
std::string configName;
if (const bool shouldInvokeValidBus = mFuzzedDataProvider->ConsumeBool();
@@ -73,7 +77,7 @@
ICanController::BusConfig config = {.name = configName};
- if (iftype == CanController::InterfaceType::SOCKETCAN) {
+ if (controller == CanController::InterfaceType::SOCKETCAN) {
CanController::BusConfig::InterfaceId::Socketcan socketcan = {};
if (const bool shouldPassSerialSocket = mFuzzedDataProvider->ConsumeBool();
shouldPassSerialSocket) {
@@ -83,7 +87,7 @@
socketcan.ifname(ifname);
}
config.interfaceId.socketcan(socketcan);
- } else if (iftype == CanController::InterfaceType::SLCAN) {
+ } else if (controller == CanController::InterfaceType::SLCAN) {
CanController::BusConfig::InterfaceId::Slcan slcan = {};
if (const bool shouldPassSerialSlcan = mFuzzedDataProvider->ConsumeBool();
shouldPassSerialSlcan) {
@@ -93,8 +97,12 @@
slcan.ttyname(ifname);
}
config.interfaceId.slcan(slcan);
- } else if (iftype == CanController::InterfaceType::VIRTUAL) {
+ } else if (controller == CanController::InterfaceType::VIRTUAL) {
config.interfaceId.virtualif({ifname});
+ } else if (controller == CanController::InterfaceType::INDEXED) {
+ CanController::BusConfig::InterfaceId::Indexed indexed;
+ indexed.index = mFuzzedDataProvider->ConsumeIntegral<uint8_t>();
+ config.interfaceId.indexed(indexed);
}
const size_t numInvocations =
@@ -108,8 +116,13 @@
hidl_string configName;
if (const bool shouldInvokeValidBus = mFuzzedDataProvider->ConsumeBool();
(shouldInvokeValidBus) && (mBusNames.size() > 0)) {
- const size_t busNameIndex =
- mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, mBusNames.size() - 1);
+ size_t busNameIndex;
+ if (mBusNames.size() == 1) {
+ busNameIndex = 0;
+ } else {
+ busNameIndex =
+ mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, mBusNames.size() - 1);
+ }
configName = mBusNames[busNameIndex];
} else {
configName = mFuzzedDataProvider->ConsumeRandomLengthString(kMaxCharacters);
@@ -122,12 +135,6 @@
}
}
-void CanFuzzer::invokeController() {
- getSupportedInterfaceTypes();
- invokeUpInterface();
- invokeDownInterface();
-}
-
void CanFuzzer::invokeBus() {
const size_t numBuses = mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(1, kMaxBuses);
for (size_t i = 0; i < numBuses; ++i) {
@@ -152,12 +159,22 @@
for (uint32_t k = 0; k < numFilters; ++k) {
filterVector[k].id = mFuzzedDataProvider->ConsumeIntegral<uint32_t>();
filterVector[k].mask = mFuzzedDataProvider->ConsumeIntegral<uint32_t>();
- filterVector[k].rtr =
- kFilterFlag[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
- 0, kFilterFlagLength - 1)];
- filterVector[k].extendedFormat =
- kFilterFlag[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
- 0, kFilterFlagLength - 1)];
+ if (mFuzzedDataProvider->ConsumeBool()) {
+ filterVector[k].rtr =
+ (FilterFlag)mFuzzedDataProvider->ConsumeIntegral<uint8_t>();
+ } else {
+ filterVector[k].rtr =
+ kFilterFlag[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
+ 0, kFilterFlagLength - 1)];
+ }
+ if (mFuzzedDataProvider->ConsumeBool()) {
+ filterVector[k].extendedFormat =
+ (FilterFlag)mFuzzedDataProvider->ConsumeIntegral<uint8_t>();
+ } else {
+ filterVector[k].extendedFormat =
+ kFilterFlag[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
+ 0, kFilterFlagLength - 1)];
+ }
filterVector[k].exclude = mFuzzedDataProvider->ConsumeBool();
}
auto listener = listeningBus.listen(filterVector);
@@ -175,8 +192,16 @@
void CanFuzzer::process(const uint8_t* data, size_t size) {
mFuzzedDataProvider = new FuzzedDataProvider(data, size);
- invokeController();
- invokeBus();
+ while (mFuzzedDataProvider->remaining_bytes()) {
+ auto CanFuzzerFunction =
+ mFuzzedDataProvider->PickValueInArray<const std::function<void()>>({
+ [&]() { getSupportedInterfaceTypes(); },
+ [&]() { invokeUpInterface(); },
+ [&]() { invokeDownInterface(); },
+ [&]() { invokeBus(); },
+ });
+ CanFuzzerFunction();
+ }
}
bool CanFuzzer::init() {
diff --git a/automotive/can/1.0/default/tests/fuzzer/AutomotiveCanV1_0Fuzzer.h b/automotive/can/1.0/default/tests/fuzzer/AutomotiveCanV1_0Fuzzer.h
index 930cddd..3211bd0 100644
--- a/automotive/can/1.0/default/tests/fuzzer/AutomotiveCanV1_0Fuzzer.h
+++ b/automotive/can/1.0/default/tests/fuzzer/AutomotiveCanV1_0Fuzzer.h
@@ -116,7 +116,6 @@
hidl_vec<hidl_string> getBusNames();
void getSupportedInterfaceTypes();
void invokeBus();
- void invokeController();
void invokeUpInterface();
void invokeDownInterface();
FuzzedDataProvider* mFuzzedDataProvider = nullptr;