You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
65 lines
2.5 KiB
65 lines
2.5 KiB
/*
|
|
* Copyright 2020 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
#include <chrono>
|
|
#include <thread>
|
|
|
|
#include "fuzzer/FuzzedDataProvider.h"
|
|
#include "mediautils/TimeCheck.h"
|
|
|
|
static constexpr int kMaxStringLen = 256;
|
|
|
|
// While it might be interesting to test long-running
|
|
// jobs, it seems unlikely it'd lead to the types of crashes
|
|
// we're looking for, and would mean a significant increase in fuzzer time.
|
|
// Therefore, we are setting a low cap.
|
|
static constexpr uint32_t kMaxTimeoutMs = 1000;
|
|
static constexpr uint32_t kMinTimeoutMs = 200;
|
|
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
|
FuzzedDataProvider data_provider(data, size);
|
|
|
|
// There's essentially 5 operations that we can access in this class
|
|
// 1. The time it takes to run this operation. As mentioned above,
|
|
// long-running tasks are not good for fuzzing, but there will be
|
|
// some change in the run time.
|
|
uint32_t timeoutMs =
|
|
data_provider.ConsumeIntegralInRange<uint32_t>(kMinTimeoutMs, kMaxTimeoutMs);
|
|
uint8_t pid_size = data_provider.ConsumeIntegral<uint8_t>();
|
|
std::vector<pid_t> pids(pid_size);
|
|
for (auto& pid : pids) {
|
|
pid = data_provider.ConsumeIntegral<pid_t>();
|
|
}
|
|
|
|
// 2. We also have setAudioHalPids, which is populated with the pids set
|
|
// above.
|
|
android::TimeCheck::setAudioHalPids(pids);
|
|
std::string name = data_provider.ConsumeRandomLengthString(kMaxStringLen);
|
|
|
|
// 3. The constructor, which is fuzzed here:
|
|
android::TimeCheck timeCheck(name.c_str(), timeoutMs);
|
|
// We will leave some buffer to avoid sleeping too long
|
|
uint8_t sleep_amount_ms = data_provider.ConsumeIntegralInRange<uint8_t>(0, timeoutMs / 2);
|
|
|
|
// We want to make sure we can cover the time out functionality.
|
|
if (sleep_amount_ms) {
|
|
auto ms = std::chrono::milliseconds(sleep_amount_ms);
|
|
std::this_thread::sleep_for(ms);
|
|
}
|
|
|
|
// 4. Finally, the destructor on timecheck. These seem to be the only factors
|
|
// in play.
|
|
return 0;
|
|
}
|