Refactored automotiveCanV1.0_fuzzer

The following are the updates to the fuzzer: 1. Randomised order of API calls using fdp. 2. Added New APIs. exec/s: 35 Test: ./automotiveCanV1.0_fuzzer Bug: 301907840 Change-Id: I66b4622bcf93ac5fbead522f6991a62361b85dda
2023-08-18 14:18:08 +05:30 · 2023-08-18 14:18:08 +05:30 · f247dafd11
commit f247dafd11
parent ac9f70ee2f
2 changed files with 52 additions and 28 deletions
--- a/automotive/can/1.0/default/tests/fuzzer/AutomotiveCanV1_0Fuzzer.cpp
+++ b/automotive/can/1.0/default/tests/fuzzer/AutomotiveCanV1_0Fuzzer.cpp
@ -18,9 +18,9 @@

 namespace android::hardware::automotive::can::V1_0::implementation::fuzzer {

-constexpr CanController::InterfaceType kInterfaceType[] = {CanController::InterfaceType::VIRTUAL,
-                                                           CanController::InterfaceType::SOCKETCAN,
-                                                           CanController::InterfaceType::SLCAN};
+constexpr CanController::InterfaceType kInterfaceType[] = {
+        CanController::InterfaceType::VIRTUAL, CanController::InterfaceType::SOCKETCAN,
+        CanController::InterfaceType::SLCAN, CanController::InterfaceType::INDEXED};
 constexpr FilterFlag kFilterFlag[] = {FilterFlag::DONT_CARE, FilterFlag::SET, FilterFlag::NOT_SET};
 constexpr size_t kInterfaceTypeLength = std::size(kInterfaceType);
 constexpr size_t kFilterFlagLength = std::size(kFilterFlag);
@ -28,8 +28,8 @@ constexpr size_t kMaxCharacters = 30;
 constexpr size_t kMaxPayloadBytes = 64;
 constexpr size_t kMaxFilters = 20;
 constexpr size_t kMaxSerialNumber = 1000;
-constexpr size_t kMaxBuses = 10;
-constexpr size_t kMaxRepeat = 5;
+constexpr size_t kMaxBuses = 100;
+constexpr size_t kMaxRepeat = 100;

 Bus CanFuzzer::makeBus() {
    ICanController::BusConfig config = {};
@ -56,9 +56,13 @@ hidl_vec<hidl_string> CanFuzzer::getBusNames() {
 }

 void CanFuzzer::invokeUpInterface() {
-    const CanController::InterfaceType iftype =
-            kInterfaceType[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
-                    0, kInterfaceTypeLength - 1)];
+    CanController::InterfaceType controller;
+    if (mFuzzedDataProvider->ConsumeBool()) {
+        controller = (CanController::InterfaceType)mFuzzedDataProvider->ConsumeIntegral<uint8_t>();
+    } else {
+        controller = kInterfaceType[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
+                0, kInterfaceTypeLength - 1)];
+    }
    std::string configName;

    if (const bool shouldInvokeValidBus = mFuzzedDataProvider->ConsumeBool();
@ -73,7 +77,7 @@ void CanFuzzer::invokeUpInterface() {

    ICanController::BusConfig config = {.name = configName};

-    if (iftype == CanController::InterfaceType::SOCKETCAN) {
+    if (controller == CanController::InterfaceType::SOCKETCAN) {
        CanController::BusConfig::InterfaceId::Socketcan socketcan = {};
        if (const bool shouldPassSerialSocket = mFuzzedDataProvider->ConsumeBool();
            shouldPassSerialSocket) {
@ -83,7 +87,7 @@ void CanFuzzer::invokeUpInterface() {
            socketcan.ifname(ifname);
        }
        config.interfaceId.socketcan(socketcan);
-    } else if (iftype == CanController::InterfaceType::SLCAN) {
+    } else if (controller == CanController::InterfaceType::SLCAN) {
        CanController::BusConfig::InterfaceId::Slcan slcan = {};
        if (const bool shouldPassSerialSlcan = mFuzzedDataProvider->ConsumeBool();
            shouldPassSerialSlcan) {
@ -93,8 +97,12 @@ void CanFuzzer::invokeUpInterface() {
            slcan.ttyname(ifname);
        }
        config.interfaceId.slcan(slcan);
-    } else if (iftype == CanController::InterfaceType::VIRTUAL) {
+    } else if (controller == CanController::InterfaceType::VIRTUAL) {
        config.interfaceId.virtualif({ifname});
+    } else if (controller == CanController::InterfaceType::INDEXED) {
+        CanController::BusConfig::InterfaceId::Indexed indexed;
+        indexed.index = mFuzzedDataProvider->ConsumeIntegral<uint8_t>();
+        config.interfaceId.indexed(indexed);
    }

    const size_t numInvocations =
@ -108,8 +116,13 @@ void CanFuzzer::invokeDownInterface() {
    hidl_string configName;
    if (const bool shouldInvokeValidBus = mFuzzedDataProvider->ConsumeBool();
        (shouldInvokeValidBus) && (mBusNames.size() > 0)) {
-        const size_t busNameIndex =
-                mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, mBusNames.size() - 1);
+        size_t busNameIndex;
+        if (mBusNames.size() == 1) {
+            busNameIndex = 0;
+        } else {
+            busNameIndex =
+                    mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, mBusNames.size() - 1);
+        }
        configName = mBusNames[busNameIndex];
    } else {
        configName = mFuzzedDataProvider->ConsumeRandomLengthString(kMaxCharacters);
@ -122,12 +135,6 @@ void CanFuzzer::invokeDownInterface() {
    }
 }

-void CanFuzzer::invokeController() {
-    getSupportedInterfaceTypes();
-    invokeUpInterface();
-    invokeDownInterface();
-}
-
 void CanFuzzer::invokeBus() {
    const size_t numBuses = mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(1, kMaxBuses);
    for (size_t i = 0; i < numBuses; ++i) {
@ -152,12 +159,22 @@ void CanFuzzer::invokeBus() {
            for (uint32_t k = 0; k < numFilters; ++k) {
                filterVector[k].id = mFuzzedDataProvider->ConsumeIntegral<uint32_t>();
                filterVector[k].mask = mFuzzedDataProvider->ConsumeIntegral<uint32_t>();
-                filterVector[k].rtr =
-                        kFilterFlag[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
-                                0, kFilterFlagLength - 1)];
-                filterVector[k].extendedFormat =
-                        kFilterFlag[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
-                                0, kFilterFlagLength - 1)];
+                if (mFuzzedDataProvider->ConsumeBool()) {
+                    filterVector[k].rtr =
+                            (FilterFlag)mFuzzedDataProvider->ConsumeIntegral<uint8_t>();
+                } else {
+                    filterVector[k].rtr =
+                            kFilterFlag[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
+                                    0, kFilterFlagLength - 1)];
+                }
+                if (mFuzzedDataProvider->ConsumeBool()) {
+                    filterVector[k].extendedFormat =
+                            (FilterFlag)mFuzzedDataProvider->ConsumeIntegral<uint8_t>();
+                } else {
+                    filterVector[k].extendedFormat =
+                            kFilterFlag[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
+                                    0, kFilterFlagLength - 1)];
+                }
                filterVector[k].exclude = mFuzzedDataProvider->ConsumeBool();
            }
            auto listener = listeningBus.listen(filterVector);
@ -175,8 +192,16 @@ void CanFuzzer::deInit() {

 void CanFuzzer::process(const uint8_t* data, size_t size) {
    mFuzzedDataProvider = new FuzzedDataProvider(data, size);
-    invokeController();
-    invokeBus();
+    while (mFuzzedDataProvider->remaining_bytes()) {
+        auto CanFuzzerFunction =
+                mFuzzedDataProvider->PickValueInArray<const std::function<void()>>({
+                        [&]() { getSupportedInterfaceTypes(); },
+                        [&]() { invokeUpInterface(); },
+                        [&]() { invokeDownInterface(); },
+                        [&]() { invokeBus(); },
+                });
+        CanFuzzerFunction();
+    }
 }

 bool CanFuzzer::init() {
--- a/automotive/can/1.0/default/tests/fuzzer/AutomotiveCanV1_0Fuzzer.h
+++ b/automotive/can/1.0/default/tests/fuzzer/AutomotiveCanV1_0Fuzzer.h
@ -116,7 +116,6 @@ class CanFuzzer {
    hidl_vec<hidl_string> getBusNames();
    void getSupportedInterfaceTypes();
    void invokeBus();
-    void invokeController();
    void invokeUpInterface();
    void invokeDownInterface();
    FuzzedDataProvider* mFuzzedDataProvider = nullptr;