1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
/*
* Copyright 2020 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <atomic>
#include <thread>
#include "fuzzer/FuzzedDataProvider.h"
#include "utils/RefBase.h"
#include "utils/StrongPointer.h"
using android::RefBase;
using android::sp;
using android::wp;
static constexpr int REFBASE_INITIAL_STRONG_VALUE = (1 << 28);
static constexpr int REFBASE_MAX_COUNT = 0xfffff;
static constexpr int MAX_OPERATIONS = 100;
static constexpr int MAX_THREADS = 10;
bool canDecrementStrong(RefBase* ref) {
// There's an assert around decrementing the strong count too much that causes an artificial
// crash This is just running BAD_STRONG from RefBase
const int32_t count = ref->getStrongCount() - 1;
return !(count == 0 || ((count) & (~(REFBASE_MAX_COUNT | REFBASE_INITIAL_STRONG_VALUE))) != 0);
}
bool canDecrementWeak(RefBase* ref) {
const int32_t count = ref->getWeakRefs()->getWeakCount() - 1;
return !((count) == 0 || ((count) & (~REFBASE_MAX_COUNT)) != 0);
}
struct RefBaseSubclass : public RefBase {
RefBaseSubclass() {}
virtual ~RefBaseSubclass() {}
};
std::vector<std::function<void(RefBaseSubclass*)>> operations = {
[](RefBaseSubclass* ref) -> void { ref->getStrongCount(); },
[](RefBaseSubclass* ref) -> void { ref->printRefs(); },
[](RefBaseSubclass* ref) -> void { ref->getWeakRefs()->printRefs(); },
[](RefBaseSubclass* ref) -> void { ref->getWeakRefs()->getWeakCount(); },
[](RefBaseSubclass* ref) -> void { ref->getWeakRefs()->refBase(); },
[](RefBaseSubclass* ref) -> void { ref->incStrong(nullptr); },
[](RefBaseSubclass* ref) -> void {
if (canDecrementStrong(ref)) {
ref->decStrong(nullptr);
}
},
[](RefBaseSubclass* ref) -> void { ref->forceIncStrong(nullptr); },
[](RefBaseSubclass* ref) -> void { ref->createWeak(nullptr); },
[](RefBaseSubclass* ref) -> void { ref->getWeakRefs()->attemptIncStrong(nullptr); },
[](RefBaseSubclass* ref) -> void { ref->getWeakRefs()->attemptIncWeak(nullptr); },
[](RefBaseSubclass* ref) -> void {
if (canDecrementWeak(ref)) {
ref->getWeakRefs()->decWeak(nullptr);
}
},
[](RefBaseSubclass* ref) -> void { ref->getWeakRefs()->incWeak(nullptr); },
[](RefBaseSubclass* ref) -> void { ref->getWeakRefs()->printRefs(); },
};
void loop(RefBaseSubclass* loopRef, const std::vector<uint8_t>& fuzzOps) {
for (auto op : fuzzOps) {
operations[op % operations.size()](loopRef);
}
}
void spawnThreads(FuzzedDataProvider* dataProvider) {
std::vector<std::thread> threads = std::vector<std::thread>();
// Get the number of threads to generate
uint8_t count = dataProvider->ConsumeIntegralInRange<uint8_t>(1, MAX_THREADS);
// Generate threads
for (uint8_t i = 0; i < count; i++) {
RefBaseSubclass* threadRef = new RefBaseSubclass();
uint8_t opCount = dataProvider->ConsumeIntegralInRange<uint8_t>(1, MAX_OPERATIONS);
std::vector<uint8_t> threadOperations = dataProvider->ConsumeBytes<uint8_t>(opCount);
std::thread tmp = std::thread(loop, threadRef, threadOperations);
threads.push_back(move(tmp));
}
for (auto& th : threads) {
th.join();
}
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
FuzzedDataProvider dataProvider(data, size);
spawnThreads(&dataProvider);
return 0;
}
|
