osi/test/fuzzers/list/fuzz_list.cc - platform/system/bt - Git at Google

 /*
  * Copyright 2020 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <fuzzer/FuzzedDataProvider.h>
 #include "osi/include/list.h"
 #include "osi/test/fuzzers/include/libosiFuzzHelperFunctions.h"

 #define MAX_NUM_FUNCTIONS 512
 #define MAX_BUF_SIZE 256

 struct list_node_t {
   struct list_node_t* next;
   void* data;
 };

 void cb(void* data) {}
 // Pass a ptr to FuzzedDataProvider in context
 bool list_iter_cb_impl(void* data, void* context) {
   FuzzedDataProvider* dataProvider =
       reinterpret_cast<FuzzedDataProvider*>(context);
   return dataProvider->ConsumeBool();
 }

 list_t* createList(FuzzedDataProvider* dataProvider) {
   bool should_callback = dataProvider->ConsumeBool();
   if (should_callback) {
     return list_new(cb);
   } else {
     return list_new(nullptr);
   }
 }

 void* getArbitraryElement(std::vector<void*>* vector,
                           FuzzedDataProvider* dataProvider) {
   if (vector->size() == 0) {
     return nullptr;
   }
   // Get an index
   size_t index =
       dataProvider->ConsumeIntegralInRange<size_t>(0, vector->size() - 1);
   return vector->at(index);
 }

 list_node_t* getArbitraryNode(list_t* list, FuzzedDataProvider* dataProvider) {
   if (list == nullptr || list_is_empty(list)) {
     return nullptr;
   }
   size_t index =
       dataProvider->ConsumeIntegralInRange<size_t>(0, list_length(list) - 1);
   list_node_t* node = list_begin(list);
   for (size_t i = 0; i < index; i++) {
     node = node->next;
   }

   return node;
 }

 void callArbitraryFunction(std::vector<void*>* list_vector,
                            std::vector<void*>* alloc_vector,
                            FuzzedDataProvider* dataProvider) {
   list_t* list = nullptr;
   // Get our function identifier
   switch (dataProvider->ConsumeIntegralInRange<char>(0, 18)) {
     // Let 0 be a NO-OP, as ConsumeIntegral will return 0 on an empty buffer
     // (This will likely bias whatever action is here to run more often)
     case 0:
       return;
     // Create a new list
     case 1:
       list = createList(dataProvider);
       list_vector->push_back(list);
       return;
     // Free a list
     case 2: {
       size_t index = 0;
       if (list_vector->size() > 0) {
         // Get an index
         index = dataProvider->ConsumeIntegralInRange<size_t>(
             0, list_vector->size() - 1);
         list = reinterpret_cast<list_t*>(list_vector->at(index));
       }
       list_free(list);
       // Otherwise free a valid list
       if (list != nullptr) {
         list_vector->erase(list_vector->begin() + index);
       }
       return;
     }
     case 3:
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       if (list != nullptr) {
         list_is_empty(list);
       }
       return;
     case 4:
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       if (list != nullptr) {
         void* search_buf = getArbitraryElement(alloc_vector, dataProvider);
         if (search_buf != nullptr) {
           list_contains(list, search_buf);
         }
       }
       return;
     case 5:
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       if (list != nullptr) {
         list_length(list);
       }
       return;
     case 6:
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       if (list != nullptr && !list_is_empty(list)) {
         list_front(list);
       }
       return;
     case 7:
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       if (list != nullptr && !list_is_empty(list)) {
         list_back(list);
       }
       return;
     case 8:
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       if (list != nullptr && !list_is_empty(list)) {
         list_back_node(list);
       }
       return;
     case 9: {
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       if (list == nullptr) {
         return;
       }
       void* buf = generateBuffer(dataProvider, MAX_BUF_SIZE, false);
       alloc_vector->push_back(buf);
       list_node_t* node = getArbitraryNode(list, dataProvider);
       if (node != nullptr && buf != nullptr) {
         list_insert_after(list, node, buf);
       }
       return;
     }
     case 10: {
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       void* buf = generateBuffer(dataProvider, MAX_BUF_SIZE, false);
       alloc_vector->push_back(buf);
       if (list != nullptr && buf != nullptr) {
         list_prepend(list, buf);
       }
       return;
     }
     case 11: {
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       void* buf = generateBuffer(dataProvider, MAX_BUF_SIZE, false);
       alloc_vector->push_back(buf);
       if (list != nullptr && buf != nullptr) {
         list_append(list, buf);
       }
       return;
     }
     case 12: {
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       // The buffer will be valid, but may be for a different list
       void* buf = getArbitraryElement(alloc_vector, dataProvider);
       if (list != nullptr && buf != nullptr) {
         list_remove(list, buf);
       }
       return;
     }
     case 13:
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       if (list != nullptr) {
         list_clear(list);
       }
       return;
     case 14:
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       if (list != nullptr) {
         list_foreach(list, list_iter_cb_impl, dataProvider);
       }
       return;
     case 15:
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       if (list != nullptr) {
         list_begin(list);
       }
       return;
     case 16:
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       if (list != nullptr) {
         list_end(list);
       }
       return;
     case 17: {
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       if (list == nullptr) {
         return;
       }
       list_node_t* node = getArbitraryNode(list, dataProvider);
       if (node != nullptr) {
         list_next(node);
       }
       return;
     }
     case 18: {
       list = reinterpret_cast<list_t*>(
           getArbitraryElement(list_vector, dataProvider));
       if (list == nullptr) {
         return;
       }
       list_node_t* node = getArbitraryNode(list, dataProvider);
       if (node != nullptr && node != list_end(list)) {
         list_node(node);
       }
       return;
     }
     default:
       return;
   }
 }

 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
   // Init our wrapper
   FuzzedDataProvider dataProvider(Data, Size);

   // Keep a vector of our allocated objects for freeing later
   std::vector<void*> list_vector;
   std::vector<void*> alloc_vector;

   // Call some functions, create some buffers
   size_t num_functions =
       dataProvider.ConsumeIntegralInRange<size_t>(0, MAX_NUM_FUNCTIONS);
   for (size_t i = 0; i < num_functions; i++) {
     callArbitraryFunction(&list_vector, &alloc_vector, &dataProvider);
   }

   // Free anything we've allocated
   for (const auto& list : list_vector) {
     if (list != nullptr) {
       list_free(reinterpret_cast<list_t*>(list));
     }
   }
   for (const auto& alloc : alloc_vector) {
     if (alloc != nullptr) {
       free(alloc);
     }
   }
   list_vector.clear();

   return 0;
 }
	/*
	* Copyright 2020 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <fuzzer/FuzzedDataProvider.h>
	#include "osi/include/list.h"
	#include "osi/test/fuzzers/include/libosiFuzzHelperFunctions.h"

	#define MAX_NUM_FUNCTIONS 512
	#define MAX_BUF_SIZE 256

	struct list_node_t {
	struct list_node_t* next;
	void* data;
	};

	void cb(void* data) {}
	// Pass a ptr to FuzzedDataProvider in context
	bool list_iter_cb_impl(void* data, void* context) {
	FuzzedDataProvider* dataProvider =
	reinterpret_cast<FuzzedDataProvider*>(context);
	return dataProvider->ConsumeBool();
	}

	list_t* createList(FuzzedDataProvider* dataProvider) {
	bool should_callback = dataProvider->ConsumeBool();
	if (should_callback) {
	return list_new(cb);
	} else {
	return list_new(nullptr);
	}
	}

	void* getArbitraryElement(std::vector<void> vector,
	FuzzedDataProvider* dataProvider) {
	if (vector->size() == 0) {
	return nullptr;
	}
	// Get an index
	size_t index =
	dataProvider->ConsumeIntegralInRange<size_t>(0, vector->size() - 1);
	return vector->at(index);
	}

	list_node_t* getArbitraryNode(list_t* list, FuzzedDataProvider* dataProvider) {
	if (list == nullptr \|\| list_is_empty(list)) {
	return nullptr;
	}
	size_t index =
	dataProvider->ConsumeIntegralInRange<size_t>(0, list_length(list) - 1);
	list_node_t* node = list_begin(list);
	for (size_t i = 0; i < index; i++) {
	node = node->next;
	}

	return node;
	}

	void callArbitraryFunction(std::vector<void> list_vector,
	std::vector<void> alloc_vector,
	FuzzedDataProvider* dataProvider) {
	list_t* list = nullptr;
	// Get our function identifier
	switch (dataProvider->ConsumeIntegralInRange<char>(0, 18)) {
	// Let 0 be a NO-OP, as ConsumeIntegral will return 0 on an empty buffer
	// (This will likely bias whatever action is here to run more often)
	case 0:
	return;
	// Create a new list
	case 1:
	list = createList(dataProvider);
	list_vector->push_back(list);
	return;
	// Free a list
	case 2: {
	size_t index = 0;
	if (list_vector->size() > 0) {
	// Get an index
	index = dataProvider->ConsumeIntegralInRange<size_t>(
	0, list_vector->size() - 1);
	list = reinterpret_cast<list_t*>(list_vector->at(index));
	}
	list_free(list);
	// Otherwise free a valid list
	if (list != nullptr) {
	list_vector->erase(list_vector->begin() + index);
	}
	return;
	}
	case 3:
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	if (list != nullptr) {
	list_is_empty(list);
	}
	return;
	case 4:
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	if (list != nullptr) {
	void* search_buf = getArbitraryElement(alloc_vector, dataProvider);
	if (search_buf != nullptr) {
	list_contains(list, search_buf);
	}
	}
	return;
	case 5:
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	if (list != nullptr) {
	list_length(list);
	}
	return;
	case 6:
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	if (list != nullptr && !list_is_empty(list)) {
	list_front(list);
	}
	return;
	case 7:
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	if (list != nullptr && !list_is_empty(list)) {
	list_back(list);
	}
	return;
	case 8:
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	if (list != nullptr && !list_is_empty(list)) {
	list_back_node(list);
	}
	return;
	case 9: {
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	if (list == nullptr) {
	return;
	}
	void* buf = generateBuffer(dataProvider, MAX_BUF_SIZE, false);
	alloc_vector->push_back(buf);
	list_node_t* node = getArbitraryNode(list, dataProvider);
	if (node != nullptr && buf != nullptr) {
	list_insert_after(list, node, buf);
	}
	return;
	}
	case 10: {
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	void* buf = generateBuffer(dataProvider, MAX_BUF_SIZE, false);
	alloc_vector->push_back(buf);
	if (list != nullptr && buf != nullptr) {
	list_prepend(list, buf);
	}
	return;
	}
	case 11: {
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	void* buf = generateBuffer(dataProvider, MAX_BUF_SIZE, false);
	alloc_vector->push_back(buf);
	if (list != nullptr && buf != nullptr) {
	list_append(list, buf);
	}
	return;
	}
	case 12: {
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	// The buffer will be valid, but may be for a different list
	void* buf = getArbitraryElement(alloc_vector, dataProvider);
	if (list != nullptr && buf != nullptr) {
	list_remove(list, buf);
	}
	return;
	}
	case 13:
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	if (list != nullptr) {
	list_clear(list);
	}
	return;
	case 14:
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	if (list != nullptr) {
	list_foreach(list, list_iter_cb_impl, dataProvider);
	}
	return;
	case 15:
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	if (list != nullptr) {
	list_begin(list);
	}
	return;
	case 16:
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	if (list != nullptr) {
	list_end(list);
	}
	return;
	case 17: {
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	if (list == nullptr) {
	return;
	}
	list_node_t* node = getArbitraryNode(list, dataProvider);
	if (node != nullptr) {
	list_next(node);
	}
	return;
	}
	case 18: {
	list = reinterpret_cast<list_t*>(
	getArbitraryElement(list_vector, dataProvider));
	if (list == nullptr) {
	return;
	}
	list_node_t* node = getArbitraryNode(list, dataProvider);
	if (node != nullptr && node != list_end(list)) {
	list_node(node);
	}
	return;
	}
	default:
	return;
	}
	}

	extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
	// Init our wrapper
	FuzzedDataProvider dataProvider(Data, Size);

	// Keep a vector of our allocated objects for freeing later
	std::vector<void*> list_vector;
	std::vector<void*> alloc_vector;

	// Call some functions, create some buffers
	size_t num_functions =
	dataProvider.ConsumeIntegralInRange<size_t>(0, MAX_NUM_FUNCTIONS);
	for (size_t i = 0; i < num_functions; i++) {
	callArbitraryFunction(&list_vector, &alloc_vector, &dataProvider);
	}

	// Free anything we've allocated
	for (const auto& list : list_vector) {
	if (list != nullptr) {
	list_free(reinterpret_cast<list_t*>(list));
	}
	}
	for (const auto& alloc : alloc_vector) {
	if (alloc != nullptr) {
	free(alloc);
	}
	}
	list_vector.clear();

	return 0;
	}