1  /*
2   * Copyright (c) 2024 Huawei Device Co., Ltd.
3   * Licensed under the Apache License, Version 2.0 (the "License");
4   * you may not use this file except in compliance with the License.
5   * You may obtain a copy of the License at
6   *
7   *     http://www.apache.org/licenses/LICENSE-2.0
8   *
9   * Unless required by applicable law or agreed to in writing, software
10   * distributed under the License is distributed on an "AS IS" BASIS,
11   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12   * See the License for the specific language governing permissions and
13   * limitations under the License.
14   */
15  
16  #include "cacheprocessmanagerb_fuzzer.h"
17  
18  #include <cstddef>
19  #include <cstdint>
20  
21  #define private public
22  #define protected public
23  #include "cache_process_manager.h"
24  #include "ability_record.h"
25  #undef protected
26  #undef private
27  
28  #include "app_mgr_service_inner.h"
29  
30  using namespace OHOS::AAFwk;
31  using namespace OHOS::AppExecFwk;
32  using namespace OHOS::AbilityRuntime;
33  
34  namespace OHOS {
35  namespace {
36  constexpr int INPUT_ZERO = 0;
37  constexpr int INPUT_ONE = 1;
38  constexpr int INPUT_THREE = 3;
39  constexpr size_t FOO_MAX_LEN = 1024;
40  constexpr size_t U32_AT_SIZE = 4;
41  constexpr uint8_t ENABLE = 2;
42  constexpr size_t OFFSET_ZERO = 24;
43  constexpr size_t OFFSET_ONE = 16;
44  constexpr size_t OFFSET_TWO = 8;
45  }
46  
GetU32Data(const char * ptr)47  uint32_t GetU32Data(const char* ptr)
48  {
49      // convert fuzz input data to an integer
50      return (ptr[INPUT_ZERO] << OFFSET_ZERO) | (ptr[INPUT_ONE] << OFFSET_ONE) | (ptr[ENABLE] << OFFSET_TWO) |
51          ptr[INPUT_THREE];
52  }
53  
GetFuzzAbilityToken()54  sptr<Token> GetFuzzAbilityToken()
55  {
56      sptr<Token> token = nullptr;
57      AbilityRequest abilityRequest;
58      abilityRequest.appInfo.bundleName = "com.example.fuzzTest";
59      abilityRequest.abilityInfo.name = "MainAbility";
60      abilityRequest.abilityInfo.type = AbilityType::DATA;
61      std::shared_ptr<AbilityRecord> abilityRecord = AbilityRecord::CreateAbilityRecord(abilityRequest);
62      if (abilityRecord) {
63          token = abilityRecord->GetToken();
64      }
65      return token;
66  }
67  
CacheProcessManagerFuzztestFunc1(bool boolParam,std::string & stringParam,int32_t int32Param)68  void CacheProcessManagerFuzztestFunc1(bool boolParam, std::string &stringParam, int32_t int32Param)
69  {
70      std::shared_ptr<CacheProcessManager> mgr = std::make_shared<CacheProcessManager>();
71      std::shared_ptr<AppMgrServiceInner> serviceInner1;
72      mgr->GetCurrentCachedProcNum(); // called.
73      std::shared_ptr<ApplicationInfo> appInfo = std::make_shared<ApplicationInfo>();
74      std::shared_ptr<AppRunningRecord> appRecord1 = std::make_shared<AppRunningRecord>(appInfo, int32Param, stringParam);
75      std::shared_ptr<AppRunningRecord> appRecord2 = std::make_shared<AppRunningRecord>(nullptr, int32Param, stringParam);
76      mgr->cachedAppRecordQueue_.emplace_back(appRecord1);
77      mgr->RemoveCacheRecord(appRecord1); // called branch cached.
78      mgr->RemoveCacheRecord(appRecord2); // called branch not cached.
79      mgr->cachedAppRecordQueue_.clear();
80  
81      mgr->maxProcCacheNum_ = 0;
82      mgr->ShrinkAndKillCache(); // called branch
83      mgr->maxProcCacheNum_ = 1; // 1 means maxProcCacheNum
84      mgr->ShrinkAndKillCache(); // called branch current < maxProcCacheNum.
85      mgr->cachedAppRecordQueue_.emplace_back(appRecord1);
86      mgr->cachedAppRecordQueue_.emplace_back(appRecord2);
87      mgr->ShrinkAndKillCache(); // called branch current > maxProcCacheNum.
88      mgr->cachedAppRecordQueue_.clear();
89  
90      mgr->SetAppMgr(serviceInner1);
91      mgr->KillProcessByRecord(nullptr); // called branch appMgr is nullptr.
92      mgr->KillProcessByRecord(appRecord2); // called branch appRecord not null.
93      std::shared_ptr<AppMgrServiceInner> serviceInner2 = std::make_shared<AppMgrServiceInner>();
94      mgr->SetAppMgr(serviceInner2);
95      mgr->KillProcessByRecord(appRecord2); // called branch appRecord not null.
96  
97      mgr->cachedAppRecordQueue_.emplace_back(appRecord1);
98      mgr->cachedAppRecordQueue_.emplace_back(appRecord2);
99      mgr->PrintCacheQueue(); // called branch apprecord exist,
100      mgr->cachedAppRecordQueue_.clear();
101      mgr->PrintCacheQueue(); // called branch no apprecord.
102  
103      mgr->AddToApplicationSet(nullptr); // called nullptr.
104      mgr->AddToApplicationSet(appRecord2); // called.
105      mgr->RemoveFromApplicationSet(nullptr); // called nullptr.
106      mgr->RemoveFromApplicationSet(appRecord2); // called.
107  }
108  
CacheProcessManagerFuzztestFunc2(bool boolParam,std::string & stringParam,int32_t int32Param)109  void CacheProcessManagerFuzztestFunc2(bool boolParam, std::string &stringParam, int32_t int32Param)
110  {
111      std::shared_ptr<CacheProcessManager> mgr = std::make_shared<CacheProcessManager>();
112      std::shared_ptr<AppMgrServiceInner> serviceInner1;
113      std::shared_ptr<ApplicationInfo> appInfo = std::make_shared<ApplicationInfo>();
114      std::shared_ptr<AppRunningRecord> appRecord1 = std::make_shared<AppRunningRecord>(appInfo, int32Param, stringParam);
115      std::shared_ptr<AppRunningRecord> appRecord2 = std::make_shared<AppRunningRecord>(nullptr, int32Param, stringParam);
116  
117      mgr->maxProcCacheNum_ = 0;
118      mgr->PrepareActivateCache(nullptr); // branch 0 maxProcCacheNum_
119      mgr->maxProcCacheNum_ = 1; // 1 means maxProcCacheNum.
120      mgr->PrepareActivateCache(nullptr); // branch 0 null apprecord
121      mgr->PrepareActivateCache(appRecord1);
122  
123      mgr->SetAppMgr(serviceInner1);
124      mgr->cachedAppRecordQueue_.emplace_back(appRecord1);
125      mgr->PrepareActivateCache(appRecord1); // // branch cached & appMgr null.
126      std::shared_ptr<AppMgrServiceInner> serviceInner2 = std::make_shared<AppMgrServiceInner>();
127      mgr->SetAppMgr(serviceInner2);
128      mgr->cachedAppRecordQueue_.emplace_back(appRecord1);
129      mgr->PrepareActivateCache(appRecord1); // branch cached & appMgr not null.
130  }
131  
DoSomethingInterestingWithMyAPI(const char * data,size_t size)132  bool DoSomethingInterestingWithMyAPI(const char* data, size_t size)
133  {
134      bool boolParam = *data % ENABLE;
135      std::string stringParam(data, size);
136      int32_t int32Param = static_cast<int32_t>(GetU32Data(data));
137      CacheProcessManagerFuzztestFunc1(boolParam, stringParam, int32Param);
138      CacheProcessManagerFuzztestFunc2(boolParam, stringParam, int32Param);
139      return true;
140  }
141  }
142  
143  /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)144  extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
145  {
146      /* Run your code on data */
147      if (data == nullptr) {
148          return 0;
149      }
150  
151      /* Validate the length of size */
152      if (size < OHOS::U32_AT_SIZE || size > OHOS::FOO_MAX_LEN) {
153          return 0;
154      }
155  
156      char* ch = static_cast<char*>(malloc(size + 1));
157      if (ch == nullptr) {
158          std::cout << "malloc failed." << std::endl;
159          return 0;
160      }
161  
162      (void)memset_s(ch, size + 1, 0x00, size + 1);
163      if (memcpy_s(ch, size, data, size) != EOK) {
164          std::cout << "copy failed." << std::endl;
165          free(ch);
166          ch = nullptr;
167          return 0;
168      }
169  
170      OHOS::DoSomethingInterestingWithMyAPI(ch, size);
171      free(ch);
172      ch = nullptr;
173      return 0;
174  }
175  
176