Adding Presentation Service MojoLPM fuzzer.

Bug: 1113721
Change-Id: I79132bdf3ea1f276994932e8e6a882c60d8ea946
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2364618Reviewed-by: Oliver Chang <ochang@chromium.org>
Reviewed-by: Scott Violet <sky@chromium.org>
Commit-Queue: Clovis PJ <clovispj@google.com>
Cr-Commit-Position: refs/heads/master@{#808256}

content/test/fuzzer/BUILD.gn

@@ -4,6 +4,7 @@
 
 # Fuzzers for content/ components.
 
+import("//mojo/public/tools/bindings/mojom.gni")
 import("//mojo/public/tools/fuzzers/mojolpm.gni")
 import("//testing/libfuzzer/fuzzer_test.gni")
 import("//third_party/protobuf/proto_library.gni")
@@ -281,3 +282,72 @@ if (is_linux) {
     proto_deps = [ "//media/capture/mojom:video_capture_mojolpm" ]
   }
 }
+
+mojolpm_fuzzer_test("presentation_service_mojolpm_fuzzer") {
+  sources = [ "presentation_service_mojolpm_fuzzer.cc" ]
+
+  proto_source = "presentation_service_mojolpm_fuzzer.proto"
+
+  deps = [
+    ":controller_presentation_service_delegate_for_fuzzing",
+    "//base/test:test_support",
+    "//content/browser:for_content_tests",
+    "//content/public/browser:browser",
+    "//content/test:content_unittests",
+    "//content/test:test_support",
+    "//services/network:test_support",
+    "//storage/browser:test_support",
+    "//ui/events/devices:devices",
+  ]
+
+  proto_deps = [
+    ":controller_presentation_service_delegate_for_fuzzing_proto",
+    "//third_party/blink/public/mojom:mojom_platform_mojolpm",
+  ]
+}
+
+if (enable_mojom_fuzzer) {
+  static_library("controller_presentation_service_delegate_for_fuzzing") {
+    # Should only be used in the fuzzer this was made for
+    visibility = [ ":presentation_service_mojolpm_fuzzer" ]
+
+    sources = [
+      "controller_presentation_service_delegate_for_fuzzing.cc",
+      "controller_presentation_service_delegate_for_fuzzing.h",
+    ]
+
+    deps = [
+      ":controller_presentation_service_delegate_for_fuzzing_proto",
+      "//base",
+      "//content/public/browser:browser",
+      "//media:test_support",
+      "//third_party/blink/public/mojom:mojom_platform_mojolpm",
+      "//url/mojom:url_mojom_gurl_mojolpm",
+    ]
+
+    testonly = true
+  }
+
+  proto_library("controller_presentation_service_delegate_for_fuzzing_proto") {
+    # Should only be used in the fuzzer this was made for, and its
+    # generated rules
+    visibility = [ "//content/test/fuzzer:*" ]
+
+    proto_in_dir = "//"
+
+    sources = [ "controller_presentation_service_delegate_for_fuzzing.proto" ]
+    generate_python = false
+
+    proto_deps = [
+      "//third_party/blink/public/mojom:mojom_platform_mojolpm",
+      "//url/mojom:url_mojom_gurl_mojolpm",
+    ]
+    link_deps = [
+      "//third_party/blink/public/mojom:mojom_platform_mojolpm",
+      "//url/mojom:url_mojom_gurl_mojolpm",
+    ]
+
+    import_dirs = [ root_gen_dir ]
+    testonly = true
+  }
+}

content/test/fuzzer/controller_presentation_service_delegate_for_fuzzing.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_TEST_FUZZER_CONTROLLER_PRESENTATION_SERVICE_DELEGATE_FOR_FUZZING_H_
+#define CONTENT_TEST_FUZZER_CONTROLLER_PRESENTATION_SERVICE_DELEGATE_FOR_FUZZING_H_
+
+#include <map>
+#include <memory>
+#include <string>
+
+#include "content/public/browser/global_routing_id.h"
+#include "content/public/browser/presentation_screen_availability_listener.h"
+#include "content/public/browser/presentation_service_delegate.h"
+#include "content/test/fuzzer/controller_presentation_service_delegate_for_fuzzing.pb.h"
+#include "media/base/flinging_controller.h"
+#include "third_party/blink/public/mojom/presentation/presentation.mojom.h"
+
+// Fake for the `ControllerPresentationServiceDelegate` interface
+//
+// This fake is limited to do callback, observer and listener behaviours,
+// according to a set of actions specified by a protobuf.
+// So it is not suitable for tests. It is designed for a fuzzer.
+//
+// Usage: call the component as expected as the delegate interface.
+// To run the callables provided, use `NextAction`,
+// provide a protobuf of the `Action` message - there lists the possible calls.
+// This will instruct the fake to run the callbacks accordingly.
+//
+// The callables are run on the UI thread, as the delegate interface is expected
+// to be called on the UI thread.
+// In the case of MojoLPM fuzzers, `NextAction` should be called on the fuzzer
+// thread.
+class ControllerPresentationServiceDelegateForFuzzing
+    : public content::ControllerPresentationServiceDelegate {
+ public:
+  ControllerPresentationServiceDelegateForFuzzing();
+  ~ControllerPresentationServiceDelegateForFuzzing() override;
+
+  // Used to run one callable.
+  // These are set by using this as implementation of the delegate interface.
+  // The callable is specified by the `action`, as defined in assocciated proto.
+  //
+  // All calls must be run on the same sequence
+  // (for MojoLPM fuzzers, it should be the fuzzer thread)
+  void NextAction(
+      const content::fuzzing::
+          controller_presentation_service_delegate_for_fuzzing::proto::Action&
+              action);
+
+  // ControllerPresentationServiceDelegate implementation
+  void AddObserver(int render_process_id,
+                   int render_frame_id,
+                   Observer* observer) override;
+
+  void RemoveObserver(int render_process_id, int render_frame_id) override;
+
+  void Reset(int render_process_id, int render_frame_id) override;
+
+  bool AddScreenAvailabilityListener(
+      int render_process_id,
+      int render_frame_id,
+      content::PresentationScreenAvailabilityListener* listener) override;
+
+  void RemoveScreenAvailabilityListener(
+      int render_process_id,
+      int render_frame_id,
+      content::PresentationScreenAvailabilityListener* listener) override;
+
+  void SetDefaultPresentationUrls(
+      const content::PresentationRequest& request,
+      content::DefaultPresentationConnectionCallback callback) override;
+
+  void StartPresentation(
+      const content::PresentationRequest& request,
+      content::PresentationConnectionCallback success_cb,
+      content::PresentationConnectionErrorCallback error_cb) override;
+
+  void ReconnectPresentation(
+      const content::PresentationRequest& request,
+      const std::string& presentation_id,
+      content::PresentationConnectionCallback success_cb,
+      content::PresentationConnectionErrorCallback error_cb) override;
+
+  void CloseConnection(int render_process_id,
+                       int render_frame_id,
+                       const std::string& presentation_id) override;
+
+  void Terminate(int render_process_id,
+                 int render_frame_id,
+                 const std::string& presentation_id) override;
+
+  std::unique_ptr<media::FlingingController> GetFlingingController(
+      int render_process_id,
+      int render_frame_id,
+      const std::string& presentation_id) override;
+
+  void ListenForConnectionStateChange(
+      int render_process_id,
+      int render_frame_id,
+      const blink::mojom::PresentationInfo& connection,
+      const content::PresentationConnectionStateChangedCallback&
+          state_changed_cb) override;
+
+ private:
+  using Action = content::fuzzing::
+      controller_presentation_service_delegate_for_fuzzing::proto::Action;
+
+  // Use to invoke the callbacks & registered callables
+  // For each, we have two member functions, where the first calls the second.
+  // The first is prefixed by `Handle`, which takes the raw protobuf datatype,
+  // and is run on the same thread as `NextAction` (for MojoLPM: fuzzer thread).
+  // The second is prefixed by `Call` which invokes the call with the converted
+  // datatype, and is run on the UI thread.
+  void HandleListenersGetAvailabilityUrl(
+      const mojolpm::url::mojom::Url& proto_url);
+  void CallListenersGetAvailabilityUrl(GURL url);
+
+  void HandleListenersOnScreenAvailabilityChanged(
+      const mojolpm::url::mojom::Url& proto_url,
+      const mojolpm::blink::mojom::ScreenAvailability&
+          proto_screen_availability);
+  void CallListenersOnScreenAvailabilityChanged(
+      GURL url,
+      blink::mojom::ScreenAvailability screen_availability);
+
+  void HandleSetDefaultPresentationUrls(
+      const mojolpm::blink::mojom::PresentationConnectionResult& proto_result);
+  void CallSetDefaultPresentationUrls(
+      blink::mojom::PresentationConnectionResultPtr result_ptr);
+
+  void HandleStartPresentationSuccess(
+      const mojolpm::blink::mojom::PresentationConnectionResult& proto_result);
+  void CallStartPresentationSuccess(
+      blink::mojom::PresentationConnectionResultPtr result_ptr);
+
+  void HandleStartPresentationError(
+      const mojolpm::blink::mojom::PresentationError& proto_error);
+  void CallStartPresentationError(blink::mojom::PresentationErrorPtr error_ptr);
+
+  void HandleReconnectPresentationSuccess(
+      const mojolpm::blink::mojom::PresentationConnectionResult& proto_result);
+  void CallReconnectPresentationSuccess(
+      blink::mojom::PresentationConnectionResultPtr result_ptr);
+
+  void HandleReconnectPresentationError(
+      const mojolpm::blink::mojom::PresentationError& proto_error);
+  void CallReconnectPresentationError(
+      blink::mojom::PresentationErrorPtr error_ptr);
+
+  void HandleListenForConnectionStateChangeStateChanged(
+      const mojolpm::blink::mojom::PresentationConnectionState&
+          proto_connection_state);
+  void CallListenForConnectionStateChangeStateChanged(
+      blink::mojom::PresentationConnectionState connection_state);
+
+  base::WeakPtr<ControllerPresentationServiceDelegateForFuzzing> GetWeakPtr() {
+    return weak_factory_.GetWeakPtr();
+  }
+
+  // We store all callbacks as single callables; not queued nor out of order,
+  // as this mimics the real delegate as closely as possible
+  std::map<content::GlobalFrameRoutingId,
+           content::PresentationServiceDelegate::Observer*>
+      observers_;
+
+  std::map<GURL, content::PresentationScreenAvailabilityListener*> listeners_;
+
+  content::DefaultPresentationConnectionCallback
+      set_default_presentation_urls_callback_;
+
+  content::PresentationConnectionCallback start_presentation_success_cb_;
+
+  content::PresentationConnectionErrorCallback start_presentation_error_cb_;
+
+  content::PresentationConnectionCallback reconnect_presentation_success_cb_;
+
+  content::PresentationConnectionErrorCallback reconnect_presentation_error_cb_;
+
+  content::PresentationConnectionStateChangedCallback
+      listen_for_connection_state_change_state_changed_cb_;
+
+  SEQUENCE_CHECKER(sequence_checker_);
+
+  // `PostTask`ing the calls onto the UI thread is not guaranteed to outlive
+  // `this`. So a weak pointer is necessary for those calls.
+  base::WeakPtrFactory<ControllerPresentationServiceDelegateForFuzzing>
+      weak_factory_{this};
+};
+
+#endif  // CONTENT_TEST_FUZZER_CONTROLLER_PRESENTATION_SERVICE_DELEGATE_FOR_FUZZING_H_

content/test/fuzzer/controller_presentation_service_delegate_for_fuzzing.proto

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Message format for `ControllerPresentationServiceDelegateForFuzzing`
+// An `Action` will run a callable
+
+syntax = "proto2";
+
+package content.fuzzing.controller_presentation_service_delegate_for_fuzzing.proto;
+
+import "third_party/blink/public/mojom/presentation/presentation.mojom.mojolpm.proto";
+import "url/mojom/url.mojom.mojolpm.proto";
+
+// Used to specify actions, which will run the appropriate call onto the
+// specified, by url,`PresentationScreenAvailabilityListener`.
+// Having been registered with the fake, through the interface as the delegate.
+message GetAvailabilityUrlAction {
+  required mojolpm.url.mojom.Url listener_availability_url = 1;
+}
+message OnScreenAvailabilityChangedAction {
+  required mojolpm.url.mojom.Url listener_availability_url = 1;
+  required mojolpm.blink.mojom.ScreenAvailability screen_availability = 2;
+}
+
+// Used to specify actions, which would run a callback established through the
+// interface as the delegate
+message PresentationConnectionAction {
+  required mojolpm.blink.mojom.PresentationConnectionResult
+      presentation_connection_result = 1;
+}
+message PresentationConnectionErrorAction {
+  required mojolpm.blink.mojom.PresentationError presentation_error = 1;
+}
+message PresentationConnectionStateChangedAction {
+  required mojolpm.blink.mojom.PresentationConnectionState
+      presentation_connection_state = 1;
+}
+
+// Actions that can be performed by the fake.
+message Action {
+  oneof action {
+    GetAvailabilityUrlAction listener_get_availability_url = 1;
+    OnScreenAvailabilityChangedAction listener_on_screen_availability_changed =
+        2;
+
+    PresentationConnectionAction set_default_presentation_urls = 3;
+
+    PresentationConnectionAction start_presentation_success = 4;
+    PresentationConnectionErrorAction start_presentation_error = 5;
+
+    PresentationConnectionAction reconnect_presentation_success = 6;
+    PresentationConnectionErrorAction reconnect_presentation_error = 7;
+
+    PresentationConnectionStateChangedAction
+        listen_for_connection_state_change_state_changed = 8;
+  }
+}

content/test/fuzzer/presentation_service_mojolpm_fuzzer.proto

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Message format for the MojoLPM fuzzer for the PresentationService interface.
+
+syntax = "proto2";
+
+package content.fuzzing.presentation_service.proto;
+
+import "content/test/fuzzer/controller_presentation_service_delegate_for_fuzzing.proto";
+import "third_party/blink/public/mojom/presentation/presentation.mojom.mojolpm.proto";
+
+// Bind a new PresentationService remote
+message NewPresentationServiceAction {
+  required uint32 id = 1;
+}
+
+// Run the specific sequence for (an indeterminate) period. This is not
+// intended to create a specific ordering, but to allow the fuzzer to delay a
+// later task until previous tasks have completed.
+message RunThreadAction {
+  enum ThreadId {
+    IO = 0;
+    UI = 1;
+  }
+
+  required ThreadId id = 1;
+}
+
+// Actions that can be performed by the fuzzer.
+message Action {
+  oneof action {
+    RunThreadAction run_thread = 1;
+
+    NewPresentationServiceAction new_presentation_service = 2;
+    mojolpm.blink.mojom.PresentationService.RemoteAction
+        presentation_service_remote_action = 3;
+
+    mojolpm.blink.mojom.PresentationController.ReceiverAction
+        presentation_controller_receiver_action = 4;
+    mojolpm.blink.mojom.PresentationReceiver.ReceiverAction
+        presentation_receiver_receiver_action = 5;
+
+    content.fuzzing.controller_presentation_service_delegate_for_fuzzing.proto
+        .Action controller_delegate_action = 6;
+  }
+}
+
+// Sequence provides a level of indirection which allows Testcase to compactly
+// express repeated sequences of actions.
+message Sequence {
+  repeated uint32 action_indexes = 1 [packed = true];
+}
+
+// Testcase is the top-level message type interpreted by the fuzzer.
+message Testcase {
+  repeated Action actions = 1;
+  repeated Sequence sequences = 2;
+  repeated uint32 sequence_indexes = 3 [packed = true];
+}