authorDaisuke Nojiri <dnojiri@chromium.org>2021-04-10 08:22:05 -0700
committerCommit Bot <commit-bot@chromium.org>2021-06-17 01:08:19 +0000
commit6bb2d508988e9725e41915d430e1feb21fe68534 (patch)
tree0aab84e31b96838b017bdb238c2cfde57ac72c61 /fuzz
parent2252a56cd80adb017614c35fe1a27716cc0046f8 (diff)
downloadchrome-ec-6bb2d508988e9725e41915d430e1feb21fe68534.tar.gz
PCHG: Fuzz PCHG and ctn730 driver
This patch adds a fuzz test for PCHG and ctn730 driver. With the given corpus, the test currently reaches all the normal mode states. BUG=b:190841496 BRANCH=trogdor TEST=make run-pchg_fuzz TEST=pchg_fuzz.exe -seed=1 -runs=1000000 -dict=fuzz/pchg_fuzz.corpus Change-Id: I6eedbbbdbf3396dfa2b98ca302e16d142ea251d5 Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2956076
Diffstat (limited to 'fuzz')
-rw-r--r--fuzz/build.mk3
-rw-r--r--fuzz/fuzz_config.h12
-rw-r--r--fuzz/pchg_fuzz.c115
-rw-r--r--fuzz/pchg_fuzz.corpus26
-rw-r--r--fuzz/pchg_fuzz.tasklist12
5 files changed, 167 insertions, 1 deletions
diff --git a/fuzz/build.mk b/fuzz/build.mk
index 44ddb56974..3b5f117d20 100644
--- a/fuzz/build.mk
+++ b/fuzz/build.mk
@@ -10,7 +10,7 @@ fuzz-test-list-host =
# Fuzzers should only be built for architectures that support sanitizers.
ifeq ($(ARCH),amd64)
fuzz-test-list-host += host_command_fuzz usb_pd_fuzz usb_tcpm_v2_rev20_fuzz \
- usb_tcpm_v2_rev30_fuzz
+ usb_tcpm_v2_rev30_fuzz pchg_fuzz
endif
# For fuzzing targets libec.a is built from the ro objects and hides functions
@@ -31,3 +31,4 @@ usb_tcpm_v2_rev30_fuzz-y = usb_pd_fuzz.o usb_tcpm_v2_rev30_fuzz.o \
../test/fake_battery.o
usb_tcpm_v2_rev20_fuzz-y = usb_pd_fuzz.o usb_tcpm_v2_rev20_fuzz.o \
../test/fake_battery.o
+pchg_fuzz-y = pchg_fuzz.o \ No newline at end of file
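Review bot: The new `pchg_fuzz-y = pchg_fuzz.o` rule is added without a terminating newline (`\ No newline at end of file`), so the next fuzzer appended to fuzz/build.mk will show up as a modification of this line rather than a clean addition. End the file with a newline, matching the other `*-y` rules in this block.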
diff --git a/fuzz/fuzz_config.h b/fuzz/fuzz_config.h
index 0569a21b38..fb974ea727 100644
--- a/fuzz/fuzz_config.h
+++ b/fuzz/fuzz_config.h
@@ -84,5 +84,17 @@
#define CONFIG_USB_PD_3A_PORTS 0 /* Host does not define a 3.0 A PDO */
#endif /* TEST_USB_TCPM_V2_REV20_FUZZ */
+#ifdef TEST_PCHG_FUZZ
+#define CONFIG_CTN730
+#define CONFIG_DEVICE_EVENT
+#define CONFIG_MKBP_EVENT
+#define CONFIG_MKBP_USE_GPIO
+#define CONFIG_PERIPHERAL_CHARGER
+#define I2C_PORT_WLC 0
+#define GPIO_WLC_IRQ_CONN 1
+#define GPIO_WLC_NRST_CONN 2
+#define GPIO_PCHG_P0 GPIO_WLC_IRQ_CONN
+#endif /* TEST_PCHG_FUZZ */
+
#endif /* TEST_FUZZ */
#endif /* __FUZZ_FUZZ_CONFIG_H */
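Review bot: The new `TEST_PCHG_FUZZ` block hard-codes `GPIO_WLC_IRQ_CONN 1` and `GPIO_WLC_NRST_CONN 2` with no hint that these are stand-ins for the host build rather than real pin assignments, and that `GPIO_PCHG_P0` is deliberately aliased to the IRQ pin. The sibling block above documents its choice (`/* Host does not define a 3.0 A PDO */`); a matching comment here, e.g. `/* Arbitrary pin ids for the host fuzzer; no real GPIOs are involved */`, would keep the next reader from trying to match them against a board.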
diff --git a/fuzz/pchg_fuzz.c b/fuzz/pchg_fuzz.c
new file mode 100644
index 0000000000..14bdb94566
--- /dev/null
+++ b/fuzz/pchg_fuzz.c
@@ -0,0 +1,115 @@
+/* Copyright 2021 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * Test peripheral device charger module.
+ */
+
+#define HIDE_EC_STDLIB
+#include "common.h"
+#include "compile_time_macros.h"
+#include "driver/nfc/ctn730.h"
+#include "peripheral_charger.h"
+#include "task.h"
+#include "test_util.h"
+#include "timer.h"
+#include "util.h"
+
+#include <pthread.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define TASK_EVENT_FUZZ TASK_EVENT_CUSTOM_BIT(0)
+
+extern struct pchg_drv ctn730_drv;
+struct pchg pchgs[] = {
+ [0] = {
+ .cfg = &(const struct pchg_config) {
+ .drv = &ctn730_drv,
+ .i2c_port = I2C_PORT_WLC,
+ .irq_pin = GPIO_WLC_IRQ_CONN,
+ .full_percent = 96,
+ .block_size = 128,
+ },
+ .events = QUEUE_NULL(PCHG_EVENT_QUEUE_SIZE, enum pchg_event),
+ },
+};
+const int pchg_count = ARRAY_SIZE(pchgs);
+
+static pthread_cond_t done_cond;
+static pthread_mutex_t lock;
+
+#define MAX_MESSAGES 8
+static uint8_t input[
+ MAX_MESSAGES * 256 * member_size(struct ctn730_msg, length)];
+static uint8_t *head, *tail;
+static bool data_available;
+
+int pchg_i2c_xfer(int port, uint16_t addr_flags,
+ const uint8_t *out, int out_size,
+ uint8_t *in, int in_size, int flags)
+{
+ if (port != I2C_PORT_WLC || addr_flags != CTN730_I2C_ADDR)
+ return EC_ERROR_INVAL;
+
+ if (in == NULL || in_size == 0)
+ return EC_SUCCESS;
+
+ if (head + in_size >= tail) {
+ data_available = false;
+ return EC_ERROR_OVERFLOW;
+ }
+
+ memcpy(in, head, in_size);
+ head += in_size;
+
+ return EC_SUCCESS;
+}
+DECLARE_TEST_I2C_XFER(pchg_i2c_xfer);
+
+/*
+ * Task for generating IRQs. The task priority is lower than the PCHG task so
+ * that it can yield the CPU to the PCHG task.
+ */
+void irq_task(int argc, char **argv)
+{
+ ccprints("%s task started", __func__);
+ wait_for_task_started();
+
+ while (1) {
+ int i = 0;
+
+ task_wait_event_mask(TASK_EVENT_FUZZ, -1);
+ test_chipset_on();
+
+ while (data_available && i++ < MAX_MESSAGES)
+ pchg_irq(pchgs[0].cfg->irq_pin);
+
+ test_chipset_off();
+
+ pthread_cond_signal(&done_cond);
+ }
+
+}
+
+void run_test(int argc, char **argv)
+{
+ ccprints("Fuzzing task started");
+ task_wait_event(-1);
+}
+
+int test_fuzz_one_input(const uint8_t *data, unsigned int size)
+{
+ if (size < sizeof(struct ctn730_msg))
+ return 0;
+
+ head = input;
+ tail = input + size;
+ memcpy(input, data, size);
+ data_available = true;
+
+ task_set_event(TASK_ID_IRQ, TASK_EVENT_FUZZ);
+ pthread_cond_wait(&done_cond, &lock);
+
+ return 0;
+}
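Review bot: `test_fuzz_one_input` bounds `size` only from below, so `memcpy(input, data, size)` overruns the static `input` array whenever the fuzzer supplies more than `sizeof(input)` bytes; the guard should also reject oversized inputs, `if (size < sizeof(struct ctn730_msg) || size > sizeof(input)) return 0;`. In `pchg_i2c_xfer` the check `head + in_size >= tail` first forms a pointer that can lie past the end of `input` for a large `in_size`, and it also refuses a read that would exactly drain the buffer; comparing remaining bytes instead, `if (in_size > tail - head)`, avoids both. `pthread_cond_wait(&done_cond, &lock)` is called with `lock` never taken and no predicate re-checked after the wake-up, so a `pthread_cond_signal` from `irq_task` that fires before the main thread reaches the wait appears to be lost (inferred from the visible code; the task scheduler in the host harness may serialize this). A one-line comment on `input` stating what the `MAX_MESSAGES * 256 * member_size(...)` sizing represents would help, since `struct ctn730_msg` is not visible in this file.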
diff --git a/fuzz/pchg_fuzz.corpus b/fuzz/pchg_fuzz.corpus
new file mode 100644
index 0000000000..0b069baf4f
--- /dev/null
+++ b/fuzz/pchg_fuzz.corpus
@@ -0,0 +1,26 @@
+"\xae\x01"
+"\x18\x01\x00\x00"
+"\xff~"
+"\x01u"
+"\x80\x00\x00\x00"
+"Q\x00"
+"5\x00"
+"\xb7\x01\x00\x00"
+"\x01\x00\x00\x00\x01\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00"
+"\xff\xff\xff\x00n_\x0b\xc0"
+"\x92\x00"
+"\xff\xdc"
+"\xa6\x01"
+"\x85f\xfc$\x00\x00\x00\x00"
+"\xff\xff\xff\xff\xff\xff\xff\xff"
+"\xff\xff\xff\xff\x00\x00\x00\x00"
+"\xfff"
+"\x01\xcb"
+"\x8f\x00\x00\x00"
+"\xff\xff\xff\x0d"
+"=\x00\x00\x00"
+"\xbc\x00"
+"\x02\x91"
+"\xff\xff\xff\x00\x00\x00\x00\x00"
+"\x00y"
diff --git a/fuzz/pchg_fuzz.tasklist b/fuzz/pchg_fuzz.tasklist
new file mode 100644
index 0000000000..5b30e09245
--- /dev/null
+++ b/fuzz/pchg_fuzz.tasklist
@@ -0,0 +1,12 @@
+/* Copyright 2021 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+/**
+ * See CONFIG_TASK_LIST in config.h for details.
+ */
+#define CONFIG_TEST_TASK_LIST \
+ TASK_TEST(IRQ, irq_task, NULL, TASK_STACK_SIZE) \
+ TASK_TEST(PCHG, pchg_task, NULL, LARGER_TASK_STACK_SIZE) \
+ TASK_TEST(CHIPSET, chipset_task, NULL, LARGER_TASK_STACK_SIZE)