authorEdward Hill <ecgh@chromium.org>2019-10-16 12:55:16 -0600
committerCommit Bot <commit-bot@chromium.org>2019-10-17 19:49:33 +0000
commit4cb90db539a065dc3cc375c7d24c45018d9ef98b (patch)
tree9210d24cc5969eeceb532e4d05185083b9af0c71
parent99c273e1ecd4f90aa8b883fd4ed9e56ca6bbbda1 (diff)
downloadchrome-ec-4cb90db539a065dc3cc375c7d24c45018d9ef98b.tar.gz
fuzz: Add fuzz test for TCPMv2
Add usb_tcpm_v2_fuzz, a TCPMv2 version of usb_pd_fuzz. This gives some fuzz test coverage of: common/usbc/usb_pe_drp_sm.c common/usbc/usb_prl_sm.c common/usbc/usb_sm.c common/usbc/usb_tc_drp_acc_trysrc_sm.c common/usbc/usbc_task.c BRANCH=none BUG=none TEST=make run-usb_tcpm_v2_fuzz Change-Id: Ic129d9ebbe9bb37c2ca2674106e2a6652d08ee2a Signed-off-by: Edward Hill <ecgh@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1865017 Reviewed-by: Denis Brockus <dbrockus@chromium.org> Commit-Queue: Denis Brockus <dbrockus@chromium.org>
-rw-r--r--fuzz/build.mk4
-rw-r--r--fuzz/fuzz_config.h19
-rw-r--r--fuzz/usb_tcpm_v2_fuzz.c25
-rw-r--r--fuzz/usb_tcpm_v2_fuzz.tasklist11
4 files changed, 56 insertions, 3 deletions
diff --git a/fuzz/build.mk b/fuzz/build.mk
index 76d7d13f5b..f2f23c9cf8 100644
--- a/fuzz/build.mk
+++ b/fuzz/build.mk
@@ -9,8 +9,7 @@
fuzz-test-list-host =
# Fuzzers should only be built for architectures that support sanitizers.
ifeq ($(ARCH),amd64)
-# TODO(crbug.com/911310) Fix the chromeos-ec build before adding cr50_fuzz back.
-fuzz-test-list-host += cr50_fuzz host_command_fuzz usb_pd_fuzz
+fuzz-test-list-host += cr50_fuzz host_command_fuzz usb_pd_fuzz usb_tcpm_v2_fuzz
endif
# For fuzzing targets libec.a is built from the ro objects and hides functions
@@ -28,6 +27,7 @@ endif
cr50_fuzz-rw = cr50_fuzz.o pinweaver_model.o mem_hash_tree.o nvmem_tpm2_mock.o
host_command_fuzz-y = host_command_fuzz.o
usb_pd_fuzz-y = usb_pd_fuzz.o
+usb_tcpm_v2_fuzz-y = usb_pd_fuzz.o usb_tcpm_v2_fuzz.o ../test/fake_battery.o
CR50_PROTO_HEADERS := $(out)/gen/fuzz/cr50_fuzz.pb.h \
$(out)/gen/fuzz/pinweaver/pinweaver.pb.h
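Review bot: The new `usb_tcpm_v2_fuzz-y` line links `usb_pd_fuzz.o` and `../test/fake_battery.o` without saying why, and that coupling is easy to break later. As far as this diff shows, usb_tcpm_v2_fuzz.c holds only stubs, so the fuzz entry point presumably comes from usb_pd_fuzz.c compiled under the TCPMv2 configuration. A comment above the line, such as `# Reuses the usb_pd_fuzz harness; usb_tcpm_v2_fuzz.c only adds the TCPMv2 stubs.`, would record that. It is also worth confirming that usb_pd_fuzz.c has nothing guarded by TEST_USB_PD_FUZZ that silently drops out of this build, since that would reduce coverage without any build error.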
diff --git a/fuzz/fuzz_config.h b/fuzz/fuzz_config.h
index 49b5a192d3..f4c325bd99 100644
--- a/fuzz/fuzz_config.h
+++ b/fuzz/fuzz_config.h
@@ -106,7 +106,7 @@ enum nvmem_users {
#endif /* TEST_HOST_COMMAND_FUZZ */
-#if defined(TEST_USB_PD_FUZZ)
+#ifdef TEST_USB_PD_FUZZ
#define CONFIG_USB_POWER_DELIVERY
#define CONFIG_USB_PD_DUAL_ROLE
#define CONFIG_USB_PD_PORT_COUNT 2
@@ -114,5 +114,22 @@ enum nvmem_users {
#define CONFIG_SW_CRC
#endif /* TEST_USB_PD_FUZZ */
+#ifdef TEST_USB_TCPM_V2_FUZZ
+#define CONFIG_USB_PD_DUAL_ROLE
+#define CONFIG_USB_PD_PORT_COUNT 2
+#define CONFIG_USB_PD_TCPC_LOW_POWER
+#define CONFIG_USB_PD_TRY_SRC
+#define CONFIG_USB_PID 0x5555
+#define CONFIG_USB_POWER_DELIVERY
+#define CONFIG_USB_PRL_SM
+#define CONFIG_USB_SM_FRAMEWORK
+#define CONFIG_USB_TYPEC_DRP_ACC_TRYSRC
+#define CONFIG_USBC_VCONN
+#define CONFIG_USBC_VCONN_SWAP
+#define PD_VCONN_SWAP_DELAY 5000
+#define CONFIG_SHA256
+#define CONFIG_SW_CRC
+#endif /* TEST_USB_TCPM_V2_FUZZ */
+
#endif /* TEST_FUZZ */
#endif /* __FUZZ_FUZZ_CONFIG_H */
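Review bot: `CONFIG_USB_PID 0x5555` and `PD_VCONN_SWAP_DELAY 5000` in the TEST_USB_TCPM_V2_FUZZ block are bare magic values with no unit or origin given. A trailing comment on each would stop them being copied as real values, e.g. `#define PD_VCONN_SWAP_DELAY 5000 /* us */` (unit to be confirmed against the board headers) and `#define CONFIG_USB_PID 0x5555 /* placeholder for the fuzz build */`. PD_VCONN_SWAP_DELAY is also the only non-CONFIG_ name in the block, and it sits between entries that are otherwise alphabetical; moving it to the end with its comment would make the list easier to compare with the TEST_USB_PD_FUZZ block above.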
diff --git a/fuzz/usb_tcpm_v2_fuzz.c b/fuzz/usb_tcpm_v2_fuzz.c
new file mode 100644
index 0000000000..71ac1fe62b
--- /dev/null
+++ b/fuzz/usb_tcpm_v2_fuzz.c
@@ -0,0 +1,25 @@
+/* Copyright 2019 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * Stubs needed for fuzz testing the USB TCPMv2 state machines.
+ */
+
+#define HIDE_EC_STDLIB
+#include "usb_pd.h"
+#include "charge_manager.h"
+
+const struct svdm_response svdm_rsp = {
+ .identity = NULL,
+ .svids = NULL,
+ .modes = NULL,
+};
+
+int pd_check_vconn_swap(int port)
+{
+ return 1;
+}
+
+void charge_manager_set_ceil(int port, enum ceil_requestor requestor, int ceil)
+{
+}
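Review bot: The three stubs pin every policy decision to a single outcome and carry no comments, which hides what this fuzzer cannot reach. `pd_check_vconn_swap()` always returns 1, so the path that refuses a VCONN swap is presumably never exercised, and `svdm_rsp` with all-NULL members likely keeps the structured-VDM response code on its no-handler branch. If that is intended for a first version, state it above each stub, for example `/* Always allow VCONN swap; the reject path is not covered here. */` and `/* No SVDM responders are registered in the fuzz build. */`. `#define HIDE_EC_STDLIB` would also benefit from a one-line reason, and the empty `charge_manager_set_ceil()` from a `/* Charge limits are ignored when fuzzing. */` note.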
diff --git a/fuzz/usb_tcpm_v2_fuzz.tasklist b/fuzz/usb_tcpm_v2_fuzz.tasklist
new file mode 100644
index 0000000000..41f5791411
--- /dev/null
+++ b/fuzz/usb_tcpm_v2_fuzz.tasklist
@@ -0,0 +1,11 @@
+/* Copyright 2019 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+/**
+ * See CONFIG_TASK_LIST in config.h for details.
+ */
+#define CONFIG_TEST_TASK_LIST \
+ TASK_TEST(PD_C0, pd_task, NULL, LARGER_TASK_STACK_SIZE) \
+ TASK_TEST(PD_C1, pd_task, NULL, LARGER_TASK_STACK_SIZE)
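Review bot: The task list hard-codes exactly two PD tasks (PD_C0 and PD_C1), which has to stay in step with `CONFIG_USB_PD_PORT_COUNT 2` in the TEST_USB_TCPM_V2_FUZZ block of fuzz_config.h, and neither file says so. A comment above the macro, such as `/* One pd_task per port; keep in sync with CONFIG_USB_PD_PORT_COUNT in fuzz_config.h. */`, would prevent a mismatch when the port count is changed.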