A mutation that changes the length of an array.
This mutation takes an array and changes its length.
Test: ran dexfuzz until the mutation kicked in and used dexdump2 to find
the diff.
Change-Id: I5078b678673af7a839208c79113f1c1f26090baa
diff --git a/tools/dexfuzz/README b/tools/dexfuzz/README
index 58f6226..271ac2b 100644
--- a/tools/dexfuzz/README
+++ b/tools/dexfuzz/README
@@ -138,6 +138,7 @@
InstructionDuplicator 80
InstructionSwapper 80
InvokeChanger 30
+NewArrayLengthChanger 50
NewMethodCaller 10
NonsenseStringPrinter 10
OppositeBranchChanger 40
diff --git a/tools/dexfuzz/src/dexfuzz/DexFuzz.java b/tools/dexfuzz/src/dexfuzz/DexFuzz.java
index 97cdfee..d7a5325 100644
--- a/tools/dexfuzz/src/dexfuzz/DexFuzz.java
+++ b/tools/dexfuzz/src/dexfuzz/DexFuzz.java
@@ -33,8 +33,9 @@
* Entrypoint class for dexfuzz.
*/
public class DexFuzz {
+ // Last version update 1.4: added array length mutator.
private static int majorVersion = 1;
- private static int minorVersion = 3;
+ private static int minorVersion = 4;
private static int seedChangeVersion = 0;
/**
diff --git a/tools/dexfuzz/src/dexfuzz/program/Program.java b/tools/dexfuzz/src/dexfuzz/program/Program.java
index 1d0c678..b0a06fc 100644
--- a/tools/dexfuzz/src/dexfuzz/program/Program.java
+++ b/tools/dexfuzz/src/dexfuzz/program/Program.java
@@ -31,6 +31,7 @@
import dexfuzz.program.mutators.InstructionDuplicator;
import dexfuzz.program.mutators.InstructionSwapper;
import dexfuzz.program.mutators.InvokeChanger;
+import dexfuzz.program.mutators.NewArrayLengthChanger;
import dexfuzz.program.mutators.NewMethodCaller;
import dexfuzz.program.mutators.NonsenseStringPrinter;
import dexfuzz.program.mutators.OppositeBranchChanger;
@@ -201,6 +202,7 @@
registerMutator(new InstructionDuplicator(rng, mutationStats, mutations));
registerMutator(new InstructionSwapper(rng, mutationStats, mutations));
registerMutator(new InvokeChanger(rng, mutationStats, mutations));
+ registerMutator(new NewArrayLengthChanger(rng, mutationStats, mutations));
registerMutator(new NewMethodCaller(rng, mutationStats, mutations));
registerMutator(new NonsenseStringPrinter(rng, mutationStats, mutations));
registerMutator(new OppositeBranchChanger(rng, mutationStats, mutations));
diff --git a/tools/dexfuzz/src/dexfuzz/program/mutators/NewArrayLengthChanger.java b/tools/dexfuzz/src/dexfuzz/program/mutators/NewArrayLengthChanger.java
new file mode 100644
index 0000000..aba7971
--- /dev/null
+++ b/tools/dexfuzz/src/dexfuzz/program/mutators/NewArrayLengthChanger.java
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package dexfuzz.program.mutators;
+
+import dexfuzz.Log;
+import dexfuzz.MutationStats;
+import dexfuzz.program.MInsn;
+import dexfuzz.program.MutatableCode;
+import dexfuzz.program.Mutation;
+import dexfuzz.rawdex.Instruction;
+import dexfuzz.rawdex.Opcode;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Random;
+
+// This mutation might change the length of an array but can also change the
+// value of the register in every place it is used.
+public class NewArrayLengthChanger extends CodeMutator {
+ /**
+ * Every CodeMutator has an AssociatedMutation, representing the
+ * mutation that this CodeMutator can perform, to allow separate
+ * generateMutation() and applyMutation() phases, allowing serialization.
+ */
+ public static class AssociatedMutation extends Mutation {
+ public int newArrayToChangeIdx;
+
+ @Override
+ public String getString() {
+ return Integer.toString(newArrayToChangeIdx);
+ }
+
+ @Override
+ public void parseString(String[] elements) {
+ newArrayToChangeIdx = Integer.parseInt(elements[2]);
+ }
+ }
+
+ // The following two methods are here for the benefit of MutationSerializer,
+ // so it can create a CodeMutator and get the correct associated Mutation, as it
+ // reads in mutations from a dump of mutations.
+ @Override
+ public Mutation getNewMutation() {
+ return new AssociatedMutation();
+ }
+
+ public NewArrayLengthChanger() { }
+
+ public NewArrayLengthChanger(Random rng, MutationStats stats, List<Mutation> mutations) {
+ super(rng, stats, mutations);
+ likelihood = 50;
+ }
+
+ // A cache that should only exist between generateMutation() and applyMutation(),
+ // or be created at the start of applyMutation(), if we're reading in mutations from
+ // a file.
+ private List<MInsn> newArrayLengthInsns = null;
+
+ private void generateCachedArrayLengthInsns(MutatableCode mutatableCode) {
+ if (newArrayLengthInsns != null) {
+ return;
+ }
+
+ newArrayLengthInsns = new ArrayList<MInsn>();
+
+ for (MInsn mInsn : mutatableCode.getInstructions()) {
+ if (isNewArray(mInsn)) {
+ newArrayLengthInsns.add(mInsn);
+ }
+ }
+ }
+
+ @Override
+ protected boolean canMutate(MutatableCode mutatableCode) {
+ for (MInsn mInsn : mutatableCode.getInstructions()) {
+ // TODO: Add filled-new-array and filled-new-array/range with their respective
+ // positions of registers and also proper encoding.
+ if (isNewArray(mInsn)) {
+ return true;
+ }
+ }
+ Log.debug("No New Array instruction in method, skipping...");
+ return false;
+ }
+
+ @Override
+ protected Mutation generateMutation(MutatableCode mutatableCode) {
+ generateCachedArrayLengthInsns(mutatableCode);
+
+ int newArrayIdx = rng.nextInt(newArrayLengthInsns.size());
+
+ AssociatedMutation mutation = new AssociatedMutation();
+ mutation.setup(this.getClass(), mutatableCode);
+ mutation.newArrayToChangeIdx = newArrayIdx;
+ return mutation;
+ }
+
+ @Override
+ protected void applyMutation(Mutation uncastMutation) {
+ // Cast the Mutation to our AssociatedMutation, so we can access its fields.
+ AssociatedMutation mutation = (AssociatedMutation) uncastMutation;
+ MutatableCode mutatableCode = mutation.mutatableCode;
+ MInsn newArrayInsn = newArrayLengthInsns.get(mutation.newArrayToChangeIdx);
+ int newArrayInsnIdx = mutatableCode.getInstructionIndex(newArrayInsn);
+
+ MInsn newInsn = new MInsn();
+ newInsn.insn = new Instruction();
+ newInsn.insn.info = Instruction.getOpcodeInfo(Opcode.CONST_16);
+ newInsn.insn.vregA = (int) newArrayInsn.insn.vregB;
+ // New length chosen randomly between 1 to 100.
+ newInsn.insn.vregB = rng.nextInt(100);
+ mutatableCode.insertInstructionAt(newInsn, newArrayInsnIdx);
+ Log.info("Changed the length of the array to " + newInsn.insn.vregB);
+ stats.incrementStat("Changed length of new array");
+ }
+
+ private boolean isNewArray(MInsn mInsn) {
+ Opcode opcode = mInsn.insn.info.opcode;
+ return opcode == Opcode.NEW_ARRAY;
+ }
+}
\ No newline at end of file
