1 /* 2 * Copyright (C) 2017 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package dexfuzz.program.mutators; 18 19 import dexfuzz.Log; 20 import dexfuzz.MutationStats; 21 import dexfuzz.program.MInsn; 22 import dexfuzz.program.MutatableCode; 23 import dexfuzz.program.Mutation; 24 import dexfuzz.rawdex.Instruction; 25 import dexfuzz.rawdex.Opcode; 26 27 import java.util.ArrayList; 28 import java.util.List; 29 import java.util.Random; 30 31 // This mutation might change the length of an array but can also change the 32 // value of the register in every place it is used. 33 public class NewArrayLengthChanger extends CodeMutator { 34 /** 35 * Every CodeMutator has an AssociatedMutation, representing the 36 * mutation that this CodeMutator can perform, to allow separate 37 * generateMutation() and applyMutation() phases, allowing serialization. 38 */ 39 public static class AssociatedMutation extends Mutation { 40 public int newArrayToChangeIdx; 41 42 @Override 43 public String getString() { 44 return Integer.toString(newArrayToChangeIdx); 45 } 46 47 @Override 48 public void parseString(String[] elements) { 49 newArrayToChangeIdx = Integer.parseInt(elements[2]); 50 } 51 } 52 53 // The following two methods are here for the benefit of MutationSerializer, 54 // so it can create a CodeMutator and get the correct associated Mutation, as it 55 // reads in mutations from a dump of mutations. 56 @Override 57 public Mutation getNewMutation() { 58 return new AssociatedMutation(); 59 } 60 61 public NewArrayLengthChanger() { } 62 63 public NewArrayLengthChanger(Random rng, MutationStats stats, List<Mutation> mutations) { 64 super(rng, stats, mutations); 65 likelihood = 50; 66 } 67 68 // A cache that should only exist between generateMutation() and applyMutation(), 69 // or be created at the start of applyMutation(), if we're reading in mutations from 70 // a file. 71 private List<MInsn> newArrayLengthInsns = null; 72 73 private void generateCachedArrayLengthInsns(MutatableCode mutatableCode) { 74 if (newArrayLengthInsns != null) { 75 return; 76 } 77 78 newArrayLengthInsns = new ArrayList<MInsn>(); 79 80 for (MInsn mInsn : mutatableCode.getInstructions()) { 81 if (isNewArray(mInsn)) { 82 newArrayLengthInsns.add(mInsn); 83 } 84 } 85 } 86 87 @Override 88 protected boolean canMutate(MutatableCode mutatableCode) { 89 for (MInsn mInsn : mutatableCode.getInstructions()) { 90 // TODO: Add filled-new-array and filled-new-array/range with their respective 91 // positions of registers and also proper encoding. 92 if (isNewArray(mInsn)) { 93 return true; 94 } 95 } 96 Log.debug("No New Array instruction in method, skipping..."); 97 return false; 98 } 99 100 @Override 101 protected Mutation generateMutation(MutatableCode mutatableCode) { 102 generateCachedArrayLengthInsns(mutatableCode); 103 104 int newArrayIdx = rng.nextInt(newArrayLengthInsns.size()); 105 106 AssociatedMutation mutation = new AssociatedMutation(); 107 mutation.setup(this.getClass(), mutatableCode); 108 mutation.newArrayToChangeIdx = newArrayIdx; 109 return mutation; 110 } 111 112 @Override 113 protected void applyMutation(Mutation uncastMutation) { 114 // Cast the Mutation to our AssociatedMutation, so we can access its fields. 115 AssociatedMutation mutation = (AssociatedMutation) uncastMutation; 116 MutatableCode mutatableCode = mutation.mutatableCode; 117 MInsn newArrayInsn = newArrayLengthInsns.get(mutation.newArrayToChangeIdx); 118 int newArrayInsnIdx = mutatableCode.getInstructionIndex(newArrayInsn); 119 120 MInsn newInsn = new MInsn(); 121 newInsn.insn = new Instruction(); 122 newInsn.insn.info = Instruction.getOpcodeInfo(Opcode.CONST_16); 123 newInsn.insn.vregA = (int) newArrayInsn.insn.vregB; 124 // New length chosen randomly between 1 to 100. 125 newInsn.insn.vregB = rng.nextInt(100); 126 mutatableCode.insertInstructionAt(newInsn, newArrayInsnIdx); 127 Log.info("Changed the length of the array to " + newInsn.insn.vregB); 128 stats.incrementStat("Changed length of new array"); 129 } 130 131 private boolean isNewArray(MInsn mInsn) { 132 Opcode opcode = mInsn.insn.info.opcode; 133 return opcode == Opcode.NEW_ARRAY; 134 } 135 }