Merge "Add CHECKs to help diagnose a crash seen internally."
diff --git a/compiler/optimizing/induction_var_range.cc b/compiler/optimizing/induction_var_range.cc
index c0ec58f..f35aace 100644
--- a/compiler/optimizing/induction_var_range.cc
+++ b/compiler/optimizing/induction_var_range.cc
@@ -373,21 +373,23 @@
bool InductionVarRange::IsUnitStride(HInstruction* context,
HInstruction* instruction,
+ HGraph* graph,
/*out*/ HInstruction** offset) const {
HLoopInformation* loop = nullptr;
HInductionVarAnalysis::InductionInfo* info = nullptr;
HInductionVarAnalysis::InductionInfo* trip = nullptr;
if (HasInductionInfo(context, instruction, &loop, &info, &trip)) {
if (info->induction_class == HInductionVarAnalysis::kLinear &&
- info->op_b->operation == HInductionVarAnalysis::kFetch &&
!HInductionVarAnalysis::IsNarrowingLinear(info)) {
int64_t stride_value = 0;
if (IsConstant(info->op_a, kExact, &stride_value) && stride_value == 1) {
int64_t off_value = 0;
- if (IsConstant(info->op_b, kExact, &off_value) && off_value == 0) {
- *offset = nullptr;
- } else {
+ if (IsConstant(info->op_b, kExact, &off_value)) {
+ *offset = graph->GetConstant(info->op_b->type, off_value);
+ } else if (info->op_b->operation == HInductionVarAnalysis::kFetch) {
*offset = info->op_b->fetch;
+ } else {
+ return false;
}
return true;
}
diff --git a/compiler/optimizing/induction_var_range.h b/compiler/optimizing/induction_var_range.h
index a8ee829..ab1772b 100644
--- a/compiler/optimizing/induction_var_range.h
+++ b/compiler/optimizing/induction_var_range.h
@@ -163,6 +163,7 @@
*/
bool IsUnitStride(HInstruction* context,
HInstruction* instruction,
+ HGraph* graph,
/*out*/ HInstruction** offset) const;
/**
diff --git a/compiler/optimizing/induction_var_range_test.cc b/compiler/optimizing/induction_var_range_test.cc
index d01d314..67d2093 100644
--- a/compiler/optimizing/induction_var_range_test.cc
+++ b/compiler/optimizing/induction_var_range_test.cc
@@ -770,8 +770,8 @@
EXPECT_TRUE(range_.IsFinite(loop_header_->GetLoopInformation(), &tc));
EXPECT_EQ(1000, tc);
HInstruction* offset = nullptr;
- EXPECT_TRUE(range_.IsUnitStride(phi, phi, &offset));
- EXPECT_TRUE(offset == nullptr);
+ EXPECT_TRUE(range_.IsUnitStride(phi, phi, graph_, &offset));
+ ExpectInt(0, offset);
HInstruction* tce = range_.GenerateTripCount(
loop_header_->GetLoopInformation(), graph_, loop_preheader_);
ASSERT_TRUE(tce != nullptr);
@@ -826,7 +826,7 @@
EXPECT_TRUE(range_.IsFinite(loop_header_->GetLoopInformation(), &tc));
EXPECT_EQ(1000, tc);
HInstruction* offset = nullptr;
- EXPECT_FALSE(range_.IsUnitStride(phi, phi, &offset));
+ EXPECT_FALSE(range_.IsUnitStride(phi, phi, graph_, &offset));
HInstruction* tce = range_.GenerateTripCount(
loop_header_->GetLoopInformation(), graph_, loop_preheader_);
ASSERT_TRUE(tce != nullptr);
@@ -908,8 +908,8 @@
EXPECT_TRUE(range_.IsFinite(loop_header_->GetLoopInformation(), &tc));
EXPECT_EQ(0, tc); // unknown
HInstruction* offset = nullptr;
- EXPECT_TRUE(range_.IsUnitStride(phi, phi, &offset));
- EXPECT_TRUE(offset == nullptr);
+ EXPECT_TRUE(range_.IsUnitStride(phi, phi, graph_, &offset));
+ ExpectInt(0, offset);
HInstruction* tce = range_.GenerateTripCount(
loop_header_->GetLoopInformation(), graph_, loop_preheader_);
ASSERT_TRUE(tce != nullptr);
@@ -994,7 +994,7 @@
EXPECT_TRUE(range_.IsFinite(loop_header_->GetLoopInformation(), &tc));
EXPECT_EQ(0, tc); // unknown
HInstruction* offset = nullptr;
- EXPECT_FALSE(range_.IsUnitStride(phi, phi, &offset));
+ EXPECT_FALSE(range_.IsUnitStride(phi, phi, graph_, &offset));
HInstruction* tce = range_.GenerateTripCount(
loop_header_->GetLoopInformation(), graph_, loop_preheader_);
ASSERT_TRUE(tce != nullptr);
diff --git a/compiler/optimizing/loop_optimization.cc b/compiler/optimizing/loop_optimization.cc
index 32f4002..b61d7b8 100644
--- a/compiler/optimizing/loop_optimization.cc
+++ b/compiler/optimizing/loop_optimization.cc
@@ -620,12 +620,15 @@
// Conservatively assume a potential loop-carried data dependence otherwise, avoided by
// generating an explicit a != b disambiguation runtime test on the two references.
if (x != y) {
- // For now, we reject after one test to avoid excessive overhead.
- if (vector_runtime_test_a_ != nullptr) {
- return false;
+ // To avoid excessive overhead, we only accept one a != b test.
+ if (vector_runtime_test_a_ == nullptr) {
+ // First test found.
+ vector_runtime_test_a_ = a;
+ vector_runtime_test_b_ = b;
+ } else if ((vector_runtime_test_a_ != a || vector_runtime_test_b_ != b) &&
+ (vector_runtime_test_a_ != b || vector_runtime_test_b_ != a)) {
+ return false; // second test would be needed
}
- vector_runtime_test_a_ = a;
- vector_runtime_test_b_ = b;
}
}
}
@@ -842,7 +845,7 @@
HInstruction* offset = nullptr;
if (TrySetVectorType(type, &restrictions) &&
node->loop_info->IsDefinedOutOfTheLoop(base) &&
- induction_range_.IsUnitStride(instruction, index, &offset) &&
+ induction_range_.IsUnitStride(instruction, index, graph_, &offset) &&
VectorizeUse(node, value, generate_code, type, restrictions)) {
if (generate_code) {
GenerateVecSub(index, offset);
@@ -900,7 +903,7 @@
HInstruction* offset = nullptr;
if (type == instruction->GetType() &&
node->loop_info->IsDefinedOutOfTheLoop(base) &&
- induction_range_.IsUnitStride(instruction, index, &offset)) {
+ induction_range_.IsUnitStride(instruction, index, graph_, &offset)) {
if (generate_code) {
GenerateVecSub(index, offset);
GenerateVecMem(instruction, vector_map_->Get(index), nullptr, offset, type);
@@ -1216,7 +1219,8 @@
void HLoopOptimization::GenerateVecSub(HInstruction* org, HInstruction* offset) {
if (vector_map_->find(org) == vector_map_->end()) {
HInstruction* subscript = vector_index_;
- if (offset != nullptr) {
+ int64_t value = 0;
+ if (!IsInt64AndGet(offset, &value) || value != 0) {
subscript = new (global_allocator_) HAdd(Primitive::kPrimInt, subscript, offset);
if (org->IsPhi()) {
Insert(vector_body_, subscript); // lacks layout placeholder
diff --git a/compiler/optimizing/nodes.h b/compiler/optimizing/nodes.h
index b21c4a5..5e072cd 100644
--- a/compiler/optimizing/nodes.h
+++ b/compiler/optimizing/nodes.h
@@ -421,7 +421,7 @@
void SimplifyLoop(HBasicBlock* header);
int32_t GetNextInstructionId() {
- DCHECK_NE(current_instruction_id_, INT32_MAX);
+ CHECK_NE(current_instruction_id_, INT32_MAX);
return current_instruction_id_++;
}
@@ -430,7 +430,7 @@
}
void SetCurrentInstructionId(int32_t id) {
- DCHECK_GE(id, current_instruction_id_);
+ CHECK_GE(id, current_instruction_id_);
current_instruction_id_ = id;
}
diff --git a/compiler/optimizing/ssa_liveness_analysis.cc b/compiler/optimizing/ssa_liveness_analysis.cc
index 7b7495b..185303b 100644
--- a/compiler/optimizing/ssa_liveness_analysis.cc
+++ b/compiler/optimizing/ssa_liveness_analysis.cc
@@ -197,7 +197,7 @@
HInstruction* instruction = environment->GetInstructionAt(i);
bool should_be_live = ShouldBeLiveForEnvironment(current, instruction);
if (should_be_live) {
- DCHECK(instruction->HasSsaIndex());
+ CHECK(instruction->HasSsaIndex()) << instruction->DebugName();
live_in->SetBit(instruction->GetSsaIndex());
}
if (instruction != nullptr) {
diff --git a/runtime/class_linker.cc b/runtime/class_linker.cc
index 928645a..10e0bd2 100644
--- a/runtime/class_linker.cc
+++ b/runtime/class_linker.cc
@@ -4064,7 +4064,10 @@
while (old_status == mirror::Class::kStatusVerifying ||
old_status == mirror::Class::kStatusVerifyingAtRuntime) {
lock.WaitIgnoringInterrupts();
- CHECK(klass->IsErroneous() || (klass->GetStatus() > old_status))
+ // WaitIgnoringInterrupts can still receive an interrupt and return early, in this
+ // case we may see the same status again. b/62912904. This is why the check is
+ // greater or equal.
+ CHECK(klass->IsErroneous() || (klass->GetStatus() >= old_status))
<< "Class '" << klass->PrettyClass()
<< "' performed an illegal verification state transition from " << old_status
<< " to " << klass->GetStatus();
diff --git a/runtime/interpreter/interpreter_switch_impl.cc b/runtime/interpreter/interpreter_switch_impl.cc
index de8c44e..0a2705d 100644
--- a/runtime/interpreter/interpreter_switch_impl.cc
+++ b/runtime/interpreter/interpreter_switch_impl.cc
@@ -17,7 +17,6 @@
#include "interpreter_switch_impl.h"
#include "base/enums.h"
-#include "base/memory_tool.h"
#include "experimental_flags.h"
#include "interpreter_common.h"
#include "jit/jit.h"
@@ -119,15 +118,12 @@
// to detect exceptions thrown by the DexPcMovedEvent itself. These exceptions could be thrown by
// jvmti-agents while handling breakpoint or single step events. We had to move this into its own
// function because it was making ExecuteSwitchImpl have too large a stack.
-#ifdef ADDRESS_SANITIZER
-NO_INLINE
-#endif // ADDRESS_SANITIZER
-static bool DoDexPcMoveEvent(Thread* self,
- const DexFile::CodeItem* code_item,
- const ShadowFrame& shadow_frame,
- uint32_t dex_pc,
- const instrumentation::Instrumentation* instrumentation,
- JValue* save_ref)
+NO_INLINE static bool DoDexPcMoveEvent(Thread* self,
+ const DexFile::CodeItem* code_item,
+ const ShadowFrame& shadow_frame,
+ uint32_t dex_pc,
+ const instrumentation::Instrumentation* instrumentation,
+ JValue* save_ref)
REQUIRES_SHARED(Locks::mutator_lock_) {
DCHECK(instrumentation->HasDexPcListeners());
StackHandleScope<2> hs(self);
diff --git a/runtime/thread.cc b/runtime/thread.cc
index be1614b..5edd071 100644
--- a/runtime/thread.cc
+++ b/runtime/thread.cc
@@ -549,27 +549,40 @@
//
// We map in the stack by reading every page from the stack bottom (highest address)
// to the stack top. (We then madvise this away.) This must be done by reading from the
- // current stack pointer downwards. Any access more than a page below the current SP
- // might cause a segv.
- // TODO: This comment may be out of date. It seems possible to speed this up. As
- // this is normally done once in the zygote on startup, ignore for now.
+ // current stack pointer downwards.
//
- // AddressSanitizer does not like the part of this functions that reads every stack page.
- // Looks a lot like an out-of-bounds access.
+ // Accesses too far below the current machine register corresponding to the stack pointer (e.g.,
+ // ESP on x86[-32], SP on ARM) might cause a SIGSEGV (at least on x86 with newer kernels). We
+ // thus have to move the stack pointer. We do this portably by using a recursive function with a
+ // large stack frame size.
- // (Defensively) first remove the protection on the protected region as will want to read
+ // (Defensively) first remove the protection on the protected region as we'll want to read
// and write it. Ignore errors.
UnprotectStack();
VLOG(threads) << "Need to map in stack for thread at " << std::hex <<
static_cast<void*>(pregion);
- // Read every page from the high address to the low.
- volatile uint8_t dont_optimize_this;
- UNUSED(dont_optimize_this);
- for (uint8_t* p = stack_top; p >= pregion; p -= kPageSize) {
- dont_optimize_this = *p;
- }
+ struct RecurseDownStack {
+ // This function has an intentionally large stack size.
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wframe-larger-than="
+ NO_INLINE
+ static void Touch(uintptr_t target) {
+ volatile size_t zero = 0;
+ // Use a large local volatile array to ensure a large frame size. Do not use anything close
+ // to a full page for ASAN. It would be nice to ensure the frame size is at most a page, but
+ // there is no pragma support for this.
+ volatile char space[kPageSize - 256];
+ char sink ATTRIBUTE_UNUSED = space[zero];
+ if (reinterpret_cast<uintptr_t>(space) >= target + kPageSize) {
+ Touch(target);
+ }
+ zero *= 2; // Try to avoid tail recursion.
+ }
+#pragma GCC diagnostic pop
+ };
+ RecurseDownStack::Touch(reinterpret_cast<uintptr_t>(pregion));
VLOG(threads) << "(again) installing stack protected region at " << std::hex <<
static_cast<void*>(pregion) << " to " <<
diff --git a/test/656-checker-simd-opt/src/Main.java b/test/656-checker-simd-opt/src/Main.java
index 0d0885c..794c9b6 100644
--- a/test/656-checker-simd-opt/src/Main.java
+++ b/test/656-checker-simd-opt/src/Main.java
@@ -46,6 +46,37 @@
}
}
+ /// CHECK-START: void Main.stencil(int[], int[], int) loop_optimization (before)
+ /// CHECK-DAG: <<CP1:i\d+>> IntConstant 1 loop:none
+ /// CHECK-DAG: <<CM1:i\d+>> IntConstant -1 loop:none
+ /// CHECK-DAG: <<Phi:i\d+>> Phi loop:<<Loop:B\d+>> outer_loop:none
+ /// CHECK-DAG: <<Add1:i\d+>> Add [<<Phi>>,<<CM1>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: <<Get1:i\d+>> ArrayGet [{{l\d+}},<<Add1>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: <<Get2:i\d+>> ArrayGet [{{l\d+}},<<Phi>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: <<Add2:i\d+>> Add [<<Get1>>,<<Get2>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: <<Add3:i\d+>> Add [<<Phi>>,<<CP1>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: <<Get3:i\d+>> ArrayGet [{{l\d+}},<<Add3>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: <<Add4:i\d+>> Add [<<Add2>>,<<Get3>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: ArraySet [{{l\d+}},<<Phi>>,<<Add4>>] loop:<<Loop>> outer_loop:none
+ //
+ /// CHECK-START-ARM64: void Main.stencil(int[], int[], int) loop_optimization (after)
+ /// CHECK-DAG: <<CP1:i\d+>> IntConstant 1 loop:none
+ /// CHECK-DAG: <<CP2:i\d+>> IntConstant 2 loop:none
+ /// CHECK-DAG: <<Phi:i\d+>> Phi loop:<<Loop:B\d+>> outer_loop:none
+ /// CHECK-DAG: <<Add1:i\d+>> Add [<<Phi>>,<<CP1>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: <<Get1:d\d+>> VecLoad [{{l\d+}},<<Phi>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: <<Get2:d\d+>> VecLoad [{{l\d+}},<<Add1>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: <<Add2:d\d+>> VecAdd [<<Get1>>,<<Get2>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: <<Add3:i\d+>> Add [<<Phi>>,<<CP2>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: <<Get3:d\d+>> VecLoad [{{l\d+}},<<Add3>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: <<Add4:d\d+>> VecAdd [<<Add2>>,<<Get3>>] loop:<<Loop>> outer_loop:none
+ /// CHECK-DAG: VecStore [{{l\d+}},<<Add1>>,<<Add4>>] loop:<<Loop>> outer_loop:none
+ private static void stencil(int[] a, int[] b, int n) {
+ for (int i = 1; i < n - 1; i++) {
+ a[i] = b[i - 1] + b[i] + b[i + 1];
+ }
+ }
+
public static void main(String[] args) {
float[] x = new float[100];
float[] y = new float[100];
@@ -58,6 +89,18 @@
expectEquals(5.0f, x[i]);
expectEquals(2.0f, y[i]);
}
+ int[] a = new int[100];
+ int[] b = new int[100];
+ for (int i = 0; i < 100; i++) {
+ a[i] = 0;
+ b[i] = i;
+ }
+ stencil(a, b, 100);
+ for (int i = 1; i < 99; i++) {
+ int e = i + i + i;
+ expectEquals(e, a[i]);
+ expectEquals(i, b[i]);
+ }
System.out.println("passed");
}
diff --git a/tools/dexfuzz/README b/tools/dexfuzz/README
index 78f73f5..3c0c65e 100644
--- a/tools/dexfuzz/README
+++ b/tools/dexfuzz/README
@@ -139,7 +139,9 @@
InstructionSwapper 80
NewMethodCaller 10
NonsenseStringPrinter 10
+OppositeBranchChanger 40
PoolIndexChanger 30
+RandomBranchChanger 30
RandomInstructionGenerator 30
SwitchBranchShifter 30
TryBlockShifter 40
diff --git a/tools/dexfuzz/src/dexfuzz/DexFuzz.java b/tools/dexfuzz/src/dexfuzz/DexFuzz.java
index 3b28754..41ce7b2 100644
--- a/tools/dexfuzz/src/dexfuzz/DexFuzz.java
+++ b/tools/dexfuzz/src/dexfuzz/DexFuzz.java
@@ -34,7 +34,7 @@
*/
public class DexFuzz {
private static int majorVersion = 1;
- private static int minorVersion = 1;
+ private static int minorVersion = 2;
private static int seedChangeVersion = 0;
/**
diff --git a/tools/dexfuzz/src/dexfuzz/program/Program.java b/tools/dexfuzz/src/dexfuzz/program/Program.java
index 286fe52..e550d30 100644
--- a/tools/dexfuzz/src/dexfuzz/program/Program.java
+++ b/tools/dexfuzz/src/dexfuzz/program/Program.java
@@ -32,7 +32,9 @@
import dexfuzz.program.mutators.InstructionSwapper;
import dexfuzz.program.mutators.NewMethodCaller;
import dexfuzz.program.mutators.NonsenseStringPrinter;
+import dexfuzz.program.mutators.OppositeBranchChanger;
import dexfuzz.program.mutators.PoolIndexChanger;
+import dexfuzz.program.mutators.RandomBranchChanger;
import dexfuzz.program.mutators.RandomInstructionGenerator;
import dexfuzz.program.mutators.SwitchBranchShifter;
import dexfuzz.program.mutators.TryBlockShifter;
@@ -199,7 +201,9 @@
registerMutator(new InstructionSwapper(rng, mutationStats, mutations));
registerMutator(new NewMethodCaller(rng, mutationStats, mutations));
registerMutator(new NonsenseStringPrinter(rng, mutationStats, mutations));
+ registerMutator(new OppositeBranchChanger(rng, mutationStats, mutations));
registerMutator(new PoolIndexChanger(rng, mutationStats, mutations));
+ registerMutator(new RandomBranchChanger(rng, mutationStats, mutations));
registerMutator(new RandomInstructionGenerator(rng, mutationStats, mutations));
registerMutator(new SwitchBranchShifter(rng, mutationStats, mutations));
registerMutator(new TryBlockShifter(rng, mutationStats, mutations));
diff --git a/tools/dexfuzz/src/dexfuzz/program/mutators/IfBranchChanger.java b/tools/dexfuzz/src/dexfuzz/program/mutators/IfBranchChanger.java
new file mode 100644
index 0000000..872b297
--- /dev/null
+++ b/tools/dexfuzz/src/dexfuzz/program/mutators/IfBranchChanger.java
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package dexfuzz.program.mutators;
+
+import dexfuzz.Log;
+import dexfuzz.MutationStats;
+import dexfuzz.program.MInsn;
+import dexfuzz.program.MutatableCode;
+import dexfuzz.program.Mutation;
+import dexfuzz.rawdex.Instruction;
+import dexfuzz.rawdex.Opcode;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Random;
+
+/**
+ * This class mutates the comparison operator of the if
+ * statements by taking in a random instruction, checking whether
+ * it is an if statement and, if so, changing the comparison
+ * operator. The inheriting classes implement the way comparison
+ * operator changes. For example, by choosing the opposite
+ * comparison operator or by choosing a random comparison operator.
+ */
+public abstract class IfBranchChanger extends CodeMutator {
+ /**
+ * Every CodeMutator has an AssociatedMutation, representing the
+ * mutation that this CodeMutator can perform, to allow separate
+ * generateMutation() and applyMutation() phases, allowing serialization.
+ */
+ public static class AssociatedMutation extends Mutation {
+ public int ifBranchInsnIdx;
+
+ @Override
+ public String getString() {
+ return Integer.toString(ifBranchInsnIdx);
+ }
+
+ @Override
+ public void parseString(String[] elements) {
+ ifBranchInsnIdx = Integer.parseInt(elements[2]);
+ }
+ }
+
+ // The following two methods are here for the benefit of MutationSerializer,
+ // so it can create a CodeMutator and get the correct associated Mutation, as it
+ // reads in mutations from a dump of mutations.
+ @Override
+ public Mutation getNewMutation() {
+ return new AssociatedMutation();
+ }
+
+ public IfBranchChanger() { }
+
+ public IfBranchChanger(Random rng, MutationStats stats, List<Mutation> mutations) {
+ super(rng, stats, mutations);
+ }
+
+ // A cache that should only exist between generateMutation() and applyMutation(),
+ // or be created at the start of applyMutation(), if we're reading in mutations from
+ // a file.
+ private List<MInsn> ifBranchInsns = null;
+
+ private void generateCachedifBranchInsns(MutatableCode mutatableCode) {
+ if (ifBranchInsns != null) {
+ return;
+ }
+
+ ifBranchInsns = new ArrayList<MInsn>();
+
+ for (MInsn mInsn : mutatableCode.getInstructions()) {
+ if (isIfBranchOperation(mInsn)) {
+ ifBranchInsns.add(mInsn);
+ }
+ }
+ }
+
+ @Override
+ protected boolean canMutate(MutatableCode mutatableCode) {
+ for (MInsn mInsn : mutatableCode.getInstructions()) {
+ if (isIfBranchOperation(mInsn)) {
+ return true;
+ }
+ }
+
+ Log.debug("No if branch operation, skipping...");
+ return false;
+ }
+
+ @Override
+ protected Mutation generateMutation(MutatableCode mutatableCode) {
+ generateCachedifBranchInsns(mutatableCode);
+
+ int ifBranchInsnIdx = rng.nextInt(ifBranchInsns.size());
+
+ AssociatedMutation mutation = new AssociatedMutation();
+ mutation.setup(this.getClass(), mutatableCode);
+ mutation.ifBranchInsnIdx = ifBranchInsnIdx;
+ return mutation;
+ }
+
+ @Override
+ protected void applyMutation(Mutation uncastMutation) {
+ AssociatedMutation mutation = (AssociatedMutation) uncastMutation;
+ MutatableCode mutatableCode = mutation.mutatableCode;
+
+ generateCachedifBranchInsns(mutatableCode);
+
+ MInsn ifBranchInsn = ifBranchInsns.get(mutation.ifBranchInsnIdx);
+
+ String oldInsnString = ifBranchInsn.toString();
+
+ Opcode newOpcode = getModifiedOpcode(ifBranchInsn);
+
+ ifBranchInsn.insn.info = Instruction.getOpcodeInfo(newOpcode);
+
+ Log.info("Changed " + oldInsnString + " to " + ifBranchInsn);
+
+ stats.incrementStat("Changed if branch operator to " + getMutationTag() + " operator");
+
+ // Clear cache.
+ ifBranchInsns = null;
+ }
+
+ /**
+ * Get a different if branch instruction.
+ * @return opcode of the new comparison operator.
+ */
+ protected abstract Opcode getModifiedOpcode(MInsn mInsn);
+
+ /**
+ * Get the tag of the mutation that fired.
+ * @return string tag of the type of mutation used
+ */
+ protected abstract String getMutationTag();
+
+ private boolean isIfBranchOperation(MInsn mInsn) {
+ Opcode opcode = mInsn.insn.info.opcode;
+ if (Opcode.isBetween(opcode, Opcode.IF_EQ, Opcode.IF_LEZ)) {
+ return true;
+ }
+ return false;
+ }
+}
\ No newline at end of file
diff --git a/tools/dexfuzz/src/dexfuzz/program/mutators/OppositeBranchChanger.java b/tools/dexfuzz/src/dexfuzz/program/mutators/OppositeBranchChanger.java
new file mode 100644
index 0000000..cb25b64
--- /dev/null
+++ b/tools/dexfuzz/src/dexfuzz/program/mutators/OppositeBranchChanger.java
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package dexfuzz.program.mutators;
+
+import dexfuzz.Log;
+import dexfuzz.MutationStats;
+import dexfuzz.program.MInsn;
+import dexfuzz.program.Mutation;
+import dexfuzz.rawdex.Opcode;
+import java.util.List;
+import java.util.Random;
+
+public class OppositeBranchChanger extends IfBranchChanger {
+
+ public OppositeBranchChanger(Random rng, MutationStats stats, List<Mutation> mutations) {
+ super(rng, stats, mutations);
+ likelihood = 40;
+ }
+
+ @Override
+ protected Opcode getModifiedOpcode(MInsn mInsn) {
+ Opcode opcode = mInsn.insn.info.opcode;
+ switch (opcode) {
+ case IF_EQ:
+ return Opcode.IF_NE;
+ case IF_NE:
+ return Opcode.IF_EQ;
+ case IF_LT:
+ return Opcode.IF_GE;
+ case IF_GT:
+ return Opcode.IF_LE;
+ case IF_GE:
+ return Opcode.IF_LT;
+ case IF_LE:
+ return Opcode.IF_GT;
+ case IF_EQZ:
+ return Opcode.IF_NEZ;
+ case IF_NEZ:
+ return Opcode.IF_EQZ;
+ case IF_LTZ:
+ return Opcode.IF_GEZ;
+ case IF_GTZ:
+ return Opcode.IF_LEZ;
+ case IF_GEZ:
+ return Opcode.IF_LTZ;
+ case IF_LEZ:
+ return Opcode.IF_GTZ;
+ default:
+ Log.errorAndQuit("Could not find if branch.");
+ return opcode;
+ }
+ }
+
+ @Override
+ protected String getMutationTag() {
+ return "opposite";
+ }
+}
\ No newline at end of file
diff --git a/tools/dexfuzz/src/dexfuzz/program/mutators/RandomBranchChanger.java b/tools/dexfuzz/src/dexfuzz/program/mutators/RandomBranchChanger.java
new file mode 100644
index 0000000..fc42c2e
--- /dev/null
+++ b/tools/dexfuzz/src/dexfuzz/program/mutators/RandomBranchChanger.java
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package dexfuzz.program.mutators;
+
+import dexfuzz.MutationStats;
+import dexfuzz.program.MInsn;
+import dexfuzz.program.Mutation;
+import dexfuzz.rawdex.Opcode;
+import java.util.List;
+import java.util.Random;
+
+public class RandomBranchChanger extends IfBranchChanger {
+
+ private static final Opcode[] EQUALITY_CMP_OP_LIST = {
+ Opcode.IF_EQ,
+ Opcode.IF_NE,
+ Opcode.IF_LT,
+ Opcode.IF_GE,
+ Opcode.IF_GT,
+ Opcode.IF_LE
+ };
+
+ private static final Opcode[] ZERO_CMP_OP_LIST = {
+ Opcode.IF_EQZ,
+ Opcode.IF_NEZ,
+ Opcode.IF_LTZ,
+ Opcode.IF_GEZ,
+ Opcode.IF_GTZ,
+ Opcode.IF_LEZ
+ };
+
+ public RandomBranchChanger(Random rng, MutationStats stats, List<Mutation> mutations) {
+ super(rng, stats, mutations);
+ likelihood = 30;
+ }
+
+ @Override
+ protected Opcode getModifiedOpcode(MInsn mInsn) {
+ Opcode opcode = mInsn.insn.info.opcode;
+ if (Opcode.isBetween(opcode, Opcode.IF_EQ, Opcode.IF_LE)) {
+ int index = opcode.ordinal() - Opcode.IF_EQ.ordinal();
+ int length = EQUALITY_CMP_OP_LIST.length;
+ return EQUALITY_CMP_OP_LIST[(index + 1 + rng.nextInt(length - 1)) % length];
+ } else if (Opcode.isBetween(opcode, Opcode.IF_EQZ, Opcode.IF_LEZ)) {
+ int index = opcode.ordinal() - Opcode.IF_EQZ.ordinal();
+ int length = ZERO_CMP_OP_LIST.length;
+ return ZERO_CMP_OP_LIST[(index + 1 + rng.nextInt(length - 1)) % length];
+ }
+ return opcode;
+ }
+
+ @Override
+ protected String getMutationTag() {
+ return "random";
+ }
+}
\ No newline at end of file
