1 /* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package dexfuzz.executors; 18 19 import dexfuzz.ExecutionResult; 20 import dexfuzz.Options; 21 import dexfuzz.StreamConsumer; 22 import dexfuzz.listeners.BaseListener; 23 24 /** 25 * Base class containing the common methods for executing a particular backend of ART. 26 */ 27 public abstract class Executor { 28 private StreamConsumer outputConsumer; 29 private StreamConsumer errorConsumer; 30 31 protected ExecutionResult executionResult; 32 protected String executeClass; 33 34 // Set by subclasses. 35 protected String name; 36 protected int timeout; 37 protected BaseListener listener; 38 protected String testLocation; 39 protected Architecture architecture; 40 protected Device device; 41 private boolean needsCleanCodeCache; 42 private boolean isBisectable; 43 Executor(String name, int timeout, BaseListener listener, Architecture architecture, Device device, boolean needsCleanCodeCache, boolean isBisectable)44 protected Executor(String name, int timeout, BaseListener listener, Architecture architecture, 45 Device device, boolean needsCleanCodeCache, boolean isBisectable) { 46 executeClass = Options.executeClass; 47 48 if (Options.shortTimeouts) { 49 this.timeout = 2; 50 } else { 51 this.timeout = timeout; 52 } 53 54 this.name = name; 55 this.listener = listener; 56 this.architecture = architecture; 57 this.device = device; 58 this.needsCleanCodeCache = needsCleanCodeCache; 59 this.isBisectable = isBisectable; 60 61 if (Options.executeOnHost) { 62 this.testLocation = System.getProperty("user.dir"); 63 } else { 64 this.testLocation = Options.executeDirectory; 65 } 66 67 outputConsumer = new StreamConsumer(); 68 outputConsumer.start(); 69 errorConsumer = new StreamConsumer(); 70 errorConsumer.start(); 71 } 72 73 /** 74 * Called by subclass Executors in their execute() implementations. 75 */ executeCommandWithTimeout(String command, boolean captureOutput)76 protected ExecutionResult executeCommandWithTimeout(String command, boolean captureOutput) { 77 String timeoutString = "timeout " + timeout + " "; 78 return device.executeCommand(timeoutString + device.getExecutionShellPrefix() + command, 79 captureOutput, outputConsumer, errorConsumer); 80 } 81 82 /** 83 * Call this to make sure the StreamConsumer threads are stopped. 84 */ shutdown()85 public void shutdown() { 86 outputConsumer.shutdown(); 87 errorConsumer.shutdown(); 88 } 89 90 /** 91 * Called by the Fuzzer after each execution has finished, to clear the results. 92 */ reset()93 public void reset() { 94 executionResult = null; 95 } 96 97 /** 98 * Called by the Fuzzer to verify the mutated program using the host-side dex2oat. 99 */ verifyOnHost(String programName)100 public boolean verifyOnHost(String programName) { 101 StringBuilder commandBuilder = new StringBuilder(); 102 commandBuilder.append("dex2oat "); 103 104 commandBuilder.append("--instruction-set=").append(architecture.asString()); 105 commandBuilder.append(" --instruction-set-features=default "); 106 107 // Select the correct boot image. 108 commandBuilder.append("--boot-image=").append(device.getAndroidProductOut()); 109 if (device.noBootImageAvailable()) { 110 commandBuilder.append("/data/art-test/core.art "); 111 } else { 112 commandBuilder.append("/system/framework/boot.art "); 113 } 114 115 commandBuilder.append("--oat-file=output.oat "); 116 commandBuilder.append("--android-root=").append(device.getAndroidHostOut()).append(" "); 117 commandBuilder.append("--dex-file=").append(programName).append(" "); 118 commandBuilder.append("--compiler-filter=verify --runtime-arg -Xnorelocate "); 119 120 ExecutionResult verificationResult = device.executeCommand(commandBuilder.toString(), true, 121 outputConsumer, errorConsumer); 122 123 boolean success = true; 124 125 if (verificationResult.isSigabort()) { 126 listener.handleHostVerificationSigabort(verificationResult); 127 success = false; 128 } 129 130 if (success) { 131 // Search for a keyword that indicates verification was not successful. 132 // TODO: Determine if dex2oat crashed? 133 for (String line : verificationResult.error) { 134 if (line.contains("Verification error") 135 || line.contains("Failure to verify dex file")) { 136 success = false; 137 } 138 if (Options.dumpVerify) { 139 // Strip out the start of the log lines. 140 listener.handleDumpVerify(line.replaceFirst(".*(cc|h):\\d+] ", "")); 141 } 142 } 143 } 144 145 if (!success) { 146 listener.handleFailedHostVerification(verificationResult); 147 } 148 149 device.executeCommand("rm output.oat", false); 150 151 return success; 152 } 153 154 /** 155 * Called by the Fuzzer to upload the program to the target device. 156 */ prepareProgramForExecution(String programName)157 public void prepareProgramForExecution(String programName) { 158 if (!Options.executeOnHost) { 159 device.pushProgramToDevice(programName, testLocation); 160 } 161 162 if (needsCleanCodeCache) { 163 // Get the device to clean the code cache 164 device.cleanCodeCache(architecture, testLocation, programName); 165 } 166 } 167 168 /** 169 * Executor subclasses need to override this, to construct their arguments for dalvikvm 170 * invocation correctly. 171 */ constructCommand(String programName)172 protected abstract String constructCommand(String programName); 173 174 /** 175 * Executes runtime. 176 */ execute(String programName)177 public void execute(String programName) { 178 String command = ""; 179 String androidRoot = Options.androidRoot.trim(); 180 if (androidRoot.length() != 0) { 181 command = "PATH=" + androidRoot + "/bin "; 182 command += "ANDROID_ROOT=" + androidRoot + " "; 183 command += "LD_LIBRARY_PATH="+ androidRoot + "/lib:" + androidRoot + "/lib64 "; 184 } 185 command += constructCommand(programName); 186 executionResult = executeCommandWithTimeout(command, true); 187 } 188 189 /** 190 * Runs bisection bug search. 191 */ runBisectionSearch(String programName, String expectedOutputFile, String logFile)192 public ExecutionResult runBisectionSearch(String programName, String expectedOutputFile, String logFile) { 193 assert(isBisectable); 194 String runtimeCommand = constructCommand(programName); 195 StringBuilder commandBuilder = new StringBuilder(); 196 commandBuilder.append("bisection_search.py --raw-cmd '").append(runtimeCommand); 197 commandBuilder.append("' --expected-output=").append(expectedOutputFile); 198 commandBuilder.append(" --logfile=").append(logFile); 199 if (!device.isHost()) { 200 commandBuilder.append(" --device"); 201 if (device.isUsingSpecificDevice()) { 202 commandBuilder.append(" --specific-device=").append(device.getName()); 203 } 204 } 205 return device.executeCommand(commandBuilder.toString(), true, outputConsumer, errorConsumer); 206 } 207 208 /** 209 * Fuzzer.checkForArchitectureSplit() will use this determine the architecture of the Executor. 210 */ getArchitecture()211 public Architecture getArchitecture() { 212 return architecture; 213 } 214 215 /** 216 * Used by the Fuzzer to get result of execution. 217 */ getResult()218 public ExecutionResult getResult() { 219 return executionResult; 220 } 221 222 /** 223 * Because dex2oat can accept a program with soft errors on the host, and then fail after 224 * performing hard verification on the target, we need to check if the Executor detected 225 * a target verification failure, before doing anything else with the resulting output. 226 * Used by the Fuzzer. 227 */ didTargetVerify()228 public boolean didTargetVerify() { 229 // TODO: Remove this once host-verification can be forced to always fail? 230 String output = executionResult.getFlattenedAll(); 231 if (output.contains("VerifyError") || output.contains("Verification failed on class")) { 232 return false; 233 } 234 return true; 235 } 236 getName()237 public String getName() { 238 return name; 239 } 240 finishedWithProgramOnDevice()241 public void finishedWithProgramOnDevice() { 242 device.resetProgramPushed(); 243 } 244 isBisectable()245 public boolean isBisectable() { 246 return isBisectable; 247 } 248 } 249