1 /*
2  * Copyright 2016, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <cmath>
18 #include <random>
19 
20 #include <inttypes.h>
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include <unistd.h>
25 
26 #include <sys/time.h>
27 
28 namespace {
29 
/*
 * Operators.
 *
 * Java operator spellings, emitted verbatim into the generated program via
 * emitOneOf, which picks an entry with random0(N). Table sizes therefore form
 * part of the seed -> program mapping: adding, removing or reordering entries
 * changes the output for a given seed and warrants a VERSION bump.
 */

// Increment/decrement, applied to every numeric type (emitIncDecOp skips boolean).
static constexpr const char* kIncDecOps[]   = { "++", "--" };
// Unary operators (same type in-out); '~' is integral-only.
static constexpr const char* kIntUnaryOps[] = { "+", "-", "~" };
static constexpr const char* kFpUnaryOps[]  = { "+", "-" };

// Binary operators (same type in-out). The non-short-circuit boolean forms
// "&", "|", "^" and the unsigned shift ">>>" are included on purpose even
// though they are less common in hand-written code.
// Note: integer "/" and "%" with a zero divisor throw ArithmeticException at
// run time (Java semantics); that type is not in kExceptionTypes below, so the
// generated handlers never catch it.
static constexpr const char* kBoolBinOps[] = { "&&", "||", "&", "|", "^" };  // includes less common forms
static constexpr const char* kIntBinOps[]  = { "+", "-", "*", "/", "%",
                                               ">>", ">>>", "<<", "&", "|", "^" };
static constexpr const char* kFpBinOps[]   = { "+", "-", "*", "/" };

// Assignment operators (same type in-out), split like the binary tables.
static constexpr const char* kBoolAssignOps[] = { "=", "&=" , "|=", "^=" };  // includes less common forms
static constexpr const char* kIntAssignOps[]  = { "=", "+=", "-=", "*=", "/=", "%=",
                                                  ">>=", ">>>=", "<<=", "&=", "|=", "^=" };
static constexpr const char* kFpAssignOps[]   = { "=", "+=", "-=", "*=", "/=" };

// Relational operators (one type in, boolean out). Booleans only support
// equality; numeric types also support ordering.
static constexpr const char* kBoolRelOps[] = { "==", "!=" };
static constexpr const char* kRelOps[]     = { "==", "!=", ">", ">=", "<", "<=" };
50 
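/*
 * Exceptions.
 *
 * Exception types a generated try block may catch. emitCatch draws a count in
 * [1, countof(kExceptionTypes)] and emits handlers for the first `count`
 * entries in this order, so the order is part of the seed -> program mapping.
 * The table is read-only; it is constexpr like the operator tables above so
 * the element pointers are const too and cannot be repointed at run time.
 */
static constexpr const char* kExceptionTypes[] = {
  "IllegalStateException",
  "NullPointerException",
  "IllegalArgumentException",
  "ArrayIndexOutOfBoundsException"
};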
60 
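/*
 * Version of JFuzz. Increase this each time changes are made to the program
 * to preserve the property that a given version of JFuzz yields the same
 * fuzzed program for a deterministic random seed.
 *
 * Both the pointer and the characters are const: the version string is an
 * identifier of the generator and must not be repointed or rewritten at
 * run time.
 */
static const char* const VERSION = "1.5";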
67 
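/*
 * Maximum number of array dimensions, together with corresponding maximum size
 * within each dimension (to keep memory/runtime requirements roughly the same).
 *
 * Index 0 is a placeholder: the constructor draws array_dim_ with
 * random1(kMaxDim), so only entries 1..kMaxDim are ever read, and each of
 * those must be non-zero because array_size_ = random1(kMaxDimSize[array_dim_])
 * needs a non-empty range. The static_assert below pins that invariant.
 */
static constexpr uint32_t kMaxDim = 10;
static constexpr uint32_t kMaxDimSize[kMaxDim + 1] = { 0, 1000, 32, 10, 6, 4, 3, 3, 2, 2, 2 };

// Compile-time check that every reachable dimension count has a usable size bound.
constexpr bool allReachableDimSizesPositive() {
  for (uint32_t dim = 1; dim <= kMaxDim; ++dim) {
    if (kMaxDimSize[dim] == 0) {
      return false;
    }
  }
  return true;
}
static_assert(allReachableDimSizesPositive(),
              "kMaxDimSize must be non-zero for every dimension count in 1..kMaxDim");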
74 
/*
 * Utility function to return the number of elements in an array.
 *
 * Only a true array binds to the reference-to-array parameter, so a decayed
 * pointer is a compile error rather than a wrong count. The result is uint32_t
 * to match the random0/random1 range arguments it is passed to.
 */
template <typename T, uint32_t N>
constexpr uint32_t countof(const T (&/* array */)[N]) {
  return N;
}
82 
83 /**
84  * A class that generates a random program that compiles correctly. The program
85  * is generated using rules that generate various programming constructs. Each rule
86  * has a fixed probability to "fire". Running a generated program yields deterministic
 * output, making it suited to test various modes of execution (e.g. an interpreter vs.
 * a compiler, or two different runtimes) for divergences.
89  */
90 class JFuzz {
91  public:
  // Constructs a generator that writes one program to |out|.
  //
  // |seed| initializes the random engine and is also kept in fuzz_seed_
  // (presumably so the emitted program can record it — confirm in emitHeader).
  // |expr_depth|, |stmt_length|, |if_nest|, |loop_nest| and |try_nest| are the
  // limits consulted by emitExpression, emitIfStmt/emitSwitch,
  // emitForLoop/emitDoLoop and emitTryCatchFinally respectively.
  //
  // NOTE(review): the initializer list draws from the random engine
  // (randomType(), random1()) and array_size_ reads array_dim_. C++ initializes
  // members in declaration order, not initializer-list order, so this is only
  // correct if fuzz_random_engine_ is declared before return_type_ and
  // array_dim_ before array_size_ — confirm against the member declarations,
  // which are outside this excerpt. Reordering those declarations would also
  // change the seed -> program mapping (see VERSION).
  //
  // |out| is borrowed: the destructor leaves it open.
  JFuzz(FILE* out,
        uint32_t seed,
        uint32_t expr_depth,
        uint32_t stmt_length,
        uint32_t if_nest,
        uint32_t loop_nest,
        uint32_t try_nest)
      : out_(out),
        fuzz_random_engine_(seed),
        fuzz_seed_(seed),
        fuzz_expr_depth_(expr_depth),
        fuzz_stmt_length_(stmt_length),
        fuzz_if_nest_(if_nest),
        fuzz_loop_nest_(loop_nest),
        fuzz_try_nest_(try_nest),
        return_type_(randomType()),   // 1st draw
        array_type_(randomType()),    // 2nd draw
        array_dim_(random1(kMaxDim)), // 3rd draw: 1..kMaxDim
        array_size_(random1(kMaxDimSize[array_dim_])),  // 4th draw: size per dimension
        indentation_(0),
        expr_depth_(0),
        stmt_length_(0),
        if_nest_(0),
        loop_nest_(0),
        switch_nest_(0),
        do_nest_(0),
        try_nest_(0),
        boolean_local_(0),  // visible locals per type, maintained by adjustLocal
        int_local_(0),
        long_local_(0),
        float_local_(0),
        double_local_(0),
        in_inner_(false) { }
125 
  // Nothing to release: |out_| is owned by the caller and is left open.
  ~JFuzz() = default;
127 
  // Emits one complete fuzzed Java program to |out_|: a header followed by the
  // Test class with its main() (both emitters live outside this excerpt).
  // All output goes through unchecked fputs/fprintf calls, so a write error
  // shows up as a truncated program (a javac failure later), not as an error here.
  void emitProgram() {
    emitHeader();
    emitTestClassWithMain();
  }
132 
133  private:
134   //
135   // Types.
136   //
137 
  // Current type of each expression during generation: the five Java primitive
  // types the fuzzer works with. emitType/emitTypeClass map them to the
  // primitive and boxed spellings; randomType and adjustLocal handle kDouble
  // in their `default` case.
  enum Type {
    kBoolean,
    kInt,
    kLong,
    kFloat,
    kDouble
  };
146 
  // Test for an integral type (int or long; boolean does not count).
  static bool isInteger(Type tp) {
    switch (tp) {
      case kInt:
      case kLong:
        return true;
      default:
        return false;
    }
  }
151 
  // Test for a floating-point type (float or double).
  static bool isFP(Type tp) {
    switch (tp) {
      case kFloat:
      case kDouble:
        return true;
      default:
        return false;
    }
  }
156 
  // Emit the Java primitive keyword for |tp|. An unknown enumerator emits nothing.
  void emitType(Type tp) const {
    const char* keyword = nullptr;
    switch (tp) {
      case kBoolean: keyword = "boolean"; break;
      case kInt:     keyword = "int";     break;
      case kLong:    keyword = "long";    break;
      case kFloat:   keyword = "float";   break;
      case kDouble:  keyword = "double";  break;
    }
    if (keyword != nullptr) {
      fputs(keyword, out_);
    }
  }
167 
  // Emit the Java boxed class name for |tp|. An unknown enumerator emits nothing.
  void emitTypeClass(Type tp) const {
    const char* boxed = nullptr;
    switch (tp) {
      case kBoolean: boxed = "Boolean"; break;
      case kInt:     boxed = "Integer"; break;
      case kLong:    boxed = "Long";    break;
      case kFloat:   boxed = "Float";   break;
      case kDouble:  boxed = "Double";  break;
    }
    if (boxed != nullptr) {
      fputs(boxed, out_);
    }
  }
178 
  // Return a random type, each of the five equally likely (one random1(5) draw).
  Type randomType() {
    const uint32_t pick = random1(5);
    if (pick == 1) return kBoolean;
    if (pick == 2) return kInt;
    if (pick == 3) return kLong;
    if (pick == 4) return kFloat;
    return kDouble;  // 5 (and any unexpected value)
  }
189 
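  // Emits a random string selected from an array of operator strings.
  // N is deduced from the array, so only the tables above (never a decayed
  // pointer) can be passed; the static_assert rejects an empty table, for
  // which random0(0) would have no valid range.
  template <std::uint32_t N>
  inline void emitOneOf(const char* const (&ops)[N]) {
    static_assert(N > 0, "emitOneOf needs a non-empty operator table");
    fputs(ops[random0(N)], out_);
  }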
195 
196   //
197   // Expressions.
198   //
199 
  // Emit an unary operator (same type in-out): '!' for boolean, otherwise
  // one entry of the integral or floating-point table.
  void emitUnaryOp(Type tp) {
    switch (tp) {
      case kBoolean:
        fputc('!', out_);
        break;
      case kInt:
      case kLong:
        emitOneOf(kIntUnaryOps);
        break;
      default:  // isFP(tp)
        emitOneOf(kFpUnaryOps);
        break;
    }
  }
210 
  // Emit a pre/post-increment/decrement operator (same type in-out).
  // Java has no ++/-- for boolean, so nothing is emitted for it and the
  // operand is left "as is".
  void emitIncDecOp(Type tp) {
    if (tp == kBoolean) {
      return;
    }
    emitOneOf(kIncDecOps);  // isInteger(tp) || isFP(tp)
  }
219 
  // Emit a binary operator (same type in-out) from the table matching |tp|.
  void emitBinaryOp(Type tp) {
    switch (tp) {
      case kBoolean:
        emitOneOf(kBoolBinOps);
        break;
      case kInt:
      case kLong:
        emitOneOf(kIntBinOps);
        break;
      default:  // isFP(tp)
        emitOneOf(kFpBinOps);
        break;
    }
  }
230 
  // Emit an assignment operator (same type in-out) from the table matching |tp|.
  void emitAssignmentOp(Type tp) {
    switch (tp) {
      case kBoolean:
        emitOneOf(kBoolAssignOps);
        break;
      case kInt:
      case kLong:
        emitOneOf(kIntAssignOps);
        break;
      default:  // isFP(tp)
        emitOneOf(kFpAssignOps);
        break;
    }
  }
241 
  // Emit a relational operator (one type in, boolean out). Booleans only get
  // equality operators; numeric types get ordering as well.
  void emitRelationalOp(Type tp) {
    if (tp != kBoolean) {  // isInteger(tp) || isFP(tp)
      emitOneOf(kRelOps);
      return;
    }
    emitOneOf(kBoolRelOps);
  }
250 
  // Emit a type conversion operator sequence (out type given, new suitable in type picked).
  // Table-driven: each row holds the cast text to emit (nullptr = implicit
  // widening, nothing printed) and the operand type the caller must now
  // generate. Row counts (5, 6, 4, 5) fix the random1 ranges, so the
  // seed -> program mapping is unchanged. Boolean has no numeric conversion
  // and keeps its type without consuming a draw.
  Type emitTypeConversionOp(Type tp) {
    struct Conversion {
      const char* cast;
      Type in;
    };
    static constexpr Conversion kToInt[] = {
      { "(int)", kLong },
      { "(int)", kFloat },
      { "(int)", kDouble },
      // Narrowing-widening.
      { "(int)(byte)(int)",  kInt },
      { "(int)(short)(int)", kInt },
    };
    static constexpr Conversion kToLong[] = {
      { nullptr,  kInt },  // implicit int -> long
      { "(long)", kFloat },
      { "(long)", kDouble },
      // Narrowing-widening.
      { "(long)(byte)(long)",  kLong },
      { "(long)(short)(long)", kLong },
      { "(long)(int)(long)",   kLong },
    };
    static constexpr Conversion kToFloat[] = {
      { "(float)", kInt },
      { "(float)", kLong },
      { "(float)", kDouble },
      // Narrowing-widening.
      { "(float)(int)(float)", kFloat },
    };
    static constexpr Conversion kToDouble[] = {
      { "(double)", kInt },
      { "(double)", kLong },
      { "(double)", kFloat },
      // Narrowing-widening.
      { "(double)(int)(double)",   kDouble },
      { "(double)(float)(double)", kDouble },
    };

    const Conversion* table = nullptr;
    uint32_t rows = 0;
    switch (tp) {
      case kInt:    table = kToInt;    rows = countof(kToInt);    break;
      case kLong:   table = kToLong;   rows = countof(kToLong);   break;
      case kFloat:  table = kToFloat;  rows = countof(kToFloat);  break;
      case kDouble: table = kToDouble; rows = countof(kToDouble); break;
      default:      return tp;  // nothing suitable, just keep type
    }
    const Conversion& pick = table[random1(rows) - 1];
    if (pick.cast != nullptr) {
      fputs(pick.cast, out_);
    }
    return pick.in;
  }
292 
  // Emit a type conversion (out type given, new suitable in type picked).
  // A boolean result is produced by comparing two operands of one random type;
  // any other result is a cast (or implicit widening) applied to one operand.
  void emitTypeConversion(Type tp) {
    if (tp != kBoolean) {
      const Type operand = emitTypeConversionOp(tp);
      fputc(' ', out_);
      emitExpression(operand);
      return;
    }
    const Type operand = randomType();
    emitExpression(operand);
    fputc(' ', out_);
    emitRelationalOp(operand);
    fputc(' ', out_);
    emitExpression(operand);
  }
308 
  // Emit an unary intrinsic (out type given, new suitable in type picked).
  //
  // Returns the operand type the caller must generate. Most intrinsics take
  // and return the same type; the exceptions flip it:
  //  - boolean results come from Float/Double.isNaN/isFinite/isInfinite;
  //  - Math.round(float) yields int and Math.round(double) yields long (Java
  //    semantics), so an int result needs a float operand and a long a double;
  //  - Float.intBitsToFloat takes an int and Double.longBitsToDouble a long.
  // NOTE(review): Math.incrementExact/decrementExact/negateExact throw
  // ArithmeticException on overflow in the generated program (Java semantics);
  // that type is not in kExceptionTypes, so such a throw escapes the generated
  // handlers. Presumably intended for divergence testing — confirm.
  Type emitIntrinsic1(Type tp) {
    if (tp == kBoolean) {
      switch (random1(6)) {
        case 1: fputs("Float.isNaN",       out_); return kFloat;
        case 2: fputs("Float.isFinite",    out_); return kFloat;
        case 3: fputs("Float.isInfinite",  out_); return kFloat;
        case 4: fputs("Double.isNaN",      out_); return kDouble;
        case 5: fputs("Double.isFinite",   out_); return kDouble;
        case 6: fputs("Double.isInfinite", out_); return kDouble;
      }
    } else if (isInteger(tp)) {
      // Boxed class whose static helpers match the operand width.
      const char* prefix = tp == kLong ? "Long" : "Integer";
      switch (random1(13)) {
        case 1: fprintf(out_, "%s.highestOneBit",         prefix); break;
        case 2: fprintf(out_, "%s.lowestOneBit",          prefix); break;
        case 3: fprintf(out_, "%s.numberOfLeadingZeros",  prefix); break;
        case 4: fprintf(out_, "%s.numberOfTrailingZeros", prefix); break;
        case 5: fprintf(out_, "%s.bitCount",              prefix); break;
        case 6: fprintf(out_, "%s.signum",                prefix); break;
        case 7: fprintf(out_, "%s.reverse",               prefix); break;
        case 8: fprintf(out_, "%s.reverseBytes",          prefix); break;
        case 9:  fputs("Math.incrementExact", out_); break;
        case 10: fputs("Math.decrementExact", out_); break;
        case 11: fputs("Math.negateExact",    out_); break;
        case 12: fputs("Math.abs",            out_); break;
        case 13: fputs("Math.round", out_);
                 // round(double) -> long, round(float) -> int.
                 return tp == kLong ? kDouble : kFloat;
      }
    } else {  // isFP(tp)
      switch (random1(6)) {
        case 1: fputs("Math.abs",      out_); break;
        case 2: fputs("Math.ulp",      out_); break;
        case 3: fputs("Math.signum",   out_); break;
        case 4: fputs("Math.nextUp",   out_); break;
        case 5: fputs("Math.nextDown", out_); break;
        case 6: if (tp == kDouble) {
                  // Bit-pattern reinterpretation: operand is the integral type of the same width.
                  fputs("Double.longBitsToDouble", out_);
                  return kLong;
                } else {
                  fputs("Float.intBitsToFloat", out_);
                  return kInt;
                }
      }
    }
    return tp;  // same type in-out
  }
356 
  // Emit a binary intrinsic (out type given, new suitable in type picked).
  // Every binary intrinsic here takes two operands of the result type, so the
  // input type equals |tp|. Rows marked `prefixed` are emitted as
  // "<Boxed>.<name>", where <Boxed> depends on |tp|; the others are spelled out.
  // Row counts (3, 11, 5) fix the random1 ranges, so the seed -> program
  // mapping is unchanged.
  // Note: Math.floorDiv/floorMod throw ArithmeticException on a zero divisor
  // and the *Exact calls on overflow (Java semantics); kExceptionTypes does not
  // list that type, so the generated handlers never catch it.
  Type emitIntrinsic2(Type tp) {
    struct Intrinsic {
      const char* name;  // ".member" when prefixed, full call target otherwise
      bool prefixed;
    };
    static constexpr Intrinsic kBool[] = {
      { "Boolean.logicalAnd", false },
      { "Boolean.logicalOr",  false },
      { "Boolean.logicalXor", false },
    };
    static constexpr Intrinsic kIntegral[] = {
      { ".compare", true },
      { ".sum",     true },
      { ".min",     true },
      { ".max",     true },
      { "Math.min",           false },
      { "Math.max",           false },
      { "Math.floorDiv",      false },
      { "Math.floorMod",      false },
      { "Math.addExact",      false },
      { "Math.subtractExact", false },
      { "Math.multiplyExact", false },
    };
    static constexpr Intrinsic kFloating[] = {
      { ".sum", true },
      { ".min", true },
      { ".max", true },
      { "Math.min", false },
      { "Math.max", false },
    };

    const Intrinsic* table = nullptr;
    uint32_t rows = 0;
    const char* prefix = "";
    if (tp == kBoolean) {
      table = kBool;
      rows = countof(kBool);
    } else if (isInteger(tp)) {
      table = kIntegral;
      rows = countof(kIntegral);
      prefix = tp == kLong ? "Long" : "Integer";
    } else {  // isFP(tp)
      table = kFloating;
      rows = countof(kFloating);
      prefix = tp == kDouble ? "Double" : "Float";
    }
    const Intrinsic& pick = table[random1(rows) - 1];
    if (pick.prefixed) {
      fputs(prefix, out_);
    }
    fputs(pick.name, out_);
    return tp;  // same type in-out
  }
392 
  // Emit an intrinsic (out type given, new suitable in type picked).
  // One random1(2) draw chooses between a unary call, foo(x), and a binary
  // call, foo(x, y); the callee decides which operand type to generate.
  void emitIntrinsic(Type tp) {
    const bool unary = random1(2) == 1;
    const Type operand = unary ? emitIntrinsic1(tp) : emitIntrinsic2(tp);
    fputc('(', out_);
    emitExpression(operand);
    if (!unary) {
      fputs(", ", out_);
      emitExpression(operand);
    }
    fputc(')', out_);
  }
409 
  // Emit a method call (out type given).
  // The helper-object calls (mA, mB, mBX, mC, mCX) return numeric values that
  // convert implicitly to any numeric result type, so they serve every
  // non-boolean |tp|. They are not used while an inner class is being declared
  // (in_inner_), to avoid infinite recursion; then, and for boolean, an
  // intrinsic is emitted instead.
  void emitMethodCall(Type tp) {
    if (tp == kBoolean || in_inner_) {
      emitIntrinsic(tp);  // fall back
      return;
    }
    static constexpr const char* kCalls[] = {
      "mA.a()", "mB.a()", "mB.x()", "mBX.x()",
      "mC.s()", "mC.c()", "mC.x()", "mCX.x()",
    };
    static_assert(countof(kCalls) == 8, "random1(8) below must index every call");
    fputs(kCalls[random1(8) - 1], out_);
  }
430 
  // Emit unboxing of a boxed object: "(T) new Boxed(x)", i.e. box |x| through
  // the wrapper constructor and immediately cast it back to the primitive.
  void emitUnbox(Type tp) {
    // Cast back to the primitive ...
    fputc('(', out_);
    emitType(tp);
    fputc(')', out_);
    // ... the freshly boxed operand.
    fputs(" new ", out_);
    emitTypeClass(tp);
    fputc('(', out_);
    emitExpression(tp);
    fputc(')', out_);
  }
441 
  // Emit miscellaneous constructs: an instanceof test for boolean, otherwise
  // a boundary constant of the boxed class for |tp|.
  void emitMisc(Type tp) {
    if (tp == kBoolean) {
      // Tests against the enclosing class: X while declaring the inner class,
      // Test otherwise.
      fprintf(out_, "this instanceof %s", in_inner_ ? "X" : "Test");
      return;
    }
    if (isInteger(tp)) {
      static constexpr const char* kIntConsts[] = { "MIN_VALUE", "MAX_VALUE" };
      const char* boxed = tp == kLong ? "Long" : "Integer";
      fprintf(out_, "%s.%s", boxed, kIntConsts[random1(2) - 1]);
      return;
    }
    // isFP(tp)
    static constexpr const char* kFpConsts[] = {
      "MIN_NORMAL", "MIN_VALUE", "MAX_VALUE",
      "POSITIVE_INFINITY", "NEGATIVE_INFINITY", "NaN",
    };
    const char* boxed = tp == kDouble ? "Double" : "Float";
    fprintf(out_, "%s.%s", boxed, kFpConsts[random1(6) - 1]);
  }
464 
  // Adjust local of given type and return adjusted value.
  // |a| may be negative (emitScope passes -1 on scope exit) or zero, which
  // reads the current count without changing it (emitLocalVariable).
  uint32_t adjustLocal(Type tp, int32_t a) {
    auto bump = [a](auto& counter) -> uint32_t {
      counter += a;
      return counter;
    };
    switch (tp) {
      case kBoolean: return bump(boolean_local_);
      case kInt:     return bump(int_local_);
      case kLong:    return bump(long_local_);
      case kFloat:   return bump(float_local_);
      default:       return bump(double_local_);
    }
  }
475 
  // Emit an expression that is a strict upper bound for an array index.
  // Two independent 1-in-8 draws, in this order so the random stream is
  // unchanged: first for "mArray.length", then for a random bound in
  // [1, array_size_]; otherwise the full array_size_ is emitted.
  void emitUpperBound() {
    if (random1(8) == 1) {
      fputs("mArray.length", out_);
      return;
    }
    if (random1(8) == 1) {
      fprintf(out_, "%u", random1(array_size_));  // random in range
      return;
    }
    fprintf(out_, "%u", array_size_);
  }
486 
  // Emit an array index, usually within proper range.
  void emitArrayIndex() {
    // Inside a loop, half of the indices reuse an enclosing loop counter; no
    // draw is spent on that choice when loop_nest_ is zero.
    if (loop_nest_ > 0 && random1(2) == 1) {
      fprintf(out_, "i%u", random0(loop_nest_));
    } else if (random1(8) == 1) {
      fputs("mArray.length - 1", out_);
    } else {
      fprintf(out_, "%u", random0(array_size_));  // random in range
    }
    // Introduce potential off by one errors with low probability (1 in 100).
    // The index may then be -1 or array_size_, so the generated program can
    // throw ArrayIndexOutOfBoundsException; that is intended (it is one of
    // kExceptionTypes) and exercises bounds checks and handler paths.
    if (random1(100) != 1) {
      return;
    }
    fputs(random1(2) == 1 ? " - 1" : " + 1", out_);
  }
505 
  // Emit a literal of type |tp|.
  // Numeric literals are one raw random() value printed with "%d" plus a Java
  // suffix ("L", ".0f", ".0"); a negative value prints as "-N", which
  // emitExpression always separates from a preceding operator by a space.
  // NOTE(review): "%d" assumes random() here is the class's 32-bit signed
  // helper (declared outside this excerpt), not the long-returning ::random()
  // from <stdlib.h> — confirm, since the latter would mismatch the format.
  void emitLiteral(Type tp) {
    if (tp == kBoolean) {
      fputs(random1(2) == 1 ? "true" : "false", out_);
      return;
    }
    const char* suffix = "";
    switch (tp) {
      case kLong:   suffix = "L";   break;
      case kFloat:  suffix = ".0f"; break;
      case kDouble: suffix = ".0";  break;
      default:      break;  // kInt: bare literal
    }
    fprintf(out_, "%d%s", random(), suffix);
  }
516 
  // Emit array variable, if available: the fully indexed element
  // mArray[i]..[j] with array_dim_ indices. Returns false, emitting nothing,
  // when the array's element type is not |tp|.
  bool emitArrayVariable(Type tp) {
    if (tp != array_type_) {
      return false;
    }
    fputs("mArray", out_);
    for (uint32_t dim = 0; dim < array_dim_; ++dim) {
      fputc('[', out_);
      emitArrayIndex();
      fputc(']', out_);
    }
    return true;
  }
530 
  // Emit a local variable, if available.
  // Picks uniformly among the currently visible locals of |tp| (declared by
  // emitScope as lZ0.., lI0.., lJ0.., lF0.., lD0..). Returns false, emitting
  // nothing, when none is in scope; adjustLocal(tp, 0) only reads the count.
  bool emitLocalVariable(Type tp) {
    const uint32_t visible = adjustLocal(tp, 0);
    if (visible == 0) {
      return false;
    }
    const char* prefix = nullptr;
    switch (tp) {
      case kBoolean: prefix = "lZ"; break;
      case kInt:     prefix = "lI"; break;
      case kLong:    prefix = "lJ"; break;
      case kFloat:   prefix = "lF"; break;
      case kDouble:  prefix = "lD"; break;
    }
    const uint32_t index = random0(visible);
    if (prefix != nullptr) {
      fprintf(out_, "%s%u", prefix, index);
    }
    return true;
  }
547 
  // Emit a field variable: the per-type field of the Test class (mZ, mI, mJ,
  // mF, mD), which is always available as the last resort of emitVariable.
  void emitFieldVariable(Type tp) {
    const char* field = nullptr;
    switch (tp) {
      case kBoolean: field = "mZ"; break;
      case kInt:     field = "mI"; break;
      case kLong:    field = "mJ"; break;
      case kFloat:   field = "mF"; break;
      case kDouble:  field = "mD"; break;
    }
    if (field != nullptr) {
      fputs(field, out_);
    }
  }
558 
  // Emit a variable. One random1(4) draw: 1 tries the array element first,
  // 1-2 then try a visible local, and everything else (or any miss) falls
  // back to the always-available field.
  void emitVariable(Type tp) {
    const uint32_t choice = random1(4);
    if (choice == 1 && emitArrayVariable(tp)) {
      return;
    }
    if (choice <= 2 && emitLocalVariable(tp)) {
      return;
    }
    emitFieldVariable(tp);
  }
575 
  // Emit an expression of type |tp|.
  //
  // The expression stops at a leaf (literal or variable, 50/50) when
  // random1(expr_depth_ + 1) exceeds fuzz_expr_depth_, so leaves become more
  // likely as the depth grows. Otherwise one of twelve parenthesized forms is
  // chosen; forms 10-12 all produce a binary operation, which favors them.
  // Draw order (depth check, leaf kind, then form) matches the previous
  // version, keeping the seed -> program mapping intact.
  void emitExpression(Type tp) {
    if (random1(expr_depth_ + 1) > fuzz_expr_depth_) {
      emitLeaf(tp);
      return;
    }

    ++expr_depth_;
    fputc('(', out_);
    const uint32_t form = random1(12);  // favor binary operations
    switch (form) {
      case 1:   // Unary operator: ~ x
        emitUnaryOp(tp);
        fputc(' ', out_);
        emitExpression(tp);
        break;
      case 2:   // Pre-increment: ++x
        emitIncDecOp(tp);
        emitVariable(tp);
        break;
      case 3:   // Post-increment: x++
        emitVariable(tp);
        emitIncDecOp(tp);
        break;
      case 4:   // Ternary operator: b ? x : y
        emitExpression(kBoolean);
        fputs(" ? ", out_);
        emitExpression(tp);
        fputs(" : ", out_);
        emitExpression(tp);
        break;
      case 5:   // Type conversion: (float) x
        emitTypeConversion(tp);
        break;
      case 6:   // Intrinsic: foo(x)
        emitIntrinsic(tp);
        break;
      case 7:   // Method call: mA.a()
        emitMethodCall(tp);
        break;
      case 8:   // Unboxing a boxed value: (int) new Integer(x)
        emitUnbox(tp);
        break;
      case 9:   // Miscellaneous constructs: Integer.MAX_VALUE, this instanceof Test
        emitMisc(tp);
        break;
      default:  // Binary operator: x + y
        emitExpression(tp);
        fputc(' ', out_);
        emitBinaryOp(tp);
        fputc(' ', out_);
        emitExpression(tp);
        break;
    }
    fputc(')', out_);
    --expr_depth_;
  }

  // Emit a terminal expression: a literal or a variable, chosen with one
  // random1(2) draw.
  void emitLeaf(Type tp) {
    if (random1(2) == 1) {
      emitLiteral(tp);
    } else {
      emitVariable(tp);
    }
  }
649 
650   //
651   // Statements.
652   //
653 
  // Emit current indentation: indentation_ spaces.
  void emitIndentation() const {
    for (uint32_t remaining = indentation_; remaining > 0; --remaining) {
      fputc(' ', out_);
    }
  }
660 
  // Emit a return statement.
  // Returns false when a return was emitted (nothing may follow it), otherwise
  // the result of the assignment it falls back to. A return is forced by
  // |mustEmit|; otherwise it is emitted with a 1-in-10 draw, only inside an
  // if or loop and never inside a do-while, whose may-follow tracking would
  // otherwise be confused. No draw is spent when the conditions already fail.
  bool emitReturn(bool mustEmit) {
    const bool insideControlFlow = (if_nest_ + loop_nest_) > 0 && do_nest_ == 0;
    const bool emitIt = mustEmit || (insideControlFlow && random1(10) == 1);
    if (!emitIt) {
      return emitAssignment();  // fall back
    }
    fputs("return ", out_);
    emitExpression(return_type_);
    fputs(";\n", out_);
    return false;
  }
674 
  // Emit a continue statement.
  // Only inside a loop, with a 1-in-10 draw (no draw outside loops); returns
  // false when emitted since nothing may follow it, otherwise falls back to
  // an assignment and returns its result.
  bool emitContinue() {
    const bool emitIt = loop_nest_ > 0 && random1(10) == 1;
    if (!emitIt) {
      return emitAssignment();  // fall back
    }
    fputs("continue;\n", out_);
    return false;
  }
685 
  // Emit a break statement.
  // Only inside a loop and outside any switch (a break there would bind to
  // the switch and confuse the may-follow status), with a 1-in-10 draw that
  // is skipped when those conditions fail. Returns false when emitted,
  // otherwise the result of the assignment it falls back to.
  bool emitBreak() {
    const bool allowed = loop_nest_ > 0 && switch_nest_ == 0;
    if (!allowed || random1(10) != 1) {
      return emitAssignment();  // fall back
    }
    fputs("break;\n", out_);
    return false;
  }
697 
  // Emit a new scope with a local variable declaration statement:
  //   {
  //     <type> l<T><n> = <expr>;
  //     ... statements ...
  //   }
  // The local is numbered by the count of visible locals of its type and is
  // made visible (adjustLocal +1) only after its initializer has been
  // emitted, so the initializer cannot reference the variable itself. The
  // count is restored on exit, and the statement list's may-follow status
  // is returned.
  bool emitScope() {
    const Type tp = randomType();
    fputs("{\n", out_);
    indentation_ += 2;
    emitIndentation();
    emitType(tp);

    char kind = '?';
    switch (tp) {
      case kBoolean: kind = 'Z'; break;
      case kInt:     kind = 'I'; break;
      case kLong:    kind = 'J'; break;
      case kFloat:   kind = 'F'; break;
      case kDouble:  kind = 'D'; break;
    }
    fprintf(out_, " l%c%u = ", kind, adjustLocal(tp, 0));
    emitExpression(tp);
    fputs(";\n", out_);

    adjustLocal(tp, 1);   // local now visible
    const bool mayFollow = emitStatementList();
    adjustLocal(tp, -1);  // local no longer visible

    indentation_ -= 2;
    emitIndentation();
    fputs("}\n", out_);
    return mayFollow;
  }
726 
  // Emit one dimension of an array initializer, where parameter dim >= 1
  // denotes the number of remaining dimensions that should be emitted.
  // Every dimension has array_size_ entries. Each aggregate ends with a
  // trailing comma, which Java array initializers permit.
  void emitArrayInitDim(int dim) {
    if (dim == 1) {
      // Last dimension: set of values on one line.
      fputs("{ ", out_);
      for (uint32_t i = 0; i < array_size_; ++i) {
        emitExpression(array_type_);
        fputs(", ", out_);
      }
      fputs("}", out_);
      return;
    }

    // Outer dimensions: set of sets, one per line, separated by ",\n".
    fputs("{\n", out_);
    indentation_ += 2;
    emitIndentation();
    for (uint32_t i = 0; i < array_size_; ++i) {
      if (i != 0) {
        fputs(",\n", out_);
        emitIndentation();
      }
      emitArrayInitDim(dim - 1);
    }
    fputs(",\n", out_);
    indentation_ -= 2;
    emitIndentation();
    fputs("}", out_);
  }
759 
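  // Emit an array initializer of the following form.
  //   {
  //     type[]..[] tmp = { .. };
  //     mArray = tmp;
  //   }
  // Returns true: the block never blocks control flow. Initializers with more
  // than 20 elements (array_size_ ^ array_dim_) are replaced by a plain
  // assignment to avoid elaborate array initializers.
  bool emitArrayInit() {
    // Element count in exact integer arithmetic (the previous floating-point
    // pow() was exact for the reachable sizes but needlessly indirect). The
    // loop stops as soon as the limit is exceeded, so the product cannot
    // overflow for any array_size_/array_dim_.
    uint64_t elements = 1;
    for (uint32_t dim = 0; dim < array_dim_ && elements <= 20; ++dim) {
      elements *= array_size_;
    }
    if (elements > 20) {
      return emitAssignment();  // fall back
    }

    fputs("{\n", out_);

    indentation_ += 2;
    emitIndentation();
    emitType(array_type_);
    for (uint32_t dim = 0; dim < array_dim_; ++dim) {
      fputs("[]", out_);
    }
    fputs(" tmp = ", out_);
    emitArrayInitDim(array_dim_);
    fputs(";\n", out_);

    emitIndentation();
    fputs("mArray = tmp;\n", out_);

    indentation_ -= 2;
    emitIndentation();
    fputs("}\n", out_);
    return true;
  }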
792 
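  // Emit a for loop.
  // Returns true: a loop body never blocks control flow after the loop.
  // The counter is named i<loop_nest_>, so nested loops get distinct names
  // and emitArrayIndex can refer to any enclosing counter. Bounds come from
  // emitUpperBound: up-counting loops run over [0, bound), down-counting
  // loops over [bound - 1, 0].
  bool emitForLoop() {
    // Continuing loop nest becomes less likely as the depth grows.
    if (random1(loop_nest_ + 1) > fuzz_loop_nest_) {
      return emitAssignment();  // fall back
    }

    const uint32_t counter = loop_nest_;  // suffix of this loop's variable
    const bool goesUp = random1(2) == 1;
    fprintf(out_, "for (int i%u = ", counter);
    if (goesUp) {
      fprintf(out_, "0; i%u < ", counter);
      emitUpperBound();
      fprintf(out_, "; i%u++) {\n", counter);
    } else {
      emitUpperBound();
      // Fixed: the counter is uint32_t, so "%u" (the previous "%d" mismatched
      // the argument type; the printed text is unchanged for these values).
      fprintf(out_, " - 1; i%u >= 0", counter);
      fprintf(out_, "; i%u--) {\n", counter);
    }

    ++loop_nest_;  // now in loop
    indentation_ += 2;
    emitStatementList();
    --loop_nest_;  // no longer in loop
    indentation_ -= 2;

    emitIndentation();
    fputs("}\n", out_);
    return true;  // loop-body does not block flow
  }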
824 
  // Emit while or do-while loop.
  // Both forms are wrapped in a block that declares the counter i<loop_nest_>
  // and pre-increments it in the condition: the while form starts at -1 so
  // the first test sees 0, the do-while form starts at 0 because its body
  // runs before the first test. do_nest_ is raised around a do-while body so
  // that emitReturn avoids returns there. Returns true: the loop never blocks
  // control flow after it.
  bool emitDoLoop() {
    // Continuing loop nest becomes less likely as the depth grows.
    if (random1(loop_nest_ + 1) > fuzz_loop_nest_) {
      return emitAssignment();  // fall back
    }

    const bool isDoWhile = random1(2) != 1;
    const uint32_t counter = loop_nest_;

    fputs("{\n", out_);
    indentation_ += 2;
    emitIndentation();
    fprintf(out_, "int i%u = %d;\n", counter, isDoWhile ? 0 : -1);
    emitIndentation();
    if (isDoWhile) {
      fputs("do {\n", out_);
      do_nest_++;
    } else {
      fprintf(out_, "while (++i%u < ", counter);
      emitUpperBound();
      fputs(") {\n", out_);
    }

    ++loop_nest_;  // now in loop
    indentation_ += 2;
    emitStatementList();
    --loop_nest_;  // no longer in loop
    indentation_ -= 2;

    emitIndentation();
    if (isDoWhile) {
      fprintf(out_, "} while (++i%u < ", counter);
      emitUpperBound();
      fputs(");\n", out_);
      --do_nest_;
    } else {
      fputs("}\n", out_);
    }
    indentation_ -= 2;
    emitIndentation();
    fputs("}\n", out_);
    return true;  // loop-body does not block flow
  }
869 
  // Emit an if statement with both branches.
  // Returns whether code may follow: true unless both branches end in a
  // statement that blocks flow.
  bool emitIfStmt() {
    // Continuing if nest becomes less likely as the depth grows.
    if (random1(if_nest_ + 1) > fuzz_if_nest_) {
      return emitAssignment();  // fall back
    }

    fputs("if (", out_);
    emitExpression(kBoolean);
    fputs(") {\n", out_);

    ++if_nest_;  // now in if

    indentation_ += 2;
    const bool thenMayFollow = emitStatementList();
    indentation_ -= 2;

    emitIndentation();
    fputs("} else {\n", out_);

    indentation_ += 2;
    const bool elseMayFollow = emitStatementList();
    indentation_ -= 2;

    --if_nest_;  // no longer in if

    emitIndentation();
    fputs("}\n", out_);
    return thenMayFollow || elseMayFollow;
  }
898 
  // Emit "try { ... }" without a trailing newline, so emitCatch/emitFinally
  // can continue on the same line. Returns whether the body permits code to
  // follow.
  bool emitTry() {
    fputs("try {\n", out_);
    indentation_ += 2;
    const bool mayFollow = emitStatementList();
    indentation_ -= 2;
    emitIndentation();
    fputc('}', out_);
    return mayFollow;
  }
908 
  // Emit one or more catch clauses, " catch (E ex<try_nest_>_<i>) { ... }",
  // for the first `count` entries of kExceptionTypes, with `count` drawn in
  // [1, countof(kExceptionTypes)]. The handler name carries the try nesting
  // level so handlers of nested try statements never shadow each other.
  // Returns true if any handler permits code to follow.
  bool emitCatch() {
    const uint32_t count = random1(countof(kExceptionTypes));
    bool mayFollow = false;
    for (uint32_t i = 0; i < count; ++i) {
      fprintf(out_, " catch (%s ex%u_%u) {\n", kExceptionTypes[i], try_nest_, i);
      indentation_ += 2;
      const bool handlerMayFollow = emitStatementList();
      indentation_ -= 2;
      mayFollow = mayFollow || handlerMayFollow;
      emitIndentation();
      fputc('}', out_);
    }
    return mayFollow;
  }
922 
  // Emit " finally { ... }" without a trailing newline (the caller adds it).
  // Returns whether the finally body permits code to follow.
  bool emitFinally() {
    fputs(" finally {\n", out_);
    indentation_ += 2;
    const bool mayFollow = emitStatementList();
    indentation_ -= 2;
    emitIndentation();
    fputc('}', out_);
    return mayFollow;
  }
932 
  // Emit a try-catch-finally block. Returns true if statements may follow.
  bool emitTryCatchFinally() {
    // Hard limit on nesting: javac rejects try-catch-finally bodies that
    // grow too large (far sooner than one would expect), so beyond the
    // configured depth a plain assignment is emitted instead.
    if (try_nest_ > fuzz_try_nest_) {
      return emitAssignment();
    }

    ++try_nest_;  // entering try-catch-finally

    bool mayFollow = emitTry();
    // 0: try..catch, 1: try..finally, 2: try..catch..finally.
    const uint32_t shape = random0(3);
    const bool hasCatch = (shape != 1);
    const bool hasFinally = (shape != 0);

    if (hasCatch) {
      // Code may follow if either the try body or some catch body allows it.
      const bool catchMayFollow = emitCatch();
      mayFollow = mayFollow || catchMayFollow;
    }
    if (hasFinally) {
      // A finally block always runs after try and catch; code may only
      // follow if the finally body itself permits it too.
      const bool finallyMayFollow = emitFinally();
      mayFollow = mayFollow && finallyMayFollow;
    }
    fputc('\n', out_);

    --try_nest_;  // leaving try-catch-finally
    return mayFollow;
  }
966 
  // Emit a switch statement over a random array index with one case label
  // and a default label. Returns true if statements may follow, i.e. at
  // least one arm ends in a break.
  bool emitSwitch() {
    // Nesting deeper becomes less likely as the if depth grows.
    if (random1(if_nest_ + 1) > fuzz_if_nest_) {
      return emitAssignment();  // fall back
    }

    bool mayFollow = false;
    // Emits the body of one arm after its label line: "... break;\n}" when
    // statements may follow, "...}" otherwise (an arm that already ends in
    // a return/break/continue must not be followed by another break).
    auto emitArm = [this, &mayFollow]() {
      indentation_ += 2;
      if (emitStatementList()) {
        emitIndentation();
        fputs("break;\n", out_);
        mayFollow = true;
      }
      indentation_ -= 2;
      emitIndentation();
      fputs("}\n", out_);
    };

    fputs("switch (", out_);
    emitArrayIndex();  // keeps the selector within the array range
    fputs(") {\n", out_);

    ++if_nest_;
    ++switch_nest_;  // now in switch
    indentation_ += 2;

    emitIndentation();
    fprintf(out_, "case %u: {\n", random0(array_size_));
    emitArm();

    emitIndentation();
    fputs("default: {\n", out_);
    emitArm();

    --if_nest_;
    --switch_nest_;  // no longer in switch
    indentation_ -= 2;

    emitIndentation();
    fputs("}\n", out_);
    return mayFollow;
  }
1010 
  // Emit a call to the generated static nop() method. Always returns true
  // since a call never blocks control flow.
  bool emitNopCall() {
    static constexpr char kNopCall[] = "nop();\n";
    fputs(kNopCall, out_);
    return true;
  }
1015 
  // Emit an assignment statement "<variable> <op> <expression>;\n" where
  // all three parts are drawn at random for one random type. Always
  // returns true since an assignment never blocks control flow.
  bool emitAssignment() {
    const Type tp = randomType();
    auto space = [this]() { fputs(" ", out_); };
    emitVariable(tp);
    space();
    emitAssignmentOp(tp);
    space();
    emitExpression(tp);
    fputs(";\n", out_);
    return true;
  }
1027 
  // Emit a single statement. Returns true if statements may follow.
  bool emitStatement() {
    // Draw from [1,16]; kinds 12..16 all map to an assignment, so
    // assignments are favored over every other statement kind.
    const uint32_t kind = random1(16);
    switch (kind) {
      case 1:  return emitReturn(false);
      case 2:  return emitContinue();
      case 3:  return emitBreak();
      case 4:  return emitScope();
      case 5:  return emitArrayInit();
      case 6:  return emitForLoop();
      case 7:  return emitDoLoop();
      case 8:  return emitIfStmt();
      case 9:  return emitSwitch();
      case 10: return emitTryCatchFinally();
      case 11: return emitNopCall();
      default: return emitAssignment();
    }
  }
1045 
  // Emit a statement list. Returns true if statements may follow.
  bool emitStatementList() {
    // Absolute cap on the statement counter, so that a generous -l setting
    // cannot make generation run away.
    constexpr uint32_t kMaxStatements = 1000;
    for (;;) {
      if (stmt_length_ >= kMaxStatements) {
        return true;
      }
      ++stmt_length_;
      emitIndentation();
      const bool mayFollow = emitStatement();
      if (!mayFollow) {
        return false;  // anything after this would be dead code
      }
      // Continuing becomes less likely as the total statement count grows.
      if (random1(stmt_length_) > fuzz_stmt_length_) {
        return true;
      }
    }
  }
1061 
  // Emit interface and class declarations: interface X, class A, class B
  // (extends A, implements X) and static class C (implements X). Methods of
  // A and B return random expressions, methods of C return random literals.
  void emitClassDecls() {
    // in_inner_ is consulted by code outside this method (not visible here);
    // the set/reset pair brackets every expression emitted below.
    in_inner_ = true;

    // Emits "<header><prefix><value>;\n    }\n" where the value is either a
    // random int literal or a random int expression.
    auto emitIntMethod = [this](const char* header, const char* prefix, bool literalOnly) {
      fputs(header, out_);
      fputs(prefix, out_);
      if (literalOnly) {
        emitLiteral(kInt);
      } else {
        emitExpression(kInt);
      }
      fputs(";\n    }\n", out_);
    };

    fputs("  private interface X {\n", out_);
    fputs("    int x();\n", out_);
    fputs("  }\n\n", out_);

    fputs("  private class A {\n", out_);
    emitIntMethod("    public int a() {\n", "      return ", false);
    fputs("  }\n\n", out_);

    fputs("  private class B extends A implements X {\n", out_);
    emitIntMethod("    public int a() {\n", "      return super.a() + ", false);
    emitIntMethod("    public int x() {\n", "      return ", false);
    fputs("  }\n\n", out_);

    fputs("  private static class C implements X {\n", out_);
    emitIntMethod("    public static int s() {\n", "      return ", true);
    emitIntMethod("    public int c() {\n", "      return ", true);
    emitIntMethod("    public int x() {\n", "      return ", true);
    fputs("  }\n\n", out_);

    in_inner_ = false;
  }
1100 
  // Emit field declarations: one instance of each generated class (through
  // both its own type and interface X) plus one scalar field per primitive
  // type, all zero/false initialized.
  void emitFieldDecls() {
    static constexpr const char* kFieldLines[] = {
      "  private A mA  = new B();\n",
      "  private B mB  = new B();\n",
      "  private X mBX = new B();\n",
      "  private C mC  = new C();\n",
      "  private X mCX = new C();\n\n",
      "  private boolean mZ = false;\n",
      "  private int     mI = 0;\n",
      "  private long    mJ = 0;\n",
      "  private float   mF = 0;\n",
      "  private double  mD = 0;\n\n",
    };
    for (const char* line : kFieldLines) {
      fputs(line, out_);
    }
  }
1114 
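  // Emit array declaration: "private <T>[]..[] mArray = new <T>[size]..[size];"
  // with one bracket pair per dimension.
  void emitArrayDecl() {
    // Emits "[]" (declaration) or "[size]" (allocation) once per dimension.
    auto emitDims = [this](bool withSize) {
      for (uint32_t dim = 0; dim < array_dim_; ++dim) {
        if (withSize) {
          // array_size_ is uint32_t, so use %u (as emitTestConstructor does)
          // rather than %d.
          fprintf(out_, "[%u]", array_size_);
        } else {
          fputs("[]", out_);
        }
      }
    };

    fputs("  private ", out_);
    emitType(array_type_);
    emitDims(false);
    fputs(" mArray = new ", out_);
    emitType(array_type_);
    emitDims(true);
    fputs(";\n\n", out_);
  }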
1129 
  // Emit test constructor: fills every element of mArray with a running
  // value of the array element type using one nested loop per dimension.
  void emitTestConstructor() {
    fputs("  private Test() {\n", out_);
    indentation_ += 2;

    // Running value "a" of the element type, seeded with a random literal.
    emitIndentation();
    emitType(array_type_);
    fputs(" a = ", out_);
    emitLiteral(array_type_);
    fputs(";\n", out_);

    // One counting loop per dimension: for (int i<d> = 0; i<d> < size; i<d>++).
    for (uint32_t dim = 0; dim < array_dim_; ++dim) {
      emitIndentation();
      fprintf(out_, "for (int i%u = 0; i%u < %u; i%u++) {\n", dim, dim, array_size_, dim);
      indentation_ += 2;
    }

    // Innermost body: store the running value, then advance it.
    emitIndentation();
    fputs("mArray", out_);
    for (uint32_t dim = 0; dim < array_dim_; ++dim) {
      fprintf(out_, "[i%u]", dim);
    }
    fputs(" = a;\n", out_);
    emitIndentation();
    const char* advance = (array_type_ == kBoolean) ? "a = !a;\n" : "a++;\n";
    fputs(advance, out_);

    // Close the loops, innermost first.
    for (uint32_t dim = 0; dim < array_dim_; ++dim) {
      indentation_ -= 2;
      emitIndentation();
      fputs("}\n", out_);
    }

    indentation_ -= 2;
    fputs("  }\n\n", out_);
  }
1164 
  // Emit test method: "private <return_type_> testMethod() { ... }" whose
  // body is a random statement list.
  void emitTestMethod() {
    fputs("  private ", out_);
    emitType(return_type_);
    fputs(" testMethod() {\n", out_);

    indentation_ += 2;
    const bool endReachable = emitStatementList();
    if (endReachable) {
      // Control can fall off the end of the body, so Java requires a return.
      emitIndentation();
      emitReturn(true);
    }
    indentation_ -= 2;

    fputs("  }\n\n", out_);
  }
1179 
  // Emit main method driver: runs testMethod() once and prints the result
  // and all fields so that two executions of the same program can be diffed.
  void emitMainMethod() {
    fputs("  public static void main(String[] args) {\n", out_);
    indentation_ += 2;

    // Test object plus a result variable of the return type.
    fputs("    Test t = new Test();\n    ", out_);
    emitType(return_type_);
    fputs(" r = ", out_);
    emitLiteral(return_type_);
    fputs(";\n", out_);

    // Any exception thrown by the test method is reported rather than
    // propagated, so the state dump below is always printed.
    static constexpr const char* kDriverLines[] = {
      "    try {\n",
      "      r = t.testMethod();\n",
      "    } catch (Exception e) {\n",
      "      // Arithmetic, null pointer, index out of bounds, etc.\n",
      "      System.out.println(\"An exception was caught.\");\n",
      "    }\n",
      "    System.out.println(\"r  = \" + r);\n",
      "    System.out.println(\"mZ = \" + t.mZ);\n",
      "    System.out.println(\"mI = \" + t.mI);\n",
      "    System.out.println(\"mJ = \" + t.mJ);\n",
      "    System.out.println(\"mF = \" + t.mF);\n",
      "    System.out.println(\"mD = \" + t.mD);\n",
      "    System.out.println(\"mArray = \" + ",
    };
    for (const char* line : kDriverLines) {
      fputs(line, out_);
    }

    // Arrays.toString formats a single level only; nested arrays need deepToString.
    const char* formatter = (array_dim_ == 1) ? "Arrays.toString(t.mArray)"
                                              : "Arrays.deepToString(t.mArray)";
    fputs(formatter, out_);
    fputs(");\n", out_);

    indentation_ -= 2;
    fputs("  }\n", out_);
  }
1211 
  // Emit a static void method with an empty body; emitNopCall() emits calls to it.
  void emitStaticNopMethod() {
    static constexpr char kNopMethod[] = "  public static void nop() {}\n\n";
    fputs(kNopMethod, out_);
  }
1216 
  // Emit program header. The command line options are recorded in the
  // comment so that a generated program can be regenerated from its header.
  // NOTE(review): the try-nest setting (fuzz_try_nest_) is not part of the
  // recorded command line, so a run started with -t is not fully reproducible
  // from the header alone.
  void emitHeader() {
    fputs("\n/**\n * AOSP JFuzz Tester.\n"
          " * Automatically generated program.\n", out_);
    fprintf(out_,
            " * jfuzz -s %u -d %u -l %u -i %u -n %u (version %s)\n */\n\n",
            fuzz_seed_, fuzz_expr_depth_, fuzz_stmt_length_,
            fuzz_if_nest_, fuzz_loop_nest_, VERSION);
    fputs("import java.util.Arrays;\n\n", out_);  // needed by the main driver
  }
1231 
  // Emit single test class with main driver. The member order below is the
  // order in which they appear in the generated source.
  void emitTestClassWithMain() {
    fputs("public class Test {\n\n", out_);
    indentation_ += 2;

    emitClassDecls();        // inner interface/classes
    emitFieldDecls();        // object and scalar fields
    emitArrayDecl();         // mArray
    emitTestConstructor();   // fills mArray
    emitTestMethod();        // the fuzzed method under test
    emitStaticNopMethod();   // nop() target for emitNopCall()
    emitMainMethod();        // driver that runs and prints everything

    indentation_ -= 2;
    fputs("}\n\n", out_);
  }
1246 
1247   //
1248   // Random integers.
1249   //
1250 
  // Return random integer: the next raw 32-bit engine output, reinterpreted
  // as signed. The conversion of values above INT32_MAX to int32_t is
  // implementation-defined before C++20 (two's-complement wrap in practice).
  int32_t random() {
    const uint32_t raw = fuzz_random_engine_();
    return static_cast<int32_t>(raw);
  }
1255 
  // Return random integer in range [0,max). Requires max > 0: for max == 0
  // the upper bound wraps to UINT32_MAX and the call yields an arbitrary
  // 32-bit value rather than failing. The standard does not fix the
  // algorithm of uniform_int_distribution, so the same seed reproduces the
  // same program only within one standard-library implementation.
  uint32_t random0(uint32_t max) {
    using Dist = std::uniform_int_distribution<uint32_t>;
    Dist draw(0, max - 1);
    return draw(fuzz_random_engine_);
  }
1261 
  // Return random integer in range [1,max]. Requires max >= 1. As with
  // random0(), the draw depends on the standard library's distribution
  // algorithm, not only on the seed.
  uint32_t random1(uint32_t max) {
    using Dist = std::uniform_int_distribution<uint32_t>;
    Dist draw(1, max);
    return draw(fuzz_random_engine_);
  }
1267 
  // Fuzzing parameters (fixed for the lifetime of the generator).
  FILE* out_;                        // destination of the generated Java source
  std::mt19937 fuzz_random_engine_;  // engine behind random(), random0() and random1()
  const uint32_t fuzz_seed_;         // recorded in the program header for reproduction
  const uint32_t fuzz_expr_depth_;
  const uint32_t fuzz_stmt_length_;  // statement lists grow less likely beyond this
  const uint32_t fuzz_if_nest_;      // if/switch nesting grows less likely beyond this
  const uint32_t fuzz_loop_nest_;
  const uint32_t fuzz_try_nest_;     // hard cap on try-catch-finally nesting; not in the header

  // Return and array setup.
  const Type return_type_;     // type of testMethod() and of r in main()
  const Type array_type_;      // element type of mArray
  const uint32_t array_dim_;   // number of dimensions of mArray
  const uint32_t array_size_;  // extent of every dimension of mArray

  // Current context. Mutated while emitting; each emitXxx() restores the
  // counters it changes before returning.
  uint32_t indentation_;   // presumably the spaces written by emitIndentation()
  uint32_t expr_depth_;
  uint32_t stmt_length_;   // statements emitted so far; capped at 1000 in emitStatementList()
  uint32_t if_nest_;       // depth of enclosing if and switch statements
  uint32_t loop_nest_;
  uint32_t switch_nest_;   // depth of enclosing switch statements
  uint32_t do_nest_;
  uint32_t try_nest_;      // depth of enclosing try-catch-finally; also names catch variables
  uint32_t boolean_local_;
  uint32_t int_local_;
  uint32_t long_local_;
  uint32_t float_local_;
  uint32_t double_local_;
  bool in_inner_;          // true while emitClassDecls() emits the inner classes
1299 };
1300 
1301 }  // anonymous namespace
1302 
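// Entry point: parses the fuzzing parameters from the command line and
// writes one generated Java program to stdout.
// Returns 0 on success (or after -v), 1 when the usage text was printed.
int32_t main(int32_t argc, char** argv) {
  // Time-based seed (truncated to 32 bits); overridden by -s for
  // reproducible runs.
  struct timeval tp;
  gettimeofday(&tp, nullptr);

  // Defaults.
  uint32_t seed = (tp.tv_sec * 1000000 + tp.tv_usec);
  uint32_t expr_depth = 1;
  uint32_t stmt_length = 8;
  uint32_t if_nest = 2;
  uint32_t loop_nest = 3;
  uint32_t try_nest = 2;

  // Parse options. Every option handled in the switch (and advertised in
  // the usage text) must also appear in the getopt string; "t:" was
  // missing, so "-t try-nest" was reported as unknown and ended in the
  // usage branch instead of setting try_nest.
  for (;;) {
    const int32_t option = getopt(argc, argv, "s:d:l:i:n:t:vh");
    if (option < 0) {
      break;  // done
    }
    switch (option) {
      case 's':
        seed = strtoul(optarg, nullptr, 0);  // deterministic seed
        break;
      case 'd':
        expr_depth = strtoul(optarg, nullptr, 0);
        break;
      case 'l':
        stmt_length = strtoul(optarg, nullptr, 0);
        break;
      case 'i':
        if_nest = strtoul(optarg, nullptr, 0);
        break;
      case 'n':
        loop_nest = strtoul(optarg, nullptr, 0);
        break;
      case 't':
        try_nest = strtoul(optarg, nullptr, 0);
        break;
      case 'v':
        fprintf(stderr, "jfuzz version %s\n", VERSION);
        return 0;
      case 'h':
      default:
        fprintf(stderr,
                "usage: %s [-s seed] "
                "[-d expr-depth] [-l stmt-length] "
                "[-i if-nest] [-n loop-nest] [-t try-nest] [-v] [-h]\n",
                argv[0]);
        return 1;
    }
  }

  // Seed global random generator.
  srand(seed);

  // Generate fuzzed program.
  JFuzz fuzz(stdout, seed, expr_depth, stmt_length, if_nest, loop_nest, try_nest);
  fuzz.emitProgram();
  return 0;
}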
1363