1*795d594fSAndroid Build Coastguard Worker /*
2*795d594fSAndroid Build Coastguard Worker * Copyright (C) 2024 The Android Open Source Project
3*795d594fSAndroid Build Coastguard Worker *
4*795d594fSAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License");
5*795d594fSAndroid Build Coastguard Worker * you may not use this file except in compliance with the License.
6*795d594fSAndroid Build Coastguard Worker * You may obtain a copy of the License at
7*795d594fSAndroid Build Coastguard Worker *
8*795d594fSAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0
9*795d594fSAndroid Build Coastguard Worker *
10*795d594fSAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software
11*795d594fSAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS,
12*795d594fSAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*795d594fSAndroid Build Coastguard Worker * See the License for the specific language governing permissions and
14*795d594fSAndroid Build Coastguard Worker * limitations under the License.
15*795d594fSAndroid Build Coastguard Worker */
16*795d594fSAndroid Build Coastguard Worker
17*795d594fSAndroid Build Coastguard Worker #include <iostream>
18*795d594fSAndroid Build Coastguard Worker
19*795d594fSAndroid Build Coastguard Worker #include "android-base/file.h"
20*795d594fSAndroid Build Coastguard Worker #include "android-base/strings.h"
21*795d594fSAndroid Build Coastguard Worker #include "base/file_utils.h"
22*795d594fSAndroid Build Coastguard Worker #include "base/mem_map.h"
23*795d594fSAndroid Build Coastguard Worker #include "dex/class_accessor-inl.h"
24*795d594fSAndroid Build Coastguard Worker #include "dex/dex_file_verifier.h"
25*795d594fSAndroid Build Coastguard Worker #include "dex/standard_dex_file.h"
26*795d594fSAndroid Build Coastguard Worker #include "handle_scope-inl.h"
27*795d594fSAndroid Build Coastguard Worker #include "interpreter/unstarted_runtime.h"
28*795d594fSAndroid Build Coastguard Worker #include "jni/java_vm_ext.h"
29*795d594fSAndroid Build Coastguard Worker #include "noop_compiler_callbacks.h"
30*795d594fSAndroid Build Coastguard Worker #include "runtime.h"
31*795d594fSAndroid Build Coastguard Worker #include "scoped_thread_state_change-inl.h"
32*795d594fSAndroid Build Coastguard Worker #include "verifier/class_verifier.h"
33*795d594fSAndroid Build Coastguard Worker #include "well_known_classes.h"
34*795d594fSAndroid Build Coastguard Worker
35*795d594fSAndroid Build Coastguard Worker // Global variable to count how many DEX files passed DEX file verification and they were
36*795d594fSAndroid Build Coastguard Worker // registered, since these are the cases for which we would be running the GC. In case of
37*795d594fSAndroid Build Coastguard Worker // scheduling multiple fuzzer jobs, using the ‘-jobs’ flag, this is not shared among the threads.
38*795d594fSAndroid Build Coastguard Worker int skipped_gc_iterations = 0;
39*795d594fSAndroid Build Coastguard Worker // Global variable to call the GC once every maximum number of iterations.
40*795d594fSAndroid Build Coastguard Worker // TODO: These values were obtained from local experimenting. They can be changed after
41*795d594fSAndroid Build Coastguard Worker // further investigation.
42*795d594fSAndroid Build Coastguard Worker static constexpr int kMaxSkipGCIterations = 100;
43*795d594fSAndroid Build Coastguard Worker // Global variable to signal LSAN that we are not leaking memory.
44*795d594fSAndroid Build Coastguard Worker uint8_t* allocated_signal_stack = nullptr;
45*795d594fSAndroid Build Coastguard Worker
46*795d594fSAndroid Build Coastguard Worker namespace art {
47*795d594fSAndroid Build Coastguard Worker // A class to be friends with ClassLinker and access the internal FindDexCacheDataLocked method.
48*795d594fSAndroid Build Coastguard Worker class VerifyClassesFuzzerHelper {
49*795d594fSAndroid Build Coastguard Worker public:
GetDexCacheData(Runtime * runtime,const DexFile * dex_file)50*795d594fSAndroid Build Coastguard Worker static const ClassLinker::DexCacheData* GetDexCacheData(Runtime* runtime, const DexFile* dex_file)
51*795d594fSAndroid Build Coastguard Worker REQUIRES_SHARED(Locks::mutator_lock_) {
52*795d594fSAndroid Build Coastguard Worker Thread* self = Thread::Current();
53*795d594fSAndroid Build Coastguard Worker ReaderMutexLock mu(self, *Locks::dex_lock_);
54*795d594fSAndroid Build Coastguard Worker ClassLinker* class_linker = runtime->GetClassLinker();
55*795d594fSAndroid Build Coastguard Worker const ClassLinker::DexCacheData* cached_data = class_linker->FindDexCacheDataLocked(*dex_file);
56*795d594fSAndroid Build Coastguard Worker return cached_data;
57*795d594fSAndroid Build Coastguard Worker }
58*795d594fSAndroid Build Coastguard Worker };
59*795d594fSAndroid Build Coastguard Worker } // namespace art
60*795d594fSAndroid Build Coastguard Worker
GetDexFileName(const std::string & jar_name)61*795d594fSAndroid Build Coastguard Worker std::string GetDexFileName(const std::string& jar_name) {
62*795d594fSAndroid Build Coastguard Worker // The jar files are located in the data directory within the directory of the fuzzer's binary.
63*795d594fSAndroid Build Coastguard Worker std::string executable_dir = android::base::GetExecutableDirectory();
64*795d594fSAndroid Build Coastguard Worker
65*795d594fSAndroid Build Coastguard Worker std::string result =
66*795d594fSAndroid Build Coastguard Worker android::base::StringPrintf("%s/data/%s.jar", executable_dir.c_str(), jar_name.c_str());
67*795d594fSAndroid Build Coastguard Worker
68*795d594fSAndroid Build Coastguard Worker return result;
69*795d594fSAndroid Build Coastguard Worker }
70*795d594fSAndroid Build Coastguard Worker
GetLibCoreDexFileNames()71*795d594fSAndroid Build Coastguard Worker std::vector<std::string> GetLibCoreDexFileNames() {
72*795d594fSAndroid Build Coastguard Worker std::vector<std::string> result;
73*795d594fSAndroid Build Coastguard Worker const std::vector<std::string> modules = {
74*795d594fSAndroid Build Coastguard Worker "core-oj",
75*795d594fSAndroid Build Coastguard Worker "core-libart",
76*795d594fSAndroid Build Coastguard Worker "okhttp",
77*795d594fSAndroid Build Coastguard Worker "bouncycastle",
78*795d594fSAndroid Build Coastguard Worker "apache-xml",
79*795d594fSAndroid Build Coastguard Worker "core-icu4j",
80*795d594fSAndroid Build Coastguard Worker "conscrypt",
81*795d594fSAndroid Build Coastguard Worker };
82*795d594fSAndroid Build Coastguard Worker result.reserve(modules.size());
83*795d594fSAndroid Build Coastguard Worker for (const std::string& module : modules) {
84*795d594fSAndroid Build Coastguard Worker result.push_back(GetDexFileName(module));
85*795d594fSAndroid Build Coastguard Worker }
86*795d594fSAndroid Build Coastguard Worker return result;
87*795d594fSAndroid Build Coastguard Worker }
88*795d594fSAndroid Build Coastguard Worker
GetClassPathOption(const char * option,const std::vector<std::string> & class_path)89*795d594fSAndroid Build Coastguard Worker std::string GetClassPathOption(const char* option, const std::vector<std::string>& class_path) {
90*795d594fSAndroid Build Coastguard Worker return option + android::base::Join(class_path, ':');
91*795d594fSAndroid Build Coastguard Worker }
92*795d594fSAndroid Build Coastguard Worker
RegisterDexFileAndGetClassLoader(art::Runtime * runtime,art::StandardDexFile * dex_file)93*795d594fSAndroid Build Coastguard Worker jobject RegisterDexFileAndGetClassLoader(art::Runtime* runtime, art::StandardDexFile* dex_file)
94*795d594fSAndroid Build Coastguard Worker REQUIRES_SHARED(art::Locks::mutator_lock_) {
95*795d594fSAndroid Build Coastguard Worker art::Thread* self = art::Thread::Current();
96*795d594fSAndroid Build Coastguard Worker art::ClassLinker* class_linker = runtime->GetClassLinker();
97*795d594fSAndroid Build Coastguard Worker const std::vector<const art::DexFile*> dex_files = {dex_file};
98*795d594fSAndroid Build Coastguard Worker jobject class_loader = class_linker->CreatePathClassLoader(self, dex_files);
99*795d594fSAndroid Build Coastguard Worker art::ObjPtr<art::mirror::ClassLoader> cl = self->DecodeJObject(class_loader)->AsClassLoader();
100*795d594fSAndroid Build Coastguard Worker class_linker->RegisterDexFile(*dex_file, cl);
101*795d594fSAndroid Build Coastguard Worker return class_loader;
102*795d594fSAndroid Build Coastguard Worker }
103*795d594fSAndroid Build Coastguard Worker
LLVMFuzzerInitialize(int * argc,char *** argv)104*795d594fSAndroid Build Coastguard Worker extern "C" int LLVMFuzzerInitialize([[maybe_unused]] int* argc, [[maybe_unused]] char*** argv) {
105*795d594fSAndroid Build Coastguard Worker // Set logging to error and above to avoid warnings about unexpected checksums.
106*795d594fSAndroid Build Coastguard Worker android::base::SetMinimumLogSeverity(android::base::ERROR);
107*795d594fSAndroid Build Coastguard Worker
108*795d594fSAndroid Build Coastguard Worker // Create runtime.
109*795d594fSAndroid Build Coastguard Worker art::RuntimeOptions options;
110*795d594fSAndroid Build Coastguard Worker {
111*795d594fSAndroid Build Coastguard Worker static art::NoopCompilerCallbacks callbacks;
112*795d594fSAndroid Build Coastguard Worker options.push_back(std::make_pair("compilercallbacks", &callbacks));
113*795d594fSAndroid Build Coastguard Worker }
114*795d594fSAndroid Build Coastguard Worker
115*795d594fSAndroid Build Coastguard Worker std::string boot_class_path_string =
116*795d594fSAndroid Build Coastguard Worker GetClassPathOption("-Xbootclasspath:", GetLibCoreDexFileNames());
117*795d594fSAndroid Build Coastguard Worker options.push_back(std::make_pair(boot_class_path_string, nullptr));
118*795d594fSAndroid Build Coastguard Worker
119*795d594fSAndroid Build Coastguard Worker // Instruction set.
120*795d594fSAndroid Build Coastguard Worker options.push_back(
121*795d594fSAndroid Build Coastguard Worker std::make_pair("imageinstructionset",
122*795d594fSAndroid Build Coastguard Worker reinterpret_cast<const void*>(GetInstructionSetString(art::kRuntimeISA))));
123*795d594fSAndroid Build Coastguard Worker
124*795d594fSAndroid Build Coastguard Worker // No need for sig chain.
125*795d594fSAndroid Build Coastguard Worker options.push_back(std::make_pair("-Xno-sig-chain", nullptr));
126*795d594fSAndroid Build Coastguard Worker
127*795d594fSAndroid Build Coastguard Worker if (!art::Runtime::Create(options, false)) {
128*795d594fSAndroid Build Coastguard Worker LOG(FATAL) << "We should always be able to create the runtime";
129*795d594fSAndroid Build Coastguard Worker UNREACHABLE();
130*795d594fSAndroid Build Coastguard Worker }
131*795d594fSAndroid Build Coastguard Worker
132*795d594fSAndroid Build Coastguard Worker // Need well-known-classes.
133*795d594fSAndroid Build Coastguard Worker art::WellKnownClasses::Init(art::Thread::Current()->GetJniEnv());
134*795d594fSAndroid Build Coastguard Worker // Need a class loader. Fake that we're a compiler.
135*795d594fSAndroid Build Coastguard Worker // Note: this will run initializers through the unstarted runtime, so make sure it's
136*795d594fSAndroid Build Coastguard Worker // initialized.
137*795d594fSAndroid Build Coastguard Worker art::interpreter::UnstartedRuntime::Initialize();
138*795d594fSAndroid Build Coastguard Worker
139*795d594fSAndroid Build Coastguard Worker art::Thread::Current()->TransitionFromRunnableToSuspended(art::ThreadState::kNative);
140*795d594fSAndroid Build Coastguard Worker
141*795d594fSAndroid Build Coastguard Worker // Query the current stack and add it to the global variable. Otherwise LSAN complains about a
142*795d594fSAndroid Build Coastguard Worker // non-existing leak.
143*795d594fSAndroid Build Coastguard Worker stack_t ss;
144*795d594fSAndroid Build Coastguard Worker if (sigaltstack(nullptr, &ss) == -1) {
145*795d594fSAndroid Build Coastguard Worker PLOG(FATAL) << "sigaltstack failed";
146*795d594fSAndroid Build Coastguard Worker }
147*795d594fSAndroid Build Coastguard Worker allocated_signal_stack = reinterpret_cast<uint8_t*>(ss.ss_sp);
148*795d594fSAndroid Build Coastguard Worker
149*795d594fSAndroid Build Coastguard Worker return 0;
150*795d594fSAndroid Build Coastguard Worker }
151*795d594fSAndroid Build Coastguard Worker
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)152*795d594fSAndroid Build Coastguard Worker extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
153*795d594fSAndroid Build Coastguard Worker // Do not verify the checksum as we only care about the DEX file contents,
154*795d594fSAndroid Build Coastguard Worker // and know that the checksum would probably be erroneous (i.e. random).
155*795d594fSAndroid Build Coastguard Worker constexpr bool kVerify = false;
156*795d594fSAndroid Build Coastguard Worker
157*795d594fSAndroid Build Coastguard Worker auto container = std::make_shared<art::MemoryDexFileContainer>(data, size);
158*795d594fSAndroid Build Coastguard Worker art::StandardDexFile dex_file(data,
159*795d594fSAndroid Build Coastguard Worker /*location=*/"fuzz.dex",
160*795d594fSAndroid Build Coastguard Worker /*location_checksum=*/0,
161*795d594fSAndroid Build Coastguard Worker /*oat_dex_file=*/nullptr,
162*795d594fSAndroid Build Coastguard Worker container);
163*795d594fSAndroid Build Coastguard Worker std::string error_msg;
164*795d594fSAndroid Build Coastguard Worker const bool verify_result =
165*795d594fSAndroid Build Coastguard Worker art::dex::Verify(&dex_file, dex_file.GetLocation().c_str(), kVerify, &error_msg);
166*795d594fSAndroid Build Coastguard Worker
167*795d594fSAndroid Build Coastguard Worker if (!verify_result) {
168*795d594fSAndroid Build Coastguard Worker // DEX file couldn't be verified, don't save it in the corpus.
169*795d594fSAndroid Build Coastguard Worker return -1;
170*795d594fSAndroid Build Coastguard Worker }
171*795d594fSAndroid Build Coastguard Worker
172*795d594fSAndroid Build Coastguard Worker art::Runtime* runtime = art::Runtime::Current();
173*795d594fSAndroid Build Coastguard Worker CHECK(runtime != nullptr);
174*795d594fSAndroid Build Coastguard Worker
175*795d594fSAndroid Build Coastguard Worker art::ScopedObjectAccess soa(art::Thread::Current());
176*795d594fSAndroid Build Coastguard Worker art::ClassLinker* class_linker = runtime->GetClassLinker();
177*795d594fSAndroid Build Coastguard Worker jobject class_loader = RegisterDexFileAndGetClassLoader(runtime, &dex_file);
178*795d594fSAndroid Build Coastguard Worker
179*795d594fSAndroid Build Coastguard Worker // Scope for the handles
180*795d594fSAndroid Build Coastguard Worker {
181*795d594fSAndroid Build Coastguard Worker art::StackHandleScope<3> scope(soa.Self());
182*795d594fSAndroid Build Coastguard Worker art::Handle<art::mirror::ClassLoader> h_loader =
183*795d594fSAndroid Build Coastguard Worker scope.NewHandle(soa.Decode<art::mirror::ClassLoader>(class_loader));
184*795d594fSAndroid Build Coastguard Worker art::MutableHandle<art::mirror::Class> h_klass(scope.NewHandle<art::mirror::Class>(nullptr));
185*795d594fSAndroid Build Coastguard Worker art::MutableHandle<art::mirror::DexCache> h_dex_cache(
186*795d594fSAndroid Build Coastguard Worker scope.NewHandle<art::mirror::DexCache>(nullptr));
187*795d594fSAndroid Build Coastguard Worker
188*795d594fSAndroid Build Coastguard Worker for (art::ClassAccessor accessor : dex_file.GetClasses()) {
189*795d594fSAndroid Build Coastguard Worker h_klass.Assign(
190*795d594fSAndroid Build Coastguard Worker class_linker->FindClass(soa.Self(), dex_file, accessor.GetClassIdx(), h_loader));
191*795d594fSAndroid Build Coastguard Worker // Ignore classes that couldn't be loaded since we are looking for crashes during
192*795d594fSAndroid Build Coastguard Worker // class/method verification.
193*795d594fSAndroid Build Coastguard Worker if (h_klass == nullptr || h_klass->IsErroneous()) {
194*795d594fSAndroid Build Coastguard Worker soa.Self()->ClearException();
195*795d594fSAndroid Build Coastguard Worker continue;
196*795d594fSAndroid Build Coastguard Worker }
197*795d594fSAndroid Build Coastguard Worker h_dex_cache.Assign(h_klass->GetDexCache());
198*795d594fSAndroid Build Coastguard Worker art::verifier::ClassVerifier::VerifyClass(soa.Self(),
199*795d594fSAndroid Build Coastguard Worker /* verifier_deps= */ nullptr,
200*795d594fSAndroid Build Coastguard Worker h_dex_cache->GetDexFile(),
201*795d594fSAndroid Build Coastguard Worker h_klass,
202*795d594fSAndroid Build Coastguard Worker h_dex_cache,
203*795d594fSAndroid Build Coastguard Worker h_loader,
204*795d594fSAndroid Build Coastguard Worker *h_klass->GetClassDef(),
205*795d594fSAndroid Build Coastguard Worker runtime->GetCompilerCallbacks(),
206*795d594fSAndroid Build Coastguard Worker art::verifier::HardFailLogMode::kLogWarning,
207*795d594fSAndroid Build Coastguard Worker /* api_level= */ 0,
208*795d594fSAndroid Build Coastguard Worker &error_msg);
209*795d594fSAndroid Build Coastguard Worker }
210*795d594fSAndroid Build Coastguard Worker }
211*795d594fSAndroid Build Coastguard Worker
212*795d594fSAndroid Build Coastguard Worker skipped_gc_iterations++;
213*795d594fSAndroid Build Coastguard Worker
214*795d594fSAndroid Build Coastguard Worker // Delete weak root to the DexCache before removing a DEX file from the cache. This is usually
215*795d594fSAndroid Build Coastguard Worker // handled by the GC, but since we are not calling it every iteration, we need to delete them
216*795d594fSAndroid Build Coastguard Worker // manually.
217*795d594fSAndroid Build Coastguard Worker const art::ClassLinker::DexCacheData* dex_cache_data =
218*795d594fSAndroid Build Coastguard Worker art::VerifyClassesFuzzerHelper::GetDexCacheData(runtime, &dex_file);
219*795d594fSAndroid Build Coastguard Worker soa.Env()->GetVm()->DeleteWeakGlobalRef(soa.Self(), dex_cache_data->weak_root);
220*795d594fSAndroid Build Coastguard Worker
221*795d594fSAndroid Build Coastguard Worker class_linker->RemoveDexFromCaches(dex_file);
222*795d594fSAndroid Build Coastguard Worker
223*795d594fSAndroid Build Coastguard Worker // Delete global ref and unload class loader to free RAM.
224*795d594fSAndroid Build Coastguard Worker soa.Env()->GetVm()->DeleteGlobalRef(soa.Self(), class_loader);
225*795d594fSAndroid Build Coastguard Worker
226*795d594fSAndroid Build Coastguard Worker if (skipped_gc_iterations == kMaxSkipGCIterations) {
227*795d594fSAndroid Build Coastguard Worker runtime->GetHeap()->CollectGarbage(/* clear_soft_references */ true);
228*795d594fSAndroid Build Coastguard Worker skipped_gc_iterations = 0;
229*795d594fSAndroid Build Coastguard Worker }
230*795d594fSAndroid Build Coastguard Worker
231*795d594fSAndroid Build Coastguard Worker return 0;
232*795d594fSAndroid Build Coastguard Worker }
233