JOpFuzzer
This is the supplementary repository for the paper submission "Detecting JVM JIT Compiler Bugs via Exploring Two-Dimensional Input Spaces".
Confirmed Bugs
Since unconfirmed bugs cannot be shown in the Java Bug System (JBS), we only show the bugs that have been confirmed by developers. Also, since the reporter's information cannot be found in JBS, there are several screenshots of the confirmation emails sent by Oracle under the directory Confirmed.
Empirical Study
We provide the raw data and the results of our whole study. The raw data contains two parts: bug reports and bug-triggering test cases. We store the bug reports in Google Drive (JDK_data) and the bug-triggering test cases in the directory Bug_triggering_test_cases.
We use the tool in the directory Scripts to extract the results of the empirical study. Users should download JDK_data and Compiler_data and run process.py with the proper option.
Usage of JOpFuzzer
Using Docker Image
Users can pull the Docker image from Docker Hub. All the necessary evaluation environments have already been set up in it.
# docker pull hustcamel/jopfuzzer:latest
# docker import JOpFuzzer-docker.tar # This process may take a few minutes depending on the machine performance. When the process finishes, the image ID will show on the screen.
# docker run -it [image ID] /bin/bash
# cd root/JOpFuzzer-demo
Users can execute JOpFuzzer.jar directly with four arguments:
-jdkPath the jdk under test (e.g., /Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home)
-seedPath the seed for learning correlation (e.g., ./compiler, the regression test for compiler)
-testNumber the number of tests generated by JavaFuzzer (e.g., 1000)
-mutationRound the number of mutation rounds (e.g., 1000)
We provide two scripts (run-jdk11.sh, run-jdk17.sh) to help users reproduce the evaluation in the paper. Users can run these scripts directly. Note that the two following commands cannot be executed simultaneously: users must wait until one has finished before executing the other.
# bash run-jdk11.sh
# bash run-jdk17.sh
Building from Source Code
Step 1: Environment Setup
JOpFuzzer needs a debug build of the JVM, so users should download the JVM source code and set the debug flag. Here we take OpenJDK 11 as an example.
# git clone https://github.com/openjdk/jdk11u.git
# cd jdk11u
# bash configure --enable-debug
# make images
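Before fuzzing, it is worth confirming that the JDK under test really exposes the options named in the list at the end of this page. The script below is an added example, not part of JOpFuzzer: it assumes the `-XX:+PrintFlagsFinal` listing layout `type Name = value {kind} {origin}`, and the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of JOpFuzzer): check a JVM flag listing for options.

# Constructed sample in the -XX:+PrintFlagsFinal layout.
constructed_listing() {
cat <<'EOF'
[Global flags]
     bool DoEscapeAnalysis                         = true                                {C2 product} {default}
     bool Inline                                   = true                                   {product} {default}
     intx LoopUnrollLimit                          = 60                               {C2 pd product} {default}
     bool PrintEscapeAnalysis                      = false                            {C2 notproduct} {default}
     bool PrintInlining                            = false                               {diagnostic} {default}
EOF
}

# missing_flags FLAGS_FILE NAME...
# Prints every NAME that has no entry in FLAGS_FILE, one per line.
# The name is compared as a whole field, so "Inline" never matches "InlineSmallCode".
missing_flags() {
    flags_file=$1; shift
    for name in "$@"; do
        awk -v n="$name" '$2 == n && ($3 == "=" || $3 == ":=") { found = 1 }
                          END { exit !found }' "$flags_file" \
            || printf '%s\n' "$name"
    done
}

# flag_kind FLAGS_FILE NAME
# Prints the text inside the first {...} of NAME's entry, e.g. "C2 notproduct".
flag_kind() {
    awk -v n="$2" '$2 == n { if (match($0, /[{][^}]*[}]/))
                                 print substr($0, RSTART + 1, RLENGTH - 2); exit }' "$1"
}

# check_jdk JDK_PATH NAME...
# Dumps the flags of a real JDK and reports the names it does not know.
check_jdk() {
    jdk=$1; shift
    listing=$(mktemp) || return 1
    # Locked (diagnostic/experimental) options are listed only when unlocked.
    "$jdk/bin/java" -XX:+UnlockDiagnosticVMOptions -XX:+UnlockExperimentalVMOptions \
        -XX:+PrintFlagsFinal -version > "$listing" 2>/dev/null
    missing_flags "$listing" "$@"
    rm -f "$listing"
}

# With arguments, check a real JDK: sh check_flags.sh /path/to/jdk Inline PrintInlining
if [ "$#" -gt 1 ]; then check_jdk "$@"; fi
```

Options that exist only in debug builds are reported as missing when the script is pointed at a product build, which is a quick sign that `--enable-debug` was not in effect for the JDK passed as -jdkPath.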
If users want to collect JVM coverage information, they also have to set the coverage flag.
# git clone https://github.com/openjdk/jdk11u.git
# cd jdk11u
# bash configure --enable-debug --enable-native-coverage --disable-warnings-as-errors
# make images
Users can use Gcov and Lcov to collect the JVM coverage information.
# cd jdk11u
# lcov -c -i -d ./ -o init.info
... # execute JOpFuzzer
# lcov -c -d ./ -o cover.info
# lcov -a init.info -a cover.info -o total.info
# lcov -e total.info /absolute/path/to/target/jdk/src/hotspot/* -o hotspot.info
# lcov -l hotspot.info
Step 2: Run the Tool
JOpFuzzer is developed as a Maven project, so to configure and run it you can import it directly into your IntelliJ IDEA workspace as a Maven project. Execute MainEntry under src/main with the arguments set as shown below:
-jdkPath the jdk under test (e.g., /Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home)
-seedPath the seed for learning correlation (e.g., ./compiler, the regression test for compiler)
-testNumber the number of tests generated by JavaFuzzer (e.g., 1000)
-mutationRound the number of mutation rounds (e.g., 1000)
Note that we use spoon for Java source code structure analysis, but it has a dependency conflict with the relevant code in tbar, and the package name where the conflict occurs is the same in both. To avoid the conflict, pre-generate the adapted tbar as JavaMutator.jar.
List of Profile Data and Optimization Options
PrintInlining
AlwaysIncrementalInline
ArrayCopyLoadStoreMaxElem
ArrayOperationPartialInlineSize
C1InlineStackLimit
C1MaxInlineLevel
C1MaxInlineSize
C1MaxRecursiveInlineLevel
C1MaxTrivialSize
C1ProfileInlinedCalls
ClipInlining
DebugInlinedCalls
FreqInlineSize
IncrementalInline
IncrementalInlineForceCleanup
IncrementalInlineMH
IncrementalInlineVirtual
Inline
InlineAccessors
InlineArrayCopy
InlineClassNatives
InlineIntrinsics
InlineMathNatives
InlineMethodsWithExceptionHandlers
InlineNatives
InlineNIOCheckIndex
InlineObjectCopy
InlineObjectHash
InlineReflectionGetCallerClass
InlineSmallCode
InlineSynchronizedMethods
InlineThreadNatives
InlineUnsafeOps
InlineWarmCalls
LiveNodeCountInliningCutoff
MultiArrayExpandLimit
NestedInliningSizeRatio
NodeCountInliningCutoff
NodeCountInliningStep
PrintEliminateAutoBox
EliminateAutoBox
AggressiveUnboxing
AutoBoxCacheMax
PrintEliminateLocks
EliminateLocks
EliminateNestedLocks
PrintEliminateAllocations
EliminateAllocationArraySizeLimit
EliminateAllocationFieldsLimit
EliminateAllocations
PrintEscapeAnalysis
DoEscapeAnalysis
TraceOptimizeFill
OptimizeFill
PrintBlockElimination
EliminateBlocks
PrintCanonicalization
CanonicalizeNodes
PrintCEE
DoCEE
PrintNullCheckElimination
EliminateNullChecks
PrintValueNumbering
UseGlobalValueNumbering
UseLocalValueNumbering
PrintNullCheckElimination
PrintOptimizeStringConcat
TraceLoopOpts
AlignVector
BlockLayoutRotateLoops
LoopMaxUnroll
LoopOptsCount
LoopPercentProfileLimit
LoopStripMiningIter
LoopStripMiningIterShortLoop
LoopUnrollLimit
LoopUnrollMin
MaxLoopPad
NumberOfLoopInstrToAlign
TraceLoopPredicate
UseLoopPredicate
TraceLoopUnswitching
LoopUnswitching
TracePartialPeeling
PartialPeelLoop
PartialPeelNewPhiDelta
TraceSuperWord
UseSuperWord
TraceSuperWordLoopUnrollAnalysis
SuperWordLoopUnrollAnalysis
TraceRangeCheckElimination
RangeCheckElimination
PrintOptoPeephole
OptoPeephole
PrintDominators
DominatorSearchLimit
PrintOptimizePtrCompare
OptimizePtrCompare
PrintUnsafeOptimization
OptimizeUnsafes
PrintTieredEvents
TieredCompilation
PrintCFG
SplitIfBlocks