| load("@fmeum_rules_jni//jni:defs.bzl", "java_jni_library") |
| load("//bazel:compat.bzl", "SKIP_ON_MACOS", "SKIP_ON_WINDOWS") |
| load("//bazel:fuzz_target.bzl", "java_fuzz_target_test") |
| |
| java_fuzz_target_test( |
| name = "LongStringFuzzer", |
| srcs = [ |
| "src/test/java/com/example/LongStringFuzzer.java", |
| ], |
| data = ["src/test/java/com/example/LongStringFuzzerInput"], |
| expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], |
| fuzzer_args = [ |
| "$(rootpath src/test/java/com/example/LongStringFuzzerInput)", |
| ], |
| target_class = "com.example.LongStringFuzzer", |
| verify_crash_input = False, |
| ) |
| |
| java_fuzz_target_test( |
| name = "JpegImageParserAutofuzz", |
| expected_findings = ["java.lang.NegativeArraySizeException"], |
| fuzzer_args = [ |
| "--autofuzz=org.apache.commons.imaging.formats.jpeg.JpegImageParser::getBufferedImage", |
| # Exit after the first finding for testing purposes. |
| "--keep_going=1", |
| "--autofuzz_ignore=java.lang.NullPointerException", |
| ], |
| runtime_deps = [ |
| "@maven//:org_apache_commons_commons_imaging", |
| ], |
| ) |
| |
| java_fuzz_target_test( |
| name = "HookDependenciesFuzzer", |
| srcs = ["src/test/java/com/example/HookDependenciesFuzzer.java"], |
| env = {"JAVA_OPTS": "-Xverify:all"}, |
| hook_classes = ["com.example.HookDependenciesFuzzer"], |
| target_class = "com.example.HookDependenciesFuzzer", |
| ) |
| |
| java_fuzz_target_test( |
| name = "AutofuzzWithoutCoverage", |
| expected_findings = ["java.lang.NullPointerException"], |
| fuzzer_args = [ |
| # Autofuzz a method that triggers no coverage instrumentation (the Java standard library is |
| # excluded by default). |
| "--autofuzz=java.util.regex.Pattern::compile", |
| "--keep_going=1", |
| ], |
| ) |
| |
| java_fuzz_target_test( |
| name = "AutofuzzHookDependencies", |
| # The reproducer does not include the hook on OOM and thus throws a regular error. |
| expected_findings = ["java.lang.OutOfMemoryError"], |
| fuzzer_args = [ |
| "--instrumentation_includes=java.util.regex.**", |
| "--autofuzz=java.util.regex.Pattern::compile", |
| "--autofuzz_ignore=java.lang.Exception", |
| "--keep_going=1", |
| ], |
| # FIXME(fabian): Regularly times out on Windows with 0 exec/s for minutes. |
| target_compatible_with = SKIP_ON_WINDOWS, |
| ) |
| |
| java_fuzz_target_test( |
| name = "ForkModeFuzzer", |
| size = "enormous", |
| srcs = [ |
| "src/test/java/com/example/ForkModeFuzzer.java", |
| ], |
| env = { |
| "JAVA_OPTS": "-Dfoo=not_foo -Djava_opts=1", |
| }, |
| expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], |
| fuzzer_args = [ |
| "-fork=2", |
| "--additional_jvm_args=-Dbaz=baz", |
| ] + select({ |
| # \\\\ becomes \\ when evaluated as a Starlark string literal, then \ in |
| # java_fuzz_target_test. |
| "@platforms//os:windows": ["--jvm_args=-Dfoo=foo;-Dbar=b\\\\;ar"], |
| "//conditions:default": ["--jvm_args=-Dfoo=foo:-Dbar=b\\\\:ar"], |
| }), |
| # Consumes more resources than can be expressed via the size attribute. |
| tags = ["exclusive-if-local"], |
| target_class = "com.example.ForkModeFuzzer", |
| # The exit codes of the forked libFuzzer processes are not picked up correctly. |
| target_compatible_with = SKIP_ON_MACOS, |
| ) |
| |
| java_fuzz_target_test( |
| name = "CoverageFuzzer", |
| srcs = [ |
| "src/test/java/com/example/CoverageFuzzer.java", |
| ], |
| env = { |
| "COVERAGE_REPORT_FILE": "coverage.txt", |
| "COVERAGE_DUMP_FILE": "coverage.exec", |
| }, |
| fuzzer_args = [ |
| "-use_value_profile=1", |
| "--coverage_report=coverage.txt", |
| "--coverage_dump=coverage.exec", |
| "--instrumentation_includes=com.example.**", |
| ], |
| target_class = "com.example.CoverageFuzzer", |
| verify_crash_input = False, |
| verify_crash_reproducer = False, |
| deps = [ |
| "@jazzer_jacoco//:jacoco_internal", |
| ], |
| ) |
| |
| java_library( |
| name = "autofuzz_inner_class_target", |
| srcs = ["src/test/java/com/example/AutofuzzInnerClassTarget.java"], |
| deps = [ |
| "//agent:jazzer_api_compile_only", |
| ], |
| ) |
| |
| java_fuzz_target_test( |
| name = "AutofuzzInnerClassFuzzer", |
| expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], |
| fuzzer_args = [ |
| "--autofuzz=com.example.AutofuzzInnerClassTarget.Middle.Inner::test", |
| "--keep_going=1", |
| ], |
| runtime_deps = [ |
| ":autofuzz_inner_class_target", |
| ], |
| ) |
| |
| # Regression test for https://github.com/CodeIntelligenceTesting/jazzer/issues/405. |
| java_fuzz_target_test( |
| name = "MemoryLeakFuzzer", |
| timeout = "short", |
| srcs = ["src/test/java/com/example/MemoryLeakFuzzer.java"], |
| env = { |
| "JAVA_OPTS": "-Xmx800m", |
| }, |
| expect_crash = False, |
| fuzzer_args = [ |
| # Before the bug was fixed, either the GC overhead limit or the overall heap limit was |
| # reached by this target in this number of runs. |
| "-runs=1000000", |
| # Skip over the first and only exception to keep the fuzzer running until it hits the runs |
| # limit. |
| "--keep_going=2", |
| ], |
| target_class = "com.example.MemoryLeakFuzzer", |
| ) |
| |
| JAZZER_API_TEST_CASES = { |
| "default": [], |
| "nohooks": ["--nohooks"], |
| } |
| |
| [ |
| java_fuzz_target_test( |
| name = "JazzerApiFuzzer_" + case, |
| srcs = ["src/test/java/com/example/JazzerApiFuzzer.java"], |
| expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], |
| fuzzer_args = args, |
| target_class = "com.example.JazzerApiFuzzer", |
| ) |
| for case, args in JAZZER_API_TEST_CASES.items() |
| ] |
| |
| java_fuzz_target_test( |
| name = "DisabledHooksFuzzer", |
| timeout = "short", |
| srcs = ["src/test/java/com/example/DisabledHooksFuzzer.java"], |
| expect_crash = False, |
| fuzzer_args = [ |
| "-runs=0", |
| "--custom_hooks=com.example.DisabledHook", |
| ] + select({ |
| "@platforms//os:windows": ["--disabled_hooks=com.example.DisabledHook;com.code_intelligence.jazzer.sanitizers.RegexInjection"], |
| "//conditions:default": ["--disabled_hooks=com.example.DisabledHook:com.code_intelligence.jazzer.sanitizers.RegexInjection"], |
| }), |
| target_class = "com.example.DisabledHooksFuzzer", |
| ) |
| |
| java_fuzz_target_test( |
| name = "BytesMemoryLeakFuzzer", |
| timeout = "short", |
| srcs = ["src/test/java/com/example/BytesMemoryLeakFuzzer.java"], |
| env = { |
| "JAVA_OPTS": "-Xmx200m", |
| }, |
| expect_crash = False, |
| fuzzer_args = [ |
| # Before the bug was fixed, either the GC overhead limit or the overall heap limit was |
| # reached by this target in this number of runs. |
| "-runs=10000000", |
| ], |
| target_class = "com.example.BytesMemoryLeakFuzzer", |
| ) |
| |
| # Verifies that Jazzer continues fuzzing when the first two executions did not result in any |
| # coverage feedback. |
| java_fuzz_target_test( |
| name = "NoCoverageFuzzer", |
| timeout = "short", |
| srcs = ["src/test/java/com/example/NoCoverageFuzzer.java"], |
| expect_crash = False, |
| fuzzer_args = [ |
| "-runs=10", |
| "--instrumentation_excludes=**", |
| ], |
| target_class = "com.example.NoCoverageFuzzer", |
| ) |
| |
| java_fuzz_target_test( |
| name = "SeedFuzzer", |
| timeout = "short", |
| srcs = ["src/test/java/com/example/SeedFuzzer.java"], |
| expect_crash = False, |
| fuzzer_args = [ |
| "-runs=0", |
| "-seed=1234567", |
| ], |
| target_class = "com.example.SeedFuzzer", |
| ) |
| |
| java_fuzz_target_test( |
| name = "NoSeedFuzzer", |
| timeout = "short", |
| srcs = ["src/test/java/com/example/NoSeedFuzzer.java"], |
| env = { |
| "JAZZER_NO_EXPLICIT_SEED": "1", |
| }, |
| expect_crash = False, |
| fuzzer_args = [ |
| "-runs=0", |
| ], |
| target_class = "com.example.NoSeedFuzzer", |
| ) |
| |
| java_jni_library( |
| name = "native_value_profile_fuzzer", |
| srcs = ["src/test/java/com/example/NativeValueProfileFuzzer.java"], |
| native_libs = ["//tests/src/test/native/com/example:native_value_profile_fuzzer"], |
| visibility = ["//tests/src/test/native/com/example:__pkg__"], |
| deps = ["//agent:jazzer_api_compile_only"], |
| ) |
| |
| java_fuzz_target_test( |
| name = "NativeValueProfileFuzzer", |
| expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], |
| fuzzer_args = ["-use_value_profile=1"], |
| sanitizer = "address", |
| target_class = "com.example.NativeValueProfileFuzzer", |
| target_compatible_with = SKIP_ON_WINDOWS, |
| verify_crash_reproducer = False, |
| runtime_deps = [":native_value_profile_fuzzer"], |
| ) |