
Lines Matching +full:- +full:- +full:google +full:- +full:java +full:- +full:format +full:- +full:jar

1 <img src="https://www.code-intelligence.com/hubfs/Logos/CI%20Logos/Jazzer_einfach.png" height=150px…
5 …mg.shields.io/maven-central/v/com.code-intelligence/jazzer-api)](https://search.maven.org/search?q…
7 …oss-fuzz-build-logs.storage.googleapis.com/badges/java-example.svg)](https://bugs.chromium.org/p/o…
9 Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by [Code Intelligence…
10 …https://llvm.org/docs/LibFuzzer.html) and brings many of its instrumentation-powered mutation feat…
20 ## News: Jazzer available in OSS-Fuzz
22 …-intelligence.com) and Google have teamed up to bring support for Java, Kotlin, and other JVM-base…
24 …ore about Jazzer and OSS-Fuzz, [watch the FuzzCon 2020 talk](https://www.youtube.com/watch?v=SmH3Y…
33 docker run -v path/containing/the/application:/fuzzing cifuzz/jazzer <arguments>
45 * JDK 8 or later (e.g. [OpenJDK](https://openjdk.java.net/))
50 The instructions below will assume that this binary is called `bazel` - Bazelisk is a thin wrapper …
60 $ bazel run //:jazzer -- <arguments>
69 Target //:jazzer_release up-to-date:
70 bazel-bin/jazzer_release.tar.gz
78 …th the clang shipped with Xcode. If you encounter issues during the build, add `--config=toolchain`
79 right after `run` or `build` in the `bazelisk` commands above to use a checked-in toolchain that is…
85 See their README for instructions on how to use Jazzer in a Java Bazel project.
94 - `jazzer` - main binary
95 - `jazzer_agent_deploy.jar` - Java agent that performs bytecode instrumentation and tracks coverage…
96 - `jazzer_api_deploy.jar` - contains convenience methods for creating fuzz targets and defining cus…
98 The additional release artifact `examples_deploy.jar` contains most of the examples and can be used…
111 Multiple examples for instructive and real-world Jazzer fuzz targets can be found in the `examples/…
117 # Using the binary release and examples_deploy.jar:
118 ./jazzer --cp=examples_deploy.jar
126 INFO: libFuzzer ignores flags that start with '--'
128 INFO: Loaded 1 modules (65536 inline 8-bit counters): 65536 [0xe387b0, 0xe487b0),
130 INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
133 …s: 0 rss: 98Mb L: 13/13 MS: 5 ShuffleBytes-CrossOver-InsertRepeatedBytes-ShuffleBytes-CMP- DE: "ma…
134 … REDUCE cov: 4 ft: 4 corp: 2/13b lim: 17 exec/s: 0 rss: 99Mb L: 12/12 MS: 2 ChangeBit-EraseBytes-
135 … 6 corp: 3/51b lim: 38 exec/s: 0 rss: 113Mb L: 38/38 MS: 4 ChangeBit-ChangeByte-CopyPart-CrossOver-
136 …EDUCE cov: 6 ft: 6 corp: 3/49b lim: 38 exec/s: 0 rss: 113Mb L: 36/36 MS: 2 ShuffleBytes-EraseBytes-
137 #4266 REDUCE cov: 6 ft: 6 corp: 3/48b lim: 38 exec/s: 0 rss: 113Mb L: 35/35 MS: 1 EraseBytes-
138 … REDUCE cov: 6 ft: 6 corp: 3/47b lim: 38 exec/s: 0 rss: 114Mb L: 34/34 MS: 2 EraseBytes-CopyPart-
139 #4764 REDUCE cov: 6 ft: 6 corp: 3/46b lim: 38 exec/s: 0 rss: 115Mb L: 33/33 MS: 1 EraseBytes-
140 … REDUCE cov: 6 ft: 6 corp: 3/44b lim: 43 exec/s: 0 rss: 116Mb L: 31/31 MS: 2 InsertByte-EraseBytes-
143 == Java Exception: java.lang.IllegalStateException: mustNeverBeCalled has been called
144 at com.example.ExampleFuzzer.mustNeverBeCalled(ExampleFuzzer.java:38)
145 at com.example.ExampleFuzzer.fuzzerTestOneInput(ExampleFuzzer.java:32)
148 MS: 1 CMP- DE: "\x00C"-; base unit: 04e0ccacb50424e06e45f6184ad45895b6b8df8f
151 artifact_prefix='./'; Test unit written to crash-efea1e8fc83a15217d512e20d964040a68a968c3
153 reproducer_path='.'; Java reproducer written to Crash_efea1e8fc83a15217d512e20d964040a68a968c3.java
156 Here you can see the usual libFuzzer output in case of a crash, augmented with JVM-specific informa…
157 Instead of a native stack trace, the details of the uncaught Java exception that caused the crash a…
158 More information on what hooks and Java reproducers are can be found below.
167 may be as simple as the following Java example:
169 ```java
182 A Java fuzz target class needs to define exactly one of the following functions:
201 …s://github.com/CodeIntelligenceTesting/jazzer/tree/main/examples/src/main/java/com/example/KlaxonF…
205 The fuzz target needs to be compiled and packaged into a `.jar` archive. Assuming that this archive…
206 `fuzz_target.jar` and depends on libraries available as `lib1.jar` and `lib2.jar`, fuzzing is start…
210 --cp=fuzz_target.jar:lib1.jar:lib2.jar --target_class=com.example.MyFirstFuzzTarget <optional_corpu…
213 …s can optionally be specified by adding it as the value of the `Jazzer-Fuzz-Target-Class` attribute
214 in the JAR's manifest. If there is only a single such attribute among all manifests of JARs on the …
217 Bazel produces the correct type of `.jar` from a `java_binary` target with `create_executable = Fal…
218 `deploy_manifest_lines = ["Jazzer-Fuzz-Target-Class: com.example.MyFirstFuzzTarget"]` by adding the…
223 For most non-trivial fuzz targets it is necessary to further process the byte array passed from the…
224 to extract multiple values or convert the input into a valid `java.lang.String`. We provide functio…
225 [atheris'](https://github.com/google/atheris) `FuzzedDataProvider` and libFuzzer's `FuzzedDataProvi…
232 ```java
248 The `FuzzedDataProvider` interface definition is contained in `jazzer_api_deploy.jar` in the binary…
249 built by the Bazel target `//agent:jazzer_api_deploy.jar`. It is also available from
250 [Maven Central](https://search.maven.org/search?q=g:com.code-intelligence%20a:jazzer-api).
252 [javadocs](https://codeintelligencetesting.github.io/jazzer-api/com/code_intelligence/jazzer/api/Fu…
254 It is highly recommended to use `FuzzedDataProvider` for generating `java.lang.String` objects insi…
256 engineered to minimize copying and generate both valid and invalid ASCII-only and Unicode strings.
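A complete fuzz target that puts the two sections above together (the `fuzzerTestOneInput` entry point and `FuzzedDataProvider`), added here as an editor's example rather than code from the Jazzer README or repository. `com.example.RecordFuzzer` and the inline `LengthPrefixedRecord` class it exercises are hypothetical, as is the bounds-check defect planted in `parse`; the `FuzzedDataProvider` methods used (`consumeAsciiString`, `consumeInt(min, max)`, `consumeRemainingAsBytes`) are part of the published `jazzer-api`:

```java
// Editor-added example, not code from the Jazzer project. Assumed names:
// com.example.RecordFuzzer and the hypothetical code under test
// LengthPrefixedRecord, which is included inline so the target is self-contained.
package com.example;

import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class RecordFuzzer {

  /** Hypothetical code under test: a record encoded as <u16 length><name bytes><u8 flags>. */
  static final class LengthPrefixedRecord {
    final String name;
    final int flags;

    LengthPrefixedRecord(String name, int flags) {
      this.name = name;
      this.flags = flags;
    }

    static byte[] encode(String name, int flags) {
      byte[] n = name.getBytes(StandardCharsets.UTF_8);
      if (n.length > 0xFFFF) {
        throw new IllegalArgumentException("name too long");
      }
      byte[] out = new byte[3 + n.length];
      out[0] = (byte) (n.length >>> 8);
      out[1] = (byte) n.length;
      System.arraycopy(n, 0, out, 2, n.length);
      out[2 + n.length] = (byte) flags;
      return out;
    }

    static LengthPrefixedRecord parse(byte[] buf) {
      if (buf.length < 3) {
        throw new IllegalArgumentException("truncated record");
      }
      int len = ((buf[0] & 0xFF) << 8) | (buf[1] & 0xFF);
      // Deliberate defect for the fuzzer to find: the declared length is never
      // checked against buf.length, so a crafted header reads past the end.
      byte[] nameBytes = Arrays.copyOfRange(buf, 2, 2 + len);
      int flags = buf[2 + len] & 0xFF;
      return new LengthPrefixedRecord(new String(nameBytes, StandardCharsets.UTF_8), flags);
    }
  }

  /** Optional: Jazzer calls this once before the first input is passed to the target. */
  public static void fuzzerInitialize() {}

  /**
   * The fuzz target. Jazzer wraps the raw libFuzzer input in a FuzzedDataProvider;
   * each consume* call slices one typed value off it.
   */
  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    // Property 1: a record we serialize ourselves must round-trip exactly.
    // ASCII-only so the UTF-8 round trip cannot be lossy by itself and cause
    // a false positive.
    String name = data.consumeAsciiString(32);
    int flags = data.consumeInt(0, 255);
    LengthPrefixedRecord parsed =
        LengthPrefixedRecord.parse(LengthPrefixedRecord.encode(name, flags));
    if (!name.equals(parsed.name) || flags != parsed.flags) {
      throw new IllegalStateException("round-trip mismatch for " + name + "/" + flags);
    }

    // Property 2: arbitrary bytes may be rejected, but only with the documented
    // exception. Anything else (here the ArrayIndexOutOfBoundsException from the
    // missing bounds check) escapes and Jazzer reports it as a finding.
    byte[] raw = data.consumeRemainingAsBytes();
    try {
      LengthPrefixedRecord.parse(raw);
    } catch (IllegalArgumentException rejected) {
      // a cleanly rejected input is not a bug
    }
  }
}
```

Compile the class against `jazzer_api_deploy.jar` (or the `jazzer-api` Maven artifact), package it as `fuzz_target.jar` and start fuzzing with `--cp=fuzz_target.jar --target_class=com.example.RecordFuzzer`. The first check is a property-based test that never throws on its own, which is what makes any exception from the second check a genuine finding rather than noise.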
263 …cify the `--autofuzz` flag and provide a fully [qualified method reference](https://docs.oracle.co…
265 --autofuzz=org.apache.commons.imaging.Imaging::getBufferedImage
267 To autofuzz a constructor the `ClassType::new` format can be used.
270 --autofuzz=org.apache.commons.imaging.Imaging::getBufferedImage(java.io.InputStream,java.util.Map)
272 The format of the signature agrees with that obtained from the part after the `#` of the link to th…
276 …at follow the [builder design pattern](https://www.baeldung.com/creational-design-patterns#builder)
281 … of exceptions to be ignored during fuzzing via the `--autofuzz_ignore` flag in the form of a comm…
282 …`java.lang.NullPointerException`), in which case also subclasses of these exception classes will be…
284 When fuzzing with `--autofuzz`, Jazzer automatically enables the `--keep_going` mode to keep fuzzin…
285 Set `--keep_going=N` explicitly to stop after the `N`-th finding.
292 docker run cifuzz/jazzer-autofuzz <Maven coordinates> --autofuzz=<method reference> <further argume…
295 As an example, you can autofuzz the `json-sanitizer` library as follows:
297 docker run -it cifuzz/jazzer-autofuzz \
298 com.mikesamuel:json-sanitizer:1.2.0 \
299 com.google.json.JsonSanitizer::sanitize \
300 --autofuzz_ignore=java.lang.ArrayIndexOutOfBoundsException \
301 --keep_going=1
308 … manages to find an input that causes an uncaught exception or a failed assertion, it prints a Java
311 * `crash-<sha1_of_input>` contains the raw bytes passed to the fuzz target (just as with libFuzzer …
313 * `Crash-<sha1_of_input>.java` contains a class with a `main` function that invokes the fuzz target…
315 …directly correspond to the values consumed by the fuzz target. The `.java` file can be compiled wi…
316 …the fuzz target and its dependencies in the classpath (plus `jazzer_api_deploy.jar` if using `Fuzz…
322 …To minimize a crashing input, execute Jazzer with the following arguments in addition to `--cp` and
323 `--target_class`:
326 -minimize_crash=1 <path/to/crashing_input>
331 libFuzzer offers the `-fork=N` and `-jobs=N` flags for parallel fuzzing, both of which are also sup…
336 fuzzing multi-threaded fuzz targets is theoretically possible, the reported coverage information ma…
343 | ------- | -------- | ------ | --- | -------- |
344 …java.net/groups/vulnerability/advisories/2022-01-18) | [CVE-2022-21360](https://nvd.nist.gov/vuln/…
345 …java.net/groups/vulnerability/advisories/2022-01-18) | [CVE-2022-21366](https://nvd.nist.gov/vuln/…
346 …sories/GHSA-wrvw-hg22-4m67) | [CVE-2021-22569](https://nvd.nist.gov/vuln/detail/CVE-2021-22569) | …
347 …/advisories/GHSA-m72m-mhq2-9p6c) | [CVE-2021-37714](https://nvd.nist.gov/vuln/detail/CVE-2021-3771…
348 …-compress](https://commons.apache.org/proper/commons-compress/) | Infinite loop when loading a cra…
349 …-compress](https://commons.apache.org/proper/commons-compress/) | `OutOfMemoryError` when loading …
350 …-compress](https://commons.apache.org/proper/commons-compress/) | Infinite loop when loading a cra…
351 …-compress](https://commons.apache.org/proper/commons-compress/) | `OutOfMemoryError` when loading …
352 …fted PDF | fixed | [CVE-2021-27807](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27807) | […
353 …fted PDF | fixed | [CVE-2021-27906](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27906) | […
354 …-smart-v1](https://github.com/netplex/json-smart-v1) <br/> [netplex/json-smart-v2](https://github.…
355 …-sanitizer](https://github.com/OWASP/json-sanitizer) | Output can contain `</script>` and `]]>`, wh…
356 …-sanitizer](https://github.com/OWASP/json-sanitizer) | Output can be invalid JSON and undeclared e…
357 …//github.com/alibaba/fastjson/issues/3631) | | [Code Intelligence](https://code-intelligence.com) |
358 …-compress](https://commons.apache.org/proper/commons-compress/) | Infinite loop and `OutOfMemoryEr…
359 …-compress](https://commons.apache.org/proper/commons-compress/) | `NullPointerException` in `ZipFi…
360 …-imaging](https://commons.apache.org/proper/commons-imaging/) | Parsers for multiple image formats…
361 …rg/jira/browse/PDFBOX-5108?jql=project%20%3D%20PDFBOX%20AND%20reporter%20in%20(Meumertzheim)) | | …
362 …https://github.com/cbeust/klaxon/pull/330) | | [Code Intelligence](https://code-intelligence.com) |
363 …-dataformats-binary](https://github.com/FasterXML/jackson-dataformats-binary) | `CBORParser` throw…
364 …-dataformats-binary](https://github.com/FasterXML/jackson-dataformats-binary) | `CBORParser` throw…
365 …ageoint/tiff-java](https://github.com/ngageoint/tiff-java) | `readTiff` Index Out Of Bounds | [fi…
366 | [google/re2j](https://github.com/google/re2j) | `NullPointerException` in `Pattern.compile` | [re…
367 | [google/gson](https://github.com/google/gson) | `ArrayIndexOutOfBounds` in `ParseString` | [fixed…
369 …-Fuzz, an additional list of bugs can be found [on the OSS-Fuzz issue tracker](https://bugs.chromi…
377 libFuzzer-compiled binary, all positional and single dash command-line options are parsed by libFuz…
378 Jazzer options are passed via double dash command-line flags, i.e., as `--option=value` (note the `…
380 A full list of command-line flags can be printed with the `--help` flag. For the available libFuzze…
388 Alternatively, arguments can also be supplied via the `--jvm_args` argument.
394 --jvm_args=--enable-preview;-Xmx1000m
396 --jvm_args=--enable-preview:-Xmx1000m
399 Arguments specified with `--jvm_args` take precedence over those in `JAVA_OPTS`.
406 It is possible to restrict instrumentation to only a subset of classes with the `--instrumentation_…
408 external parsing library in which the fuzzer is likely to get lost. Similarly, there is `--instrume…
409 exclude specific classes from instrumentation. Both flags take a list of glob patterns for the java
413 --instrumentation_includes=com.my_com.**:com.other_com.** --instrumentation_excludes=com.my_com.cry…
416 By default, JVM-internal classes and Java as well as Kotlin standard library classes are not instru…
422 …to [clang's data flow hooks](https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-data-flow).
423 The particular instrumentation types to apply can be specified using the `--trace` flag, which acce…
425 * `cov`: AFL-style edge coverage
436 The run-time flag `-use_value_profile=1` enables [libFuzzer's value profiling mode](https://llvm.or…
439 …fileFuzzer.java](https://github.com/CodeIntelligenceTesting/jazzer/tree/main/examples/src/main/jav…
447 …leFuzzerHooks.java](https://github.com/CodeIntelligenceTesting/jazzer/tree/main/examples/src/main/
449 …erHooks.java](https://github.com/CodeIntelligenceTesting/jazzer/tree/main/examples/src/main/java/c…
452 …ich is contained in `jazzer_api_deploy.jar` (binary release) or built by the target `//agent:jazze…
454 [Maven Central](https://search.maven.org/search?q=g:com.code-intelligence%20a:jazzer-api).
455 See the [javadocs of the `@MethodHook` API](https://codeintelligencetesting.github.io/jazzer-api/co…
458 To use the compiled method hooks they have to be available on the classpath provided by `--cp` and …
459 flag `--custom_hooks`, which takes a colon-separated list of names of classes to load hooks from.
460 …Java standard library, it has to be loaded from a JAR file so that Jazzer can [add it to the boots…
461 This list of custom hooks can alternatively be specified via the `Jazzer-Hook-Classes` attribute in…
462 JAR's manifest.
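An editor-added example of a custom `@MethodHook` (not code from the Jazzer README or repository): a REPLACE hook that neutralizes a checksum check so the fuzzer can reach the parser behind it, the classic reason for writing one. `com.example.ChecksumFuzzer`, its nested `Checksum` and `Hooks` classes and the planted parser defect are all hypothetical, and the hook method signature (`MethodHandle method, Object thisObject, Object[] arguments, int hookId`, returning the hooked method's return type) is the one the editor understands from the `@MethodHook` javadocs linked above:

```java
// Editor-added example, not code from the Jazzer project. Assumed names:
// com.example.ChecksumFuzzer plus its nested Checksum (hypothetical code under
// test) and Hooks classes; the REPLACE hook signature is as understood from the
// @MethodHook javadocs.
package com.example;

import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.api.HookType;
import com.code_intelligence.jazzer.api.MethodHook;
import java.lang.invoke.MethodHandle;
import java.nio.charset.StandardCharsets;

public class ChecksumFuzzer {

  /** Hypothetical code under test: payloads are only parsed when a 32-bit checksum matches. */
  public static final class Checksum {
    public static int compute(byte[] data) {
      int h = 0x811C9DC5; // FNV-1a, 32-bit
      for (byte b : data) {
        h ^= (b & 0xFF);
        h *= 0x01000193;
      }
      return h;
    }

    public static boolean verify(byte[] data, int expected) {
      return compute(data) == expected;
    }
  }

  /** Hypothetical parser gated by the checksum. */
  static String parsePayload(byte[] data, int checksum) {
    if (!Checksum.verify(data, checksum)) {
      throw new IllegalArgumentException("bad checksum");
    }
    if (data.length < 2) {
      throw new IllegalArgumentException("truncated payload");
    }
    // Deliberate defect: the embedded length byte is trusted, so a value larger
    // than the remaining bytes raises StringIndexOutOfBoundsException.
    int len = data[1] & 0xFF;
    return new String(data, 2, len, StandardCharsets.UTF_8);
  }

  /**
   * Hook class; load it with --custom_hooks. Jazzer rewrites the bytecode of every
   * call to Checksum.verify(byte[], int) in instrumented classes to call alwaysValid
   * instead. thisObject is null because the hooked method is static; arguments holds
   * the boxed parameters of the original call, which this hook simply ignores.
   */
  public static final class Hooks {
    @MethodHook(
        type = HookType.REPLACE,
        targetClassName = "com.example.ChecksumFuzzer$Checksum",
        targetMethod = "verify",
        targetMethodDescriptor = "([BI)Z")
    public static boolean alwaysValid(
        MethodHandle method, Object thisObject, Object[] arguments, int hookId) {
      return true;
    }
  }

  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    int checksum = data.consumeInt();
    byte[] payload = data.consumeRemainingAsBytes();
    try {
      parsePayload(payload, checksum);
    } catch (IllegalArgumentException rejected) {
      // Without the hook, practically every mutated input ends here and the
      // length defect behind the check is never exercised.
    }
  }
}
```

Run it as `./jazzer --cp=fuzz_target.jar --target_class=com.example.ChecksumFuzzer '--custom_hooks=com.example.ChecksumFuzzer$Hooks'` (quote the `$` so the shell does not expand it). Leaving `targetMethodDescriptor` out would hook every overload named `verify`; giving it pins the hook to the `(byte[], int) -> boolean` signature. Because the hook replaces the call rather than the method body, `Checksum.verify` itself is unchanged and can still be called directly, for example from a separate fuzz target that checks the checksum implementation on its own.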
466 With the flag `--keep_going=N` Jazzer continues fuzzing until `N` unique stack traces have been enc…
468 Particular stack traces can also be ignored based on their `DEDUP_TOKEN` by passing a comma-separat…
469 via `--ignore=<token_1>,<token2>`.
473 …ered JaCoCo coverage information can be exported in human-readable and JaCoCo execution data format
477 The human-readable report contains coverage information, like branch and line coverage, on file lev…
478 get a quick overview of the overall coverage. The flag `--coverage_report=<file>` can be used to…
480 Similar to the JaCoCo `dump` command, the flag `--coverage_dump=<file>` specifies a coverage dump f…
482 data in the JaCoCo format.
488 HTML report in the folder `report` containing all classes available in `classes.jar` and their cove…
492 java -jar path/to/jacococli.jar report coverage.exec \
493 --classfiles classes.jar \
494 --sourcefiles some/path/to/sources \
495 --html report \
496 --name FuzzCoverageReport
504 coverage feedback, these libraries have to be compiled with `-fsanitize=fuzzer-no-link`.
508 - *AddressSanitizer*: `-fsanitize=fuzzer-no-link,address`
509 - *UndefinedBehaviorSanitizer*: `-fsanitize=fuzzer-no-link,undefined` (add `-fno-sanitize-recover=…
517 minimal working examples for fuzzing with native libraries. Also see `TurboJpegFuzzer` for a real-w…
525 pre-loading the mutator library:
529 LD_PRELOAD=libcustom_mutator.so bazel run //:jazzer -- <arguments>
547 The LLVM-style edge coverage instrumentation for JVM bytecode used by Jazzer relies on [JaCoCo](htt…
548 Previously, Jazzer used AFL-style coverage instrumentation as pioneered by [kelinci](https://github…
551 <a href="https://www.code-intelligence.com"><img src="https://www.code-intelligence.com/hubfs/Logos…