1load("@fmeum_rules_jni//jni:defs.bzl", "java_jni_library")
2load("//bazel:compat.bzl", "SKIP_ON_MACOS", "SKIP_ON_WINDOWS")
3load("//bazel:fuzz_target.bzl", "java_fuzz_target_test")
4
# Fuzzes LongStringFuzzer starting from a checked-in input. The input path is handed to
# libFuzzer as a positional argument (resolved with $(rootpath ...)), so the file must also
# be listed in `data` to be present in the test's runfiles. The run is expected to surface a
# FuzzerSecurityIssueLow. verify_crash_input is switched off here, presumably because the
# crashing input is the checked-in one rather than a fuzzer-generated artifact -- confirm
# against //bazel:fuzz_target.bzl.
java_fuzz_target_test(
    name = "LongStringFuzzer",
    srcs = [
        "src/test/java/com/example/LongStringFuzzer.java",
    ],
    # Runtime dependency: required for the $(rootpath ...) expansion in fuzzer_args below.
    data = ["src/test/java/com/example/LongStringFuzzerInput"],
    expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    fuzzer_args = [
        "$(rootpath src/test/java/com/example/LongStringFuzzerInput)",
    ],
    target_class = "com.example.LongStringFuzzer",
    verify_crash_input = False,
)
18
# Autofuzz test without a hand-written target: Jazzer generates arguments for
# JpegImageParser::getBufferedImage from the commons-imaging artifact pulled in via
# runtime_deps. The expected finding is an uncaught NegativeArraySizeException inside that
# library; NullPointerExceptions are suppressed so that they do not pre-empt it.
# NOTE(review): whether this crash still reproduces depends on the commons-imaging version
# pinned for @maven -- re-check this test's expectation when that pin is bumped.
java_fuzz_target_test(
    name = "JpegImageParserAutofuzz",
    expected_findings = ["java.lang.NegativeArraySizeException"],
    fuzzer_args = [
        "--autofuzz=org.apache.commons.imaging.formats.jpeg.JpegImageParser::getBufferedImage",
        # Exit after the first finding for testing purposes.
        "--keep_going=1",
        # Filtered out so the run does not stop on an NPE before reaching the expected finding.
        "--autofuzz_ignore=java.lang.NullPointerException",
    ],
    runtime_deps = [
        "@maven//:org_apache_commons_commons_imaging",
    ],
)
32
# The fuzz target class is also registered as a hook class (hook_classes and target_class
# name the same class). -Xverify:all makes the JVM run the bytecode verifier on every loaded
# class, so a malformed hook or instrumentation rewrite fails loudly with a VerifyError
# instead of being accepted silently. No expected_findings are given, so this test relies on
# the rule's default crash expectations -- see //bazel:fuzz_target.bzl.
java_fuzz_target_test(
    name = "HookDependenciesFuzzer",
    srcs = ["src/test/java/com/example/HookDependenciesFuzzer.java"],
    env = {"JAVA_OPTS": "-Xverify:all"},
    hook_classes = ["com.example.HookDependenciesFuzzer"],
    target_class = "com.example.HookDependenciesFuzzer",
)
40
# Checks that autofuzz still works when the target produces no coverage feedback at all.
# Pattern::compile lives in the JDK, which is not instrumented by default, so libFuzzer
# sees no new edges; the run is nevertheless expected to reach a NullPointerException
# (presumably from a null argument generated by autofuzz -- confirm) and stop there
# because of --keep_going=1.
java_fuzz_target_test(
    name = "AutofuzzWithoutCoverage",
    expected_findings = ["java.lang.NullPointerException"],
    fuzzer_args = [
        # Autofuzz a method that triggers no coverage instrumentation (the Java standard library is
        # excluded by default).
        "--autofuzz=java.util.regex.Pattern::compile",
        "--keep_going=1",
    ],
)
51
# Same JDK method as AutofuzzWithoutCoverage, but with java.util.regex.** explicitly pulled
# into instrumentation so that hooks and coverage apply to it. Ordinary exceptions are
# suppressed via --autofuzz_ignore=java.lang.Exception (whether subclasses are matched
# depends on Jazzer's filter semantics -- confirm), so only Errors reach the fuzzer; the
# expected one is an OutOfMemoryError. No -Xmx is set here, so the heap limit that triggers
# it is whatever the test JVM defaults to.
java_fuzz_target_test(
    name = "AutofuzzHookDependencies",
    # The reproducer does not include the hook on OOM and thus throws a regular error.
    expected_findings = ["java.lang.OutOfMemoryError"],
    fuzzer_args = [
        "--instrumentation_includes=java.util.regex.**",
        "--autofuzz=java.util.regex.Pattern::compile",
        "--autofuzz_ignore=java.lang.Exception",
        "--keep_going=1",
    ],
    # FIXME(fabian): Regularly times out on Windows with 0 exec/s for minutes.
    target_compatible_with = SKIP_ON_WINDOWS,
)
65
# Exercises libFuzzer fork mode (-fork=2 spawns child fuzzing processes) together with the
# three ways of passing JVM options: the JAVA_OPTS env var, --additional_jvm_args and
# --jvm_args. JAVA_OPTS sets -Dfoo=not_foo while --jvm_args sets -Dfoo=foo, so the target
# presumably asserts which source takes precedence -- see ForkModeFuzzer.java. --jvm_args
# is split on the platform path separator (';' on Windows, ':' elsewhere); the escaped
# separator inside -Dbar checks that an escaped separator is not split.
java_fuzz_target_test(
    name = "ForkModeFuzzer",
    size = "enormous",
    srcs = [
        "src/test/java/com/example/ForkModeFuzzer.java",
    ],
    env = {
        "JAVA_OPTS": "-Dfoo=not_foo -Djava_opts=1",
    },
    expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    fuzzer_args = [
        "-fork=2",
        "--additional_jvm_args=-Dbaz=baz",
    ] + select({
        # \\\\ becomes \\ when evaluated as a Starlark string literal, then \ in
        # java_fuzz_target_test.
        "@platforms//os:windows": ["--jvm_args=-Dfoo=foo;-Dbar=b\\\\;ar"],
        "//conditions:default": ["--jvm_args=-Dfoo=foo:-Dbar=b\\\\:ar"],
    }),
    # Consumes more resources than can be expressed via the size attribute.
    tags = ["exclusive-if-local"],
    target_class = "com.example.ForkModeFuzzer",
    # The exit codes of the forked libFuzzer processes are not picked up correctly.
    target_compatible_with = SKIP_ON_MACOS,
)
91
# Checks Jazzer's coverage reporting. The file names in `env` must stay in sync with the
# --coverage_report / --coverage_dump arguments: the Java target presumably reads the env
# vars to locate and inspect the files Jazzer wrote (the jacoco_internal dep suggests the
# .exec dump is parsed) -- confirm in CoverageFuzzer.java. Instrumentation is limited to
# com.example.** so the report only covers the test's own classes. Crash verification is
# disabled and no finding is expected; the test is about the produced artifacts.
java_fuzz_target_test(
    name = "CoverageFuzzer",
    srcs = [
        "src/test/java/com/example/CoverageFuzzer.java",
    ],
    env = {
        "COVERAGE_REPORT_FILE": "coverage.txt",
        "COVERAGE_DUMP_FILE": "coverage.exec",
    },
    fuzzer_args = [
        # libFuzzer value profiling; adds comparison-operand feedback to the coverage signal.
        "-use_value_profile=1",
        "--coverage_report=coverage.txt",
        "--coverage_dump=coverage.exec",
        "--instrumentation_includes=com.example.**",
    ],
    target_class = "com.example.CoverageFuzzer",
    verify_crash_input = False,
    verify_crash_reproducer = False,
    deps = [
        "@jazzer_jacoco//:jacoco_internal",
    ],
)
114
# Plain library holding the nested-class target for AutofuzzInnerClassFuzzer below. The
# Jazzer API is a compile-only dependency so the class can reference it (e.g. to raise a
# finding) without bundling the API into the runtime classpath.
java_library(
    name = "autofuzz_inner_class_target",
    srcs = ["src/test/java/com/example/AutofuzzInnerClassTarget.java"],
    deps = [
        "//agent:jazzer_api_compile_only",
    ],
)
122
# Autofuzz of a doubly nested inner class, spelled with dots (Outer.Middle.Inner::method)
# rather than the '$' used in binary class names; the test presumably checks that Jazzer
# resolves this form. Stops at the first finding, expected to be a FuzzerSecurityIssueLow.
java_fuzz_target_test(
    name = "AutofuzzInnerClassFuzzer",
    expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    fuzzer_args = [
        "--autofuzz=com.example.AutofuzzInnerClassTarget.Middle.Inner::test",
        "--keep_going=1",
    ],
    runtime_deps = [
        ":autofuzz_inner_class_target",
    ],
)
134
# Regression test for https://github.com/CodeIntelligenceTesting/jazzer/issues/405.
# The heap is capped at 800m so that a leak in the fuzzer itself shows up as an
# OutOfMemoryError / GC overhead error within the run budget; with expect_crash = False
# any such error fails the test.
java_fuzz_target_test(
    name = "MemoryLeakFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/MemoryLeakFuzzer.java"],
    env = {
        "JAVA_OPTS": "-Xmx800m",
    },
    expect_crash = False,
    fuzzer_args = [
        # Before the bug was fixed, either the GC overhead limit or the overall heap limit was
        # reached by this target in this number of runs.
        "-runs=1000000",
        # Skip over the first and only exception to keep the fuzzer running until it hits the runs
        # limit.
        "--keep_going=2",
    ],
    target_class = "com.example.MemoryLeakFuzzer",
)
154
# Test matrix for JazzerApiFuzzer: one target per entry, with the entry's value appended
# to fuzzer_args. Both variants expect the same FuzzerSecurityIssueLow, so the finding has
# to be raised by the target through the Jazzer API itself -- the "nohooks" variant runs
# with all hooks disabled and would not see a hook-generated finding.
JAZZER_API_TEST_CASES = {
    "default": [],
    "nohooks": ["--nohooks"],
}

[
    java_fuzz_target_test(
        # Yields JazzerApiFuzzer_default and JazzerApiFuzzer_nohooks.
        name = "JazzerApiFuzzer_" + case,
        srcs = ["src/test/java/com/example/JazzerApiFuzzer.java"],
        expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
        fuzzer_args = args,
        target_class = "com.example.JazzerApiFuzzer",
    )
    for case, args in JAZZER_API_TEST_CASES.items()
]
170
# Checks that --disabled_hooks takes effect: com.example.DisabledHook is registered via
# --custom_hooks and disabled again in the same invocation, and the built-in RegexInjection
# sanitizer is disabled as well. The target presumably asserts that neither hook fires --
# see DisabledHooksFuzzer.java. Note that disabling RegexInjection turns off regex-injection
# detection for this run; that is the point of the test, not a configuration to copy.
# -runs=0 keeps the run to startup/instrumentation without fuzzing iterations.
java_fuzz_target_test(
    name = "DisabledHooksFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/DisabledHooksFuzzer.java"],
    expect_crash = False,
    fuzzer_args = [
        "-runs=0",
        "--custom_hooks=com.example.DisabledHook",
    ] + select({
        # --disabled_hooks is split on the platform path separator: ';' on Windows, ':' elsewhere.
        "@platforms//os:windows": ["--disabled_hooks=com.example.DisabledHook;com.code_intelligence.jazzer.sanitizers.RegexInjection"],
        "//conditions:default": ["--disabled_hooks=com.example.DisabledHook:com.code_intelligence.jazzer.sanitizers.RegexInjection"],
    }),
    target_class = "com.example.DisabledHooksFuzzer",
)
185
# Leak regression test for the byte-array input path, structured like MemoryLeakFuzzer but
# with a tighter heap (200m) and more iterations. No tracking issue is referenced here;
# the comment below only says "before the bug was fixed" -- link the fix if one exists.
# With expect_crash = False, any OutOfMemoryError or GC overhead error fails the test.
java_fuzz_target_test(
    name = "BytesMemoryLeakFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/BytesMemoryLeakFuzzer.java"],
    env = {
        "JAVA_OPTS": "-Xmx200m",
    },
    expect_crash = False,
    fuzzer_args = [
        # Before the bug was fixed, either the GC overhead limit or the overall heap limit was
        # reached by this target in this number of runs.
        "-runs=10000000",
    ],
    target_class = "com.example.BytesMemoryLeakFuzzer",
)
201
# Verifies that Jazzer continues fuzzing when the first two executions did not result in any
# coverage feedback. Excluding every class from instrumentation (**) guarantees there is no
# coverage signal at all; the run must still complete its 10 iterations without a crash.
java_fuzz_target_test(
    name = "NoCoverageFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/NoCoverageFuzzer.java"],
    expect_crash = False,
    fuzzer_args = [
        "-runs=10",
        "--instrumentation_excludes=**",
    ],
    target_class = "com.example.NoCoverageFuzzer",
)
215
# Runs with an explicit libFuzzer seed and no fuzzing iterations; the target presumably
# checks that the seed value is visible to it (e.g. through the Jazzer API) -- see
# SeedFuzzer.java. Counterpart of NoSeedFuzzer below.
java_fuzz_target_test(
    name = "SeedFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/SeedFuzzer.java"],
    expect_crash = False,
    fuzzer_args = [
        "-runs=0",
        "-seed=1234567",
    ],
    target_class = "com.example.SeedFuzzer",
)
227
# Counterpart of SeedFuzzer: no -seed is passed. JAZZER_NO_EXPLICIT_SEED=1 presumably tells
# java_fuzz_target_test not to inject a seed of its own, so the target observes the
# behaviour for an unseeded run -- confirm in //bazel:fuzz_target.bzl.
java_fuzz_target_test(
    name = "NoSeedFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/NoSeedFuzzer.java"],
    env = {
        "JAZZER_NO_EXPLICIT_SEED": "1",
    },
    expect_crash = False,
    fuzzer_args = [
        "-runs=0",
    ],
    target_class = "com.example.NoSeedFuzzer",
)
241
# JNI-backed fuzz target: the Java side is compiled here and bundled with the native
# library from //tests/src/test/native/com/example. Visibility is restricted to that
# native package (it needs the generated JNI headers); other consumers go through the
# NativeValueProfileFuzzer test target below.
java_jni_library(
    name = "native_value_profile_fuzzer",
    srcs = ["src/test/java/com/example/NativeValueProfileFuzzer.java"],
    native_libs = ["//tests/src/test/native/com/example:native_value_profile_fuzzer"],
    visibility = ["//tests/src/test/native/com/example:__pkg__"],
    deps = ["//agent:jazzer_api_compile_only"],
)
249
# Fuzzes through JNI with the native library built under AddressSanitizer, so memory errors
# in the C/C++ side are caught rather than silently corrupting state. -use_value_profile=1
# is required because the expected finding presumably depends on comparison feedback from
# the native code -- see NativeValueProfileFuzzer.java. The crash reproducer is not
# verified, presumably because the standalone reproducer cannot load the native library
# -- confirm.
java_fuzz_target_test(
    name = "NativeValueProfileFuzzer",
    expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    fuzzer_args = ["-use_value_profile=1"],
    sanitizer = "address",
    target_class = "com.example.NativeValueProfileFuzzer",
    target_compatible_with = SKIP_ON_WINDOWS,
    verify_crash_reproducer = False,
    runtime_deps = [":native_value_profile_fuzzer"],
)
260