load("@fmeum_rules_jni//jni:defs.bzl", "java_jni_library")
load("//bazel:compat.bzl", "SKIP_ON_MACOS", "SKIP_ON_WINDOWS")
load("//bazel:fuzz_target.bzl", "java_fuzz_target_test")

# Integration tests that run Jazzer against small example fuzz targets.
#
# java_fuzz_target_test is a macro from //bazel:fuzz_target.bzl (not shown here). Judging by the
# attribute names, expected_findings lists the exception classes a run has to report and
# expect_crash = False marks targets that must finish without a finding -- confirm against the
# macro before relying on this.

# Finding class shared by several targets below.
SECURITY_ISSUE_LOW = "com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"

# Runs the target on a fixed input file that is passed as a positional fuzzer argument.
java_fuzz_target_test(
    name = "LongStringFuzzer",
    srcs = [
        "src/test/java/com/example/LongStringFuzzer.java",
    ],
    data = ["src/test/java/com/example/LongStringFuzzerInput"],
    expected_findings = [SECURITY_ISSUE_LOW],
    fuzzer_args = [
        "$(rootpath src/test/java/com/example/LongStringFuzzerInput)",
    ],
    target_class = "com.example.LongStringFuzzer",
    # NOTE(review): crash input verification is switched off without a stated reason; a short
    # why-comment here would help the next reader.
    verify_crash_input = False,
)

# Autofuzzes a third-party parser method directly instead of a hand-written fuzz target.
# NullPointerExceptions are filtered out via --autofuzz_ignore; the finding this test waits for
# is the NegativeArraySizeException.
java_fuzz_target_test(
    name = "JpegImageParserAutofuzz",
    expected_findings = ["java.lang.NegativeArraySizeException"],
    fuzzer_args = [
        "--autofuzz=org.apache.commons.imaging.formats.jpeg.JpegImageParser::getBufferedImage",
        # For testing purposes, stop as soon as the first finding is reported.
        "--keep_going=1",
        "--autofuzz_ignore=java.lang.NullPointerException",
    ],
    runtime_deps = [
        "@maven//:org_apache_commons_commons_imaging",
    ],
)

# The same class is registered as hook class and as fuzz target. The JVM runs with
# -Xverify:all, presumably so that invalid bytecode produced by instrumentation is rejected.
java_fuzz_target_test(
    name = "HookDependenciesFuzzer",
    srcs = ["src/test/java/com/example/HookDependenciesFuzzer.java"],
    env = {"JAVA_OPTS": "-Xverify:all"},
    hook_classes = ["com.example.HookDependenciesFuzzer"],
    target_class = "com.example.HookDependenciesFuzzer",
)

java_fuzz_target_test(
    name = "AutofuzzWithoutCoverage",
    expected_findings = ["java.lang.NullPointerException"],
    fuzzer_args = [
        # The autofuzzed method lives in the Java standard library, which is excluded from
        # instrumentation by default, so this run produces no coverage feedback.
        "--autofuzz=java.util.regex.Pattern::compile",
        "--keep_going=1",
    ],
)

# Same autofuzz target as AutofuzzWithoutCoverage, but with java.util.regex explicitly included
# in instrumentation and all java.lang.Exception findings ignored.
java_fuzz_target_test(
    name = "AutofuzzHookDependencies",
    # On OOM the reproducer lacks the hook and therefore throws a regular error.
    expected_findings = ["java.lang.OutOfMemoryError"],
    fuzzer_args = [
        "--instrumentation_includes=java.util.regex.**",
        "--autofuzz=java.util.regex.Pattern::compile",
        "--autofuzz_ignore=java.lang.Exception",
        "--keep_going=1",
    ],
    # FIXME(fabian): Regularly times out on Windows with 0 exec/s for minutes.
    target_compatible_with = SKIP_ON_WINDOWS,
)

# Fork mode with JVM options supplied through three channels: JAVA_OPTS, --jvm_args and
# --additional_jvm_args. Note that -Dfoo is set to different values in JAVA_OPTS and --jvm_args;
# presumably the target checks which one wins.
java_fuzz_target_test(
    name = "ForkModeFuzzer",
    size = "enormous",
    srcs = [
        "src/test/java/com/example/ForkModeFuzzer.java",
    ],
    env = {
        "JAVA_OPTS": "-Dfoo=not_foo -Djava_opts=1",
    },
    expected_findings = [SECURITY_ISSUE_LOW],
    fuzzer_args = [
        "-fork=2",
        "--additional_jvm_args=-Dbaz=baz",
    ] + select({
        # The list separator is ';' on Windows and ':' elsewhere; the -Dbar value contains an
        # escaped separator.
        # \\\\ becomes \\ when evaluated as a Starlark string literal, then \ in
        # java_fuzz_target_test.
        "@platforms//os:windows": ["--jvm_args=-Dfoo=foo;-Dbar=b\\\\;ar"],
        "//conditions:default": ["--jvm_args=-Dfoo=foo:-Dbar=b\\\\:ar"],
    }),
    # Needs more resources than the size attribute is able to express.
    tags = ["exclusive-if-local"],
    target_class = "com.example.ForkModeFuzzer",
    # The exit codes of the forked libFuzzer processes are not picked up correctly.
    target_compatible_with = SKIP_ON_MACOS,
)

# Writes a coverage report and a coverage dump. The env entries repeat the two file names given
# on the command line, presumably so that the target can locate and inspect the files.
java_fuzz_target_test(
    name = "CoverageFuzzer",
    srcs = [
        "src/test/java/com/example/CoverageFuzzer.java",
    ],
    env = {
        "COVERAGE_REPORT_FILE": "coverage.txt",
        "COVERAGE_DUMP_FILE": "coverage.exec",
    },
    fuzzer_args = [
        "-use_value_profile=1",
        "--coverage_report=coverage.txt",
        "--coverage_dump=coverage.exec",
        "--instrumentation_includes=com.example.**",
    ],
    target_class = "com.example.CoverageFuzzer",
    verify_crash_input = False,
    verify_crash_reproducer = False,
    deps = [
        "@jazzer_jacoco//:jacoco_internal",
    ],
)

# Library holding the nested class that AutofuzzInnerClassFuzzer addresses by name.
java_library(
    name = "autofuzz_inner_class_target",
    srcs = ["src/test/java/com/example/AutofuzzInnerClassTarget.java"],
    deps = [
        "//agent:jazzer_api_compile_only",
    ],
)

java_fuzz_target_test(
    name = "AutofuzzInnerClassFuzzer",
    expected_findings = [SECURITY_ISSUE_LOW],
    fuzzer_args = [
        "--autofuzz=com.example.AutofuzzInnerClassTarget.Middle.Inner::test",
        "--keep_going=1",
    ],
    runtime_deps = [
        ":autofuzz_inner_class_target",
    ],
)

# Regression test for https://github.com/CodeIntelligenceTesting/jazzer/issues/405.
java_fuzz_target_test(
    name = "MemoryLeakFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/MemoryLeakFuzzer.java"],
    # The heap is capped so that a reintroduced leak fails within the run limit below.
    env = {
        "JAVA_OPTS": "-Xmx800m",
    },
    expect_crash = False,
    fuzzer_args = [
        # With the bug present, this many runs were enough for the target to hit either the GC
        # overhead limit or the overall heap limit.
        "-runs=1000000",
        # The target throws exactly one exception; skip over it so that the fuzzer keeps going
        # until the runs limit is reached.
        "--keep_going=2",
    ],
    target_class = "com.example.MemoryLeakFuzzer",
)

# Variants of JazzerApiFuzzer, keyed by name suffix; the value holds the extra fuzzer arguments.
JAZZER_API_TEST_CASES = {
    "default": [],
    "nohooks": ["--nohooks"],
}

# One test per variant: the same target has to report the same finding with and without hooks.
[
    java_fuzz_target_test(
        name = "JazzerApiFuzzer_" + variant,
        srcs = ["src/test/java/com/example/JazzerApiFuzzer.java"],
        expected_findings = [SECURITY_ISSUE_LOW],
        fuzzer_args = extra_args,
        target_class = "com.example.JazzerApiFuzzer",
    )
    for variant, extra_args in JAZZER_API_TEST_CASES.items()
]

# Registers com.example.DisabledHook as a custom hook and then disables it again, together with
# Jazzer's RegexInjection sanitizer. Findings that depend on a disabled hook are presumably not
# reported for this run, which is what expect_crash = False relies on -- confirm in the target.
java_fuzz_target_test(
    name = "DisabledHooksFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/DisabledHooksFuzzer.java"],
    expect_crash = False,
    fuzzer_args = [
        "-runs=0",
        "--custom_hooks=com.example.DisabledHook",
    ] + select({
        # The hook list is separated by ';' on Windows and by ':' everywhere else.
        "@platforms//os:windows": ["--disabled_hooks=com.example.DisabledHook;com.code_intelligence.jazzer.sanitizers.RegexInjection"],
        "//conditions:default": ["--disabled_hooks=com.example.DisabledHook:com.code_intelligence.jazzer.sanitizers.RegexInjection"],
    }),
    target_class = "com.example.DisabledHooksFuzzer",
)

# Memory-leak check with a 200 MB heap cap and a fixed number of runs.
java_fuzz_target_test(
    name = "BytesMemoryLeakFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/BytesMemoryLeakFuzzer.java"],
    env = {
        "JAVA_OPTS": "-Xmx200m",
    },
    expect_crash = False,
    fuzzer_args = [
        # With the bug present, this many runs were enough for the target to hit either the GC
        # overhead limit or the overall heap limit.
        "-runs=10000000",
    ],
    target_class = "com.example.BytesMemoryLeakFuzzer",
)

# Checks that Jazzer keeps fuzzing even though the first two executions produced no coverage
# feedback. The '**' exclude pattern removes every class from instrumentation.
java_fuzz_target_test(
    name = "NoCoverageFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/NoCoverageFuzzer.java"],
    expect_crash = False,
    fuzzer_args = [
        "-runs=10",
        "--instrumentation_excludes=**",
    ],
    target_class = "com.example.NoCoverageFuzzer",
)

# Passes an explicit libFuzzer seed; presumably the target checks that it sees this value.
java_fuzz_target_test(
    name = "SeedFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/SeedFuzzer.java"],
    expect_crash = False,
    fuzzer_args = [
        "-runs=0",
        "-seed=1234567",
    ],
    target_class = "com.example.SeedFuzzer",
)

# Counterpart to SeedFuzzer: no -seed flag, and JAZZER_NO_EXPLICIT_SEED is set in the
# environment.
java_fuzz_target_test(
    name = "NoSeedFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/NoSeedFuzzer.java"],
    env = {
        "JAZZER_NO_EXPLICIT_SEED": "1",
    },
    expect_crash = False,
    fuzzer_args = [
        "-runs=0",
    ],
    target_class = "com.example.NoSeedFuzzer",
)

# Java half of the native value-profile test; visible only to the package holding the native
# half.
java_jni_library(
    name = "native_value_profile_fuzzer",
    srcs = ["src/test/java/com/example/NativeValueProfileFuzzer.java"],
    native_libs = ["//tests/src/test/native/com/example:native_value_profile_fuzzer"],
    visibility = ["//tests/src/test/native/com/example:__pkg__"],
    deps = ["//agent:jazzer_api_compile_only"],
)

# Fuzzes through JNI into native code with value profiling on. sanitizer = "address" presumably
# selects an AddressSanitizer run for the native library -- confirm in the macro.
java_fuzz_target_test(
    name = "NativeValueProfileFuzzer",
    expected_findings = [SECURITY_ISSUE_LOW],
    fuzzer_args = ["-use_value_profile=1"],
    sanitizer = "address",
    target_class = "com.example.NativeValueProfileFuzzer",
    target_compatible_with = SKIP_ON_WINDOWS,
    verify_crash_reproducer = False,
    runtime_deps = [":native_value_profile_fuzzer"],
)