werunplugged/unplugged-system
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
unplugged-system/external/jazzer-api/tests/BUILD.bazel

260 lines
8.3 KiB
Python
Raw Permalink Blame History

load("@fmeum_rules_jni//jni:defs.bzl", "java_jni_library")
load("//bazel:compat.bzl", "SKIP_ON_MACOS", "SKIP_ON_WINDOWS")
load("//bazel:fuzz_target.bzl", "java_fuzz_target_test")
java_fuzz_target_test(
name = "LongStringFuzzer",
srcs = [
"src/test/java/com/example/LongStringFuzzer.java",
],
data = ["src/test/java/com/example/LongStringFuzzerInput"],
expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
fuzzer_args = [
"$(rootpath src/test/java/com/example/LongStringFuzzerInput)",
],
target_class = "com.example.LongStringFuzzer",
verify_crash_input = False,
)
java_fuzz_target_test(
name = "JpegImageParserAutofuzz",
expected_findings = ["java.lang.NegativeArraySizeException"],
fuzzer_args = [
"--autofuzz=org.apache.commons.imaging.formats.jpeg.JpegImageParser::getBufferedImage",
# Exit after the first finding for testing purposes.
"--keep_going=1",
"--autofuzz_ignore=java.lang.NullPointerException",
],
runtime_deps = [
"@maven//:org_apache_commons_commons_imaging",
],
)
java_fuzz_target_test(
name = "HookDependenciesFuzzer",
srcs = ["src/test/java/com/example/HookDependenciesFuzzer.java"],
env = {"JAVA_OPTS": "-Xverify:all"},
hook_classes = ["com.example.HookDependenciesFuzzer"],
target_class = "com.example.HookDependenciesFuzzer",
)
java_fuzz_target_test(
name = "AutofuzzWithoutCoverage",
expected_findings = ["java.lang.NullPointerException"],
fuzzer_args = [
# Autofuzz a method that triggers no coverage instrumentation (the Java standard library is
# excluded by default).
"--autofuzz=java.util.regex.Pattern::compile",
"--keep_going=1",
],
)
java_fuzz_target_test(
name = "AutofuzzHookDependencies",
# The reproducer does not include the hook on OOM and thus throws a regular error.
expected_findings = ["java.lang.OutOfMemoryError"],
fuzzer_args = [
"--instrumentation_includes=java.util.regex.**",
"--autofuzz=java.util.regex.Pattern::compile",
"--autofuzz_ignore=java.lang.Exception",
"--keep_going=1",
],
# FIXME(fabian): Regularly times out on Windows with 0 exec/s for minutes.
target_compatible_with = SKIP_ON_WINDOWS,
)
java_fuzz_target_test(
name = "ForkModeFuzzer",
size = "enormous",
srcs = [
"src/test/java/com/example/ForkModeFuzzer.java",
],
env = {
"JAVA_OPTS": "-Dfoo=not_foo -Djava_opts=1",
},
expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
fuzzer_args = [
"-fork=2",
"--additional_jvm_args=-Dbaz=baz",
] + select({
# \\\\ becomes \\ when evaluated as a Starlark string literal, then \ in
# java_fuzz_target_test.
"@platforms//os:windows": ["--jvm_args=-Dfoo=foo;-Dbar=b\\\\;ar"],
"//conditions:default": ["--jvm_args=-Dfoo=foo:-Dbar=b\\\\:ar"],
}),
# Consumes more resources than can be expressed via the size attribute.
tags = ["exclusive-if-local"],
target_class = "com.example.ForkModeFuzzer",
# The exit codes of the forked libFuzzer processes are not picked up correctly.
target_compatible_with = SKIP_ON_MACOS,
)
java_fuzz_target_test(
name = "CoverageFuzzer",
srcs = [
"src/test/java/com/example/CoverageFuzzer.java",
],
env = {
"COVERAGE_REPORT_FILE": "coverage.txt",
"COVERAGE_DUMP_FILE": "coverage.exec",
},
fuzzer_args = [
"-use_value_profile=1",
"--coverage_report=coverage.txt",
"--coverage_dump=coverage.exec",
"--instrumentation_includes=com.example.**",
],
target_class = "com.example.CoverageFuzzer",
verify_crash_input = False,
verify_crash_reproducer = False,
deps = [
"@jazzer_jacoco//:jacoco_internal",
],
)
java_library(
name = "autofuzz_inner_class_target",
srcs = ["src/test/java/com/example/AutofuzzInnerClassTarget.java"],
deps = [
"//agent:jazzer_api_compile_only",
],
)
java_fuzz_target_test(
name = "AutofuzzInnerClassFuzzer",
expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
fuzzer_args = [
"--autofuzz=com.example.AutofuzzInnerClassTarget.Middle.Inner::test",
"--keep_going=1",
],
runtime_deps = [
":autofuzz_inner_class_target",
],
)
# Regression test for https://github.com/CodeIntelligenceTesting/jazzer/issues/405.
java_fuzz_target_test(
name = "MemoryLeakFuzzer",
timeout = "short",
srcs = ["src/test/java/com/example/MemoryLeakFuzzer.java"],
env = {
"JAVA_OPTS": "-Xmx800m",
},
expect_crash = False,
fuzzer_args = [
# Before the bug was fixed, either the GC overhead limit or the overall heap limit was
# reached by this target in this number of runs.
"-runs=1000000",
# Skip over the first and only exception to keep the fuzzer running until it hits the runs
# limit.
"--keep_going=2",
],
target_class = "com.example.MemoryLeakFuzzer",
)
JAZZER_API_TEST_CASES = {
"default": [],
"nohooks": ["--nohooks"],
}
[
java_fuzz_target_test(
name = "JazzerApiFuzzer_" + case,
srcs = ["src/test/java/com/example/JazzerApiFuzzer.java"],
expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
fuzzer_args = args,
target_class = "com.example.JazzerApiFuzzer",
)
for case, args in JAZZER_API_TEST_CASES.items()
]
java_fuzz_target_test(
name = "DisabledHooksFuzzer",
timeout = "short",
srcs = ["src/test/java/com/example/DisabledHooksFuzzer.java"],
expect_crash = False,
fuzzer_args = [
"-runs=0",
"--custom_hooks=com.example.DisabledHook",
] + select({
"@platforms//os:windows": ["--disabled_hooks=com.example.DisabledHook;com.code_intelligence.jazzer.sanitizers.RegexInjection"],
"//conditions:default": ["--disabled_hooks=com.example.DisabledHook:com.code_intelligence.jazzer.sanitizers.RegexInjection"],
}),
target_class = "com.example.DisabledHooksFuzzer",
)
java_fuzz_target_test(
name = "BytesMemoryLeakFuzzer",
timeout = "short",
srcs = ["src/test/java/com/example/BytesMemoryLeakFuzzer.java"],
env = {
"JAVA_OPTS": "-Xmx200m",
},
expect_crash = False,
fuzzer_args = [
# Before the bug was fixed, either the GC overhead limit or the overall heap limit was
# reached by this target in this number of runs.
"-runs=10000000",
],
target_class = "com.example.BytesMemoryLeakFuzzer",
)
# Verifies that Jazzer continues fuzzing when the first two executions did not result in any
# coverage feedback.
java_fuzz_target_test(
name = "NoCoverageFuzzer",
timeout = "short",
srcs = ["src/test/java/com/example/NoCoverageFuzzer.java"],
expect_crash = False,
fuzzer_args = [
"-runs=10",
"--instrumentation_excludes=**",
],
target_class = "com.example.NoCoverageFuzzer",
)
java_fuzz_target_test(
name = "SeedFuzzer",
timeout = "short",
srcs = ["src/test/java/com/example/SeedFuzzer.java"],
expect_crash = False,
fuzzer_args = [
"-runs=0",
"-seed=1234567",
],
target_class = "com.example.SeedFuzzer",
)
java_fuzz_target_test(
name = "NoSeedFuzzer",
timeout = "short",
srcs = ["src/test/java/com/example/NoSeedFuzzer.java"],
env = {
"JAZZER_NO_EXPLICIT_SEED": "1",
},
expect_crash = False,
fuzzer_args = [
"-runs=0",
],
target_class = "com.example.NoSeedFuzzer",
)
java_jni_library(
name = "native_value_profile_fuzzer",
srcs = ["src/test/java/com/example/NativeValueProfileFuzzer.java"],
native_libs = ["//tests/src/test/native/com/example:native_value_profile_fuzzer"],
visibility = ["//tests/src/test/native/com/example:__pkg__"],
deps = ["//agent:jazzer_api_compile_only"],
)
java_fuzz_target_test(
name = "NativeValueProfileFuzzer",
expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
fuzzer_args = ["-use_value_profile=1"],
sanitizer = "address",
target_class = "com.example.NativeValueProfileFuzzer",
target_compatible_with = SKIP_ON_WINDOWS,
verify_crash_reproducer = False,
runtime_deps = [":native_value_profile_fuzzer"],
)
Reference in New Issue View Git Blame Copy Permalink