load("@fmeum_rules_jni//jni:defs.bzl", "java_jni_library")
load("@io_bazel_rules_kotlin//kotlin:jvm.bzl", "kt_jvm_library")
load("//bazel:compat.bzl", "LINUX_ONLY", "SKIP_ON_MACOS", "SKIP_ON_WINDOWS")
load("//bazel:fuzz_target.bzl", "java_fuzz_target_test")
load("//bazel:kotlin.bzl", "ktlint")

# End-to-end tests for the Jazzer launcher. Each java_fuzz_target_test runs a small fuzz target
# and, judging by the attribute name, is expected to report exactly the findings listed in
# allowed_findings; the macro's defaults (launcher variant, crash verification, ...) live in
# //bazel:fuzz_target.bzl.

# The single seed input is handed to the fuzzer by its runfiles path instead of a corpus directory.
java_fuzz_target_test(
    name = "LongStringFuzzer",
    srcs = [
        "src/test/java/com/example/LongStringFuzzer.java",
    ],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    data = ["src/test/java/com/example/LongStringFuzzerInput"],
    # Additionally verify that Jazzer-Fuzz-Target-Class is picked up if --target_class isn't set.
    deploy_manifest_lines = ["Jazzer-Fuzz-Target-Class: com.example.LongStringFuzzer"],
    fuzzer_args = [
        "$(rlocationpath src/test/java/com/example/LongStringFuzzerInput)",
    ],
    launcher_variant = "native",
    verify_crash_input = False,
)

# Autofuzz of a third-party parser with no fuzz target source of its own: the
# NegativeArraySizeException is the expected finding, NullPointerExceptions are filtered out.
java_fuzz_target_test(
    name = "JpegImageParserAutofuzz",
    allowed_findings = ["java.lang.NegativeArraySizeException"],
    fuzzer_args = [
        "--autofuzz=org.apache.commons.imaging.formats.jpeg.JpegImageParser::getBufferedImage",
        "--autofuzz_ignore=java.lang.NullPointerException",
    ],
    runtime_deps = [
        "@maven//:org_apache_commons_commons_imaging",
    ],
)

# Hook jar consumed by HookDependenciesFuzzer below. It is not runnable on its own
# (create_executable = False); the manifest entry tells Jazzer which classes contain hooks.
java_binary(
    name = "HookDependenciesFuzzerHooks",
    srcs = ["src/test/java/com/example/HookDependenciesFuzzerHooks.java"],
    create_executable = False,
    deploy_manifest_lines = ["Jazzer-Hook-Classes: com.example.HookDependenciesFuzzerHooks"],
    deps = ["//src/main/java/com/code_intelligence/jazzer/api:hooks"],
)

java_fuzz_target_test(
    name = "HookDependenciesFuzzer",
    srcs = ["src/test/java/com/example/HookDependenciesFuzzer.java"],
    allowed_findings = [
        "com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow",
    ],
    # -Xverify:all makes the JVM verify the bytecode of every loaded class (by default classes on
    # the boot class path are skipped), presumably so that invalid bytecode produced by hook
    # instrumentation fails fast with a VerifyError — confirm against HookDependenciesFuzzer.java.
    env = {"JAVA_OPTS": "-Xverify:all"},
    hook_jar = "HookDependenciesFuzzerHooks_deploy.jar",
    target_class = "com.example.HookDependenciesFuzzer",
    verify_crash_reproducer = False,
)

java_fuzz_target_test(
    name = "AutofuzzWithoutCoverage",
    allowed_findings = ["java.lang.NullPointerException"],
    fuzzer_args = [
        # Autofuzz a method that triggers no coverage instrumentation (the Java standard library is
        # excluded by default).
        "--autofuzz=java.util.regex.Pattern::compile",
    ],
)

# Runs libFuzzer in fork mode (-fork=2) and passes JVM arguments through all three channels used
# here (JAVA_OPTS, --jvm_args, --additional_jvm_args) with conflicting values for -Dfoo; the fuzz
# target presumably asserts which one wins — confirm against ForkModeFuzzer.java.
java_fuzz_target_test(
    name = "ForkModeFuzzer",
    size = "enormous",
    srcs = [
        "src/test/java/com/example/ForkModeFuzzer.java",
    ],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    env = {
        "JAVA_OPTS": "-Dfoo=not_foo -Djava_opts=1",
    },
    fuzzer_args = [
        "-fork=2",
        "--additional_jvm_args=-Dbaz=baz",
    ] + select({
        # \\\\ becomes \\ when evaluated as a Starlark string literal, then \ in
        # java_fuzz_target_test. The list separator follows the platform's path separator
        # (";" on Windows, ":" elsewhere), so the escaped separator inside -Dbar must survive it.
        "@platforms//os:windows": ["--jvm_args=-Dfoo=foo;-Dbar=b\\\\;ar"],
        "//conditions:default": ["--jvm_args=-Dfoo=foo:-Dbar=b\\\\:ar"],
    }),
    launcher_variant = "native",
    # Consumes more resources than can be expressed via the size attribute.
    tags = ["exclusive-if-local"],
    target_class = "com.example.ForkModeFuzzer",
    # The exit codes of the forked libFuzzer processes are not picked up correctly.
    target_compatible_with = SKIP_ON_MACOS,
)

# Exercises the coverage report/dump flags. The same file names are also exported to the target
# through the environment, presumably so that it can open and validate the files after the run
# (hence the JaCoCo core dependency) — confirm against CoverageFuzzer.java.
java_fuzz_target_test(
    name = "CoverageFuzzer",
    srcs = [
        "src/test/java/com/example/CoverageFuzzer.java",
    ],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    env = {
        "COVERAGE_REPORT_FILE": "coverage.txt",
        "COVERAGE_DUMP_FILE": "coverage.exec",
    },
    fuzzer_args = [
        "-use_value_profile=1",
        "--coverage_report=coverage.txt",
        "--coverage_dump=coverage.exec",
        # Only the test package is instrumented, which keeps the report small and deterministic.
        "--instrumentation_includes=com.example.**",
    ],
    target_class = "com.example.CoverageFuzzer",
    verify_crash_input = False,
    verify_crash_reproducer = False,
    deps = [
        "@maven//:org_jacoco_org_jacoco_core",
    ],
)

java_library(
    name = "autofuzz_inner_class_target",
    srcs = ["src/test/java/com/example/AutofuzzInnerClassTarget.java"],
    deps = [
        "//deploy:jazzer-api",
    ],
)

# Nested classes are addressed with dot notation (Outer.Middle.Inner) in --autofuzz.
java_fuzz_target_test(
    name = "AutofuzzInnerClassFuzzer",
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    fuzzer_args = [
        "--autofuzz=com.example.AutofuzzInnerClassTarget.Middle.Inner::test",
    ],
    runtime_deps = [
        ":autofuzz_inner_class_target",
    ],
)

# Regression test for https://github.com/CodeIntelligenceTesting/jazzer/issues/405.
java_fuzz_target_test(
    name = "MemoryLeakFuzzer",
    timeout = "moderate",
    srcs = ["src/test/java/com/example/MemoryLeakFuzzer.java"],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    env = {
        # Bounded heap so that a leak surfaces as an OutOfMemoryError within the runs budget.
        "JAVA_OPTS": "-Xmx800m",
    },
    # --keep_going ignores the only finding.
    expect_crash = False,
    fuzzer_args = [
        # Before the bug was fixed, either the GC overhead limit or the overall heap limit was
        # reached by this target in this number of runs.
        "-runs=1000000",
        # Skip over the first and only exception to keep the fuzzer running until it hits the runs
        # limit.
        "--keep_going=2",
    ],
    target_class = "com.example.MemoryLeakFuzzer",
)

# Variants of the JazzerApiFuzzer test: the key becomes the target name suffix, the value the
# extra fuzzer arguments. "nohooks" runs the same target with --nohooks.
JAZZER_API_TEST_CASES = {
    "default": [],
    "nohooks": ["--nohooks"],
}

[
    java_fuzz_target_test(
        name = "JazzerApiFuzzer_" + case,
        srcs = ["src/test/java/com/example/JazzerApiFuzzer.java"],
        allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
        fuzzer_args = args,
        target_class = "com.example.JazzerApiFuzzer",
    )
    for case, args in JAZZER_API_TEST_CASES.items()
]

# -runs=0 only starts the fuzzer, so this presumably checks that a custom hook class can be both
# registered and disabled (together with one of Jazzer's built-in sanitizers) at startup. The list
# separator follows the platform's path separator, as for --jvm_args above.
java_fuzz_target_test(
    name = "DisabledHooksFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/DisabledHooksFuzzer.java"],
    fuzzer_args = [
        "-runs=0",
        "--custom_hooks=com.example.DisabledHook",
    ] + select({
        "@platforms//os:windows": ["--disabled_hooks=com.example.DisabledHook;com.code_intelligence.jazzer.sanitizers.RegexInjection"],
        "//conditions:default": ["--disabled_hooks=com.example.DisabledHook:com.code_intelligence.jazzer.sanitizers.RegexInjection"],
    }),
    target_class = "com.example.DisabledHooksFuzzer",
)

java_fuzz_target_test(
    name = "BytesMemoryLeakFuzzer",
    timeout = "moderate",
    srcs = ["src/test/java/com/example/BytesMemoryLeakFuzzer.java"],
    env = {
        # Bounded heap so that a leak surfaces as an OutOfMemoryError within the runs budget.
        "JAVA_OPTS": "-Xmx200m",
    },
    fuzzer_args = [
        # Before the bug was fixed, either the GC overhead limit or the overall heap limit was
        # reached by this target in this number of runs.
        "-runs=10000000",
    ],
    target_class = "com.example.BytesMemoryLeakFuzzer",
)

# Verifies that Jazzer continues fuzzing when the first two executions did not result in any
# coverage feedback.
java_fuzz_target_test(
    name = "NoCoverageFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/NoCoverageFuzzer.java"],
    fuzzer_args = [
        "-runs=10",
        # Excludes every class from coverage instrumentation.
        "--instrumentation_excludes=**",
    ],
    target_class = "com.example.NoCoverageFuzzer",
)

# Fixed explicit seed; NoSeedFuzzer below covers the opposite case.
java_fuzz_target_test(
    name = "SeedFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/SeedFuzzer.java"],
    fuzzer_args = [
        "-runs=0",
        "-seed=1234567",
    ],
    target_class = "com.example.SeedFuzzer",
)

java_fuzz_target_test(
    name = "NoSeedFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/NoSeedFuzzer.java"],
    env = {
        # NOTE(review): presumably tells the test launcher not to pass an explicit -seed so the
        # target can check the no-seed behavior — confirm in //bazel:fuzz_target.bzl.
        "JAZZER_NO_EXPLICIT_SEED": "1",
    },
    fuzzer_args = [
        "-runs=0",
    ],
    target_class = "com.example.NoSeedFuzzer",
)

# JNI library holding the Java half of NativeValueProfileFuzzer together with its native library.
java_jni_library(
    name = "native_value_profile_fuzzer",
    srcs = ["src/test/java/com/example/NativeValueProfileFuzzer.java"],
    native_libs = ["//tests/src/test/native/com/example:native_value_profile_fuzzer"],
    visibility = ["//tests/src/test/native/com/example:__pkg__"],
    deps = ["//deploy:jazzer-api"],
)

# Runs with --native, presumably so that libFuzzer's value profiling (-use_value_profile=1) also
# covers the native library — confirm against the native sources.
java_fuzz_target_test(
    name = "NativeValueProfileFuzzer",
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
    fuzzer_args = [
        "-use_value_profile=1",
        "--native",
    ],
    target_class = "com.example.NativeValueProfileFuzzer",
    target_compatible_with = SKIP_ON_WINDOWS,
    verify_crash_reproducer = False,
    runtime_deps = [":native_value_profile_fuzzer"],
)

# Runs the Jazzer launcher class directly (not through the fuzz target macro) with the JUnit
# Jupiter engine on the runtime classpath; junit_agent_configuration_test drives it via its
# runfiles path.
java_binary(
    name = "JUnitAgentConfigurationFuzzTest",
    srcs = ["src/test/java/com/example/JUnitAgentConfigurationFuzzTest.java"],
    main_class = "com.code_intelligence.jazzer.Jazzer",
    runtime_deps = [
        "//deploy:jazzer",
        "@maven//:org_junit_jupiter_junit_jupiter_engine",
    ],
    deps = [
        "//deploy:jazzer-api",
        "//deploy:jazzer-junit",
        "@maven//:org_junit_jupiter_junit_jupiter_api",
    ],
)

sh_test(
    name = "junit_agent_configuration_test",
    srcs = ["src/test/shell/junit_agent_configuration_test.sh"],
    args = ["$(rlocationpath :JUnitAgentConfigurationFuzzTest)"],
    data = [":JUnitAgentConfigurationFuzzTest"],
    deps = ["@bazel_tools//tools/bash/runfiles"],
)

# The expected finding is the opentest4j error thrown by a failing JUnit assertion.
java_fuzz_target_test(
    name = "JUnitAssertFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/JUnitAssertFuzzer.java"],
    allowed_findings = ["org.opentest4j.AssertionFailedError"],
    target_class = "com.example.JUnitAssertFuzzer",
    deps = ["@maven//:org_junit_jupiter_junit_jupiter_api"],
)

java_library(
    name = "autofuzz_ignore_target",
    srcs = ["src/test/java/com/example/AutofuzzIgnoreTarget.java"],
)

java_fuzz_target_test(
    name = "AutofuzzIgnoreFuzzer",
    allowed_findings = ["java.lang.RuntimeException"],
    fuzzer_args = [
        "--autofuzz=com.example.AutofuzzIgnoreTarget::doStuff",
        "--autofuzz_ignore=java.lang.NullPointerException",
        # --ignore takes a comma-separated list of finding dedup tokens to suppress, so that only
        # the RuntimeException remains reported — confirm which finding the first token belongs to
        # against AutofuzzIgnoreTarget.java.
        "--ignore=bdde2af8735993f3,0123456789ABCDEF",
    ],
    runtime_deps = [
        ":autofuzz_ignore_target",
    ],
)

java_binary(
    name = "CrashResistantCoverageTarget",
    srcs = ["src/test/java/com/example/CrashResistantCoverageTarget.java"],
)

# Shell test that runs the launcher against the deploy jar with crashing and coverage-increasing
# seeds and has the JaCoCo agent and CLI available to inspect the collected coverage; Linux only.
sh_test(
    name = "crash_resistant_coverage_test",
    srcs = ["src/test/shell/crash_resistant_coverage_test.sh"],
    data = [
        "src/test/data/crash_resistant_coverage_test/crashing_seeds",
        "src/test/data/crash_resistant_coverage_test/new_coverage_seeds/new_coverage",
        ":CrashResistantCoverageTarget_deploy.jar",
        "//launcher:jazzer",
        "@bazel_tools//tools/bash/runfiles",
        "@jacocoagent//file:jacocoagent.jar",
        "@jacococli//file:jacococli.jar",
    ],
    target_compatible_with = LINUX_ONLY,
)

# Same autofuzz target as AutofuzzWithoutCoverage; no launcher_variant is set here, whereas
# LongStringFuzzer and ForkModeFuzzer request "native" explicitly — the default lives in
# //bazel:fuzz_target.bzl.
java_fuzz_target_test(
    name = "JavaDriver",
    allowed_findings = ["java.lang.NullPointerException"],
    fuzzer_args = [
        "--autofuzz=java.util.regex.Pattern::compile",
    ],
)

java_fuzz_target_test(
    name = "JavaDriverWithFork",
    allowed_findings = ["java.lang.NullPointerException"],
    fuzzer_args = [
        "--autofuzz=java.util.regex.Pattern::compile",
        "-fork=2",
    ],
    # -fork is broken on macOS for unknown reasons.
    target_compatible_with = SKIP_ON_MACOS,
)

kt_jvm_library(
    name = "kotlin_vararg",
    srcs = ["src/test/java/com/example/KotlinVararg.kt"],
)

# Java fuzz target calling into a Kotlin library (vararg handling).
java_fuzz_target_test(
    name = "KotlinVarargFuzzer",
    srcs = ["src/test/java/com/example/KotlinVarargFuzzer.java"],
    allowed_findings = ["java.io.IOException"],
    target_class = "com.example.KotlinVarargFuzzer",
    deps = [":kotlin_vararg"],
)

# -timeout=1 is libFuzzer's per-input timeout in seconds; the expected finding is the timeout
# itself rather than a Java exception, which is presumably why no reproducer is verified.
java_fuzz_target_test(
    name = "TimeoutFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/TimeoutFuzzer.java"],
    allowed_findings = ["timeout"],
    fuzzer_args = [
        "-timeout=1",
    ],
    target_class = "com.example.TimeoutFuzzer",
    verify_crash_reproducer = False,
)

java_library(
    name = "autofuzz_crashing_setter_target",
    srcs = ["src/test/java/com/example/AutofuzzCrashingSetterTarget.java"],
)

# Regression test for https://github.com/CodeIntelligenceTesting/jazzer/issues/586.
# No allowed_findings are listed, so presumably the test passes only if the run budget completes
# without any finding — confirm with the macro's defaults.
java_fuzz_target_test(
    name = "AutofuzzCrashingSetterFuzzer",
    fuzzer_args = [
        "--autofuzz=com.example.AutofuzzCrashingSetterTarget::start",
        "--autofuzz_ignore=java.lang.NullPointerException",
        "-runs=100000",
    ],
    runtime_deps = [
        ":autofuzz_crashing_setter_target",
    ],
)

java_library(
    name = "autofuzz_assertion_error_target",
    srcs = ["src/test/java/com/example/AutofuzzAssertionErrorTarget.java"],
)

# Regression test for https://github.com/CodeIntelligenceTesting/jazzer/issues/589.
java_fuzz_target_test(
    name = "AutofuzzAssertionError",
    allowed_findings = ["java.lang.AssertionError"],
    fuzzer_args = [
        "--autofuzz=com.example.AutofuzzAssertionErrorTarget::autofuzz",
    ],
    runtime_deps = [
        ":autofuzz_assertion_error_target",
    ],
)

java_fuzz_target_test(
    name = "SilencedFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/SilencedFuzzer.java"],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh"],
    target_class = "com.example.SilencedFuzzer",
)

# Thin wrapper around the JaCoCo CLI jar so the genrule below can invoke it as a tool.
java_binary(
    name = "jacococli",
    main_class = "org.jacoco.cli.internal.Main",
    runtime_deps = ["@jacococli//file:jacococli.jar"],
)

java_library(
    name = "OfflineInstrumentedTarget",
    srcs = ["src/test/java/com/example/OfflineInstrumentedTarget.java"],
)

# Offline-instruments the library jar with JaCoCo: $< is the single input jar, --dest writes the
# instrumented copy into jacoco-instrumented/, which is then copied to the declared output.
# "manual" keeps the target out of wildcard builds (//...); it is still built on demand as a
# dependency of OfflineInstrumentedFuzzer.
genrule(
    name = "OfflineInstrumentedTargetInstrumented",
    srcs = [":OfflineInstrumentedTarget"],
    outs = ["OfflineInstrumentedTargetInstrumented.jar"],
    cmd = """
$(location :jacococli) instrument $< --dest jacoco-instrumented --quiet
cp jacoco-instrumented/*.jar $@
""",
    tags = ["manual"],
    tools = [":jacococli"],
)

java_fuzz_target_test(
    name = "OfflineInstrumentedFuzzer",
    timeout = "short",
    srcs = ["src/test/java/com/example/OfflineInstrumentedFuzzer.java"],
    allowed_findings = ["java.lang.IllegalStateException"],
    target_class = "com.example.OfflineInstrumentedFuzzer",
    deps = [
        ":OfflineInstrumentedTargetInstrumented",
        "@jacocoagent//file:jacocoagent.jar",  # Offline instrumented classes depend on the jacoco agent
    ],
)

# TODO: Move to //examples eventually.
java_fuzz_target_test(
    name = "ExperimentalMutatorFuzzer",
    srcs = ["src/test/java/com/example/ExperimentalMutatorFuzzer.java"],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium"],
    fuzzer_args = [
        "--experimental_mutator",
        # Restrict instrumentation and hooks to the test package, minus the generated proto classes.
        "--instrumentation_includes=com.example.**",
        "--custom_hook_includes=com.example.**",
        # TODO: Investigate whether we can automatically exclude protos.
        "--instrumentation_excludes=com.example.SimpleProto*",
        "--custom_hook_excludes=com.example.SimpleProto*",
        # Limit runs to catch regressions in mutator efficiency and speed up test runs.
        "-runs=40000",
    ],
    target_class = "com.example.ExperimentalMutatorFuzzer",
    verify_crash_reproducer = False,
    deps = [
        "//src/main/java/com/code_intelligence/jazzer/mutation/annotation",
        "//tests/src/test/proto:simple_java_proto",
    ],
)

java_fuzz_target_test(
    name = "ExperimentalMutatorComplexProtoFuzzer",
    srcs = ["src/test/java/com/example/ExperimentalMutatorComplexProtoFuzzer.java"],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium"],
    fuzzer_args = [
        "--experimental_mutator",
        "--instrumentation_includes=com.example.**",
        "--custom_hook_includes=com.example.**",
    ] + select({
        # Limit runs to catch regressions in mutator efficiency and speed up test runs.
        "@platforms//os:linux": ["-runs=400000"],
        # TODO: Investigate why this test takes far more runs on macOS, with Windows also being
        # significantly worse than Linux.
        "//conditions:default": ["-runs=1200000"],
    }),
    target_class = "com.example.ExperimentalMutatorComplexProtoFuzzer",
    verify_crash_reproducer = False,
    deps = [
        "//src/main/java/com/code_intelligence/jazzer/mutation/annotation",
        "//src/test/java/com/code_intelligence/jazzer/mutation/mutator/proto:proto2_java_proto",
    ],
)

# Native libFuzzer target over the same proto2 test proto, built with libprotobuf-mutator and
# linked against libFuzzer via -fsanitize=fuzzer.
cc_binary(
    name = "complex_proto_fuzzer",
    testonly = True,
    srcs = ["src/test/cc/complex_proto_fuzzer.cc"],
    copts = ["-fsanitize=fuzzer"],
    linkopts = ["-fsanitize=fuzzer"],
    # libfuzzer not shipped on macOS.
    target_compatible_with = LINUX_ONLY,
    deps = [
        "//src/test/java/com/code_intelligence/jazzer/mutation/mutator/proto:proto2_cc_proto",
        "@libprotobuf-mutator",
    ],
)

java_fuzz_target_test(
    name = "ExperimentalMutatorDynamicProtoFuzzer",
    srcs = ["src/test/java/com/example/ExperimentalMutatorDynamicProtoFuzzer.java"],
    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium"],
    fuzzer_args = [
        "--experimental_mutator",
        "--instrumentation_includes=com.example.**",
        "--custom_hook_includes=com.example.**",
    ] + select({
        # Limit runs to catch regressions in mutator efficiency and speed up test runs.
        "@platforms//os:linux": ["-runs=400000"],
        # TODO: Investigate why this test takes far more runs on macOS, with Windows also being
        # significantly worse than Linux.
        "//conditions:default": ["-runs=1200000"],
    }),
    target_class = "com.example.ExperimentalMutatorDynamicProtoFuzzer",
    verify_crash_reproducer = False,
    deps = [
        "//src/main/java/com/code_intelligence/jazzer/mutation/annotation",
        "//src/main/java/com/code_intelligence/jazzer/mutation/annotation/proto",
        "@com_google_protobuf//java/core",
    ],
)

# Shell test that invokes the release launcher by its runfiles path; what exactly it checks is
# defined in the script.
sh_test(
    name = "jazzer_from_path_test",
    srcs = ["src/test/shell/jazzer_from_path_test.sh"],
    args = ["$(rlocationpath //:jazzer_release)"],
    data = [
        "//:jazzer_release",
        "@bazel_tools//tools/bash/runfiles",
    ],
)

# Kotlin lint target for this package, provided by //bazel:kotlin.bzl.
ktlint()