author | Norbert Schneider <norbert.schneider@code-intelligence.com> | 2022-05-05 09:12:07 +0200 |
committer | Norbert Schneider <mail@bertschneider.de> | 2022-05-05 20:02:18 +0200 |
commit | d4967bbcb997a02ecfc7b0634caaa4c85b0399cc (patch) | |
tree | 49d913cfbd50f369dc94f21de388faa5cc00d3e1 | |
parent | 3b473ad5b2a142150e3a9182b5670b160261f2c8 (diff) | |
Move honeypot class to API
The honeypot class jaz.Zer is needed to successfully execute reproducers
of deserialization issues. It's moved to the API artifact to be
available on the classpath.
Furthermore, reproducers do not necessarily reproduce the found issue,
e.g. due to global state that leads to different behavior. To take that
into account the reproducer check is relaxed.
-rw-r--r-- | agent/src/main/java/com/code_intelligence/jazzer/api/BUILD.bazel | 1 | ||||
-rw-r--r-- | agent/src/main/java/com/code_intelligence/jazzer/api/Jazzer.java | 7 | ||||
-rw-r--r-- | agent/src/main/java/jaz/BUILD.bazel | 8 | ||||
-rw-r--r-- | agent/src/main/java/jaz/Ter.java (renamed from sanitizers/src/main/java/jaz/Ter.java) | 0 | ||||
-rw-r--r-- | agent/src/main/java/jaz/Zer.java (renamed from sanitizers/src/main/java/jaz/Zer.java) | 0 | ||||
-rw-r--r-- | bazel/tools/java/com/code_intelligence/jazzer/tools/FuzzTargetTestWrapper.java | 1 | ||||
-rw-r--r-- | driver/fuzz_target_runner.cpp | 1 | ||||
-rw-r--r-- | sanitizers/BUILD.bazel | 1 | ||||
-rw-r--r-- | sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/BUILD.bazel | 1 | ||||
-rw-r--r-- | sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/Utils.kt | 13 | ||||
-rw-r--r-- | sanitizers/src/main/java/jaz/BUILD.bazel | 12 | ||||
-rw-r--r-- | sanitizers/src/test/java/com/example/BUILD.bazel | 3 |
12 files changed, 28 insertions, 20 deletions
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/api/BUILD.bazel b/agent/src/main/java/com/code_intelligence/jazzer/api/BUILD.bazel
index e573e757..b26bb846 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/api/BUILD.bazel
+++ b/agent/src/main/java/com/code_intelligence/jazzer/api/BUILD.bazel
@@ -23,6 +23,7 @@ java_library(
 "Jazzer.java",
 "MethodHook.java",
 "MethodHooks.java",
+ "//agent/src/main/java/jaz",
 ],
 visibility = ["//visibility:public"],
 )
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/api/Jazzer.java b/agent/src/main/java/com/code_intelligence/jazzer/api/Jazzer.java
index 8f9024fc..2d2e82b0 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/api/Jazzer.java
+++ b/agent/src/main/java/com/code_intelligence/jazzer/api/Jazzer.java
@@ -593,10 +593,9 @@ final public class Jazzer {
 try {
 JAZZER_INTERNAL.getMethod("reportFindingFromHook", Throwable.class).invoke(null, finding);
 } catch (NullPointerException | IllegalAccessException | NoSuchMethodException e) {
- // We can only reach this point if the runtime is not in the classpath, but it must be if
- // hooks work and this function should only be called from them.
- System.err.println("ERROR: Jazzer.reportFindingFromHook must be called from a method hook");
- System.exit(1);
+ // We can only reach this point if the runtime is not on the classpath, e.g. in case of a
+ // reproducer. Just throw the finding.
+ rethrowUnchecked(finding);
 } catch (InvocationTargetException e) {
 // reportFindingFromHook throws a HardToCatchThrowable, which will bubble up wrapped in an
 // InvocationTargetException that should not be stopped here.
diff --git a/agent/src/main/java/jaz/BUILD.bazel b/agent/src/main/java/jaz/BUILD.bazel
new file mode 100644
index 00000000..c6cdcf13
--- /dev/null
+++ b/agent/src/main/java/jaz/BUILD.bazel
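Review bot: The new catch branch treats `IllegalAccessException` and `NoSuchMethodException` exactly like the `NullPointerException` that signals a missing `JAZZER_INTERNAL`, but those two only occur when the runtime class was found and the method lookup still failed, i.e. an incompatible or partially loaded runtime; previously that terminated loudly via `System.exit(1)`, now it becomes an ordinary exception that a fuzz target's own catch-all can swallow, and the finding disappears without any diagnostic. Consider reserving the rethrow for the null case and keeping a hard failure for the other two, e.g. a preceding `catch (NullPointerException e) { rethrowUnchecked(finding); }`, or at least logging to stderr before rethrowing. The new comment's "e.g. in case of a reproducer" reads as if other callers are expected; if reproducers are the only intended path, say so explicitly. The enclosing method (apparently `reportFindingFromHook`) starts before and ends after the hunk.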
@@ -0,0 +1,8 @@
+filegroup(
+ name = "jaz",
+ srcs = [
+ "Ter.java",
+ "Zer.java",
+ ],
+ visibility = ["//agent/src/main/java/com/code_intelligence/jazzer/api:__pkg__"],
+)
diff --git a/sanitizers/src/main/java/jaz/Ter.java b/agent/src/main/java/jaz/Ter.java
index 7814396f..7814396f 100644
--- a/sanitizers/src/main/java/jaz/Ter.java
+++ b/agent/src/main/java/jaz/Ter.java
diff --git a/sanitizers/src/main/java/jaz/Zer.java b/agent/src/main/java/jaz/Zer.java
index 08ca3d2e..08ca3d2e 100644
--- a/sanitizers/src/main/java/jaz/Zer.java
+++ b/agent/src/main/java/jaz/Zer.java
diff --git a/bazel/tools/java/com/code_intelligence/jazzer/tools/FuzzTargetTestWrapper.java b/bazel/tools/java/com/code_intelligence/jazzer/tools/FuzzTargetTestWrapper.java
index 0cafc036..edf3887e 100644
--- a/bazel/tools/java/com/code_intelligence/jazzer/tools/FuzzTargetTestWrapper.java
+++ b/bazel/tools/java/com/code_intelligence/jazzer/tools/FuzzTargetTestWrapper.java
@@ -209,6 +209,7 @@ public class FuzzTargetTestWrapper {
 throw new IllegalStateException("Expected crash with any of "
 + String.join(", ", expectedFindings) + " not reproduced by " + classFile);
 }
+ System.out.println("Reproducer finished successfully without finding");
 } catch (InvocationTargetException e) {
 // expect the invocation to fail with the prescribed finding
 Throwable finding = e.getCause();
diff --git a/driver/fuzz_target_runner.cpp b/driver/fuzz_target_runner.cpp
index 663971e8..455d6e72 100644
--- a/driver/fuzz_target_runner.cpp
+++ b/driver/fuzz_target_runner.cpp
@@ -410,7 +410,6 @@ void FuzzTargetRunner::DumpReproducer(const uint8_t *data, std::size_t size) {
 const auto finding = GetFinding();
 if (finding == nullptr) {
 LOG(ERROR) << "Failed to reproduce crash when rerunning with recorder";
- return;
 }
 base64_data = SerializeRecordingFuzzedDataProvider(jvm_, recorder);
 } else {
diff --git a/sanitizers/BUILD.bazel b/sanitizers/BUILD.bazel
index fa84208e..fdc616a3 100644
--- a/sanitizers/BUILD.bazel
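Review bot: The added `System.out.println` is the only trace left when a reproducer runs to completion without a finding, because the `throw` just above it sits inside a guard that is outside the hunk and, per the commit message, no longer fires in every such case, so the test passes; the message names neither the reproducer nor what it was expected to reproduce, which makes a log with several reproducers impossible to triage. Suggest `System.out.println("Reproducer " + classFile + " finished without reproducing a finding (expected any of " + String.join(", ", expectedFindings) + ")");`. The enclosing `try` block starts before the hunk.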
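Review bot: Dropping the `return` means `DumpReproducer` now writes a reproducer even when the recorded rerun produced no finding, yet the only signal is a `LOG(ERROR)` line at generation time that the emitted reproducer does not carry, so whoever runs the file later has no indication that it was never confirmed. Consider remembering this branch in a local flag and, where the reproducer source is assembled, prefixing it with a header comment such as `// NOTE: the finding could not be reproduced when this reproducer was generated`, so an unconfirmed reproducer is not mistaken for a verified one. Since the condition is now tolerated rather than fatal, a warning level (`LOG(WARNING)` if the `LOG` macro is glog's) also fits better than `LOG(ERROR)`. `DumpReproducer` starts before and ends after the hunk.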
+++ b/sanitizers/BUILD.bazel
@@ -3,6 +3,5 @@ java_library(
 visibility = ["//visibility:public"],
 runtime_deps = [
 "//sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers",
- "//sanitizers/src/main/java/jaz",
 ],
 )
diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/BUILD.bazel b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/BUILD.bazel
index b585ecb8..f066b35f 100644
--- a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/BUILD.bazel
+++ b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/BUILD.bazel
@@ -28,6 +28,5 @@ kt_jvm_library(
 ],
 deps = [
 "//agent:jazzer_api_compile_only",
- "//sanitizers/src/main/java/jaz",
 ],
 )
diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/Utils.kt b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/Utils.kt
index 52519cac..219490d8 100644
--- a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/Utils.kt
+++ b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/Utils.kt
@@ -44,9 +44,20 @@ internal fun ByteArray.indexOf(needle: ByteArray): Int {
 }
 
 internal fun guideMarkableInputStreamTowardsEquality(stream: InputStream, target: ByteArray, id: Int) {
+ fun readBytes(stream: InputStream, size: Int): ByteArray {
+ val current = ByteArray(size)
+ var n = 0
+ while (n < size) {
+ val count = stream.read(current, n, size - n)
+ if (count < 0) break
+ n += count
+ }
+ return current
+ }
+
 check(stream.markSupported())
 stream.mark(target.size)
- val current = stream.readNBytes(target.size)
+ val current = readBytes(stream, target.size)
 stream.reset()
 Jazzer.guideTowardsEquality(current, target, id)
 }
diff --git a/sanitizers/src/main/java/jaz/BUILD.bazel b/sanitizers/src/main/java/jaz/BUILD.bazel
deleted file mode 100644
index 81275a31..00000000
--- a/sanitizers/src/main/java/jaz/BUILD.bazel
+++ /dev/null
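Review bot: `readBytes` returns the full `size`-byte buffer even when the stream ends early, so on a short stream `guideMarkableInputStreamTowardsEquality` now hands `Jazzer.guideTowardsEquality` trailing zero bytes that were never read, whereas the replaced `readNBytes` returned only the bytes actually read; the equality hint is then computed against fabricated data. Change the helper's last line to `return if (n == size) current else current.copyOf(n)`. Two smaller points: the nested `fun readBytes(stream: InputStream, ...)` parameter shadows the enclosing function's `stream` parameter (drop it and use the outer one, or rename), and the reason for giving up `readNBytes` — presumably compatibility with a JDK older than 11 — deserves a one-line comment such as `// InputStream.readNBytes needs JDK 11+; read manually to stay compatible with older runtimes`.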
@@ -1,12 +0,0 @@
-java_library(
- name = "jaz",
- srcs = [
- "Ter.java",
- "Zer.java",
- ],
- visibility = [
- "//sanitizers:__pkg__",
- "//sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers:__pkg__",
- ],
- deps = ["//agent:jazzer_api_compile_only"],
-)
diff --git a/sanitizers/src/test/java/com/example/BUILD.bazel b/sanitizers/src/test/java/com/example/BUILD.bazel
index 5152e1e6..8498ab32 100644
--- a/sanitizers/src/test/java/com/example/BUILD.bazel
+++ b/sanitizers/src/test/java/com/example/BUILD.bazel
@@ -6,6 +6,7 @@ java_fuzz_target_test(
 srcs = [
 "ObjectInputStreamDeserialization.java",
 ],
+ expected_findings = ["java.lang.ExceptionInInitializerError"],
 target_class = "com.example.ObjectInputStreamDeserialization",
 )
 
@@ -14,6 +15,7 @@ java_fuzz_target_test(
 srcs = [
 "ReflectiveCall.java",
 ],
+ expected_findings = ["java.lang.ExceptionInInitializerError"],
 target_class = "com.example.ReflectiveCall",
 )
 
@@ -107,6 +109,7 @@ java_fuzz_target_test(
 srcs = [
 "ClassLoaderLoadClass.java",
 ],
+ expected_findings = ["java.lang.ExceptionInInitializerError"],
 target_class = "com.example.ClassLoaderLoadClass",
 )
 
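Review bot: `java.lang.ExceptionInInitializerError` is the wrapper the JVM puts around any throwable escaping a static initializer, so this expectation (and the identical ones in the `ReflectiveCall` and `ClassLoaderLoadClass` hunks of this file) is satisfied by any class whose `<clinit>` fails, not specifically by the `jaz.Zer` honeypot being reached; with the Jazzer.java change in this commit the real finding is presumably the error's cause, not the error itself. If `expected_findings` is matched only against the top-level class name, consider having the test wrapper also accept the cause so these three tests keep asserting the honeypot, or add a comment in this BUILD file explaining why the generic wrapper is the intended expectation, e.g. `# Outside the fuzzing runtime the honeypot rethrows the finding from its static initializer, which the JVM surfaces as ExceptionInInitializerError.`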