author | Fabian Meumertzheim <meumertzheim@code-intelligence.com> | 2021-07-22 12:25:35 +0200 |
---|---|---|
committer | Fabian Meumertzheim <fabian@meumertzhe.im> | 2021-07-22 16:21:10 +0200 |
commit | 186cc54245686d3d57ebe7db6256edb3d5debd5e (patch) | |
tree | bdc18ecc5b14114c92d67bef0e420fdadb24850f /driver | |
parent | 837fbb9fa102870b34145f9fd300d2abde9e78d0 (diff) | |
download | jazzer-api-186cc54245686d3d57ebe7db6256edb3d5debd5e.tar.gz |
Explicitly delete local JNI references
Local JNI references are cleaned up only when the native frame they were
created in returns to the JVM, not on every return to the JVM. Since we
are using the Java Invocation API to launch the JVM, we thus have to
explicitly delete all local references that are created in functions
that were not called from a Java method.
For more information, see
https://stackoverflow.com/a/42333173/14712674
https://www.ibm.com/docs/en/sdk-java-technology/8?topic=collector-jni-transitions
Diffstat (limited to 'driver')
-rw-r--r-- | driver/fuzz_target_runner.cpp | 8 | ||||
-rw-r--r-- | driver/fuzzed_data_provider.cpp | 9 | ||||
-rw-r--r-- | driver/jvm_tooling.cpp | 3 |
3 files changed, 17 insertions, 3 deletions
diff --git a/driver/fuzz_target_runner.cpp b/driver/fuzz_target_runner.cpp index d72d2bda..909c4d9c 100644 --- a/driver/fuzz_target_runner.cpp +++ b/driver/fuzz_target_runner.cpp @@ -238,11 +238,13 @@ RunResult FuzzTargetRunner::Run(const uint8_t *data, const std::size_t size) { if (dedup_token != 0 && FLAGS_keep_going > 1 && std::find(ignore_tokens_.cbegin(), ignore_tokens_.cend(), dedup_token) != ignore_tokens_.end()) { + env.DeleteLocalRef(finding); return RunResult::kOk; } else { ignore_tokens_.push_back(dedup_token); std::cout << std::endl; std::cerr << "== Java Exception: " << getStackTrace(finding); + env.DeleteLocalRef(finding); if (FLAGS_dedup) { std::cout << "DEDUP_TOKEN: " << std::hex << std::setfill('0') << std::setw(16) << dedup_token << std::endl; @@ -270,9 +272,12 @@ jthrowable FuzzTargetRunner::GetFinding() const { if (auto reported_finding = (jthrowable)env.GetStaticObjectField(jazzer_, last_finding_); reported_finding != nullptr) { + env.DeleteLocalRef(unprocessed_finding); unprocessed_finding = reported_finding; } - return preprocessException(unprocessed_finding); + jthrowable processed_finding = preprocessException(unprocessed_finding); + env.DeleteLocalRef(unprocessed_finding); + return processed_finding; } void FuzzTargetRunner::DumpReproducer(const uint8_t *data, std::size_t size) { @@ -329,6 +334,7 @@ std::string FuzzTargetRunner::DetectFuzzTargetClass() const { env.GetStringUTFChars(jni_fuzz_target_class, nullptr); std::string fuzz_target_class = std::string(fuzz_target_class_cstr); env.ReleaseStringUTFChars(jni_fuzz_target_class, fuzz_target_class_cstr); + env.DeleteLocalRef(jni_fuzz_target_class); return fuzz_target_class; } diff --git a/driver/fuzzed_data_provider.cpp b/driver/fuzzed_data_provider.cpp index da72076b..110e8b1d 100644 --- a/driver/fuzzed_data_provider.cpp +++ b/driver/fuzzed_data_provider.cpp 
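Review bot: In the else branch of Run, `finding` is released right after `getStackTrace(finding)` but before the `if (FLAGS_dedup)` block, and the remainder of that branch and of Run lie outside the hunk; anything later in the function that still reads `finding` (a reproducer dump, a second print) would now be using a deleted local reference, so please confirm no later use exists. If none does, a short comment at the delete makes the invariant visible to the next editor: `// finding must not be used past this point: the local ref is released here`. Deleting in both branches is correct but easy to drift apart; if the function is ever restructured, a single release point (or a PushLocalFrame/PopLocalFrame pair around the finding handling) would be harder to get wrong. Run starts and ends outside the hunk.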
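Review bot: In GetFinding, `env.DeleteLocalRef(unprocessed_finding)` after `preprocessException(unprocessed_finding)` is only safe if preprocessException always returns a local reference distinct from its argument; if it passes the argument through in any case (for example when no preprocessing applies), Run would receive a reference that has already been deleted. preprocessException is not in the hunk, so I cannot confirm either way; the ownership contract should be stated on both functions, e.g. `// Returns a new local reference that the caller must delete; the argument is never returned as-is.` on preprocessException and `// The returned jthrowable is a local reference owned by the caller.` on GetFinding. Separately, if neither a pending exception nor a reported finding exists, `unprocessed_finding` may be null here; HotSpot tolerates DeleteLocalRef on null, but the JNI specification does not promise it, so `if (unprocessed_finding != nullptr) env.DeleteLocalRef(unprocessed_finding);` would be the conservative form. GetFinding begins outside the hunk, so where `unprocessed_finding` is obtained is not visible.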
@@ -744,7 +744,10 @@ jobject GetRecordingFuzzedDataProviderJavaObject(const JVM &jvm) { env.ExceptionDescribe(); exit(1); } - return env.NewGlobalRef(local_ref); + // This global reference is deleted in SerializeRecordingFuzzedDataProvider. + jobject global_ref = env.NewGlobalRef(local_ref); + env.DeleteLocalRef(local_ref); + return global_ref; } std::string SerializeRecordingFuzzedDataProvider(const JVM &jvm, @@ -758,15 +761,17 @@ std::string SerializeRecordingFuzzedDataProvider(const JVM &jvm, true); auto serialized_recorder = (jstring)env.CallStaticObjectMethod(java_class, java_serialize, recorder); + env.DeleteLocalRef(java_class); + env.DeleteGlobalRef(recorder); if (env.ExceptionCheck()) { env.ExceptionDescribe(); exit(1); } - env.DeleteGlobalRef(recorder); const char *serialized_recorder_cstr = env.GetStringUTFChars(serialized_recorder, nullptr); std::string out(serialized_recorder_cstr); env.ReleaseStringUTFChars(serialized_recorder, serialized_recorder_cstr); + env.DeleteLocalRef(serialized_recorder); return out; } } // namespace jazzer diff --git a/driver/jvm_tooling.cpp b/driver/jvm_tooling.cpp index ddfbfd0f..a0ccb6ac 100644 --- a/driver/jvm_tooling.cpp +++ b/driver/jvm_tooling.cpp @@ -362,12 +362,14 @@ std::string ExceptionPrinter::getStackTrace(jthrowable exception) const { } env.CallVoidMethod(exception, print_stack_trace_method_, print_writer); + env.DeleteLocalRef(print_writer); if (env.ExceptionCheck()) { env.ExceptionDescribe(); return ""; } auto exception_string_object = reinterpret_cast<jstring>( env.CallObjectMethod(string_writer, string_writer_to_string_method_)); + env.DeleteLocalRef(string_writer); if (env.ExceptionCheck()) { env.ExceptionDescribe(); return ""; 
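Review bot: SerializeRecordingFuzzedDataProvider now destroys the global reference `recorder` it is handed, but that transfer of ownership is documented only at the creation site in GetRecordingFuzzedDataProviderJavaObject, not on this function; add `// Takes ownership of the global reference `recorder` and deletes it.` next to the function's signature (its start is outside the hunk). Moving `env.DeleteGlobalRef(recorder)` and the new `env.DeleteLocalRef(java_class)` ahead of the `ExceptionCheck()` is fine: DeleteLocalRef and DeleteGlobalRef are among the JNI functions that may be called while an exception is pending. One pre-existing gap the hunk touches: if the Java serialize method returns null without throwing, `serialized_recorder` is passed to `GetStringUTFChars` unchecked; a `if (serialized_recorder == nullptr) { exit(1); }` style guard after the exception check would make the failure explicit rather than a crash inside the JVM.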
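Review bot: In getStackTrace, `string_writer` is still leaked on the first early return: after `env.DeleteLocalRef(print_writer)`, the `if (env.ExceptionCheck()) { ...; return ""; }` path exits before the `env.DeleteLocalRef(string_writer)` that was added only after the `CallObjectMethod` call. Add `env.DeleteLocalRef(string_writer);` before that first `return "";` (calling it with a pending exception is permitted by JNI), or, since this function has three exit paths and three local references, bracket the body with `env.PushLocalFrame(...)` on entry and `env.PopLocalFrame(nullptr)` on every return so all locals are released regardless of path. The function's opening, including where `string_writer` and `print_writer` are created, is outside the hunk, and its end is in the following hunk.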
@@ -376,6 +378,7 @@ std::string ExceptionPrinter::getStackTrace(jthrowable exception) const { auto char_pointer = env.GetStringUTFChars(exception_string_object, nullptr); std::string exception_string(char_pointer); env.ReleaseStringUTFChars(exception_string_object, char_pointer); + env.DeleteLocalRef(exception_string_object); return exception_string; } |