-rw-r--r-- | driver/fuzz_target_runner.cpp | 37 | ||||
-rw-r--r-- | examples/BUILD.bazel | 12 |
2 files changed, 45 insertions, 4 deletions
diff --git a/driver/fuzz_target_runner.cpp b/driver/fuzz_target_runner.cpp
index b71a937a..59727932 100644
--- a/driver/fuzz_target_runner.cpp
+++ b/driver/fuzz_target_runner.cpp
@@ -42,9 +42,9 @@ DEFINE_string(target_args, "",
 "Arguments passed to fuzzerInitialize as a String array. "
 "Separated by space.");
-DEFINE_uint32(keep_going, 1,
+DEFINE_uint32(keep_going, 0,
 "Continue fuzzing until N distinct exception stack traces have"
- "been encountered");
+ "been encountered. Defaults to exit after the first finding.");
 DEFINE_bool(dedup, true,
 "Emit a dedup token for every finding. Defaults to true and is "
 "required for --keep_going and --ignore.");
@@ -60,12 +60,18 @@ DEFINE_string(coverage_report, "",
 "Path at which a coverage report is stored when the fuzzer "
 "exits. If left empty, no report is generated (default)");
+DEFINE_string(autofuzz, "",
+ "Fully qualified reference to a method on the classpath that "
+ "should be fuzzed automatically (example: System.out::println)");
+
 DECLARE_bool(hooks);
 constexpr auto kManifestUtilsClass =
 "com/code_intelligence/jazzer/runtime/ManifestUtils";
 constexpr auto kJazzerClass =
 "com/code_intelligence/jazzer/runtime/JazzerInternal";
+constexpr auto kAutofuzzFuzzTargetClass = "com/code_intelligence/jazzer/autofuzz/FuzzTarget";
 namespace jazzer {
 // split a string on unescaped spaces
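Review bot: The new keep_going help text in the first hunk does not say that 0 is now a reserved value: the constructor hunk later in this diff (@@ -93,16 +99,39 @@) rewrites an explicit `--keep_going=0` to 1, or to the uint32 maximum when --autofuzz is set, so a user reading --help cannot tell that 0 means "use the default". Either extend the string, e.g. `"been encountered. 0 (the default) means 1, or unlimited with --autofuzz."`, or drop the sentinel and test `gflags::GetCommandLineFlagInfoOrDie("keep_going").is_default` in the constructor so the documented default can stay 1. The second option also removes the separate "Set --keep_going to its real default" fixup that the constructor hunk has to carry.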
@@ -93,16 +99,39 @@ FuzzTargetRunner::FuzzTargetRunner(
 JVM &jvm, const std::vector<std::string> &additional_target_args)
 : ExceptionPrinter(jvm), jvm_(jvm), ignore_tokens_() {
 auto &env = jvm.GetEnv();
- if (FLAGS_target_class.empty()) {
+ if (!FLAGS_target_class.empty() && !FLAGS_autofuzz.empty()) {
+ std::cerr << "--target_class and --autofuzz cannot be specified together" << std::endl;
+ exit(1);
+ }
+ if (!FLAGS_target_args.empty() && !FLAGS_autofuzz.empty()) {
+ std::cerr << "--target_args and --autofuzz cannot be specified together" << std::endl;
+ exit(1);
+ }
+ if (FLAGS_target_class.empty() && FLAGS_autofuzz.empty()) {
 FLAGS_target_class = DetectFuzzTargetClass();
 }
 // If automatically detecting the fuzz target class failed, we expect it as
 // the value of the --target_class argument.
- if (FLAGS_target_class.empty()) {
+ if (FLAGS_target_class.empty() && FLAGS_autofuzz.empty()) {
 std::cerr << "Missing argument --target_class=<fuzz_target_class>"
 << std::endl;
 exit(1);
 }
+ if (!FLAGS_autofuzz.empty()) {
+ FLAGS_target_class = kAutofuzzFuzzTargetClass;
+ if (FLAGS_keep_going == 0) {
+ FLAGS_keep_going = std::numeric_limits<gflags::uint32>::max();
+ }
+ // Pass the method reference string as an argument to the generic autofuzz
+ // fuzz target.
+ FLAGS_target_args = FLAGS_autofuzz;
+ }
+ // Set --keep_going to its real default.
+ if (FLAGS_keep_going == 0) {
+ FLAGS_keep_going = 1;
+ }
 if ((!FLAGS_ignore.empty() || FLAGS_keep_going > 1) && !FLAGS_dedup) {
 std::cerr << "--nodedup is not supported with --ignore or --keep_going"
 << std::endl;
diff --git a/examples/BUILD.bazel b/examples/BUILD.bazel
index 3e1c1f33..0d5f6bc4 100644
--- a/examples/BUILD.bazel
+++ b/examples/BUILD.bazel
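Review bot: `std::numeric_limits<gflags::uint32>::max()` is the only use of `<limits>` visible in this hunk and the include block is outside the diff; unless the file already includes it, the build depends on a transitive include that another header may stop providing. Add `#include <limits>` to the file's include block. The three early-exit checks added here repeat the existing `std::cerr << ... << std::endl; exit(1);` shape of the "Missing argument" check; a small local helper that prints the message and exits would keep the constructor readable as more flag combinations are validated. FuzzTargetRunner's constructor continues past the end of the hunk.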
@@ -4,6 +4,18 @@ load("//bazel:compat.bzl", "SKIP_ON_MACOS", "SKIP_ON_WINDOWS")
 load("//bazel:fuzz_target.bzl", "java_fuzz_target_test")
 java_fuzz_target_test(
+ name = "Autofuzz",
+ fuzzer_args = [
+ "--autofuzz=com.google.json.JsonSanitizer::sanitize",
+ # Exit after the first finding for testing purposes.
+ "--keep_going=1",
+ ],
+ runtime_deps = [
+ "@maven//:com_mikesamuel_json_sanitizer",
+ ],
+)
+
+java_fuzz_target_test(
 name = "ExampleFuzzer",
 srcs = [
 "src/main/java/com/example/ExampleFuzzer.java", |