Age | Commit message (Collapse) | Author |
|
Method/Constructor are not yet implemented.
|
|
Also add a test to catch potential copy&paste issues.
|
|
Also moves AutofuzzInvocationException to the api package.
|
|
|
|
This requires moving AutofuzzConstructionException to api package.
|
|
|
|
This could pretty wild AutofillErrors.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
BEFORE and AFTER hooks can be applied to the same method by replacing
the call instruction in the BEFORE hook instrumentation with the full
instrumentation for the AFTER hook. While this is not very useful for
instance methods, where the same can be achieved with a REPLACE hook,
it is the only way to modify arguments to a constructor call while
still being able to act on the fully initialized object.
This commit adds this functionality by cycling through the three types
in order and nesting the AFTER bytecode into the BEFORE bytecode if
both exist.
This adds a test verifying that:
* BEFORE and AFTER hooks can be combined.
* If an argument is modified in a BEFORE hook, the modified argument is
received in the corresponding AFTER hook.
* AFTER hooks on constructors receive the fully initialized this object
(added in a previous commit).
|
|
Coverage probes for method invocations should be emitted after the
invocation as their purpose is to track whether the method has returned.
This is in line with how unpatched JaCoCo instrumentes lines with method
calls: It emits the probe when it visits the line number label, which
happens after all instructions associated with the line have been
processed.
|
|
|
|
|
|
The switch instrumentation constructed the array of case labels
incorrectly, which lead to libFuzzer performing an out-of-bounds read.
|
|
Calls through reflection are the equivalent of indirect calls in C/C++.
With this commit, caller-callee relationships (hook ID and hash of
method descriptor) are tracked by libFuzzer via the
__sanitizer_cov_trace_pc_indir callback.
|
|
|
|
Make EdgeCoverageInstrumentor a class rather than an object and inject a
CoverageIdStrategy instead of using a global coverage ID counter.
This makes the class more testable and allows the addition of other
coverage ID generation strategies in follow-up commits.
|
|
According to
https://www.usenix.org/system/files/woot20-paper-fioraldi.pdf,
letting coverage 8-bit counters wrap from 255 to 1 on increment performs
better than having them stay at 255. In fact, the latter has been
observed to hurt overall coverage.
|
|
A method invocation only needs to be instrumented for coverage if the
method can throw an exception (including RuntimeException, which is not
declared via `throws`). For methods in the Java standard library
(in `java.*`), this property is thoroughly documented via Javadoc.
This commit adds a doclet, i.e., a Java program that parses Javadoc, for
automatically compiling a list of known no-throw methods in `java.*`.
The list is loaded lazily at runtime and used to skip calls to these
methods in the coverage instrumentation.
With OpenJDK 15, the list consists of almost 9000 methods, many of which
are used very frequently and in performance-critical parts, e.g.,
StringBuilder#append(String) and List#size().
|
|
We are currently deriving edge coverage instrumentation from basic block
instrumentation via the AFL XOR-technique. This has several downsides:
* Different edges can be assigned the same position in the coverage map,
which leads to underreported coverage.
* The coverage map needs to be large enough for collisions to be
unlikely (on the order of num_edges^2). In addition to being wasteful,
it is also hard to determine the correct size given that we don't know
the number of edges.
In addition to the design limitations, the current implementation
additionally does not take into account that most Java method
invocations can throw exceptions and thus need to be instrumented.
These issues are resolved by switching to true LLVM-style edge coverage
instrumentation. The new coverage instrumentation is based on a lightly
patched version of the JaCoCo internals.
Note:
//agent/src/test/java/com/code_intelligence/jazzer/instrumentor:coverage_instrumentation_test
is not passing for this commit. It will be fixed with the next commit.
|
|
|