Age | Commit message (Collapse) | Author |
|
|
|
|
|
This allows us to get rid of the libFuzzer patch to quote argv, which
breaks Windows and would have to be turned into a conditional patch
otherwise.
With this change, all argument separators use the same syntax as the
java executable on any given platform.
Collisions of ':' as an argument separator and a classpath separator
should be rare as we have our own argument to pass in the classpath.
This commit implements a rudimentary escaping mechanism to handle the
cases where this should be an issue:
* \<separator> results in a literal <separator> and no split
* \\ results in a literal backlash not interpreted as an escape
character for a subsequent <separator>
This is a breaking change, but we should rather break this now that we
haven't committed to a version 1.0 yet. The only breakage I am aware of
is easily fixed:
https://github.com/google/oss-fuzz/blob/0c1d5231de61b4166281b4d5685aa66e9f4948a8/projects/kryo/build.sh#L48
|
|
The path returned by generic_string() does not use backslashes as path
segment separators on Windows.
|
|
|
|
|
|
|
|
|
|
|
|
The replayer can be used to reproduce crashes for fuzz targets using the
FuzzedDataProvider only given the raw crashing input. This will help
maintainers of OSS-Fuzz projects to reproduce issues even though they
have no access to the Java reproducers, which ClusterFuzz does not
store.
Compared to the full Jazzer driver, it has the advantage that it is a
Java library (with a native library dependency) and can thus be
published to Maven.
Since we currently do not have multi-platform RBE or cross toolchains
set up on GitHub, the packages jars for the individual architectures are
merged in a GitHub Actions pipeline.
|
|
|
|
This simplifies the libjvm location logic as well as native library
packaging. Incidentally, this fixes the libjpeg_turbo build.
In anticipation of Windows support and because it simplifies further
improvements to the fuzz target test setup, the wrapper is rewritten in
Java.
|
|
Now that Jazzer uses the runfiles library to locate the agent jar, this
argument is no longer required.
|
|
This masked failing tests in the CI.
Along the way, improve the error message.
|
|
|
|
This links statically against our own libraries, but dynamically against
system libraries.
|
|
|
|
This is not available on Windows.
|
|
Neither is directly supported on Windows, but also not required: We can
simply not add these symbols if we are linking against a sanitizer.
|
|
|
|
These repositories are no longer how starlarkified rules will be
published in the near future.
|
|
https://docs.oracle.com/en/java/javase/11/gctuning/available-collectors.html#GUID-414C9D95-297E-4EE3-B0D9-36F158A83393
|
|
When libFuzzer without a sanitizer times out, this prints the current
stack traces of all JVM threads, e.g.:
==1235420== ERROR: libFuzzer: timeout after 3 seconds
Stack traces of all JVM threads:
Thread[Signal Dispatcher,9,system]
Thread[Notification Thread,9,system]
Thread[Reference Handler,10,system]
at java.base@15.0.3/java.lang.ref.Reference.waitForReferencePendingList(Native Method)
at java.base@15.0.3/java.lang.ref.Reference.processPendingReferences(Reference.java:241)
at java.base@15.0.3/java.lang.ref.Reference$ReferenceHandler.run(Reference.java:213)
Thread[Finalizer,8,system]
at java.base@15.0.3/java.lang.Object.wait(Native Method)
at java.base@15.0.3/java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:155)
at java.base@15.0.3/java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:176)
at java.base@15.0.3/java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:170)
Thread[main,5,main]
at com.code_intelligence.jazzer.runtime.TraceDataFlowNativeCallbacks.traceCmpInt(Native Method)
at app//com.example.ExampleFuzzer.fuzzerTestOneInput(ExampleFuzzer.java:28)
Thread[Common-Cleaner,8,InnocuousThreadGroup]
at java.base@15.0.3/java.lang.Object.wait(Native Method)
at java.base@15.0.3/java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:155)
at java.base@15.0.3/jdk.internal.ref.CleanerImpl.run(CleanerImpl.java:148)
at java.base@15.0.3/java.lang.Thread.run(Thread.java:832)
at java.base@15.0.3/jdk.internal.misc.InnocuousThread.run(InnocuousThread.java:134)
SUMMARY: libFuzzer: timeout
Unexpected exit code: 70
|
|
Restores compatibility with gcc on linux.
|
|
|
|
|
|
|
|
Since Bazel uses clang as its linker instead of clang++, the UBSan
C++ runtime library is not linked automatically. We request it
explicitly.
|
|
Since we require building with a relatively modern clang, we might as
well use its linker (and in the future, its C++ standard library).
|
|
The toolchain is only enabled in the CI by default as users should use
the same compiler toolchain for compiling the Jazzer driver as they use
to compile their JNI libraries. However, if they are only interested in
fuzzing pure Java libraries, they can pass --config=ci on the CLI to use
the toolchain, which greatly simplifies the build on macOS.
A significant complication arises because the ASan runtime library can't
be linked statically on macOS. To make the tests pass, it needs to be
exported from the toolchain and the driver has to conditionally depend
on it explicitly.
A further patch to the toolchain is required to ensure compatibility
with Ubuntu 21.04.
|
|
libjvm lives in different subpaths of JAVA_HOME, depending both on the
OS and the Java version. Since it is currently not possible to select a
dependency based on the Java version, supporting Java 8 required a
custom build setting. This also broke bazel query (but not cquery).
By loading libjvm from a simple repository rule, we can cover all
OSes and Java versions with a single dependency, even if libjvm.so is
installed in a non-standard location.
|
|
The Java reproducer used `getMethod` incorrectly and thus did not call
fuzzerInitialize(String[]).
|
|
|
|
The -Xmx setting does not account for the following additional heap
usage that is included in the RSS limit maintained by libFuzzer:
- Metaspace, which contains Java class metadata and is on the order of
25 MB for the Jazzer examples.
- Jazzer coverage counters
By lowering the default -Xmx setting, we make it less likely that
a target crashes with a libFuzzer OOM.
|
|
Local JNI references are cleaned up only when the stack they were
created on returns to the JVM, not on any return to the JVM. Since we
are using the Java Invocation API to launch the JVM, we thus have to
explicitly delete all local references that are created in functions
that were not called from a Java method.
For more information, see
https://stackoverflow.com/a/42333173/14712674
https://www.ibm.com/docs/en/sdk-java-technology/8?topic=collector-jni-transitions
|
|
The native callbacks in the driver should be registered as early as
possible since they may already be needed during agent startup (e.g.,
if a JDK-internal class is to be instrumented).
|
|
|
|
With --dump_classes_dir=<dir>, all classes that are instrumented by the
agent at runtime will be dumped into a subdirectory of <dir> according
to their internal class name.
|
|
|
|
|
|
In certain situations, such as OSS-Fuzz coverage reports, additional
JVM args need to be specified on the command line after --jvm_args has
already been used. Specifying --jvm_args again overrides the previous
arguments rather than appending to them.
This commit adds an additional flag for adding JVM args that will be
emitted after the flags specified in --jvm_args.
|
|
If Jazzer is imported as an external workspace from another Bazel
workspace, the runfiles path of the agent is
../jazzer/agent/jazzer_agent_deploy.jar rather than
agent/jazzer_agent_deploy.jar. Since the first path applies more
generally, we switch to it, but perform a check for a Bazel env variable
to prevent loading agents from potentially untrusted sibling dirs.
|
|
Applying the -std=c++17 transition on a cc_library rather than a
cc_binary has three advantages:
* saves an unnecessary transitioned build of the agent
* makes it faster to compile the driver for multiple sanitizers
* does not require a symlink in the transitioned rule
|
|
libFuzzer defaults to an rss_limit_mb of 2048, but we start the JVM with
-Xmx4096m. This can lead to libFuzzer OOM reports when a single
allocation in Java exceeds 2 GB but still fits into the JVM heap.
This is solved by letting the JVM heap size default to slightly less
than 2 GB.
This change is not fully backwards compatible, but will only cause
targets to crash more often than they used to.
|
|
|
|
Use a Bazel provided target for the JNI headers instead of a custom one.
|
|
|
|
This reverts commit 45bd07e46afcd445879d5af0ef23dafbee1028a0.
The observed crashes were found to be unrelated to Jazzer.
|
|
This reverts commit 519d7b95b8df9abb4f872edea7313305fdab5c3c and updates
to a new version of jazzer_libfuzzer with a few reverts.
Speculative fix for crashes in memmove.
|
|
The new --coverage_report option triggers a coverage report to be
written on fuzzer exit.
The report is generated with the JaCoCo analyzer. The information about
observed coverage IDs is obtained from libFuzzer and combined with the
coverage obtained during fuzzerInitialize as well as the current run.
|