Age | Commit message (Collapse) | Author |
|
The JUnit integration always created corpus files in .cifuzz-corpus
subdirectories, even if an explicit corpus directory was stated via
command line. Now explicit corpus parameters are honored.
|
|
A default instance is a more direct representation of a protobuf base
message and getting it via a method allows for more flexible use, e.g.,
by making the choice of proto type dependent on command-line arguments.
|
|
A proto message deserialized from bytes can be incomplete, which results
in an error when building it if required fields are missing. To prevent
this, walk the proto and initialize all unset required fields to
defaults recursively.
|
|
The new heuristic walks the classpath directory and considers all
directories (but not jar files) to constitute the classes of the current
project. All subdirectories that include `.class` files are translated
into packages and all their subpackages are subject to instrumentation.
This is expected to give much better results than the previous
heuristic, which only considered the first two or three segments of the
test class package.
|
|
This improves consistency between regression test and fuzzing mode as
well as between file-provided and Java-provided seeds (added in a
follow-up commit).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Add custom cross over functionality in libFuzzer integration and mutator
framework APIs. Concrete cross over implementations are added later on.
|
|
This is intended to be a pure refactoring that enables us to allow
arbitrary `ArgumentsProvider`s to provide arguments for fuzz tests that
are picked up in fuzzing mode.
|
|
When recursive proto fields are initialized, the resulting messages
have an expected nesting depth on the order of the inverse of the
frequency with which a nullable value is non-null, which tends to run
into StackOverflowErrors quickly.
This is fixed by checking whether a given proto field is recursive and
if so, only initializing it "layer by layer" in mutations rather than
all at once during initialization.
|
|
(#710)
Change junit integration to use different directories for each test
method
|
|
|
|
A new `DescriptorSource` annotation is used to specify a field with the
`DynamicMessage`'s `Descriptor`.
Since `DynamicMessage` instances are only compatible if their
descriptors are reference equal, the mutator interner now checks for
this instead of relying on `equals`.
|
|
The previous Map mutator performed both single element as well as chunk
mutations, which isn't necessary now that we can bias chunks towards
being small.
The old implementation didn't check that `initInPlace` and `read` obeyed
the specified `minSize`. Since non-zero `minSize`s can be problematic in
`read`, they are not supported for now.
There were also a few issues with key mutations: Instead of retrying key
creation separately for each key, which can result in a large amount of
wasted attempts if the key set is almost saturated, all such attempts
now share a single failure counter. Keys are now properly detached
before being mutated, which is necessary if map keys are mutable.
The fallback to value mutation if key mutation failed also didn't
behave correctly: It called `setValue` on a newly allocated `Map.Entry`,
which is a noop.
The number of iterations in the StressTest is halved to prevent OOMs on
the runners.
|
|
Makes it possible to run the tests without building proto-related code.
|
|
The rare case happens for proto float/double fields that are
initiated with -0.0/-0.0f; detached to 0.0/0.0f; and mutated back to
-0.0/-0.0f. This previously caused a rare random failure of the StressTest.java.
|
|
Adds chunk-based mutations to the list mutator mimicking fuzztest's
mutation.
The size of the chunks is chosen according to a Zipf distribution, which
ensures that chunks tend to be small (and often have length 1), which
should result in more stable mutations and also makes separate
individual element mutations unnecessary.
Co-authored-by: Fabian Meumertzheim <meumertzheim@code-intelligence.com>
|
|
Detaching confusingly meant two things at once, but failed at both:
1. It was meant to rid fuzz test arguments of state shared with the
mutator so that fuzz test body and future mutations couldn't
affect each other. This wasn't working correctly for lists, which
provided a shallowly immutable view on potentially mutable contents.
2. It also promised "mutable values where possible", which wasn't really
well-defined and also doesn't match common use cases: If a function
accepts a `List<Foo>`, it should generally be able to expect the list
to permit modifications.
Instead, `detach` now always returns an object that shares no mutable
state, not even transitively, with the original object. Apart from
simplifying the implementation, this allows mutators to copy values by
applying `detach`, which previously could have resulted in shared state
that couldn't be mutated independently.
Since we are currently reading in the fuzz test arguments from the raw
byte representation in every iteration, there is no need to detach and
we can also return mutable lists directly. If we get rid of the
re-reads, we would have to detach, which is now verified by a new
consistency check in `ArgumentsMutator`.
We might be able to optimize e.g. `List<String>` to avoid all copies in
the future via a new annotation (e.g. `@Immutable`). The current
implementation would already avoid copying the strings and would only
recreate the list, which is most likely negligible overhead.
|
|
Ensures that individual bulk operations never require more than linear
time.
Also improves the test by asserting that the underlying builder is
modified rather than just the view.
|
|
Regular Bazel tests now verify that there are no ktlint findings and
`./format.sh` only formats those files that need fixing. This speeds up
format script runs.
|
|
Co-authored-by: Fabian Meumertzheim <meumertzheim@code-intelligence.com>
|
|
improve map mutator
|
|
This ensures that the iteration order and thus the mutations applied to
the map are deterministic.
Some tests had to be adjusted - they were potentially flaky as they
dependend on the previously unspecified iteration order.
|
|
|
|
|
|
If a corpus file is not exactly consumed by the mutator a warning is
displayed during a fuzzing run.
|
|
The annotation controls the message types used for Any proto fields in
(recursive) submessages.
This requires passing the annotation through to message field types as
well as extending the mutator cache key to cover the annotation value.
|
|
|
|
|
|
Without this change, the simple new fuzz test fails to find the planted
bug. With this change, it finds it in less than 20,000 runs.
|
|
These tests also provide coverage for the oneof index bug fixed in the
previous commit.
|
|
Instead of using enhancing the explicit fixed value mutator, simply let
`combine` accept no arguments. In this case, having an empty
`initInPlace` has the correct semantics of not modifying what it has
been given.
|
|
`fixedValue` didn't behave correctly as a
`SerializingInPlaceMutator` on a non-default value as it would not be
able to ensure that the object given to `initInPlace` is indeed the
fixed value - it just didn't change the object and thus only worked
correctly for default instances.
This reverts commits:
* 81cc0bbcdae1471114a54e458790c2b1c60cc68b
* bdd71b3dfdecf537ff355df5a32c92b7b44e8041
* 1605864822b519e7e241504472fd50605ceeb9aa
|
|
Add `WithUtf8Length` annotation and support for it
|
|
Introduces helper functions that we can use to make debug strings for
Builders more helpful in general.
|
|
|
|
Add a test that verifies that crash files are created in the base
directory in case no test resource directory is present.
|
|
Add support for withlength annotation to byte arrays
|
|
No distinction of the invocation type is required anymore. Fuzz tests
invoked via the CLI should behave the same as if they were invoked in
JUnit tests.
|
|
|
|
While map fields in protos are represented as repeated message fields to
the reflection API, this "illusion" wasn't convincing enough for us to
support them automatically: There is a single class that represents all
MapEntry messages, even though there are many different message types
due to the possible key/value type combinations.
In addition, modelling a map as a list of entries means that some
mutations, e.g. duplicating a list entry, would silently not affect the
map.
Instead, we are now mapping a proto map field to an actual map to which
we apply our map mutator.
|
|
By representing message fields as their message rather than builder
types, we can get rid of the message field specific adapters.
|
|
|