diff options
Diffstat (limited to 'tests/BUILD.bazel')
-rw-r--r-- | tests/BUILD.bazel | 259 |
1 files changed, 259 insertions, 0 deletions
diff --git a/tests/BUILD.bazel b/tests/BUILD.bazel new file mode 100644 index 00000000..cbc77434 --- /dev/null +++ b/tests/BUILD.bazel @@ -0,0 +1,259 @@ +load("@fmeum_rules_jni//jni:defs.bzl", "java_jni_library") +load("//bazel:compat.bzl", "SKIP_ON_MACOS", "SKIP_ON_WINDOWS") +load("//bazel:fuzz_target.bzl", "java_fuzz_target_test") + +java_fuzz_target_test( + name = "LongStringFuzzer", + srcs = [ + "src/test/java/com/example/LongStringFuzzer.java", + ], + data = ["src/test/java/com/example/LongStringFuzzerInput"], + expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], + fuzzer_args = [ + "$(rootpath src/test/java/com/example/LongStringFuzzerInput)", + ], + target_class = "com.example.LongStringFuzzer", + verify_crash_input = False, +) + +java_fuzz_target_test( + name = "JpegImageParserAutofuzz", + expected_findings = ["java.lang.NegativeArraySizeException"], + fuzzer_args = [ + "--autofuzz=org.apache.commons.imaging.formats.jpeg.JpegImageParser::getBufferedImage", + # Exit after the first finding for testing purposes. + "--keep_going=1", + "--autofuzz_ignore=java.lang.NullPointerException", + ], + runtime_deps = [ + "@maven//:org_apache_commons_commons_imaging", + ], +) + +java_fuzz_target_test( + name = "HookDependenciesFuzzer", + srcs = ["src/test/java/com/example/HookDependenciesFuzzer.java"], + env = {"JAVA_OPTS": "-Xverify:all"}, + hook_classes = ["com.example.HookDependenciesFuzzer"], + target_class = "com.example.HookDependenciesFuzzer", +) + +java_fuzz_target_test( + name = "AutofuzzWithoutCoverage", + expected_findings = ["java.lang.NullPointerException"], + fuzzer_args = [ + # Autofuzz a method that triggers no coverage instrumentation (the Java standard library is + # excluded by default). + "--autofuzz=java.util.regex.Pattern::compile", + "--keep_going=1", + ], +) + +java_fuzz_target_test( + name = "AutofuzzHookDependencies", + # The reproducer does not include the hook on OOM and thus throws a regular error. + expected_findings = ["java.lang.OutOfMemoryError"], + fuzzer_args = [ + "--instrumentation_includes=java.util.regex.**", + "--autofuzz=java.util.regex.Pattern::compile", + "--autofuzz_ignore=java.lang.Exception", + "--keep_going=1", + ], + # FIXME(fabian): Regularly times out on Windows with 0 exec/s for minutes. + target_compatible_with = SKIP_ON_WINDOWS, +) + +java_fuzz_target_test( + name = "ForkModeFuzzer", + size = "enormous", + srcs = [ + "src/test/java/com/example/ForkModeFuzzer.java", + ], + env = { + "JAVA_OPTS": "-Dfoo=not_foo -Djava_opts=1", + }, + expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], + fuzzer_args = [ + "-fork=2", + "--additional_jvm_args=-Dbaz=baz", + ] + select({ + # \\\\ becomes \\ when evaluated as a Starlark string literal, then \ in + # java_fuzz_target_test. + "@platforms//os:windows": ["--jvm_args=-Dfoo=foo;-Dbar=b\\\\;ar"], + "//conditions:default": ["--jvm_args=-Dfoo=foo:-Dbar=b\\\\:ar"], + }), + # Consumes more resources than can be expressed via the size attribute. + tags = ["exclusive-if-local"], + target_class = "com.example.ForkModeFuzzer", + # The exit codes of the forked libFuzzer processes are not picked up correctly. + target_compatible_with = SKIP_ON_MACOS, +) + +java_fuzz_target_test( + name = "CoverageFuzzer", + srcs = [ + "src/test/java/com/example/CoverageFuzzer.java", + ], + env = { + "COVERAGE_REPORT_FILE": "coverage.txt", + "COVERAGE_DUMP_FILE": "coverage.exec", + }, + fuzzer_args = [ + "-use_value_profile=1", + "--coverage_report=coverage.txt", + "--coverage_dump=coverage.exec", + "--instrumentation_includes=com.example.**", + ], + target_class = "com.example.CoverageFuzzer", + verify_crash_input = False, + verify_crash_reproducer = False, + deps = [ + "@jazzer_jacoco//:jacoco_internal", + ], +) + +java_library( + name = "autofuzz_inner_class_target", + srcs = ["src/test/java/com/example/AutofuzzInnerClassTarget.java"], + deps = [ + "//agent:jazzer_api_compile_only", + ], +) + +java_fuzz_target_test( + name = "AutofuzzInnerClassFuzzer", + expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], + fuzzer_args = [ + "--autofuzz=com.example.AutofuzzInnerClassTarget.Middle.Inner::test", + "--keep_going=1", + ], + runtime_deps = [ + ":autofuzz_inner_class_target", + ], +) + +# Regression test for https://github.com/CodeIntelligenceTesting/jazzer/issues/405. +java_fuzz_target_test( + name = "MemoryLeakFuzzer", + timeout = "short", + srcs = ["src/test/java/com/example/MemoryLeakFuzzer.java"], + env = { + "JAVA_OPTS": "-Xmx800m", + }, + expect_crash = False, + fuzzer_args = [ + # Before the bug was fixed, either the GC overhead limit or the overall heap limit was + # reached by this target in this number of runs. + "-runs=1000000", + # Skip over the first and only exception to keep the fuzzer running until it hits the runs + # limit. + "--keep_going=2", + ], + target_class = "com.example.MemoryLeakFuzzer", +) + +JAZZER_API_TEST_CASES = { + "default": [], + "nohooks": ["--nohooks"], +} + +[ + java_fuzz_target_test( + name = "JazzerApiFuzzer_" + case, + srcs = ["src/test/java/com/example/JazzerApiFuzzer.java"], + expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], + fuzzer_args = args, + target_class = "com.example.JazzerApiFuzzer", + ) + for case, args in JAZZER_API_TEST_CASES.items() +] + +java_fuzz_target_test( + name = "DisabledHooksFuzzer", + timeout = "short", + srcs = ["src/test/java/com/example/DisabledHooksFuzzer.java"], + expect_crash = False, + fuzzer_args = [ + "-runs=0", + "--custom_hooks=com.example.DisabledHook", + ] + select({ + "@platforms//os:windows": ["--disabled_hooks=com.example.DisabledHook;com.code_intelligence.jazzer.sanitizers.RegexInjection"], + "//conditions:default": ["--disabled_hooks=com.example.DisabledHook:com.code_intelligence.jazzer.sanitizers.RegexInjection"], + }), + target_class = "com.example.DisabledHooksFuzzer", +) + +java_fuzz_target_test( + name = "BytesMemoryLeakFuzzer", + timeout = "short", + srcs = ["src/test/java/com/example/BytesMemoryLeakFuzzer.java"], + env = { + "JAVA_OPTS": "-Xmx200m", + }, + expect_crash = False, + fuzzer_args = [ + # Before the bug was fixed, either the GC overhead limit or the overall heap limit was + # reached by this target in this number of runs. + "-runs=10000000", + ], + target_class = "com.example.BytesMemoryLeakFuzzer", +) + +# Verifies that Jazzer continues fuzzing when the first two executions did not result in any +# coverage feedback. +java_fuzz_target_test( + name = "NoCoverageFuzzer", + timeout = "short", + srcs = ["src/test/java/com/example/NoCoverageFuzzer.java"], + expect_crash = False, + fuzzer_args = [ + "-runs=10", + "--instrumentation_excludes=**", + ], + target_class = "com.example.NoCoverageFuzzer", +) + +java_fuzz_target_test( + name = "SeedFuzzer", + timeout = "short", + srcs = ["src/test/java/com/example/SeedFuzzer.java"], + expect_crash = False, + fuzzer_args = [ + "-runs=0", + "-seed=1234567", + ], + target_class = "com.example.SeedFuzzer", +) + +java_fuzz_target_test( + name = "NoSeedFuzzer", + timeout = "short", + srcs = ["src/test/java/com/example/NoSeedFuzzer.java"], + env = { + "JAZZER_NO_EXPLICIT_SEED": "1", + }, + expect_crash = False, + fuzzer_args = [ + "-runs=0", + ], + target_class = "com.example.NoSeedFuzzer", +) + +java_jni_library( + name = "native_value_profile_fuzzer", + srcs = ["src/test/java/com/example/NativeValueProfileFuzzer.java"], + native_libs = ["//tests/src/test/native/com/example:native_value_profile_fuzzer"], + visibility = ["//tests/src/test/native/com/example:__pkg__"], + deps = ["//agent:jazzer_api_compile_only"], +) + +java_fuzz_target_test( + name = "NativeValueProfileFuzzer", + expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"], + fuzzer_args = ["-use_value_profile=1"], + sanitizer = "address", + target_class = "com.example.NativeValueProfileFuzzer", + target_compatible_with = SKIP_ON_WINDOWS, + verify_crash_reproducer = False, + runtime_deps = [":native_value_profile_fuzzer"], +) |