Package com.code_intelligence.jazzer.api
Class Jazzer
- java.lang.Object
-
- com.code_intelligence.jazzer.api.Jazzer
-
public final class Jazzer extends java.lang.Object
Helper class with static methods that interact with Jazzer at runtime.
-
-
Field Summary
Fields Modifier and Type Field Description static int
SEED
A 32-bit random number that hooks can use to make pseudo-random choices between multiple possible mutations they could guide the fuzzer towards.
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description static <T1> void
autofuzz(FuzzedDataProvider data, Consumer1<T1> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath.static <T1,T2>
voidautofuzz(FuzzedDataProvider data, Consumer2<T1,T2> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath.static <T1,T2,T3>
voidautofuzz(FuzzedDataProvider data, Consumer3<T1,T2,T3> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath.static <T1,T2,T3,T4>
voidautofuzz(FuzzedDataProvider data, Consumer4<T1,T2,T3,T4> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath.static <T1,T2,T3,T4,T5>
voidautofuzz(FuzzedDataProvider data, Consumer5<T1,T2,T3,T4,T5> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath.static <T1,R>
Rautofuzz(FuzzedDataProvider data, Function1<T1,R> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath.static <T1,T2,R>
Rautofuzz(FuzzedDataProvider data, Function2<T1,T2,R> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath.static <T1,T2,T3,R>
Rautofuzz(FuzzedDataProvider data, Function3<T1,T2,T3,R> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath.static <T1,T2,T3,T4,R>
Rautofuzz(FuzzedDataProvider data, Function4<T1,T2,T3,T4,R> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath.static <T1,T2,T3,T4,T5,R>
Rautofuzz(FuzzedDataProvider data, Function5<T1,T2,T3,T4,T5,R> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath.static <T> T
consume(FuzzedDataProvider data, java.lang.Class<T> type)
Attempts to construct an instance oftype
from the fuzzer input using only public methods available on the classpath.static void
exploreState(byte state, int id)
Instructs the fuzzer to attain as many possible values for the absolute value ofstate
as possible.static void
guideTowardsContainment(java.lang.String haystack, java.lang.String needle, int id)
Instructs the fuzzer to guide its mutations towards makinghaystack
containneedle
as a substring.static void
guideTowardsEquality(byte[] current, byte[] target, int id)
Instructs the fuzzer to guide its mutations towards makingcurrent
equal totarget
.static void
guideTowardsEquality(java.lang.String current, java.lang.String target, int id)
Instructs the fuzzer to guide its mutations towards makingcurrent
equal totarget
.static void
reportFindingFromHook(java.lang.Throwable finding)
Make Jazzer report the providedThrowable
as a finding.
-
-
-
Field Detail
-
SEED
public static final int SEED
A 32-bit random number that hooks can use to make pseudo-random choices between multiple possible mutations they could guide the fuzzer towards. Hooks must not base the decision whether or not to report a finding on this number as this will make findings non-reproducible. This is the same number that libFuzzer uses as a seed internally, which makes it possible to deterministically reproduce a previous fuzzing run by supplying the seed value printed by libFuzzer as the value of the-seed
.
-
-
Method Detail
-
autofuzz
public static <T1,R> R autofuzz(FuzzedDataProvider data, Function1<T1,R> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath. Note: This function is inherently heuristic and may fail to executefunc
in meaningful ways for a number of reasons.- Parameters:
data
- theFuzzedDataProvider
instance provided tofuzzerTestOneInput
.func
- a method reference for the function to autofuzz. If there are multiple overloads, resolve ambiguities by explicitly casting toFunction1
with (partially) specified type variables, e.g.(Function1<String, ?>) String::new
.- Returns:
- the return value of
func
, ornull
ifautofuzz
failed to invoke the function. - Throws:
java.lang.Throwable
- anyThrowable
thrown byfunc
, or anAutofuzzConstructionException
if autofuzz failed to construct the arguments for the call. TheThrowable
is thrown unchecked.
-
autofuzz
public static <T1,T2,R> R autofuzz(FuzzedDataProvider data, Function2<T1,T2,R> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath. Note: This function is inherently heuristic and may fail to executefunc
in meaningful ways for a number of reasons.- Parameters:
data
- theFuzzedDataProvider
instance provided tofuzzerTestOneInput
.func
- a method reference for the function to autofuzz. If there are multiple overloads, resolve ambiguities by explicitly casting toFunction2
with (partially) specified type variables.- Returns:
- the return value of
func
, ornull
ifautofuzz
failed to invoke the function. - Throws:
java.lang.Throwable
- anyThrowable
thrown byfunc
, or anAutofuzzConstructionException
if autofuzz failed to construct the arguments for the call. TheThrowable
is thrown unchecked.
-
autofuzz
public static <T1,T2,T3,R> R autofuzz(FuzzedDataProvider data, Function3<T1,T2,T3,R> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath. Note: This function is inherently heuristic and may fail to executefunc
in meaningful ways for a number of reasons.- Parameters:
data
- theFuzzedDataProvider
instance provided tofuzzerTestOneInput
.func
- a method reference for the function to autofuzz. If there are multiple overloads, resolve ambiguities by explicitly casting toFunction3
with (partially) specified type variables.- Returns:
- the return value of
func
, ornull
ifautofuzz
failed to invoke the function. - Throws:
java.lang.Throwable
- anyThrowable
thrown byfunc
, or anAutofuzzConstructionException
if autofuzz failed to construct the arguments for the call. TheThrowable
is thrown unchecked.
-
autofuzz
public static <T1,T2,T3,T4,R> R autofuzz(FuzzedDataProvider data, Function4<T1,T2,T3,T4,R> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath. Note: This function is inherently heuristic and may fail to executefunc
in meaningful ways for a number of reasons.- Parameters:
data
- theFuzzedDataProvider
instance provided tofuzzerTestOneInput
.func
- a method reference for the function to autofuzz. If there are multiple overloads, resolve ambiguities by explicitly casting toFunction4
with (partially) specified type variables.- Returns:
- the return value of
func
, ornull
ifautofuzz
failed to invoke the function. - Throws:
java.lang.Throwable
- anyThrowable
thrown byfunc
, or anAutofuzzConstructionException
if autofuzz failed to construct the arguments for the call. TheThrowable
is thrown unchecked.
-
autofuzz
public static <T1,T2,T3,T4,T5,R> R autofuzz(FuzzedDataProvider data, Function5<T1,T2,T3,T4,T5,R> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath. Note: This function is inherently heuristic and may fail to executefunc
in meaningful ways for a number of reasons.- Parameters:
data
- theFuzzedDataProvider
instance provided tofuzzerTestOneInput
.func
- a method reference for the function to autofuzz. If there are multiple overloads, resolve ambiguities by explicitly casting toFunction5
with (partially) specified type variables.- Returns:
- the return value of
func
, ornull
ifautofuzz
failed to invoke the function. - Throws:
java.lang.Throwable
- anyThrowable
thrown byfunc
, or anAutofuzzConstructionException
if autofuzz failed to construct the arguments for the call. TheThrowable
is thrown unchecked.
-
autofuzz
public static <T1> void autofuzz(FuzzedDataProvider data, Consumer1<T1> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath. Note: This function is inherently heuristic and may fail to executefunc
in meaningful ways for a number of reasons.- Parameters:
data
- theFuzzedDataProvider
instance provided tofuzzerTestOneInput
.func
- a method reference for the function to autofuzz. If there are multiple overloads, resolve ambiguities by explicitly casting toConsumer1
with explicitly specified type variable.- Throws:
java.lang.Throwable
- anyThrowable
thrown byfunc
, or anAutofuzzConstructionException
if autofuzz failed to construct the arguments for the call. TheThrowable
is thrown unchecked.
-
autofuzz
public static <T1,T2> void autofuzz(FuzzedDataProvider data, Consumer2<T1,T2> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath. Note: This function is inherently heuristic and may fail to executefunc
in meaningful ways for a number of reasons.- Parameters:
data
- theFuzzedDataProvider
instance provided tofuzzerTestOneInput
.func
- a method reference for the function to autofuzz. If there are multiple overloads, resolve ambiguities by explicitly casting toConsumer2
with (partially) specified type variables.- Throws:
java.lang.Throwable
- anyThrowable
thrown byfunc
, or anAutofuzzConstructionException
if autofuzz failed to construct the arguments for the call. TheThrowable
is thrown unchecked.
-
autofuzz
public static <T1,T2,T3> void autofuzz(FuzzedDataProvider data, Consumer3<T1,T2,T3> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath. Note: This function is inherently heuristic and may fail to executefunc
in meaningful ways for a number of reasons.- Parameters:
data
- theFuzzedDataProvider
instance provided tofuzzerTestOneInput
.func
- a method reference for the function to autofuzz. If there are multiple overloads, resolve ambiguities by explicitly casting toConsumer3
with (partially) specified type variables.- Throws:
java.lang.Throwable
- anyThrowable
thrown byfunc
, or anAutofuzzConstructionException
if autofuzz failed to construct the arguments for the call. TheThrowable
is thrown unchecked.
-
autofuzz
public static <T1,T2,T3,T4> void autofuzz(FuzzedDataProvider data, Consumer4<T1,T2,T3,T4> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath. Note: This function is inherently heuristic and may fail to executefunc
in meaningful ways for a number of reasons.- Parameters:
data
- theFuzzedDataProvider
instance provided tofuzzerTestOneInput
.func
- a method reference for the function to autofuzz. If there are multiple overloads, resolve ambiguities by explicitly casting toConsumer4
with (partially) specified type variables.- Throws:
java.lang.Throwable
- anyThrowable
thrown byfunc
, or anAutofuzzConstructionException
if autofuzz failed to construct the arguments for the call. TheThrowable
is thrown unchecked.
-
autofuzz
public static <T1,T2,T3,T4,T5> void autofuzz(FuzzedDataProvider data, Consumer5<T1,T2,T3,T4,T5> func)
Attempts to invokefunc
with arguments created automatically from the fuzzer input using only public methods available on the classpath. Note: This function is inherently heuristic and may fail to executefunc
in meaningful ways for a number of reasons.- Parameters:
data
- theFuzzedDataProvider
instance provided tofuzzerTestOneInput
.func
- a method reference for the function to autofuzz. If there are multiple overloads, resolve ambiguities by explicitly casting toConsumer5
with (partially) specified type variables.- Throws:
java.lang.Throwable
- anyThrowable
thrown byfunc
, or anAutofuzzConstructionException
if autofuzz failed to construct the arguments for the call. TheThrowable
is thrown unchecked.
-
consume
public static <T> T consume(FuzzedDataProvider data, java.lang.Class<T> type)
Attempts to construct an instance oftype
from the fuzzer input using only public methods available on the classpath. Note: This function is inherently heuristic and may fail to return meaningful values for a variety of reasons.- Parameters:
data
- theFuzzedDataProvider
instance provided tofuzzerTestOneInput
.type
- theClass
to construct an instance of.- Returns:
- an instance of
type
constructed from the fuzzer input, ornull
if autofuzz failed to create an instance.
-
guideTowardsEquality
public static void guideTowardsEquality(java.lang.String current, java.lang.String target, int id)
Instructs the fuzzer to guide its mutations towards makingcurrent
equal totarget
. If the relation between the raw fuzzer input and the value ofcurrent
is relatively complex, running the fuzzer with the argument-use_value_profile=1
may be necessary to achieve equality.- Parameters:
current
- a non-constant string observed during fuzz target executiontarget
- a string thatcurrent
should become equal to, but currently isn'tid
- a (probabilistically) unique identifier for this particular compare hint
-
guideTowardsEquality
public static void guideTowardsEquality(byte[] current, byte[] target, int id)
Instructs the fuzzer to guide its mutations towards makingcurrent
equal totarget
. If the relation between the raw fuzzer input and the value ofcurrent
is relatively complex, running the fuzzer with the argument-use_value_profile=1
may be necessary to achieve equality.- Parameters:
current
- a non-constant byte array observed during fuzz target executiontarget
- a byte array thatcurrent
should become equal to, but currently isn'tid
- a (probabilistically) unique identifier for this particular compare hint
-
guideTowardsContainment
public static void guideTowardsContainment(java.lang.String haystack, java.lang.String needle, int id)
Instructs the fuzzer to guide its mutations towards makinghaystack
containneedle
as a substring. If the relation between the raw fuzzer input and the value ofhaystack
is relatively complex, running the fuzzer with the argument-use_value_profile=1
may be necessary to satisfy the substring check.- Parameters:
haystack
- a non-constant string observed during fuzz target executionneedle
- a string that should be contained inhaystack
as a substring, but currently isn'tid
- a (probabilistically) unique identifier for this particular compare hint
-
exploreState
public static void exploreState(byte state, int id)
Instructs the fuzzer to attain as many possible values for the absolute value ofstate
as possible. Call this function from a fuzz target or a hook to help the fuzzer track partial progress (e.g. by passing the length of a common prefix of two lists that should become equal) or explore different values of state that is not directly related to code coverage (see the MazeFuzzer example). Note: This hint only takes effect if the fuzzer is run with the argument-use_value_profile=1
.- Parameters:
state
- a numeric encoding of a state that should be varied by the fuzzerid
- a (probabilistically) unique identifier for this particular state hint
-
reportFindingFromHook
public static void reportFindingFromHook(java.lang.Throwable finding)
Make Jazzer report the providedThrowable
as a finding. Note: This method must only be called from a method hook. In a fuzz target, simply throw an exception to trigger a finding.- Parameters:
finding
- the finding that Jazzer should report
-
-