feat: String mutator now uses @DictionaryProvider

The mutator now extracts applicable Strings from the provider and uses
them during mutation according to the pInv of the last
@DictionaryProvider annotation it found on this type.

Author: oetr

src/main/java/com/code_intelligence/jazzer/mutation/mutator/lang/StringMutatorFactory.java

@@ -17,22 +17,31 @@
 package com.code_intelligence.jazzer.mutation.mutator.lang;
 
 import static com.code_intelligence.jazzer.mutation.combinator.MutatorCombinators.mutateThenMapToImmutable;
-import static com.code_intelligence.jazzer.mutation.support.TypeSupport.*;
+import static com.code_intelligence.jazzer.mutation.support.DictionaryProviderSupport.extractLastInvProbability;
+import static com.code_intelligence.jazzer.mutation.support.TypeSupport.findFirstParentIfClass;
+import static com.code_intelligence.jazzer.mutation.support.TypeSupport.notNull;
+import static com.code_intelligence.jazzer.mutation.support.TypeSupport.withLength;
 
 import com.code_intelligence.jazzer.mutation.annotation.Ascii;
 import com.code_intelligence.jazzer.mutation.annotation.UrlSegment;
 import com.code_intelligence.jazzer.mutation.annotation.WithUtf8Length;
 import com.code_intelligence.jazzer.mutation.api.Debuggable;
 import com.code_intelligence.jazzer.mutation.api.ExtendedMutatorFactory;
 import com.code_intelligence.jazzer.mutation.api.MutatorFactory;
+import com.code_intelligence.jazzer.mutation.api.PseudoRandom;
 import com.code_intelligence.jazzer.mutation.api.SerializingMutator;
 import com.code_intelligence.jazzer.mutation.mutator.libfuzzer.LibFuzzerMutatorFactory;
 import com.code_intelligence.jazzer.mutation.runtime.MutatorRuntime;
+import com.code_intelligence.jazzer.mutation.support.DictionaryProviderSupport;
 import com.code_intelligence.jazzer.mutation.support.TypeHolder;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
 import java.lang.reflect.AnnotatedType;
 import java.nio.charset.StandardCharsets;
 import java.util.Optional;
 import java.util.function.Predicate;
+import java.util.stream.Stream;
 
 final class StringMutatorFactory implements MutatorFactory {
   private static final int HEADER_MASK = 0b1100_0000;
@@ -177,7 +186,9 @@ public Optional<SerializingMutator<?>> tryCreate(
 
               AnnotatedType innerByteArray =
                   notNull(withLength(new TypeHolder<byte[]>() {}.annotatedType(), min, max));
-              return LibFuzzerMutatorFactory.tryCreate(runtime, innerByteArray);
+              Optional<SerializingMutator<?>> innerMutator =
+                  LibFuzzerMutatorFactory.tryCreate(runtime, innerByteArray);
+              return UserDictionaryMutatorWrapper.of(runtime, innerMutator, type, min, max);
             })
         .map(
             byteArrayMutator -> {
@@ -199,4 +210,102 @@ public Optional<SerializingMutator<?>> tryCreate(
                   (Predicate<Debuggable> inCycle) -> "String");
             });
   }
+
+  private static final class UserDictionaryMutatorWrapper extends SerializingMutator<byte[]> {
+    private final byte[][] dictionaryValues;
+    private final SerializingMutator<byte[]> basicMutator;
+    private final int pInv;
+
+    public static Optional<SerializingMutator<?>> of(
+        MutatorRuntime runtime,
+        Optional<SerializingMutator<?>> mutator,
+        AnnotatedType type,
+        int minSize,
+        int maxSize) {
+      if (!mutator.isPresent()) {
+        return Optional.empty();
+      }
+      SerializingMutator<byte[]> castedMutator =
+          mutator.map(m -> (SerializingMutator<byte[]>) m).get();
+      Optional<byte[][]> values = generateDictionaryValues(runtime, type, minSize, maxSize);
+      if (!values.isPresent()) {
+        return mutator;
+      }
+      return Optional.of(
+          new UserDictionaryMutatorWrapper(
+              castedMutator, values.get(), extractLastInvProbability(type)));
+    }
+
+    public UserDictionaryMutatorWrapper(
+        SerializingMutator<byte[]> basicMutator, byte[][] dictionaryValues, int pInv) {
+      this.basicMutator = basicMutator;
+      this.dictionaryValues = dictionaryValues;
+      this.pInv = pInv;
+    }
+
+    public static Optional<byte[][]> generateDictionaryValues(
+        MutatorRuntime runtime, AnnotatedType type, int minSize, int maxSize) {
+      return DictionaryProviderSupport.extractProviderStreams(runtime, type)
+          .map(
+              stream ->
+                  stream
+                      .flatMap(
+                          o -> {
+                            if (o instanceof String) {
+                              return Stream.of(((String) o).getBytes(StandardCharsets.UTF_8));
+                            } else {
+                              return Stream.empty();
+                            }
+                          })
+                      .filter(b -> b.length >= minSize && b.length <= maxSize)
+                      .distinct()
+                      .toArray(byte[][]::new));
+    }
+
+    @Override
+    public String toDebugString(Predicate<Debuggable> isInCycle) {
+      return "String";
+    }
+
+    @Override
+    public byte[] read(DataInputStream in) throws IOException {
+      return basicMutator.read(in);
+    }
+
+    @Override
+    public void write(byte[] value, DataOutputStream out) throws IOException {
+      basicMutator.write(value, out);
+    }
+
+    @Override
+    public byte[] detach(byte[] value) {
+      return basicMutator.detach(value);
+    }
+
+    @Override
+    public byte[] init(PseudoRandom prng) {
+      if (prng.trueInOneOutOf(pInv)) {
+        return prng.pickIn(dictionaryValues);
+      }
+      return basicMutator.init(prng);
+    }
+
+    @Override
+    public byte[] mutate(byte[] value, PseudoRandom prng) {
+      if (prng.trueInOneOutOf(pInv)) {
+        return prng.pickIn(dictionaryValues);
+      }
+      return basicMutator.mutate(value, prng);
+    }
+
+    @Override
+    public byte[] crossOver(byte[] value, byte[] otherValue, PseudoRandom prng) {
+      return basicMutator.crossOver(value, otherValue, prng);
+    }
+
+    @Override
+    public boolean hasFixedSize() {
+      return false;
+    }
+  }
 }

src/main/java/com/code_intelligence/jazzer/mutation/support/BUILD.bazel

@@ -7,6 +7,7 @@ java_library(
     ],
     deps = [
         "//src/main/java/com/code_intelligence/jazzer/mutation/annotation",
+        "//src/main/java/com/code_intelligence/jazzer/mutation/runtime",
         "//src/main/java/com/code_intelligence/jazzer/mutation/utils",
         "//src/main/java/com/code_intelligence/jazzer/utils:log",
     ],

tests/BUILD.bazel

@@ -20,6 +20,27 @@ java_fuzz_target_test(
     verify_crash_input = False,
 )
 
+java_fuzz_target_test(
+    name = "DictionaryProviderFuzzerLongString",
+    srcs = [
+        "src/test/java/com/example/DictionaryProviderFuzzerLongString.java",
+    ],
+    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
+    fuzzer_args = [
+        "-runs=10000",
+    ],
+    target_class = "com.example.DictionaryProviderFuzzerLongString",
+    verify_crash_input = False,
+    verify_crash_reproducer = False,
+    deps = [
+        "//deploy:jazzer-junit",
+        "//deploy:jazzer-project",
+        "@maven//:org_junit_jupiter_junit_jupiter_api",
+        "@maven//:org_junit_jupiter_junit_jupiter_engine",
+        "@maven//:org_junit_platform_junit_platform_launcher",
+    ],
+)
+
 java_fuzz_target_test(
     name = "JpegImageParserAutofuzz",
     allowed_findings = ["java.lang.NegativeArraySizeException"],

tests/src/test/java/com/example/DictionaryProviderFuzzerLongString.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2024 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.example;
+
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow;
+import com.code_intelligence.jazzer.junit.FuzzTest;
+import com.code_intelligence.jazzer.mutation.annotation.DictionaryProvider;
+import com.code_intelligence.jazzer.mutation.annotation.NotNull;
+import com.code_intelligence.jazzer.mutation.annotation.WithUtf8Length;
+import java.util.stream.Stream;
+
+public class DictionaryProviderFuzzerLongString {
+
+  public static Stream<?> myDict() {
+    return Stream.of(
+        repeat("0123456789abcdef", 50),
+        repeat("sitting duck suprime", 53),
+        // We can mix all kinds of values in the same dictionary.
+        // Each mutator only takes the values it can use.
+        123);
+  }
+
+  @FuzzTest
+  // Just propagate the dictionary to all types of the fuzz test method that can use it.
+  // We could also only annotate the String parameters, but this is easier.
+  @DictionaryProvider(
+      value = {"myDict"},
+      // Don't want to wait, force String mutators to use dictionary values every other time.
+      pInv = 2)
+  public static void fuzzerTestOneInput(
+      @NotNull @WithUtf8Length(max = 10000) String data,
+      @NotNull @WithUtf8Length(max = 10000) String data2) {
+    /*
+     * libFuzzer's table of recent compares only allows 64 bytes, so asking the fuzzer to construct
+     * these long strings would run for a very very long time without finding them. With a
+     * DictionaryProvider this problem is trivial, because we can directly provide these long strings to
+     * the fuzzer, and also force that they are used more often by setting pInv to a low value.
+     */
+    if (data.equals(repeat("0123456789abcdef", 50))
+        && data2.equals(repeat("sitting duck suprime", 53))) {
+      throw new FuzzerSecurityIssueLow("Found the long string!");
+    }
+  }
+
+  private static String repeat(String str, int count) {
+    StringBuilder sb = new StringBuilder(str.length() * count);
+    for (int i = 0; i < count; i++) {
+      sb.append(str);
+    }
+    return sb.toString();
+  }
+}