fix: don't apply Bean factories for proto enums

simonresch · simonresch · commit d7a522990ca9 · 2025-10-13T14:07:29.000+02:00
Using the full original factory to construct a mutator for protobuf enum
types would trigger a deeply nested mutator construction attempt on the
EnumValueDescriptor class using e.g. the
`CachedConstructorMutatorFactory`. While this still ended up at the
dedicated enum mutator for most cases, for complex protobuf parameters
it could lead to the construction of invalid mutators.

At the point where an enum type is reached we now use a simplified
factory instead that only deals with repeated or nullable enums.
diff --git a/src/main/java/com/code_intelligence/jazzer/mutation/mutator/collection/BUILD.bazel b/src/main/java/com/code_intelligence/jazzer/mutation/mutator/collection/BUILD.bazel
@@ -2,7 +2,7 @@ java_library(
     name = "collection",
     srcs = glob(["*.java"]),
     visibility = [
-        "//src/main/java/com/code_intelligence/jazzer/mutation/mutator:__pkg__",
+        "//src/main/java/com/code_intelligence/jazzer/mutation/mutator:__subpackages__",
         "//src/test/java/com/code_intelligence/jazzer/mutation/mutator:__subpackages__",
     ],
     deps = [
diff --git a/src/main/java/com/code_intelligence/jazzer/mutation/mutator/lang/BUILD.bazel b/src/main/java/com/code_intelligence/jazzer/mutation/mutator/lang/BUILD.bazel
@@ -2,7 +2,7 @@ java_library(
     name = "lang",
     srcs = glob(["*.java"]),
     visibility = [
-        "//src/main/java/com/code_intelligence/jazzer/mutation/mutator:__pkg__",
+        "//src/main/java/com/code_intelligence/jazzer/mutation/mutator:__subpackages__",
         "//src/test/java/com/code_intelligence/jazzer/mutation/mutator:__subpackages__",
     ],
     deps = [
diff --git a/src/main/java/com/code_intelligence/jazzer/mutation/mutator/proto/BUILD.bazel b/src/main/java/com/code_intelligence/jazzer/mutation/mutator/proto/BUILD.bazel
@@ -13,6 +13,8 @@ java_library(
         "//src/main/java/com/code_intelligence/jazzer/mutation/api",
         "//src/main/java/com/code_intelligence/jazzer/mutation/combinator",
         "//src/main/java/com/code_intelligence/jazzer/mutation/engine",
+        "//src/main/java/com/code_intelligence/jazzer/mutation/mutator/collection",
+        "//src/main/java/com/code_intelligence/jazzer/mutation/mutator/lang",
         "//src/main/java/com/code_intelligence/jazzer/mutation/support",
         "//src/main/java/com/code_intelligence/jazzer/mutation/utils",
     ],
diff --git a/src/main/java/com/code_intelligence/jazzer/mutation/mutator/proto/BuilderMutatorFactory.java b/src/main/java/com/code_intelligence/jazzer/mutation/mutator/proto/BuilderMutatorFactory.java
@@ -53,6 +53,8 @@
 import com.code_intelligence.jazzer.mutation.api.SerializingInPlaceMutator;
 import com.code_intelligence.jazzer.mutation.api.SerializingMutator;
 import com.code_intelligence.jazzer.mutation.engine.ChainedMutatorFactory;
+import com.code_intelligence.jazzer.mutation.mutator.collection.CollectionMutators;
+import com.code_intelligence.jazzer.mutation.mutator.lang.LangMutators;
 import com.code_intelligence.jazzer.mutation.support.Preconditions;
 import com.google.protobuf.Any;
 import com.google.protobuf.Descriptors.Descriptor;
@@ -140,31 +142,35 @@ private ExtendedMutatorFactory withDescriptorDependentMutatorFactoryIfNeeded(
     if (field.getJavaType() == JavaType.ENUM) {
       // Proto enum fields are special as their type (EnumValueDescriptor) does not encode their
       // domain - we need the actual EnumDescriptor instance.
+      MutatorFactory enumFactory =
+          (type, factory) ->
+              asSubclassOrEmpty(type, EnumValueDescriptor.class)
+                  .map(
+                      unused -> {
+                        EnumDescriptor enumType = field.getEnumType();
+                        List<EnumValueDescriptor> values = enumType.getValues();
+                        String name = enumType.getName();
+                        if (values.size() == 1) {
+                          // While we generally prefer to error out instead of creating a
+                          // mutator that can't actually mutate its domain, we can't do that
+                          // for proto enum fields as the user creating the fuzz test may not be
+                          // in a position to modify the existing proto definition.
+                          return fixedValue(values.get(0));
+                        } else {
+                          return mutateThenMapToImmutable(
+                              mutateIndices(values.size()),
+                              values::get,
+                              EnumValueDescriptor::getIndex,
+                              unused2 -> "Enum<" + name + ">");
+                        }
+                      });
+      // Apart from the specific enum factory we need handling for `null` and other collection
+      // types. Note, that we don't include the full original factory here because we don't want
+      // to follow constructors or builders of the EnumValueDescriptor class.
       return ChainedMutatorFactory.of(
-          originalFactory.getCache(),
-          Stream.of(
-              originalFactory,
-              (type, factory) ->
-                  asSubclassOrEmpty(type, EnumValueDescriptor.class)
-                      .map(
-                          unused -> {
-                            EnumDescriptor enumType = field.getEnumType();
-                            List<EnumValueDescriptor> values = enumType.getValues();
-                            String name = enumType.getName();
-                            if (values.size() == 1) {
-                              // While we generally prefer to error out instead of creating a
-                              // mutator that can't actually mutate its domain, we can't do that for
-                              // proto enum fields as the user creating the fuzz test may not be in
-                              // a position to modify the existing proto definition.
-                              return fixedValue(values.get(0));
-                            } else {
-                              return mutateThenMapToImmutable(
-                                  mutateIndices(values.size()),
-                                  values::get,
-                                  EnumValueDescriptor::getIndex,
-                                  unused2 -> "Enum<" + name + ">");
-                            }
-                          })));
+          Stream.concat(
+              Stream.concat(LangMutators.newFactories(), CollectionMutators.newFactories()),
+              Stream.of(enumFactory)));
     } else if (field.getJavaType() == JavaType.MESSAGE) {
       Descriptor messageDescriptor;
       if (field.isMapField()) {
diff --git a/src/test/java/com/code_intelligence/jazzer/mutation/ArgumentsMutatorTest.java b/src/test/java/com/code_intelligence/jazzer/mutation/ArgumentsMutatorTest.java
@@ -23,6 +23,8 @@
 import com.code_intelligence.jazzer.mutation.annotation.NotNull;
 import com.code_intelligence.jazzer.mutation.mutator.Mutators;
 import com.code_intelligence.jazzer.mutation.support.TestSupport.MockPseudoRandom;
+import com.code_intelligence.jazzer.protobuf.Proto2.TestProtobuf;
+import com.google.protobuf.DescriptorProtos;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.lang.reflect.Method;
@@ -347,4 +349,26 @@ void testReadEmptyBeanWithRuntimeError() throws NoSuchMethodException {
       // expected
     }
   }
+
+  // Regression: ensure we can build an ArgumentsMutator for a fuzz target that
+  // takes a protobuf message and a protobuf descriptor as parameters.
+  @SuppressWarnings("unused")
+  public static void complexProtoFuzzTest(
+      @NotNull TestProtobuf proto, @NotNull DescriptorProtos.DescriptorProto descriptor) {}
+
+  @Test
+  void testProtoAndDescriptorParameters() throws NoSuchMethodException {
+    Method method =
+        ArgumentsMutatorTest.class.getMethod(
+            "complexProtoFuzzTest", TestProtobuf.class, DescriptorProtos.DescriptorProto.class);
+    Optional<ArgumentsMutator> maybeMutator =
+        ArgumentsMutator.forMethod(Mutators.newFactory(), method);
+    assertThat(maybeMutator).isPresent();
+    // Ensure that the mutator debug string can be generated. This would fail with the error:
+    //   Caused by: java.lang.NullPointerException: Cannot invoke
+    //
+    // "com.code_intelligence.jazzer.mutation.api.SerializingMutator.toDebugString(java.util.function.Predicate)"
+    //   because "productMutator" is null
+    assertThat(maybeMutator.toString()).contains("-> Message");
+  }
 }
diff --git a/src/test/java/com/code_intelligence/jazzer/mutation/BUILD.bazel b/src/test/java/com/code_intelligence/jazzer/mutation/BUILD.bazel
@@ -10,6 +10,8 @@ java_test_suite(
         "//src/main/java/com/code_intelligence/jazzer/mutation/annotation",
         "//src/main/java/com/code_intelligence/jazzer/mutation/api",
         "//src/main/java/com/code_intelligence/jazzer/mutation/mutator",
+        "//src/test/java/com/code_intelligence/jazzer/mutation/mutator/proto:proto2_java_proto",
         "//src/test/java/com/code_intelligence/jazzer/mutation/support:test_support",
+        "@protobuf//java/core",
     ],
 )
diff --git a/src/test/java/com/code_intelligence/jazzer/mutation/mutator/proto/BUILD.bazel b/src/test/java/com/code_intelligence/jazzer/mutation/mutator/proto/BUILD.bazel
@@ -28,7 +28,7 @@ java_proto_library(
     testonly = True,
     visibility = [
         "//selffuzz:__subpackages__",
-        "//src/test/java/com/code_intelligence/jazzer/mutation/mutator:__pkg__",
+        "//src/test/java/com/code_intelligence/jazzer/mutation:__subpackages__",
         "//tests:__pkg__",
     ],
     deps = [":proto2_proto"],

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,8 @@ java_test_suite(`
`10`	`10`	`"//src/main/java/com/code_intelligence/jazzer/mutation/annotation",`
`11`	`11`	`"//src/main/java/com/code_intelligence/jazzer/mutation/api",`
`12`	`12`	`"//src/main/java/com/code_intelligence/jazzer/mutation/mutator",`
	`13`	`+ "//src/test/java/com/code_intelligence/jazzer/mutation/mutator/proto:proto2_java_proto",`
`13`	`14`	`"//src/test/java/com/code_intelligence/jazzer/mutation/support:test_support",`
	`15`	`+ "@protobuf//java/core",`
`14`	`16`	`],`
`15`	`17`	`)`