feat: String mutator now uses @DictionaryProvider

oetr · oetr · commit fde2a496fda9 · 2025-10-28T20:05:31.000+01:00
The mutator now extracts applicable Strings from the provider and uses
them during mutation according to the pInv of the last
@DictionaryProvider annotation it found on this type.
diff --git a/src/main/java/com/code_intelligence/jazzer/mutation/mutator/lang/StringMutatorFactory.java b/src/main/java/com/code_intelligence/jazzer/mutation/mutator/lang/StringMutatorFactory.java
@@ -17,22 +17,31 @@
 package com.code_intelligence.jazzer.mutation.mutator.lang;
 
 import static com.code_intelligence.jazzer.mutation.combinator.MutatorCombinators.mutateThenMapToImmutable;
-import static com.code_intelligence.jazzer.mutation.support.TypeSupport.*;
+import static com.code_intelligence.jazzer.mutation.support.DictionaryProviderSupport.extractFirstInvProbability;
+import static com.code_intelligence.jazzer.mutation.support.TypeSupport.findFirstParentIfClass;
+import static com.code_intelligence.jazzer.mutation.support.TypeSupport.notNull;
+import static com.code_intelligence.jazzer.mutation.support.TypeSupport.withLength;
 
 import com.code_intelligence.jazzer.mutation.annotation.Ascii;
 import com.code_intelligence.jazzer.mutation.annotation.UrlSegment;
 import com.code_intelligence.jazzer.mutation.annotation.WithUtf8Length;
 import com.code_intelligence.jazzer.mutation.api.Debuggable;
 import com.code_intelligence.jazzer.mutation.api.ExtendedMutatorFactory;
 import com.code_intelligence.jazzer.mutation.api.MutatorFactory;
+import com.code_intelligence.jazzer.mutation.api.PseudoRandom;
 import com.code_intelligence.jazzer.mutation.api.SerializingMutator;
 import com.code_intelligence.jazzer.mutation.mutator.libfuzzer.LibFuzzerMutatorFactory;
 import com.code_intelligence.jazzer.mutation.runtime.MutatorRuntime;
+import com.code_intelligence.jazzer.mutation.support.DictionaryProviderSupport;
 import com.code_intelligence.jazzer.mutation.support.TypeHolder;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
 import java.lang.reflect.AnnotatedType;
 import java.nio.charset.StandardCharsets;
 import java.util.Optional;
 import java.util.function.Predicate;
+import java.util.stream.Stream;
 
 final class StringMutatorFactory implements MutatorFactory {
   private static final int HEADER_MASK = 0b1100_0000;
@@ -177,7 +186,9 @@ public Optional<SerializingMutator<?>> tryCreate(
 
               AnnotatedType innerByteArray =
                   notNull(withLength(new TypeHolder<byte[]>() {}.annotatedType(), min, max));
-              return LibFuzzerMutatorFactory.tryCreate(runtime, innerByteArray);
+              Optional<SerializingMutator<?>> innerMutator =
+                  LibFuzzerMutatorFactory.tryCreate(runtime, innerByteArray);
+              return UserDictionaryMutatorWrapper.of(runtime, innerMutator, type, min, max);
             })
         .map(
             byteArrayMutator -> {
@@ -199,4 +210,102 @@ public Optional<SerializingMutator<?>> tryCreate(
                   (Predicate<Debuggable> inCycle) -> "String");
             });
   }
+
+  private static final class UserDictionaryMutatorWrapper extends SerializingMutator<byte[]> {
+    private final byte[][] dictionaryValues;
+    private final SerializingMutator<byte[]> basicMutator;
+    private final int pInv;
+
+    public static Optional<SerializingMutator<?>> of(
+        MutatorRuntime runtime,
+        Optional<SerializingMutator<?>> mutator,
+        AnnotatedType type,
+        int minSize,
+        int maxSize) {
+      if (!mutator.isPresent()) {
+        return Optional.empty();
+      }
+      SerializingMutator<byte[]> castedMutator =
+          mutator.map(m -> (SerializingMutator<byte[]>) m).get();
+      Optional<byte[][]> values = generateDictionaryValues(runtime, type, minSize, maxSize);
+      if (!values.isPresent()) {
+        return mutator;
+      }
+      return Optional.of(
+          new UserDictionaryMutatorWrapper(
+              castedMutator, values.get(), extractFirstInvProbability(type)));
+    }
+
+    public UserDictionaryMutatorWrapper(
+        SerializingMutator<byte[]> basicMutator, byte[][] dictionaryValues, int pInv) {
+      this.basicMutator = basicMutator;
+      this.dictionaryValues = dictionaryValues;
+      this.pInv = pInv;
+    }
+
+    public static Optional<byte[][]> generateDictionaryValues(
+        MutatorRuntime runtime, AnnotatedType type, int minSize, int maxSize) {
+      return DictionaryProviderSupport.extractRawValues(runtime, type)
+          .map(
+              stream ->
+                  stream
+                      .flatMap(
+                          o -> {
+                            if (o instanceof String) {
+                              return Stream.of(((String) o).getBytes(StandardCharsets.UTF_8));
+                            } else {
+                              return Stream.empty();
+                            }
+                          })
+                      .filter(b -> b.length >= minSize && b.length <= maxSize)
+                      .distinct()
+                      .toArray(byte[][]::new));
+    }
+
+    @Override
+    public String toDebugString(Predicate<Debuggable> isInCycle) {
+      return "String";
+    }
+
+    @Override
+    public byte[] read(DataInputStream in) throws IOException {
+      return basicMutator.read(in);
+    }
+
+    @Override
+    public void write(byte[] value, DataOutputStream out) throws IOException {
+      basicMutator.write(value, out);
+    }
+
+    @Override
+    public byte[] detach(byte[] value) {
+      return basicMutator.detach(value);
+    }
+
+    @Override
+    public byte[] init(PseudoRandom prng) {
+      if (prng.trueInOneOutOf(pInv)) {
+        return prng.pickIn(dictionaryValues);
+      }
+      return basicMutator.init(prng);
+    }
+
+    @Override
+    public byte[] mutate(byte[] value, PseudoRandom prng) {
+      if (prng.trueInOneOutOf(pInv)) {
+        return prng.pickIn(dictionaryValues);
+      }
+      return basicMutator.mutate(value, prng);
+    }
+
+    @Override
+    public byte[] crossOver(byte[] value, byte[] otherValue, PseudoRandom prng) {
+      return basicMutator.crossOver(value, otherValue, prng);
+    }
+
+    @Override
+    public boolean hasFixedSize() {
+      return false;
+    }
+  }
 }
diff --git a/src/main/java/com/code_intelligence/jazzer/mutation/support/BUILD.bazel b/src/main/java/com/code_intelligence/jazzer/mutation/support/BUILD.bazel
@@ -7,6 +7,7 @@ java_library(
     ],
     deps = [
         "//src/main/java/com/code_intelligence/jazzer/mutation/annotation",
+        "//src/main/java/com/code_intelligence/jazzer/mutation/runtime",
         "//src/main/java/com/code_intelligence/jazzer/mutation/utils",
         "//src/main/java/com/code_intelligence/jazzer/utils:log",
     ],
diff --git a/tests/BUILD.bazel b/tests/BUILD.bazel
@@ -20,6 +20,28 @@ java_fuzz_target_test(
     verify_crash_input = False,
 )
 
+java_fuzz_target_test(
+    name = "DictionaryProviderFuzzerLongString",
+    srcs = [
+        "src/test/java/com/example/DictionaryProviderFuzzerLongString.java",
+    ],
+    allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
+    fuzzer_args = [
+        "-runs=10000",
+    ],
+    target_class = "com.example.DictionaryProviderFuzzerLongString",
+    verify_crash_input = False,
+    verify_crash_reproducer = False,
+    deps = [
+        "//deploy:jazzer-junit",
+        "//deploy:jazzer-project",
+        "@maven//:com_google_truth_truth",
+        "@maven//:org_junit_jupiter_junit_jupiter_api",
+        "@maven//:org_junit_jupiter_junit_jupiter_engine",
+        "@maven//:org_junit_platform_junit_platform_launcher",
+    ],
+)
+
 java_fuzz_target_test(
     name = "JpegImageParserAutofuzz",
     allowed_findings = ["java.lang.NegativeArraySizeException"],
diff --git a/tests/src/test/java/com/example/DictionaryProviderFuzzerLongString.java b/tests/src/test/java/com/example/DictionaryProviderFuzzerLongString.java
@@ -0,0 +1,138 @@
+/*
+ * Copyright 2024 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.example;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow;
+import com.code_intelligence.jazzer.junit.FuzzTest;
+import com.code_intelligence.jazzer.mutation.annotation.DictionaryProvider;
+import com.code_intelligence.jazzer.mutation.annotation.NotNull;
+import com.code_intelligence.jazzer.mutation.annotation.WithSize;
+import com.code_intelligence.jazzer.mutation.annotation.WithUtf8Length;
+import java.util.List;
+import java.util.stream.Stream;
+
+public class DictionaryProviderFuzzerLongString {
+  private static final String str00 = repeat("0123456789abcdef", 50);
+  private static final String str01 = repeat("sitting duck suprime", 53);
+  private static final String str10 = repeat("poa0189fbhBHOVBO781%", 30);
+  private static final String unused = repeat("XdeadbeefX", 21);
+
+  public static Stream<?> dict0() {
+    return Stream.of(
+        str00,
+        str01,
+        // We can mix all kinds of values in the same dictionary.
+        // Each mutator only takes the values it can use.
+        123,
+        4567899999L);
+  }
+
+  public static Stream<?> dict1() {
+    return Stream.of(str10);
+  }
+
+  public static Stream<?> emptyDict() {
+    return Stream.of();
+  }
+
+  public static Stream<?> unusedDictionary() {
+    return Stream.of(unused);
+  }
+
+  @FuzzTest
+  // Just propagate the dictionary to all types of the fuzz test method that can use it.
+  // Annotating individual String parameters is also possible.
+  @DictionaryProvider(
+      value = {"dict0"},
+      // Here we use a very low probability for picking dictionary values.
+      // It gets overwritten for some arguments below.
+      pInv = 1000000000)
+  public static void fuzzerTestOneInput(
+      @NotNull
+          // Extend the maximum length of the String so that the dictionary values can actually be
+          // used
+          @WithUtf8Length(max = 10000)
+          // The String mutator for this argument will use "dict1" and "emptyDict" with pInv = 2
+          // for all dictionary entries.
+          @DictionaryProvider(
+              value = {"emptyDict"},
+              // Set pInv = 2 for the String mutator
+              pInv = 2)
+          String data00,
+
+      // Identical annotations as for data00
+      @NotNull
+          @WithUtf8Length(max = 10000)
+          @DictionaryProvider(
+              value = {"emptyDict"},
+              pInv = 2)
+          String data01,
+
+      // The String mutator, inside the List mutator for this argument will use "dict0" and
+      // "dict1" with pInv = 2 for all dictionary entries.
+      // Note that the String mutator is not directly annotated, and gets annotated because
+      // @DictionaryProvider has PropertyConstraint.RECURSIVE
+      @DictionaryProvider(
+              value = {"dict1"},
+              pInv = 2)
+          @NotNull
+          @WithSize(max = 2)
+          List<@NotNull String> data1,
+
+      // The String mutator for this argument will use entries from
+      // @DictionaryProvider(value={"dict0"}, pInv = 1000000000), that get propagated here from the
+      // method annotation.
+      @NotNull String data2) {
+
+    // This should only happen 2:1000000000 times.
+    assertThat(data2.equals(str00)).isFalse();
+    assertThat(data2.equals(str01)).isFalse();
+
+    // Error: matched a long string from dictionary entry this variable was was NOT annotated with.
+    // This should never happen.
+    assertThat(data00.equals(str10)).isFalse();
+    assertThat(data00.equals(unused)).isFalse();
+    assertThat(data01.equals(str10)).isFalse();
+    assertThat(data01.equals(unused)).isFalse();
+    assertThat(data1.equals(unused)).isFalse();
+    assertThat(data2.equals(str10)).isFalse();
+    assertThat(data2.equals(unused)).isFalse();
+
+    /*
+     * libFuzzer's table of recent compares only allows 64 bytes, so asking the fuzzer to construct
+     * these long strings would run for a very very long time without finding them. However, with a
+     * @DictionaryProvider this problem is trivial, because we can directly provide these long strings to
+     * the fuzzer, and also force that they are used more often by setting pInv to a low value close to 2.
+     */
+    if (data00.equals(str00)
+        && data01.equals(str01)
+        && !data1.isEmpty()
+        && data1.get(0).equals(str10)) {
+      throw new FuzzerSecurityIssueLow("Found all long strings as expected");
+    }
+  }
+
+  private static String repeat(String str, int count) {
+    StringBuilder sb = new StringBuilder(str.length() * count);
+    for (int i = 0; i < count; i++) {
+      sb.append(str);
+    }
+    return sb.toString();
+  }
+}
