xref: /aosp_15_r20/external/jazzer-api/docs/common.md (revision 33edd6723662ea34453766bfdca85dbfdd5342b8) 
1## Common options and workflows
2
3* [Reproducing a finding](#reproducing-a-finding)
4* [Minimizing a crashing input](#minimizing-a-crashing-input)
5* [Parallel execution](#parallel-execution)
6* [Autofuzz mode](#autofuzz-mode)
7
8<!-- Created by https://github.com/ekalinin/github-markdown-toc -->
9
10### Reproducing a finding
11
12When Jazzer manages to find an input that causes an uncaught exception or a failed assertion, it prints a Java stack trace and creates two files that aid in reproducing the crash without Jazzer:
13
14* `crash-<sha1_of_input>` contains the raw bytes passed to the fuzz target (just as with libFuzzer C/C++ fuzz targets).
15  The crash can be reproduced with Jazzer by passing the path to the crash file as the only positional argument.
16* `Crash-<sha1_of_input>.java` contains a class with a `main` function that invokes the fuzz target with the crashing input.
17  This is especially useful if using `FuzzedDataProvider` as the raw bytes of the input do not directly correspond to the values consumed by the fuzz target.
18  The `.java` file can be compiled with just the fuzz target and its dependencies in the classpath (plus `jazzer_standalone.jar` or `com.code-intelligence:jazzer-api:<version>` if using `FuzzedDataProvider`).
19
20### Minimizing a crashing input
21
22Every crash stack trace is accompanied by a `DEDUP_TOKEN` that uniquely identifies the relevant parts of the stack trace.
23This value is used by libFuzzer while minimizing a crashing input to ensure that the smaller inputs reproduce the "same" bug.
24To minimize a crashing input, execute Jazzer with the following arguments in addition to `--cp` and `--target_class`:
25
26```bash
27-minimize_crash=1 <path/to/crashing_input>
28```
29
30### Parallel execution
31
32libFuzzer offers the `-fork=N` and `-jobs=N` flags for parallel fuzzing, both of which are also supported by Jazzer.
33
34### Autofuzz mode
35
36The Autofuzz mode enables fuzzing arbitrary methods without having to manually create fuzz targets.
37Instead, Jazzer will attempt to generate suitable and varied inputs to a specified methods using only public API functions available on the classpath.
38
39To use Autofuzz, specify the `--autofuzz` flag and provide a fully [qualified method reference](https://docs.oracle.com/javase/specs/jls/se8/html/jls-15.html#jls-15.13), e.g.:
40```
41--autofuzz=org.apache.commons.imaging.Imaging::getBufferedImage
42```
43To autofuzz a constructor the `ClassType::new` format can be used.
44If there are multiple overloads, and you want Jazzer to only fuzz one, you can optionally specify the signature of the method to fuzz:
45```
46--autofuzz=org.apache.commons.imaging.Imaging::getBufferedImage(java.io.InputStream,java.util.Map)
47```
48The format of the signature agrees with that obtained from the part after the `#` of the link to the Javadocs for the particular method.
49
50Under the hood, Jazzer tries various ways of creating objects from the fuzzer input.
51For example, if a parameter is an interface or an abstract class, it will look for all concrete implementing classes on the classpath.
52Jazzer can also create objects from classes that follow the [builder design pattern](https://www.baeldung.com/creational-design-patterns#builder) or have a default constructor and use setters to set the fields.
53
54Creating objects from fuzzer input can lead to many reported exceptions.
55Jazzer addresses this issue by ignoring exceptions that the target method declares to throw.
56In addition to that, you can provide a list of exceptions to be ignored during fuzzing via the `--autofuzz_ignore` flag in the form of a comma-separated list.
57You can specify concrete exceptions (e.g., `java.lang.NullPointerException`), in which case also subclasses of these exception classes will be ignored, or glob patterns to ignore all exceptions in a specific package (e.g. `java.lang.*` or `com.company.**`).
58
59