BREAKING feat: use mutation framework for single-byte[] fuzz tests

oetr · oetr · commit 6a892499a63d · 2026-02-27T13:28:31.000+01:00
diff --git a/selffuzz/src/test/java/com/code_intelligence/selffuzz/mutation/ArgumentsMutatorFuzzTest.java b/selffuzz/src/test/java/com/code_intelligence/selffuzz/mutation/ArgumentsMutatorFuzzTest.java
@@ -226,6 +226,8 @@ void fuzzPrimitiveArrays(
     if (l0 != null) assertThat(l0.length).isAtMost(3);
     if (by0 != null) assertThat(by0.length).isAtMost(3);
     if (s0 != null) assertThat(s0.length).isAtMost(3);
+    if (b1 != null) assertThat(b1.length).isAtMost(1000);
+    if (by1 != null) assertThat(by1.length).isAtMost(4096);
   }
 
   enum MyEnum {
diff --git a/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java b/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java
@@ -140,7 +140,7 @@ public final class FuzzTargetRunner {
     useMutatorFramework =
         Opt.mutatorFramework.get()
             && Opt.autofuzz.get().isEmpty()
-            && !(fuzzTarget.usesPrimitiveByteArray() || fuzzTarget.usesFuzzedDataProvider());
+            && !fuzzTarget.usesFuzzedDataProvider();
 
     useFuzzedDataProvider = fuzzTarget.usesFuzzedDataProvider();
     if (!useFuzzedDataProvider && IS_ANDROID) {
diff --git a/src/main/java/com/code_intelligence/jazzer/mutation/mutator/lang/PrimitiveArrayMutatorFactory.java b/src/main/java/com/code_intelligence/jazzer/mutation/mutator/lang/PrimitiveArrayMutatorFactory.java
@@ -73,6 +73,8 @@ public Optional<SerializingMutator<?>> tryCreate(
   public static final class PrimitiveArrayMutator<T> extends SerializingMutator<T> {
     private static final int DEFAULT_MIN_LENGTH = 0;
     private static final int DEFAULT_MAX_LENGTH = 1000;
+    // This default is chosen to match libFuzzer's default max length for byte arrays.
+    private static final int DEFAULT_BYTE_ARRAY_MAX_LENGTH = 4096;
     private static final Charset FUZZED_DATA_CHARSET = Charset.forName("CESU-8");
     private long minRange;
     private long maxRange;
@@ -216,7 +218,12 @@ private void extractRange(AnnotatedType type) {
     private void extractLength(AnnotatedType type) {
       Optional<WithLength> withLength = Optional.ofNullable(type.getAnnotation(WithLength.class));
       minLength = withLength.map(WithLength::min).orElse(DEFAULT_MIN_LENGTH);
-      maxLength = withLength.map(WithLength::max).orElse(DEFAULT_MAX_LENGTH);
+      // Different default max lengths for byte[] and other primitive arrays to match libFuzzer.
+      int defaultMaxLength =
+          type.getType().getTypeName().equals("byte[]")
+              ? DEFAULT_BYTE_ARRAY_MAX_LENGTH
+              : DEFAULT_MAX_LENGTH;
+      maxLength = withLength.map(WithLength::max).orElse(defaultMaxLength);
     }
 
     private AnnotatedType convertWithLength(AnnotatedType type, AnnotatedType newType) {
diff --git a/src/test/java/com/code_intelligence/jazzer/mutation/mutator/lang/PrimitiveArrayMutatorTest.java b/src/test/java/com/code_intelligence/jazzer/mutation/mutator/lang/PrimitiveArrayMutatorTest.java
@@ -24,10 +24,19 @@
 import static com.code_intelligence.jazzer.mutation.mutator.lang.PrimitiveArrayMutatorFactory.PrimitiveArrayMutator.getLongPrimitiveArray;
 import static com.code_intelligence.jazzer.mutation.mutator.lang.PrimitiveArrayMutatorFactory.PrimitiveArrayMutator.getShortPrimitiveArray;
 import static com.code_intelligence.jazzer.mutation.mutator.lang.PrimitiveArrayMutatorFactory.PrimitiveArrayMutator.makePrimitiveArrayToBytesConverter;
+import static com.code_intelligence.jazzer.mutation.support.TypeSupport.notNull;
+import static com.code_intelligence.jazzer.mutation.support.TypeSupport.withLength;
 import static com.google.common.truth.Truth.assertThat;
 import static org.junit.jupiter.params.provider.Arguments.arguments;
 
+import com.code_intelligence.jazzer.mutation.api.SerializingMutator;
+import com.code_intelligence.jazzer.mutation.engine.ChainedMutatorFactory;
 import com.code_intelligence.jazzer.mutation.support.TypeHolder;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
 import java.lang.reflect.AnnotatedArrayType;
 import java.lang.reflect.AnnotatedType;
 import java.util.function.Function;
@@ -636,4 +645,68 @@ void testRoundTrip_bytes(byte[] numbers) {
     assertThat(libfuzzerBytesToBytes.apply(bytesToLibfuzzerBytes.apply(numbers)))
         .isEqualTo(numbers);
   }
+
+  /*
+  Testing that the  maxRange for the byte[] type is 4096 bytes, which is the default max range for byte[] in Jazzer.
+  This is important to ensure that the mutator does not generate byte arrays that are too large, which could lead to out-of-memory errors during fuzzing.
+   */
+  static Stream<Arguments> byteArrayLength() {
+    AnnotatedType defaultLen = new TypeHolder<byte[]>() {}.annotatedType();
+    AnnotatedType defaultLenNN = notNull(new TypeHolder<byte[]>() {}.annotatedType());
+    AnnotatedType withLen_10_20 = withLength(new TypeHolder<byte[]>() {}.annotatedType(), 10, 20);
+    AnnotatedType withLen_10_5000 =
+        withLength(new TypeHolder<byte[]>() {}.annotatedType(), 10, 5000);
+    AnnotatedType withLen_10_20_NN =
+        withLength(notNull(new TypeHolder<byte[]>() {}.annotatedType()), 10, 20);
+    AnnotatedType withLen_10_5000_NN =
+        withLength(notNull(new TypeHolder<byte[]>() {}.annotatedType()), 10, 5000);
+    // type, numBytes to serialize with write(), expectedNumBytes after deserialization with read()
+    return Stream.of(
+        arguments(defaultLen, 5000, 4096),
+        arguments(defaultLen, 100, 100),
+        arguments(defaultLen, 0, 0),
+        arguments(defaultLenNN, 5000, 4096),
+        arguments(defaultLenNN, 100, 100),
+        arguments(defaultLenNN, 0, 0),
+        arguments(withLen_10_20, 15, 15),
+        arguments(withLen_10_20, 25, 20),
+        arguments(withLen_10_5000, 15, 15),
+        arguments(withLen_10_5000, 25, 25),
+        arguments(withLen_10_5000, 5000, 5000),
+        arguments(withLen_10_5000, 10000, 5000),
+        arguments(withLen_10_20_NN, 15, 15),
+        arguments(withLen_10_20_NN, 25, 20),
+        arguments(withLen_10_5000_NN, 15, 15),
+        arguments(withLen_10_5000_NN, 25, 25),
+        arguments(withLen_10_5000_NN, 5000, 5000),
+        arguments(withLen_10_5000_NN, 10000, 5000));
+  }
+
+  @ParameterizedTest
+  @MethodSource("byteArrayLength")
+  public void testByteArrayMaxRange_writeReadWithLength(
+      AnnotatedType type, int serializationLength, int expectedReadLength) throws IOException {
+    ChainedMutatorFactory factory = ChainedMutatorFactory.of(LangMutators.newFactories());
+    SerializingMutator<byte[]> mutator = (SerializingMutator<byte[]>) factory.createOrThrow(type);
+
+    byte[] serialized;
+
+    // serialize with write()
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+    mutator.write(new byte[serializationLength], new DataOutputStream(baos));
+    serialized = baos.toByteArray();
+
+    // deserialize with read()
+    byte[] data = mutator.read(new DataInputStream(new ByteArrayInputStream(serialized)));
+    assertThat(data.length).isEqualTo(expectedReadLength);
+
+    // serialize with writeExclusive()
+    baos = new ByteArrayOutputStream();
+    mutator.writeExclusive(new byte[serializationLength], new DataOutputStream(baos));
+    serialized = baos.toByteArray();
+
+    // deserialize with readExclusive()
+    data = mutator.readExclusive(new DataInputStream(new ByteArrayInputStream(serialized)));
+    assertThat(data.length).isEqualTo(expectedReadLength);
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -226,6 +226,8 @@ void fuzzPrimitiveArrays(`
`226`	`226`	`if (l0 != null) assertThat(l0.length).isAtMost(3);`
`227`	`227`	`if (by0 != null) assertThat(by0.length).isAtMost(3);`
`228`	`228`	`if (s0 != null) assertThat(s0.length).isAtMost(3);`
	`229`	`+ if (b1 != null) assertThat(b1.length).isAtMost(1000);`
	`230`	`+ if (by1 != null) assertThat(by1.length).isAtMost(4096);`
`229`	`231`	`}`
`230`	`232`
`231`	`233`	`enum MyEnum {`