feat: add Autofuzz constructor excludes option

Author: oetr

src/main/java/com/code_intelligence/jazzer/autofuzz/BUILD.bazel

@@ -4,6 +4,7 @@ java_library(
         "AccessibleObjectLookup.java",
         "AutofuzzCodegenVisitor.java",
         "AutofuzzError.java",
+        "ConstructorExclusions.java",
         "FuzzTarget.java",
         "Meta.java",
         "YourAverageJavaClass.java",

src/main/java/com/code_intelligence/jazzer/autofuzz/ConstructorExclusions.java

@@ -0,0 +1,139 @@
+/*
+ * Copyright 2024 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.code_intelligence.jazzer.autofuzz;
+
+import com.code_intelligence.jazzer.utils.Utils;
+import java.lang.reflect.Constructor;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+final class ConstructorExclusions {
+  private static final String CONSTRUCTOR_REFERENCE = "::new";
+  private static final ConstructorExclusions EMPTY =
+      new ConstructorExclusions(Collections.emptySet());
+
+  static ConstructorExclusions empty() {
+    return EMPTY;
+  }
+
+  static ConstructorExclusions from(
+      List<String> constructorReferences, AccessibleObjectLookup lookup) {
+    return constructorReferences.isEmpty()
+        ? EMPTY
+        : new ConstructorExclusions(
+            constructorReferences.stream()
+                .map(String::trim)
+                .filter(reference -> !reference.isEmpty())
+                .map(reference -> resolveConstructorReference(reference, lookup))
+                .collect(
+                    Collectors.collectingAndThen(
+                        Collectors.toCollection(LinkedHashSet::new),
+                        Collections::unmodifiableSet)));
+  }
+
+  private final Set<String> excludedConstructorReferences;
+
+  private ConstructorExclusions(Set<String> excludedConstructorReferences) {
+    this.excludedConstructorReferences = excludedConstructorReferences;
+  }
+
+  boolean isExcluded(Constructor<?> constructor) {
+    return !excludedConstructorReferences.isEmpty()
+        && excludedConstructorReferences.contains(toConstructorReference(constructor));
+  }
+
+  private static String toConstructorReference(Constructor<?> constructor) {
+    return constructor.getDeclaringClass().getName()
+        + CONSTRUCTOR_REFERENCE
+        + Utils.getReadableDescriptor(constructor);
+  }
+
+  private static String resolveConstructorReference(
+      String reference, AccessibleObjectLookup lookup) {
+    int separator = reference.indexOf(CONSTRUCTOR_REFERENCE);
+    if (separator <= 0 || separator != reference.lastIndexOf(CONSTRUCTOR_REFERENCE)) {
+      throw invalidConstructorReference(reference);
+    }
+
+    String className = reference.substring(0, separator);
+    String descriptor = reference.substring(separator + CONSTRUCTOR_REFERENCE.length());
+    if (!descriptor.startsWith("(")
+        || !descriptor.endsWith(")")
+        || descriptor.indexOf(')') != descriptor.length() - 1) {
+      throw invalidConstructorReference(reference);
+    }
+
+    Class<?> clazz = loadClass(reference, className);
+    Constructor<?>[] constructors = lookup.getAccessibleConstructors(clazz);
+    List<Constructor<?>> matchingConstructors =
+        Arrays.stream(constructors)
+            .filter(constructor -> Utils.getReadableDescriptor(constructor).equals(descriptor))
+            .collect(Collectors.toList());
+
+    if (matchingConstructors.size() == 1) {
+      return toConstructorReference(matchingConstructors.get(0));
+    }
+    throw noMatchingConstructor(reference, clazz, constructors);
+  }
+
+  private static Class<?> loadClass(String reference, String className) {
+    try {
+      return Class.forName(className, false, ClassLoader.getSystemClassLoader());
+    } catch (ClassNotFoundException e) {
+      throw classNotFound(reference, className, e);
+    }
+  }
+
+  private static IllegalArgumentException invalidConstructorReference(String reference) {
+    return new IllegalArgumentException(
+        String.format(
+            "Invalid Autofuzz constructor exclude '%s'; expected exact constructor reference like"
+                + " 'com.example.Dangerous::new(int,java.util.Random)'",
+            reference));
+  }
+
+  private static IllegalArgumentException classNotFound(
+      String reference, String className, ClassNotFoundException cause) {
+    return new IllegalArgumentException(
+        String.format(
+            "Invalid Autofuzz constructor exclude '%s'; class '%s' could not be found",
+            reference, className),
+        cause);
+  }
+
+  private static IllegalArgumentException noMatchingConstructor(
+      String reference, Class<?> clazz, Constructor<?>[] constructors) {
+    return new IllegalArgumentException(
+        String.format(
+            "Invalid Autofuzz constructor exclude '%s'; no accessible constructor with this"
+                + " descriptor found in %s.%nAccessible constructors:%n%s",
+            reference, clazz.getName(), formatConstructorReferences(constructors)));
+  }
+
+  private static String formatConstructorReferences(Constructor<?>[] constructors) {
+    if (constructors.length == 0) {
+      return "<none>";
+    }
+    return Arrays.stream(constructors)
+        .map(ConstructorExclusions::toConstructorReference)
+        .collect(Collectors.joining(System.lineSeparator()));
+  }
+}

src/main/java/com/code_intelligence/jazzer/autofuzz/FuzzTarget.java

@@ -34,7 +34,9 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -51,6 +53,7 @@ public final class FuzzTarget {
           + "}";
   private static final long MAX_EXECUTIONS_WITHOUT_INVOCATION = 100;
 
+  private static List<String> constructorExcludeReferences = Collections.emptyList();
   private static Meta meta;
   private static String methodReference;
   private static Executable[] targetExecutables;
@@ -59,6 +62,10 @@ public final class FuzzTarget {
   private static Set<SimpleGlobMatcher> ignoredExceptionMatchers;
   private static long executionsSinceLastInvocation = 0;
 
+  public static void setConstructorExcludeReferences(List<String> references) {
+    constructorExcludeReferences = Collections.unmodifiableList(new ArrayList<>(references));
+  }
+
   public static void fuzzerInitialize(String[] args) {
     if (args.length == 0 || !args[0].contains("::")) {
       Log.error(
@@ -245,8 +252,22 @@ public static void fuzzerInitialize(String[] args) {
                                 Arrays.stream(method.getExceptionTypes()), alwaysIgnore.stream())
                             .toArray(Class[]::new)));
 
+    ConstructorExclusions constructorExclusions;
+    try {
+      constructorExclusions = ConstructorExclusions.from(constructorExcludeReferences, lookup);
+    } catch (IllegalArgumentException e) {
+      Log.error(e.getMessage());
+      System.exit(1);
+      return;
+    }
+
     setTarget(
-        executables, null, methodSignature, ignoredExceptionGlobMatchers, ignoredExceptionClasses);
+        executables,
+        null,
+        methodSignature,
+        ignoredExceptionGlobMatchers,
+        ignoredExceptionClasses,
+        constructorExclusions);
   }
 
   /**
@@ -259,6 +280,22 @@ public static void setTarget(
       String methodReference,
       Set<SimpleGlobMatcher> ignoredExceptionMatchers,
       Map<Executable, Class<?>[]> throwsDeclarations) {
+    setTarget(
+        targetExecutables,
+        targetInstance,
+        methodReference,
+        ignoredExceptionMatchers,
+        throwsDeclarations,
+        ConstructorExclusions.empty());
+  }
+
+  private static void setTarget(
+      Executable[] targetExecutables,
+      Object targetInstance,
+      String methodReference,
+      Set<SimpleGlobMatcher> ignoredExceptionMatchers,
+      Map<Executable, Class<?>[]> throwsDeclarations,
+      ConstructorExclusions constructorExclusions) {
     Class<?> targetClass = null;
     for (Executable executable : targetExecutables) {
       if (targetClass != null && !targetClass.equals(executable.getDeclaringClass())) {
@@ -269,7 +306,7 @@ public static void setTarget(
       executable.setAccessible(true);
     }
 
-    FuzzTarget.meta = new Meta(targetClass);
+    FuzzTarget.meta = new Meta(targetClass, constructorExclusions);
     FuzzTarget.targetExecutables = targetExecutables;
     FuzzTarget.targetInstance = targetInstance;
     FuzzTarget.methodReference = methodReference;

src/main/java/com/code_intelligence/jazzer/autofuzz/Meta.java

@@ -72,9 +72,15 @@ public class Meta {
       new WeakHashMap<>();
 
   private final AccessibleObjectLookup lookup;
+  private final ConstructorExclusions constructorExclusions;
 
   public Meta(Class<?> referenceClass) {
+    this(referenceClass, ConstructorExclusions.empty());
+  }
+
+  Meta(Class<?> referenceClass, ConstructorExclusions constructorExclusions) {
     lookup = new AccessibleObjectLookup(referenceClass);
+    this.constructorExclusions = constructorExclusions;
   }
 
   @SuppressWarnings("unchecked")
@@ -610,7 +616,7 @@ Object consume(FuzzedDataProvider data, Type genericType, AutofuzzCodegenVisitor
       if (visitor != null) {
         throw new AutofuzzError("codegen has not been implemented for Constructor.class");
       }
-      return data.pickValue(lookup.getAccessibleConstructors(YourAverageJavaClass.class));
+      return data.pickValue(getAccessibleConstructors(YourAverageJavaClass.class));
     } else if (type.isInterface() || Modifier.isAbstract(type.getModifiers())) {
       List<Class<?>> implementingClasses = implementingClassesCache.get(type);
       if (implementingClasses == null) {
@@ -665,7 +671,7 @@ Object consume(FuzzedDataProvider data, Type genericType, AutofuzzCodegenVisitor
       }
       return result;
     }
-    Constructor<?>[] constructors = lookup.getAccessibleConstructors(type);
+    Constructor<?>[] constructors = getAccessibleConstructors(type);
     if (constructors.length > 0) {
       Constructor<?> constructor = data.pickValue(constructors);
       boolean applySetters = constructor.getParameterCount() == 0;
@@ -701,7 +707,10 @@ Object consume(FuzzedDataProvider data, Type genericType, AutofuzzCodegenVisitor
 
     // First, try to find nested classes with names ending in Builder and call a subset of their
     // chaining methods.
-    List<Class<?>> nestedBuilderClasses = getNestedBuilderClasses(type);
+    List<Class<?>> nestedBuilderClasses =
+        getNestedBuilderClasses(type).stream()
+            .filter(builder -> getAccessibleConstructors(builder).length > 0)
+            .collect(Collectors.toList());
     if (!nestedBuilderClasses.isEmpty()) {
       Class<?> pickedBuilder = data.pickValue(nestedBuilderClasses);
       List<Method> cascadingBuilderMethods = getCascadingBuilderMethods(pickedBuilder);
@@ -717,7 +726,7 @@ Object consume(FuzzedDataProvider data, Type genericType, AutofuzzCodegenVisitor
       }
       Object builderObj =
           autofuzzForConsume(
-              data, data.pickValue(lookup.getAccessibleConstructors(pickedBuilder)), visitor);
+              data, data.pickValue(getAccessibleConstructors(pickedBuilder)), visitor);
       for (Method method : pickedMethods) {
         builderObj = autofuzzForConsume(data, method, builderObj, visitor);
       }
@@ -741,7 +750,7 @@ Object consume(FuzzedDataProvider data, Type genericType, AutofuzzCodegenVisitor
               "Failed to generate instance of %s:%nAccessible constructors: %s%nNested subclasses:"
                   + " %s%n",
               type.getName(),
-              Arrays.stream(lookup.getAccessibleConstructors(type))
+              Arrays.stream(getAccessibleConstructors(type))
                   .map(Utils::getReadableDescriptor)
                   .collect(Collectors.joining(", ")),
               Arrays.stream(lookup.getAccessibleClasses(type))
@@ -766,6 +775,12 @@ private List<Class<?>> getNestedBuilderClasses(Class<?> type) {
     return nestedBuilderClasses;
   }
 
+  private Constructor<?>[] getAccessibleConstructors(Class<?> type) {
+    return Arrays.stream(lookup.getAccessibleConstructors(type))
+        .filter(constructor -> !constructorExclusions.isExcluded(constructor))
+        .toArray(Constructor<?>[]::new);
+  }
+
   private List<Method> getOriginalObjectCreationMethods(Class<?> builder) {
     List<Method> originalObjectCreationMethods = originalObjectCreationMethodsCache.get(builder);
     if (originalObjectCreationMethods == null) {

src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java

@@ -68,11 +68,16 @@ public final class FuzzTargetRunner {
         Log.error("--autofuzz_ignore requires --autofuzz");
         exit(1);
       }
+      if (!Opt.autofuzzConstructorExcludes.get().isEmpty()) {
+        Log.error("--autofuzz_constructor_excludes requires --autofuzz");
+        exit(1);
+      }
     } else {
       if (!Opt.targetClass.get().isEmpty()) {
         Log.error("--target_class and --autofuzz cannot be specified together");
         exit(1);
       }
+      FuzzTarget.setConstructorExcludeReferences(Opt.autofuzzConstructorExcludes.get());
       if (!Opt.targetArgs.setIfDefault(
           unmodifiableList(
               concat(Stream.of(Opt.autofuzz.get()), Opt.autofuzzIgnore.get().stream())

src/main/java/com/code_intelligence/jazzer/driver/Opt.java

@@ -105,6 +105,11 @@ public final class Opt {
           "autofuzz_ignore",
           ',',
           "Fully qualified names of exception classes to ignore during fuzzing");
+  public static final OptItem<List<String>> autofuzzConstructorExcludes =
+      stringListSetting(
+          "autofuzz_constructor_excludes",
+          ';',
+          "Exact constructor references to exclude during Autofuzz argument construction");
   public static final OptItem<String> coverageDump =
       stringSetting(
           "coverage_dump",

src/test/java/com/code_intelligence/jazzer/autofuzz/BUILD.bazel

@@ -21,6 +21,19 @@ java_test(
     ],
 )
 
+java_test(
+    name = "ConstructorExclusionsTest",
+    size = "small",
+    srcs = [
+        "ConstructorExclusionsTest.java",
+    ],
+    test_class = "com.code_intelligence.jazzer.autofuzz.ConstructorExclusionsTest",
+    deps = [
+        "//src/main/java/com/code_intelligence/jazzer/autofuzz",
+        "@maven//:junit_junit",
+    ],
+)
+
 java_test(
     name = "InterfaceCreationTest",
     size = "small",