Description
Originally mentioned in #1024 (comment)
Autofuzz generates invalid code for multi-dimensional arrays such as int[][]. The Jazzer code uses Class#getName during code generation, however for arrays that uses the JVM type descriptor (e.g. [I), which is not valid in the generated Java code:
|
String.format("new %s[]{", type.getComponentType().getName()), ", ", "}"); |
This could be solved by using Class#getTypeName which returns the desired format, however its documentation makes no guarantees about the output. So it might be safer to create a custom method which produces the desired type string.
Reproduction steps
- Create a dummy Java class which takes a multi-dimensional array as input
package example;
public class Test {
public Test(int[][] i) {
if (i != null && i.length > 3) throw new RuntimeException();
}
}
- Compile that file and package the compiled file (
example/Test.class) in a JAR (e.g. example.jar)
- Run Autofuzz
./jazzer --cp=example.jar --autofuzz="example.Test::new"
Crash_....java
- Inspect the reproducer file
Crash_....java
❌ Bug: The generated reproducer contains invalid Java code new example.Test(new [I[]{...}); (note the [I)
Description
Originally mentioned in #1024 (comment)
Autofuzz generates invalid code for multi-dimensional arrays such as
int[][]. The Jazzer code usesClass#getNameduring code generation, however for arrays that uses the JVM type descriptor (e.g.[I), which is not valid in the generated Java code:jazzer/src/main/java/com/code_intelligence/jazzer/autofuzz/Meta.java
Line 499 in c6296b8
This could be solved by using
Class#getTypeNamewhich returns the desired format, however its documentation makes no guarantees about the output. So it might be safer to create a custom method which produces the desired type string.Reproduction steps
example/Test.class) in a JAR (e.g.example.jar)./jazzer --cp=example.jar --autofuzz="example.Test::new"Crash_....javaCrash_....java❌ Bug: The generated reproducer contains invalid Java code
new example.Test(new [I[]{...});(note the[I)