Skip to content

feat: add hook for Enum.valueOf #1031

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
onionpsy wants to merge 1 commit into
base: main
Choose a base branch
from
+101 −1
Open

feat: add hook for Enum.valueOf #1031

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions src/main/java/com/code_intelligence/jazzer/runtime/TraceCmpHooks.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -866,6 +866,53 @@ public static void mapGetOrDefault(
}
}

@MethodHook(
type = HookType.BEFORE,
targetClassName = "java.lang.Enum",
targetMethod = "valueOf",
targetMethodDescriptor = "(Ljava/lang/Class;Ljava/lang/String;)Ljava/lang/Enum;")
public static void enumValueOf(
MethodHandle method, Object alwaysNull, Object[] arguments, int hookId) {
if (arguments.length < 2) {
return;
}
Comment on lines +876 to +878
Copy link
Contributor

@Marcono1234 Marcono1234 Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out of curiositry: Given that this hook specifies targetMethodDescriptor, is it even possible that arguments.length < 2 is ever true?

Object enumTypeArg = arguments[0];
Object nameArg = arguments[1];
if (!(enumTypeArg instanceof Class) || !(nameArg instanceof String)) {
return;
}
Class<?> enumClass = (Class<?>) enumTypeArg;
if (enumClass == null || !enumClass.isEnum()) {
return;
}
String candidate = (String) nameArg;
if (candidate == null) {
return;
}
Comment on lines +885 to +891
Copy link
Contributor

@Marcono1234 Marcono1234 Jan 20, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These null checks might be redundant due to the instanceof checks above?

Suggested change
if (enumClass == null || !enumClass.isEnum()) {
return;
}
String candidate = (String) nameArg;
if (candidate == null) {
return;
}
if (!enumClass.isEnum()) {
return;
}
String candidate = (String) nameArg;

Respectively, given that the hook specifies targetMethodDescriptor, are the instanceof checks even needed, or would it be safe to just perform the casts and only have null checks then?


Enum<?>[] constants;
try {
constants = (Enum<?>[]) enumClass.getEnumConstants();
} catch (Exception | LinkageError ignored) {
return;
}
if (constants == null || constants.length == 0) {
return;
}

// Skip guidance if the target string is already valid.
for (Enum<?> enumConstant : constants) {
if (enumConstant.name().equals(candidate)) {
return;
}
}

// Guide the fuzzer towards a single valid enum
int index = Math.floorMod(candidate.hashCode(), constants.length);
Copy link
Contributor

@fmeum fmeum Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can jump around when candidate changes slightly, which could throw off the guidance. Instead, you could use a ClassValue to associate an Enum class with a sorted array of its values and then Arrays.binarySearch for the nearest valid value (perhaps ignoring case).

Copy link
Contributor

@oetr oetr Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am curious about the reasoning to go for the nearest enum value--why prefer it over any other enum value?

I am asking because I think there is a bias in libfuzzer's output (e.g. zeros are way more favored than anything else), and by taking the closest value, this bias gets propagated. WDYT?

Copy link
Contributor

@fmeum fmeum Jan 15, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Picking the nearest candidate isn't necessary, but I think that a particular guideTowardsEquality call (with a fixed hook id) should keep guiding towards the same target as long as the fuzzer keeps making progress towards the target tracked in the last iteration. I could see the behavior becoming erratic if the target changes as more bytes agree.

Copy link
Contributor Author

@onionpsy onionpsy Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I benchmarked the 3 solutions (binary search, random pick, hashcode based pick) by executing 50 times a fresh fuzz test with 1M executions.
It seems like distribution is slightly more spread in the binary search but not by a large margin. On the other hand it does increases the complexity.

Binary search with random pick for the neighbour:

SUPER_SECRET_SHADE   hits=76401   
YELLOW               hits=191745  
BBB                  hits=584921  
CCC                  hits=484576  
DDD                  hits=480848  
EEE                  hits=514521  
Total hits across all enum constants: 2333012

Hashcode pick (random pick has also very similar values):

SUPER_SECRET_SHADE   hits=66965   
YELLOW               hits=163662  
BBB                  hits=556240  
CCC                  hits=547206  
DDD                  hits=541491  
EEE                  hits=536563  
Total hits across all enum constants: 2412127

Enum<?> target = constants[index];
TraceDataFlowNativeCallbacks.traceStrcmp(candidate, target.name(), 1, hookId);
}

private static final class Bounds {
private final Object lower;
private final Object upper;
Expand Down
16 changes: 15 additions & 1 deletion tests/BUILD.bazel
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -701,7 +701,7 @@ java_fuzz_target_test(
srcs = ["src/test/java/com/example/SetFuzzer.java"],
allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium"],
fuzzer_args = [
"-runs=1000000",
"-runs=100000",
],
target_class = "com.example.SetFuzzer",
verify_crash_reproducer = False,
Expand All @@ -710,6 +710,20 @@ java_fuzz_target_test(
],
)

java_fuzz_target_test(
name = "EnumFuzzer",
srcs = ["src/test/java/com/example/EnumFuzzer.java"],
allowed_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium"],
fuzzer_args = [
"-runs=100000",
],
target_class = "com.example.EnumFuzzer",
verify_crash_reproducer = False,
deps = [
"//src/main/java/com/code_intelligence/jazzer/mutation/annotation",
],
)

sh_test(
name = "jazzer_from_path_test",
srcs = ["src/test/shell/jazzer_from_path_test.sh"],
Expand Down
39 changes: 39 additions & 0 deletions tests/src/test/java/com/example/EnumFuzzer.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
/*
* Copyright 2024 Code Intelligence GmbH
Copy link
Contributor

@Marcono1234 Marcono1234 Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be 2026? (or does it not matter much?)

Suggested change
* Copyright 2024 Code Intelligence GmbH
* Copyright 2026 Code Intelligence GmbH

*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package com.example;

import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium;
import com.code_intelligence.jazzer.mutation.annotation.NotNull;

public class EnumFuzzer {
private enum SampleColor {
RED,
GREEN,
BLUE,
SUPER_SECRET_SHADE
}

public static void fuzzerTestOneInput(@NotNull String value) {
try {
SampleColor color = SampleColor.valueOf(value);
if (color == SampleColor.SUPER_SECRET_SHADE) {
throw new FuzzerSecurityIssueMedium("Enum matched: " + color);
}
} catch (IllegalArgumentException ignored) {
}
}
}
Loading