fix: fuzz test invocation with referring protobufs #995
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR fixes a bug where fuzz tests with multiple protobuf message parameters fail with "argument type mismatch" errors when one message type is a submessage of another. The fix adds the message class to the mutator cache key, preventing incorrect reuse of DynamicMessage mutators for concrete message types.
Changes
- Modified the
CacheKeyclass to include the message class alongside the descriptor and anySource - Added a regression test to verify fuzz test invocation with referring protobufs
- Re-enabled a previously commented-out fuzz test that was failing due to this bug
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| BuilderMutatorFactory.java | Updated CacheKey to include message class in cache key, fixing mutator reuse for nested protobuf messages |
| ArgumentsMutatorTest.java | Added regression test testProtoWithSubmessage() to verify the fix |
| ArgumentsMutatorFuzzTest.java | Re-enabled fuzz_MutuallyReferringProtobufs test that was previously failing |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
src/test/java/com/code_intelligence/jazzer/mutation/ArgumentsMutatorTest.java
Outdated
Show resolved
Hide resolved
simonresch
force-pushed
the
CIF-1811-proto-with-subproto
branch
from
b9432e0 to
b7f980a
Compare
simonresch
force-pushed
the
CIF-1811-proto-with-subproto
branch
2 times, most recently
from
79574a5 to
f845260
Compare
There was a problem hiding this comment.
Nice fix!
I think, we could prevent these sort of bugs entirely, if we changed the HashMap internedMutators from global to per fuzz test argument. Like this, cycles in recursive protos will still be broken like before, but the fuzz test arguments will not influence each other's cached internedMutators.
src/test/java/com/code_intelligence/jazzer/mutation/ArgumentsMutatorTest.java
Outdated
Show resolved
Hide resolved
When constructing a mutator for a protobuf message the mutator is cached based on the protobuf descriptor. This led to issues for fuzz tests that take two protobuf messages where one message is referring to the other. While building the mutator for the top level message nested messages are constructed with the type `DynamicMessage` which lead to 'argument type mismatch' exceptions when invoking the fuzz test method. This is fixed by including the message class in the mutator cache key.
simonresch
force-pushed
the
CIF-1811-proto-with-subproto
branch
from
f845260 to
fbc26c0
Compare
I was thinking in this direction as well, however I could not find a clean entry point to separate the WDYT, is this worth investigating further? Do you expect any downsides from breaking the recursion one layer deeper? |
I don't see any downsides, it's a great solution with minimal changes that can and should be merged already! I am a bit scared of temporary protobuf enum mutators (or others) ending up in Sharing state between mutators can be done by wiring it though |
When constructing a mutator for a protobuf message the mutator is cached based on the protobuf descriptor. This led to issues for fuzz tests that take two protobuf messages where one message is referring to the other.
While building the mutator for the top level message nested messages are constructed with the type
DynamicMessagewhich lead to 'argument type mismatch' exceptions when invoking the fuzz test method. This is fixed by including the message class in the mutator cache key which ensures that a generated protobuf message class does not re-use the correspondingDynamicMessagemutator.Note, that this causes some recursion breaking to happen one layer deeper (see test assertion changes).