Missing known coverage when using jqf:repro
enzocardeal opened this issue · 4 comments
I'm fuzzing a login routine with jqf zest but I'm facing an issue. There are specific methods that I know for a fact that is called in every run but somehow are never logged when I call `mvn jqf:repro -DprintArgs -Dclass=br.usp.pcs.control.UserFuzzTest -Dmethod=testGetUser -Dinput=target/fuzz-results/br.usp.pcs.control.UserFuzzTest/testGetUser/corpus/id_000000 -DlogCoverage=coverage_0.out`.
For example:

```
(000000000) #<unknown>():0 --> br/usp/pcs/control/UserFuzzTest#<init>()V
(1036005377) br/usp/pcs/control/UserFuzzTest#testGetUser():32 --> br/usp/pcs/utils/StringUtils#convertInputStreamToString(Ljava/io/InputStream;)Ljava/lang/String;
(1036005380) br/usp/pcs/control/UserFuzzTest#testGetUser():39 [0]
(1036005386) br/usp/pcs/control/UserFuzzTest#testGetUser():49 --> org/json/simple/parser/JSONParser#<init>()V
(1388326913) com/sun/jna/IntegerType#<init>():62 --> com/sun/jna/IntegerType#<init>(IJZ)V
(1388331010) com/sun/jna/IntegerType#<init>():69 --> com/sun/jna/IntegerType#setValue(J)V
(1388335105) com/sun/jna/IntegerType#setValue():78 [-1]
(1388335118) com/sun/jna/IntegerType#setValue():106 [1]
(1572872195) br/usp/pcs/utils/StringUtils#convertInputStreamToString():15 [0]
(1572872195) br/usp/pcs/utils/StringUtils#convertInputStreamToString():15 [1]
(1610678273) de/mkammerer/argon2/BaseArgon2#verify():160 --> de/mkammerer/argon2/BaseArgon2#toByteArray([CLjava/nio/charset/Charset;)[B
(1610678274) de/mkammerer/argon2/BaseArgon2#verify():162 --> de/mkammerer/argon2/BaseArgon2#verifyBytes(Ljava/lang/String;[B)Z
(1610678275) de/mkammerer/argon2/BaseArgon2#verify():164 --> de/mkammerer/argon2/BaseArgon2#wipeArray([B)V
(1610682369) de/mkammerer/argon2/BaseArgon2#verify():170 --> de/mkammerer/argon2/BaseArgon2#verify(Ljava/lang/String;[CLjava/nio/charset/Charset;)Z
```
Line 1610678273 is called from `br/usp/pcs/utils/SecurityUtils#unhashPassword()` and the latter is called from `br/usp/pcs/control/User#getUser()`, but neither one is logged on coverage_0.out.
Do you know if the classes `SecurityUtils` and `User` are getting instrumented? I don't see any other coverage from those classes either in your log, so it might be the case that there was some issue when instrumenting them.

Try using the flag `-Djanala.verbose` to get a log of all instrumented classes and search for these. Do you get a `Done!` message or was there a problem reported (usually with an exception stacktrace)? You can additionally use the `-Dquiet` flag to prevent JQF from showing the continuously updating fuzzing-status screen, so that you can observe the instrumentation log properly.
I used `-Djanala.verbose` and was able to identify this error: `java.lang.IllegalArgumentException: Unsupported class file major version 62`.

Unfortunately, I lost the rest of the error log but it seems like janala was having an issue with openjdk-19. I've downgraded it to openjdk-17 and now it is instrumenting the code properly.
This is happening for JQF version 1.6
Thanks for the update. As an alternative to downgrading your JDK, you can also upgrade JQF's dependency on ASM to 9.4, which should support newer JDK versions.
I will make a release with an updated dependency on the latest ASM soon.
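The `Unsupported class file major version N` error seen in this thread is what a bytecode library such as ASM raises when a `.class` file was compiled for a newer Java release than the library knows how to parse. A quick way to confirm which release your compiled test classes target, before blaming the fuzzer, is to read the version header of the class files directly. The script below is an added example written for this thread; it is not part of JQF, Janala or ASM. It reads the magic number and version fields that the JVM specification places at the start of every class file and maps the major version to a Java release (52 = Java 8, and each later release adds one, so 61 = Java 17, 62 = Java 18). The `max_supported_major` value used in `__main__` (61) is an assumed illustration of a reader limited to Java 17 classes, not the actual limit of any JQF or ASM release.

```python
"""Report which Java release a set of .class files targets, and whether a bytecode
reader limited to a given major version can still parse them.
Added example for this thread; not part of JQF, Janala or ASM."""
import struct
from collections import Counter
from pathlib import Path

# JVM spec section 4.1: every class file starts with u4 magic 0xCAFEBABE,
# then u2 minor_version and u2 major_version, all big-endian.
# Constructed sample header: a class compiled for major version 62 (Java 18).
SAMPLE_CLASS_HEADER = bytes.fromhex("CAFEBABE 0000 003E")

# Major version -> Java release. From Java 5 on the release is simply major - 44.
_LEGACY_RELEASES = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4"}


def class_file_version(data: bytes) -> tuple[int, int]:
    """Return (major, minor) from the first 8 bytes of a class file."""
    if len(data) < 8:
        raise ValueError("not a class file: fewer than 8 bytes")
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError(f"not a class file: bad magic 0x{magic:08X}")
    return major, minor


def java_release(major: int) -> str:
    """Map a class file major version to the Java release that emits it."""
    if major < 45:
        raise ValueError(f"major version {major} predates Java 1.1")
    return _LEGACY_RELEASES.get(major, str(major - 44))


def diagnose(data: bytes, max_supported_major: int) -> str:
    """Explain whether a bytecode reader that understands class files up to
    max_supported_major can parse this class. Readers such as ASM's ClassReader
    reject anything newer with 'Unsupported class file major version N'."""
    major, minor = class_file_version(data)
    release = java_release(major)
    preview = " (preview features enabled)" if minor == 0xFFFF else ""
    if major > max_supported_major:
        limit_release = java_release(max_supported_major)
        return (f"major {major} = Java {release}{preview}: newer than the reader's limit "
                f"({max_supported_major} = Java {limit_release}); instrumentation will fail. "
                f"Compile with --release {limit_release} or upgrade the bytecode library.")
    return f"major {major} = Java {release}{preview}: readable by this library."


def scan_classes(root: Path) -> Counter:
    """Count .class files under root (e.g. target/classes) by major version."""
    counts: Counter = Counter()
    for path in root.rglob("*.class"):
        with path.open("rb") as f:
            counts[class_file_version(f.read(8))[0]] += 1
    return counts


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python classver.py target/test-classes
        for major, n in sorted(scan_classes(Path(sys.argv[1])).items()):
            print(f"major {major} (Java {java_release(major)}): {n} class file(s)")
    else:
        # Assumed limit for illustration only: a reader that knows classes up to Java 17.
        print(diagnose(SAMPLE_CLASS_HEADER, max_supported_major=61))
```

Run it against `target/classes` and `target/test-classes` after `mvn compile`; if the reported release is newer than the JDK the fuzzer's bytecode library supports, either build with a lower `--release` target (as the reporter did by moving to openjdk-17) or update the library, as the maintainer suggests for ASM.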