feat: ensure correct length constraints for char[] mutation

Author: kyakdan

examples/junit/src/test/java/com/example/BUILD.bazel

@@ -224,6 +224,23 @@ java_fuzz_target_test(
     ],
 )
 
+java_fuzz_target_test(
+    name = "CharArrayWithLengthFuzzTest",
+    srcs = ["CharArrayWithLengthFuzzTest.java"],
+    allowed_findings = ["java.lang.RuntimeException"],
+    tags = ["no-jdk8"],
+    target_class = "com.example.CharArrayWithLengthFuzzTest",
+    verify_crash_reproducer = False,
+    runtime_deps = [
+        ":junit_runtime",
+    ],
+    deps = [
+        "//src/main/java/com/code_intelligence/jazzer/junit:fuzz_test",
+        "@maven//:org_junit_jupiter_junit_jupiter_api",
+        "@maven//:org_mockito_mockito_core",
+    ],
+)
+
 java_fuzz_target_test(
     name = "MutatorFuzzTest",
     srcs = ["MutatorFuzzTest.java"],

examples/junit/src/test/java/com/example/CharArrayWithLengthFuzzTest.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2025 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.example;
+
+import com.code_intelligence.jazzer.junit.FuzzTest;
+import com.code_intelligence.jazzer.mutation.annotation.NotNull;
+import com.code_intelligence.jazzer.mutation.annotation.WithLength;
+import java.nio.charset.Charset;
+
+public class CharArrayWithLengthFuzzTest {
+  @FuzzTest
+  public void fuzzCharArray(char @NotNull @WithLength(max = 5) [] data) {
+    String expression = new String(data);
+    // Each '中' character is encoded using three bytes with CESU8. To satisfy this check, the
+    // underlying CESU8-encoded byte array should have at least 15 bytes.
+    if (expression.equals("中中中中中")) {
+      assert expression.getBytes(Charset.forName("CESU-8")).length == 15;
+      throw new RuntimeException("Found evil code");
+    }
+  }
+}

src/main/java/com/code_intelligence/jazzer/mutation/mutator/lang/PrimitiveArrayMutatorFactory.java

@@ -43,6 +43,7 @@
 import java.lang.reflect.AnnotatedType;
 import java.nio.ByteBuffer;
 import java.nio.charset.Charset;
+import java.util.Arrays;
 import java.util.Optional;
 import java.util.function.BiFunction;
 import java.util.function.Function;
@@ -75,6 +76,8 @@ public static final class PrimitiveArrayMutator<T> extends SerializingMutator<T>
     private static final Charset FUZZED_DATA_CHARSET = Charset.forName("CESU-8");
     private long minRange;
     private long maxRange;
+    private int minLength;
+    private int maxLength;
     private boolean allowNaN;
     private float minFloatRange;
     private float maxFloatRange;
@@ -90,6 +93,7 @@ public static final class PrimitiveArrayMutator<T> extends SerializingMutator<T>
     public PrimitiveArrayMutator(AnnotatedType type) {
       elementType = ((AnnotatedArrayType) type).getAnnotatedGenericComponentType();
       extractRange(elementType);
+      extractLength(type);
       AnnotatedType innerByteArray =
           forwardAnnotations(
               type, convertWithLength(type, new TypeHolder<byte[]>() {}.annotatedType()));
@@ -209,11 +213,14 @@ private void extractRange(AnnotatedType type) {
       }
     }
 
-    private static AnnotatedType convertWithLength(AnnotatedType type, AnnotatedType newType) {
-      AnnotatedType elementType = ((AnnotatedArrayType) type).getAnnotatedGenericComponentType();
+    private void extractLength(AnnotatedType type) {
       Optional<WithLength> withLength = Optional.ofNullable(type.getAnnotation(WithLength.class));
-      int minLength = withLength.map(WithLength::min).orElse(DEFAULT_MIN_LENGTH);
-      int maxLength = withLength.map(WithLength::max).orElse(DEFAULT_MAX_LENGTH);
+      minLength = withLength.map(WithLength::min).orElse(DEFAULT_MIN_LENGTH);
+      maxLength = withLength.map(WithLength::max).orElse(DEFAULT_MAX_LENGTH);
+    }
+
+    private AnnotatedType convertWithLength(AnnotatedType type, AnnotatedType newType) {
+      AnnotatedType elementType = ((AnnotatedArrayType) type).getAnnotatedGenericComponentType();
       switch (elementType.getType().getTypeName()) {
         case "int":
         case "float":
@@ -222,8 +229,11 @@ private static AnnotatedType convertWithLength(AnnotatedType type, AnnotatedType
         case "double":
           return withLength(newType, minLength * 8, maxLength * 8);
         case "short":
-        case "char":
           return withLength(newType, minLength * 2, maxLength * 2);
+        case "char":
+          // CESU-8 encodes each UTF-16 char (including surrogates) as at most 3 bytes.
+          // So a char[] of length n needs at most 3 * n bytes.
+          return withLength(newType, minLength * 3, maxLength * 3);
         case "boolean":
         case "byte":
           return withLength(newType, minLength, maxLength);
@@ -241,7 +251,7 @@ private static AnnotatedType convertWithLength(AnnotatedType type, AnnotatedType
         case "short":
           return getShortPrimitiveArray(minRange, maxRange);
         case "char":
-          return getCharPrimitiveArray(minRange, maxRange);
+          return getCharPrimitiveArray(minRange, maxRange, minLength, maxLength);
         case "float":
           return getFloatPrimitiveArray(minFloatRange, maxFloatRange, allowNaN);
         case "double":
@@ -263,9 +273,16 @@ public char[] postMutateChars(byte[] bytes, PseudoRandom prng) {
         return (char[]) toPrimitive.apply(bytes);
       } else {
         char[] chars = new String(bytes, FUZZED_DATA_CHARSET).toCharArray();
+
         for (int i = 0; i < chars.length; i++) {
           chars[i] = (char) forceInRange(chars[i], minRange, maxRange);
         }
+
+        if (chars.length < minLength) {
+          return Arrays.copyOf(chars, minLength);
+        } else if (chars.length > maxLength) {
+          return Arrays.copyOf(chars, maxLength);
+        }
         return chars;
       }
     }
@@ -407,10 +424,18 @@ public static Function<byte[], short[]> getShortPrimitiveArray(long minRange, lo
       };
     }
 
-    public static Function<byte[], char[]> getCharPrimitiveArray(long minRange, long maxRange) {
+    public static Function<byte[], char[]> getCharPrimitiveArray(
+        long minRange, long maxRange, int minLength, int maxLength) {
       int nBytes = 2;
       return (byte[] byteArray) -> {
         if (byteArray == null) return null;
+
+        if (byteArray.length < minLength * 2) {
+          byteArray = Arrays.copyOf(byteArray, minLength * 2);
+        } else if (byteArray.length > maxLength * 2) {
+          byteArray = Arrays.copyOf(byteArray, maxLength * 2);
+        }
+
         char extraBytes = (char) (byteArray.length % nBytes);
         char[] result = new char[byteArray.length / nBytes + (extraBytes > 0 ? 1 : 0)];
         ByteBuffer buffer = ByteBuffer.wrap(byteArray);

src/test/java/com/code_intelligence/jazzer/mutation/mutator/lang/PrimitiveArrayMutatorTest.java

@@ -86,7 +86,7 @@ public class PrimitiveArrayMutatorTest {
   static Function<char[], byte[]> charsToBytes =
       (Function<char[], byte[]>) makePrimitiveArrayToBytesConverter(annotatedType_char);
   static Function<byte[], char[]> bytesToChars =
-      getCharPrimitiveArray(Character.MIN_VALUE, Character.MAX_VALUE);
+      getCharPrimitiveArray(Character.MIN_VALUE, Character.MAX_VALUE, 0, 1000);
 
   static Function<boolean[], byte[]> booleansToBytes =
       (Function<boolean[], byte[]>) makePrimitiveArrayToBytesConverter(annotatedType_boolean);
@@ -305,7 +305,7 @@ static Stream<Arguments> bytes2charsTestCases() {
   @ParameterizedTest
   @MethodSource("bytes2charsTestCases")
   void testArrayConversion_bytes2chars(byte[] input, char[] expected, long min, long max) {
-    Function<byte[], char[]> fn = getCharPrimitiveArray(min, max);
+    Function<byte[], char[]> fn = getCharPrimitiveArray(min, max, 0, 100);
     assertThat(fn.apply(input)).isEqualTo(expected);
   }