protobuf 4 incompatiblity?

[loosebazooka]

I'm not sure exactly how to debug this as I'm not sure where the issue is occuring? Is it during instrumentation? My knowledge of the inner workings of the fuzzing process are weak at best.

Errors are from oss-fuzz, I can add more details, but I'm not sure what's useful.

Full log might be public here: https://github.com/sigstore/sigstore-java/actions/runs/8577430969/job/23510004362?pr=674

The snippet in question. This happened when I updated protobuf generators from v3.x to v4.x. I can't even tell if this is useful for debugging

INFO: Instrumented com.google.protobuf.CodedOutputStream$UnsafeDirectNioEncoder with custom hooks only (took 4 ms, size +0%)
INFO: Instrumented com.google.protobuf.CodedOutputStream$SafeDirectNioEncoder with custom hooks only (took 2 ms, size +0%)
INFO: Instrumented com.google.protobuf.CodedOutputStream$OutOfSpaceException with custom hooks only (took 0 ms, size +0%)
INFO: Instrumented com.google.protobuf.ByteString$CodedBuilder with custom hooks only (took 0 ms, size +0%)
INFO: Instrumented com.google.protobuf.GeneratedMessage$ExtendableMessage$ExtensionWriter with custom hooks only (took 0 ms, size +0%)

== Java Exception: java.lang.ExceptionInInitializerError
    at dev.sigstore.proto.bundle.v1.BundleProto.<clinit>(BundleProto.java:85)
    at dev.sigstore.proto.bundle.v1.Bundle$Builder.getDescriptorForType(Bundle.java:561)
    at com.google.protobuf.util.JsonFormat$ParserImpl.merge(JsonFormat.java:1444)
    at com.google.protobuf.util.JsonFormat$ParserImpl.merge(JsonFormat.java:1313)
    at com.google.protobuf.util.JsonFormat$Parser.merge(JsonFormat.java:463)
    at dev.sigstore.bundle.BundleFactoryInternal.readBundle(BundleFactoryInternal.java:145)
    at dev.sigstore.bundle.BundleFactory.readBundle(BundleFactory.java:66)
    at fuzzing.BundleFactoryFuzzer.fuzzerTestOneInput(BundleFactoryFuzzer.java:27)
Caused by: java.lang.NullPointerException: Cannot invoke "com.google.protobuf.DescriptorProtos$FeatureSet.getExtension(com.google.protobuf.ExtensionLite)" because "this.features" is null
    at com.google.protobuf.Descriptors$FieldDescriptor.legacyEnumFieldTreatedAsClosed(Descriptors.java:1538)
    at com.google.protobuf.MessageReflection.mergeFieldFrom(MessageReflection.java:1219)
    at com.google.protobuf.GeneratedMessage$ExtendableBuilder.parseUnknownField(GeneratedMessage.java:1575)
    at com.google.protobuf.DescriptorProtos$FieldOptions$Builder.mergeFrom(DescriptorProtos.java:34132)
    at com.google.protobuf.DescriptorProtos$FieldOptions$Builder.mergeFrom(DescriptorProtos.java:33683)
    at com.google.protobuf.CodedInputStream$ArrayDecoder.readMessage(CodedInputStream.java:845)
    at com.google.protobuf.DescriptorProtos$FieldDescriptorProto$Builder.mergeFrom(DescriptorProtos.java:15588)
    at com.google.protobuf.DescriptorProtos$FieldDescriptorProto$1.parsePartialFrom(DescriptorProtos.java:16671)
    at com.google.protobuf.DescriptorProtos$FieldDescriptorProto$1.parsePartialFrom(DescriptorProtos.java:16663)
    at com.google.protobuf.CodedInputStream$ArrayDecoder.readMessage(CodedInputStream.java:[861](https://github.com/sigstore/sigstore-java/actions/runs/8577430969/job/23510004362?pr=674#step:4:862))
    at com.google.protobuf.DescriptorProtos$DescriptorProto$Builder.mergeFrom(DescriptorProtos.java:8204)
    at com.google.protobuf.DescriptorProtos$DescriptorProto$1.parsePartialFrom(DescriptorProtos.java:10381)
    at com.google.protobuf.DescriptorProtos$DescriptorProto$1.parsePartialFrom(DescriptorProtos.java:10373)
    at com.google.protobuf.CodedInputStream$ArrayDecoder.readMessage(CodedInputStream.java:861)
    at com.google.protobuf.DescriptorProtos$FileDescriptorProto$Builder.mergeFrom(DescriptorProtos.java:2886)
    at com.google.protobuf.DescriptorProtos$FileDescriptorProto$1.parsePartialFrom(DescriptorProtos.java:5140)
    at com.google.protobuf.DescriptorProtos$FileDescriptorProto$1.parsePartialFrom(DescriptorProtos.java:5132)
    at com.google.protobuf.AbstractParser.parsePartialFrom(AbstractParser.java:77)
    at com.google.protobuf.AbstractParser.parseFrom(AbstractParser.java:97)
    at com.google.protobuf.AbstractParser.parseFrom(AbstractParser.java:25)
    at com.google.protobuf.DescriptorProtos$FileDescriptorProto.parseFrom(DescriptorProtos.java:2361)
    at com.google.protobuf.Descriptors$FileDescriptor.internalUpdateFileDescriptor(Descriptors.java:495)
    at dev.sigstore.proto.common.v1.CommonProto.<clinit>(CommonProto.java:247)
    ... 8 more
DEDUP_TOKEN: 1917f89e4dc6c058
== libFuzzer crashing input ==
MS: 0 ; base unit: 0000000000000000000000000000000000000000

artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64: 
reproducer_path='.'; Java reproducer written to ./Crash_da39a3ee5e6b4b0d3255bfef95601890afd80709.java

I tried not instrumenting the protobuf libraries, but that seemed to not help.

[ghost]

Hi @loosebazooka ! Thanks for the issue; I'm sorry for my late reply, and that you're having issue building the fuzzer for fuzzing protobuz for sigstore-java. A quick search shows you're using JUnit 5, so that is good. I'm not super proficient on oss-fuzz. But you can try again with Jazzer?

[loosebazooka]

Sorry I know that was a lot of info, I'm working on a reproducer right now, trying to get something minimal. These tests don't use junit5. They follow the process outlined in the ozzfuzz docs for jazzer (https://google.github.io/oss-fuzz/getting-started/new-project-guide/jvm-lang/)

[loosebazooka]

So maybe I don't understand what's going on with the oss_fuzz build, but it appears to be a 2-step process where there's a build phase and a run phase.

The build phase in this case appears to be executing fuzzers though? Anyway, this appears to be a genuine issue discovered by fuzzing just at weird "build" phase of the fuzzing process (on oss_fuzz). Any idea who would be the right person to direct this to?

[ghost]

Yeah, that's a tough one. I'm really not the expert on oss-fuzz and jazzer for this situation. It seems like this is urgent or a task that you need to finish quickly. Is that an accurate assumption? In which case, can you email me at david.merian@code-intelligence.com ?

[loosebazooka]

It's not super urgent. But I can still email you if it makes sense

[ghost]

Yeah let's move it to email so I can get the whole picture.

[ghost]

Thank you!