feat: sometimes interpret char[] mutations as single bytes

When mutating char[] randomly interpret the bytes from libFuzzer as
individual (single byte) chars. This helps to make use of libFuzzers
table of recent compare entries (encoded as CESU8) if the char[] is used
as a String inside the fuzz test.

Author: simonresch

src/main/java/com/code_intelligence/jazzer/mutation/mutator/lang/PrimitiveArrayMutatorFactory.java

@@ -43,6 +43,7 @@
 import java.lang.reflect.AnnotatedType;
 import java.nio.ByteBuffer;
 import java.util.Optional;
+import java.util.function.BiFunction;
 import java.util.function.Function;
 import java.util.function.Predicate;
 
@@ -81,6 +82,7 @@ public static final class PrimitiveArrayMutator<T> extends SerializingMutator<T>
     private final SerializingMutator<byte[]> innerMutator;
     private final Function<byte[], T> toPrimitive;
     private final Function<T, byte[]> toBytes;
+    private final BiFunction<byte[], PseudoRandom, T> toPrimitiveAfterMutate;
 
     @SuppressWarnings("unchecked")
     public PrimitiveArrayMutator(AnnotatedType type) {
@@ -92,6 +94,8 @@ public PrimitiveArrayMutator(AnnotatedType type) {
       innerMutator =
           (SerializingMutator<byte[]>) LibFuzzerMutatorFactory.tryCreate(innerByteArray).get();
       toPrimitive = (Function<byte[], T>) makeBytesToPrimitiveArrayConverter(elementType);
+      toPrimitiveAfterMutate =
+          (BiFunction<byte[], PseudoRandom, T>) makeBytesToPrimitiveArrayAfterMutate(elementType);
       toBytes = (Function<T, byte[]>) makePrimitiveArrayToBytesConverter(elementType);
     }
 
@@ -128,14 +132,13 @@ public T init(PseudoRandom prng) {
 
     @Override
     public T mutate(T value, PseudoRandom prng) {
-      return (T) toPrimitive.apply(innerMutator.mutate(toBytes.apply(value), prng));
+      return toPrimitiveAfterMutate.apply(innerMutator.mutate(toBytes.apply(value), prng), prng);
     }
 
     @Override
     public T crossOver(T value, T otherValue, PseudoRandom prng) {
-      return (T)
-          toPrimitive.apply(
-              innerMutator.crossOver(toBytes.apply(value), toBytes.apply(otherValue), prng));
+      return toPrimitive.apply(
+          innerMutator.crossOver(toBytes.apply(value), toBytes.apply(otherValue), prng));
     }
 
     private void extractRange(AnnotatedType type) {
@@ -250,6 +253,29 @@ private static AnnotatedType convertWithLength(AnnotatedType type, AnnotatedType
       }
     }
 
+    // Randomly maps the byte array from libFuzzer directly onto char[] or converts each byte into a
+    // 2 byte char. This helps in cases where a String is constructed out of char[] and libFuzzer
+    // inserts CESU8 encoded bytes into the byte[].
+    public char[] postMutateChars(byte[] bytes, PseudoRandom prng) {
+      if (prng.choice()) {
+        return (char[]) toPrimitive.apply(bytes);
+      } else {
+        char[] chars = new char[bytes.length];
+        for (int i = 0; i < chars.length; i++) {
+          chars[i] = (char) bytes[i];
+        }
+        return chars;
+      }
+    }
+
+    public BiFunction<byte[], PseudoRandom, ?> makeBytesToPrimitiveArrayAfterMutate(
+        AnnotatedType type) {
+      if (type.getType().getTypeName().equals("char")) {
+        return this::postMutateChars;
+      }
+      return (bytes, ignored) -> makeBytesToPrimitiveArrayConverter(type).apply(bytes);
+    }
+
     public static Function<?, byte[]> makePrimitiveArrayToBytesConverter(AnnotatedType type) {
       switch (type.getType().getTypeName()) {
         case "int":

tests/BUILD.bazel

@@ -1107,6 +1107,16 @@ java_fuzz_target_test(
     ],
 )
 
+java_fuzz_target_test(
+    name = "CharArrayFuzzer",
+    srcs = [
+        "src/test/java/com/example/CharArrayFuzzer.java",
+    ],
+    allowed_findings = ["java.lang.RuntimeException"],
+    target_class = "com.example.CharArrayFuzzer",
+    verify_crash_reproducer = False,
+)
+
 filegroup(
     name = "fuzz_test_lister_classes",
     srcs = ["src/test/data/fuzz_test_lister_test"],

tests/src/test/java/com/example/CharArrayFuzzer.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2025 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.example;
+
+public class CharArrayFuzzer {
+  public static void fuzzerTestOneInput(char[] data) {
+    if (data == null) {
+      return;
+    }
+    String expression = new String(data);
+    if (expression.contains("jazzer")) {
+      throw new RuntimeException("found jazzer");
+    }
+  }
+}