chore: add test to validate hook method descriptors

Author: simonresch

MODULE.bazel

@@ -107,6 +107,8 @@ TEST_MAVEN_ARTIFACTS = [
     "com.google.truth.extensions:truth-liteproto-extension:1.4.2",
     "com.google.truth.extensions:truth-proto-extension:1.4.2",
     "com.google.truth:truth:1.4.2",
+    "jakarta.el:jakarta.el-api:6.0.1",
+    "javax.persistence:javax.persistence-api:2.2",
     "junit:junit:4.13.2",
     "org.assertj:assertj-core:3.25.3",
     "org.jacoco:org.jacoco.core:0.8.12",

maven_install.json

@@ -1,7 +1,7 @@
 {
   "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL",
-  "__INPUT_ARTIFACTS_HASH": 285652305,
-  "__RESOLVED_ARTIFACTS_HASH": -2054117877,
+  "__INPUT_ARTIFACTS_HASH": -1935863112,
+  "__RESOLVED_ARTIFACTS_HASH": 1203654031,
   "conflict_resolution": {
     "com.google.code.gson:gson:2.8.6": "com.google.code.gson:gson:2.8.9",
     "com.google.errorprone:error_prone_annotations:2.3.2": "com.google.errorprone:error_prone_annotations:2.26.1",
@@ -197,6 +197,12 @@
       },
       "version": "1.12.3"
     },
+    "jakarta.el:jakarta.el-api": {
+      "shasums": {
+        "jar": "7e84b5bed49de32b79cc5e85d90b6f5adb1a953ac67283adbb41c1e297f9c605"
+      },
+      "version": "6.0.1"
+    },
     "jakarta.servlet:jakarta.servlet-api": {
       "shasums": {
         "jar": "c034eb1afb158987dbb53a5fea0cadf611c8dae8daadd59c44d9d5ab70129cef"
@@ -215,6 +221,12 @@
       },
       "version": "3.0.1-b06"
     },
+    "javax.persistence:javax.persistence-api": {
+      "shasums": {
+        "jar": "5578b71b37999a5eaed3fea0d14aa61c60c6ec6328256f2b63472f336318baf4"
+      },
+      "version": "2.2"
+    },
     "javax.validation:validation-api": {
       "shasums": {
         "jar": "9873b46df1833c9ee8f5bc1ff6853375115dadd8897bcb5a0dffb5848835ee6c"
@@ -1285,6 +1297,9 @@
       "io.micrometer.observation.docs",
       "io.micrometer.observation.transport"
     ],
+    "jakarta.el:jakarta.el-api": [
+      "jakarta.el"
+    ],
     "jakarta.servlet:jakarta.servlet-api": [
       "jakarta.servlet",
       "jakarta.servlet.annotation",
@@ -1297,6 +1312,12 @@
     "javax.el:javax.el-api": [
       "javax.el"
     ],
+    "javax.persistence:javax.persistence-api": [
+      "javax.persistence",
+      "javax.persistence.criteria",
+      "javax.persistence.metamodel",
+      "javax.persistence.spi"
+    ],
     "javax.validation:validation-api": [
       "javax.validation",
       "javax.validation.bootstrap",
@@ -2611,9 +2632,11 @@
       "io.github.classgraph:classgraph",
       "io.micrometer:micrometer-commons",
       "io.micrometer:micrometer-observation",
+      "jakarta.el:jakarta.el-api",
       "jakarta.servlet:jakarta.servlet-api",
       "javax.activation:javax.activation-api",
       "javax.el:javax.el-api",
+      "javax.persistence:javax.persistence-api",
       "javax.validation:validation-api",
       "javax.xml.bind:jaxb-api",
       "junit:junit",

sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/BUILD.bazel

@@ -74,7 +74,10 @@ kt_jvm_library(
         "Utils.kt",
         "XPathInjection.kt",
     ],
-    visibility = ["//sanitizers:__pkg__"],
+    visibility = [
+        "//sanitizers:__pkg__",
+        "//sanitizers/src/test/java/com/code_intelligence/jazzer/sanitizers:__pkg__",
+    ],
     runtime_deps = [
         ":clojure_lang_hooks",
         ":file_path_traversal",

sanitizers/src/test/java/com/code_intelligence/jazzer/sanitizers/BUILD.bazel

@@ -10,3 +10,20 @@ java_junit5_test(
         "@maven//:org_junit_jupiter_junit_jupiter_params",
     ],
 )
+
+java_junit5_test(
+    name = "HookBindingSanityTest",
+    srcs = ["HookBindingSanityTest.java"],
+    deps = JUNIT5_DEPS + [
+        "//sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers",
+        "//sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers:constants",
+        "//src/main/java/com/code_intelligence/jazzer/api:hooks",
+        "@clojure_jar//jar",
+        "@maven//:jakarta_el_jakarta_el_api",
+        "@maven//:javax_el_javax_el_api",
+        "@maven//:javax_persistence_javax_persistence_api",
+        "@maven//:javax_validation_validation_api",
+        "@maven//:org_junit_jupiter_junit_jupiter_api",
+        "@maven//:org_junit_jupiter_junit_jupiter_params",
+    ],
+)

sanitizers/src/test/java/com/code_intelligence/jazzer/sanitizers/HookBindingSanityTest.java

@@ -0,0 +1,186 @@
+/*
+ * Copyright 2025 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.code_intelligence.jazzer.sanitizers;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+import com.code_intelligence.jazzer.api.MethodHook;
+import com.code_intelligence.jazzer.api.MethodHooks;
+import java.lang.invoke.MethodType;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+
+/**
+ * Verifies that for every declared @MethodHook in built-in sanitizers, a corresponding target
+ * method (or constructor) with the configured descriptor exists. This guards against typos and
+ * wrong descriptors.
+ */
+public class HookBindingSanityTest {
+
+  final Set<String> SKIPPED_CLASSES_CURRENT_JDK =
+      Collections.unmodifiableSet(
+          Stream.of(
+                  // Available for JDK >= 9
+                  "java.util.regex.Pattern$Single",
+                  "java.util.regex.Pattern$SingleI",
+                  "java.util.regex.Pattern$SingleS",
+                  "java.util.regex.Pattern$SingleU")
+              .collect(Collectors.toSet()));
+
+  final Set<String> SKIPPED_METHODS_CURRENT_JDK =
+      Collections.unmodifiableSet(
+          Stream.of(
+                  // Available for JDK >= 9
+                  "java.util.regex.Pattern.caseInsensitiveRangeFor",
+                  "java.util.regex.Pattern.rangeFor",
+                  "java.util.regex.Pattern.union",
+                  "sun.misc.Unsafe.getByte",
+                  "sun.misc.Unsafe.getChar",
+                  "sun.misc.Unsafe.getDouble",
+                  "sun.misc.Unsafe.getFloat",
+                  "sun.misc.Unsafe.getInt",
+                  "sun.misc.Unsafe.getLong",
+                  "sun.misc.Unsafe.getShort",
+                  "sun.misc.Unsafe.putByte",
+                  "sun.misc.Unsafe.putChar",
+                  "sun.misc.Unsafe.putDouble",
+                  "sun.misc.Unsafe.putFloat",
+                  "sun.misc.Unsafe.putInt",
+                  "sun.misc.Unsafe.putLong",
+                  "sun.misc.Unsafe.putShort")
+              .collect(Collectors.toSet()));
+
+  final Set<String> SKIPPED_CLASSES_JDK_8 =
+      Collections.unmodifiableSet(
+          Stream.of(
+                  "jakarta.el.ExpressionFactory",
+                  "java.util.regex.Pattern$CharPredicate",
+                  "javax.xml.xpath.XPath")
+              .collect(Collectors.toSet()));
+
+  final Set<String> SKIPPED_METHODS_JDK_8 =
+      Collections.unmodifiableSet(
+          Stream.of(
+                  "java.lang.Class.forName",
+                  "java.lang.ClassLoader.loadClass",
+                  "java.nio.file.Files.mismatch",
+                  "java.nio.file.Files.readString",
+                  "java.nio.file.Files.writeString",
+                  "java.util.regex.Pattern.CIRange",
+                  "java.util.regex.Pattern.CIRangeU",
+                  "java.util.regex.Pattern.Range",
+                  "java.util.regex.Pattern.Single",
+                  "java.util.regex.Pattern.SingleI",
+                  "java.util.regex.Pattern.SingleS",
+                  "java.util.regex.Pattern.SingleU")
+              .collect(Collectors.toSet()));
+
+  final boolean isJDK8 = System.getProperty("java.version").startsWith("1.8");
+  final Set<String> SKIPPED_CLASSES = isJDK8 ? SKIPPED_CLASSES_JDK_8 : SKIPPED_CLASSES_CURRENT_JDK;
+  final Set<String> SKIPPED_METHODS = isJDK8 ? SKIPPED_METHODS_JDK_8 : SKIPPED_METHODS_CURRENT_JDK;
+
+  @ParameterizedTest
+  @MethodSource("getMethodHooks")
+  public void methodHookResolves(MethodHook hook) {
+    String targetClassName = hook.targetClassName();
+    assertNotNull(targetClassName, "Hook has no target class");
+    if (SKIPPED_CLASSES.contains(targetClassName)) {
+      return;
+    }
+    ClassLoader loader = HookBindingSanityTest.class.getClassLoader();
+    Class<?> targetClass =
+        assertDoesNotThrow(
+            () -> Class.forName(targetClassName, false, loader),
+            () -> "class to hook not found: " + targetClassName);
+    String methodName = hook.targetMethod();
+    String methodDesc = hook.targetMethodDescriptor();
+
+    if (SKIPPED_METHODS.contains(String.format("%s.%s", targetClassName, methodName))) {
+      return;
+    }
+
+    if ("<init>".equals(methodName)) {
+      if (methodDesc.isEmpty()) {
+        // Any constructor is acceptable.
+        assertNotEquals(
+            0,
+            targetClass.getDeclaredConstructors().length,
+            String.format("no constructor for class %s found", targetClassName));
+      } else {
+        // Match specific constructor by descriptor
+        MethodType mt = MethodType.fromMethodDescriptorString(methodDesc, loader);
+        Class<?>[] descriptorParams = mt.parameterArray();
+        assertTrue(
+            Arrays.stream(targetClass.getDeclaredConstructors())
+                .anyMatch(c -> Arrays.equals(c.getParameterTypes(), descriptorParams)),
+            String.format("no matching constructor for class %s found", targetClassName));
+      }
+    } else {
+      if (methodDesc.isEmpty()) {
+        // Require at least one declared method with that name
+        assertTrue(
+            Arrays.stream(targetClass.getDeclaredMethods())
+                .anyMatch(md -> md.getName().equals(methodName)),
+            String.format("method name %s not found in class %s", methodName, targetClassName));
+      } else {
+        MethodType mt = MethodType.fromMethodDescriptorString(methodDesc, loader);
+        Class<?> descriptorReturnType = mt.returnType();
+        Class<?>[] descriptorParams = mt.parameterArray();
+        assertTrue(
+            Arrays.stream(targetClass.getDeclaredMethods())
+                .anyMatch(
+                    md ->
+                        md.getName().equals(methodName)
+                            && md.getReturnType().equals(descriptorReturnType)
+                            && Arrays.equals(md.getParameterTypes(), descriptorParams)),
+            String.format(
+                "method %s with descriptor %s not found in class %s",
+                methodName, methodDesc, targetClassName));
+      }
+    }
+  }
+
+  static Class<?> getHookClass(String className) {
+    try {
+      return Class.forName(className, false, HookBindingSanityTest.class.getClassLoader());
+    } catch (ClassNotFoundException e) {
+      throw new RuntimeException("Could not find hook class " + className, e);
+    }
+  }
+
+  static MethodHook[] getMethodHooks() throws ClassNotFoundException, NoSuchMethodException {
+    return Constants.SANITIZER_HOOK_NAMES.stream()
+        .map(HookBindingSanityTest::getHookClass)
+        .flatMap(clazz -> Stream.of(clazz.getMethods()))
+        .flatMap(
+            m ->
+                Stream.concat(
+                    Stream.of(m.getAnnotation(MethodHook.class)),
+                    Optional.ofNullable(m.getAnnotation(MethodHooks.class))
+                        .map(MethodHooks::value)
+                        .map(Stream::of)
+                        .orElseGet(Stream::empty)))
+        .filter(Objects::nonNull)
+        .toArray(MethodHook[]::new);
+  }
+}