Version
jazzer-junit 0.24.0
Description
It seems that when a sanitizer throws an exception during regression mode, that exception is not properly cleared and causes the subsequent fuzzing run to immediately fail with the same exception and also creates a bogus 0-byte input file.
The issue might be in FuzzTestExtensions and the way it handles JazzerInternal.lastFinding: It only clears the lastFinding at the start, but after regression execution it just retrieves the value but does not clear it:
(jazzer/src/main/java/com/code_intelligence/jazzer/junit/FuzzTestExtensions.java, line 115 in c138e8f)

```java
Throwable stored = (Throwable) getLastFindingField().get(null);
```
This most likely then causes the fuzzing run (which still happens in the same JVM) to see that lastFinding and fail immediately, creating a bogus 0-byte input file (bogus because on the next run it does not cause an exception).
At least that is my current assumption; I have not debugged it in detail though.
How to reproduce
Create a test class which triggers a sanitizer exception, for example:
```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.junit.FuzzTest;

public class RegexTest {
    @FuzzTest
    void test(FuzzedDataProvider d) {
        String input = d.consumeRemainingAsString();
        try {
            // Fuzzer-controlled input is concatenated into the pattern, which is
            // exactly what Jazzer's regex sanitizer reports; that finding is the
            // exception this reproducer is meant to trigger.
            Pattern.matches("\\Q" + input + "\\E", "foobar");
        } catch (PatternSyntaxException ignored) {
        }
    }
}
```
For all the subsequent steps always run with JAZZER_FUZZ=1.
- Run the test method
🔍 As expected: It should find (non-empty) input which triggers a sanitizer exception; a new crash-... input file is generated
- Run the test method again
🔍 As expected: The previous crash reproducer is still failing
❌ Bug: Fuzzing immediately fails and creates a bogus 0-byte crash-... input file
(I performed this within IntelliJ IDE, with JDK 17)
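The stale-static-field mechanism suspected above, reduced to a stand-alone model (added example, not Jazzer's code): a hypothetical `FakeJazzerInternal.lastFinding` slot is cleared only at the start of the regression phase, so the fuzzing phase in the same JVM reads the leftover finding unless the regression phase also clears it after reading.

```java
import java.lang.reflect.Field;

// Hypothetical stand-in for the static lastFinding slot (not Jazzer's own class).
class FakeJazzerInternal {
    public static Throwable lastFinding;
}

public class StaleFindingDemo {
    private static Field lastFindingField() throws Exception {
        return FakeJazzerInternal.class.getField("lastFinding");
    }

    // Regression phase as the report describes it: clear the slot at the start,
    // run the reproducer (which records a finding), then read the finding.
    // With clearAfterRead == false the finding stays behind in the static slot.
    static Throwable regressionPhase(boolean clearAfterRead) throws Exception {
        Field f = lastFindingField();
        f.set(null, null);                                   // cleared only at the start
        // Constructed finding standing in for what a sanitizer would record.
        f.set(null, new IllegalStateException("sanitizer finding (constructed)"));
        Throwable stored = (Throwable) f.get(null);          // read, as in the snippet above
        if (clearAfterRead) {
            f.set(null, null);                               // candidate fix: consume the finding
        }
        return stored;
    }

    // Fuzzing phase, still in the same JVM: it sees whatever is left in the slot.
    static Throwable findingSeenByFuzzingPhase() throws Exception {
        return (Throwable) lastFindingField().get(null);
    }

    public static void main(String[] args) throws Exception {
        regressionPhase(false);
        System.out.println("without clearing after read: fuzzing sees " + findingSeenByFuzzingPhase());
        regressionPhase(true);
        System.out.println("with clearing after read:    fuzzing sees " + findingSeenByFuzzingPhase());
    }
}
```

The first line reports the leftover `IllegalStateException`, the second reports `null`, which is the difference between a fuzzing run that fails before consuming any input and one that starts clean.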