| Issue | 180033 |
| Summary | libFuzzer corpus merging ignores nonzero return codes from fuzzing harness |
| Labels | new issue |
| Assignees | |
| Reporter | personnumber3377 |
Hi!
In the tutorial https://llvm.org/docs/LibFuzzer.html#rejecting-unwanted-inputs it says that "If the fuzz target returns -1 on a given input, libFuzzer will not add that input top the corpus, regardless of what coverage it triggers." Currently the libFuzzer corpus merging doesn't honor this when gathering the coverage from the input sample:
```cpp
    // Write the pre-run marker.
    OF << "STARTED " << i << " " << U.size() << "\n";
    OF.flush(); // Flush is important since Command::Execute may crash.
    // Run.
    TPC.ResetMaps();
    ExecuteCallback(U.data(), U.size());
    // Collect coverage. We are iterating over the files in this order:
    // * First, files in the initial corpus ordered by size, smallest first.
    // * Then, all other files, smallest first.
    std::set<size_t> Features;
    if (IsSetCoverMerge)
      TPC.CollectFeatures([&](size_t Feature) { Features.insert(Feature); });
    else
      TPC.CollectFeatures([&](size_t Feature) {
        if (AllFeatures.insert(Feature).second)
          Features.insert(Feature);
      });
```
The return value of the ExecuteCallback function must be checked, and if it returns false (meaning that the return code of LLVMFuzzerTestOneInput was NOT zero) then gathering the coverage should be skipped.
Here is a draft patch:
```cpp
    // Ask the harness if the input should be rejected...
    if (!ExecuteCallback(U.data(), U.size())) {
      // Mark as processed but do not record coverage, since the harness presumably returned -1...
      OF << "FT " << i << "\n";
      OF << "COV " << i << "\n";
      OF.flush();
      continue;
    }
```
_______________________________________________
llvm-bugs mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
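To make the behaviour the report describes concrete, here is an added example (not libFuzzer code and not part of the original report): a fuzz target that rejects inputs with -1 for a hypothetical "HDR"-prefixed format, plus a small model of one corpus-merge step that can either ignore the target's return value (current behaviour as quoted above) or honour it (the behaviour the draft asks for). The feature map `g_Features`, the `Hit()` helper and the `MergeStep()` function are stand-ins for libFuzzer's TracePC and merge loop, not its real API; the sample corpus is constructed inline.

```cpp
// Added example: a -1-rejecting fuzz target and a model of the merge step.
// Not libFuzzer's own code; TracePC and the merge loop are simulated.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Stand-in for libFuzzer's TracePC feature map: the target records which
// hand-numbered "features" (branches) an input exercised.
static std::set<size_t> g_Features;
static void Hit(size_t Feature) { g_Features.insert(Feature); }

// Hypothetical wire format: "HDR" magic, one type byte, then a payload.
// Anything without the magic is rejected with -1, so it should never enter
// the corpus regardless of the coverage seen while rejecting it.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  Hit(1); // entered the target
  if (Size < 4 || Data[0] != 'H' || Data[1] != 'D' || Data[2] != 'R') {
    Hit(2); // rejection path: coverage we do not want merged
    return -1;
  }
  switch (Data[3]) {
  case 'A': Hit(3); break;
  case 'B': Hit(4); break;
  default:  Hit(5); break;
  }
  if (Size > 4 && Data[4] == 0xff)
    Hit(6);
  return 0;
}

// Model of one merge step over a corpus. Returns the indices of the inputs
// that would be kept: those that added at least one feature not seen in an
// earlier input (the AllFeatures.insert(Feature).second logic quoted in the
// report). With HonourReturnCode set, inputs the target rejected are skipped
// before any coverage is recorded, as the draft patch proposes.
static std::vector<size_t> MergeStep(const std::vector<std::string> &Inputs,
                                     bool HonourReturnCode) {
  std::set<size_t> AllFeatures;
  std::vector<size_t> Kept;
  for (size_t i = 0; i < Inputs.size(); i++) {
    g_Features.clear(); // stands in for TPC.ResetMaps()
    const uint8_t *U = reinterpret_cast<const uint8_t *>(Inputs[i].data());
    int Res = LLVMFuzzerTestOneInput(U, Inputs[i].size());
    if (HonourReturnCode && Res != 0)
      continue; // rejected by the harness: record no coverage for it
    std::set<size_t> Features;
    for (size_t F : g_Features)
      if (AllFeatures.insert(F).second)
        Features.insert(F);
    if (!Features.empty())
      Kept.push_back(i);
  }
  return Kept;
}

// Constructed sample corpus (not real data): two rejected inputs, two valid
// inputs with distinct coverage, and one valid input adding nothing new.
static std::vector<std::string> SampleCorpus() {
  return {"junk", "HDRA", "HDRB\xff", "HDRB", "nope"};
}

#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
// Stand-alone driver; omitted when built with -fsanitize=fuzzer, which
// supplies its own main().
int main() {
  for (bool Honour : {false, true}) {
    std::printf("honour return code = %d, kept:", Honour);
    for (size_t i : MergeStep(SampleCorpus(), Honour))
      std::printf(" %zu", i);
    std::printf("\n");
  }
  return 0;
}
#endif
```

Run stand-alone, the model keeps the rejected input `junk` (index 0) when the return value is ignored, because its rejection path still produced new features; with the check in place only the two accepted inputs with new coverage (indices 1 and 2) survive. The target itself compiles unchanged with `-fsanitize=fuzzer`, so the same file can be used to try `-merge=1` against a real libFuzzer build.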