authorFabian Meumertzheim <meumertzheim@code-intelligence.com>2022-08-12 14:51:23 +0200
committerFabian Meumertzheim <fabian@meumertzhe.im>2022-08-15 17:29:20 +0200
commit08b6c8b71f6e5b65c0ef84d16f51be93c303b481 (patch)
tree0147142d01546b512ac7df6362062ea508e8e076
parentb7837adbd3d34b02a39aaa2d6bad20c95c6be86c (diff)
downloadjazzer-api-08b6c8b71f6e5b65c0ef84d16f51be93c303b481.tar.gz
driver: Remove unnecessary and ineffective coverage replay
In the newest version, libFuzzer no longer exits when no coverage is attained during the first two executions, so replaying coverage is no longer needed. According to the newly added test, replaying the coverage actually wasn't effective.
-rw-r--r--agent/src/main/java/com/code_intelligence/jazzer/instrumentor/CoverageRecorder.kt5
-rw-r--r--driver/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java13
-rw-r--r--tests/BUILD.bazel14
-rw-r--r--tests/src/test/java/com/example/NoCoverageFuzzer.java19
4 files changed, 36 insertions, 15 deletions
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/CoverageRecorder.kt b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/CoverageRecorder.kt
index 275057f0..098cf389 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/CoverageRecorder.kt
+++ b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/CoverageRecorder.kt
@@ -59,11 +59,6 @@ object CoverageRecorder {
additionalCoverage.addAll(CoverageMap.getCoveredIds())
}
- @JvmStatic
- fun replayCoveredIds() {
- CoverageMap.replayCoveredIds(additionalCoverage)
- }
-
/**
* [dumpCoverageReport] dumps a human-readable coverage report of files using any [coveredIds] to [dumpFileName].
*/
diff --git a/driver/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java b/driver/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java
index 0cda6d25..aedf8eb6 100644
--- a/driver/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java
+++ b/driver/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java
@@ -67,7 +67,6 @@ public final class FuzzTargetRunner {
private static final MethodHandle fuzzTarget;
public static final boolean useFuzzedDataProvider;
private static final ReproducerTemplate reproducerTemplate;
- private static long runCount = 0;
static {
String targetClassName = determineFuzzTargetClassName();
@@ -133,6 +132,9 @@ public final class FuzzTargetRunner {
}
if (Opt.hooks) {
+ // libFuzzer will clear the coverage map after this method returns and keeps no record of the
+ // coverage accumulated so far (e.g. by static initializers). We record it here to keep it
+ // around for JaCoCo coverage reports.
CoverageRecorder.updateCoveredIdsWithCoverageMap();
}
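Review bot: The new comment says libFuzzer clears the coverage map "after this method returns", but the enclosing block starts outside the hunk and, judging by the `static {` opened in the previous hunk and the mention of static initializers, this `if (Opt.hooks)` may well sit inside the class's static initializer rather than a method. If so, the wording should name the actual boundary, e.g. `// libFuzzer clears the coverage map once class initialization has finished and keeps no record of the coverage accumulated so far (e.g. by static initializers).` It would also help a reader to state that this snapshot is now only consumed by the JaCoCo report path, since the replay consumer removed in this commit no longer exists. Please confirm the enclosing construct before adjusting the comment.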
@@ -159,15 +161,6 @@ public final class FuzzTargetRunner {
* this is always 0. The function may exit the process instead of returning.
*/
public static int runOne(byte[] data) {
- if (Opt.hooks && runCount < 2) {
- runCount++;
- // For the first two runs only, replay the coverage recorded from static initializers.
- // libFuzzer cleared the coverage map after they ran and could fail to see any coverage,
- // triggering an early exit, if we don't replay it here.
- // https://github.com/llvm/llvm-project/blob/957a5e987444d3193575d6ad8afe6c75da00d794/compiler-rt/lib/fuzzer/FuzzerLoop.cpp#L804-L809
- CoverageRecorder.replayCoveredIds();
- }
-
Throwable finding = null;
try {
if (useFuzzedDataProvider) {
diff --git a/tests/BUILD.bazel b/tests/BUILD.bazel
index b43aa67f..ee927aef 100644
--- a/tests/BUILD.bazel
+++ b/tests/BUILD.bazel
@@ -197,3 +197,17 @@ java_fuzz_target_test(
],
target_class = "com.example.BytesMemoryLeakFuzzer",
)
+
+# Verifies that Jazzer continues fuzzing when the first two executions did not result in any
+# coverage feedback.
+java_fuzz_target_test(
+ name = "NoCoverageFuzzer",
+ timeout = "short",
+ srcs = ["src/test/java/com/example/NoCoverageFuzzer.java"],
+ expect_crash = False,
+ fuzzer_args = [
+ "-runs=10",
+ "--instrumentation_excludes=**",
+ ],
+ target_class = "com.example.NoCoverageFuzzer",
+)
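Review bot: The test detects libFuzzer's former "no coverage after two runs" early exit only through `expect_crash = False`, which presumes that `java_fuzz_target_test` treats a non-zero exit status (as opposed to a reported finding) as a test failure; if the rule only checks for findings, this target would pass even against a libFuzzer that still aborts, and the regression guard would be empty. Since that assumption is not visible here, consider stating it in the comment, e.g. `# Relies on java_fuzz_target_test failing on a non-zero libFuzzer exit status; -runs=10 with --instrumentation_excludes=** yields no coverage feedback at all.` The commit message also says the test shows replay "wasn't effective", but with all instrumentation excluded there was nothing to replay, so the test demonstrates the new libFuzzer behaviour rather than the ineffectiveness of replay; the description could be worded accordingly.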
diff --git a/tests/src/test/java/com/example/NoCoverageFuzzer.java b/tests/src/test/java/com/example/NoCoverageFuzzer.java
new file mode 100644
index 00000000..a1f8b4ea
--- /dev/null
+++ b/tests/src/test/java/com/example/NoCoverageFuzzer.java
@@ -0,0 +1,19 @@
+// Copyright 2022 Code Intelligence GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.example;
+
+public class NoCoverageFuzzer {
+ public static void fuzzerTestOneInput(byte[] data) {}
+}
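Review bot: `NoCoverageFuzzer` has no class comment, so a reader opening this file sees an empty `fuzzerTestOneInput` and nothing explaining that the lack of any executed code is the point; the rationale lives only in tests/BUILD.bazel. A short Javadoc on the class would keep the intent with the code, e.g. `/** Fuzz target that deliberately executes no instrumented code, so libFuzzer receives no coverage feedback; run with --instrumentation_excludes=** to verify fuzzing does not stop early. */`. The `data` parameter could also be named `ignored` or annotated to make clear it is intentionally unused.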