4 files changed, 36 insertions, 15 deletions
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/CoverageRecorder.kt b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/CoverageRecorder.kt
index 275057f0..098cf389 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/CoverageRecorder.kt
+++ b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/CoverageRecorder.kt
@@ -59,11 +59,6 @@ object CoverageRecorder {
         additionalCoverage.addAll(CoverageMap.getCoveredIds())
     }
 
-    @JvmStatic
-    fun replayCoveredIds() {
-        CoverageMap.replayCoveredIds(additionalCoverage)
-    }
-
     /**
      * [dumpCoverageReport] dumps a human-readable coverage report of files using any [coveredIds] to [dumpFileName].
      */
diff --git a/driver/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java b/driver/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java
index 0cda6d25..aedf8eb6 100644
--- a/driver/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java
+++ b/driver/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java
@@ -67,7 +67,6 @@ public final class FuzzTargetRunner {
   private static final MethodHandle fuzzTarget;
   public static final boolean useFuzzedDataProvider;
   private static final ReproducerTemplate reproducerTemplate;
-  private static long runCount = 0;
 
   static {
     String targetClassName = determineFuzzTargetClassName();
@@ -133,6 +132,9 @@ public final class FuzzTargetRunner {
     }
 
     if (Opt.hooks) {
+      // libFuzzer will clear the coverage map after this method returns and keeps no record of the
+      // coverage accumulated so far (e.g. by static initializers). We record it here to keep it
+      // around for JaCoCo coverage reports.
       CoverageRecorder.updateCoveredIdsWithCoverageMap();
     }
 
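Review bot: The added comment in the `@@ -133` hunk says libFuzzer clears the coverage map "after this method returns", but the code appears to sit inside the class's static initializer (the `static {` block opened in the previous hunk), so it is not clear which return is meant; if that is the case, say so, e.g. `// libFuzzer will clear the coverage map once the fuzz target's class initialization has completed and keeps no record of ...`. With the replay in runOne removed, nothing in the new code explains how the early exit on zero coverage that the old comment pointed to (the FuzzerLoop.cpp reference) is now avoided; a one-line pointer to the mechanism, or to the NoCoverageFuzzer test that guards it, would help the next reader. The enclosing block starts and ends outside this hunk.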
@@ -159,15 +161,6 @@ public final class FuzzTargetRunner {
    * this is always 0. The function may exit the process instead of returning.
    */
   public static int runOne(byte[] data) {
-    if (Opt.hooks && runCount < 2) {
-      runCount++;
-      // For the first two runs only, replay the coverage recorded from static initializers.
-      // libFuzzer cleared the coverage map after they ran and could fail to see any coverage,
-      // triggering an early exit, if we don't replay it here.
-      // https://github.com/llvm/llvm-project/blob/957a5e987444d3193575d6ad8afe6c75da00d794/compiler-rt/lib/fuzzer/FuzzerLoop.cpp#L804-L809
-      CoverageRecorder.replayCoveredIds();
-    }
-
     Throwable finding = null;
     try {
       if (useFuzzedDataProvider) {
diff --git a/tests/BUILD.bazel b/tests/BUILD.bazel
index b43aa67f..ee927aef 100644
--- a/tests/BUILD.bazel
+++ b/tests/BUILD.bazel
@@ -197,3 +197,17 @@ java_fuzz_target_test(
     ],
     target_class = "com.example.BytesMemoryLeakFuzzer",
 )
+
+# Verifies that Jazzer continues fuzzing when the first two executions did not result in any
+# coverage feedback.
+java_fuzz_target_test(
+    name = "NoCoverageFuzzer",
+    timeout = "short",
+    srcs = ["src/test/java/com/example/NoCoverageFuzzer.java"],
+    expect_crash = False,
+    fuzzer_args = [
+        "-runs=10",
+        "--instrumentation_excludes=**",
+    ],
+    target_class = "com.example.NoCoverageFuzzer",
+)
diff --git a/tests/src/test/java/com/example/NoCoverageFuzzer.java b/tests/src/test/java/com/example/NoCoverageFuzzer.java
new file mode 100644
index 00000000..a1f8b4ea
--- /dev/null
+++ b/tests/src/test/java/com/example/NoCoverageFuzzer.java
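Review bot: The comment on the new `java_fuzz_target_test` says what is verified but not how the no-coverage condition is produced, which a reader of `fuzzer_args` has to infer from the `--instrumentation_excludes=**` flag; presumably that flag disables coverage instrumentation for every class. Extending the comment makes the test self-explaining, e.g. `# --instrumentation_excludes=** disables instrumentation for all classes, so no run produces coverage feedback.` It would also be worth stating that the test relies on the harness treating libFuzzer's early exit as a failure, if that is indeed what `expect_crash = False` checks.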
@@ -0,0 +1,19 @@
+// Copyright 2022 Code Intelligence GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.example;
+
+public class NoCoverageFuzzer {
+  public static void fuzzerTestOneInput(byte[] data) {}
+}
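Review bot: `fuzzerTestOneInput` has an empty body and an unused `data` parameter with no comment explaining that this is deliberate, so a later reader may take it for an unfinished target. A short comment on the class makes the intent explicit, e.g. `// Intentionally empty: this target must not produce any coverage feedback (see tests/BUILD.bazel).`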