From 08b6c8b71f6e5b65c0ef84d16f51be93c303b481 Mon Sep 17 00:00:00 2001 From: Fabian Meumertzheim Date: Fri, 12 Aug 2022 14:51:23 +0200 Subject: driver: Remove unnecessary and ineffective coverage replay In the newest version, libFuzzer no longer exits when no coverage is attained during the first two executions, so replaying coverage is no longer needed. According to the newly added test, replaying the coverage actually wasn't effective. --- .../jazzer/instrumentor/CoverageRecorder.kt | 5 ----- .../jazzer/driver/FuzzTargetRunner.java | 13 +++---------- tests/BUILD.bazel | 14 ++++++++++++++ tests/src/test/java/com/example/NoCoverageFuzzer.java | 19 +++++++++++++++++++ 4 files changed, 36 insertions(+), 15 deletions(-) create mode 100644 tests/src/test/java/com/example/NoCoverageFuzzer.java diff --git a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/CoverageRecorder.kt b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/CoverageRecorder.kt index 275057f0..098cf389 100644 --- a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/CoverageRecorder.kt +++ b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/CoverageRecorder.kt @@ -59,11 +59,6 @@ object CoverageRecorder { additionalCoverage.addAll(CoverageMap.getCoveredIds()) } - @JvmStatic - fun replayCoveredIds() { - CoverageMap.replayCoveredIds(additionalCoverage) - } - /** * [dumpCoverageReport] dumps a human-readable coverage report of files using any [coveredIds] to [dumpFileName]. */ diff --git a/driver/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java b/driver/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java index 0cda6d25..aedf8eb6 100644 --- a/driver/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java +++ b/driver/src/main/java/com/code_intelligence/jazzer/driver/FuzzTargetRunner.java @@ -67,7 +67,6 @@ public final class FuzzTargetRunner { private static final MethodHandle fuzzTarget; public static final boolean useFuzzedDataProvider; private static final ReproducerTemplate reproducerTemplate; - private static long runCount = 0; static { String targetClassName = determineFuzzTargetClassName(); @@ -133,6 +132,9 @@ public final class FuzzTargetRunner { } if (Opt.hooks) { + // libFuzzer will clear the coverage map after this method returns and keeps no record of the + // coverage accumulated so far (e.g. by static initializers). We record it here to keep it + // around for JaCoCo coverage reports. CoverageRecorder.updateCoveredIdsWithCoverageMap(); } @@ -159,15 +161,6 @@ public final class FuzzTargetRunner { * this is always 0. The function may exit the process instead of returning. */ public static int runOne(byte[] data) { - if (Opt.hooks && runCount < 2) { - runCount++; - // For the first two runs only, replay the coverage recorded from static initializers. - // libFuzzer cleared the coverage map after they ran and could fail to see any coverage, - // triggering an early exit, if we don't replay it here. - // https://github.com/llvm/llvm-project/blob/957a5e987444d3193575d6ad8afe6c75da00d794/compiler-rt/lib/fuzzer/FuzzerLoop.cpp#L804-L809 - CoverageRecorder.replayCoveredIds(); - } - Throwable finding = null; try { if (useFuzzedDataProvider) { diff --git a/tests/BUILD.bazel b/tests/BUILD.bazel index b43aa67f..ee927aef 100644 --- a/tests/BUILD.bazel +++ b/tests/BUILD.bazel @@ -197,3 +197,17 @@ java_fuzz_target_test( ], target_class = "com.example.BytesMemoryLeakFuzzer", ) + +# Verifies that Jazzer continues fuzzing when the first two executions did not result in any +# coverage feedback. +java_fuzz_target_test( + name = "NoCoverageFuzzer", + timeout = "short", + srcs = ["src/test/java/com/example/NoCoverageFuzzer.java"], + expect_crash = False, + fuzzer_args = [ + "-runs=10", + "--instrumentation_excludes=**", + ], + target_class = "com.example.NoCoverageFuzzer", +) diff --git a/tests/src/test/java/com/example/NoCoverageFuzzer.java b/tests/src/test/java/com/example/NoCoverageFuzzer.java new file mode 100644 index 00000000..a1f8b4ea --- /dev/null +++ b/tests/src/test/java/com/example/NoCoverageFuzzer.java @@ -0,0 +1,19 @@ +// Copyright 2022 Code Intelligence GmbH +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.example; + +public class NoCoverageFuzzer { + public static void fuzzerTestOneInput(byte[] data) {} +} -- cgit v1.2.3