I had a similar issue like #23.
When crash is detected, it tries to reproduce the crash.
// save crashes and hangs immediately when they are detected
if (result == CRASH) {
string crash_desc = tc->instrumentation->GetCrashName();
if (crash_reproduce_retries > 0) {
if (TryReproduceCrash(tc, sample, init_timeout, timeout) == CRASH) {
// get a hopefully better name
crash_desc = tc->instrumentation->GetCrashName();
} else {
crash_desc = "flaky_" + crash_desc;
}
}
If it is !tc->sampleDelivery->DeliverSample(sample), the fuzzer quits without saving the crash.
RunResult Fuzzer::TryReproduceCrash(ThreadContext* tc, Sample* sample, uint32_t init_timeout, uint32_t timeout) {
RunResult result;
for (int i = 0; i < crash_reproduce_retries; i++) {
total_execs++;
if (!tc->sampleDelivery->DeliverSample(sample)) {
WARN("Error delivering sample, retrying with a clean target");
tc->instrumentation->CleanTarget();
if (!tc->sampleDelivery->DeliverSample(sample)) {
FATAL("Repeatedly failed to deliver sample");
}
}
result = tc->instrumentation->RunWithCrashAnalysis(tc->target_argc, tc->target_argv, init_timeout, timeout);
tc->instrumentation->ClearCoverage();
if (result == CRASH) return result;
}
return result;
}
I think it is better to save the crash before FATAL("Repeatedly failed to deliver sample");
I had a similar issue like #23.
When crash is detected, it tries to reproduce the crash.
If it is
!tc->sampleDelivery->DeliverSample(sample), the fuzzer quits without saving the crash.I think it is better to save the crash before
FATAL("Repeatedly failed to deliver sample");