Version
jazzer-junit 0.24.0
Description
It seems that when a sanitizer throws an exception during regression mode, that exception is not properly cleared and causes the subsequent fuzzing run to immediately fail with the same exception and also to create a bogus 0-byte input file.

The issue might be in `FuzzTestExtensions` and the way it handles `JazzerInternal.lastFinding`: it only clears the `lastFinding` at the start, but after regression execution it just retrieves the value and does not clear it:

```java
Throwable stored = (Throwable) getLastFindingField().get(null);
```

This most likely then causes the fuzzing run (which still happens in the same JVM) to see that `lastFinding` and fail immediately, creating a bogus 0-byte input file (bogus because on the next run this does not cause an exception).

At least that is my current assumption; I have not debugged it in detail though.
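The retained-finding behaviour described above, as an added illustration that is not Jazzer's own code: a minimal model with a static finding slot (hypothetical names `lastFinding`, `retrieveWithoutClear`, `retrieveAndClear`, `fuzzPhaseSeesStaleFinding`) showing how a finding that is read but not cleared after the regression phase stays visible to the fuzzing phase in the same JVM, beside a read-and-clear variant.

```java
import java.util.concurrent.atomic.AtomicReference;

// Added illustration, not Jazzer's code. Names are hypothetical stand-ins for
// the real JazzerInternal.lastFinding handling described in the report.
public class StaleFindingDemo {
    // Process-wide slot a sanitizer writes into when it detects a bug.
    static final AtomicReference<Throwable> lastFinding = new AtomicReference<>();

    // A sanitizer recording a finding (constructed for the demo).
    static void sanitizerReports(Throwable t) {
        lastFinding.set(t);
    }

    // Suspected current behaviour: the regression phase reads the finding
    // but leaves it in the slot.
    static Throwable retrieveWithoutClear() {
        return lastFinding.get();
    }

    // Read-and-clear variant: the next phase starts from an empty slot.
    static Throwable retrieveAndClear() {
        return lastFinding.getAndSet(null);
    }

    // The fuzzing phase checks the slot before executing any input; a
    // non-null value here means it fails without having run anything,
    // which is what produces the 0-byte reproducer.
    static boolean fuzzPhaseSeesStaleFinding() {
        return lastFinding.get() != null;
    }

    public static void main(String[] args) {
        // Regression phase replays a reproducer and the sanitizer fires.
        sanitizerReports(new IllegalStateException("constructed finding"));
        Throwable seen = retrieveWithoutClear();
        System.out.println("regression re-raised: " + seen.getMessage());
        // Same JVM, fuzzing phase: the leftover finding is still there.
        System.out.println("fuzzing fails before any input: "
                + fuzzPhaseSeesStaleFinding());

        // Same sequence, but the regression phase clears the slot.
        sanitizerReports(new IllegalStateException("constructed finding"));
        retrieveAndClear();
        System.out.println("fuzzing fails before any input: "
                + fuzzPhaseSeesStaleFinding());
    }
}
```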
How to reproduce
Create a test class which triggers a sanitizer exception, for example:
```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.junit.FuzzTest;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class RegexTest {
    @FuzzTest
    void test(FuzzedDataProvider d) {
        String input = d.consumeRemainingAsString();
        try {
            // Fuzzer-controlled input is spliced into the pattern on purpose
            // so that the regex sanitizer reports a finding.
            Pattern.matches("\\Q" + input + "\\E", "foobar");
        } catch (PatternSyntaxException ignored) {
        }
    }
}
```
For all the subsequent steps, always run with `JAZZER_FUZZ=1`.
- Run the test method
  🔍 As expected: It should find (non-empty) input which triggers a sanitizer exception; a new `crash-...` input file is generated
- Run the test method again
  🔍 As expected: The previous crash reproducer is still failing
  ❌ Bug: Fuzzing immediately fails and creates a bogus 0-byte `crash-...` input file
(I performed this within IntelliJ IDE, with JDK 17)