How to know whether fuzzjit has found non-crash bugs?

[zhangxiaosa]

Hi, I've been using fuzzjit to fuzz jsc and the logs show that it has found 22 crashes. However, I understand that the primary focus of this tool is to find non-crash bugs. How can I determine if fuzzjit has identified any non-crash bugs? Thanks for your help!

Fuzzer Statistics
-----------------
Fuzzer phase:                 Fuzzing (with MutationEngine)
Uptime:                       3d 16h 34m 0s
Total Samples:                2117534
Interesting Samples Found:    14429
Last Interesting Sample:      0d 0h 0m 21s
Valid Samples Found:          1405299
Corpus Size:                  1006
Correctness Rate:             68.10% (66.36%)
Timeout Rate:                 2.50% (4.11%)
Crashes Found:                22
Timeouts Hit:                 87005
Coverage:                     21.97%
Avg. program size:            16.75
Avg. corpus program size:     10.99
Connected workers:            0
Execs / Second:               14.12
Fuzzer Overhead:              9.29%
Total Execs:                  2912717

[JimWongM]

When fuzzjit found non-crash bugs, it will invoke FuzzilliCrash in the template, so I guess non-crash bugs are also in the crash directory.

[zhangxiaosa]

@JimWongM Thank you, now I understand it.