googleprojectzero / Jackalope

Binary, coverage-guided fuzzer for Windows, macOS, Linux and Android
Apache License 2.0
1.1k stars 128 forks

Fix -crash_retry argument #37

Closed notwhickey closed 2 years ago

notwhickey commented 2 years ago

The code doesn't account for command-line argument "-crash_retry 0". If provided, this argument will, upon finding a crash, cause a "Run-Time Check Failure 3 - The variable 'result' is being used without being initialized." This is an uncommon use case, but I have encountered this while fuzzing a binary that keeps a handle to the crashing file for a bit too long. Using "-crash_retry 0" allows for fuzzing the binary, albeit flaky fuzzing.
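
The bug class behind this report is a retry loop whose result variable is only assigned inside the loop body, so a retry count of zero leaves it uninitialized. The following is an added illustration written for this page; it is not Jackalope's code, and the names `CrashStatus`, `ClassifyCrashBuggy`, `ClassifyCrash` and `MakeTarget` are hypothetical. The defective shape is shown next to a hardened form in which every path returns a defined value; treating a zero-retry crash as reproducible is a design choice made for the example, not a statement of the project's fix.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Hypothetical types for a crash-retry step; not Jackalope's own names or
// code, only a model of the defect described in the report.
enum class CrashStatus { kReproducible, kFlaky };

// A runner re-executes the target on the crashing sample and reports
// whether it crashed again (true = crashed).
using RunFn = std::function<bool()>;

// Defect pattern: 'result' is assigned only inside the retry loop. With a
// retry count of 0 (the "-crash_retry 0" case) the body never executes and
// the function returns an uninitialized value, which is what the run-time
// check reports. Kept here for contrast only; never call it with 0 retries.
CrashStatus ClassifyCrashBuggy(const RunFn& run, int num_retries) {
  CrashStatus result;  // no initializer
  for (int i = 0; i < num_retries; ++i) {
    result = run() ? CrashStatus::kReproducible : CrashStatus::kFlaky;
    if (result == CrashStatus::kReproducible) break;
  }
  return result;  // undefined when num_retries <= 0
}

// Hardened form: every path yields a defined value. When no retries are
// requested there is no evidence that the crash is flaky, so the original
// crash is kept as reproducible (design choice for this example).
CrashStatus ClassifyCrash(const RunFn& run, int num_retries) {
  if (num_retries <= 0) return CrashStatus::kReproducible;
  for (int i = 0; i < num_retries; ++i) {
    if (run()) return CrashStatus::kReproducible;  // crash confirmed
  }
  return CrashStatus::kFlaky;  // never crashed again within the retry budget
}

// Constructed stand-in for a fuzzing target: replays a fixed sequence of
// outcomes (true = crashed) and then keeps repeating the last one.
RunFn MakeTarget(std::vector<bool> outcomes) {
  auto index = std::make_shared<std::size_t>(0);
  return [outcomes, index]() {
    bool crashed = outcomes[std::min(*index, outcomes.size() - 1)];
    ++*index;
    return crashed;
  };
}

static const char* Name(CrashStatus s) {
  return s == CrashStatus::kReproducible ? "reproducible" : "flaky";
}

int main() {
  // A target that only crashes again on its third rerun, like a binary that
  // releases its file handle late: 2 retries call it flaky, 3 confirm it.
  std::printf("late-release target, 2 retries: %s\n",
              Name(ClassifyCrash(MakeTarget({false, false, true}), 2)));
  std::printf("late-release target, 3 retries: %s\n",
              Name(ClassifyCrash(MakeTarget({false, false, true}), 3)));
  // The zero-retry case that triggered the report now has a defined result.
  std::printf("-crash_retry 0: %s\n",
              Name(ClassifyCrash(MakeTarget({false}), 0)));
  return 0;
}
```

Compilers with warnings enabled (`-Wall` on GCC/Clang, `/W4` with run-time checks on MSVC) flag or trap the uninitialized read in the buggy form; the hardened form removes the problem at the source by deciding the zero-retry case explicitly before the loop.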

ifratric commented 2 years ago

Thanks for catching this case and for the patch! The only thing I noticed is that, with the patch, all crashes will be marked as flaky, which might not be desirable. My suggestion would be to either

notwhickey commented 2 years ago

Good point. I've committed the first suggested change. Thanks.

ifratric commented 2 years ago

Cool, thank you!