Crashes not recognized as unique

[Ikrk]

Hi, I have a minimal code example where I would expect to find three unique crashes. However the fuzzer classifies the bugs as identical and therefore only one unique crash file is saved.

use honggfuzz::fuzz;

const MAGIC_NUMBER: u8 = 254;

fn main() {
    loop {
        fuzz!(|data: &[u8]| {
            if data.len() != 2 {
                return;
            }

            let _ = buggy_math_function(data[0], data[1]);

            panic_function(data[0]);
        });
    }
}

pub fn buggy_math_function(input1: u8, input2: u8) -> u8 {
    // causes div-by-zero if input2 == 254
    // causes subtract with overflow if input2 == 255 because overflow-checks = true for profile.release
    let divisor = MAGIC_NUMBER - input2;
    input1 / divisor
}

pub fn panic_function(input1: u8) {
    // panics if input1 == 97
    if input1 == b'a' {
        panic!("BOOM")
    }
}

• If I pass the --save_all option to honggfuzz to save all crashes, I can find all expected three crash cases (input1 = 97, input2 = 254 or 255), so it does not look the code was somehow optimized to prevent the bugs. However the crash names are all with the same filename SIGABRT.PC.7ffff7c8e83c.STACK.d0d9781a0.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebx.2023-08-30.15:55:32.535662.fuzz besides the time-stamp.
• If I replay the crashes in debug environment, the stack traces are different as I would expect but then I don't understand why the stack signature in the crash filenames is always the same. Also the error messages are as expected.
• If I correct the bugs one by one and run the fuzzer after each fix, the next unique crash is found until all bugs are fixed.
• I tried to use also the AFL fuzzer with the exact same code and it works just fine as expected (3 unique crashes are found).
• I tried to play (kind of randomly) with the --codegen opt-level and llvm-args parameters but with no luck.

My setup:

• x86_64 GNU/Linux
• cargo-hfuzz 0.5.55
• rustc 1.70.0 (90c541806 2023-05-31)

Any help or hints are appreciated.

[Ikrk]

Changing the panic_function to:

pub fn panic_function(input1: u8) {
        if input1 == b'a' {
            let a = vec![1, 2, 3];
            println!("{:?}", a[4]); // array out of bounds
        }
        if input1 == b'b' {
            std::panic::panic_any(4); // another panic
        }
    }

actually finds three unique crashes. So it seems to be related to how honggfuzz actually calculates the stack signature. AFL on the other hand uses executed edges to decide about crash uniqueness.

Closing the issue as it seems to be related to the upstream project.