-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using 'catch_unwind' to convert panic into error is still detected as crash #85
Comments
This appears to be related to |
I'm not sure why we went with the It seems like using |
AIUI the fuzzer works better if panics lead to immediate aborts since there's less logic to trace. But I'm not quite sure if there is a major difference. |
I recall it being much better in a sense that it gives libfuzzer an opportunity to see unique crashes easier. Or at least that was the case back when I first MVPd the thing. |
This makes a ton of sense, since tools like oss-fuzz will ~essentially use only the crashing stack trace to differentiate bugs, AFAIK. I wonder if we can make |
Yeah I think the solution here is to have an on by default option |
I wrap a function that I know is buggy into a
std::panic::catch_unwind()
so that when it panics my own code does not. I can then gracefully handle the error.Unfortunately, libfuzzer still detects this as an error and stops.
Here's an example fuzzing target:
Where the file
fuzz/artifacts/issue/minimized-from-ac85e832d98dd32e68baaafa21973abcb7a73101
contains a single byte:0xF3
(243).Can we instruct libfuzzer to not bother with these kinds of errors?
Thanks!
The text was updated successfully, but these errors were encountered: