Fuzzer quits without saving crash

I had a similar issue like https://github.com/googleprojectzero/Jackalope/issues/23.

When crash is detected, it tries to reproduce the crash.
```  
// save crashes and hangs immediately when they are detected
  if (result == CRASH) {
    string crash_desc = tc->instrumentation->GetCrashName();
    
    if (crash_reproduce_retries > 0) {
        if (TryReproduceCrash(tc, sample, init_timeout, timeout) == CRASH) {
            // get a hopefully better name
            crash_desc = tc->instrumentation->GetCrashName();
        } else {
            crash_desc = "flaky_" + crash_desc;
        }
    }
```

If it is `!tc->sampleDelivery->DeliverSample(sample)`, the fuzzer quits without saving the crash.
```
RunResult Fuzzer::TryReproduceCrash(ThreadContext* tc, Sample* sample, uint32_t init_timeout, uint32_t timeout) {
  RunResult result;

  for (int i = 0; i < crash_reproduce_retries; i++) {
    total_execs++;

    if (!tc->sampleDelivery->DeliverSample(sample)) {
      WARN("Error delivering sample, retrying with a clean target");
      tc->instrumentation->CleanTarget();
      if (!tc->sampleDelivery->DeliverSample(sample)) {
        FATAL("Repeatedly failed to deliver sample");
      }
    }

    result = tc->instrumentation->RunWithCrashAnalysis(tc->target_argc, tc->target_argv, init_timeout, timeout);
    tc->instrumentation->ClearCoverage();

    if (result == CRASH) return result;
  }

  return result;
}
```

I think it is better to save the crash before `FATAL("Repeatedly failed to deliver sample");`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fuzzer quits without saving crash #58

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Fuzzer quits without saving crash #58

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions