fix(core): normalize LibAFL engine behavior

Store engine aliases canonically, replay every regression input, and reject malformed LibAFL integer flags so backend selection stays predictable across CLI and Jest runs.

Author: oetr

packages/core/core.ts

@@ -228,7 +228,11 @@ export async function startFuzzing(
 	registerEsmLoaderHooks(instrumentor);
 	instrumentor.sendHooksToLoader();
 	const fuzzFn = await loadFuzzFunction(options);
-	const findingAwareFuzzFn = asFindingAwareFuzzFn(fuzzFn);
+	const findingAwareFuzzFn = asFindingAwareFuzzFn(
+		fuzzFn,
+		true,
+		options.get("engine"),
+	);
 	return startFuzzingNoInit(findingAwareFuzzFn, options).finally(() => {
 		// These post fuzzing actions are only required for invocations through the CLI,
 		// other means of invocation, e.g. via Jest, don't need them.
@@ -394,13 +398,11 @@ async function loadFuzzFunction(
 export function asFindingAwareFuzzFn(
 	originalFuzzFn: fuzzer.FuzzTarget,
 	dumpCrashingInput = true,
+	engine = "libfuzzer",
 ): FindingAwareFuzzTarget {
 	function printAndDump(error: unknown): void {
 		cleanErrorStack(error);
-		const shouldDumpWithLibFuzzer =
-			(
-				globalThis as typeof globalThis & { options?: OptionsManager }
-			).options?.get("engine") !== "libafl";
+		const shouldDumpWithLibFuzzer = resolveEngine(engine) === "libfuzzer";
 		if (
 			!(
 				error instanceof FuzzerSignalFinding &&

packages/core/options.test.ts

@@ -337,6 +337,15 @@ describe("libafl options", () => {
 		expect(() => resolveEngine("unknown")).toThrow("Unknown fuzzing engine");
 	});
 
+	it("canonicalizes engine aliases during option merge", () => {
+		const manager = new OptionsManager(OptionSource.DefaultJestOptions).merge(
+			{ engine: "afl" },
+			OptionSource.ConfigurationFile,
+		);
+
+		expect(manager.get("engine")).toBe("libafl");
+	});
+
 	it("builds structured LibAFL options from fuzzer options", () => {
 		const manager = new OptionsManager(OptionSource.DefaultCLIOptions).merge(
 			{
@@ -385,7 +394,7 @@ describe("libafl options", () => {
 			{
 				engine: "libafl",
 				mode: "regression",
-				fuzzerOptions: ["corpus"],
+				fuzzerOptions: ["corpus", "-runs=1"],
 			},
 			OptionSource.CommandLineArguments,
 		);
@@ -437,6 +446,20 @@ describe("libafl options", () => {
 			fs.rmSync(tempDirectory, { force: true, recursive: true });
 		}
 	});
+
+	it("rejects malformed LibAFL integer flags", () => {
+		for (const option of ["-runs=1abc", "-max_len=1.5", "-seed="]) {
+			const manager = new OptionsManager(OptionSource.DefaultCLIOptions).merge(
+				{
+					engine: "libafl",
+					fuzzerOptions: [option],
+				},
+				OptionSource.CommandLineArguments,
+			);
+
+			expect(() => buildLibAflOptions(manager)).toThrow();
+		}
+	});
 });
 
 function expectDefaultsExceptKeys(

packages/core/options.ts

@@ -177,7 +177,7 @@ export function resolveEngine(engine: string): FuzzingEngine {
 			return "libafl";
 		default:
 			throw new Error(
-				`Unknown fuzzing engine '${engine}'. Supported engines are 'libfuzzer' and 'afl'.`,
+				`Unknown fuzzing engine '${engine}'. Supported engines are 'libfuzzer' and 'libafl' (alias 'afl').`,
 			);
 	}
 }
@@ -336,6 +336,9 @@ export class OptionsManager {
 					`Invalid type for Jazzer.js option '${key}', expected type '${keyType}', got '${typeof resultValue}'`,
 				);
 			}
+			if (key === "engine") {
+				resultValue = resolveEngine(resultValue);
+			}
 			// Deep copy the new value to avoid reference keeping and unintended mutations.
 			resultValue = OptionsManager.copyOptionValue(resultValue);
 			setProperty(this._options, key, { value: resultValue, source: source });
@@ -529,6 +532,12 @@ export function buildLibAflOptions(options: OptionsManager): LibAflOptions {
 		);
 	}
 
+	if (options.get("mode") === "regression") {
+		// Regression mode should replay every available corpus input unless the
+		// user asked to stop for some other reason, mirroring libFuzzer's behavior.
+		runs = 0;
+	}
+
 	printOptions(options);
 	if (process.env.JAZZER_DEBUG) {
 		console.error(
@@ -564,7 +573,7 @@ export function buildLibAflOptions(options: OptionsManager): LibAflOptions {
 }
 
 function parsePositiveInteger(name: string, value: string): number {
-	const parsed = Number.parseInt(value, 10);
+	const parsed = parseDecimalInteger(name, value);
 	if (!Number.isInteger(parsed) || parsed <= 0) {
 		throw new Error(
 			`Option '${name}' must be a positive integer, got '${value}'`,
@@ -574,7 +583,7 @@ function parsePositiveInteger(name: string, value: string): number {
 }
 
 function parsePositiveOrZeroInteger(name: string, value: string): number {
-	const parsed = Number.parseInt(value, 10);
+	const parsed = parseDecimalInteger(name, value);
 	if (!Number.isInteger(parsed) || parsed < 0) {
 		throw new Error(
 			`Option '${name}' must be a non-negative integer, got '${value}'`,
@@ -583,6 +592,21 @@ function parsePositiveOrZeroInteger(name: string, value: string): number {
 	return parsed;
 }
 
+function parseDecimalInteger(name: string, value: string): number {
+	if (!/^\d+$/.test(value)) {
+		throw new Error(`Option '${name}' must be an integer, got '${value}'`);
+	}
+
+	const parsed = Number(value);
+	if (!Number.isSafeInteger(parsed)) {
+		throw new Error(
+			`Option '${name}' must fit into a safe integer, got '${value}'`,
+		);
+	}
+
+	return parsed;
+}
+
 export function printOptions(options: OptionsManager, infix = "") {
 	if (process.env.JAZZER_DEBUG) {
 		console.error(

packages/jest-runner/fuzz.ts

@@ -140,6 +140,7 @@ export function fuzz(
 		const wrappedFn = asFindingAwareFuzzFn(
 			fn,
 			localConfig.get("mode") === "fuzzing",
+			localConfig.get("engine"),
 		);
 
 		if (localConfig.get("mode") === "regression") {