fix(fuzzer): contain sync stop callback errors

Reject stop callback failures on the JS promise instead of letting them unwind through the Rust execution callback. The new child-process regression reproduces the pre-fix Rust panic triggered by a SIGINT stop callback that throws.

Author: oetr

packages/fuzzer/libafl_runtime.cpp

@@ -203,6 +203,16 @@ void StoreDeferredRejection(AsyncFuzzTargetContext *context,
   context->deferred_rejection = Napi::Persistent(error);
 }
 
+void RejectSyncLibAflRun(SyncFuzzTargetContext *context,
+                         const Napi::Value &error) {
+  if (context->is_resolved) {
+    return;
+  }
+
+  context->is_resolved = true;
+  context->deferred.Reject(error);
+}
+
 void SettleLibAflRun(Napi::Env env, Napi::Promise::Deferred &deferred,
                      bool &is_resolved, int status) {
   if (is_resolved) {
@@ -492,7 +502,31 @@ int ExecuteSyncInput(void *user_data, const uint8_t *data, size_t size) {
       exit_code = Napi::Number::New(context->env, context->signal_status);
     }
 
-    context->js_stop_callback.Call({exit_code});
+    try {
+      context->js_stop_callback.Call({exit_code});
+    } catch (const Napi::Error &error) {
+      context->signal_status = 0;
+      RejectSyncLibAflRun(context, error.Value());
+      return kExecutionFatal;
+    } catch (const std::exception &exception) {
+      context->signal_status = 0;
+      RejectSyncLibAflRun(
+          context, Napi::Error::New(context->env,
+                                    std::string("Internal fuzzer error - ") +
+                                        exception.what())
+                       .Value());
+      return kExecutionFatal;
+    } catch (...) {
+      context->signal_status = 0;
+      RejectSyncLibAflRun(
+          context,
+          Napi::Error::New(
+              context->env,
+              "Internal fuzzer error - stop callback threw a non-standard "
+              "exception")
+              .Value());
+      return kExecutionFatal;
+    }
     context->signal_status = 0;
     return kExecutionStop;
   }

packages/fuzzer/libafl_runtime.test.ts

@@ -258,6 +258,45 @@ describe("LibAFL runtime", () => {
 		},
 	);
 
+	it("rejects thrown stop callbacks instead of panicking through Rust", () => {
+		const script = `
+			const addon = require(${JSON.stringify(nativeAddonPath())});
+			addon.registerCoverageMap(Buffer.alloc(${1 << 20}));
+			addon.registerNewCounters(0, 512);
+
+			let invocations = 0;
+			addon.startLibAfl(
+				() => {
+					if (invocations === 0) {
+						process.kill(process.pid, "SIGINT");
+					}
+					invocations += 1;
+				},
+				${JSON.stringify({ ...libAflOptions, runs: 1 })},
+				() => {
+					throw new Error("stop callback boom");
+				},
+			)
+				.then(() => process.exit(2))
+				.catch((error) => {
+					if (!String(error).includes("stop callback boom")) {
+						console.error(error);
+						process.exit(3);
+					}
+					process.exit(0);
+				});
+
+			setTimeout(() => process.exit(4), 1000);
+		`;
+
+		const result = spawnSync(process.execPath, ["-e", script], {
+			encoding: "utf8",
+			timeout: 5000,
+		});
+
+		expect(result.status).toBe(0);
+	});
+
 	it("records compare feedback in the shared native map", async () => {
 		addon.clearCompareFeedbackMap();