fix(fuzzer): defer LibAFL promise settlement

Async findings used to settle before native cleanup released the single-run
runtime guard. Defer rejection until finalization so CLI exit and follow-up
runs cannot race teardown.

Author: oetr

packages/fuzzer/libafl_runtime.cpp

@@ -169,6 +169,7 @@ struct AsyncFuzzTargetContext {
 
   std::thread native_thread;
   Napi::Promise::Deferred deferred;
+  Napi::Reference<Napi::Value> deferred_rejection;
   LibAflOptions options;
   std::unique_ptr<ScopedLibAflRuntime> runtime_guard;
   bool is_resolved = false;
@@ -190,13 +191,12 @@ AsyncFuzzTargetContext *gActiveAsyncContext = nullptr;
 AsyncTsfn gAsyncTsfn;
 JazzerLibAflFindingInfo gFindingInfo{};
 
-void RejectDeferredIfNeeded(AsyncFuzzTargetContext *context,
+void StoreDeferredRejection(AsyncFuzzTargetContext *context,
                             const Napi::Value &error) {
-  if (context->is_resolved) {
+  if (!context->deferred_rejection.IsEmpty()) {
     return;
   }
-  context->deferred.Reject(error);
-  context->is_resolved = true;
+  context->deferred_rejection = Napi::Persistent(error);
 }
 
 void SettleLibAflRun(Napi::Env env, Napi::Promise::Deferred &deferred,
@@ -243,13 +243,29 @@ void ReportAsyncFinding(AsyncFuzzTargetContext *context, Napi::Env env,
                         const std::shared_ptr<AsyncExecutionState> &state,
                         const Napi::Value &error,
                         const std::vector<uint8_t> &input) {
+  StoreDeferredRejection(context, error);
   if (TrySetExecutionStatus(state, kExecutionFinding)) {
     const auto artifact =
         WriteArtifact(context->options.artifact_prefix, "crash", input.data(),
                       input.size(), false);
     RecordFindingInfo(&gFindingInfo, artifact, DescribeJsError(env, error));
   }
-  RejectDeferredIfNeeded(context, error);
+}
+
+void SettleAsyncLibAflRun(Napi::Env env, AsyncFuzzTargetContext *context) {
+  if (context->is_resolved) {
+    return;
+  }
+
+  if (!context->deferred_rejection.IsEmpty()) {
+    context->is_resolved = true;
+    context->deferred.Reject(context->deferred_rejection.Value());
+    context->deferred_rejection.Reset();
+    return;
+  }
+
+  SettleLibAflRun(env, context->deferred, context->is_resolved,
+                  context->run_status);
 }
 
 void StartSyncWatchdog(SyncFuzzTargetContext *context) {
@@ -424,8 +440,6 @@ void CallJsFuzzCallback(Napi::Env env, Napi::Function js_fuzz_callback,
   try {
     if (context->sigints > 0) {
       TrySetExecutionStatus(state, kExecutionStop);
-      context->deferred.Resolve(env.Undefined());
-      context->is_resolved = true;
       return;
     }
 
@@ -522,10 +536,11 @@ void CallJsFuzzCallback(Napi::Env env, Napi::Function js_fuzz_callback,
   } catch (const Napi::Error &error) {
     ReportAsyncFinding(context, env, state, error.Value(), current_input);
   } catch (const std::exception &exception) {
-    TrySetExecutionStatus(state, kExecutionFatal);
-    auto message =
-        std::string("Internal fuzzer error - ").append(exception.what());
-    RejectDeferredIfNeeded(context, Napi::Error::New(env, message).Value());
+    if (TrySetExecutionStatus(state, kExecutionFatal)) {
+      auto message =
+          std::string("Internal fuzzer error - ").append(exception.what());
+      StoreDeferredRejection(context, Napi::Error::New(env, message).Value());
+    }
   }
 }
 
@@ -673,8 +688,10 @@ Napi::Value StartLibAflAsync(const Napi::CallbackInfo &info) {
       info.Env(), info[0].As<Napi::Function>(), "LibAflAsyncAddon", 0, 1,
       context.get(),
       [](Napi::Env env, AsyncFinalizerDataType *, AsyncFuzzTargetContext *ctx) {
+        Napi::HandleScope scope(env);
         ctx->native_thread.join();
-        SettleLibAflRun(env, ctx->deferred, ctx->is_resolved, ctx->run_status);
+        ctx->runtime_guard.reset();
+        SettleAsyncLibAflRun(env, ctx);
         delete ctx;
       });
 

packages/fuzzer/libafl_runtime.test.ts

@@ -15,6 +15,8 @@
  */
 
 import { spawnSync } from "child_process";
+import * as fs from "fs";
+import * as os from "os";
 import * as path from "path";
 
 import { addon } from "./addon";
@@ -98,6 +100,33 @@ describe("LibAFL runtime", () => {
 		}
 	});
 
+	it("settles async findings after releasing the native runtime", async () => {
+		const artifactDirectory = fs.mkdtempSync(
+			path.join(os.tmpdir(), "jazzer-libafl-lifetime-"),
+		);
+
+		try {
+			await expect(
+				addon.startLibAflAsync(
+					() => {
+						throw new Error("first finding");
+					},
+					{
+						...libAflOptions,
+						artifactPrefix: `${artifactDirectory}${path.sep}`,
+					},
+				),
+			).rejects.toThrow("first finding");
+
+			await addon.startLibAflAsync(() => undefined, {
+				...libAflOptions,
+				runs: 1,
+			});
+		} finally {
+			fs.rmSync(artifactDirectory, { force: true, recursive: true });
+		}
+	});
+
 	it("restores previous SIGINT handlers after fuzzing", () => {
 		const addonPath = path.join(
 			__dirname,