CodeIntelligenceTesting
diff --git a/‎packages/fuzzer/libafl_runtime.cpp‎
Lines changed: 125 additions & 43 deletions b/‎packages/fuzzer/libafl_runtime.cpp‎
Lines changed: 125 additions & 43 deletions
@@ -144,13 +144,17 @@ struct SyncFuzzTargetContext {
   LibAflOptions options;
   SyncWatchdogState watchdog;
   volatile std::sig_atomic_t signal_status = 0;
+  volatile std::sig_atomic_t execution_active = 0;
   volatile int sigints = 0;
   std::jmp_buf execution_context;
 };
 
 struct AsyncExecutionState {
   std::promise<int> promise;
   std::atomic<bool> settled = false;
+  bool done_called = false;
+  bool done_succeeded = false;
+  bool callback_invocation_completed = false;
 };
 
 struct AsyncDataType {
@@ -173,8 +177,8 @@ struct AsyncFuzzTargetContext {
   LibAflOptions options;
   std::unique_ptr<ScopedLibAflRuntime> runtime_guard;
   bool is_resolved = false;
-  bool is_done_called = false;
   int run_status = kRuntimeOk;
+  volatile std::sig_atomic_t execution_active = 0;
   volatile int sigints = 0;
   std::jmp_buf execution_context;
 };
@@ -227,29 +231,77 @@ void SettleLibAflRun(Napi::Env env, Napi::Promise::Deferred &deferred,
   }
 }
 
-bool TrySetExecutionStatus(const std::shared_ptr<AsyncExecutionState> &state,
-                           int status) {
+bool IsExecutionSettled(const std::shared_ptr<AsyncExecutionState> &state) {
+  return state->settled.load(std::memory_order_acquire);
+}
+
+bool TryClaimExecution(const std::shared_ptr<AsyncExecutionState> &state) {
   bool expected = false;
   if (!state->settled.compare_exchange_strong(expected, true,
                                               std::memory_order_acq_rel,
                                               std::memory_order_acquire)) {
     return false;
   }
+  return true;
+}
+
+void PublishExecutionStatus(const std::shared_ptr<AsyncExecutionState> &state,
+                            int status) {
   state->promise.set_value(status);
+}
+
+bool TryPublishExecutionStatus(
+    const std::shared_ptr<AsyncExecutionState> &state, int status) {
+  if (!TryClaimExecution(state)) {
+    return false;
+  }
+  PublishExecutionStatus(state, status);
   return true;
 }
 
+Napi::Value NormalizeAsyncError(Napi::Env env, const Napi::Value &error) {
+  if (error.IsObject()) {
+    return error;
+  }
+  return Napi::Error::New(env, error.ToString()).Value();
+}
+
 void ReportAsyncFinding(AsyncFuzzTargetContext *context, Napi::Env env,
                         const std::shared_ptr<AsyncExecutionState> &state,
                         const Napi::Value &error,
                         const std::vector<uint8_t> &input) {
-  StoreDeferredRejection(context, error);
-  if (TrySetExecutionStatus(state, kExecutionFinding)) {
-    const auto artifact =
-        WriteArtifact(context->options.artifact_prefix, "crash", input.data(),
-                      input.size(), false);
-    RecordFindingInfo(&gFindingInfo, artifact, DescribeJsError(env, error));
+  if (!TryClaimExecution(state)) {
+    return;
+  }
+
+  auto normalized_error = NormalizeAsyncError(env, error);
+  auto summary = std::string("The LibAFL backend found a crashing input");
+  const auto artifact = WriteArtifact(context->options.artifact_prefix, "crash",
+                                      input.data(), input.size(), false);
+  try {
+    summary = DescribeJsError(env, normalized_error);
+  } catch (const std::exception &exception) {
+    normalized_error =
+        Napi::Error::New(env, std::string("Internal fuzzer error - ") +
+                                  exception.what())
+            .Value();
+    summary = normalized_error.ToString().Utf8Value();
+  }
+
+  RecordFindingInfo(&gFindingInfo, artifact, summary);
+  StoreDeferredRejection(context, normalized_error);
+  PublishExecutionStatus(state, kExecutionFinding);
+}
+
+void ReportAsyncInternalError(AsyncFuzzTargetContext *context, Napi::Env env,
+                              const std::shared_ptr<AsyncExecutionState> &state,
+                              const std::string &message) {
+  if (!TryClaimExecution(state)) {
+    return;
   }
+
+  StoreDeferredRejection(context, Napi::Error::New(env, message).Value());
+  PublishExecutionStatus(state, kExecutionFatal);
 }
 
 void SettleAsyncLibAflRun(Napi::Env env, AsyncFuzzTargetContext *context) {
@@ -366,17 +418,26 @@ class ScopedSyncWatchdog {
 };
 
 void SyncSigintHandler(int signum) {
-  std::cerr << std::endl;
-  gActiveSyncContext->signal_status = signum;
-  if (gActiveSyncContext->sigints > 0) {
+  auto *context = gActiveSyncContext;
+  if (context == nullptr) {
+    _Exit(libfuzzer::RETURN_CONTINUE);
+  }
+
+  context->signal_status = signum;
+  if (context->sigints > 0) {
     _Exit(libfuzzer::RETURN_CONTINUE);
   }
-  gActiveSyncContext->sigints++;
+  context->sigints++;
 }
 
 void SyncErrorSignalHandler(int signum) {
-  gActiveSyncContext->signal_status = signum;
-  std::longjmp(gActiveSyncContext->execution_context, signum);
+  auto *context = gActiveSyncContext;
+  if (context == nullptr || context->execution_active == 0) {
+    _Exit(libfuzzer::EXIT_ERROR_SEGV);
+  }
+
+  context->signal_status = signum;
+  std::longjmp(context->execution_context, signum);
 }
 
 int ExecuteSyncInput(void *user_data, const uint8_t *data, size_t size) {
@@ -389,15 +450,19 @@ int ExecuteSyncInput(void *user_data, const uint8_t *data, size_t size) {
 
   try {
     auto buffer = Napi::Buffer<uint8_t>::Copy(context->env, data, size);
-    if (setjmp(context->execution_context) == 0) {
+    context->execution_active = 1;
+    const auto signal_status = setjmp(context->execution_context);
+    if (signal_status == 0) {
       auto result = context->target.Call({buffer});
       if (result.IsPromise()) {
         AsyncReturnsHandler();
       } else {
         SyncReturnsHandler();
       }
     }
+    context->execution_active = 0;
   } catch (const Napi::Error &error) {
+    context->execution_active = 0;
     if (!context->is_resolved) {
       const auto artifact = WriteArtifact(context->options.artifact_prefix,
                                           "crash", data, size, false);
@@ -408,6 +473,7 @@ int ExecuteSyncInput(void *user_data, const uint8_t *data, size_t size) {
     }
     return kExecutionFinding;
   } catch (const std::exception &exception) {
+    context->execution_active = 0;
     ExitWithUnexpectedError(exception);
   }
 
@@ -439,19 +505,23 @@ void CallJsFuzzCallback(Napi::Env env, Napi::Function js_fuzz_callback,
 
   try {
     if (context->sigints > 0) {
-      TrySetExecutionStatus(state, kExecutionStop);
+      TryPublishExecutionStatus(state, kExecutionStop);
       return;
     }
 
-    if (setjmp(context->execution_context) == SIGSEGV) {
+    context->execution_active = 1;
+    const auto signal_status = setjmp(context->execution_context);
+    if (signal_status == SIGSEGV) {
+      context->execution_active = 0;
       std::cerr << "==" << static_cast<unsigned long>(GetPID())
                 << "== Segmentation Fault" << std::endl;
       libfuzzer::PrintCrashingInput();
       _Exit(libfuzzer::EXIT_ERROR_SEGV);
     }
 
     if (env == nullptr) {
-      TrySetExecutionStatus(state, kExecutionFatal);
+      context->execution_active = 0;
+      TryPublishExecutionStatus(state, kExecutionFatal);
       return;
     }
 
@@ -463,13 +533,12 @@ void CallJsFuzzCallback(Napi::Env env, Napi::Function js_fuzz_callback,
                                .Int32Value();
 
     if (parameter_count > 1) {
-      context->is_done_called = false;
       auto done = Napi::Function::New(env, [=](const Napi::CallbackInfo &info) {
-        if (context->is_resolved) {
+        if (IsExecutionSettled(state)) {
           return;
         }
 
-        if (context->is_done_called) {
+        if (state->done_called) {
           auto error =
               Napi::Error::New(env, "Expected done to be called once, but it "
                                     "was called multiple times.")
@@ -478,21 +547,24 @@ void CallJsFuzzCallback(Napi::Env env, Napi::Function js_fuzz_callback,
           return;
         }
 
-        context->is_done_called = true;
+        state->done_called = true;
         const auto has_error =
             info.Length() > 0 && !(info[0].IsNull() || info[0].IsUndefined());
         if (has_error) {
-          auto error = info[0];
-          if (!error.IsObject()) {
-            error = Napi::Error::New(env, error.ToString()).Value();
-          }
-          ReportAsyncFinding(context, env, state, error, current_input);
+          ReportAsyncFinding(context, env, state, info[0], current_input);
+          return;
+        }
+
+        if (state->callback_invocation_completed) {
+          TryPublishExecutionStatus(state, kExecutionContinue);
         } else {
-          TrySetExecutionStatus(state, kExecutionContinue);
+          state->done_succeeded = true;
         }
       });
 
       auto result = js_fuzz_callback.Call({buffer, done});
+      state->callback_invocation_completed = true;
+      context->execution_active = 0;
       if (result.IsPromise()) {
         AsyncReturnsHandler();
         auto error =
@@ -502,19 +574,23 @@ void CallJsFuzzCallback(Napi::Env env, Napi::Function js_fuzz_callback,
         ReportAsyncFinding(context, env, state, error, current_input);
       } else {
         SyncReturnsHandler();
+        if (state->done_succeeded) {
+          TryPublishExecutionStatus(state, kExecutionContinue);
+        }
       }
       return;
     }
 
     auto result = js_fuzz_callback.Call({buffer});
+    context->execution_active = 0;
     if (result.IsPromise()) {
       AsyncReturnsHandler();
       auto js_promise = result.As<Napi::Object>();
       auto then = js_promise.Get("then").As<Napi::Function>();
       then.Call(js_promise,
                 {Napi::Function::New(env,
                                      [=](const Napi::CallbackInfo &) {
-                                       TrySetExecutionStatus(
+                                       TryPublishExecutionStatus(
                                            state, kExecutionContinue);
                                      }),
                  Napi::Function::New(env, [=](const Napi::CallbackInfo &info) {
@@ -523,37 +599,43 @@ void CallJsFuzzCallback(Napi::Env env, Napi::Function js_fuzz_callback,
                            ? info[0]
                            : Napi::Error::New(env, "Unknown promise rejection")
                                  .Value();
-                   if (!error.IsObject()) {
-                     error = Napi::Error::New(env, error.ToString()).Value();
-                   }
                    ReportAsyncFinding(context, env, state, error,
                                       current_input);
                  })});
     } else {
       SyncReturnsHandler();
-      TrySetExecutionStatus(state, kExecutionContinue);
+      TryPublishExecutionStatus(state, kExecutionContinue);
     }
   } catch (const Napi::Error &error) {
+    context->execution_active = 0;
     ReportAsyncFinding(context, env, state, error.Value(), current_input);
   } catch (const std::exception &exception) {
-    if (TrySetExecutionStatus(state, kExecutionFatal)) {
-      auto message =
-          std::string("Internal fuzzer error - ").append(exception.what());
-      StoreDeferredRejection(context, Napi::Error::New(env, message).Value());
-    }
+    context->execution_active = 0;
+    ReportAsyncInternalError(
+        context, env, state,
+        std::string("Internal fuzzer error - ").append(exception.what()));
   }
 }
 
 void AsyncSigintHandler(int signum) {
-  std::cerr << std::endl;
-  if (gActiveAsyncContext->sigints > 0) {
+  auto *context = gActiveAsyncContext;
+  if (context == nullptr) {
     _Exit(libfuzzer::RETURN_CONTINUE);
   }
-  gActiveAsyncContext->sigints = signum;
+
+  if (context->sigints > 0) {
+    _Exit(libfuzzer::RETURN_CONTINUE);
+  }
+  context->sigints = signum;
 }
 
 void AsyncErrorSignalHandler(int signum) {
-  std::longjmp(gActiveAsyncContext->execution_context, signum);
+  auto *context = gActiveAsyncContext;
+  if (context == nullptr || context->execution_active == 0) {
+    _Exit(libfuzzer::EXIT_ERROR_SEGV);
+  }
+
+  std::longjmp(context->execution_context, signum);
 }
 
 int ExecuteAsyncInput(void *user_data, const uint8_t *data, size_t size) {