fix(fuzzer): harden LibAFL signal state

oetr · oetr · commit c74002d02610 · 2026-04-30T10:33:20.000+02:00
Use signal-safe interrupt counters and initialize the jump target before marking an execution active so signal handlers do not observe partially prepared state.
diff --git a/packages/fuzzer/libafl_runtime.cpp b/packages/fuzzer/libafl_runtime.cpp
@@ -145,7 +145,7 @@ struct SyncFuzzTargetContext {
   SyncWatchdogState watchdog;
   volatile std::sig_atomic_t signal_status = 0;
   volatile std::sig_atomic_t execution_active = 0;
-  volatile int sigints = 0;
+  volatile std::sig_atomic_t sigints = 0;
   std::jmp_buf execution_context;
 };
 
@@ -179,7 +179,7 @@ struct AsyncFuzzTargetContext {
   bool is_resolved = false;
   int run_status = kRuntimeOk;
   volatile std::sig_atomic_t execution_active = 0;
-  volatile int sigints = 0;
+  volatile std::sig_atomic_t sigints = 0;
   std::jmp_buf execution_context;
 };
 
@@ -450,8 +450,10 @@ int ExecuteSyncInput(void *user_data, const uint8_t *data, size_t size) {
 
   try {
     auto buffer = Napi::Buffer<uint8_t>::Copy(context->env, data, size);
-    context->execution_active = 1;
+    // Initialize the jump target before signal handlers can treat this
+    // invocation as actively executing user code.
     const auto signal_status = setjmp(context->execution_context);
+    context->execution_active = 1;
     if (signal_status == 0) {
       auto result = context->target.Call({buffer});
       if (result.IsPromise()) {
@@ -506,14 +508,16 @@ void CallJsFuzzCallback(Napi::Env env, Napi::Function js_fuzz_callback,
   try {
     if (context->sigints > 0) {
       TryPublishExecutionStatus(state, kExecutionStop);
-      return;
-    }
-
-    context->execution_active = 1;
-    const auto signal_status = setjmp(context->execution_context);
-    if (signal_status == SIGSEGV) {
-      context->execution_active = 0;
-      std::cerr << "==" << static_cast<unsigned long>(GetPID())
+			return;
+		}
+
+		// Initialize the jump target before signal handlers can treat this
+		// invocation as actively executing user code.
+		const auto signal_status = setjmp(context->execution_context);
+		context->execution_active = 1;
+		if (signal_status == SIGSEGV) {
+			context->execution_active = 0;
+			std::cerr << "==" << static_cast<unsigned long>(GetPID())
                 << "== Segmentation Fault" << std::endl;
       libfuzzer::PrintCrashingInput();
       _Exit(libfuzzer::EXIT_ERROR_SEGV);
