
fix(clusterfuzzlite): ASan-only fuzzing — drop unsupported undefined sanitizer#130

Merged
hyperpolymath merged 1 commit into main from claude/dreamy-hypatia-O8XHo on Jun 27, 2026

Conversation

@hyperpolymath (Owner)

What

Follow-up to #129. #129 fixed the ClusterFuzzLite build (clean Dockerfile + build.sh), and CI confirmed it works — the image builds and fuzz_main compiles + stages. The only remaining red was the undefined sanitizer matrix variant:

BAD BUILD: UBSan build of fuzz_main seems to be compiled with ASan.
ERROR: 100.0% of fuzz targets seem to be broken.

This is fundamental, not a config typo: Rust/cargo-fuzz cannot emit a valid UndefinedBehaviorSanitizer binary — it links ASan regardless — so OSS-Fuzz's bad_build_check rejects it. The undefined job could never produce real UBSan coverage. Standard Rust OSS-Fuzz practice is ASan-only.

Changes

  • cflite_pr.yml / cflite_batch.yml: matrix sanitizer: [address] — removes the broken PR (undefined) job.
  • .clusterfuzzlite/project.yaml: sanitizers: [address].
  • .clusterfuzzlite/build.sh: pass --sanitizer "${SANITIZER:-address}" explicitly.

Each change carries an inline comment explaining the Rust/UBSan limitation. The address variant (whose build already works per #129) is retained, so ASan fuzzing continues.

Verification

bash -n .clusterfuzzlite/build.sh OK; config greps confirm [address] everywhere. The full OSS-Fuzz image build isn't runnable in this environment, so this is correct-by-spec — the address job exercises it in CI.

Out of scope (separate, tracked)

The Validate Hypatia Baseline red is the pre-existing Hypatia backlog (issue #34): the now-working analyzer reports 25 findings ≥ medium against an empty .hypatia-baseline.json. Resolving it needs the actual findings (artifact hypatia-scan-findings/the Security tab), which aren't reachable from the CI sandbox — to be fixed at source once the list is in hand, per the repo's fix-don't-suppress discipline.

🤖 Generated with Claude Code

https://claude.ai/code/session_01BwV2DWsjkBiNP3oscimMLV



…ASan only)

#129 fixed the ClusterFuzzLite *build* (Dockerfile + build.sh), but the
`undefined` matrix variant still failed bad_build_check:

  BAD BUILD: UBSan build of fuzz_main seems to be compiled with ASan.

That's fundamental, not a misconfig to paper over: Rust/cargo-fuzz cannot emit a
valid UndefinedBehaviorSanitizer binary — it links ASan regardless — so the
`undefined` job could never produce real UBSan coverage. Restrict fuzzing to
the supported, meaningful sanitizer:

- cflite_pr.yml / cflite_batch.yml: matrix `sanitizer: [address]` (removes the
  broken `PR (undefined)` job);
- project.yaml: `sanitizers: [address]`;
- build.sh: pass `--sanitizer "${SANITIZER:-address}"` explicitly.

ASan fuzzing (the `address` variant, whose build already works as of #129) is
retained. NOTE: the full OSS-Fuzz image build isn't runnable locally, so this
is correct-by-spec; the `address` job exercises it in CI.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwV2DWsjkBiNP3oscimMLV
@hyperpolymath hyperpolymath marked this pull request as ready for review June 27, 2026 22:16
@hyperpolymath hyperpolymath merged commit f5f03ce into main Jun 27, 2026
13 of 14 checks passed
@hyperpolymath hyperpolymath deleted the claude/dreamy-hypatia-O8XHo branch June 27, 2026 22:16
hyperpolymath pushed a commit that referenced this pull request Jun 27, 2026
#131's my-llvm .rs edit triggered the ClusterFuzzLite workflow for the first
time since the #130 build fix — validating it: fuzz_main built and ran 177M
executions in 301s with ZERO crashes. The job still failed on the final step:
`upload-sarif` runs `if: always()` but a clean run writes no
vulnerabilities.sarif, so it errored 'Path does not exist'. Guard the upload
with `hashFiles('vulnerabilities.sarif') != ''` so a no-crash run passes
cleanly. Applied to both cflite_pr.yml and cflite_batch.yml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwV2DWsjkBiNP3oscimMLV
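The workflow shape described in this PR and in the follow-up commit above, written out as an added example; it is not the repository's own cflite_pr.yml. It shows the matrix restricted to `address` (with the `undefined` entry left commented out and the reason recorded inline), the ClusterFuzzLite build and run actions (`google/clusterfuzzlite/actions/build_fuzzers@v1` and `run_fuzzers@v1`, whose inputs follow the ClusterFuzzLite documentation), and the SARIF upload guarded with `hashFiles` so a zero-crash run no longer fails on a missing file. The SARIF path `vulnerabilities.sarif` is the one named in the commit message; the trigger paths, `fuzz-seconds` value and job name are assumptions.

```yaml
# Added example (not this repository's file): a ClusterFuzzLite PR workflow
# restricted to AddressSanitizer, with the SARIF upload guarded so a run
# that finds no crashes does not fail on a missing results file.
name: ClusterFuzzLite PR fuzzing
on:
  pull_request:
    paths:
      - '**'                 # assumption: fuzz every PR regardless of paths touched
permissions:
  contents: read
  security-events: write     # required by codeql-action/upload-sarif
jobs:
  PR:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        sanitizer:
          - address
          # - undefined      # rejected by bad_build_check for Rust/cargo-fuzz:
          #                  # the binary links ASan regardless, so a UBSan job
          #                  # never yields real UBSan coverage (see PR #130)
    steps:
      - name: Build Fuzzers (${{ matrix.sanitizer }})
        id: build
        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
        with:
          language: rust
          github-token: ${{ secrets.GITHUB_TOKEN }}
          sanitizer: ${{ matrix.sanitizer }}   # reaches build.sh as $SANITIZER
      - name: Run Fuzzers (${{ matrix.sanitizer }})
        id: run
        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fuzz-seconds: 300                    # assumption: a short PR-sized budget
          mode: 'code-change'
          sanitizer: ${{ matrix.sanitizer }}
          output-sarif: true
      - name: Upload SARIF
        # Weak form: `if: always()` alone errors with "Path does not exist"
        # on a clean run, because no SARIF file is written when nothing crashed.
        # Guarded form: upload only when the file actually exists.
        if: always() && hashFiles('vulnerabilities.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: vulnerabilities.sarif    # path taken from the commit message above
```

The matrix value, `.clusterfuzzlite/project.yaml`'s `sanitizers: [address]` and build.sh's `--sanitizer "${SANITIZER:-address}"` all have to agree: the action exports the matrix entry as `SANITIZER`, and a mismatch between the three is exactly what bad_build_check is designed to catch.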