fix(clusterfuzzlite): ASan-only fuzzing — drop unsupported undefined sanitizer#130
Merged
…ASan only) #129 fixed the ClusterFuzzLite *build* (Dockerfile + build.sh), but the `undefined` matrix variant still failed bad_build_check:

    BAD BUILD: UBSan build of fuzz_main seems to be compiled with ASan.

That's fundamental, not a misconfig to paper over: Rust/cargo-fuzz cannot emit a valid UndefinedBehaviorSanitizer binary — it links ASan regardless — so the `undefined` job could never produce real UBSan coverage.

Restrict fuzzing to the supported, meaningful sanitizer:
- cflite_pr.yml / cflite_batch.yml: matrix `sanitizer: [address]` (removes the broken `PR (undefined)` job);
- project.yaml: `sanitizers: [address]`;
- build.sh: pass `--sanitizer "${SANITIZER:-address}"` explicitly.

ASan fuzzing (the `address` variant, whose build already works as of #129) is retained.

NOTE: the full OSS-Fuzz image build isn't runnable locally, so this is correct-by-spec; the `address` job exercises it in CI.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwV2DWsjkBiNP3oscimMLV
hyperpolymath pushed a commit that referenced this pull request on Jun 27, 2026:
#131's my-llvm .rs edit triggered the ClusterFuzzLite workflow for the first time since the #130 build fix — validating it: fuzz_main built and ran 177M executions in 301s with ZERO crashes.

The job still failed on the final step: `upload-sarif` runs `if: always()` but a clean run writes no vulnerabilities.sarif, so it errored 'Path does not exist'. Guard the upload with `hashFiles('vulnerabilities.sarif') != ''` so a no-crash run passes cleanly. Applied to both cflite_pr.yml and cflite_batch.yml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BwV2DWsjkBiNP3oscimMLV
What

Follow-up to #129. #129 fixed the ClusterFuzzLite build (clean Dockerfile + build.sh), and CI confirmed it works — the image builds and `fuzz_main` compiles + stages. The only remaining red was the `undefined` sanitizer matrix variant:

This is fundamental, not a config typo: Rust/cargo-fuzz cannot emit a valid UndefinedBehaviorSanitizer binary — it links ASan regardless — so OSS-Fuzz's `bad_build_check` rejects it. The `undefined` job could never produce real UBSan coverage. Standard Rust OSS-Fuzz practice is ASan-only.

Changes

- `cflite_pr.yml` / `cflite_batch.yml`: matrix `sanitizer: [address]` — removes the broken `PR (undefined)` job.
- `.clusterfuzzlite/project.yaml`: `sanitizers: [address]`.
- `.clusterfuzzlite/build.sh`: pass `--sanitizer "${SANITIZER:-address}"` explicitly.

Each change carries an inline comment explaining the Rust/UBSan limitation. The `address` variant (whose build already works per #129) is retained, so ASan fuzzing continues.

Verification

`bash -n .clusterfuzzlite/build.sh` OK; config greps confirm `[address]` everywhere. The full OSS-Fuzz image build isn't runnable in this environment, so this is correct-by-spec — the `address` job exercises it in CI.

Out of scope (separate, tracked)

The `Validate Hypatia Baseline` red is the pre-existing Hypatia backlog (issue #34): the now-working analyzer reports 25 findings ≥ medium against an empty `.hypatia-baseline.json`. Resolving it needs the actual findings (artifact `hypatia-scan-findings` / the Security tab), which aren't reachable from the CI sandbox — to be fixed at source once the list is in hand, per the repo's fix-don't-suppress discipline.

🤖 Generated with Claude Code
https://claude.ai/code/session_01BwV2DWsjkBiNP3oscimMLV
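As an added illustration (not a file from this repository), a cflite_pr.yml-style workflow that combines both fixes discussed on this page: the ASan-only matrix from this PR and the guarded `upload-sarif` step from the follow-up commit. Only the matrix line, the `vulnerabilities.sarif` path and the `hashFiles` guard come from the page; the action names and versions, step names, `fuzz-seconds`, `mode`, trigger paths and the `permissions` block are assumptions about a typical ClusterFuzzLite setup.

```yaml
# Added example, not the repository's own workflow. Action names/versions,
# step names, fuzz-seconds, mode, trigger paths and permissions are assumed.
name: ClusterFuzzLite PR fuzzing
on:
  pull_request:
    paths:
      - '**.rs'

permissions:
  contents: read
  security-events: write   # required for upload-sarif

jobs:
  PR:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Rust/cargo-fuzz links ASan even when asked for UBSan, so an
        # `undefined` entry here can only fail bad_build_check
        # ("UBSan build ... seems to be compiled with ASan").
        # Before: sanitizer: [address, undefined]
        sanitizer: [address]
    steps:
      - name: Build fuzzers (${{ matrix.sanitizer }})
        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
        with:
          language: rust
          sanitizer: ${{ matrix.sanitizer }}
      - name: Run fuzzers (${{ matrix.sanitizer }})
        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
        with:
          sanitizer: ${{ matrix.sanitizer }}
          fuzz-seconds: 300
          mode: code-change
          output-sarif: true
      - name: Upload crash findings
        # vulnerabilities.sarif is written only when a crash was found.
        # Before: `if: always()` alone, which made a clean, no-crash run
        # fail with "Path does not exist". The hashFiles() guard keeps the
        # step on failed/cancelled runs but skips it when nothing was written.
        if: always() && hashFiles('vulnerabilities.sarif') != ''
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: vulnerabilities.sarif
```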