"--timeout=..." is now a native Jazzer.js flag

oetr · oetr · commit 97dbadd09f9e · 2023-02-01T11:20:09.000+01:00
diff --git a/docs/fuzz-settings.md b/docs/fuzz-settings.md
@@ -55,18 +55,16 @@ npx jazzer fuzzTarget -- -use_value_profile=1
 ## Timeout
 
 Invocations of fuzz targets, which take longer than the configured timeout, will
-cause fuzzing to stop and a timeout finding to be reported. This feature is
-directly provided by the underlying fuzzing engine, libFuzzer.
-
-A [default timeout](https://www.llvm.org/docs/LibFuzzer.html#output) of 1200
-seconds is preconfigured, but can be changed using the `-timeout` fuzzer flag.
+cause fuzzing to stop and a timeout finding to be reported. A default timeout of
+5000 milliseconds is preconfigured, but can be changed using the `--timeout`
+fuzzer flag.
 
 Timeouts work in the sync- and asynchronous fuzzing mode.
 
 **Example invocation:**
 
 ```shell
-npx jazzer fuzzTarget -- -timeout=10
+npx jazzer fuzzTarget --timeout=10000
 ```
 
 **Example output:**
diff --git a/docs/jest-integration.md b/docs/jest-integration.md
@@ -327,4 +327,3 @@ reimplemented.
 
 - Mock functions
 - Isolated workers
-- Test-based timeouts (third parameter to `test` functions)
diff --git a/examples/jest_integration/integration.fuzz.js b/examples/jest_integration/integration.fuzz.js
@@ -24,6 +24,22 @@ describe("My describe", () => {
 		target.fuzzMe(data);
 	});
 
+	it.fuzz(
+		"My fuzz test with an explicit timeout (async)",
+		async (data) => {
+			target.fuzzMe(data);
+		},
+		1000
+	);
+
+	it.fuzz(
+		"My fuzz test with an explicit timeout (sync)",
+		(data) => {
+			target.fuzzMe(data);
+		},
+		1000
+	);
+
 	it.fuzz("My callback fuzz test", (data, done) => {
 		target.callbackFuzzMe(data, done);
 	});
diff --git a/examples/jest_integration/integration.fuzz/My_describe/My_fuzz_test_with_an_explicit_timeout_(async)/test b/examples/jest_integration/integration.fuzz/My_describe/My_fuzz_test_with_an_explicit_timeout_(async)/test
@@ -0,0 +1 @@
+test
diff --git a/examples/jest_integration/integration.fuzz/My_describe/My_fuzz_test_with_an_explicit_timeout_(sync)/test b/examples/jest_integration/integration.fuzz/My_describe/My_fuzz_test_with_an_explicit_timeout_(sync)/test
@@ -0,0 +1 @@
+test
diff --git a/fuzztests/.jazzerjsrc b/fuzztests/.jazzerjsrc
@@ -1,4 +1,5 @@
 {
 	"fuzzerOptions": ["-use_value_profile=1", "-max_total_time=30"],
-	"includes": ["jazzer.js"]
+	"includes": ["jazzer.js"],
+	"timeout": 1000
 }
diff --git a/fuzztests/FuzzedDataProvider.fuzz.js b/fuzztests/FuzzedDataProvider.fuzz.js
@@ -42,7 +42,7 @@ describe("FuzzedDataProvider", () => {
 			}
 			jazzer.exploreState(hash(usedMethods), 31);
 		},
-		40000
+		5000
 	);
 });
 
diff --git a/fuzztests/runFuzzTests.js b/fuzztests/runFuzzTests.js
@@ -9,7 +9,7 @@ const fs = require("fs/promises");
 const { spawn } = require("child_process");
 
 const fuzzTestFileExtension = "fuzz.js";
-const fuzzTestNameRegex = /it.fuzz\(\s*"(.*)"/g;
+const fuzzTestNameRegex = /it.fuzz\s*\(\s*"(.*)"/g;
 
 async function findFuzzTestNamesInFile(file) {
 	const fuzzTestNames = [];
@@ -47,8 +47,11 @@ async function executeFuzzTest(file, name) {
 		});
 		test.on("close", (code) => {
 			console.log(`--- Finished fuzz test ${file} > ${name} with code ${code}`);
-			if (code !== 0 && code !== null) reject(code);
-			else resolve();
+			if (code !== 0 && code !== null) {
+				reject(code);
+			} else {
+				resolve();
+			}
 		});
 	});
 }
diff --git a/packages/core/cli.ts b/packages/core/cli.ts
@@ -181,6 +181,12 @@ yargs(process.argv.slice(2))
 					type: "string",
 					group: "Fuzzer:",
 					default: ["json", "text", "lcov", "clover"],
+				})
+				.option("timeout", {
+					describe: "Timeout in milliseconds for each fuzz test execution.",
+					type: "number",
+					group: "Fuzzer:",
+					default: 5000,
 				});
 		},
 		// eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -196,6 +202,7 @@ yargs(process.argv.slice(2))
 				excludes: args.instrumentation_excludes,
 				dryRun: args.dry_run,
 				sync: args.sync,
+				timeout: args.timeout,
 				fuzzerOptions: args.corpus.concat(args._),
 				customHooks: args.custom_hooks,
 				expectedErrors: args.expected_errors,
diff --git a/packages/core/core.ts b/packages/core/core.ts
@@ -52,7 +52,7 @@ export interface Options {
 	fuzzerOptions: string[];
 	customHooks: string[];
 	expectedErrors: string[];
-	timeout?: number;
+	timeout: number;
 	idSyncFile?: string;
 	coverage: boolean; // Enables source code coverage report generation.
 	coverageDirectory: string;
@@ -290,10 +290,12 @@ function buildFuzzerOptions(options: Options): string[] {
 		// the last provided option takes precedence
 		opts = opts.concat("-runs=0");
 	}
-	if (options.timeout != undefined) {
-		const inSeconds = options.timeout / 1000;
-		opts = opts.concat(`-timeout=${inSeconds}`);
+
+	if (options.timeout <= 0) {
+		throw new Error("timeout must be > 0");
 	}
+	const inSeconds = Math.ceil(options.timeout / 1000);
+	opts = opts.concat(`-timeout=${inSeconds}`);
 
 	return [prepareLibFuzzerArg0(opts), ...opts];
 }
diff --git a/packages/instrumentor/edgeIdStrategy.ts b/packages/instrumentor/edgeIdStrategy.ts
@@ -22,12 +22,16 @@ import process from "process";
 import { fuzzer } from "@jazzer.js/fuzzer";
 
 if (process.listeners) {
-	// "signal-exit" library imported by "proper-lockfile" inserts listeners for all important signals, such as SIGALRM and SIGINT (see https://github.com/tapjs/signal-exit/blob/39a5946d2b04d00106400c0dcc5d358a40892438/signals.js)
-	// libFuzzer has a SIGALRM handler to deal with -timeout flag, here we give the control back to libFuzzer by removing the SIGALRM listeners inserted by "signal-exit".
+	// "signal-exit" library imported by "proper-lockfile" inserts listeners
+	// for all important signals, such as SIGALRM and SIGINT
+	// (see https://github.com/tapjs/signal-exit/blob/39a5946d2b04d00106400c0dcc5d358a40892438/signals.js)
+	// libFuzzer has a SIGALRM handler to deal with -timeout flag, here we give
+	// the control back to libFuzzer by removing the SIGALRM listeners inserted by "signal-exit".
 	if (process.listeners("SIGALRM").length > 0) {
 		process.removeListener("SIGALRM", process.listeners("SIGALRM")[0]);
 	}
-	// SIGINT: in synchronous mode, pressing CTRL-C does not abort the process. Removing the SIGINT listener inserted by "signal-exit" gives the control back to the users.
+	// SIGINT: in synchronous mode, pressing CTRL-C does not abort the process.
+	// Removing the SIGINT listener inserted by "signal-exit" gives the control back to the users.
 	if (process.listeners("SIGINT").length > 0) {
 		process.removeListener("SIGINT", process.listeners("SIGINT")[0]);
 	}
diff --git a/packages/jest-runner/config.ts b/packages/jest-runner/config.ts
@@ -27,7 +27,7 @@ export const defaultOptions: Options = {
 	fuzzerOptions: [],
 	sync: false,
 	expectedErrors: [],
-	timeout: undefined,
+	timeout: 5000, // default Jest timeout
 	coverage: false,
 	coverageDirectory: "coverage",
 	coverageReporters: ["json", "text", "lcov", "clover"], // default Jest reporters
diff --git a/packages/jest-runner/fuzz.ts b/packages/jest-runner/fuzz.ts
@@ -73,9 +73,11 @@ export const fuzz: FuzzTest = (name, fn, timeout) => {
 	const fuzzingConfig = loadConfig();
 
 	// Timeout priority is: test timeout > config timeout > default timeout.
-	if (!timeout)
-		if (fuzzingConfig.timeout) timeout = fuzzingConfig.timeout;
-		else timeout = 5000;
+	if (!timeout) {
+		timeout = fuzzingConfig.timeout;
+	} else {
+		fuzzingConfig.timeout = timeout;
+	}
 
 	if (fuzzingConfig.dryRun) {
 		runInRegressionMode(name, fn, corpus, timeout);
diff --git a/tests/timeout/fuzz.js b/tests/timeout/fuzz.js
@@ -15,7 +15,7 @@
  */
 
 /**
- * This is a regression test that checks that running this function with "-timeout=1" does not result in a timeout.
+ * This is a regression test that checks that running this function with "--timeout=1000" does not result in a timeout.
  *
  * @param { Buffer } data
  */
diff --git a/tests/timeout/package.json b/tests/timeout/package.json
@@ -3,8 +3,8 @@
 	"version": "1.0.0",
 	"description": "Timeout test: checking that the handler for the SIGALRM signal does not return with error code.",
 	"scripts": {
-		"timeout": "jazzer fuzz -f=timeout -- -timeout=1",
-		"fuzz": "jazzer fuzz -- -timeout=1 -max_total_time=10",
+		"timeout": "jazzer fuzz -f=timeout --timeout=1000 -- -max_total_time=10",
+		"fuzz": "jazzer fuzz --timeout=1000 -- -max_total_time=10",
 		"dryRun": "echo \"skipped\""
 	},
 	"devDependencies": {

Original file line number	Diff line number	Diff line change
`@@ -327,4 +327,3 @@ reimplemented.`
`327`	`327`
`328`	`328`	`- Mock functions`
`329`	`329`	`- Isolated workers`
`330`		-- Test-based timeouts (third parameter to `test` functions)
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`{`
`2`	`2`	`"fuzzerOptions": ["-use_value_profile=1", "-max_total_time=30"],`
`3`		`- "includes": ["jazzer.js"]`
	`3`	`+ "includes": ["jazzer.js"],`
	`4`	`+ "timeout": 1000`
`4`	`5`	`}`
Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ describe("FuzzedDataProvider", () => {`
`42`	`42`	`}`
`43`	`43`	`jazzer.exploreState(hash(usedMethods), 31);`
`44`	`44`	`},`
`45`		`- 40000`
	`45`	`+ 5000`
`46`	`46`	`);`
`47`	`47`	`});`
`48`	`48`