jazzer
Bug: `FuzzedDataProvider#consume...` returns wrong results when `max - min == MAX_VALUE`
Version
Jazzer JUnit 0.24.0
Description
It seems the `FuzzedDataProvider` methods for producing a value within a `[min, max]` range, such as `consumeInt`, return results outside that range when `max - min == MAX_VALUE`.
The simplest case is something like this:
```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.junit.FuzzTest;

class ConsumeIntRangeTest {
    @FuzzTest
    void test(FuzzedDataProvider dataProvider) {
        // Request a value in [0, Integer.MAX_VALUE]; here max - min == Integer.MAX_VALUE.
        var value = dataProvider.consumeInt(0, Integer.MAX_VALUE);
        if (value < 0) {
            throw new RuntimeException("value: " + value);
        }
    }
}
```
`min` is 0, so the value should never be `< 0`, yet it does return results that are negative.
To highlight that this is not due to numeric overflow or related to `max` being `MAX_VALUE`, consider this example:
```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.junit.FuzzTest;

class ConsumeByteRangeTest {
    @FuzzTest
    void test(FuzzedDataProvider dataProvider) {
        // The range width equals Byte.MAX_VALUE (127), but max itself is not Byte.MAX_VALUE.
        int diff = Byte.MAX_VALUE;
        int min = -10;
        int max = min + diff; // 117
        var value = dataProvider.consumeByte((byte) min, (byte) max);
        if (value < min) {
            throw new RuntimeException("value: " + value);
        }
    }
}
```
It fails in a similar way, but if you change it to `diff = Byte.MAX_VALUE + 1` or `diff = Byte.MAX_VALUE - 1` it does not fail anymore.
The cause might be this check here; I'm not sure why it exists:
https://github.com/CodeIntelligenceTesting/jazzer/blob/efbc6354e412ce221ad3b18a6fdd32bf12241825/src/main/native/com/code_intelligence/jazzer/driver/fuzzed_data_provider.cpp#L114
Maybe this is supposed to prevent overflow for the `result` variable, but contains a bug and should rather check `uint64_t::max()` (`uint64_t` being the type of `result`) instead of `T::max()` (which is the `MAX_VALUE` of the Java type?)?
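For reference, here is an added C++ example of a range mapping that stays correct when `max - min` equals the type's `MAX_VALUE`. It is not Jazzer's code and does not claim to reproduce the check linked above; it assumes the fuzzer hands over a raw `uint64_t` (`raw`) and that the caller passes `min <= max`. The point it shows is that the interval width `max - min + 1` must be computed in `uint64_t`, not in the target type `T`, because in `T` it overflows exactly in the `max - min == T::max()` case reported above.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>
#include <type_traits>

// Added example, not Jazzer's implementation. Maps a raw 64-bit value from the
// fuzzer input onto the closed interval [min, max] of a signed integer type T
// (int8_t/int16_t/int32_t/int64_t stand in for byte/short/int/long).
// Precondition (assumed): min <= max.
template <typename T>
T consume_in_range(uint64_t raw, T min, T max) {
  static_assert(std::is_integral<T>::value && std::is_signed<T>::value,
                "T must be a signed integer type");
  using U = typename std::make_unsigned<T>::type;
  // Width computed in U (mod 2^bits) and widened to uint64_t: this is well
  // defined even when max - min does not fit in T, e.g. [0, INT32_MAX] gives
  // 0x7FFFFFFF and [-10, 117] for int8_t gives 127, not a negative int.
  uint64_t width = static_cast<uint64_t>(
      static_cast<U>(static_cast<U>(max) - static_cast<U>(min)));
  if (width == std::numeric_limits<uint64_t>::max()) {
    // Full 64-bit interval (only reachable for T = int64_t): every raw value
    // is already in range, and width + 1 would wrap to 0.
    return static_cast<T>(raw);
  }
  uint64_t range = width + 1;     // number of representable values, no overflow
  uint64_t offset = raw % range;  // 0 <= offset <= width
  // min + offset in U arithmetic wraps correctly for negative min; the final
  // cast back to T reinterprets the two's-complement bit pattern.
  return static_cast<T>(static_cast<U>(static_cast<U>(min) + static_cast<U>(offset)));
}

// Runs the mapping over a sweep of constructed raw values (a fuzzer would
// supply these from its input) and reports whether every result stayed in
// [min, max]. The sweep includes the boundaries where a signed computation of
// the width would have wrapped.
template <typename T>
bool all_in_range(T min, T max) {
  const uint64_t probes[] = {0ULL, 1ULL, 7ULL, 200ULL,
                             0x7FFFFFFFULL, 0x80000000ULL, 0xFFFFFFFFULL,
                             0x7FFFFFFFFFFFFFFFULL, 0x8000000000000000ULL,
                             std::numeric_limits<uint64_t>::max()};
  for (uint64_t raw : probes) {
    T v = consume_in_range<T>(raw, min, max);
    if (v < min || v > max) return false;
  }
  return true;
}

int main() {
  // The two intervals from the report: width == MAX_VALUE of the type.
  std::cout << "int   [0, INT32_MAX] ok: "
            << all_in_range<int32_t>(0, std::numeric_limits<int32_t>::max()) << '\n';
  std::cout << "byte  [-10, 117]     ok: "
            << all_in_range<int8_t>(-10, 117) << '\n';
  // Full long range, where width + 1 would wrap even in uint64_t.
  std::cout << "long  full range     ok: "
            << all_in_range<int64_t>(std::numeric_limits<int64_t>::min(),
                                     std::numeric_limits<int64_t>::max()) << '\n';
  return 0;
}
```

The `all_in_range` sweep is the same property the two fuzz tests above assert (`value >= min`), so it can be pointed at any `[min, max]` pair, including the `diff = Byte.MAX_VALUE ± 1` neighbours, to compare behaviour with and without the overflow-safe width.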