
-minimize_crash=1 doesn't seem to work

Open TheBlueMatt opened this issue 5 years ago • 2 comments

In trying to minimize a crash that had a rather large input into something more manageable I tried

rustup run nightly cargo fuzz run $TESTNAME -- -max_len=200 -minimize_crash=1 -runs=500

but got basically nonsense. It appears the fuzzer ignored the max_len argument, trying to read only the first 18 bytes of the input (which does not cause a crash), but confused itself into thinking it got a crash by getting a crash inside libfuzzer. This may very likely be an upstream bug, but I figured I'd ask here.

INFO: Seed: 3212198946
INFO: Loaded 1 modules   (214286 guards): 214286 [0x55f806201140, 0x55f8062d2578), 
CRASH_MIN: minimizing crash input: '$PATH/fuzz/corpus/$TESTNAME' (18 bytes)
CRASH_MIN: executing: fuzz/target/x86_64-unknown-linux-gnu/debug/$TESTNAME -artifact_prefix=$PATH/fuzz/artifacts/$TESTNAME/ -max_len=200 -runs=500 $PATH/fuzz/corpus/$TESTNAME >/tmp/libFuzzerTemp.3585.txt 2>&1
CRASH_MIN: '$PATH/fuzz/corpus/$TESTNAME' (18 bytes) caused a crash. Will try to minimize it further
CRASH_MIN: executing: fuzz/target/x86_64-unknown-linux-gnu/debug/$TESTNAME -artifact_prefix=$PATH/fuzz/artifacts/$TESTNAME/ -max_len=200 -runs=500 $PATH/fuzz/corpus/$TESTNAME -minimize_crash_internal_step=1 -exact_artifact_path=$PATH/fuzz/artifacts/$TESTNAME/minimized-from-a770e927c71c77a0a9ba32e12cd7eae07148f0e7 >/tmp/libFuzzerTemp.3585.txt 2>&1
INFO: Seed: 1246592331
INFO: Loaded 1 modules   (214286 guards): 214286 [0x56377bb7f140, 0x56377bc50578), 
INFO: Starting MinimizeCrashInputInternalStep: 18
$TESTNAME: libfuzzer/FuzzerLoop.cpp:375: void fuzzer::Fuzzer::SetMaxInputLen(size_t): Assertion `this->MaxInputLen == 0' failed.
==3595== ERROR: libFuzzer: deadly signal
    #0 0x56377ac08997 in __sanitizer_print_stack_trace /cargo/registry/src/github.com-1ecc6299db9ec823/compiler_builtins-0.1.2/compiler-rt/lib/asan/asan_stack.cc:38:3
    #1 0x56377ac63421 in fuzzer::PrintStackTrace() /home/matt/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4a41319/libfuzzer/FuzzerUtil.cpp:206:38
    #2 0x56377ac39276 in fuzzer::Fuzzer::CrashCallback() /home/matt/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4a41319/libfuzzer/FuzzerLoop.cpp:237:18
    #3 0x56377ac3912b in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/matt/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4a41319/libfuzzer/FuzzerLoop.cpp:209:19
    #4 0x56377ac63d10 in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/matt/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4a41319/libfuzzer/FuzzerUtilPosix.cpp:36:36
    #5 0x7ff068f826af  (/lib/x86_64-linux-gnu/libpthread.so.0+0x126af)
    #6 0x7ff068dca85a in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x3785a)
    #7 0x7ff068db5534 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22534)
    #8 0x7ff068db540e in __tls_get_addr (/lib/x86_64-linux-gnu/libc.so.6+0x2240e)
    #9 0x7ff068dc30a1 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x300a1)
    #10 0x56377ac39ab6 in fuzzer::Fuzzer::SetMaxInputLen(unsigned long) /home/matt/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4a41319/libfuzzer/FuzzerLoop.cpp:375:3
    #11 0x56377ac25ed1 in fuzzer::MinimizeCrashInputInternalStep(fuzzer::Fuzzer*, fuzzer::InputCorpus*) /home/matt/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4a41319/libfuzzer/FuzzerDriver.cpp:459:20
    #12 0x56377ac27b1e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/matt/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4a41319/libfuzzer/FuzzerDriver.cpp:672:42
    #13 0x56377ac21266 in main /home/matt/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4a41319/libfuzzer/FuzzerMain.cpp:20:30
    #14 0x7ff068db709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #15 0x56377aa10a99 in _start ($PATH/fuzz/target/x86_64-unknown-linux-gnu/debug/$TESTNAME+0xeaa99)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000


artifact_prefix='$PATH/fuzz/artifacts/$TESTNAME/'; Test unit written to $PATH/fuzz/artifacts/$TESTNAME/minimized-from-a770e927c71c77a0a9ba32e12cd7eae07148f0e7
Base64: 
*********************************
CRASH_MIN: minimizing crash input: '$PATH/fuzz/artifacts/$TESTNAME/minimized-from-a770e927c71c77a0a9ba32e12cd7eae07148f0e7' (0 bytes)
CRASH_MIN: executing: fuzz/target/x86_64-unknown-linux-gnu/debug/$TESTNAME -artifact_prefix=$PATH/fuzz/artifacts/$TESTNAME/ -max_len=200 -runs=500 $PATH/fuzz/artifacts/$TESTNAME/minimized-from-a770e927c71c77a0a9ba32e12cd7eae07148f0e7 >/tmp/libFuzzerTemp.3585.txt 2>&1
^[[A^[[B^[[B^[[B^CCRASH_MIN: '$PATH/fuzz/artifacts/$TESTNAME/minimized-from-a770e927c71c77a0a9ba32e12cd7eae07148f0e7' (0 bytes) caused a crash. Will try to minimize it further
CRASH_MIN: executing: fuzz/target/x86_64-unknown-linux-gnu/debug/$TESTNAME -artifact_prefix=$PATH/fuzz/artifacts/$TESTNAME/ -max_len=200 -runs=500 $PATH/fuzz/artifacts/$TESTNAME/minimized-from-a770e927c71c77a0a9ba32e12cd7eae07148f0e7 -minimize_crash_internal_step=1 -exact_artifact_path=$PATH/fuzz/artifacts/$TESTNAME/minimized-from-da39a3ee5e6b4b0d3255bfef95601890afd80709 >/tmp/libFuzzerTemp.3585.txt 2>&1
INFO: Seed: 4279967766
INFO: Loaded 1 modules   (214286 guards): 214286 [0x55d96276f140, 0x55d962840578), 
INFO: Starting MinimizeCrashInputInternalStep: 0
INFO: The input is small enough, exiting

TheBlueMatt avatar Jan 18 '19 17:01 TheBlueMatt

As per the assertion message

$TESTNAME: libfuzzer/FuzzerLoop.cpp:375: void fuzzer::Fuzzer::SetMaxInputLen(size_t): Assertion `this->MaxInputLen == 0' failed.

It seems that -max-len must be unset in this scenario.

nagisa avatar Jan 18 '19 18:01 nagisa

Ah, OK, so I managed to confuse myself; maybe I should stop working on these things on no sleep. Got it working manually, but let's call this a feature request for a new subcommand: just need to drop the default input folder argument that's added and replace it with a single test case to minimize.

TheBlueMatt avatar Jan 18 '19 18:01 TheBlueMatt
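The manual procedure the thread ends on (run the fuzz target directly with `-minimize_crash=1`, one crash file as the only positional argument, and no `-max_len`) as an added shell example; this is not cargo-fuzz code or anything posted in the issue, and the target and artifact paths used below are placeholders.

```shell
#!/bin/sh
# Added example, not part of cargo-fuzz or this issue: wrap libFuzzer's
# -minimize_crash=1 the way the thread ends up doing it by hand.
# Two rules from the thread are encoded here:
#   1. -max_len must not be set (MinimizeCrashInputInternalStep asserts
#      MaxInputLen == 0 and aborts inside libFuzzer otherwise);
#   2. the positional argument is ONE crash file, not the corpus directory
#      that `cargo fuzz run` adds by default.
# All paths passed to these functions are placeholders for illustration.

# Print the libFuzzer flags from "$@" with any -max_len=N dropped.
drop_max_len() {
    for arg in "$@"; do
        case "$arg" in
            -max_len=*) ;;                 # removed, see rule 1
            *) printf '%s ' "$arg" ;;
        esac
    done
}

# build_minimize_cmd TARGET_BIN CRASH_FILE OUT_FILE [libFuzzer flags...]
# Prints the command line so it can be inspected before it is run;
# returns 1 on unusable arguments.
build_minimize_cmd() {
    [ $# -ge 3 ] || return 1
    target=$1 crash=$2 out=$3
    shift 3
    flags=$(drop_max_len "$@")
    # -exact_artifact_path makes libFuzzer write the minimized input to a
    # known file instead of artifacts/minimized-from-<sha1>.
    printf '%s -minimize_crash=1 -exact_artifact_path=%s %s%s\n' \
        "$target" "$out" "$flags" "$crash"
}

# verify_minimized TARGET_BIN OUT_FILE
# The thread shows a 0-byte "minimized" file reported as a crash because
# libFuzzer itself aborted. Re-run the target on the result alone: it must
# be non-empty and must still make the target exit non-zero.
verify_minimized() {
    target=$1 out=$2
    [ -s "$out" ] || { echo "minimized input is empty: $out" >&2; return 1; }
    if "$target" "$out" >/dev/null 2>&1; then
        echo "minimized input no longer crashes the target" >&2
        return 1
    fi
    return 0
}
```

A libFuzzer-internal assertion also exits non-zero, so when `verify_minimized` passes, still read the stack trace to confirm the crash is in the target rather than in `fuzzer::` frames as in the log above.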