Bug: `FuzzedDataProvider#consume...` returns wrong results when `max - min == MAX_VALUE`

[Marcono1234]

Version

Jazzer JUnit 0.24.0

Description

It seems the FuzzedDataProvider methods for producing a value within a [min, max] range, such as consumeInt, return results outside that range when max - min == MAX_VALUE.

The simplest case is something like this:

@FuzzTest
void test(FuzzedDataProvider dataProvider) {
    var value = dataProvider.consumeInt(0, Integer.MAX_VALUE);
    if (value < 0) {
        throw new RuntimeException("value: " + value);
    }
}

min is 0 so the value should never be < 0, yet it does return results which are negative.

To highlight that this is not due to numeric overflow or related to max being MAX_VALUE, consider this example:

@FuzzTest
void test(FuzzedDataProvider dataProvider) {
    int diff = Byte.MAX_VALUE;
    int min = -10;
    int max = min + diff;
    
    var value = dataProvider.consumeByte((byte) min, (byte) max);
    if (value < min) {
        throw new RuntimeException("value: " + value);
    }
}

It fails in a similar way, but if you change it to diff = Byte.MAX_VALUE + 1 or diff = Byte.MAX_VALUE - 1 it does not fail anymore.

---

The cause might be this check here, not sure why it exists:

jazzer/src/main/native/com/code_intelligence/jazzer/driver/fuzzed_data_provider.cpp

Line 114 in efbc635

if (range != std::numeric_limits<T>::max())

Maybe this is supposed to prevent overflow for the result variable, but contains a bug and should rather check uint64_t::max() (uint64_t being the type of result) instead of T::max() (which is the MAX_VALUE of the Java type?)?

[Anchels]

I have the same issue, consumeInt(0, Integer.MAX_VALUE) might return negative values

[oetr]

This issue is relevant for all integer types.
The while loop makes sure that the resulting numbers are always within the range:

jazzer/src/main/native/com/code_intelligence/jazzer/driver/fuzzed_data_provider.cpp

Line 104 in efbc635

while (offset < 8 * sizeof(T) && (range >> offset) > 0 &&

But they are not guaranteed to be within [min; max].
So maybe we should do something like this:

  if (result >= min && result <= max) {
      return static_cast<T>(result);
  }
  return static_cast<T>(min + (result % (range + 1)));

In the meantime you could use the mutation framework:

  private static final int diff = Byte.MAX_VALUE;
  private static final int min = -10;
  private static final int max = min + diff;

  @FuzzTest
  void test2(@InRange(min=min, max=max) byte value) {
    if ((value < min) || (value > max)) {
      throw new RuntimeException("value: " + value);
    }
  }