No coverage generated due to corpus format in Golang Native Fuzzing #13285

@sudiptob2

Description

We are implementing fuzzing in envoy/gateway using Go's native fuzzing support. However, we are seeing no coverage reported in OSS-Fuzz.

Upon investigation, we found that this is due to a mismatch in corpus formats. For fuzzing, OSS-Fuzz uses a libFuzzer-style corpus, while for coverage builds, it expects a corpus in the Go native fuzzing format.
This issue arises because the fuzzing build uses the go-118-fuzz-build library, whereas the coverage build uses Go's native fuzzing implementation.

    if [[ $SANITIZER = *coverage* ]]; then
        echo "here we perform coverage build"
        fuzzed_package=`go list $tags -f '{{.Name}}' $path`
        abspath=`go list $tags -f {{.Dir}} $path`
        cd $abspath
        cp $GOPATH/native_ossfuzz_coverage_runner.go ./"${function,,}"_test.go
        sed -i -e 's/FuzzFunction/'$function'/' ./"${function,,}"_test.go
        sed -i -e 's/mypackagebeingfuzzed/'$fuzzed_package'/' ./"${function,,}"_test.go
        sed -i -e 's/TestFuzzCorpus/Test'$function'Corpus/' ./"${function,,}"_test.go
        # The repo is the module path/name, which is already created above
        # in case it doesn't exist, but not always the same as the module
        # path. This is necessary to handle SIV properly.
        fuzzed_repo=$(go list $tags -f {{.Module}} "$path")
        abspath_repo=`go list -m $tags -f {{.Dir}} $fuzzed_repo || go list $tags -f {{.Dir}} $fuzzed_repo`
        # give equivalence to absolute paths in another file, as go test -cover uses golangish pkg.Dir
        echo "s=$fuzzed_repo"="$abspath_repo"= > $OUT/$fuzzer.gocovpath
        go test -run Test${function}Corpus -v $tags -coverpkg $fuzzed_repo/... -c -o $OUT/$fuzzer $path
        rm ./"${function,,}"_test.go
    else
        go-118-fuzz-build -o $fuzzer.a -func $function $abs_file_dir
        $CXX $CXXFLAGS $LIB_FUZZING_ENGINE $fuzzer.a -o $OUT/$fuzzer
    fi
}

There is a corpus converter that is supposed to transform the libFuzzer corpus into the Go native format during coverage builds. However, it appears that this conversion step is not being triggered.

# rewrite libFuzzer corpus to Std Go corpus if native fuzzing
grep "TestFuzzCorpus" $target > /dev/null 2>&1 && $SYSGOPATH/bin/convertcorpus $target "testdata/fuzz/${target}"

As a result, the entire generated corpus is not taken into account while building the coverage report. See coverage build logs: https://oss-fuzz-build-logs.storage.googleapis.com/log-5714e769-c3e8-4543-adfb-7ed9e040a8d8.txt

We would appreciate any guidance on how to resolve this issue, as having coverage reports is crucial for us to fine-tune and develop additional fuzzers for envoy/gateway.
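As an added illustration (not code from OSS-Fuzz, go-118-fuzz-build or envoy/gateway), the following Go program does what the `convertcorpus` step above is meant to do: it rewrites a flat libFuzzer corpus directory of raw byte files into Go native corpus entries under `testdata/fuzz/<FuzzName>`. The directory layout, the single-`[]byte` target shape and the command-line usage are assumptions.

```go
package main

import (
	"os"
	"path/filepath"
	"strconv"
)

const goCorpusHeader = "go test fuzz v1" // line 1 of every file under testdata/fuzz/<FuzzName>/

// EncodeGoCorpusEntry wraps a raw libFuzzer corpus file as a Go native corpus entry for a target
// taking one []byte (the go-118-fuzz-build shape); Go encodes the value with %q, so strconv.Quote matches.
func EncodeGoCorpusEntry(data []byte) string {
	return goCorpusHeader + "\n[]byte(" + strconv.Quote(string(data)) + ")\n"
}

// ConvertLibFuzzerCorpus rewrites every regular file in srcDir into dstDir (for example
// testdata/fuzz/FuzzFoo) and returns how many entries it wrote. Skipping this step is
// exactly the failure described in the issue: raw files are not valid Go corpus entries.
func ConvertLibFuzzerCorpus(srcDir, dstDir string) (int, error) {
	files, err := os.ReadDir(srcDir)
	if err != nil {
		return 0, err
	}
	if err := os.MkdirAll(dstDir, 0o755); err != nil {
		return 0, err
	}
	n := 0
	for _, f := range files {
		if !f.Type().IsRegular() {
			continue // libFuzzer corpora are flat; ignore subdirectories and symlinks
		}
		raw, err := os.ReadFile(filepath.Join(srcDir, f.Name()))
		if err != nil {
			return n, err
		}
		if err := os.WriteFile(filepath.Join(dstDir, f.Name()), []byte(EncodeGoCorpusEntry(raw)), 0o644); err != nil {
			return n, err
		}
		n++
	}
	return n, nil
}

func main() { // assumed usage: convertcorpus <libfuzzer-corpus-dir> <testdata/fuzz/FuzzName>
	if _, err := ConvertLibFuzzerCorpus(os.Args[1], os.Args[2]); err != nil {
		os.Stderr.WriteString(err.Error() + "\n")
		os.Exit(1)
	}
}
```

After conversion, `go test -run Test<Name>Corpus -coverpkg ...` (as in the coverage branch above) can load each entry and the coverage report reflects the fuzzer-generated corpus.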
