ci: CFL migrates to Ubuntu 24.04#75

Draft
Sjors wants to merge 2 commits intostratum-mining:masterfrom
Sjors:2025/12/cfl-ubuntu-24
Conversation

@Sjors
Collaborator

@Sjors Sjors commented Dec 9, 2025

It should no longer be needed to use a fork.

  • fix MSan
  • check that coverage still works

Waiting for:

@Sjors Sjors force-pushed the 2025/12/cfl-ubuntu-24 branch 2 times, most recently from b525357 to dd6fd0e on December 9, 2025 14:21
@Sjors Sjors force-pushed the 2025/12/cfl-ubuntu-24 branch from dd6fd0e to 7bfb309 on February 17, 2026 09:55
@Sjors
Collaborator Author

Sjors commented Feb 17, 2026

Rebased after #85 but this is still broken.

Contributor

@xyephy xyephy left a comment


I reproduced the current PR locally in gcr.io/oss-fuzz-base/base-builder:ubuntu-24-04 and both TODOs look resolved:

  • MSan: builds and runs to completion — the use-of-uninitialized-value at fuzz.cpp:61 from the 2026-02-17 job is gone. Upstream appears to have updated the image in the last ~2 months.
  • Coverage: SANITIZER=coverage build also completes, produces the fuzz binary with -fprofile-instr-generate -fcoverage-mapping. Haven't exercised the clusterfuzzlite-cron.yml end-to-end but the build step is fine.

A rerun of CI on master may just pass now.

Two concrete follow-ups:

1. Residual fork dependency in .clusterfuzzlite/run-cfl-helper.sh:51. The upstream image ships llvm-symbolizer at /usr/local/bin/llvm-symbolizer (verified):

-    image='ghcr.io/sjors/clusterfuzzlite-run-fuzzers:llvm-22-debug'
+    image='gcr.io/oss-fuzz-base/clusterfuzzlite-run-fuzzers:ubuntu-24-04-v1'                               
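Review bot: the `+` line pins the run-fuzzers image to a mutable tag (`ubuntu-24-04-v1`) while item 2 below pins the action to a commit SHA for exactly the reason a tag can move under a rebase; the helper script relies on the image shipping llvm-symbolizer at /usr/local/bin/llvm-symbolizer, so a rebuilt upstream image could silently change that. Consider the digest form, `image='gcr.io/oss-fuzz-base/clusterfuzzlite-run-fuzzers@sha256:<digest-of-ubuntu-24-04-v1>'` (digest to be filled in from the registry), or at least record the digest in a comment beside the tag. The `+` line also carries trailing whitespace that should be stripped.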

2. Pin the action to a SHA while google/clusterfuzzlite#146 is still open, so CI survives rebases on that branch:

-        uses: google/clusterfuzzlite/actions/build_fuzzers@migrate-to-ubuntu-24-04
+        uses: google/clusterfuzzlite/actions/build_fuzzers@d2c7d068aab9081cbbc57825ad0d5d6ca6674f95        
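Review bot: the bare SHA on the `+` line records nothing about what it points at, so nobody will know when it can be dropped once google/clusterfuzzlite#146 merges; suggest a trailing comment such as `uses: google/clusterfuzzlite/actions/build_fuzzers@d2c7d068aab9081cbbc57825ad0d5d6ca6674f95 # migrate-to-ubuntu-24-04, pending google/clusterfuzzlite#146`, and pin the `run_fuzzers` step to the identical SHA so the two actions cannot drift apart. The `+` line also carries trailing whitespace that should be stripped.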

(same for run_fuzzers)

Sjors added 2 commits April 18, 2026 13:52
Expose fuzz_targets.txt in $OUT so run-fuzzers sees targets.

Assisted-by: GitHub Copilot
Assisted-by: OpenAI GPT-5.1-Codex-Max
It should no longer be needed to use a fork.
@Sjors Sjors force-pushed the 2025/12/cfl-ubuntu-24 branch from 7bfb309 to 7d66b8a Compare April 18, 2026 11:53
@Sjors
Collaborator Author

Sjors commented Apr 18, 2026

@xyephy I've rebased this branch, but didn't make any other changes. You could try running CI on your own fork to test the changes you suggested. (or just open a second PR)

My experience with LLM help on this PR (and CFL in general) has been disastrous, so beware you might waste time :-)

@Sjors
Collaborator Author

Sjors commented Apr 18, 2026

One important thing to check is to create a deliberate bug to trigger the memory sanitizer. See that it provides a correct source code mapping (a previous source of headaches, and it eventually turned out to be a file format version issue).

@xyephy
Contributor

xyephy commented Apr 20, 2026

@Sjors I tried running CI on my fork as you suggested. These are the modifications that actually worked.

Root cause

MSan was dying at the first deref of argc/argv in LLVMFuzzerInitialize. Glibc 2.39's __libc_start_main doesn't hand them to MSan's interceptor the way 2.31 does, so they arrive poisoned — master is fine only because it's still on 2.31.

Fix

  • __msan_unpoison block at the top of LLVMFuzzerInitialize, gated on __has_feature(memory_sanitizer). No-op in non-MSan builds.

```cpp
// Only the MSan build defines SV2_MSAN_ENABLED (gated on
// __has_feature(memory_sanitizer) elsewhere); the unpoison calls need the
// sanitizer interface header, and the loop needs std::strlen.
#ifdef SV2_MSAN_ENABLED
#include <sanitizer/msan_interface.h>
#endif
#include <cstring>

extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
{
#ifdef SV2_MSAN_ENABLED
    // argc/argv arrive poisoned under glibc 2.39: mark the count, the pointer
    // array (including its terminating nullptr) and each string as initialized.
    __msan_unpoison(argc, sizeof(*argc));
    __msan_unpoison(argv, sizeof(*argv));
    const int ac{*argc};
    char** const av{*argv};
    __msan_unpoison(av, sizeof(*av) * (ac + 1));
    for (int i = 0; i < ac; ++i) {
        if (av[i] != nullptr) {
            __msan_unpoison(av[i], std::strlen(av[i]) + 1);
        }
    }
#endif
    SetArgs(*argc, *argv);
    initialize();
    return 0;
}
```

Validation (xyephy/sv2-tp branch 2025/12/cfl-ubuntu-24-msan-test):

  • CFL PR fuzzing green across address / undefined / memory: run 24675431211

  • Canary check for source mapping: pushed volatile int sv2_msan_canary; if (sv2_msan_canary == 0xdead1) std::abort(); into the target body, then reverted. MSan reported:

```text
SUMMARY: MemorySanitizer: use-of-uninitialized-value
  src/test/fuzz/sv2_noise.cpp:84:25 in sv2_noise_cipher_roundtrip_fuzz_target

  Uninitialized value was created by an allocation of 'sv2_msan_canary' in the stack frame
  #0 src/test/fuzz/sv2_noise.cpp:83:5
```

Happy to push onto this branch as 2–3 small commits (MSan patch / image swap / SHA pin) or open a separate PR — whichever is easier to review. Coverage TODO I haven't touched yet.
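The unpoisoning pattern and the canary check from the comment above, as an added example that is not the sv2-tp project's own harness: a minimal libFuzzer-style target whose LLVMFuzzerInitialize marks argc/argv initialized before touching them, with the block gated on __has_feature(memory_sanitizer) so every non-MSan build compiles it away. The macro names EXAMPLE_MSAN_ENABLED and EXAMPLE_MSAN_CANARY, the functions UnpoisonArgs, StoreArgs, ParseFrame and MsanCanary, and the length-prefixed frame format are all invented for this example.

```cpp
// Added example (not sv2-tp code): argc/argv unpoisoning for MSan plus an
// opt-in canary to confirm the sanitizer's source mapping is correct.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

// Gate on __has_feature(memory_sanitizer): only clang -fsanitize=memory
// defines it, so every other compiler/build leaves the unpoison block out.
#if defined(__has_feature)
#  if __has_feature(memory_sanitizer)
#    define EXAMPLE_MSAN_ENABLED 1
#    include <sanitizer/msan_interface.h>
#  endif
#endif

static std::vector<std::string> g_args;  // copy of argv kept for the target

// Marks argc, the argv array and every argument string as initialized so MSan
// does not report use-of-uninitialized-value on the first dereference.
// Returns the argument count read through argc (same value in every build).
int UnpoisonArgs(int* argc, char*** argv)
{
#ifdef EXAMPLE_MSAN_ENABLED
    __msan_unpoison(argc, sizeof(*argc));
    __msan_unpoison(argv, sizeof(*argv));
#endif
    const int ac{*argc};
    char** const av{*argv};
#ifdef EXAMPLE_MSAN_ENABLED
    __msan_unpoison(av, sizeof(*av) * (ac + 1));  // includes terminating nullptr
    for (int i = 0; i < ac; ++i) {
        if (av[i] != nullptr) {
            __msan_unpoison(av[i], std::strlen(av[i]) + 1);  // including NUL
        }
    }
#else
    (void)av;
#endif
    return ac;
}

// Stores the (now unpoisoned) arguments; returns how many were kept.
size_t StoreArgs(int argc, char** argv)
{
    g_args.assign(argv, argv + argc);
    return g_args.size();
}

// Parser the target exercises: 2-byte little-endian length prefix followed
// by the payload. Rejects truncated frames and length fields past the buffer.
bool ParseFrame(const uint8_t* data, size_t size, std::vector<uint8_t>& payload)
{
    if (size < 2) return false;
    const size_t len = static_cast<size_t>(data[0]) | (static_cast<size_t>(data[1]) << 8);
    if (len > size - 2) return false;
    payload.assign(data + 2, data + 2 + len);
    return true;
}

#ifdef EXAMPLE_MSAN_CANARY
// Deliberate bug, compiled only with -DEXAMPLE_MSAN_CANARY: MSan must report a
// use-of-uninitialized-value pointing at the `if` line below. That is the
// source-mapping check described in the comment; it is never built by default.
static void MsanCanary()
{
    volatile int canary;
    if (canary == 0xdead1) std::abort();
}
#endif

extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
{
    UnpoisonArgs(argc, argv);      // must come before any read of *argc/*argv
    StoreArgs(*argc, *argv);
    return 0;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
#ifdef EXAMPLE_MSAN_CANARY
    MsanCanary();
#endif
    std::vector<uint8_t> payload;
    ParseFrame(data, size, payload);
    return 0;
}

// Stand-alone driver; in a real fuzz build libFuzzer supplies main itself.
int main(int argc, char** argv)
{
    LLVMFuzzerInitialize(&argc, &argv);
    const uint8_t sample[] = {0x03, 0x00, 'a', 'b', 'c'};  // constructed input
    return LLVMFuzzerTestOneInput(sample, sizeof(sample));
}
```

Build it once with `clang++ -fsanitize=memory -fsanitize=fuzzer` to confirm initialization no longer trips MSan, then once more adding `-DEXAMPLE_MSAN_CANARY` and check that the report names the `if (canary == 0xdead1)` line; a report pointing anywhere else is the symbolizer or debug-info mismatch the thread warns about.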

@Sjors
Collaborator Author

Sjors commented Apr 20, 2026

@xyephy thanks! Can you open a fresh PR? And then open a second (draft) PR on top of it with the intentional bug.

@xyephy
Contributor

xyephy commented Apr 20, 2026

> @xyephy thanks! Can you open a fresh PR? And then open a second (draft) PR on top of it with the intentional bug.

I've opened #94 and draft #95, let me know if you need me to make further changes. Thank you.
