Some question about fuzz test

[dota17]

I spent a little time sorting out some information. here are what I got:
We implement a fuzz target in fuzz.cpp, which integrated into this project's build and test system, and will be really used by project OSS-Fuzz,which contains a fuzzer. and the fuzzer will feed massive data to fuzz target until there is a crash.
If we run fuzz.cpp by the method that I used in issue #1009 where its fuzzer is directly comes from libFuzzer.a, it does have an crash. This means there is a buffer overflow in fuzz.cpp, and when I run the code in your PR #994 with a dict, there are also some crashes. So my question is :

1. Does this also means there is a buffer overflow in some APIs of jsoncpp?

2. And if the testcase in main.cpp run the fuzz test without any fuzzer, then it will always pass the build&unittest, so is this test case still useful?

@Google-Autofuzz

[Google-Autofuzz]

1. Can you please share the ASAN trace, so that we can help you diagnostic what is going on?
2. I'm not sure I understand your question: running the main.cpp file outside of a fuzzing environment shouldn't crash, since you're not feeding it with data, nor are trying to exercise as much coverage as possible. This is the intended behaviour. Am I understanding your question correctly?

[dota17]

root@0e73c0250141:/opt/opensource_work/jsoncppFuzzer_2# ./my_fuzzer -dict=./fuzz.dict -max_total_time=300 -print_final_stats=1 corpus3
Dictionary: 37 entries
INFO: Seed: 2058797593
INFO: Loaded 1 modules (216 guards): [0x785340, 0x7856a0),
Loading corpus dir: corpus3
INFO: -max_len is not provided, using 64
INFO: A corpus is not provided, starting from an empty corpus
#0      READ units: 1
#1      INITED cov: 80 ft: 78 corp: 1/1b exec/s: 0 rss: 29Mb
#9      NEW    cov: 80 ft: 83 corp: 2/4b exec/s: 0 rss: 29Mb L: 3 MS: 3 CopyPart-ChangeBinInt-ManualDict- DE: "0"-
#221    NEW    cov: 103 ft: 108 corp: 3/9b exec/s: 0 rss: 30Mb L: 5 MS: 5 CrossOver-PersAutoDict-ManualDict-CMP-EraseBytes- DE: "0"-"[[]]"-"\x01\x00"-
#228    NEW    cov: 103 ft: 110 corp: 4/56b exec/s: 0 rss: 30Mb L: 47 MS: 2 CopyPart-InsertRepeatedBytes-
#263    NEW    cov: 103 ft: 116 corp: 5/59b exec/s: 0 rss: 30Mb L: 3 MS: 2 CopyPart-EraseBytes-
#563    NEW    cov: 103 ft: 120 corp: 6/123b exec/s: 0 rss: 31Mb L: 64 MS: 2 CrossOver-PersAutoDict- DE: "[[]]"-
#702    NEW    cov: 103 ft: 122 corp: 7/133b exec/s: 0 rss: 31Mb L: 10 MS: 1 CopyPart-
#816    NEW    cov: 103 ft: 129 corp: 8/148b exec/s: 0 rss: 32Mb L: 15 MS: 5 CMP-CrossOver-EraseBytes-ChangeBit-ManualDict- DE: "\x00\x00\x00\x00\x00\x00\x00\x00"-"{\"\":0}"-
#1313   NEW    cov: 103 ft: 133 corp: 9/158b exec/s: 0 rss: 33Mb L: 10 MS: 2 CopyPart-CopyPart-
#4592   NEW    cov: 103 ft: 136 corp: 10/166b exec/s: 0 rss: 41Mb L: 8 MS: 1 ManualDict- DE: ",\"\""-
#4932   NEW    cov: 103 ft: 137 corp: 11/177b exec/s: 0 rss: 41Mb L: 11 MS: 1 PersAutoDict- DE: "{\"\":0}"-
#20680  NEW    cov: 103 ft: 139 corp: 12/182b exec/s: 0 rss: 79Mb L: 5 MS: 4 InsertByte-ManualDict-ManualDict-CopyPart- DE: ":\"\""-"\\0"-
#47422  NEW    cov: 103 ft: 149 corp: 13/196b exec/s: 47422 rss: 145Mb L: 14 MS: 1 ManualDict- DE: ",{}"-
#48678  NEW    cov: 103 ft: 152 corp: 14/214b exec/s: 48678 rss: 148Mb L: 18 MS: 2 ChangeBit-ManualDict- DE: "[[]]"-
#54742  NEW    cov: 103 ft: 156 corp: 15/268b exec/s: 54742 rss: 163Mb L: 54 MS: 1 InsertRepeatedBytes-
#63456  NEW    cov: 103 ft: 162 corp: 16/332b exec/s: 63456 rss: 188Mb L: 64 MS: 5 ShuffleBytes-ChangeBit-CrossOver-PersAutoDict-CopyPart- DE: "\x01\x00"-
#80917  NEW    cov: 103 ft: 163 corp: 17/349b exec/s: 40458 rss: 246Mb L: 17 MS: 1 PersAutoDict- DE: ",{}"-
#111257 NEW    cov: 103 ft: 167 corp: 18/382b exec/s: 37085 rss: 346Mb L: 33 MS: 1 CopyPart-
#113962 NEW    cov: 103 ft: 168 corp: 19/446b exec/s: 37987 rss: 355Mb L: 64 MS: 1 ChangeBit-
#127667 NEW    cov: 103 ft: 178 corp: 20/482b exec/s: 31916 rss: 401Mb L: 36 MS: 1 CopyPart-
#131072 pulse  cov: 103 ft: 178 corp: 20/482b exec/s: 32768 rss: 413Mb
#133942 NEW    cov: 103 ft: 181 corp: 21/518b exec/s: 33485 rss: 418Mb L: 36 MS: 1 ManualDict- DE: ",{}"-
#254388 NEW    cov: 103 ft: 182 corp: 22/569b exec/s: 28265 rss: 448Mb L: 51 MS: 2 CopyPart-CrossOver-
#262144 pulse  cov: 103 ft: 182 corp: 22/569b exec/s: 29127 rss: 448Mb
#524288 pulse  cov: 103 ft: 182 corp: 22/569b exec/s: 27594 rss: 448Mb
#590177 NEW    cov: 103 ft: 185 corp: 23/628b exec/s: 26826 rss: 448Mb L: 59 MS: 1 CopyPart-
#1048576        pulse  cov: 103 ft: 185 corp: 23/628b exec/s: 26214 rss: 448Mb
#2097152        pulse  cov: 103 ft: 185 corp: 23/628b exec/s: 25575 rss: 448Mb
#4194304        pulse  cov: 103 ft: 185 corp: 23/628b exec/s: 25420 rss: 448Mb
#5340507        NEW    cov: 103 ft: 191 corp: 24/684b exec/s: 25310 rss: 448Mb L: 56 MS: 1 CopyPart-
#7596116        DONE   cov: 103 ft: 191 corp: 24/684b exec/s: 25236 rss: 448Mb
###### Recommended dictionary. ######
"\x01\x00" # Uses: 67139
"\x00\x00\x00\x00\x00\x00\x00\x00" # Uses: 60366
###### End of recommended dictionary. ######
Done 7596116 runs in 301 second(s)
stat::number_of_executed_units: 7596116
stat::average_exec_per_sec:     25236
stat::new_units_added:          23
stat::slowest_unit_time_sec:    0
stat::peak_rss_mb:              448
==113445==LeakSanitizer has encountered a fatal error.
==113445==HINT: For debugging, try setting environment variable LSAN_OPTIONS=verbosity=1:log_threads=1
==113445==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)
MS: 5 ChangeBinInt-ChangeBit-ChangeBinInt-ChangeByte-EraseBytes-; base unit: 4ded91fea85840609deeb93e70762101827f6b9b


artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64:
stat::number_of_executed_units: 7596116
stat::average_exec_per_sec:     25236
stat::new_units_added:          23
stat::slowest_unit_time_sec:    0
stat::peak_rss_mb:              448

the file crash-da39a3ee5e6b4b0d3255bfef95601890afd80709 is empty, and the corpus3 directory contains 20+ files:

040aaae31a58bd39909feac4986a9a71d223745b  5a1a2136b59a9c27bfc33eacf96fa0af36962e74  7513a5ed5cb3333a45ee82365f67527ff7ed018d  cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d
16450080dd4ea581b22d950a45f407ed9a15616b  5e9a55f2bb6dd1c7a1f7231ea510fdaf8a47f908  875731fb0353ad0cfd6eeba11ec14357b5544097  d9b7a91ec8394c129a8a46fd9693368aaae715fd
2f586f9b00d97da847f95ee8eb019088eeb7fd22  62b73bb6068e444b9e7b26abfec159ee6d209619  8efadc9f24e673c0b68dc55f3013018e0ce7196a  e4f4ff7376a1b50b0d694cf93480a037b99da2d8
348fd7516c70cbce2d347a73f159f01ebe80bf82  660fbb026a12537aff5db3034703b3ebb3563f33  abfbc055bec2b5a0d778c75c9a6db2fd4b6cf772  f8b3fe9de7d0298ab74b20eec716fa9877a9e587
3685c1036951e9e7b8de8e8d32862a4d964e1f09  67a9856808e472d974b74cc29c38c1470d3d6a2a  bb49fb6a917074680daf060d134834f618d22068  f9283b27b995d05185b0d44c8f228fca17ade1b0
4ded91fea85840609deeb93e70762101827f6b9b  6af33e68de8125d560aa2287318884abcc2e3296  ca043d9457e713e606751b58de88d4e86800b53f

Some of them look like: [], [[{"":0}]], [[{"": [[]]}],{}]

I don't run the main.cpp file outside of a fuzzing environment, I just saw the comment even if it's never run as an actual fuzz test, so I doubt that if this testcase in main.cpp is necessary.