From 8d033ac8b1610633b56067c560381dd0d7f38403 Mon Sep 17 00:00:00 2001 From: Joel DSouza Date: Sat, 4 Jul 2026 19:08:47 +0200 Subject: [PATCH 1/2] ci: fix deep-fuzz cargo-bolero invocation + pin 0.13.x The deep-fuzz nightly failed on every target with 'Found argument -m which wasn't expected'. cargo-bolero 0.13.4's clap parser reads the engine-arg value '-max_total_time=120' (leading dash) as bundled short flags unless it is attached to -E with '='. Fix: '-E=-max_total_time=...'. Also pin cargo-bolero to the same 0.13.x series as the bolero lib so a --force install can't pull an incompatible CLI. Verified: '-E=-max_total_time=5' parses cleanly (0.13.4) where '-E -max_total_time=5' reproduces the CI error. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/fuzz.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 194ac97..46c12f9 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -45,7 +45,9 @@ jobs: run: sudo apt-get update && sudo apt-get install -y binutils-dev libunwind-dev - name: Install cargo-bolero - run: cargo install cargo-bolero --force + # Pin to the same 0.13.x series as the `bolero` lib in fuzz/Cargo.toml, so a + # `--force` install can't silently pull a future release with an incompatible CLI. + run: cargo install cargo-bolero --version '^0.13' --locked --force - name: Fuzz ${{ matrix.target }} working-directory: fuzz @@ -53,7 +55,7 @@ jobs: cargo bolero test ${{ matrix.target }} \ --sanitizer address \ --engine libfuzzer \ - -E -max_total_time=${{ github.event.inputs.duration || '120' }} + -E=-max_total_time=${{ github.event.inputs.duration || '120' }} - name: Upload crashes if: failure() From 43dae765f7e6b5cb9a6f87d89069cc31e20386ef Mon Sep 17 00:00:00 2001 From: Joel DSouza Date: Sat, 4 Jul 2026 19:20:25 +0200 Subject: [PATCH 2/2] ci: force deep-fuzz onto nightly (rust-toolchain.toml shadows it) After fixing the engine-arg parsing, the build failed with '-Z is only accepted on the nightly compiler': the repo's rust-toolchain.toml pins stable 1.95.0, which shadows the nightly the workflow installs, so -Zsanitizer=address is rejected. Set RUSTUP_TOOLCHAIN=nightly on the fuzz step (outranks rust-toolchain.toml). Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/fuzz.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 46c12f9..09432bf 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -51,6 +51,11 @@ jobs: - name: Fuzz ${{ matrix.target }} working-directory: fuzz + # The repo's rust-toolchain.toml pins stable 1.95.0, which shadows the nightly + # installed above. -Zsanitizer=address requires nightly, so force this step onto + # it — RUSTUP_TOOLCHAIN outranks rust-toolchain.toml. + env: + RUSTUP_TOOLCHAIN: nightly run: | cargo bolero test ${{ matrix.target }} \ --sanitizer address \