name: Fuzzer Fix Automation

concurrency:

group: fuzzer-fix-${{ inputs.issue_number || github.run_id }}

cancel-in-progress: true

on:

workflow_dispatch:

inputs:

issue_number:

description: "Issue number to analyze and fix"

required: true

type: number

workflow_call:

inputs:

issue_number:

description: "Issue number to analyze and fix"

required: true

type: number

env:

NIGHTLY_TOOLCHAIN: nightly-2026-02-05

jobs:

attempt-fix:

name: "Attempt to Fix Fuzzer Crash"

# Only run when:

# 1. Manually triggered via workflow_dispatch, OR

# 2. Called from another workflow (workflow_call)

if: |

github.event_name == 'workflow_call' ||

github.event_name == 'workflow_dispatch'

runs-on: ubuntu-latest

timeout-minutes: 120

permissions:

contents: write

pull-requests: write

issues: write

id-token: write

steps:

- name: Checkout repository

uses: actions/checkout@v6

- name: Fetch issue details

id: fetch_issue

env:

GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: |

ISSUE_DATA=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json number,title,body,labels)

echo "issue_number=${{ inputs.issue_number }}" >> $GITHUB_OUTPUT

echo "issue_title=$(echo "$ISSUE_DATA" | jq -r '.title')" >> $GITHUB_OUTPUT

echo "issue_body<<EOF" >> $GITHUB_OUTPUT

echo "$ISSUE_DATA" | jq -r '.body' >> $GITHUB_OUTPUT

echo "EOF" >> $GITHUB_OUTPUT

- name: Setup Rust

uses: ./.github/actions/setup-rust

with:

repo-token: ${{ secrets.GITHUB_TOKEN }}

toolchain: ${{ env.NIGHTLY_TOOLCHAIN }}

enable-sccache: "false"

- name: Install llvm

uses: aminya/setup-cpp@v1

with:

compiler: llvm

- name: Install cargo-fuzz

uses: taiki-e/cache-cargo-install-action@66c9585ef5ca780ee69399975a5e911f47905995

with:

tool: cargo-fuzz

- name: Extract crash details from issue

id: extract

shell: bash

run: |

# Extract crash details from the fetched issue body

cat > issue_body.txt <<'ISSUE_EOF'

${{ steps.fetch_issue.outputs.issue_body }}

ISSUE_EOF

# Extract target name from issue body

TARGET=$(grep -oP '(?<=\*\*Target\*\*: `)[^`]+' issue_body.txt || echo "file_io")

echo "target=$TARGET" >> $GITHUB_OUTPUT

# Extract crash file name

CRASH_FILE=$(grep -oP '(?<=\*\*Crash File\*\*: `)[^`]+' issue_body.txt || echo "")

echo "crash_file=$CRASH_FILE" >> $GITHUB_OUTPUT

# Extract artifact URL

ARTIFACT_URL=$(grep -oP 'https://[^\s]+/artifacts/[0-9]+' issue_body.txt | head -1 || echo "")

echo "artifact_url=$ARTIFACT_URL" >> $GITHUB_OUTPUT

echo "Extracted: target=$TARGET, crash_file=$CRASH_FILE"

rm -f issue_body.txt

- name: Validate issue details

id: validate

env:

GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: |

ISSUE_NUM="${{ inputs.issue_number }}"

# Check if issue exists and has fuzzer label

ISSUE_LABELS=$(gh issue view "$ISSUE_NUM" --repo ${{ github.repository }} --json labels --jq '.labels[].name')

if ! echo "$ISSUE_LABELS" | grep -q "fuzzer"; then

echo "❌ Issue #$ISSUE_NUM does not have 'fuzzer' label"

exit 1

fi

echo "✅ Issue #$ISSUE_NUM has 'fuzzer' label"

# Check if we have required crash details

if [ -z "${{ steps.extract.outputs.crash_file }}" ]; then

echo "❌ Could not extract crash file name from issue"

exit 1

fi

if [ -z "${{ steps.extract.outputs.artifact_url }}" ]; then

echo "❌ Could not extract artifact URL from issue"

exit 1

fi

echo "✅ Extracted crash details: target=${{ steps.extract.outputs.target }}, crash_file=${{ steps.extract.outputs.crash_file }}"

- name: Download and verify crash artifact

id: download

env:

GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: |

# Extract run ID from artifact URL

ARTIFACT_URL="${{ steps.extract.outputs.artifact_url }}"

RUN_ID=$(echo "$ARTIFACT_URL" | grep -oP 'runs/\K[0-9]+')

ARTIFACT_ID=$(echo "$ARTIFACT_URL" | grep -oP 'artifacts/\K[0-9]+')

# Artifact name matches run-fuzzer.yml upload: ${{ inputs.fuzz_target }}-crash-artifacts

TARGET="${{ steps.extract.outputs.target }}"

ARTIFACT_NAME="${TARGET}-crash-artifacts"

echo "Downloading artifact $ARTIFACT_NAME (ID: $ARTIFACT_ID) from run $RUN_ID"

# Download the artifact

gh run download "$RUN_ID" --name "$ARTIFACT_NAME" --repo ${{ github.repository }}

# Verify crash file exists

CRASH_FILE_PATH="${{ steps.extract.outputs.target }}/${{ steps.extract.outputs.crash_file }}"

if [ ! -f "$CRASH_FILE_PATH" ]; then

echo "❌ Crash file not found: $CRASH_FILE_PATH"

ls -la "${{ steps.extract.outputs.target }}/" || true

exit 1

fi

echo "✅ Downloaded crash file: $CRASH_FILE_PATH"

echo "crash_file_path=$CRASH_FILE_PATH" >> $GITHUB_OUTPUT

- name: Build fuzzer target

id: build

run: |

echo "Building fuzzer target: ${{ steps.extract.outputs.target }} (debug mode for faster build)"

# Build the fuzzer target in debug mode (faster than release)

if cargo +$NIGHTLY_TOOLCHAIN fuzz build --dev --sanitizer=none "${{ steps.extract.outputs.target }}" 2>&1 | tee fuzzer_build.log; then

echo "✅ Fuzzer target built successfully"

echo "build_success=true" >> $GITHUB_OUTPUT

else

echo "❌ Fuzzer target failed to build"

echo "build_success=false" >> $GITHUB_OUTPUT

# Show the build errors

echo "Build errors:"

tail -50 fuzzer_build.log

exit 1

fi

- name: Reproduce crash

id: reproduce

continue-on-error: true

run: |

echo "Attempting to reproduce crash with fuzzer (debug mode)..."

# Run fuzzer with crash file (debug mode, no sanitizer, full backtrace)

RUST_BACKTRACE=full timeout 30s cargo +$NIGHTLY_TOOLCHAIN fuzz run --dev --sanitizer=none "${{ steps.extract.outputs.target }}" "${{ steps.download.outputs.crash_file_path }}" -- -runs=1 -rss_limit_mb=0 2>&1 | tee crash_reproduction.log

FUZZ_EXIT_CODE=${PIPESTATUS[0]}

if [ $FUZZ_EXIT_CODE -eq 0 ]; then

echo "⚠️ Fuzzer did not crash - may have been fixed already"

echo "crash_reproduced=false" >> $GITHUB_OUTPUT

else

echo "✅ Crash reproduced (exit code: $FUZZ_EXIT_CODE)"

echo "crash_reproduced=true" >> $GITHUB_OUTPUT

fi

- name: Check if crash still exists

if: steps.reproduce.outputs.crash_reproduced == 'false'

env:

GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: |

ISSUE_NUM="${{ inputs.issue_number }}"

gh issue comment "$ISSUE_NUM" --repo ${{ github.repository }} --body "## 🤖 Automated Analysis

I attempted to reproduce this crash but the fuzzer completed successfully without crashing.

**This likely means the issue has already been fixed.**

### Verification Steps

I ran:

\`\`\`bash

cargo +nightly fuzz run --sanitizer=none ${{ steps.extract.outputs.target }} ${{ steps.download.outputs.crash_file_path }} -- -runs=1 -rss_limit_mb=0

\`\`\`

The fuzzer exited with code 0 (success).

### Next Steps

- Verify if a recent commit fixed this issue

- If confirmed fixed, close this issue

- If not fixed, the crash may be non-deterministic and requires further investigation"

echo "Crash could not be reproduced - skipping fix attempt"

exit 0

- name: Attempt to fix crash with Claude

if: steps.reproduce.outputs.crash_reproduced == 'true'

env:

ISSUE_NUMBER: ${{ inputs.issue_number }}

ISSUE_TITLE: ${{ steps.fetch_issue.outputs.issue_title }}

ISSUE_BODY: ${{ steps.fetch_issue.outputs.issue_body }}

TARGET: ${{ steps.extract.outputs.target }}

CRASH_FILE: ${{ steps.extract.outputs.crash_file }}

CRASH_FILE_PATH: ${{ steps.download.outputs.crash_file_path }}

ARTIFACT_URL: ${{ steps.extract.outputs.artifact_url }}

uses: anthropics/claude-code-action@v1

with:

claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

github_token: ${{ secrets.GITHUB_TOKEN }}

show_full_output: true

prompt: |

# Fuzzer Crash Fix - Issue #${{ env.ISSUE_NUMBER }}

## Context

A fuzzer crash has been detected, downloaded, and reproduced. Your job is to analyze it and attempt a fix.

**Crash file**: `${{ env.CRASH_FILE_PATH }}`

**Crash log**: `crash_reproduction.log` (already run with RUST_BACKTRACE=full)

**Target**: ${{ env.TARGET }}

## Your Task

1. **Analyze**: Read `crash_reproduction.log` to understand the crash

2. **Post analysis**: Post initial analysis comment to issue #${{ env.ISSUE_NUMBER }}

3. **Fix**: If straightforward (missing bounds check, validation, edge case), fix it

4. **Post progress**: After implementing fix, post progress comment with what was changed

5. **Test**: Write a regression test using the crash file

6. **Post completion**: Post final comment with test results and summary

## Important - Progressive Updates

- **Post comments frequently** as you make progress using `gh issue comment`

- **CRITICAL**: Include ALL relevant code inline in your comments in code blocks

- After analyzing the crash, post what you found WITH the problematic code section

- After implementing the fix, post the COMPLETE changed code (entire function/section)

- After writing tests, post the COMPLETE test code inline

- This ensures your work is visible and reviewable even if you hit the turn limit

- Keep fixes minimal - only fix the specific bug

- Follow CLAUDE.md code style guidelines

- **Use `--dev` flag** for faster builds: `cargo +nightly fuzz run --dev --sanitizer=none <target> <crash_file> -- -rss_limit_mb=0`

## Fixability Guidelines

**Can fix** (do it): Missing bounds check, validation, edge case, off-by-one

**Can't fix** (analyze only): Architecture issues, complex logic, requires domain knowledge

## Comment Templates

Post comments at each stage using:

```bash

gh issue comment ${{ env.ISSUE_NUMBER }} --body "YOUR_COMMENT_HERE"

```

**After analysis** (post immediately):

```markdown

## 🔍 Analysis

**Root Cause**: [2-3 sentence explanation]

**Crash Location**: `file.rs:function_name`

**Relevant Code** (from crash location):

\`\`\`rust

[Include the problematic code section from the crash location - show enough context]

\`\`\`

**Next Step**: [Attempting fix | Needs human review because...]

```

**After implementing fix** (post immediately):

```markdown

## 🔧 Fix Implemented

**Modified**: `path/to/file.rs`

**Changes**: [Brief description of what was changed]

**Complete Code Changes**:

\`\`\`rust

[Include ALL the changed code - the entire function or section that was modified]

\`\`\`

**Next Step**: Writing regression test...

```

**Final summary** (post at end):

```markdown

## ✅ Automated Fix Complete

**Root Cause**: [Summary]

**Files Modified**:

- `path/to/file.rs`

**Complete Fix**:

\`\`\`rust

[Include the complete fixed code again for easy review]

\`\`\`

**Regression Test**:

\`\`\`rust

[Include the complete test code inline]

\`\`\`

**Test Result**: [Pass/Fail status with output]

**Note**: This is an automated fix - please review carefully before merging.

```

**If can't fix**:

```markdown

## 🤖 Analysis Complete - Human Review Needed

**Root Cause**: [Analysis]

**Problematic Code**:

\`\`\`rust

[Show the problematic code section]

\`\`\`

**Why Manual Fix Required**: [Reason]

**Suggested Approach**: [Recommendation with code snippets if possible]

```

claude_args: |

--model claude-opus-4-20250514

--max-turns 120

--allowedTools "Read,Write,Edit,Glob,Grep,Bash(cargo:*),Bash(gh issue comment:*),Bash(gh run download:*),Bash(curl:*),Bash(find:*),Bash(ls:*),Bash(cat:*),Bash(RUST_BACKTRACE=* cargo:*)"

- name: Verify Claude posted comments

if: steps.reproduce.outputs.crash_reproduced == 'true'

env:

GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: |

ISSUE_NUM="${{ inputs.issue_number }}"

# Check for comments from claude-code[bot]

COMMENT_COUNT=$(gh api "repos/${{ github.repository }}/issues/$ISSUE_NUM/comments" \

--jq '[.[] | select(.user.login == "claude-code[bot]" or .user.type == "Bot")] | length')

if [ "$COMMENT_COUNT" -eq 0 ]; then

echo "⚠️ WARNING: Claude did not post any comments on issue #$ISSUE_NUM"

echo "This may indicate Claude encountered an error early on"

exit 1

else

echo "✅ Claude posted $COMMENT_COUNT comment(s) on issue #$ISSUE_NUM"

# Show summary of what was posted

echo "Comment titles:"

gh api "repos/${{ github.repository }}/issues/$ISSUE_NUM/comments" \

--jq '.[] | select(.user.login == "claude-code[bot]" or .user.type == "Bot") | "- " + (.body | split("\n") | .[0])'

fi