Add a flag to toggle -Zbuild-std, and default it

src/options.rs

@@ -100,6 +100,14 @@ pub struct BuildOptions {
     /// Use a specific sanitizer
     pub sanitizer: Sanitizer,
 
+    #[structopt(long = "build-std")]
+    /// Pass -Zbuild-std to Cargo, which will build the standard library with all the build
+    /// settings for the fuzz target, including debug assertions, and a sanitizer if requested.
+    /// Currently this conflicts with coverage instrumentation but -Zbuild-std enables detecting
+    /// more bugs so this option defaults to true, but when using `cargo fuzz coverage` it
+    /// defaults to false.
+    pub build_std: Option<bool>,
+
     #[structopt(
         name = "triple",
         long = "target",
@@ -231,6 +239,7 @@ mod test {
             no_default_features: false,
             all_features: false,
             features: None,
+            build_std: None,
             sanitizer: Sanitizer::Address,
             triple: String::from(crate::utils::default_target()),
             unstable_flags: Vec::new(),

src/options/coverage.rs

@@ -3,7 +3,7 @@ use crate::{
     project::FuzzProject,
     RunCommand,
 };
-use anyhow::Result;
+use anyhow::{bail, Result};
 use structopt::StructOpt;
 
 #[derive(Clone, Debug, StructOpt)]
@@ -27,6 +27,12 @@ pub struct Coverage {
 
 impl RunCommand for Coverage {
     fn run_command(&mut self) -> Result<()> {
+        if self.build.build_std.unwrap_or(false) {
+            bail!(
+                "-Zbuild-std is currently incompatible with -Zinstrument-coverage, \
+                see https://github.com/rust-lang/wg-cargo-std-aware/issues/63"
+            );
+        }
         let project = FuzzProject::new(self.fuzz_dir_wrapper.fuzz_dir.to_owned())?;
         self.build.coverage = true;
         project.exec_coverage(self)

src/project.rs

@@ -158,6 +158,8 @@ impl FuzzProject {
         }
         if let Sanitizer::Memory = build.sanitizer {
             cmd.arg("-Z").arg("build-std");
+        } else if build.build_std.unwrap_or(true) && !build.coverage {
+            cmd.arg("-Z").arg("build-std");
         }
 
         let mut rustflags: String = "-Cpasses=sancov-module \

tests/tests/main.rs

@@ -380,9 +380,8 @@ fn run_with_msan_with_crash() {
                 use libfuzzer_sys::fuzz_target;
 
                 fuzz_target!(|data: &[u8]| {
-                    let test_data: Vec<u8> = Vec::with_capacity(4);
-                    let uninitialized_value = unsafe {test_data.get_unchecked(0)};
-                    // prevent uninit read from being optimized out
+                    let uninitialized_value: u8 = unsafe { std::mem::MaybeUninit::uninit().assume_init() };
+                    // try to prevent uninit read from being optimized out
                     println!("{}", uninitialized_value);
                 });
             "#,