Direct-leak in Update
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5107287554785280
Fuzzer: pdfium_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Direct-leak
Crash Address:
Crash State:
  Update
  v8::internal::Deserializer::Allocate
  v8::internal::Deserializer::ReadObject
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96KhTrHHZjtYPEGay18iXu5uAnwmagFC1yPCicZRjhPUJyRIcUG5GDMFL4o-sEL6kzbYTxt9SdiXY8Op49dsZGk3BizTGijFgvAZIuAPvnHMr5QQctd141MzgIY4B4Goo2oPRqXYZRVt71XYhESHMW0VZ2I4Q
Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 18 2016
I'm not sure if it is a PDFium issue actually.
Apr 18 2016
yangguo@, could you please take a look if it is an internal V8 error or incorrect usage from PDFium side?
Apr 19 2016
Why would you run a libfuzzer test with LSan? It's not supposed to free up stuff ever.
Apr 19 2016
libfuzzer tests have an initialize hook, but no deinitialize hook - they're designed to leak memory.
Apr 19 2016
jochen, no, fuzz targets are not expected to leak memory in the LSan sense. The one-time initialization performed at process startup is not a leak as long as the pointers to the allocated objects are not lost.

mmoroz@, how do I reproduce this? I've tried this:

% git pull && gclient sync
% gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true enable_nacl=false' --check
% ninja -C out/libfuzzer pdfium_fuzzer
% ASAN_OPTIONS=detect_leaks=1:symbolize=1 ./out/libfuzzer/pdfium_fuzzer ~/Downloads/260560b25029714bea2854172dc4dbee2b3b038c
INFO: Seed: 3926530079
./out/libfuzzer/pdfium_fuzzer: Running 1 inputs 1 time(s) each.
/usr/local/google/home/kcc/Downloads/260560b25029714bea2854172dc4dbee2b3b038c: 7 ms
(no leak report).

When doing the actual fuzzing I do see some leak reports elsewhere (e.g. CPDF_Parser::StartParse), but not in v8.
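As an added illustration of the distinction drawn in the comment above (this is constructed example code, not code from this thread, from PDFium or from libFuzzer): a minimal libFuzzer-style target in C where memory allocated once in LLVMFuzzerInitialize stays reachable through a global, so LSan does not report it, while per-input allocations are released before LLVMFuzzerTestOneInput returns. The allocation counter, the scratch-buffer "parser" and the sample input are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Live-allocation counter (constructed) so the property can be checked
 * in a plain build without LSan. */
static long g_live_allocs = 0;
static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) g_live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { g_live_allocs--; free(p); } }

/* One-time state (think: a parser context). It is reachable through this
 * global for the whole process lifetime, so LSan classifies it as
 * "reachable" rather than as a direct leak. */
enum { SCRATCH_SIZE = 4096 };
static unsigned char *g_scratch = NULL;

/* libFuzzer's initialize hook: runs once at process startup. */
int LLVMFuzzerInitialize(int *argc, char ***argv) {
  (void)argc; (void)argv;
  if (!g_scratch) g_scratch = tracked_malloc(SCRATCH_SIZE);
  return 0;
}

/* Per-input work: a copy of the input is allocated, processed and freed.
 * Dropping the pointer before the free (e.g. an early return) would be
 * exactly the kind of "Direct-leak" LSan reports at exit. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (!g_scratch) LLVMFuzzerInitialize(NULL, NULL);
  size_t n = size < SCRATCH_SIZE ? size : SCRATCH_SIZE;
  uint8_t *copy = tracked_malloc(n + 1);
  if (!copy) return 0;
  memcpy(copy, data, n);
  copy[n] = 0;
  /* Toy "parse": byte histogram written into the persistent scratch buffer. */
  memset(g_scratch, 0, SCRATCH_SIZE);
  for (size_t i = 0; i < n; i++) g_scratch[copy[i] % SCRATCH_SIZE]++;
  tracked_free(copy);            /* per-input memory released: no leak */
  return 0;
}

long live_allocations(void) { return g_live_allocs; }

/* Drives the target with a constructed input; the live count should remain
 * exactly the single one-time initialization allocation. */
long run_rounds(int rounds) {
  static const uint8_t sample[] = "%PDF-1.4 constructed sample input";
  for (int i = 0; i < rounds; i++) LLVMFuzzerTestOneInput(sample, sizeof sample - 1);
  return g_live_allocs;
}
```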
Apr 20 2016
Good question, I cannot reproduce it either...
Apr 20 2016
Let's keep it closed then. I don't think it was a false positive though -- probably just got fixed.
Jul 22 2016
ClusterFuzz has detected this issue as fixed in range 395675:395769.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5107287554785280
Fuzzer: pdfium_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Direct-leak
Crash Address:
Crash State:
  Update
  v8::internal::Deserializer::Allocate
  v8::internal::Deserializer::ReadObject
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=375690:375725
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96KhTrHHZjtYPEGay18iXu5uAnwmagFC1yPCicZRjhPUJyRIcUG5GDMFL4o-sEL6kzbYTxt9SdiXY8Op49dsZGk3BizTGijFgvAZIuAPvnHMr5QQctd141MzgIY4B4Goo2oPRqXYZRVt71XYhESHMW0VZ2I4Q?testcase_id=5107287554785280

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mmoroz@google.com, Apr 18 2016