Chromium change log:
https://chromium.googlesource.com/chromium/src/+log/59a2e54eeb0e61971a0c27c44c54dd0c30b5d06d..e4eb2a57c8667ab31903237e3c316fcaf4afe718?pretty=fuller

Suspected CL could be 
https://chromium.googlesource.com/chromium/src/+/22d7c9d03b17a725a5abd968af8d64311e89b0b8
mmoroz@, could you please take a look and reassign if it is not related your changes.

Great to see fuzzer in action!

+phajdan.jr@, who is the hunspell maintainer.

If you're going to be submitting patches to hunspell, first make sure that Chrome is running the latest version of hunspell (a.k.a. bump the dep).

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5659240345894912

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  hunspell::BDictReader::GetReplacementIterator
  SuggestMgr::replchars
  SuggestMgr::suggest
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=398256:398314

Minimized Testcase (0.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95JrZ7aat_U0IAxhyXBqJgbahQL4ukWnNWLthe0wbNkHf4SmxP-0anfd2X3ddBfYXRCCi029hW-vp2eoSlfwf8XViN_jnNqpl-2xIBdrqxpYJPMbMPApnZgSPFEIdQGLMP0wtZ_3oDjTCS8GkH3c9wVsQ9UeA

Filer: inferno

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

mummareddy@, my CL introduced the fuzzer, but I haven't changed anything in hunspell itself.

Assigning to phajdan.jr@, since he is the hunspell maintainer.

Assigning to groby@, one of actual OWNERS in third_party/hunspell.

Of course if you'd like to submit some patches upstream, I can help review and merge your pull requests. :)

Heh - if you want to upstream BDictReader (a google extension that passes a reader object to the Hunspell ctor, instead of a file path), let me know. 

Because that's where the issue is. Constructing a BDictReader without calling Init() after will always break. That bug is probably on us. (Although I think BDictReader _should_ be upstreamed)

That one is easily fixed - make BDictReader ctor and Init call private, add a static factory method that's guaranteed to call Init, done. (Or just do all the work in the ctor - nobody checks the return value of Init.)

While we're there, there are a few uninitialized members on BDictReader as well

Of course, that will _still_ explode under fuzzing, because the Hunspell ctor can fail, but no handling is provided for that. And the Hunspell object doesn't account for that. So we'll need to fix the fuzzer as well.

That's probably beyond the scope of a small patch :)

thanks mmoroz@, for looking and assigning.

Rachel, I'd be in favor of upstreaming BDictReader. I think it's up to you / other chromium folks to send a pull request for that, but once you do I can review and merge it.

How does that sound to you?

groby@, could you please clarify: what kind of fix should be done for the fuzzer? Is there any missing call (I guess Init()) or should we change any return value there?

I'm not an expert in hunspell, actually I've just ported that fuzzer from google3, but I'm ready to update it with any fixes necessary + take care of fixing google3 version.

re c#9: yes, the quick fix is adding an init call. 

Sigh. Ignore me. I have no idea _how_ I was misreading the code, but I did. 

The main issue is that the fuzzer tries to load a plain dictionary. That doesn't work.

kHunspellDictionary needs to represent the contents of a .bdic file, not a .dic file. The fuzzer operates with an invalid hunspell object at all times. It's a miracle it doesn't fail earlier. 

Patch is WIP at https://codereview.chromium.org/2081893002

That patch will only fix bdic_reader to behave sanely. Also filed issue #621765 for the bigger cleanup that we should tackle. 

The patch will address the immediate fuzzer issue, but we should also fix the fuzzer to use a proper dictionary. 

I've changed kHunspellDictionary locally and now getting this crash:

==20826==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000091 (pc 0x0000005743ab bp 0x7ffcf73c8190 sp 0x7ffcf73c80e0 T0)
==20826==The signal is caused by a READ memory access.
==20826==Hint: address points to the zero page.
    #0 0x5743aa in SuggestMgr::leftcommonsubstring(char*, char const*) third_party/hunspell/src/hunspell/suggestmgr.cxx:1998:64
    #1 0x56cfd2 in SuggestMgr::ngsuggest(char**, char*, int, HashMgr**, int) third_party/hunspell/src/hunspell/suggestmgr.cxx:1247:2
    #2 0x54e0ae in Hunspell::suggest(char***, char const*) third_party/hunspell/src/hunspell/hunspell.cxx:906:27
    #3 0x4dd959 in LLVMFuzzerTestOneInput third_party/hunspell/fuzz/hunspell_fuzzer.cc:24:36
    #4 0x58e439 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:514:13
    #5 0x58cd9d in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:440:3
    #6 0x58d864 in RunOne third_party/libFuzzer/src/FuzzerInternal.h:429:39
    #7 0x58d864 in fuzzer::Fuzzer::ShuffleAndMinimize() third_party/libFuzzer/src/FuzzerLoop.cpp:403
    #8 0x57f574 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:412:5
    #9 0x59d006 in main third_party/libFuzzer/src/FuzzerMain.cpp:21:10
    #10 0x7f8792457f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287



Will upload the CL soon.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/935d1f6af681c09dfc175535924268626f07d5fa

commit 935d1f6af681c09dfc175535924268626f07d5fa
Author: groby <groby@chromium.org>
Date: Tue Jun 21 18:29:27 2016

[Hunspell] Better handling of invalid dictionary

When dictionary data is invalid, this code returns a default (empty)
iterator.

BUG= 618040 , 621765

Review-Url: https://codereview.chromium.org/2081893002
Cr-Commit-Position: refs/heads/master@{#401050}

[modify] https://crrev.com/935d1f6af681c09dfc175535924268626f07d5fa/third_party/hunspell/google/bdict_reader.cc

ClusterFuzz has detected this issue as fixed in range 401002:401127.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6178043236450304

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  hunspell::BDictReader::GetReplacementIterator
  SuggestMgr::replchars
  SuggestMgr::suggest
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398229:398287
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=401002:401127

Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97PTa61qurRXV__32sXdbM3tqNwRLmLNh6-9FgAdQEyvFM9wnzI3Z0EahXbRqMaCwsIfTV-yQSJQTZIfNx6OOtvoc5jxQTx3TunaSxDCTB8YiTmLS4Bhu_JYEWFvHn4KXq4IwVvz539Xb8DThw1mnMTpew3HQ?testcase_id=6178043236450304

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 401002:401127.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6178043236450304

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  hunspell::BDictReader::GetReplacementIterator
  SuggestMgr::replchars
  SuggestMgr::suggest
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398229:398287
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=401002:401127

Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97PTa61qurRXV__32sXdbM3tqNwRLmLNh6-9FgAdQEyvFM9wnzI3Z0EahXbRqMaCwsIfTV-yQSJQTZIfNx6OOtvoc5jxQTx3TunaSxDCTB8YiTmLS4Bhu_JYEWFvHn4KXq4IwVvz539Xb8DThw1mnMTpew3HQ?testcase_id=6178043236450304

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

It has been clusterunfuzzed. Yay. Which means the change in c#14 stuck, and I'm closing this.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cf3e7e2ae4087ed941106aee0411c786dc4f112d

commit cf3e7e2ae4087ed941106aee0411c786dc4f112d
Author: mmoroz <mmoroz@chromium.org>
Date: Fri Jun 24 11:06:02 2016

[libfuzzer] Use contents of .bdic file as a dictionary for hunspell_fuzzer.

R=groby@chromium.org
BUG= 618040 

Review URL: https://codereview.chromium.org/2089623002 .

Cr-Commit-Position: refs/heads/master@{#401849}

[modify] https://crrev.com/cf3e7e2ae4087ed941106aee0411c786dc4f112d/third_party/hunspell/BUILD.gn
[modify] https://crrev.com/cf3e7e2ae4087ed941106aee0411c786dc4f112d/third_party/hunspell/fuzz/hunspell_fuzzer.cc
[delete] https://crrev.com/83e93cf04db96326a89176429d604bf131cf9229/third_party/hunspell/fuzz/hunspell_fuzzer_dictionary.h
[add] https://crrev.com/cf3e7e2ae4087ed941106aee0411c786dc4f112d/third_party/hunspell/fuzz/hunspell_fuzzer_hunspell_dictionary.h

ClusterFuzz has detected this issue as fixed in range 401020:401156.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5659240345894912

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  hunspell::BDictReader::GetReplacementIterator
  SuggestMgr::replchars
  SuggestMgr::suggest
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=398256:398314
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=401020:401156

Minimized Testcase (0.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95JrZ7aat_U0IAxhyXBqJgbahQL4ukWnNWLthe0wbNkHf4SmxP-0anfd2X3ddBfYXRCCi029hW-vp2eoSlfwf8XViN_jnNqpl-2xIBdrqxpYJPMbMPApnZgSPFEIdQGLMP0wtZ_3oDjTCS8GkH3c9wVsQ9UeA?testcase_id=5659240345894912

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

??? Why would it redetect it as fixed?

We had two CF reports linked to this issue:
1) https://cluster-fuzz.appspot.com/testcase?key=6178043236450304
2) https://cluster-fuzz.appspot.com/testcase?key=5659240345894912

1st one has been detected as Fixed on Jun 22, 2016:
"ClusterFuzz has detected this issue as fixed in range 401002:401127.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6178043236450304"

(for some reason CF posted that comment twice)


and now we've got the second one marked as Fixed: Today (7 hours ago)

"ClusterFuzz has detected this issue as fixed in range 401020:401156.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5659240345894912"


I agree that it's surprising a bit that it took so long to verify the fix.

This is likely because of a bug I fixed yesterday. There were some cases where fixed testing tasks weren't getting recreated properly, which should no longer happen.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot