
Issue 659357
Issue metadata

Status: Verified
Owner:
Closed: Jan 2017
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocking:
issue 679729
Out-of-memory in v8_serialized_script_value_fuzzer

Project Member Reported by ClusterFuzz, Oct 25 2016

Issue description

Owner: jbroman@chromium.org
Status: Assigned (was: Untriaged)
Project Member

Comment 2 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by mmoroz@chromium.org, Jan 20 2017

Blocking: 679729
This happens almost every time the fuzzer starts to run: https://cluster-fuzz.appspot.com/v2/fuzzer-stats/by-day/2017-01-13/2017-01-19/fuzzer/libfuzzer_v8_serialized_script_value_fuzzer/job/libfuzzer_chrome_asan

Would be super-awesome if you, Jeremy, can take a look or at least suggest another owner...

Yeah, I've looked a little (and will try to find more time to look). It's not apparent to me whether it's actually using a lot of memory (I don't see how) or whether V8/Oilpan just aren't convinced there's enough memory pressure to bother collecting. (After all, the 300MB limit isn't visible to it -- that's just a thread monitoring the RSS.)

Status: Started (was: Assigned)

Alright, I give up on trying to be fast here. Forcing a major GC each time does the trick for me, at the cost of an order-of-magnitude slowdown. But since the fuzzer isn't managing to run for long anyhow, that won't be worse.
Project Member

Comment 6 by bugdroid1@chromium.org, Jan 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bd795a387b29430c851f367b2b7f3015f47a4ff6

commit bd795a387b29430c851f367b2b7f3015f47a4ff6
Author: jbroman <jbroman@chromium.org>
Date: Thu Jan 26 14:23:56 2017

Always force a major GC after each input in v8_serialized_script_value_fuzzer.

This causes a significant slowdown, but there have been persistent issues with
trying to be more clever and do infrequent collections (and doing so increases
cross-contamination between inputs).

This will have both V8 and Oilpan do one major GC each time (note that if there
is a chain of persistent objects, some objects may not be freed until a later
cycle).

BUG=659357

Review-Url: https://codereview.chromium.org/2658653003
Cr-Commit-Position: refs/heads/master@{#446320}

[modify] https://crrev.com/bd795a387b29430c851f367b2b7f3015f47a4ff6/third_party/WebKit/Source/bindings/core/v8/serialization/SerializedScriptValueFuzzer.cpp
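The commit above fixes the OOM by forcing a full V8 and Oilpan collection after every input, because the external RSS watchdog (the 300MB limit mentioned earlier in the thread) is not visible to the collectors' own pressure heuristics. The C++ below is an added illustration written for this page, not Chromium, V8 or libFuzzer code: a toy heap that collects only on its own (assumed 512MB) threshold, a monitor that kills at 300MB, and a libFuzzer-style LLVMFuzzerTestOneInput that can force a collection after each input. The corpus, per-input sizes and both thresholds are constructed values for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

namespace fuzz_gc_demo {

// Sizes are in "MB" to match the thread. Both limits are assumed values for
// this illustration, not ClusterFuzz, libFuzzer or V8 settings.
constexpr size_t kMonitorLimitMb = 300;        // external RSS watchdog
constexpr size_t kCollectorThresholdMb = 512;  // heap's own major-GC trigger

struct Object { size_t size_mb; bool reachable; };

// Toy heap that collects only when *its own* threshold is crossed; the
// watchdog's limit is invisible to it, which is the situation in the thread.
class LazyHeap {
 public:
  void Allocate(size_t size_mb, bool reachable) {
    objects_.push_back({size_mb, reachable});
    if (Resident() > peak_mb_) peak_mb_ = Resident();
    if (Resident() >= kCollectorThresholdMb) CollectAllGarbage();
  }
  // Stand-in for a forced major GC: free everything unreachable right now.
  void CollectAllGarbage() {
    std::vector<Object> live;
    for (const Object& o : objects_) if (o.reachable) live.push_back(o);
    objects_.swap(live);
  }
  void MarkAllUnreachable() { for (Object& o : objects_) o.reachable = false; }
  size_t Resident() const {
    size_t total = 0;
    for (const Object& o : objects_) total += o.size_mb;
    return total;
  }
  size_t PeakResident() const { return peak_mb_; }
  void Reset() { objects_.clear(); peak_mb_ = 0; }
 private:
  std::vector<Object> objects_;
  size_t peak_mb_ = 0;
};

LazyHeap& Heap() { static LazyHeap heap; return heap; }
bool g_force_gc_after_each_input = false;

// Stand-in for the deserialize/re-serialize round trip the real target runs:
// each input byte becomes 1MB of temporaries, garbage once the call returns.
void ProcessInput(const uint8_t* data, size_t size) {
  (void)data;
  Heap().Allocate(size, /*reachable=*/true);
  Heap().MarkAllUnreachable();
}

// libFuzzer-style entry point with the optional per-input forced collection.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  ProcessInput(data, size);
  if (g_force_gc_after_each_input) Heap().CollectAllGarbage();
  return 0;
}

struct CampaignResult { size_t inputs_run; size_t peak_resident_mb; bool killed_by_monitor; };

// Feed a corpus through the target, sampling resident size after each input
// the way an external monitor thread would, and stop once the limit is hit.
CampaignResult RunCampaign(const std::vector<std::string>& corpus, bool force_gc) {
  Heap().Reset();
  g_force_gc_after_each_input = force_gc;
  CampaignResult r{0, 0, false};
  for (const std::string& in : corpus) {
    LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t*>(in.data()), in.size());
    ++r.inputs_run;
    if (Heap().Resident() >= kMonitorLimitMb) { r.killed_by_monitor = true; break; }
  }
  r.peak_resident_mb = Heap().PeakResident();
  return r;
}

// Constructed corpus: twenty 20-byte inputs, i.e. 20MB of garbage per input.
std::vector<std::string> SampleCorpus() {
  return std::vector<std::string>(20, std::string(20, 'A'));
}

}  // namespace fuzz_gc_demo

int main() {
  for (bool force : {false, true}) {
    fuzz_gc_demo::CampaignResult r = fuzz_gc_demo::RunCampaign(fuzz_gc_demo::SampleCorpus(), force);
    std::printf("force_gc=%d inputs_run=%zu peak=%zuMB killed_by_monitor=%d\n",
                force, r.inputs_run, r.peak_resident_mb, r.killed_by_monitor);
  }
  return 0;
}
```

Without the forced collection the lazy heap never reaches its own 512MB trigger before the 300MB monitor kills the process on the fifteenth input; with it, resident size never exceeds one input's temporaries. In the real harness the per-input collection goes through V8's and Blink's testing-only GC entry points rather than a toy heap, and, as the commit message notes, objects held by a chain of persistent handles may still survive until a later cycle, so the bound is on garbage, not on everything an input touched.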

Project Member

Comment 7 by ClusterFuzz, Jan 27 2017

Project Member

Comment 8 by ClusterFuzz, Jan 27 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 4527890118213632 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.