Out-of-memory in v8_serialized_script_value_fuzzer |
|||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4625497146523648 Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer Job Type: libfuzzer_chrome_msan Platform Id: linux Crash Type: Out-of-memory (exceeds 2048 MB) Crash Address: Crash State: v8_serialized_script_value_fuzzer Sanitizer: memory (MSAN) Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94t1Y-n9DdU7KL_VYleDrhoBJYOPLB4emz5FBQMeilh1CykAtjxRxD-35oyYVC6RB2YtNfakPUimkZCyAlTWvaWBDVopUCI43Ry73jyaBS9npciHHZ75gCAv5I_z0M6SGpFb-DSmbjxJ_oc7avkQLYITelYrQGq6-3IrxRNrxrj6QTQ5zmnth3HBlxSbAR44Tr_7QDO3pp_XwP7cyVUruh0R_eDQOz1rLy04HM3F3okWMwqZjsI-tjkq3B3PZTOmSG6Fdqi09OfOuqhMmHVl72tOL68RKVsR23urTODMjXqSH-Kjnh8LUAIIx41hRsDIDam7eqqEiBe4U086XEUuECxI-BX0whPDaPmb4YJJAXMnSMXmt80-9xH3Au-SiHaw77mKvMeM0GKatm7Dk2J6-i-QMkBNA?testcase_id=4625497146523648 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Feb 20 2017
Looks like an OOM of the fuzzer itself. Not a V8 upstream issue AFAICT (unless this is caused by a leak somewhere in V8).
,
Feb 21 2017
(+jkummerow to double-check my reasoning) I'm going to WontFix this one. Yes, it's possible to construct a small-ish message that expands into quite a lot of heap space (which might OOM the receiver), but actually preventing that seems intractable and there's no easy fix here that seems worthwhile. What's happening is that it's making a bunch of sparse arrays with various lengths. Some of these are large but under kMaxFastArrayLength (from JSArray::SetLengthWouldNormalize), which is 32M. If I understand correctly, V8 used to be more aggressive about using dictionary elements for more cases, but ended up giving developers the freedom to make large sparse arrays. While we _could_ add a different, smaller, threshold for the deserializer when making sparse arrays, such a choice would be arbitrary (and just make the message size needed to OOM the receiver somewhat larger). And forcing all received sparse arrays to have dictionary elements seems like it needlessly slows down real use cases.
,
Feb 22 2017
Makes sense; arbitrary input can always cause OOMs.
,
Mar 22 2017
ClusterFuzz has detected this issue as fixed in range 458395:458423. Detailed report: https://clusterfuzz.com/testcase?key=4625497146523648 Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer Job Type: libfuzzer_chrome_msan Platform Id: linux Crash Type: Out-of-memory (exceeds 2048 MB) Crash Address: Crash State: v8_serialized_script_value_fuzzer Sanitizer: memory (MSAN) Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=458395:458423 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94t1Y-n9DdU7KL_VYleDrhoBJYOPLB4emz5FBQMeilh1CykAtjxRxD-35oyYVC6RB2YtNfakPUimkZCyAlTWvaWBDVopUCI43Ry73jyaBS9npciHHZ75gCAv5I_z0M6SGpFb-DSmbjxJ_oc7avkQLYITelYrQGq6-3IrxRNrxrj6QTQ5zmnth3HBlxSbAR44Tr_7QDO3pp_XwP7cyVUruh0R_eDQOz1rLy04HM3F3okWMwqZjsI-tjkq3B3PZTOmSG6Fdqi09OfOuqhMmHVl72tOL68RKVsR23urTODMjXqSH-Kjnh8LUAIIx41hRsDIDam7eqqEiBe4U086XEUuECxI-BX0whPDaPmb4YJJAXMnSMXmt80-9xH3Au-SiHaw77mKvMeM0GKatm7Dk2J6-i-QMkBNA?testcase_id=4625497146523648 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. |
|||
►
Sign in to add a comment |
|||
Comment 1 by msrchandra@chromium.org
, Feb 20 2017