
Issue 729900 link

Issue metadata

Status: Verified
Owner:
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug



Timeout in media_pipeline_integration_fuzzer

Project Member Reported by ClusterFuzz, Jun 6 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5667612355985408

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  media_pipeline_integration_fuzzer
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=395689:395794

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5667612355985408


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong M-59
Owner: xhw...@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not provide any possible suspects.
Using Code Search for the file "media_pipeline_integration_fuzzer", assigning to the concerned owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/f28d27c829e63a20d7a0551afcfd39b88eacee1c

@xhwang -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Cc: mmoroz@chromium.org
The blamelist actually dates back a year, so I don't understand why we are finding this "regression" now :)

mmoroz: Could this be caused by my CL to specify seed_corpus for media_pipeline_integration_fuzzer?

https://chromium-review.googlesource.com/c/518256/
Project Member

Comment 3 by ClusterFuzz, Jun 6 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4780935114653696
xhwang@, yes, most likely those seed inputs helped to discover this one leading to OOM. However, it has been found with MSan build, and MSan has a large memory overhead, so let's see if it reproduces with ASan.
Project Member

Comment 5 by ClusterFuzz, Jun 6 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5334273501691904
Looks like a valid bug to me. I tried it locally with an ASan build; it eats 1.4 GB of memory and dies with a timeout:


$ out/Release/media_pipeline_integration_fuzzer -timeout=25 -print_final_stats=1 ./clusterfuzz-testcase-minimized-5667612355985408 
INFO: Seed: 230398267
INFO: Loaded 2 modules (467497 guards): [0x7f35281aa620, 0x7f35281c7b50), [0x354eca0, 0x36fa014), 
/usr/local/google/home/mmoroz/Projects/new/chromium/src/out/Release/media_pipeline_integration_fuzzer: Running 1 inputs 1 time(s) each.
Running: ./clusterfuzz-testcase-minimized-5667612355985408
ALARM: working on the last Unit for 25 seconds
       and the timeout value is 25 (use -timeout=N to change)
==79784== ERROR: libFuzzer: timeout after 25 seconds
    #0 0x4d16d7 in __sanitizer_print_stack_trace (/usr/local/google/home/mmoroz/Projects/new/chromium/src/out/Release/media_pipeline_integration_fuzzer+0x4d16d7)
    #1 0x561e02 in fuzzer::Fuzzer::AlarmCallback() third_party/libFuzzer/src/FuzzerLoop.cpp:234:7
    #2 0x7f3527a7932f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1032f)
    #3 0x9b00a9 in Run base/callback.h:92:3
    #4 0x9b00a9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:59
    #5 0x8aeda9 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:418:19
    #6 0x8afec0 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:429:5
    #7 0x8b0e64 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:536:13
    #8 0x8b8f5f in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:33:31
    #9 0x8f326a in base::RunLoop::Run() base/run_loop.cc:111:14
    #10 0x503792 in media::PipelineIntegrationTestBase::WaitUntilEndedOrError() media/test/pipeline_integration_test_base.cc:183:19
    #11 0x4f6e6a in LLVMFuzzerTestOneInput media/test/pipeline_integration_fuzzertest.cc:56:26
    #12 0x564c04 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:451:13
    #13 0x565325 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:408:3
    #14 0x543eb9 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/libFuzzer/src/FuzzerDriver.cpp:268:6
    #15 0x54d6af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:620:9
    #16 0x56d808 in main third_party/libFuzzer/src/FuzzerMain.cpp:20:10
    #17 0x7f3526b5bf44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287

SUMMARY: libFuzzer: timeout
stat::number_of_executed_units: 1
stat::average_exec_per_sec:     0
stat::new_units_added:          0
stat::slowest_unit_time_sec:    0
stat::peak_rss_mb:              1439



Project Member

Comment 7 by ClusterFuzz, Jun 6 2017

Detailed report: https://clusterfuzz.com/testcase?key=5473308415098880

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: Timeout (exceeds 25 secs)
Crash Address: 
Crash State:
  media_pipeline_integration_fuzzer
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5473308415098880


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Summary: Timeout in media_pipeline_integration_fuzzer (was: Out-of-memory in media_pipeline_integration_fuzzer)
Project Member

Comment 9 by ClusterFuzz, Jun 6 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5045765247598592
Components: Internals>Media
Thanks! I'll take a look.
Project Member

Comment 11 by ClusterFuzz, Jun 7 2017

Labels: OS-Mac
Project Member

Comment 12 by ClusterFuzz, Jun 7 2017

ClusterFuzz has detected this issue as fixed in range 477310:477433.

Detailed report: https://clusterfuzz.com/testcase?key=5667612355985408

Fuzzer: libFuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  media_pipeline_integration_fuzzer
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=395689:395794
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=477310:477433

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5667612355985408


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 13 by ClusterFuzz, Jun 7 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5667612355985408 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
