Out-of-memory in net_host_resolver_impl_fuzzer
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6624406469345280

Fuzzer: libFuzzer_net_host_resolver_impl_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State:
  net_host_resolver_impl_fuzzer

Sanitizer: memory (MSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6624406469345280

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Sep 21 2017
Took a look at the unminimized test case, and it looks like a random string; it doesn't even look like some sort of HTML. Is this expected?
Sep 21 2017
The question is that I cannot find any relationship between the name ("net_host_resolver_impl_fuzzer") and the test case itself. Is this really trying to test host name resolution by fuzzing, or just feeding random junk bytes to an HTML parser (or whatever)?
Sep 22 2017
Ah, it was just assigned the "Blink" component by default, but as it is a *net_host_resolver_impl* fuzzer, not a chrome fuzzer, the input could be fine. Routing to Internals>network>DNS so someone can take a look.
Sep 22 2017
I can't repro with the individual testcase, but I can reliably get an OOM just by running the fuzzer for a while. Maybe the fuzzer itself has a leak, or we introduced a leak somewhere in the code it's fuzzing. Stats say this has been happening with about the same frequency since February 2. I don't know if that's when something regressed or when this configuration started running.
Sep 22 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/01d1d1c15c54f84470463190d2da98e5b6755d97

commit 01d1d1c15c54f84470463190d2da98e5b6755d97
Author: Miriam Gershenson <mgersh@chromium.org>
Date: Fri Sep 22 18:21:23 2017

HostResolverImpl fuzzer fixes

The cleanup code at the end of the fuzzer was never run, and WaitUntilDone() was a no-op because is_running_ was never true. This CL fixes both of those things, which makes the fuzzer's memory growth a lot slower. It still grows over time enough that I think there's still a leak somewhere, but these two bugs were responsible for most of it.

BUG= 767341
Change-Id: I9c71a28fcb0b9737b7252db5251ca41ef01e40bc
Reviewed-on: https://chromium-review.googlesource.com/678475
Commit-Queue: Miriam Gershenson <mgersh@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Cr-Commit-Position: refs/heads/master@{#503796}

[modify] https://crrev.com/01d1d1c15c54f84470463190d2da98e5b6755d97/net/dns/host_resolver_impl_fuzzer.cc
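The harness bug described in the commit above (a WaitUntilDone() gated on a flag that never becomes true, so per-iteration work is never drained and memory grows until the sanitizer's OOM limit trips) is easiest to see in a reduced model. The sketch below is an added, hypothetical example, not Chromium's host_resolver_impl_fuzzer.cc: FuzzDriver, PendingRequest, Post() and RunFuzzIterations() are invented names, and the "fixed" variant simply sets is_running_ when work is queued so the drain actually runs.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Stand-in for resolver work queued during one fuzz iteration (constructed).
struct PendingRequest {
  std::string hostname;
};

// Hypothetical fuzz-iteration driver. With fixed == false it reproduces the
// commit's bug: is_running_ is never set, so WaitUntilDone() is a no-op.
class FuzzDriver {
 public:
  explicit FuzzDriver(bool fixed) : fixed_(fixed) {}

  // Queue one request; in a real harness this would be a Resolve() call.
  void Post(std::string hostname) {
    pending_.push_back({std::move(hostname)});
    if (fixed_) is_running_ = true;  // The buggy version never sets this.
  }

  // Drains queued requests only while is_running_ is true. If the flag is
  // never raised, pending_ survives across iterations and the harness leaks.
  void WaitUntilDone() {
    if (!is_running_) return;
    pending_.clear();
    is_running_ = false;
  }

  size_t pending_count() const { return pending_.size(); }

 private:
  bool fixed_;
  bool is_running_ = false;
  std::vector<PendingRequest> pending_;
};

// Simulate `iterations` fuzz inputs, each queuing one request and then running
// the end-of-iteration cleanup. Returns how many requests are still queued,
// i.e. how much state leaked across iterations.
size_t RunFuzzIterations(bool fixed, size_t iterations) {
  FuzzDriver driver(fixed);
  for (size_t i = 0; i < iterations; ++i) {
    driver.Post("host" + std::to_string(i) + ".example");
    driver.WaitUntilDone();
  }
  return driver.pending_count();
}
```

Checking the leaked count after a fixed number of iterations is the same signal ClusterFuzz sees as steady memory growth, just made deterministic.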
Sep 23 2017
Oct 24 2017
For more information, please see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md. The link referenced in the description is no longer valid.
Mar 23 2018
Apr 17 2018
We are closing all OOMs and timeouts that are unreproducible. We won't be filing such bugs in future.
Comment 1 by kkaluri@chromium.org, Sep 21 2017
Components: Blink
Labels: -Pri-1 Test-Predator-Wrong CF-NeedsTriage Pri-2