
Issue 767341

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Mac
Pri: 2
Type: Bug


Out-of-memory in net_host_resolver_impl_fuzzer

Project Member Reported by ClusterFuzz, Sep 21 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6624406469345280

Fuzzer: libFuzzer_net_host_resolver_impl_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  net_host_resolver_impl_fuzzer
  
Sanitizer: memory (MSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6624406469345280

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
 
Cc: msrchandra@chromium.org kkaluri@chromium.org
Components: Blink
Labels: -Pri-1 Test-Predator-Wrong CF-NeedsTriage Pri-2
Redo Task has been performed for a regression range.

Thank You.

Comment 2 by kochi@chromium.org, Sep 21 2017

Took a look at the unminimized test case, and it looks like a random string, not even
looking like some sort of HTML.  Is this expected?

Comment 3 by kochi@chromium.org, Sep 21 2017

The question is that I cannot find any relationship between
the name ("net_host_resolver_impl_fuzzer") and the test case itself.
Is this really trying to test host name resolution by fuzzing, or just
feeding random junk bytes to the HTML parser (or whatever)?

Comment 4 by kochi@chromium.org, Sep 22 2017

Components: -Blink Internals>Network>DNS
Ah, it was just assigned the "Blink" component by default, but as it is a
*net_host_resolver_impl* fuzzer, not a chrome fuzzer, the input could be fine.

Routing to Internals>network>DNS so someone can take a look.

Comment 5 by mge...@chromium.org, Sep 22 2017

Owner: mge...@chromium.org
Status: Assigned (was: Untriaged)
I can't repro with the individual testcase, but I can reliably get an OOM just by running the fuzzer for a while. Maybe the fuzzer itself has a leak, or we introduced a leak somewhere in the code it's fuzzing. Stats say this has been happening with about the same frequency since February 2. I don't know if that's when something regressed or when this configuration started running.
Comment 6 by bugdroid1@chromium.org (Project Member), Sep 22 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/01d1d1c15c54f84470463190d2da98e5b6755d97

commit 01d1d1c15c54f84470463190d2da98e5b6755d97
Author: Miriam Gershenson <mgersh@chromium.org>
Date: Fri Sep 22 18:21:23 2017

HostResolverImpl fuzzer fixes

The cleanup code at the end of the fuzzer was never run, and
WaitUntilDone() was a no-op because is_running_ was never true. This CL
fixes both of those things, which makes the fuzzer's memory growth a lot
slower. It still grows over time enough that I think there's still a
leak somewhere, but these two bugs were responsible for most of it.

BUG= 767341 

Change-Id: I9c71a28fcb0b9737b7252db5251ca41ef01e40bc
Reviewed-on: https://chromium-review.googlesource.com/678475
Commit-Queue: Miriam Gershenson <mgersh@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Cr-Commit-Position: refs/heads/master@{#503796}
[modify] https://crrev.com/01d1d1c15c54f84470463190d2da98e5b6755d97/net/dns/host_resolver_impl_fuzzer.cc
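
The commit message above names two harness defects: a wait that was a no-op because `is_running_` was never set, and end-of-iteration cleanup that was never reached. The reduced model below is an added illustration, not the Chromium fuzzer's own code; `FakeResolver`, `FuzzOneInput`, `RunCorpus` and the `Variant` switch are hypothetical, and it shows why such defects surface as a steadily growing RSS rather than a crash in the code under test.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for the resolver the harness drives. Start() parks a
// request; WaitUntilDone() only drains work while is_running_ is true.
class FakeResolver {
 public:
  void Start(const uint8_t* data, size_t size, bool mark_running) {
    pending_.push_back(std::vector<uint8_t>(data, data + size));
    if (mark_running) is_running_ = true;
  }
  // Completes (frees) outstanding requests, or returns immediately if the
  // running flag was never set: the no-op the commit message describes.
  void WaitUntilDone() {
    if (!is_running_) return;
    pending_.clear();
    is_running_ = false;
  }
  void CancelAll() { pending_.clear(); }   // end-of-iteration cleanup
  size_t Pending() const { return pending_.size(); }

 private:
  std::vector<std::vector<uint8_t>> pending_;
  bool is_running_ = false;
};

enum class Variant { kBuggy, kFixed };

// One fuzz iteration over a long-lived resolver. kBuggy reproduces both
// defects: the flag is never set, so WaitUntilDone() is a no-op, and the
// function returns before the cleanup. kFixed sets the flag and cleans up.
int FuzzOneInput(const uint8_t* data, size_t size, FakeResolver& r, Variant v) {
  r.Start(data, size, /*mark_running=*/v == Variant::kFixed);
  r.WaitUntilDone();
  if (v == Variant::kBuggy) return 0;  // cleanup below is never reached
  r.CancelAll();
  return 0;
}

// Feeds `iterations` constructed inputs through one resolver and returns how
// many requests are still alive: the per-iteration growth that eventually
// trips the fuzzer's memory limit (2048 MB in the report above).
size_t RunCorpus(size_t iterations, Variant v) {
  FakeResolver resolver;
  std::vector<uint8_t> input(64, 0x41);  // constructed 64-byte sample input
  for (size_t i = 0; i < iterations; ++i) {
    input[0] = static_cast<uint8_t>(i);  // vary the input a little
    FuzzOneInput(input.data(), input.size(), resolver, v);
  }
  return resolver.Pending();
}
```

With the buggy variant every input leaves one request alive, so live memory scales with the number of iterations; with the fixed variant it returns to zero after each input.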

Comment 7 by ClusterFuzz (Project Member), Sep 23 2017

Labels: OS-Mac

Comment 8 by mmoroz@chromium.org, Oct 24 2017

For more information, please see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md.

The link referenced in the description is no longer valid.

Comment 9 by mge...@chromium.org, Mar 23 2018

Owner: ----
Status: Available (was: Assigned)
Status: WontFix (was: Available)
We are closing all ooms and timeouts that are unreproducible. We won't be filing such bugs in future.
