Timeout in pdf_codec_gif_fuzzer
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5320157978427392
Fuzzer: libFuzzer_pdf_codec_gif_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Timeout (exceeds 25 secs)
Crash Address:
Crash State: pdf_codec_gif_fuzzer
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5320157978427392
Issue manually filed by: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Sep 30 2017
We're going to temporarily disable this fuzz target on ClusterFuzz side, as it is wasting CPU cycles due to frequent crashing. We might not have crash stats from CF after that, but the target will stay in the repository and available for local reproducing and testing bug fixes. https://chromium-review.googlesource.com/c/chromium/src/+/692525
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 2 2017
GIF is XFA only, so not in production
Oct 3 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/0feba6f9ef721e4927e37da68ac27572ffae1453

commit 0feba6f9ef721e4927e37da68ac27572ffae1453
Author: Ryan Harrison <rharrison@chromium.org>
Date: Tue Oct 03 13:53:21 2017

Rewrite how GIF headers are read

Break up reading the signature and local screen descriptors into separate functions. Fix a bug in how matching in the signature validation works. Move LSD value assignment to after sufficient data has been confirmed. Convert LSB to MSB methods where they were just wrong. Add unit tests for ReadData, SetInputBuffer, ReadSignature, ReadLocalScreenDescriptor, and ReadHeader.

BUG= pdfium:913 , chromium:770470
Change-Id: I1683b8aefc11300625b9be8087c6988549308a8f
Reviewed-on: https://pdfium-review.googlesource.com/15250
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/0feba6f9ef721e4927e37da68ac27572ffae1453/core/fxcodec/gif/cfx_gif.cpp
[modify] https://crrev.com/0feba6f9ef721e4927e37da68ac27572ffae1453/BUILD.gn
[modify] https://crrev.com/0feba6f9ef721e4927e37da68ac27572ffae1453/core/fxcodec/gif/cfx_gifcontext.cpp
[modify] https://crrev.com/0feba6f9ef721e4927e37da68ac27572ffae1453/core/fxcodec/gif/cfx_gif.h
[add] https://crrev.com/0feba6f9ef721e4927e37da68ac27572ffae1453/core/fxcodec/gif/cfx_gifcontext_unittest.cpp
[modify] https://crrev.com/0feba6f9ef721e4927e37da68ac27572ffae1453/core/fxcodec/gif/cfx_gifcontext.h
Oct 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/14141c8b388fc8f001443e97cecc8f9f956cd3e7

commit 14141c8b388fc8f001443e97cecc8f9f956cd3e7
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Tue Oct 03 16:03:31 2017

Roll src/third_party/pdfium/ c2ae41abd..0feba6f9e (1 commit)

https://pdfium.googlesource.com/pdfium.git/+log/c2ae41abd16a..0feba6f9ef72

$ git log c2ae41abd..0feba6f9e --date=short --no-merges --format='%ad %ae %s'
2017-10-03 rharrison Rewrite how GIF headers are read

Created with:
  roll-dep src/third_party/pdfium

BUG= 770470

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: I9e516840c8d754b59bf1433303a776cefef304b8
Reviewed-on: https://chromium-review.googlesource.com/697824
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506054}

[modify] https://crrev.com/14141c8b388fc8f001443e97cecc8f9f956cd3e7/DEPS
Oct 5 2017
Per c2, when disabling the fuzz target, does that just stop generating new fuzz cases, or should that be stopping testing this specific case? When I go to the test case and click to see the stats, I am seeing reports of crashes after https://chromium-review.googlesource.com/c/chromium/src/+/692525 landed. I may be misunderstanding what those statistics are trying to tell me.
Oct 5 2017
I have fixed some things in the gif code that I discovered while investigating this, but this specific test case should be exiting fast even without them. I suspect this might be an issue with how timeouts are calculated, so speculatively blocking on the timeout bug.
Oct 20 2017
ClusterFuzz testcase 5320157978427392 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 23 2017
Reopening, since this was only not being seen because it is disabled.
Oct 23 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/c9d0bcccbd4cc460bb3e26f767eea2d33a5b48b6

commit c9d0bcccbd4cc460bb3e26f767eea2d33a5b48b6
Author: Ryan Harrison <rharrison@chromium.org>
Date: Mon Oct 23 20:52:07 2017

Return error when attempting to load frame with 0 height

A frame with 0 height will have no data, so there is no point in attempting to load it. Additionally some of the loading code assumes a non-zero height implicitly.

BUG= chromium:770470
Change-Id: I38b222b46b43ce5d47924526913285510be40603
Reviewed-on: https://pdfium-review.googlesource.com/16551
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/c9d0bcccbd4cc460bb3e26f767eea2d33a5b48b6/core/fxcodec/gif/cfx_gifcontext.cpp
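The two pdfium commits above (header rewrite and the zero-height frame check) describe the same defensive pattern; the following is an added illustration written for this page, not pdfium's code. It reads GIF header fields only once the buffer holds them, compares the signature exactly, stores values only after validation, and refuses an image descriptor whose height is zero. `GifStatus`, `ReadHeader` and `ReadImageDescriptor` are names chosen here and do not correspond to pdfium's API.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Added illustration of the two pdfium fixes, not pdfium's code: fields are
// read only once the buffer holds them, the signature is compared exactly,
// values are stored only after validation, and a zero-height frame is refused.
enum class GifStatus { kOk, kNeedMoreData, kError };

struct GifHeader {
  uint16_t width = 0;
  uint16_t height = 0;
};

// GIF stores 16-bit integers least-significant byte first.
static uint16_t ReadLe16(const uint8_t* p) {
  return static_cast<uint16_t>(p[0] | (p[1] << 8));
}

// Signature (6 bytes) followed by the logical screen descriptor (7 bytes).
GifStatus ReadHeader(const std::vector<uint8_t>& buf, GifHeader* out) {
  constexpr size_t kHeaderSize = 6 + 7;
  if (buf.size() < kHeaderSize)
    return GifStatus::kNeedMoreData;  // *out is left untouched
  if (memcmp(buf.data(), "GIF87a", 6) != 0 &&
      memcmp(buf.data(), "GIF89a", 6) != 0)
    return GifStatus::kError;  // exact match, not a prefix or partial compare
  GifHeader hdr;
  hdr.width = ReadLe16(&buf[6]);
  hdr.height = ReadLe16(&buf[8]);
  *out = hdr;  // assign only after the data was confirmed present and valid
  return GifStatus::kOk;
}

// Image descriptor: 0x2C separator, left, top, width, height (LE16 each),
// then one packed byte: 10 bytes in total.
GifStatus ReadImageDescriptor(const uint8_t* p, size_t len, uint16_t* frame_height) {
  constexpr size_t kDescriptorSize = 10;
  if (len < kDescriptorSize)
    return GifStatus::kNeedMoreData;
  if (p[0] != 0x2C)
    return GifStatus::kError;
  const uint16_t height = ReadLe16(p + 7);
  if (height == 0)
    return GifStatus::kError;  // no pixel data can follow; refuse to decode it
  *frame_height = height;
  return GifStatus::kOk;
}
```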
Oct 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1313bd84a4c33bc5be4edbed952c4753ef7b3cb3

commit 1313bd84a4c33bc5be4edbed952c4753ef7b3cb3
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Tue Oct 24 01:30:58 2017

Roll src/third_party/pdfium/ c970895f9..826480cf5 (7 commits)

https://pdfium.googlesource.com/pdfium.git/+log/c970895f94cf..826480cf599f

$ git log c970895f9..826480cf5 --date=short --no-merges --format='%ad %ae %s'
2017-10-23 npm Upgrade LibopenJPEG to 2.3
2017-10-23 npm Fix some integer overflows in CJBig2_TRDProc
2017-10-23 rharrison Return error when attempting to load frame with 0 height
2017-10-23 asweintraub Fix cpdf_textpage so it doesn't omit spaces.
2017-10-23 dsinclair Cleanup some javascript color code
2017-10-23 dsinclair Cleaning up JS macros
2017-10-23 dsinclair Remove CJS_PropValue

Created with:
  roll-dep src/third_party/pdfium

BUG= 770470

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: I63392e31f10fd4ba0a6d6f93cab524a2e005a0a5
Reviewed-on: https://chromium-review.googlesource.com/733956
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#510992}

[modify] https://crrev.com/1313bd84a4c33bc5be4edbed952c4753ef7b3cb3/DEPS
Oct 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f2d24819ac5cb5a0c682f50d56ede57c124b94b1

commit f2d24819ac5cb5a0c682f50d56ede57c124b94b1
Author: Ryan Harrison <rharrison@chromium.org>
Date: Tue Oct 24 18:25:33 2017

Re-enable pdf_codec_gif_fuzzer

The bug that it was disabled for has been resolved.

BUG= chromium:770470
Change-Id: I8e7378516567fbc43b8828d71bd871ba040720b0
Reviewed-on: https://chromium-review.googlesource.com/735780
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Cr-Commit-Position: refs/heads/master@{#511212}

[modify] https://crrev.com/f2d24819ac5cb5a0c682f50d56ede57c124b94b1/pdf/pdfium/fuzzers/BUILD.gn
Dec 1
ClusterFuzz has detected this issue as fixed in range 506787:506835.

Detailed report: https://clusterfuzz.com/testcase?key=5320157978427392
Fuzzer: libFuzzer_pdf_codec_gif_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Timeout (exceeds 25 secs)
Crash Address:
Crash State: pdf_codec_gif_fuzzer
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=506787:506835
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5320157978427392

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mmoroz@chromium.org, Sep 30 2017