Timeout in origin_trial_token_fuzzer
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5241025345093632
Fuzzer: libFuzzer_origin_trial_token_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Timeout (exceeds 25 secs)
Crash Address:
Crash State: origin_trial_token_fuzzer
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5241025345093632
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Jan 20 2018
Jan 24 2018
brajkumar@, Blink>Infra doesn't seem appropriate as a fallback label to me. While it has a lot to do with tests (especially LayoutTests), unless there's a suspicion that the infra itself is the cause of the problem, the component for the suspect feature seems better. Trying Internals>OriginTrials based on the test name alone.
Jan 24 2018
The test case contains a 500kb JSON string, of the form
{"origin": "https:<garbage>"}, where <garbage> is ~499kb of random characters, mostly (93%) 0x00, 0x04, 0x2e, 0x60, 0x68, 0x7f, and 0xdf, but with a smattering of other characters and fuzzer-seeded strings.
This exceeds the header size limit for Chrome, but conceivably a string this long could be generated in javascript and added in a <meta> element, so we should do some sanitizing in the TrialToken::Parse method.
Jan 25 2018
Jan 25 2018
Jan 29 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4f625a18fb7d5eea095762a5d8b9c7fa3501ffb7

commit 4f625a18fb7d5eea095762a5d8b9c7fa3501ffb7
Author: Jason Chase <chasej@chromium.org>
Date: Mon Jan 29 23:03:21 2018

Limit the size of origin trial tokens that will be parsed

There is a fuzzer for parsing of origin trial tokens. In bug 802377, we discovered that the fuzzer was generating tokens > 500KB in size. This was apparently causing sporadic timeouts in the fuzzer.

The token generation and parsing logic can support valid tokens of such large sizes. Realistically, there's no need for such large tokens. In the token contents, the origin is the only portion that is user-supplied. While there is no specified limit on the size of URLs or domains, there do seem to be practical limits.

This CL limits token payloads to 4KB in size. That allows for the origin to be ~4KB in size, which is 2x some practical limits for URLs.

Bug: 802377
Change-Id: I80c31dcd6d0e02afe9cbc1c53479fea3b5821751
Reviewed-on: https://chromium-review.googlesource.com/886822
Commit-Queue: Jason Chase <chasej@chromium.org>
Reviewed-by: Ian Clelland <iclelland@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532645}

[modify] https://crrev.com/4f625a18fb7d5eea095762a5d8b9c7fa3501ffb7/third_party/WebKit/common/origin_trials/trial_token.cc
[modify] https://crrev.com/4f625a18fb7d5eea095762a5d8b9c7fa3501ffb7/third_party/WebKit/common/origin_trials/trial_token_unittest.cc
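The mitigation described in the commit above, as an added example that is not Chromium's code: the payload length is read from the token header and checked against a 4KB cap before anything proportional to the payload (decoding, JSON parsing, origin validation) runs, so an oversized token is rejected in constant time. The token layout used here (1-byte version, 64-byte signature, 4-byte big-endian payload length, JSON payload) and the names `ParseTokenHeader`, `MakeToken` and `kMaxPayloadSize` are assumptions for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <string_view>

// Assumed token layout: version | signature | big-endian payload length | JSON payload.
constexpr size_t kVersionSize = 1;
constexpr size_t kSignatureSize = 64;
constexpr size_t kLengthSize = 4;
constexpr size_t kHeaderSize = kVersionSize + kSignatureSize + kLengthSize;
// Payload cap mirroring the 4KB limit chosen in the fix.
constexpr uint32_t kMaxPayloadSize = 4096;

enum class ParseStatus { kOk, kMalformed, kPayloadTooLarge };

struct ParsedToken {
  ParseStatus status;
  uint8_t version = 0;
  std::string_view payload;  // JSON; only valid when status == kOk
};

// Splits the token into header fields and payload. The size cap is enforced
// using only the declared length, before the payload is touched at all.
ParsedToken ParseTokenHeader(std::string_view token) {
  ParsedToken result{ParseStatus::kMalformed};
  if (token.size() < kHeaderSize) return result;
  result.version = static_cast<uint8_t>(token[0]);
  const unsigned char* len_bytes =
      reinterpret_cast<const unsigned char*>(token.data()) + kVersionSize + kSignatureSize;
  const uint32_t declared = (uint32_t{len_bytes[0]} << 24) | (uint32_t{len_bytes[1]} << 16) |
                            (uint32_t{len_bytes[2]} << 8) | uint32_t{len_bytes[3]};
  if (declared > kMaxPayloadSize) {
    result.status = ParseStatus::kPayloadTooLarge;  // reject before decoding or JSON parsing
    return result;
  }
  // The declared length must cover exactly the remaining bytes: a truncated or
  // padded token would mean the signature does not cover what gets parsed.
  if (token.size() - kHeaderSize != declared) return result;
  result.payload = token.substr(kHeaderSize, declared);
  result.status = ParseStatus::kOk;
  return result;
}

// Builds a constructed, unsigned test token (signature bytes are all zero).
std::string MakeToken(const std::string& payload) {
  std::string token(1, '\x02');
  token.append(kSignatureSize, '\0');
  const uint32_t n = static_cast<uint32_t>(payload.size());
  for (int shift = 24; shift >= 0; shift -= 8) token.push_back(static_cast<char>((n >> shift) & 0xff));
  return token + payload;
}
```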
Jan 31 2018
The stats for the fuzzer show that the # of crashes decreased significantly after the CL in #6 was landed. Stats available here: https://clusterfuzz.com/testcase?key=5241025345093632
Comment 1 by brajkumar@chromium.org, Jan 17 2018
Components: Blink>Infra
Labels: Test-Predator-Wrong CF-NeedsTriage