Out-of-memory in sdp_parser_fuzzer
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6568212653932544
Fuzzer: libFuzzer_sdp_parser_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State: sdp_parser_fuzzer
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=419171:419261
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6568212653932544

Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Feb 19 2018

Feb 19 2018
Ha, yeah it sure caused it, in a sense, since it's the CL that enabled the fuzzer like two years ago :) There is probably no culprit here, it probably just grew in mem usage over time or something. I'll leave it to the component triager to triage this.
Feb 26 2018

Mar 23 2018
Ping for triaging.
Apr 26 2018
Ping.
May 21 2018
It looks like the problematic SDP here is just an "a=ice-options: " with lots of spaces (hundreds of thousands), causing "rtc::split" to make hundreds of thousands of substrings. Closing this as WontFix, since it's expected that large SDP strings could take a lot of memory to store in parsed form; it's just something that should never happen with real SDP. phoglund@: is there a way to limit the max input size of a fuzzer? Or is that something we should implement in the fuzzer itself "if (size > kMaxSize) return;", expecting the fuzzer to learn the limitation?
May 22 2018
Yes, as it turns out. Sent you a CL: https://webrtc-review.googlesource.com/c/src/+/78280
May 23 2018
The following revision refers to this bug: https://webrtc.googlesource.com/src.git/+/547e3169d9e059117de6a22f34c6e959707598e7

commit 547e3169d9e059117de6a22f34c6e959707598e7
Author: Patrik Höglund <phoglund@webrtc.org>
Date: Wed May 23 10:33:40 2018

Limit input length for SDP fuzzer.

This limits the SDP to 16KB, which sounds enough.

Bug: chromium:813328
Change-Id: I58c7b3e073108fd7b3495e8182b5c632e9619fe7
Reviewed-on: https://webrtc-review.googlesource.com/78280
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Commit-Queue: Patrik Höglund <phoglund@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#23360}

[modify] https://crrev.com/547e3169d9e059117de6a22f34c6e959707598e7/test/fuzzers/BUILD.gn
May 23 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/349158ec7d7da1de29628c682e1b26a476e6381d

commit 349158ec7d7da1de29628c682e1b26a476e6381d
Author: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Wed May 23 15:38:33 2018

Roll src/third_party/webrtc/ a832019f4..547e3169d (45 commits)

https://webrtc.googlesource.com/src.git/+log/a832019f4e3a..547e3169d9e0

$ git log a832019f4..547e3169d --date=short --no-merges --format='%ad %ae %s'

Created with:
roll-dep src/third_party/webrtc

BUG= chromium:813328 , chromium:845135 ,chromium:none,chromium:841962,chromium:888042,chromium:None,chromium:845158,chromium:None,chromium:None

The AutoRoll server is located here: https://webrtc-chromium-roll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_archive_rel_ng;master.tryserver.chromium.mac:mac_chromium_archive_rel_ng
TBR=webrtc-chromium-sheriffs-robots@google.com
Change-Id: I1d118a77cf2b61247d8720d3c9b93091416454a9
Reviewed-on: https://chromium-review.googlesource.com/1070209
Reviewed-by: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#561102}

[modify] https://crrev.com/349158ec7d7da1de29628c682e1b26a476e6381d/DEPS
May 29 2018

Jun 5 2018
ClusterFuzz testcase 6568212653932544 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Jun 5 2018
I don't understand. I added libfuzzer_options = [ "max_len=16384" ] which I thought meant "don't feed more than 16K of input into the fuzzer". Why is it still failing?
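As an added illustration of the failure mode the triager describes (a single "a=ice-options: " line followed by a huge run of spaces, where each delimiter becomes its own field) and of the in-target size cap discussed in this thread. This is example code written for this page, not WebRTC's code and not the fuzzer's source: SplitKeepingEmpties is a hypothetical stand-in that models rtc::split's documented behaviour of turning a run of N delimiters into N empty fields, MakeIceOptionsLine builds a constructed sample line, and ParseIceOptionsGuarded shows the `if (size > kMaxSize) return;` style of cap, with the example's own constant kMaxSdpLength set to the 16 KB the fix chose.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical stand-in for rtc::split (not WebRTC code): every delimiter
// terminates a field, so consecutive delimiters produce empty fields instead
// of being collapsed. Returns the number of fields written.
size_t SplitKeepingEmpties(const std::string& source, char delimiter,
                           std::vector<std::string>* fields) {
  fields->clear();
  size_t last = 0;
  for (size_t i = 0; i < source.length(); ++i) {
    if (source[i] == delimiter) {
      fields->push_back(source.substr(last, i - last));
      last = i + 1;
    }
  }
  fields->push_back(source.substr(last));  // trailing field (possibly empty)
  return fields->size();
}

// Constructed sample in the shape the triager described: the attribute line
// plus a run of extra spaces. The real reproducer is not on the page.
std::string MakeIceOptionsLine(size_t extra_spaces) {
  return "a=ice-options: " + std::string(extra_spaces, ' ');
}

// Fields produced for such a line: "a=ice-options:" plus one empty field per
// space (the line already carries one space), so the parsed representation
// grows linearly with the whitespace run rather than with meaningful content.
size_t FieldCountForIceOptions(size_t extra_spaces) {
  std::vector<std::string> fields;
  return SplitKeepingEmpties(MakeIceOptionsLine(extra_spaces), ' ', &fields);
}

// Example's own cap, mirroring the 16 KB limit applied in the fix.
constexpr size_t kMaxSdpLength = 16 * 1024;

// Stand-in for a fuzzer target's entry logic: reject oversize input before
// any parsing work is done. Returns the field count, or -1 when rejected.
long ParseIceOptionsGuarded(const uint8_t* data, size_t size) {
  if (size > kMaxSdpLength) return -1;  // the in-target guard
  std::string sdp(reinterpret_cast<const char*>(data), size);
  std::vector<std::string> fields;
  return static_cast<long>(SplitKeepingEmpties(sdp, ' ', &fields));
}

// Convenience wrapper that feeds a constructed line through the guard.
long ParseIceOptionsLineGuarded(size_t extra_spaces) {
  std::string line = MakeIceOptionsLine(extra_spaces);
  return ParseIceOptionsGuarded(
      reinterpret_cast<const uint8_t*>(line.data()), line.size());
}

int main() {
  std::printf("5 extra spaces      -> %zu fields\n", FieldCountForIceOptions(5));
  std::printf("100000 extra spaces -> %zu fields (unguarded)\n",
              FieldCountForIceOptions(100000));
  std::printf("100000 extra spaces -> %ld (guarded, -1 = rejected)\n",
              ParseIceOptionsLineGuarded(100000));
  return 0;
}
```

The guard inside the target rejects an oversize input whatever produced it, whereas a libFuzzer option such as max_len only governs the inputs the fuzzer itself generates; a defender who wants a hard ceiling on parser work per input therefore checks the size in the target as well.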
Comment 1 by brajkumar@chromium.org, Feb 19 2018
Components: Blink>WebRTC
Labels: -Pri-1 M-65 Test-Predator-Wrong CF-NeedsTriage Pri-2