
Issue 813619 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Timeout in net_parse_proxy_bypass_rules_fuzzer

Project Member Reported by ClusterFuzz, Feb 19 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4793276532785152

Fuzzer: libFuzzer_net_parse_proxy_bypass_rules_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address: 
Crash State:
  net_parse_proxy_bypass_rules_fuzzer
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=410283:410286

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4793276532785152

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Cc: brajkumar@chromium.org
Components: Internals>Network
Labels: -Pri-1 M-65 Test-Predator-Wrong CF-NeedsTriage Pri-2
Unable to find the suspect through code search and also from the provided CL, hence adding appropriate label and leaving it as untriaged for further updates.

Thanks!

Comment 2 by mmenke@chromium.org, Feb 28 2018

Cc: eroman@chromium.org mmenke@chromium.org
Components: -Internals>Network Internals>Network>Proxy
This may be a URL issue; either way, seems like we can restrict length. Eric: You want to take this, or should I?

Comment 3 by eroman@chromium.org, Feb 28 2018

This is not the same as Issue 802258.

I ran a profile, and the problem is the sheer amount of proxy bypass rules being parsed (over 316,000).

The parsing of each individual rule isn't bad -- on average they are 1-2 characters long. However all the overheads of allocations, URL and hostname canonicalizations, repeated 316k times add up to a long runtime.

Restricting the length of input to the fuzzer SGTM; I can take a look.

Comment 4 by mmenke@chromium.org, Feb 28 2018

Cc: -eroman@chromium.org
Owner: eroman@chromium.org
Status: Assigned (was: Untriaged)
Great, thanks!

Comment 5 by eroman@chromium.org, Feb 28 2018

Slight correction: we are parsing 633,264 rules (since the fuzzer parses twice).

With the coverage instrumentation, that comes out to an average time of 24 microseconds per rule, which isn't a concern given how this code is used.
Comment 6 by bugdroid1@chromium.org (Project Member), Mar 1 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b8522d6eac154f8916f6685eae5a0c2914a08fe7

commit b8522d6eac154f8916f6685eae5a0c2914a08fe7
Author: Eric Roman <eroman@chromium.org>
Date: Thu Mar 01 02:53:58 2018

Limit the size of input to parse_proxy_bypass_rules_fuzzer to 512 bytes.

Clusterfuzz is currently sending inputs in excess of 814 KB, which results in a correct but slow execution (times out).

Given the simple grammar of proxy bypass rules, 512 bytes is more than enough to explore it.

Bug: 813619
Change-Id: I1415a1a15bb2996b6698b96b9cdef856a4988110
Reviewed-on: https://chromium-review.googlesource.com/942098
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Abhishek Arya <inferno@chromium.org>
Commit-Queue: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#540004}
[modify] https://crrev.com/b8522d6eac154f8916f6685eae5a0c2914a08fe7/net/BUILD.gn
[modify] https://crrev.com/b8522d6eac154f8916f6685eae5a0c2914a08fe7/net/proxy_resolution/parse_proxy_bypass_rules_fuzzer.cc

Status: Fixed (was: Assigned)
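The pattern behind this fix (comments 3 and 5 and the landed change), as an added example that is not Chromium's fuzzer code: a libFuzzer entry point that rejects inputs over 512 bytes before any parsing, plus a small rule counter that shows how an input of one- and two-character rules turns a few hundred KB into hundreds of thousands of parse iterations. The delimiter set (',', ';', whitespace) and the helper names are assumptions for illustration, not taken from the page.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Same limit the fix chose for the fuzzer: anything larger is skipped.
constexpr size_t kMaxFuzzInputSize = 512;

bool AcceptFuzzInput(size_t size) {
  return size <= kMaxFuzzInputSize;
}

// Stand-in for the real parser: counts non-empty tokens separated by
// ',', ';' or whitespace (assumed delimiters, not Chromium's grammar).
size_t CountBypassRules(const std::string& input) {
  size_t count = 0;
  bool in_token = false;
  for (char c : input) {
    bool delim = (c == ',' || c == ';' || c == ' ' ||
                  c == '\t' || c == '\n' || c == '\r');
    if (delim) {
      in_token = false;
    } else if (!in_token) {
      in_token = true;
      ++count;
    }
  }
  return count;
}

// Fuzzer harness: check the size cap first, so a correct-but-slow parse of a
// huge corpus entry is no longer reported as a timeout crash.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  if (!AcceptFuzzInput(size))
    return 0;
  std::string input(reinterpret_cast<const char*>(data), size);
  (void)CountBypassRules(input);
  return 0;
}

// Constructed input in the shape the report describes: n rules of one or
// two characters each, e.g. "a,ab,a,ab,...".
std::string MakeTinyRules(size_t n) {
  std::string s;
  for (size_t i = 0; i < n; ++i) {
    if (i) s += ',';
    s += (i % 2) ? "ab" : "a";
  }
  return s;
}
```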
