OOM in regexp fuzzer caused by \b\B pattern
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5735862013526016

Fuzzer: libFuzzer_v8_regexp_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State:
  NULL

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=556128:556143

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5735862013526016

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Aug 22

There are potentially two issues here:
1) this 32 byte fuzzer input causes creation of a 105 MB code object
2) the regexp fuzzer treats OOM as a crash
Aug 22

Indeed an OOM when trying to alloc the code object. The pattern is again '\b\B\b\B\b\B\b\B\b\B\b\B\b\B\b\B\b\B\b', the fuzzer really seems to love this one.

Duping on https://crbug.com/v8/6515.

Clusterfuzz crash state detection seems broken currently. This used to work, see also other similar OOMs like https://crbug.com/735559.

#
# Fatal javascript OOM in CALL_AND_RETRY_LAST
#

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==29806==ERROR: UndefinedBehaviorSanitizer: ILL on unknown address 0x00000120b577 (pc 0x00000120b577 bp 0x7ffe580a7f70 sp 0x7ffe580a7f60 T29806)
    #0 0x120b576 in v8::base::OS::Abort() v8/src/base/platform/platform-posix.cc:401:3
    #1 0x687206 in v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, bool) v8/src/api.cc:480:7
    #2 0x687110 in v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, bool) v8/src/api.cc:448:3
    #3 0xb630bd in v8::internal::Heap::FatalProcessOutOfMemory(char const*) v8/src/heap/heap.cc:5216:3
    #4 0xb6edab in v8::internal::Heap::AllocateRawWithRetryOrFail(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment) v8/src/heap/heap.cc:4658:3
    #5 0xb4b77b in v8::internal::Factory::NewCode(v8::internal::CodeDesc const&, v8::internal::Code::Kind, v8::internal::Handle<v8::internal::Object>, int, v8::internal::MaybeHandle<v8::internal::ByteArray>, v8::internal::MaybeHandle<v8::internal::DeoptimizationData>, v8::internal::Movability, unsigned int, bool, int, int, int) v8/src/heap/factory.cc:2636:15
Aug 29
ClusterFuzz testcase 5735862013526016 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Dec 1
ClusterFuzz testcase 5735862013526016 appears to be flaky, updating reproducibility label.
Comment 1 by ClusterFuzz, Aug 21
Labels: Test-Predator-Auto-Components