Issue 895469

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: Oct 18
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




Timeout in pdf_bidi_fuzzer

Project Member Reported by ClusterFuzz, Oct 15

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4646987855822848

Fuzzer: libFuzzer_pdf_bidi_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: Timeout (exceeds 25 secs)
Crash Address: 
Crash State:
  pdf_bidi_fuzzer
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4646987855822848

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Cc: kkaluri@chromium.org
Labels: M-70 CF-NeedsTriage Test-Predator-Wrong
Unable to find the actual suspect through code search, and also observing no CLs in the regression range, hence adding the appropriate label and requesting someone from the dev team to look into this issue.

Thanks!
Components: Internals>Plugins>PDF
Labels: -CF-NeedsTriage
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
dsinclair@, just wondering do you have any inputs here?

Thank you!
Owner: ----
Status: Untriaged (was: Assigned)
Labels: -Pri-1 -M-70 Pri-2
Status: Available (was: Untriaged)
XFA only.
Cc: mmoroz@chromium.org
mmoroz: Did the fuzzer fail to start here?
Cc: metzman@chromium.org
No, it seems to work, but hits the timeout very quickly, below is another log.

+metzman@ in case this is something Windows specific.

Command: 'c:\clusterfuzz\slave-bot\builds\chromium-browser-libfuzzer_win32-release_x64-asan_4834a5339bd661fb993ed9448e3738d3c07ca989\revisions\libfuzzer-win32-release_x64-599743\pdf_bidi_fuzzer.exe' -timeout=25 -rss_limit_mb=2048 '-artifact_prefix=c:\clusterfuzz\slave-bot\inputs\fuzzer-testcases/' -max_total_time=2650 -print_final_stats=1 'c:\clusterfuzz\slave-bot\inputs\fuzzer-testcases-disk\temp\new' 'c:\clusterfuzz\slave-bot\inputs\data-bundles\global\pdf_bidi_fuzzer'
Bot: clusterfuzz-windows-zone2-pre-0lgm
Time ran: 481.642000

INFO: Seed: 2568330412
INFO: Loaded 1 modules   (598609 inline 8-bit counters): 598609 [00007FF66FAD7B48, 00007FF66FB69D99),
INFO: Loaded 1 PC tables (598609 PCs): 598609 [00007FF66EED40E8,00007FF66F7F65F8),
INFO:        0 files found in c:\clusterfuzz\slave-bot\inputs\fuzzer-testcases-disk\temp\new
INFO:     2466 files found in c:\clusterfuzz\slave-bot\inputs\data-bundles\global\pdf_bidi_fuzzer
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048576 bytes
INFO: seed corpus: files: 2466 min: 1b max: 1453505b total: 104157922b rss: 78Mb
#256	pulse  cov: 2060 ft: 6939 corp: 219/1248b lim: 4 exec/s: 85 rss: 401Mb
#512	pulse  cov: 2142 ft: 9220 corp: 444/5177b lim: 4 exec/s: 64 rss: 410Mb
#1024	pulse  cov: 2188 ft: 11929 corp: 768/27Kb lim: 4 exec/s: 35 rss: 459Mb
Slowest unit: 10 s:
artifact_prefix='c:\clusterfuzz\slave-bot\inputs\fuzzer-testcases/'; Test unit written to c:\clusterfuzz\slave-bot\inputs\fuzzer-testcases/slow-unit-6b86985ef8fde725bb1c8627c45424956a6f40de
Slowest unit: 13 s:
artifact_prefix='c:\clusterfuzz\slave-bot\inputs\fuzzer-testcases/'; Test unit written to c:\clusterfuzz\slave-bot\inputs\fuzzer-testcases/slow-unit-20e30a61adb74c1618d2adf78bfb72e1717b0da9
Slowest unit: 17 s:
artifact_prefix='c:\clusterfuzz\slave-bot\inputs\fuzzer-testcases/'; Test unit written to c:\clusterfuzz\slave-bot\inputs\fuzzer-testcases/slow-unit-603f4987fa4341b73fb744b031068300d6069fa9
Slowest unit: 25 s:
artifact_prefix='c:\clusterfuzz\slave-bot\inputs\fuzzer-testcases/'; Test unit written to c:\clusterfuzz\slave-bot\inputs\fuzzer-testcases/slow-unit-2ac407b99b8c639df151a4b3ce5327ea54cfd98c
ALARM: working on the last Unit for 34 seconds
       and the timeout value is 25 (use -timeout=N to change)
MS: 0 ; base unit: 0000000000000000000000000000000000000000
artifact_prefix='c:\clusterfuzz\slave-bot\inputs\fuzzer-testcases/'; Test unit written to c:\clusterfuzz\slave-bot\inputs\fuzzer-testcases/timeout-ea79fcc889f7783d829e61b3fd2f5189e5625beb
==3892== ERROR: libFuzzer: timeout after 34 seconds
    #0 0x7ff66db571d4 in __sanitizer_print_stack_trace C:\b\rr\tmpagbdek\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_stack.cc:38
    #1 0x7ff669ac7da8 in fuzzer::PrintStackTrace(void) C:\b\s\w\ir\cache\builder\src\third_party\libFuzzer\src\FuzzerUtil.cpp:206
    #2 0x7ff669aaf642 in fuzzer::Fuzzer::AlarmCallback(void) C:\b\s\w\ir\cache\builder\src\third_party\libFuzzer\src\FuzzerLoop.cpp:300
    #3 0x7ffd2c8d8c9c  (C:\Windows\SYSTEM32\ntdll.dll+0x180078c9c)
    #4 0x7ffd2c8d8bb8  (C:\Windows\SYSTEM32\ntdll.dll+0x180078bb8)
    #5 0x7ffd2c89326e  (C:\Windows\SYSTEM32\ntdll.dll+0x18003326e)
    #6 0x7ffd2aad8363  (C:\Windows\System32\KERNEL32.DLL+0x180008363)
    #7 0x7ffd2c8c7090  (C:\Windows\SYSTEM32\ntdll.dll+0x180067090)

custom-crash-state: pdf_bidi_fuzzer
SUMMARY: libFuzzer: timeout
stat::number_of_executed_units: 2048
stat::average_exec_per_sec:     4
stat::new_units_added:          0
stat::slowest_unit_time_sec:    25
stat::peak_rss_mb:              867
This timeout repros on Windows only.

My guess is the difference is caused by CFGAS_FontMgr::GetFontByUnicode (https://cs.chromium.org/chromium/src/third_party/pdfium/xfa/fgas/font/cfgas_fontmgr.cpp?l=795).

That function can quit early if not on Windows. And according to perf the function and its children only take up 1.8% of program time on Linux.

Visual Studio's profiling tools seem to say it takes much longer on Windows.
 
I'm pretty new to profiling (particularly on Windows) but I've seen differences in font handling being a reason for different behavior between libFuzzer targets on Linux and Windows (maybe I'm wrong and just blaming fonts because of past experience =).
Attachment: unicode.png (10.3 KB)
Thanks for taking a look. The explanation sounds plausible.
Can repro locally. GetFontByUnicode() gets called 12K times on Windows and 62K times on Linux, yet Linux is 500 times faster.
Hopefully https://pdfium-review.googlesource.com/44251 will take care of this.
Owner: thestig@chromium.org
Status: Started (was: Available)
Project Member

Comment 12 by bugdroid1@chromium.org, Oct 18

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/4df46054105e71ecc6a80d29c8d56ef0778b5aa8

commit 4df46054105e71ecc6a80d29c8d56ef0778b5aa8
Author: Lei Zhang <thestig@chromium.org>
Date: Thu Oct 18 16:58:07 2018

Cache CFGAS_FontMgr::GetFontByUnicode() failures on Windows.

Non-Windows does this already, which is why it can handle fuzzers that
throw the same invalid unicode character at it efficiently. Whereas
Windows tries to do the same failing font load repeatedly.

BUG= chromium:895469 

Change-Id: I6780d1ec0881222348e05a5a63e7b2238f39a3a6
Reviewed-on: https://pdfium-review.googlesource.com/c/44251
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

[modify] https://crrev.com/4df46054105e71ecc6a80d29c8d56ef0778b5aa8/xfa/fgas/font/cfgas_fontmgr.cpp
[modify] https://crrev.com/4df46054105e71ecc6a80d29c8d56ef0778b5aa8/xfa/fgas/font/cfgas_fontmgr.h
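The pattern behind the fix above (remembering lookups that failed so an expensive, repeatedly failing font load is not re-run for the same code point), shown as an added, self-contained C++ model. This is not pdfium's code: `NegCachingFontMgr`, `FakeFont`, `SlowSystemLookup` and the "only Basic Latin has a font" rule are constructed stand-ins, and the repeated code point U+FFFE is a constructed input that stands in for the fuzzer's invalid character.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <string>

// Hypothetical font handle; a null pointer means "no font found".
struct FakeFont { std::string name; };

// Hypothetical font manager modelled on the commit's idea: with
// cache_failures == true, a code point whose lookup failed once is
// remembered and the slow platform lookup is never repeated for it.
class NegCachingFontMgr {
 public:
  explicit NegCachingFontMgr(bool cache_failures)
      : cache_failures_(cache_failures) {}

  // Returns a font for `unicode`, or nullptr if none exists.
  const FakeFont* GetFontByUnicode(uint32_t unicode) {
    auto hit = found_.find(unicode);
    if (hit != found_.end()) return &hit->second;        // positive cache
    if (cache_failures_ && failed_.count(unicode)) return nullptr;  // negative cache
    ++expensive_lookups_;
    const FakeFont* f = SlowSystemLookup(unicode);
    if (f) {
      found_[unicode] = *f;
      return &found_[unicode];
    }
    if (cache_failures_) failed_.insert(unicode);        // remember the failure
    return nullptr;
  }

  int expensive_lookups() const { return expensive_lookups_; }

 private:
  // Constructed stand-in for enumerating system fonts: only code points in
  // the Basic Latin block resolve; everything else fails (slowly, in reality).
  static const FakeFont* SlowSystemLookup(uint32_t unicode) {
    static const FakeFont kLatin{"ConstructedLatinFont"};
    return unicode < 0x80 ? &kLatin : nullptr;
  }

  bool cache_failures_;
  std::map<uint32_t, FakeFont> found_;
  std::set<uint32_t> failed_;
  int expensive_lookups_ = 0;
};

// Models a text run that repeats one code point `repeats` times and returns
// how many slow platform lookups were needed to lay it out.
int CountLookups(bool cache_failures, std::size_t repeats, uint32_t unicode) {
  NegCachingFontMgr mgr(cache_failures);
  for (std::size_t i = 0; i < repeats; ++i) mgr.GetFontByUnicode(unicode);
  return mgr.expensive_lookups();
}
```

Without the negative cache, every occurrence of an unmapped code point pays the full lookup cost, which is the linear blow-up the fuzzer turned into a timeout; with it, the cost is paid once per distinct code point.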

Status: Fixed (was: Started)
Project Member

Comment 14 by bugdroid1@chromium.org, Oct 18

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/eb4f089ef766860917e7e38e34a20b0b17eed920

commit eb4f089ef766860917e7e38e34a20b0b17eed920
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Thu Oct 18 21:49:31 2018

Roll src/third_party/pdfium ec885bad72ef..4754adaf70d8 (14 commits)

https://pdfium.googlesource.com/pdfium.git/+log/ec885bad72ef..4754adaf70d8


git log ec885bad72ef..4754adaf70d8 --date=short --no-merges --format='%ad %ae %s'
2018-10-18 thestig@chromium.org Add unit tests for CFX_Matrix::TransformRect().
2018-10-18 thestig@chromium.org Forward declare some fxjs/ classes.
2018-10-18 thestig@chromium.org Remove a few V8 includes from header files.
2018-10-18 thestig@chromium.org Change CXFA_LoaderContext::dwFlags to bFilterSpace.
2018-10-18 thestig@chromium.org Avoid pass by value in FPDFPage_Flatten()'s GetMatrix() helper.
2018-10-18 thestig@chromium.org Push/pop the graphics state stack when flattening.
2018-10-18 thestig@chromium.org Convert CXFA_LoaderContext to a struct.
2018-10-18 thestig@chromium.org Clean up CXFA_TextLayout.
2018-10-18 tsepez@chromium.org Add JavaScript tests for event API.
2018-10-18 thestig@chromium.org Cache CFGAS_FontMgr::GetFontByUnicode() failures on Windows.
2018-10-18 thestig@chromium.org Shuffle platform-specifc code in CFGAS_FontMgr::GetFontByUnicode().
2018-10-18 tsepez@chromium.org De-dup some static string tables in cjs_publicmethods.cpp
2018-10-18 tsepez@chromium.org Add JavaScript public methods tests.
2018-10-18 tsepez@chromium.org Repack CPDFSDK_FieldAction.


Created with:
  gclient setdep -r src/third_party/pdfium@4754adaf70d8

The AutoRoll server is located here: https://autoroll.skia.org/r/pdfium-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.



BUG= chromium:896366 , chromium:895469 
TBR=dsinclair@chromium.org

Change-Id: I1ed6f308d1b8f8606e7d90d0cf2794e1ed929ae8
Reviewed-on: https://chromium-review.googlesource.com/c/1289649
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#600925}
[modify] https://crrev.com/eb4f089ef766860917e7e38e34a20b0b17eed920/DEPS

Project Member

Comment 15 by ClusterFuzz, Oct 19

ClusterFuzz has detected this issue as fixed in range 600922:600946.

Detailed report: https://clusterfuzz.com/testcase?key=4646987855822848

Fuzzer: libFuzzer_pdf_bidi_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: Timeout (exceeds 25 secs)
Crash Address: 
Crash State:
  pdf_bidi_fuzzer
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=600922:600946

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4646987855822848

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 16 by ClusterFuzz, Oct 19

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4646987855822848 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.