
Issue 910505 link


Issue metadata

Status: Verified
Owner:
Closed: Dec 7
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug


Timeout in pdf_codec_fax_fuzzer

Project Member Reported by ClusterFuzz, Nov 30

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6554355555368960

Fuzzer: libFuzzer_pdf_codec_fax_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address: 
Crash State:
  pdf_codec_fax_fuzzer
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=583292:583305

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6554355555368960

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Nov 30

Labels: OS-Windows OS-Mac
Project Member

Comment 2 by ClusterFuzz, Nov 30

Cc: thestig@chromium.org jochen@chromium.org jam@chromium.org caryclark@google.com tsepez@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Cc: -jochen@chromium.org -jam@chromium.org -caryclark@google.com
Components: Internals>Plugins>PDF

Cc: kcc@chromium.org
kcc: Got any advice here? A big portion of the time is spent in the sanitizers. On Linux, I recorded a trace with "perf record -g path/to/pdf_codec_fax_fuzzer bug_910505.fuzz" and viewed the "perf report" output.

With MSAN, 21% of the time is in __sanitizer_cov_trace_cmp8, 19% in fuzzer::ValueBitMap::AddValue, 10% in __interceptor_memcmp, and 10% in __sanitizer_cov_trace_const_cmp4 = 60%.

With ASAN, __interceptor_memcmp takes 40% of the time, and __asan::QuickCheckForUnpoisonedRegion takes 27% of the time = 67%.

There isn't much I can do here with the sanitizers to speed things up.

The input here is 621k -- is it at all reasonable to run this fuzzer on inputs this large? (Sometimes it is, but it's very expensive and inefficient, so often the best solution is to limit the input size to something like 10K; you can do this inside the fuzz target.)
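The in-target size cap kcc recommends, as an added example in the shape of a libFuzzer target (this is not pdfium's own pdf_codec_fax_fuzzer.cc; the 10K constant and the ConsumeInput stand-in for the decoder are assumptions made here):

```cpp
// Added example, not pdfium's fuzzer source: a libFuzzer target that rejects
// oversized inputs before doing any work, so a single large testcase cannot
// burn the 25 s budget inside sanitizer-instrumented code.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// 10K is the ballpark from the thread; the exact limit the fix chose is not
// shown on this page, so this constant is an assumption.
constexpr size_t kMaxInputSize = 10 * 1024;

// Gate decision kept in its own function so it can be unit-tested.
bool InputWithinLimit(size_t size) {
  return size <= kMaxInputSize;
}

// Stand-in for the decoder the real target drives (hypothetical); it only
// has to touch every byte so the example has work for the gate to protect.
uint32_t ConsumeInput(const uint8_t* data, size_t size) {
  uint32_t acc = 0;
  for (size_t i = 0; i < size; ++i)
    acc = acc * 31u + data[i];
  return acc;
}

// libFuzzer entry point. Returning 0 early for oversized inputs means the
// engine sees no new coverage from them, so they do not accumulate in the
// corpus, and the cap holds even when the engine is run with a larger
// -max_len than the target was designed for.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  if (!InputWithinLimit(size))
    return 0;
  ConsumeInput(data, size);
  return 0;
}

// Stand-alone check: a 621 KB input (the size from the report) is rejected,
// a 4 KB input is processed.
int main() {
  std::vector<uint8_t> big(621 * 1024, 0xAB);    // constructed sample
  std::vector<uint8_t> small(4 * 1024, 0xAB);    // constructed sample
  std::printf("621K within limit: %d\n", InputWithinLimit(big.size()));
  std::printf("4K within limit: %d\n", InputWithinLimit(small.size()));
  return 0;
}
```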
Project Member

Comment 6 by ClusterFuzz, Dec 1

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 6554355555368960 appears to be flaky, updating reproducibility label.

Labels: -Unreproducible Reproducible
Please ignore the last comment about testcase being unreproducible. The testcase is still reproducible. This happened due to a code refactoring on ClusterFuzz side, and the underlying root cause is now fixed. Resetting the label back to Reproducible. Sorry about the inconvenience caused from these incorrect notifications.

Labels: M-71 Test-Predator-Wrong
Owner: thestig@chromium.org
Status: Assigned (was: Untriaged)
With reference to Issue 845117, assigning it to thestig@

core/fxcodec/codec/ccodec_faxmodule.cpp has (almost) 100% coverage via the fuzzer, so maybe it is ok to reduce the size.
Project Member

Comment 10 by bugdroid1@chromium.org, Dec 6

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/51340b520686e85ac182d22de352e237047e3b4c

commit 51340b520686e85ac182d22de352e237047e3b4c
Author: Lei Zhang <thestig@chromium.org>
Date: Thu Dec 06 20:38:04 2018

Limit pdf_codec_fax_fuzzer input size.

Larger inputs probably do not improve coverage.

BUG= chromium:910505 

Change-Id: I9a2fb4a1c1addbae8f5bd24db018b5be1ef5bb9d
Reviewed-on: https://pdfium-review.googlesource.com/c/46612
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/51340b520686e85ac182d22de352e237047e3b4c/testing/fuzzers/pdf_codec_fax_fuzzer.cc

Project Member

Comment 11 by bugdroid1@chromium.org, Dec 7

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9dbfb69b67406cdee217e9970fafea98e8c70c40

commit 9dbfb69b67406cdee217e9970fafea98e8c70c40
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Fri Dec 07 04:39:56 2018

Roll src/third_party/pdfium f1038808a9c8..994719731644 (6 commits)

https://pdfium.googlesource.com/pdfium.git/+log/f1038808a9c8..994719731644


git log f1038808a9c8..994719731644 --date=short --no-merges --format='%ad %ae %s'
2018-12-07 tsepez@chromium.org Move element/parent relationship data to .inc file
2018-12-06 tsepez@chromium.org Use symbols to represent parents in script hierarchy
2018-12-06 tsepez@chromium.org XFA: generate element tables via C preprocessor
2018-12-06 tsepez@chromium.org XFA: generate value tables with C preprocessor.
2018-12-06 tsepez@chromium.org XFA: generate attribute tables via C Preprocessor.
2018-12-06 thestig@chromium.org Limit pdf_codec_fax_fuzzer input size.


Created with:
  gclient setdep -r src/third_party/pdfium@994719731644

The AutoRoll server is located here: https://autoroll.skia.org/r/pdfium-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.



BUG= chromium:910505 
TBR=dsinclair@chromium.org

Change-Id: I666c94ba76957f9159579f9c9932e9769bbc8915
Reviewed-on: https://chromium-review.googlesource.com/c/1367102
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#614597}
[modify] https://crrev.com/9dbfb69b67406cdee217e9970fafea98e8c70c40/DEPS

Project Member

Comment 12 by ClusterFuzz, Dec 7

ClusterFuzz has detected this issue as fixed in range 614588:614611.

Detailed report: https://clusterfuzz.com/testcase?key=6554355555368960

Fuzzer: libFuzzer_pdf_codec_fax_fuzzer
Fuzz target binary: pdf_codec_fax_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address: 
Crash State:
  pdf_codec_fax_fuzzer
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=583292:583305
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=614588:614611

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6554355555368960

See https://www.chromium.org/developers/testing/memorysanitizer#TOC-Reproducing-ClusterFuzz-Bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 13 by ClusterFuzz, Dec 7

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6554355555368960 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.