New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tests: Avoid accumulating allocated memory in a global state if LogPrintf is called when fuzzing #17894
tests: Avoid accumulating allocated memory in a global state if LogPrintf is called when fuzzing #17894
Conversation
Concept ACK. I'm not too familiar with libFuzzer so I can't speak to that, but won't this buildup only occur if AFL is in persistent mode since then there's a loop rather than a new binary being executed? |
Traceback (most recent call last):
File "test/fuzz/test_runner.py", line 175, in <module>
main()
File "test/fuzz/test_runner.py", line 115, in main
universal_newlines=True,
File "/usr/lib/python3.6/subprocess.py", line 438, in run
output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['/home/travis/build/bitcoin/bitcoin/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/addr_info_deserialize', '-help=1']'
died with <Signals.SIGABRT: 6>. |
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsNo conflicts as of last run. |
@Crypt-iQ Yes, the build-up will only occur if in-process fuzzing is used: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Concept ACK. Approach NACK.
125de8a
to
91013dd
Compare
…intf is called when fuzzing
91013dd
to
d7f4583
Compare
@MarcoFalke Approach ACK now with the updated version? :) |
@MarcoFalke How can we proceed with this one? Would be really nice to not have deal with this memory leak when fuzzing the deserialisation code :) |
Closing due to lack of interest :) |
Avoid accumulating allocated memory in a global state if
LogPrintf
is called when fuzzing.The accumulation takes place via the
m_msgs_before_open
buffering.Resolved by enabling logging and writing log messages to standard output.
This has the added benefit of making the fuzzing operator aware of any log printing caused by fuzzing which is likely to be an anomaly in itself (in the general case).
The only fuzzing harness in
master
that I've seen callingLogPrintf
ismessageheader_deserialize
via the call toCMessageHeader::IsValid()
which somewhat surprisingly does aLogPrintf
in the case ofnMessageSize > MAX_SIZE
:)Before:
After:
How to test this PR