From: Josh Steadmon <steadmon@google.com>
To: Jonathan Nieder <jrnieder@gmail.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] fuzz-commit-graph: properly free graph struct
Date: Fri, 5 Jun 2020 16:30:19 -0700 [thread overview]
Message-ID: <20200605233019.GC65111@google.com> (raw)
In-Reply-To: <20200605230233.GA167014@google.com>
[-- Attachment #1: Type: text/plain, Size: 2876 bytes --]
On 2020.06.05 16:02, Jonathan Nieder wrote:
> Josh Steadmon wrote:
>
> > Use the provided free_commit_graph() to properly free the commit graph
> > in fuzz-commit-graph. Otherwise, the fuzzer itself leaks memory when the
> > struct contains pointers to allocated memory.
> >
> > Signed-off-by: Josh Steadmon <steadmon@google.com>
> > ---
> > fuzz-commit-graph.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> How can I reproduce this?
Building the fuzzer is dependent on the exact versions of clang &
libFuzzer that you have installed; on my machine, with clang 9.0.1-10
and libFuzzer 9, I build as follows:
$ make CC=clang \
CXX=clang++ \
CFLAGS="-fsanitize=fuzzer-no-link,address" \
LIB_FUZZING_ENGINE=/usr/lib/llvm-9/lib/libFuzzer.a \
fuzz-all
Then you can run fuzz-commit-graph on the attached test case:
$ ./fuzz-commit-graph /tmp/testcase-fuzzer-leak
When built from master, I get a leak error:
$ ./fuzz-commit-graph /tmp/testcase-fuzzer-leak
INFO: Seed: 2332984289
INFO: Loaded 1 modules (70798 inline 8-bit counters): 70798 [0x15c8b82, 0x15da010),
INFO: Loaded 1 PC tables (70798 PCs): 70798 [0x12a7db8,0x13bc698),
./fuzz-commit-graph: Running 1 inputs 1 time(s) each.
Running: /tmp/testcase-5725798091980800
=================================================================
==192153==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 12 byte(s) in 1 object(s) allocated from:
#0 0x49be6d in malloc (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0x49be6d)
#1 0xc2ff15 in do_xmalloc (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0xc2ff15)
#2 0xc2fe66 in xmalloc (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0xc2fe66)
#3 0x5cfc4e in parse_commit_graph (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0x5cfc4e)
#4 0x1085b39 in LLVMFuzzerTestOneInput (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0x1085b39)
#5 0x109b41c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/usr/local/google/home/steadmon/src/git/fuzz-commit-graph+0x109b41c)
SUMMARY: AddressSanitizer: 12 byte(s) leaked in 1 allocation(s).
INFO: a leak has been found in the initial corpus.
INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.
When run with this patch, the fuzzer does not report a leak.
> > diff --git a/fuzz-commit-graph.c b/fuzz-commit-graph.c
> > index 9fd1c04edd..430817214d 100644
> > --- a/fuzz-commit-graph.c
> > +++ b/fuzz-commit-graph.c
> > @@ -12,7 +12,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
> > initialize_the_repository();
> > g = parse_commit_graph((void *)data, size);
> > repo_clear(the_repository);
> > - free(g);
> > + free_commit_graph(g);
>
> In any event, the patch itself is sensible, so
> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
>
> Thanks.
[-- Attachment #2: testcase-fuzzer-leak --]
[-- Type: application/octet-stream, Size: 1100 bytes --]
prev parent reply other threads:[~2020-06-05 23:30 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-05 22:55 [PATCH] fuzz-commit-graph: properly free graph struct Josh Steadmon
2020-06-05 23:02 ` Jonathan Nieder
2020-06-05 23:30 ` Josh Steadmon [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200605233019.GC65111@google.com \
--to=steadmon@google.com \
--cc=git@vger.kernel.org \
--cc=jrnieder@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).