The DocumentBroker dtor adds a callback:
#0 SocketPoll::addCallback(std::function<void ()> const&) (this=0x377dce0 <Admin::instance()::admin>, fn=...) at ./net/Socket.hpp:773
#1 0x0000000000947db5 in Admin::rmDoc (this=<optimized out>, docKey=...) at wsd/Admin.cpp:544
#2 0x0000000000bb8192 in DocumentBroker::~DocumentBroker (this=0x61900000e690) at wsd/DocumentBroker.cpp:579
So even if the fuzzer called Admin::instance().poll() on shutdown, there
was one more callback inserted to the list later, leading to OOM in the
long run.
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I0832d839b098407fa9e8aadb6f84388a85d62323
An alternative would be to tweak online-fuzz/wsd/DocumentBroker.cpp:534
to check for Util::isFuzzing(), but this is probably a better & more
generic way.
'./clientsession_fuzzer fuzzer/data/load' now works again.
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I4d9fa387597695ff0802b268bc4d86be51dbabb2
The fuzzers build was failing with:
In file included from fuzzer/Admin.cpp:3:
In file included from ./wsd/Admin.hpp:12:
In file included from ./wsd/AdminModel.hpp:20:
In file included from ./net/WebSocketHandler.hpp:18:
./net/HttpRequest.hpp:667:31: error: expected ')'
_header.add("Server", HTTP_SERVER_STRING);
^
./common/Common.hpp:62:51: note: expanded from macro 'HTTP_SERVER_STRING'
#define HTTP_SERVER_STRING "LOOLWSD HTTP Server " LOOLWSD_VERSION
^
./net/HttpRequest.hpp:667:20: note: to match this '('
_header.add("Server", HTTP_SERVER_STRING);
^
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: Ibc3905e3e62e0eb9788b750971916ff4a4937f12
The fuzzer ran out of memory, 955443527 bytes (79%) of the used memory
was this map.
Change-Id: I2dd84a094d3dd3d98618667e3c78591e2193bce2
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Also decrease the poll timeout to 0, otherwise testing each input would
now take 5 sec, rather than ~3 ms.
Change-Id: I1a4f347e5ec08a62d40131bfec3c504a19727323
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/95437
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
This avoids depending on LOOLWSD's statics, which
makes adding unit-tests much more difficult due to
the high number of dependencies LOOLWSD pulls.
Adds a number of unit-tests for RequestDetails.
Change-Id: I9f1d56f80a633505c7ff548ec0e33ffe61f59f53
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/95290
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Tested-by: Jenkins
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
And bypass configuration access at two new places, so the fuzzer can
find more interesting failures.
Change-Id: I4c09172e781a7c6120b8c4befe1a84fdd74f2ddc
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/93617
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
Also adds ServiceRoot handling for clipboard.
Change-Id: I7bc6591130fcc7d693e59ab8561fb9e99f4e93d5
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/93578
Tested-by: Michael Meeks <michael.meeks@collabora.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Admin::instance().dumpState(std::cerr) at the end of a run shows:
Poll [0] - wakeup r: 11 w: 12
callbacks: 103
fd events rsize wsize
This is more a problem in the fuzzer itself than in the code, the
unprocessed callbacks reached the intentionally set 2GB limit in about
20 mins, so process them at the end of each run.
Change-Id: Ic12d3e8555417371f4ca44228fc1ff515d704592
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89632
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
- target ClientSession::_handleInput(), since crashing there would bring
down the whole loolwsd (not just a kit process), and it deals with
input from untrusted users (browsers)
- add a --enable-fuzzers configure switch to build with
-fsanitize=fuzzer (compared to normal sanitizers build, this is the only
special flag needed)
- configuring other sanitizers is not done automatically, either use
--with-sanitizer=... or the environment variables from LODE's sanitizer
config
- run the actual fuzzer like this:
./clientsession_fuzzer -max_len=16384 fuzzer/data/
- note that at least openSUSE Leap 15.1 sadly ships with a clang with
libfuzzer static libs removed from the package, so you need a
self-built clang to run the fuzzer (either manual build or one from
LODE)
- <https://chromium.googlesource.com/chromium/src/testing/libfuzzer/+/refs/heads/master/efficient_fuzzing.md#execution-speed>
suggests that "You should aim for at least 1,000 exec/s from your fuzz
target locally" (i.e. one run should not take more than 1 ms), so try
this minimal approach first. The alternative would be to start from the
existing loolwsd_fuzzer binary, then step by step cut it down to not
fork(), not do any network traffic, etc -- till it's fast enough that
the fuzzer can find interesting input
- the various configurations start to be really complex (the matrix is
just very large), so try to use Util::isFuzzing() for fuzzer-specific
changes (this is what core.git does as well), and only resort to ifdefs
for the Util::isFuzzing() itself
Change-Id: I72dc1193b34c93eacb5d8e39cef42387d42bd72f
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89226
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
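The harness layout sketched in the list above (one entry point, -fsanitize=fuzzer, a Util::isFuzzing() flag instead of ifdefs) and the unprocessed-callback OOM from the "Admin::instance().dumpState(std::cerr)" commit are illustrated by the following added example. It is not LibreOffice Online code: CallbackQueue, Session, handleInput(), runOneInput(), Util::g_fuzzing and the HAVE_LIBFUZZER_MAIN macro are stand-ins invented here for the SocketPoll callback list, the DocumentBroker destructor, ClientSession::_handleInput() and the build switch; only LLVMFuzzerInitialize() and LLVMFuzzerTestOneInput() are the real libFuzzer entry points.

```cpp
// Added example, not LibreOffice Online code: a libFuzzer harness in the
// shape the commit messages describe. One entry point feeds raw bytes to a
// handler for untrusted client messages, a process-wide flag stands in for
// Util::isFuzzing(), and a SocketPoll-like callback queue is drained after
// every input so callbacks queued by destructors cannot pile up over
// millions of iterations. All names below are stand-ins.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <deque>
#include <fstream>
#include <functional>
#include <iterator>
#include <mutex>
#include <string>
#include <utility>
#include <vector>

namespace Util {
static bool g_fuzzing = false;          // set once by the harness
bool isFuzzing() { return g_fuzzing; }  // stand-in for Util::isFuzzing()
}

// Stand-in for the SocketPoll callback list that grew without bound.
class CallbackQueue {
public:
    void addCallback(const std::function<void()>& fn) {
        std::lock_guard<std::mutex> lock(_mutex);
        _callbacks.push_back(fn);
    }
    // Run every queued callback, including any that a running callback
    // enqueues, and return how many ran.
    size_t drain() {
        size_t ran = 0;
        for (;;) {
            std::function<void()> fn;
            {
                std::lock_guard<std::mutex> lock(_mutex);
                if (_callbacks.empty())
                    return ran;
                fn = std::move(_callbacks.front());
                _callbacks.pop_front();
            }
            fn();
            ++ran;
        }
    }
    size_t pending() {
        std::lock_guard<std::mutex> lock(_mutex);
        return _callbacks.size();
    }
private:
    std::mutex _mutex;
    std::deque<std::function<void()>> _callbacks;
};

// Stand-in for Admin::instance()'s poll: one process-wide queue.
CallbackQueue& adminQueue() { static CallbackQueue q; return q; }

// Object whose destructor queues a callback, as ~DocumentBroker does via
// Admin::rmDoc(): it dies after the handler returns, so a drain placed
// inside the handler would miss it.
class Session {
public:
    explicit Session(std::string key) : _docKey(std::move(key)) {}
    ~Session() {
        const std::string key = _docKey;
        adminQueue().addCallback([key] { /* rmDoc(key) would run here */ });
    }
private:
    std::string _docKey;
};

// Toy handler for one client message of the form "<command> <k>=<v> ...".
// Returns the number of k=v tokens, or -1 if the message is rejected.
int handleInput(const char* data, size_t len) {
    std::string msg(len ? data : "", len);
    for (unsigned char c : msg)
        if (c < 0x20 || c > 0x7e)
            return -1;                      // binary junk: reject early
    const size_t sp = msg.find(' ');
    if (sp == std::string::npos || sp == 0)
        return -1;
    Session session(msg.substr(0, sp));     // dtor enqueues a callback on exit
    int tokens = 0;
    size_t pos = sp + 1;
    while (pos < msg.size()) {
        const size_t next = msg.find(' ', pos);
        const std::string tok = msg.substr(pos, next == std::string::npos ? std::string::npos : next - pos);
        if (tok.find('=') == std::string::npos || tok[0] == '=') {
            if (!Util::isFuzzing())         // keep the fuzz loop at ~1 ms: no logging there
                std::fprintf(stderr, "rejected token: %s\n", tok.c_str());
            return -1;
        }
        ++tokens;
        if (next == std::string::npos)
            break;
        pos = next + 1;
    }
    return tokens;
}

// One fuzz iteration: handle the input, then drain whatever it queued
// (including the Session destructor's callback). Returns the drain count.
size_t runOneInput(const uint8_t* data, size_t size) {
    handleInput(reinterpret_cast<const char*>(data), size);
    return adminQueue().drain();
}

extern "C" int LLVMFuzzerInitialize(int* /*argc*/, char*** /*argv*/) {
    Util::g_fuzzing = true;                 // the one place the mode is decided
    return 0;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    runOneInput(data, size);
    return 0;                               // libFuzzer expects 0
}

#ifndef HAVE_LIBFUZZER_MAIN  // made-up macro: define it when linking with -fsanitize=fuzzer
// Stand-alone driver: replays saved inputs (e.g. a crash file) without libFuzzer.
int main(int argc, char** argv) {
    LLVMFuzzerInitialize(&argc, &argv);
    for (int i = 1; i < argc; ++i) {
        std::ifstream in(argv[i], std::ios::binary);
        std::vector<char> buf((std::istreambuf_iterator<char>(in)), std::istreambuf_iterator<char>());
        const size_t ran = runOneInput(reinterpret_cast<const uint8_t*>(buf.data()), buf.size());
        std::printf("%s: ran %zu callbacks, %zu left pending\n", argv[i], ran, adminQueue().pending());
    }
    return 0;
}
#endif
```

Build it stand-alone with `clang++ -std=c++14 harness.cpp -o harness` and feed it saved inputs, or as a fuzzer with `clang++ -std=c++14 -fsanitize=fuzzer,address -DHAVE_LIBFUZZER_MAIN harness.cpp -o harness` and run `./harness -max_len=16384 corpus/` (libFuzzer then supplies main()). The drain sits in runOneInput(), after the handler has returned and every object created by the handler has been destroyed; that ordering is the whole point, since a drain placed earlier leaves the destructor's callback behind on every iteration.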