fuzzitdev/jsfuzz

Allocation failed - JavaScript heap out of memory (tokenize)

cawalch opened this issue · 4 comments

I encountered a core dump while fuzzing that traces back to jsfuzz's versifier.js:413

[6242:0x34faa20]    18540 ms: Mark-sweep 1291.7 (1426.7) -> 1291.7 (1427.2) MB, 15.0 / 0.0 ms  (average mu = 0.244, current mu = 0.169) allocation failure GC in old space requested
[6242:0x34faa20]    18549 ms: Mark-sweep 1292.4 (1427.2) -> 1292.1 (1427.2) MB, 7.8 / 0.1 ms  (average mu = 0.212, current mu = 0.153) allocation failure GC in old space requested


<--- JS stacktrace --->

==== JS stack trace =========================================

    0: ExitFrame [pc: 0x16ebcc0dbe1d]
Security context: 0x147d4f69e6e9 <JSObject>
    1: tokenize(aka tokenize) [0x14d370af2101] [/home/me/.nvm/versions/node/v10.16.3/lib/node_modules/jsfuzz/build/src/versifier.js:~413] [pc=0x16ebcc0ea74d](this=0x35c17a8826f1 <undefined>,data=0x1bc2ece351d1 <Uint8Array map = 0xc82d755b89>)
    2: BuildVerse [0x14d370af1e01] [/home/me/.nvm/versions/node/v10.16.3/lib/node_modules/jsfuzz/build/src/...

It also generated a corpus file of ~144K, while the average corpus size was ~20 bytes.

jsfuzz - 1.0.10
node - 10.16.3

Hey @cawalch, thanks for reporting! versifier is a new algorithm that we just released, and it can be disabled with --versifier=false as a quick work-around.

Any chance you can share with me the fuzz-target or a repo that will help me to reproduce this behaviour?

...can be disabled with --versifier=false just as a quick work-around.

Got it. Thanks.

Any chance you can share with me the fuzz-target or a repo that will help me to reproduce this behaviour?

https://github.com/asciidoctor/asciidoctor.js

Corpus seed

http://asciidoctor.org[*Asciidoctor*] running on https://opalrb.com[_Opal_]  brings AsciiDoc to Node.js!

Hopefully that helps.

I just tried this tool out and I've been seeing this a lot as well. On one run, I even had a 40 MB corpus file.

Since maximum call stack errors were expected in my project, I also put this code into my fuzz function and don't recall seeing it since.

// skip oversized inputs before they reach the parser
if (buffer.length > 1024) {
  return;
}
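The two workarounds discussed in this thread (drop oversized inputs before the parser sees them, and treat only the error classes the project is known to throw as expected) put together in one jsfuzz-style target. This is an added example, not jsfuzz's or asciidoctor.js's code. It assumes the jsfuzz convention of exporting a `fuzz(buf)` function that receives a `Buffer`; the `parseNested` parser, the 1024-byte cap, the depth limit and the NUL-byte bug are all constructed stand-ins so the file runs offline without asciidoctor.js installed.

```javascript
// Added example (not jsfuzz's or asciidoctor.js's own code).
// Assumptions: jsfuzz calls the exported fuzz(buf) with a Buffer for every
// input (per the jsfuzz README; check the version you run). jsfuzz ignores
// the return value; the status strings here only make the target testable.

const MAX_INPUT_BYTES = 1024; // assumed cap, same as the snippet above
const MAX_DEPTH = 64;         // constructed nesting limit for the stand-in parser

// Error classes the target is known to throw on hostile input. Anything not
// listed is rethrown so jsfuzz records it as a crash instead of hiding it.
const EXPECTED_ERRORS = [RangeError];

function isExpectedError(err) {
  return EXPECTED_ERRORS.some((cls) => err instanceof cls);
}

// Constructed stand-in for the real parser: a recursive-descent parser for
// nested square brackets. Real targets hit V8's stack limit on deep nesting
// ("Maximum call stack size exceeded", a RangeError); the stand-in throws the
// same error class explicitly at MAX_DEPTH so the example is deterministic.
// A NUL byte raises a plain Error, modelling an unexpected bug the fuzzer
// should surface.
function parseNested(text, pos = 0, depth = 0) {
  if (depth > MAX_DEPTH) {
    throw new RangeError('Maximum call stack size exceeded');
  }
  let nodes = 0;
  while (pos < text.length) {
    const ch = text[pos];
    if (ch === '[') {
      const inner = parseNested(text, pos + 1, depth + 1);
      nodes += inner.nodes + 1;
      pos = inner.pos;
    } else if (ch === ']') {
      return { nodes, pos: pos + 1 };
    } else if (ch === '\u0000') {
      throw new Error('unexpected NUL byte'); // constructed "real" bug
    } else {
      pos += 1;
    }
  }
  return { nodes, pos };
}

function fuzz(buf) {
  // Size guard: a 144K or 40 MB versifier-generated input never reaches the
  // parser, while the ~20-byte corpus entries are unaffected.
  if (buf.length > MAX_INPUT_BYTES) {
    return 'skipped';
  }
  const text = buf.toString('utf8');
  try {
    parseNested(text);
    return 'ok';
  } catch (err) {
    if (isExpectedError(err)) {
      return 'expected'; // known failure mode, not a finding
    }
    throw err; // anything else is a crash: let jsfuzz catch and save it
  }
}

// Export in the shape jsfuzz loads (guarded so the file also runs as ESM).
if (typeof module !== 'undefined') {
  module.exports = { fuzz, parseNested, isExpectedError };
}
```

Run it with `jsfuzz ./fuzz.js corpus/` as usual; the guard makes the versifier-generated inputs harmless to the target, though it does not stop versifier's own tokenizer from running out of heap, which is what the stack trace above shows and what `--versifier=false` addresses.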

Thanks for reporting. I think I'll disable versifier by default for now.