[Help with fuzzer] Unsupported allocation size when adding tabs.


Jason Segnini

Feb 9, 2021, 7:03:04 PM
to Chromium-dev
Hello, it's me again. Now I have a somewhat different issue compared to the ones I've been dealing with. Maybe someone with experience can help me.

To explain the situation a little, I'm developing a fuzzer for a certain mojo interface which requires adding tabs as part of the environment setup. This is my first complex fuzzer for chromium, and for the environment setup I've been getting some ideas by studying the unit tests' source code.

I've been able to deal with every SEGV I've got while trying to run the fuzzer by setting up the required global instances and settings in an environment singleton. However, I'm now getting a different error. It's not a SEGV! (Stack trace):

==8034==ERROR: AddressSanitizer: requested allocation size 0xbebebebebebebec0 (0xbebebebebebecec0 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
#0 0x55a2362f517d in operator new(unsigned long) /b/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
#1 0x7f2fbafb2da0 in std::__Cr::__libcpp_allocate(unsigned long, unsigned long) buildtools/third_party/libc++/trunk/include/new:253:10
#2 0x7f2fbafb2cdd in std::__Cr::allocator<char>::allocate(unsigned long, void const*) buildtools/third_party/libc++/trunk/include/memory:1853:37
#3 0x7f2fbafb2962 in std::__Cr::allocator_traits<std::__Cr::allocator<char> >::allocate(std::__Cr::allocator<char>&, unsigned long) buildtools/third_party/libc++/trunk/include/memory:1570:21
#4 0x7f2fbb0678e5 in std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >::__init(char const*, unsigned long) buildtools/third_party/libc++/trunk/include/string:1787:15
#5 0x7f2fbb06768f in std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >::basic_string(std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> > const&) buildtools/third_party/libc++/trunk/include/string:1838:9
#6 0x7f3022294aff in url::SchemeHostPort::SchemeHostPort(url::SchemeHostPort const&) url/scheme_host_port.h:112:3
#7 0x7f3022294aaf in url::Origin::Origin(url::Origin const&) url/origin.cc:68:9
#8 0x7f301cbae640 in net::SchemefulSite::SchemefulSite(net::SchemefulSite const&) net/base/schemeful_site.cc:75:16
#9 0x7f301ce35de6 in void base::internal::OptionalStorageBase<net::SchemefulSite, false>::Init<net::SchemefulSite const&>(net::SchemefulSite const&) base/optional.h:64:36
#10 0x7f301ce35d77 in base::internal::OptionalStorage<net::SchemefulSite, false, false>::OptionalStorage(base::internal::OptionalStorage<net::SchemefulSite, false, false> const&) base/optional.h:166:7
#11 0x7f301ce35d00 in base::internal::OptionalBase<net::SchemefulSite>::OptionalBase(base::internal::OptionalBase<net::SchemefulSite> const&) base/optional.h:235:13
#12 0x7f301ce33050 in base::Optional<net::SchemefulSite>::Optional(base::Optional<net::SchemefulSite> const&) base/optional.h:474:13
#13 0x7f301ce32ffd in net::NetworkIsolationKey::NetworkIsolationKey(net::NetworkIsolationKey const&) net/base/network_isolation_key.cc:47:22
#14 0x55a23fb7739b in content::TestNavigationURLLoader::CallOnResponseStarted(mojo::StructPtr<network::mojom::URLResponseHead>) content/test/test_navigation_url_loader.cc:101:7
#15 0x55a23fb7b328 in content::TestRenderFrameHost::PrepareForCommitInternal(net::IPEndPoint const&, bool, bool, net::HttpResponseInfo::ConnectionInfo, base::Optional<net::SSLInfo>, scoped_refptr<net::HttpResponseHeaders>, std::__Cr::vector<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >, std::__Cr::allocator<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> > > > const&) content/test/test_render_frame_host.cc:424:15
#16 0x55a23fb7b565 in content::TestRenderFrameHost::PrepareForCommitDeprecatedForNavigationSimulator(net::IPEndPoint const&, bool, bool, net::HttpResponseInfo::ConnectionInfo, base::Optional<net::SSLInfo>, scoped_refptr<net::HttpResponseHeaders>, std::__Cr::vector<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >, std::__Cr::allocator<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> > > > const&) content/test/test_render_frame_host.cc:364:3
#17 0x55a23fb65ece in content::NavigationSimulatorImpl::ReadyToCommit() content/test/navigation_simulator_impl.cc:527:11
#18 0x55a23fb66c27 in content::NavigationSimulatorImpl::Commit() content/test/navigation_simulator_impl.cc:582:5
#19 0x55a23fb3d596 in content::RenderFrameHostTester::CommitPendingLoad(content::NavigationController*) content/public/test/test_renderer_host.cc:86:15

Function triggering the error:
content::RenderFrameHostTester::CommitPendingLoad(content::NavigationController*)

URL of source code:

Note: My fuzzer has its own version of BrowserWithTestWindowTest::AddTab implemented in a class that is an almost exact copy of BrowserWithTestWindowTest but without inheriting from testing::Test. Changes are minimal.

Maybe someone has a very general idea of what's going on? What do you suspect could be causing that big allocation request? Something missing in my code, maybe? Could it be a bug? Or should this be expected, and maybe AddressSanitizer is not suited for this test (I doubt it)?

Thanks in advance!

Bruce Dawson

Feb 9, 2021, 9:19:29 PM
to Chromium-dev, segnin...@gmail.com
The value bebebebebebebec0 is a request for almost 2^64 bytes. That is an impossible allocation size, even on a 64-bit operating system.

That value looks like you are reading from uninitialized memory. I would recommend looking at the failure in a debugger. You should be able to see where the value came from.
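An added worked example (written for this page; it is not code from the thread or from Chromium) showing how to turn the number in an ASan "requested allocation size" report back into the uninitialized value it came from. It assumes that the std::string being copied in frame #5 lived in heap memory that was never written, and that the copy therefore read ASan's malloc fill pattern as the string's length: ASan fills the first 0x1000 bytes of every fresh allocation with 0xbe (its malloc_fill_byte and max_malloc_fill_size defaults), and libc++'s long-mode std::string asks operator new for n + 1 rounded up to a multiple of 16, which maps 0xbebebebebebebebe to exactly the 0xbebebebebebebec0 in the report. The libc++ sizing formula is reproduced from memory and should be treated as an assumption; the program runs without ASan by emulating the fill itself.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// ASan's default heap poisoning on allocation (flags malloc_fill_byte and
// max_malloc_fill_size): the first 0x1000 bytes of a fresh block are set to
// 0xbe, so a size_t read from never-written heap memory is 0xbebebebebebebebe.
constexpr uint8_t kAsanMallocFillByte = 0xbe;
constexpr size_t kAsanMaxMallocFillSize = 0x1000;
// Largest single allocation ASan allows, as quoted in the report above.
constexpr uint64_t kAsanMaxAllocationSize = 0x10000000000ULL;

enum class LengthVerdict { kPlausible, kExceedsAsanMax, kAsanFillPattern };

// True when the upper seven bytes are all 0xbe. The low byte is deliberately
// ignored: allocator rounding (see LibcppStringHeapRequest) disturbs it,
// which is why the report shows ...bec0 rather than ...bebe.
bool LooksLikeAsanFill(uint64_t v) {
  return (v & 0xffffffffffffff00ULL) == 0xbebebebebebebe00ULL;
}

// Assumed libc++ long-mode sizing: __init(p, n) allocates __recommend(n) + 1,
// and __recommend rounds n + 1 up to a multiple of 16 then subtracts one.
// Net effect: round n + 1 up to the next multiple of 16. (SSO-sized strings
// never reach operator new and are not modelled here.)
uint64_t LibcppStringHeapRequest(uint64_t n) {
  constexpr uint64_t kAlignment = 16;
  return (n + 1 + (kAlignment - 1)) & ~(kAlignment - 1);
}

// Classify a size before it is handed to an allocator: the fill fingerprint
// is checked first because it is the more specific diagnosis.
LengthVerdict DiagnoseLength(uint64_t len) {
  if (LooksLikeAsanFill(len)) return LengthVerdict::kAsanFillPattern;
  if (len > kAsanMaxAllocationSize) return LengthVerdict::kExceedsAsanMax;
  return LengthVerdict::kPlausible;
}

// Emulates a block handed back by ASan's malloc and never written to.
void* AsanStyleMalloc(size_t n) {
  void* p = std::malloc(n);
  if (!p) std::abort();
  std::memset(p, kAsanMallocFillByte,
              n < kAsanMaxMallocFillSize ? n : kAsanMaxMallocFillSize);
  return p;
}

// The shape of the bug: a string-like object whose size field is read
// (here, by a copy constructor) before anything initialized it. Under a real
// ASan build, passing that size to std::string's __init is what produces the
// "requested allocation size ... exceeds maximum supported size" report.
struct LongStringRep {  // rough sketch of libc++'s long-mode layout (assumed)
  uint64_t cap;
  uint64_t size;
  char* data;
};

uint64_t ReadUninitializedSize() {
  auto* rep =
      static_cast<LongStringRep*>(AsanStyleMalloc(sizeof(LongStringRep)));
  uint64_t size = rep->size;  // never written: carries the 0xbe fill pattern
  std::free(rep);
  return size;
}

int main() {
  const uint64_t n = ReadUninitializedSize();
  const uint64_t req = LibcppStringHeapRequest(n);
  std::printf("uninitialized size field : 0x%llx\n",
              static_cast<unsigned long long>(n));
  std::printf("operator new request     : 0x%llx\n",
              static_cast<unsigned long long>(req));
  std::printf("verdict: %s\n",
              DiagnoseLength(req) == LengthVerdict::kAsanFillPattern
                  ? "ASan fill pattern, find the object that was never initialized"
                  : "not the fill pattern");
  return 0;
}
```

The practical value of the fingerprint is that it tells you where to look: 0xbe only appears in heap memory ASan handed out and nothing wrote to, so the source object of the copy in frame #5 (the NetworkIsolationKey's SchemefulSite, a few frames up) was constructed or copied from a heap block that never had its constructor run, not from a stack slot. Stack uninitialized reads under ASan carry arbitrary bytes instead; for those, MemorySanitizer or a debugger watchpoint on the field is the next step.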

Jason Segnini

Feb 10, 2021, 10:24:04 PM
to Chromium-dev, Bruce Dawson, Jason Segnini
Update: I was able to solve the issue by creating a content::RenderViewHostTestEnabler global object.