This repository has been archived by the owner on Apr 30, 2021. It is now read-only.

Allocation failed - JavaScript heap out of memory (tokenize) #5

Open
cawalch opened this issue Nov 2, 2019 · 4 comments

Comments

@cawalch

cawalch commented Nov 2, 2019

I encountered a core dump while fuzzing that traces back to jsfuzz's versifier.js:413

[6242:0x34faa20]    18540 ms: Mark-sweep 1291.7 (1426.7) -> 1291.7 (1427.2) MB, 15.0 / 0.0 ms  (average mu = 0.244, current mu = 0.169) allocation failure GC in old space requested
[6242:0x34faa20]    18549 ms: Mark-sweep 1292.4 (1427.2) -> 1292.1 (1427.2) MB, 7.8 / 0.1 ms  (average mu = 0.212, current mu = 0.153) allocation failure GC in old space requested


<--- JS stacktrace --->

==== JS stack trace =========================================

    0: ExitFrame [pc: 0x16ebcc0dbe1d]
Security context: 0x147d4f69e6e9 <JSObject>
    1: tokenize(aka tokenize) [0x14d370af2101] [/home/me/.nvm/versions/node/v10.16.3/lib/node_modules/jsfuzz/build/src/versifier.js:~413] [pc=0x16ebcc0ea74d](this=0x35c17a8826f1 <undefined>,data=0x1bc2ece351d1 <Uint8Array map = 0xc82d755b89>)
    2: BuildVerse [0x14d370af1e01] [/home/me/.nvm/versions/node/v10.16.3/lib/node_modules/jsfuzz/build/src/...

It also generated a corpus file of ~144K, while the average corpus size was ~20 bytes.

jsfuzz - 1.0.10
node - 10.16.3

@yevgenypats

Hey @cawalch, thanks for reporting! versifier is a new algorithm that we just released, and it can be disabled with --versifier=false as a quick work-around.

Any chance you can share with me the fuzz-target or a repo that will help me to reproduce this behaviour?

@cawalch

cawalch commented Nov 2, 2019

...can be disabled with --versifier=false just as a quick work-around.

Got it. Thanks.

Any chance you can share with me the fuzz-target or a repo that will help me to reproduce this behaviour?

https://github.com/asciidoctor/asciidoctor.js

Corpus seed

http://asciidoctor.org[*Asciidoctor*] running on https://opalrb.com[_Opal_]  brings AsciiDoc to Node.js!

Hopefully that helps.

@mattacosta

I just tried this tool out and I've been seeing this a lot as well. On one run, I even had a 40MB corpus file.

Since maximum call stack errors were expected in my project, I also put this code into my fuzz function and don't recall seeing it since.

// Return early from the fuzz target for inputs over 1 KiB
if (buffer.length > 1024) {
  return;
}
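A complete jsfuzz target built around that guard, as an added example that is not from this thread, from jsfuzz or from asciidoctor.js. It assumes jsfuzz's convention of a `fuzz(buf)` function exported through `module.exports`, stands in a constructed recursive bracket parser for the real parser under test, and returns a status string only so the outcome can be checked (jsfuzz itself ignores the return value). The `MAX_INPUT` constant and the `parse`/`parseGroups` helpers are hypothetical names chosen for the example.

```javascript
'use strict';
// Added example, not jsfuzz's own code: a fuzz target with the input-size
// guard from the comment above. The parser is a constructed stand-in.

const MAX_INPUT = 1024; // bytes; the cut-off used in the comment above

// Constructed recursive parser: one stack frame per nested '('. Deeply nested
// input exhausts the JS call stack (RangeError), the failure mode the comment
// describes as expected for the project being fuzzed.
function parseGroups(str, i = 0) {
  let count = 0;
  while (i < str.length) {
    const ch = str[i];
    if (ch === '(') {
      const inner = parseGroups(str, i + 1);
      if (str[inner.end] !== ')') throw new SyntaxError(`unclosed group at ${i}`);
      count += 1 + inner.count;
      i = inner.end + 1;
    } else if (ch === ')') {
      return { count, end: i };
    } else {
      i += 1;
    }
  }
  return { count, end: i };
}

// Top-level entry: a ')' with no matching '(' stops parseGroups early.
function parse(str) {
  const result = parseGroups(str);
  if (result.end !== str.length) throw new SyntaxError(`stray ')' at ${result.end}`);
  return result;
}

// jsfuzz calls fuzz(buf) with a Buffer for every generated input.
function fuzz(buf) {
  // Guard from the comment above: skip oversized inputs instead of feeding
  // them to the parser, so the fuzzer does not spend its time and heap on
  // huge cases that only reproduce a known stack-depth limit.
  if (buf.length > MAX_INPUT) {
    return 'skipped';
  }
  try {
    parse(buf.toString('utf8'));
    return 'ok';
  } catch (e) {
    // Malformed input is rejected by design; that is not a finding.
    if (e instanceof SyntaxError) return 'rejected';
    // Call-stack exhaustion on deep nesting was expected in the commenter's
    // project; treat it the same way rather than reporting it as a crash.
    if (e instanceof RangeError && /call stack/i.test(e.message)) return 'rejected';
    throw e; // anything else is a real bug; let jsfuzz record the crash
  }
}

module.exports = { fuzz };
```

Run it with `jsfuzz ./fuzz.js corpus` (an assumed file name); the guard makes the target return before the parser sees inputs above the threshold, and only exceptions outside the expected classes propagate to jsfuzz as crashes.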

@yevgenypats

Thanks for reporting. I think I'll disable versifier by default for now.
