search

llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org
Other
28.03k stars 11.58k forks source link

Libfuzzer leaks memory in 32 bit mode #31133

Open llvmbot opened 7 years ago

llvmbot commented 7 years ago
Bugzilla Link 31785
Version trunk
OS Linux
Reporter LLVM Bugzilla Contributor
CC @filcab,@kcc

Extended Description

When I build my fuzzing application using libfuzzer in 32 bit mode, the memory keeps growing until it hits 2 GB after half an hour or something. The same applications in 64 bit mode keep using around 550 - 600 MB.

kcc commented 7 years ago

The quarantine size is only a part of the problem. The bigger problem is that when the quarantine is large, and the program changes the allocation pattern, a portion of the memory freed by the user but not returned to the OS by the allocator keeps growing. Imagine the application does free(malloc(32) lots of times. We will have some number of these 32-byte chunkds in quarantine. Then the application stops allocating 32-byte chunks and instead starts working with 200-byte chunks. The 32-byte chunks get evicted from the quarantine, and just sit in the allocator -- they are not returned to the OS.

In the 64-bit allocator we have implemented allocator_release_to_os_interval_ms to solve this issue (hoping to enable it by default soon), but for 32-bit we don't have any remedy other than making smaller quarantine.

filcab commented 7 years ago

Shouldn't be bigger than on 64 bit mode, though (quarantines are smaller, etc). Unless we're missing something in ASan anyway.

llvmbot commented 7 years ago

It seems to grow much slower in that case.

kcc commented 7 years ago

We don't test libFuzzer in 32-bit mode, so everything is possible, but more likely the leak is not libFuzzer's fault, but asan's fault. Are you using libFuzzer with asan? If so, try setting env. var. ASAN_OPTIONS=quarantine_size_mb=1 and tell us if this helps.